This is a Proof of Concept (POC) that implements a specific COM-based execution chain to create directories on the Windows file system, observed in the Turla Kazuar v3 loader. Instead of calling standard APIs like CreateDirectoryA/W, CreateDirectoryExA/W or the native counterpart, this technique leverages the IShellWindows interface to "pivot" through the Windows Explorer object model.
This results in the file operation being executed in the context of explorer.exe rather than the calling process. Because the COM method calls are handled via Remote Procedure Calls (RPC), Windows attributes the file system operation to the service provider (explorer.exe) rather than the requester (the POC process).
The POC was tested on Windows 10 Version 22H2 (Build 19045.6691).
The technique works as follows:
- Interface Initialization: Initialize COM and instantiate the `CLSID_ShellWindows` class. This provides access to the `IShellWindows` interface, which manages the collection of all currently open File Explorer windows.
- Window Collection Attachment: Retrieve a dispatch interface to the first available active Shell window by calling the `Item(0)` method. This essentially "hooks" into an existing `explorer.exe` process context.
- Object Hierarchy Navigation: Pivot through the window's object model using late-bound `IDispatch` calls. Move from the specific window instance to its `Document` property, then to the parent `Application` property, eventually reaching the top-level Shell Application object.
- Namespace Targeting: Once the Shell object is acquired, invoke the `NameSpace` method. This targets a specific disk location (e.g., `C:`) and returns a `Folder` object representing that directory.
- Proxied Command Execution: Call the `NewFolder` method on the targeted `Folder` object to create the directory structure.
The POC requires two command line arguments: the target path (an existing drive letter or directory path) and the folder, which can be a single folder name or a folder path. For example, to create a directory `MyTargetDir` with a sub-folder `MySubDir` in `C:\`, use the following arguments:

```
ShellWindowComFolderCreate.exe C:\ MyTargetDir\MySubDir
```
```
1. Create ShellWindows instance
2. Call IShellWindows::Item(0)
[*]Target object ID: {85CB6900-4D95-11CF-960C-0080C7F4EE85}
[*]Target type: Interface (IID)
[*]Target name: IShellWindows
3. Get .Document property
[*]Target object ID: {D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}
[*]Target type: Interface (IID)
[*]Target name: IWebBrowser2
4. Get .Application property
[*]Target object ID: {29EC8E6C-46D3-411F-BAAA-611A6C9CAC66}
[*]Target type: Interface (IID)
[*]Target name: IShellFolderViewDual3
5. Call NameSpace() method
[*]Target object ID: {286E6F1B-7113-4355-9562-96B7E9D64C54}
[*]Target type: Interface (IID)
[*]Target name: IShellDispatch6
6. Call NewFolder() method
[*]Target object ID: {A7AE5F64-C4D7-4D7F-9307-4D24EE54B841}
[*]Target type: Interface (IID)
[*]Target name: Folder3
[+] Directory has been successfully created at target path.
```
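Because the directory creation is attributed to explorer.exe, a detection has to correlate the RPC/COM activity of the requesting process with the file operation performed by the Shell. The following is an added detection-side example, not code from this PoC or from the referenced analysis: it assumes a telemetry feed that records, per process, the interface IID of outbound RPC calls (as the Microsoft-Windows-RPC ETW provider can) together with directory-creation events, and flags explorer.exe directory creations that follow calls to the pivot interfaces listed in the output above from a non-explorer process. The event schema and sample events are constructed for illustration.

```python
# Added detection example (not part of the PoC): correlate pivot-interface RPC
# calls from a non-explorer process with explorer.exe directory creation.
from collections import deque
from dataclasses import dataclass

# IIDs exactly as printed in the PoC output above.
PIVOT_IIDS = {
    "{85CB6900-4D95-11CF-960C-0080C7F4EE85}": "IShellWindows",
    "{286E6F1B-7113-4355-9562-96B7E9D64C54}": "IShellDispatch6",
    "{A7AE5F64-C4D7-4D7F-9307-4D24EE54B841}": "Folder3",
}

@dataclass
class Event:
    ts: float      # seconds (assumed schema, not a real log format)
    pid: int
    image: str     # process image name
    kind: str      # "rpc_call" or "dir_create"
    detail: str    # interface IID for rpc_call, created path for dir_create

def find_proxied_dir_creates(events, window=5.0):
    """Return (path, caller_pid, caller_image) for every directory created by
    explorer.exe within `window` seconds after a non-explorer process called
    one of the shell pivot interfaces."""
    recent = deque()   # suspicious rpc_call events, oldest first
    hits = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "rpc_call":
            if ev.image.lower() != "explorer.exe" and ev.detail.upper() in PIVOT_IIDS:
                recent.append(ev)
        elif ev.kind == "dir_create" and ev.image.lower() == "explorer.exe":
            # drop calls that are too old to have caused this creation
            while recent and ev.ts - recent[0].ts > window:
                recent.popleft()
            callers = {r.pid: r.image for r in recent}   # one hit per caller
            for pid, image in callers.items():
                hits.append((ev.detail, pid, image))
    return hits

# Constructed sample telemetry (not real logs): the PoC process walks the
# pivot chain, then explorer.exe creates the directory; later a user creates
# a folder in Explorer with no preceding RPC calls from another process.
SAMPLE = [
    Event(100.0, 4321, "poc.exe", "rpc_call", "{85CB6900-4D95-11CF-960C-0080C7F4EE85}"),
    Event(100.1, 4321, "poc.exe", "rpc_call", "{286E6F1B-7113-4355-9562-96B7E9D64C54}"),
    Event(100.2, 4321, "poc.exe", "rpc_call", "{A7AE5F64-C4D7-4D7F-9307-4D24EE54B841}"),
    Event(100.3, 1234, "explorer.exe", "dir_create", r"C:\MyTargetDir\MySubDir"),
    Event(200.0, 1234, "explorer.exe", "dir_create", r"C:\Users\alice\New folder"),
]

if __name__ == "__main__":
    print(find_proxied_dir_creates(SAMPLE))
```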
This POC is based on an in-depth analysis of the Turla Kazuar v3 loader, the details of which can be found here: https://r136a1.dev/2026/01/14/command-and-evade-turlas-kazuar-v3-loader/
This project is for educational and authorized security research purposes only. The techniques demonstrated are intended to help defenders understand advanced evasion tactics and improve detection telemetry. Use against unauthorized systems is strictly prohibited.