What is Trojan:Script/Ulthar.A!ml?
Once the Trojan:Script/Ulthar.A!ml successfully infects a system, it can perform a range of harmful actions.

Trojan:Script/Ulthar.A!ml is a detection of Windows Defender that identifies as a trojan. It specifically refers to a script-based malicious program. However, it can often turn out to be a false positive, and antivirus programs label harmless files as malicious. Let’s understand what this detection is and why it can be false.

What is Trojan:Script/Ulthar.A!ml?

Trojan:Script/Ulthar.A!ml is a generic detection name assigned by Microsoft Defender to a malicious script. Such threats may belong to different malware families, but to simplify the designation, Microsoft groups them by characteristics.

Trojan:Script/Ulthar.A!ml detection Defender

The majority of known Ulthar A!ml cases are attributed to file archives, both of the .zip/.rar and .jar formats. This implies that the detection refers to a threat that uses code packing. Considering the features of archived files, including virtualization used to run Java archives, it is important to take this detection seriously.

Ulthar.A!ml Malware Analysis

During the analysis of Trojan:Script/Ulthar.A!ml, I’ve detected quite a lot of cases when it was assigned to benign files, i.e. was a false positive detection. Popular malware sandboxes and collections did not contain any fresh samples of the malware detected with this name. At the same time, there were some similar malware samples, which simplified my research.

The signature name gives a couple of clues to start with. Trojan:Script is a header attributed to malicious scripts; “Trojan” part means it may be of any purpose, from gaining initial access to collecting data and delivering other malware. The proper name, “Ulthar“, is not a reference to a Lovecraft book but an umbrella designation of malicious software that shares similar properties. And this is where other clues appear.

As I said, sandboxes do not keep any records regarding Trojan:Script/Ulthar.A!ml, i.e. this specific name. However, VirusTotal keeps the analysis of a malicious program detected as Trojan:Win32/Ulthar.A!ml – not completely the same thing. But the fact that it has the same name means it shares the same core functions with that one Ulthar we are interested in.

Defender detection explanation
Microsoft Defender detection explained

So, what is Ulthar trojan? According to the data from several sources, it is a backdoor, with quite a tricky detection and analysis evasion procedure. It in particular checks whether it is running on a VM or the debug environment, and then protects its file and directory it is located in. After doing all these checks and actions, Ulthar switches to collecting system information – most likely, to create a fingerprint and ease the distinction between this machine and others.

Ulthar.A!ml functions VT
Functions of Ulthar malware. Source: VirusTotal

Typically for backdoors, Ulthar provides remote access to the system. However it looks like this access is not about a real-time connection, but about remote changes done to the system. Malware grants hackers a lengthy list of things they can do in the infected system. This functionality ranges from editing system registry and directories to launching specific files. The latter, actually, is the biggest potential danger, as it means Ulthar can deploy other malware.

Is Trojan:Script/Ulthar.A!ml False Positive?

As I’ve mentioned, Trojan:Script/Ulthar.A!ml name often appears as a false positive detection. In fact, the majority of online feedback points at this detection pointing at completely legit and safe files, particularly game mods kept in archives. And while malware can be stored in archives, the detections described by different users are related to the files that are quite hard to doubt.

Trojan:Script/Ulthar.A!ml Reddit
Users’ complaints regarding the false detections

One specific reason why this false detection appears is its origination from the AI detection system of Microsoft Defender. This is, exactly, what the “!ml” particle in the end stands for. The latter has its merits, but may create problems when failing to confirm the detection through other detection systems. But don’t think all the “!ml” detections are false – this would be a costly mistake!

!ml detection false positive

To see whether the file affected by the Trojan:Script/Ulthar.A!ml detection is false positive or not, consider using our GridinSoft Online Virus Scanner. It is completely free, and will show you whether you should be concerned or not in a matter of seconds. Just upload the file, and wait for the verdict.

How to Remove the Trojan:Script/Ulthar.A!ml from PC?

It is not easy to see whether the detected file is malicious or not without special software. I recommend checking your system with reliable and effective software like GridinSoft Anti-Malware. It particularly has a function called Custom Scan, which enables scanning archives – the right thing you may need for this case. After doing so, you’ll be sure for sure if it’s a virus or not. Keep your Anti-Malware updated to the latest version and keep yourself safe when surfing the internet.


By Stephanie Adlam

I write about how to make your Internet browsing comfortable and safe. The modern digital world is worth being a part of, and I want to show you how to do it properly.

Leave a comment

Your email address will not be published. Required fields are marked *