Trend Micro has reported ongoing exploitation of the Windows Defender vulnerability CVE-2023-36025, leading to infections by the newly identified Phemedrone Stealer. This malware specifically targets cryptocurrency wallets, web browsers, and messaging apps, extracting sensitive data and system information. By exploiting a flaw in Microsoft Windows Defender SmartScreen, threat actors can bypass its security warnings, posing a significant threat to cryptocurrency users.
Despite Microsoft’s patch release, in-the-wild exploitation persists, prompting the Cybersecurity and Infrastructure Security Agency (CISA) to add the flaw to its Known Exploited Vulnerabilities catalog. The attack uses a multi-stage infection chain: a malicious .url file, DLL sideloading, and a second-stage loader (Donut). Phemedrone Stealer then exfiltrates a broad range of user data through Telegram, highlighting the persistent threat landscape and the urgent need for updated defenses against evolving malware tactics.
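Because the chain described above starts with a malicious .url file, a defender's first triage question is what that shortcut actually points at. The following is an added example, not code from Trend Micro or from the report summarized here: it parses the INI-style Internet Shortcut format and flags shortcuts whose target is a remote network path or an executable-type file. The extension list, the heuristics, and both sample files are constructed for this example and are assumptions, not indicators taken from the page.

```python
"""Triage of Windows Internet Shortcut (.url) files (added example).

Parses the [InternetShortcut] section of a .url file and reports
properties a defender would want to review before the shortcut is trusted:
a target on a remote network path, a target that is an executable-type
file, or an unexpected URL scheme. The heuristics below are assumptions
chosen for this example, not rules from the original report.
"""
import configparser
from urllib.parse import urlparse, unquote

# Assumed heuristic: file types that execute code when a shortcut opens them.
CODE_EXTENSIONS = {".exe", ".dll", ".cpl", ".scr", ".msi", ".js", ".jse",
                   ".vbs", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}


def parse_url_file(text: str) -> dict:
    """Return the key/value pairs of the [InternetShortcut] section.

    Section lookup is case-insensitive and key case is preserved (URL,
    IconFile, ...). Returns {} when the section is absent or the text is
    not parseable as an INI-style file.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    try:
        parser.read_string(text)
    except configparser.Error:
        return {}
    for section in parser.sections():
        if section.lower() == "internetshortcut":
            return dict(parser.items(section))
    return {}


def _target_extension(target: str, parsed) -> str:
    """Lower-cased extension of the final path component, or ''."""
    path = unquote(parsed.path) if parsed.scheme else target
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def triage_url_shortcut(text: str) -> list:
    """Return a list of human-readable findings; an empty list means
    nothing in the shortcut matched the assumed heuristics."""
    fields = parse_url_file(text)
    findings = []
    target = fields.get("URL", "").strip()
    if not target:
        findings.append("no URL field in [InternetShortcut] section")
        return findings

    parsed = urlparse(target)
    scheme = parsed.scheme.lower()

    # UNC-style targets (\\server\share\...) and file:// URLs with a host
    # both resolve to a remote share rather than a local file.
    if target.startswith("\\\\") or (scheme == "file" and parsed.netloc):
        findings.append(f"remote network path target: {target}")

    ext = _target_extension(target, parsed)
    if ext in CODE_EXTENSIONS:
        findings.append(f"target is executable-type file ({ext})")

    if scheme and scheme not in ("http", "https", "file"):
        findings.append(f"unusual URL scheme: {scheme}")
    return findings


# Constructed sample shortcuts; the host below is a documentation-range
# address chosen for this example, not an indicator from the report.
BENIGN_URL_FILE = "[InternetShortcut]\r\nURL=https://example.com/\r\n"
SUSPICIOUS_URL_FILE = (
    "[InternetShortcut]\r\n"
    "URL=file://203.0.113.10/share/update.exe\r\n"
    "IconIndex=0\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_URL_FILE),
                          ("suspicious", SUSPICIOUS_URL_FILE)):
        print(f"{label}: {triage_url_shortcut(sample) or ['no findings']}")
```

Real .url files are often UTF-16 with a byte-order mark; decode the bytes to text before handing them to `triage_url_shortcut`. The point of the heuristics is to surface shortcuts that behave like launchers rather than bookmarks, which is what a SmartScreen warning would normally interpose on.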