Trojan:Script/Wacatac.B!ml: Meaning, False Positive, and Removal

Trojan:Script/Wacatac.B!ml Quick Answer

What Does Trojan:Script/Wacatac.B!ml Mean?

The name breaks down like this: Trojan is the broad threat category, Script suggests the suspicious object is script-related or script-delivered, Wacatac.B is the detection family, and !ml means the detection was influenced by Microsoft Defender’s machine-learning/heuristic logic.

Microsoft describes Wacatac as a family that can be used for credential theft, downloading more malware, and opening a backdoor when the detected file is truly malicious. That does not prove every Wacatac.B!ml alert is malware, but it explains why Defender treats the name aggressively.

If your Defender alert names an executable instead of a script, compare it with our related guides for Trojan:Win32/Wacatac and Trojan:Win32/Wacatac.H!ml. If the alert is Trojan:Script/Conteban.A!ml, handle it as a separate script/archive detection. For a broader explanation of Defender naming, see Microsoft Defender detections.

Script vs Win32/Wacatac.B!ml

Search results and Defender alerts often mix Trojan:Script/Wacatac.B!ml, Trojan:Win32/Wacatac.B!ml, and plain wacatac.b ml. Use the platform part of the name as a clue: Script usually points to JavaScript, HTML, VBS, PowerShell, browser-cache content, or a script embedded in an archive, while Win32 usually points to a Windows executable or installer. The cleanup logic overlaps, but the source path tells you whether you are dealing with an extracted script, a packed installer, a developer build, or a stale Protection History entry.

Is It Malware or a False Positive?

Use the file context, not the detection name alone. A Wacatac.B!ml alert from a random download is a very different risk from the same alert on a local development build you created yourself.

Treat It as Malware If

• The file came from a crack, keygen, pirated game, unofficial mod, fake update, Telegram/Discord link, or unknown archive.
• The path is inside %Temp%, AppData, browser cache, Downloads, or a folder with a random name.
• You recently saw browser redirects, pop-ups, changed search settings, disabled security tools, or new startup entries.
• Defender finds the same detection again after quarantine or restart.
• Other security tools also flag the file or the extracted contents.

Consider a False Positive If

• The file is from your own project, a known vendor, or a tool you can re-download from the official source.
• The alert appears only inside a compressed archive and never runs on the system.
• The detection disappears after Defender updates and a rescan finds nothing.
• The file is a script, emulator component, APK, unsigned build, or packed installer that you can independently verify.

Even in a likely false-positive case, do not restore the file until you have verified it. If it is business-critical or private, avoid uploading it to public multi-scanner services. Use the vendor’s official submission flow instead.

If Defender Found Wacatac.B!ml in a ZIP, RAR, Browser Cache, or Partial Download

Many real user cases start with Defender flagging a compressed file, an interrupted browser download, a mod archive, or a cached HTML/script file. That does not automatically prove the code ran. It means Defender saw suspicious content while scanning the container, the extracted item, or the download stream.

• ZIP/RAR/7z: delete the original archive if you do not trust the source. If it is your own archive, rescan the extracted files after updating Defender definitions.
• Browser cache or partial download: clear the browser download/cache folder, remove the source download, then run a full scan. A detection during download often means the file was blocked before execution.
• Game mods, emulators, APKs, and developer builds: verify the source, hash, signature, and vendor/project reputation before restoring anything.
• Only one scanner detected it once: keep the file out of use, update definitions, rescan, and submit it to Microsoft if you need a clean verdict.

What to Do First

1. Keep the item quarantined. Open Windows Security, then go to Virus & threat protection > Protection history.
2. Copy the detected path and threat name. The folder location tells you whether this was a download, archive extraction, browser cache item, or startup persistence.
3. Update Defender security intelligence. Run Windows Update or update protection definitions before rescanning.
4. Run a full scan. A quick scan is useful, but a full scan is better when the source was suspicious.
5. Use a second-opinion scanner. GridinSoft Anti-Malware can check for leftover startup entries, bundled apps, browser hijackers, and hidden files that a single-file quarantine does not explain.
6. Change passwords only if exposure is plausible. Do it after cleanup if you ran the file, entered credentials, saw browser hijacking, or found other malware.

What If Wacatac.B!ml Keeps Coming Back?

Repeated Wacatac.B!ml notifications can mean two different things. Sometimes Defender already removed the file and you are seeing old Protection History notifications. Other times the original archive, browser cache, startup task, or downloader is still recreating the suspicious file.

1. Check whether the file path in each alert is the same or changing.
2. If the path points to an old quarantined item or Protection History entry, update Defender and run a full scan to confirm there is no active detection.
3. If the path keeps reappearing in Downloads, Temp, AppData, browser cache, Startup, or Task Scheduler, delete the source file and inspect persistence locations.
4. If the detection returns after reboot or removal fails, run Microsoft Defender Offline Scan and then a second-opinion scan before changing passwords.

How to Remove Trojan:Script/Wacatac.B!ml

1. Remove the Quarantined Item

In Windows Security, open Protection history, select the Trojan:Script/Wacatac.B!ml event, and choose the recommended removal action. If Defender already quarantined it, do not restore it just to delete it manually.

2. Delete the Source Download or Archive

If the alert came from a ZIP/RAR/7z, ISO, installer, browser cache, or partial download, delete the original source file too. Defender may quarantine the extracted object while the original archive remains in Downloads.

3. Check Startup Locations

Look for unfamiliar entries in Task Manager > Startup apps, Task Scheduler, and the common Startup folders. Script malware often tries to survive by launching powershell.exe, wscript.exe, cscript.exe, or a random file from Temp/AppData.

4. Run a Full System Scan

Use Windows Security > Virus & threat protection > Scan options > Full scan. If the detection returns, or if Defender reports that removal failed, run Microsoft Defender Offline Scan so Windows can check the system before normal startup.

5. Scan With GridinSoft Anti-Malware

Defender may catch the suspicious file but not every bundled component around it. A GridinSoft Anti-Malware scan is useful when the source was a fake installer, adware bundle, crack, browser hijacker, or unknown archive.

How to Handle a Likely False Positive

A false positive is possible, especially with custom scripts, unsigned builds, compressed tools, emulators, or software packed in a way that resembles malware. Handle it carefully.

1. Confirm the file came from a trusted source.
2. Re-download the file from the official website and compare whether Defender still flags it.
3. Scan the file or folder directly with Microsoft Defender.
4. If it is your software or a vendor file, submit it to Microsoft as a false positive for review.
5. Add a Defender exclusion only after verification, and only for the narrow file or folder that needs it.

For most home users, deleting the suspicious file is safer than excluding it. Exclusions tell Defender not to inspect that location, which can make a real infection easier to miss later.

How to Avoid Wacatac-Style Alerts Again

• Do not run cracks, keygens, pirated installers, or “activation” tools.
• Keep file extensions visible in Windows so invoice.pdf.js does not look like a PDF.
• Do not open scripts from email, chat, or shared folders unless you expected them.
• Keep Defender real-time protection and cloud-delivered protection enabled.
• Use standard user accounts for daily work instead of an administrator account.
• Back up important files to a location malware cannot easily rewrite.

FAQ

Related Defender detection: Gridinsoft also has a path-based cleanup guide for Trojan:Win32/Skeeyah.A!rfn, especially when Defender quarantines an item from browser cache or a download folder.

Another script downloader alert: If Defender shows TrojanDownloader:JS/Nemucod instead of Wacatac, follow this Nemucod cleanup and cache-triage guide before restoring or excluding the file.

Related Defender alert: For a packed-file warning such as Trojan:Win32/VMProtect, this VMProtect false-positive and removal guide explains how to check the source, signature, path, and scan results.

References

1. Microsoft Security Intelligence. “Trojan:Script/Wacatac.B!ml threat description.” Microsoft, updated January 11, 2026, accessed June 7, 2026. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Trojan%3AScript%2FWacatac.B%21ml
2. Microsoft Support. “Help protect my PC with Microsoft Defender Offline.” Microsoft Support, accessed June 7, 2026. https://support.microsoft.com/en-us/windows/help-protect-my-pc-with-microsoft-defender-offline-9306d528-64bf-4668-5b80-ff533f183d6c
3. Microsoft Security Intelligence. “Submit a file for malware analysis.” Microsoft, accessed June 7, 2026. https://www.microsoft.com/en-us/wdsi/filesubmission