TechRadar
Sead Fadilpašić

Windows PCs targeted by dangerous new threat that even gets around Defender - and even though there's a fix, you could still be at risk

Magnifying glass enlarging the word 'malware' in computer machine code.

Windows PCs are being targeted with a new threat that is capable of working around its Defender antivirus solution, experts have warned.

Named Phemedrone Stealer, the malware steals sensitive data from the compromised device, such as passwords and authentication cookies, and leaks it to the attackers, according to a new report from cybersecurity researchers Trend Micro. 

As per the report, the malware looks for sensitive information stored in web browsers, cryptocurrency wallets, and messaging platforms such as Telegram, Steam, and Discord. It can also take screengrabs and siphon out data on hardware, location, and the operating system. The stolen information is then sent to the attackers via Telegram or their command-and-control (C&C) server.

A patch is available

The malware leverages a recently discovered vulnerability in Microsoft Windows Defender SmartScreen. It is tracked as CVE-2023-36025 and carries a CVSS score of 8.8/10. Described as a Windows SmartScreen security feature bypass vulnerability, the flaw allows threat actors to work around SmartScreen checks and the associated warning prompts. To abuse it, an attacker would need to craft a custom Internet Shortcut (.URL) file, or a hyperlink that points to such a shortcut, and get the victim to interact with it.
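Because the lure in this campaign is an Internet Shortcut, a defender's first question is usually "which .URL files on this host or in this mail flow deserve a look?" The script below is an added illustration for this article, not code from Trend Micro, Microsoft or the Phemedrone authors. It parses the INI-style format that .URL files use (an `[InternetShortcut]` section with a `URL=` key) and applies a deliberately simple triage heuristic that is an assumption of this example: a shortcut that arrives by e-mail or download normally points at an http(s) web address, so any other target (local paths, UNC shares, other schemes) or a target ending in an executable extension is flagged for human review. The sample files embedded at the bottom are constructed, and the IP address in them is from the RFC 5737 documentation range.

```python
"""Triage scanner for Internet Shortcut (.URL) files (added example, hypothetical heuristic)."""
import configparser
import os
from urllib.parse import urlparse

# Schemes a benign web shortcut is expected to use (assumption of this example).
EXPECTED_SCHEMES = {"http", "https"}
# File endings a web shortcut has no legitimate reason to point at (assumption).
SUSPICIOUS_SUFFIXES = (".exe", ".dll", ".cpl", ".msi", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".scr")


def parse_url_file(text: str) -> dict:
    """Return the keys of the [InternetShortcut] section, lower-cased; {} if absent or unparseable."""
    text = text.lstrip("\ufeff").replace("\r\n", "\n")  # tolerate BOM and CRLF line endings
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    # Section names are case-sensitive in configparser, so match them ourselves.
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    return {}


def triage(text: str) -> list:
    """Return human-readable findings for one .URL file; an empty list means nothing notable."""
    keys = parse_url_file(text)
    target = keys.get("url", "").strip()
    if not target:
        return ["no URL= key in [InternetShortcut]"]
    findings = []
    parsed = urlparse(target)
    scheme = parsed.scheme.lower()
    if scheme not in EXPECTED_SCHEMES:
        findings.append(f"non-web target scheme {scheme or '(none)'!r}: {target}")
    # urlparse leaves a UNC path in .path when there is no scheme, so this check covers both cases.
    if parsed.path.lower().endswith(SUSPICIOUS_SUFFIXES):
        findings.append(f"target ends in an executable extension: {target}")
    return findings


def scan_directory(root: str) -> dict:
    """Walk a directory tree and map each flagged .url file to its findings."""
    flagged = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".url"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                findings = triage(fh.read())
            if findings:
                flagged[full] = findings
    return flagged


# Constructed sample files for demonstration (not real campaign artifacts).
BENIGN_SAMPLE = "[InternetShortcut]\r\nURL=https://www.example.com/\r\nIconIndex=0\r\n"
SUSPECT_SAMPLE = "\ufeff[InternetShortcut]\r\nURL=file://203.0.113.5/share/update.exe\r\n"
EMPTY_SAMPLE = "[InternetShortcut]\r\nIconIndex=0\r\n"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspect", SUSPECT_SAMPLE), ("empty", EMPTY_SAMPLE)):
        print(label, "->", triage(sample) or "nothing notable")
```

The heuristic is intentionally coarse: it is a hunting filter to narrow a pile of attachments or user-profile files down to the handful worth opening in a sandbox, not a verdict. Pair it with the patch status of the endpoint, since on a system that has received the November 2023 fix the SmartScreen prompt is expected to appear regardless of what the shortcut points at.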

Microsoft patched the flaw in mid-November 2023. However, attackers are still on the lookout for devices that haven't received the fix, so applying it is highly recommended. In fact, the evidence of in-the-wild exploitation prompted the Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

“It has come to public attention that various demos and proof-of-concept codes have been circulated on social media, detailing the exploitation of CVE-2023-36025,” Trend Micro explained in its writeup. 

“Since details of this vulnerability first emerged, a growing number of malware campaigns, one of which distributes the Phemedrone Stealer payload, have incorporated this vulnerability into their attack chains.”
