Microsoft SmartScreen vulnerability can be abused to deploy malware, and its happening in the wild

A white padlock on a dark digital background.
(Image credit:

Hackers are actively exploiting a known vulnerability in Microsoft SmartScreen to deploy malware.

A report from cybersecurity researchers Cyble has urged users to apply the patch immediately, since Microsoft addressed this problem months ago.

Microsoft SmartScreen is a security feature the cimpany integrated into a range of different products, including Windows, Microsoft Edge, and Outlook. By analyzing websites and downloaded files, it provides protection against phishing and malware attacks.

Lumma and Meduza Stealer

However, in mid-January 2024, The Zero Day Initiative (ZDI) observed threat actors abusing a flaw in the feature to deliver the DarkGate commodity loader. The vulnerability is now tracked as CVE-2024-21412, and is described as an “internet shortcut files security feature bypass vulnerability”. In other words, threat actors can bypass SmartScreen’s security features by having victims click on specially crafted internet links. 

Microsoft issued a patch for the vulnerability on February 13 this year, but it seems that many users did not apply it and remain vulnerable. They are now being targeted by crooks looking to deploy multiple infostealers.

This new campaign starts with phishing emails, seemingly coming from trusted sources. They carry internet shortcuts hosted on a remote WebDAV share which, if clicked, execute another .LNK file hosted on the same share, triggering the infection chain. The chain ends with the victims being infected with Lumma and Meduza Stealer.

These are popular infostealers that can grab people’s passwords, cookies, credit card information, cryptowallet data, VPN credentials, FTP credentials, browser autofill data, sensitive documents, screenshots, system information, and more. 

The researchers don’t know exactly how many people fell prey to this campaign. They do know that the threat actors are targeting a wide array of individuals and organizations in different regions and sectors. Based on the fake documents being spread in the phishing emails, the attackers are going after people in Spain, the United States, and Australia.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.