Alarming Phemedrone Malware Lets Hackers Sneak Past Windows Defender, Patch ASAP

Windows has had some recent security issues, but Microsoft has generally been good about offering critical fixes. The problem comes when people don't actually apply those fixes to their systems. Case in point: TrendMicro has discovered a previously patched vulnerability being exploited on Windows devices to bypass Windows security measures and steal cryptocurrency and personal data.

Earlier this week, researchers from TrendMicro discovered CVE-2023-36025 being exploited in the Phemedrone Stealer campaign. This Common Vulnerabilities and Exposures (CVE) entry relates to Microsoft Windows Defender SmartScreen and how it handles Internet Shortcut (.url) files. The issue originally affected Windows 10 and Windows 11, as well as Windows Server 2022, 2019, 2012, and 2008, but it was patched on November 14th, 2023.


Once a system is compromised, the campaign downloads a control panel item from an attacker-controlled server. When that item is executed, Windows PowerShell downloads and runs the next stage, which has been hosted on GitHub. This next stage is another PowerShell tool that downloads a zip file containing three additional files; these establish persistence and launch the second stage. A few more steps follow, ultimately leading to the harvesting of sensitive information: passwords, crypto wallets, Discord tokens, files, user data, Steam account information, and other data.
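As an added defender-side illustration (not code from the TrendMicro write-up or from this article), the script below parses Internet Shortcut .url files and flags ones whose target is a control panel item or other executable-type file, or a remote file:/UNC location rather than a web URL. It assumes the shortcut's URL= field is where such a target would appear; the sample files and the extension list are constructed for the example.

```python
from urllib.parse import urlparse

# Extensions a web shortcut has no business pointing at (assumed list for the example).
RISKY_EXT = {".cpl", ".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".hta", ".js", ".vbs"}


def parse_url_file(text: str) -> dict:
    """Minimal parser for the INI-style .url format: returns the keys under
    [InternetShortcut], lower-cased (url, iconfile, workingdirectory, ...)."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "internetshortcut"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    return fields


def _extension(target: str) -> str:
    """Extension of the last path component, tolerating backslash separators."""
    name = target.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""


def triage_url_file(text: str) -> list:
    """Return the reasons a shortcut deserves review; an empty list means nothing flagged."""
    fields = parse_url_file(text)
    target = fields.get("url", "")
    if not target:
        return ["no URL= target in [InternetShortcut]"]
    reasons = []
    parsed = urlparse(target)
    if target.startswith("\\\\"):
        reasons.append("target is a UNC path to a remote share")
    elif parsed.scheme.lower() not in ("http", "https"):
        reasons.append(f"non-web scheme '{parsed.scheme.lower() or '(none)'}'")
    ext = _extension(parsed.path or target)
    if ext in RISKY_EXT:
        reasons.append(f"target is an executable-type file ({ext})")
    # IconFile= and WorkingDirectory= can also pull from a remote location.
    for key in ("iconfile", "workingdirectory"):
        val = fields.get(key, "")
        if val.startswith("\\\\") or val.lower().startswith("file:"):
            reasons.append(f"{key}= references a remote location")
    return reasons


# Constructed samples for the example; not real campaign artifacts.
BENIGN_URL_FILE = "[InternetShortcut]\nURL=https://www.example.com/\n"
SUSPECT_URL_FILE = ("[InternetShortcut]\nURL=file://203.0.113.10/share/update.cpl\n"
                    "IconFile=\\\\203.0.113.10\\share\\icon.ico\n")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_URL_FILE), ("suspect", SUSPECT_URL_FILE)):
        print(name, triage_url_file(sample) or ["nothing flagged"])
```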

You can read the full write-up on the stealer campaign through TrendMicro, which is pretty interesting. Of course, it serves as a good reminder to keep your Windows install up to date so that this is not a security issue for you.