Windows PCs targeted by dangerous new threat that even gets around Defender - and even though there's a fix, you could still be at risk

Magnifying glass enlarging the word 'malware' in computer machine code
(Image credit: Shutterstock)

Windows PCs are being targeted with a new threat that is capable of working around its Defender antivirus solution, experts have warned.

Named Phemedrone Stealer, the malware steals sensitive data from the compromised device, such as passwords and authentication cookies, and leaks it to the attackers, according to a new report from cybersecurity researchers Trend Micro. 

As per the report, the malware looks for sensitive information stored in web browsers, cryptocurrency wallets, and messaging platforms such as Telegram, Steam, and Discord. It can also take screengrabs, and siphon out data on hardware, location, and the operating system. The stolen information is then presented to the attackers via Telegram or their command-and-control (C&C) server. 

Reader Offer: Save up to 68% on Aura identity theft protection

Reader Offer: Save up to 68% on Aura identity theft protection
TechRadar editors praise Aura's upfront pricing and simplicity. Aura also includes a password manager, VPN, and antivirus to make its security solution an even more compelling deal. Save up to 50% today. 

 Preferred partner (What does this mean?) 

A patch is available

The malware leverages a vulnerability that was recently discovered in Microsoft Windows Defender SmartScreen. It’s tracked as CVE-2023-36025 and carries a vulnerability score of 8.8/10. Described as a Windows SmartScreen security feature bypass vulnerability, this flaw allows threat actors to work around Defender Smartscreen checks and the associated prompts. To abuse the flaw, an attacker would need to craft a custom Internet Shortcut (.URL), or a hyperlink that points to a shortcut, and get the victim to interact with it.

Microsoft patched the flaw in mid-November 2023, however, hackers are still on the lookout for vulnerable devices that haven’t been patched, so applying the fix is highly recommended. In fact, the evidence of in-the-wild use has prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to the Known Exploited Vulnerabilities (KEV) list. 

“It has come to public attention that various demos and proof-of-concept codes have been circulated on social media, detailing the exploitation of CVE-2023-36025,” Trend Micro explained in its writeup. 

“Since details of this vulnerability first emerged, a growing number of malware campaigns, one of which distributes the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains.”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.