Hackers Actively Exploiting Microsoft SmartScreen Vulnerability To Deploy Stealer Malware

Hackers attack Microsoft SmartScreen as it’s a cloud-based, anti-phishing, and anti-malware component that determines whether a website is potentially malicious, protecting users from downloading harmful viruses. 

By exploiting vulnerabilities in SmartScreen, hackers can sneak past Windows Defender and spread malware onto users’ devices.


Cybersecurity researchers at Cyble recently discovered that hackers have been actively exploiting the Microsoft SmartScreen vulnerability to deploy stealer malware.

Microsoft SmartScreen Vulnerability

In January 2024, the Zero Day Initiative of Cyble discovered a DarkGate campaign exploiting CVE-2024-21412 via fake software installers. 

Microsoft patched the vulnerability on February 13, but Water Hydra and other groups continued to leverage it to deploy malware, including DarkMe RAT, by bypassing SmartScreen with internet shortcuts.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Malicious links to internet shortcuts hosted on WebDAV shares are typically distributed via spam email.

When these shortcuts are run, they skip the SmartScreen step and launch a multi-step attack that uses PowerShell as well as JavaScript scripts.

Finally, the campaign installs information-stealing malware such as Lumma and Meduza Stealer, showing how threat actors have been evolving in their approach to exploiting recently patched vulnerabilities.

Infection Chain (Source – Cyble)

The threat actor targets individuals and organizations globally, using lures like fake Spanish tax documents, US Department of Transportation emails, and Australian Medicare forms.

It is a very crafty technological attack that exploits CVE-2024-21412 to bypass Microsoft Defender SmartScreen.

The attackers may send phishing emails containing a malicious link that leads to a WebDAV-hosted internet shortcut.

The attack chain includes multiple steps, with the last one involving JavaScript embedded in benign executables, using legitimate Windows utilities and poisoning them for malicious LNK file purposes.

Here, the PowerShell scripts decrypt and execute additional payloads, install malware, and display a decoy document on the victim’s machine.

Some of the methods used in this campaign include DLL side-loading and IDAT loader exploitation to distribute Lumma and Meduza Stealer malware.

The payload is then injected into explorer.exe. Increasing utilization of CVE-2024-21412, coupled with such elaborate approaches, confirms a cyber threat environment that is transforming very fast.

This development could be hurried by the availability of Malware-as-a-Service offerings, consequently underlining the urgent requirement for proactive security measures and continuous changes to counter new threats arising from such avenues.


Here below we have mentioned all the recommendations:-

  • Verify emails and links
  • Use advanced email filtering
  • Avoid suspicious links
  • Keep software up-to-date
  • Monitor forfiles utility
  • Limit scripting languages
  • Implement application whitelisting
  • Segment your network


IoCs (Source – Cyble)

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.