Microsoft Defender Archives

Tech Optimizer

May 21, 2025

Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer

Microsoft has monitored Lumma Stealer, an infostealer malware used by financially motivated threat actors. Lumma Stealer, also known as LummaC2, functions as a malware-as-a-service (MaaS) solution that extracts data from browsers and applications, including cryptocurrency wallets. The entity behind Lumma is identified as Storm-2477, which maintains the malware and its command-and-control (C2) infrastructure. Affiliates can create malware binaries and manage C2 communications through a panel provided by Storm-2477. Ransomware groups have integrated Lumma Stealer into their operations. Lumma Stealer employs various delivery techniques, including phishing emails, malvertising, drive-by downloads, Trojanized applications, and abuse of legitimate services. Specific campaigns have been identified, such as one in April 2025 that used EtherHiding and ClickFix techniques to deliver Lumma Stealer via compromised websites. Another campaign on April 7, 2025, targeted Canadian organizations with emails containing invoice lures that led to malicious downloads. The malware is developed using C++ and ASM, employing advanced obfuscation techniques to evade detection. It can extract a wide range of user data, including browser credentials, cryptocurrency wallet information, and user documents. Lumma Stealer maintains a robust C2 infrastructure with multiple hardcoded and fallback C2 servers, utilizing encryption methods to secure communications. Microsoft's Digital Crimes Unit has disrupted Lumma Stealer's infrastructure by blocking approximately 2,300 malicious domains. Recommendations to mitigate the impact of Lumma Stealer include strengthening Microsoft Defender configurations, implementing multifactor authentication, and utilizing phishing-resistant authentication methods. Microsoft Defender products can detect and block activities associated with Lumma Stealer, providing alerts and insights for incident response.

Tech Optimizer

May 21, 2025

Defendnot Disarms Windows Defender by Pretending to Be a Friend

A newly developed security program called Defendnot can deceive and disable Windows Defender, even without legitimate antivirus software installed. It alters the system to appear as a genuine antivirus program, allowing hackers to neutralize Windows Defender's protective measures. Defendnot operates through an undocumented API that antivirus software uses to register with the Windows Security Center, causing Microsoft Defender to deactivate. Developed by security researcher es3n1n, Defendnot injects a DLL file into the Taskmgr.exe process, misleading Windows into believing an antivirus is present. Although created for research purposes, it can be misused by cybercriminals. Microsoft Defender recognizes Defendnot as a Trojan and quarantines it upon detection.

Tech Optimizer

May 19, 2025

This new Defendnot trojan can get Windows to disable its own antivirus software

A researcher using the pseudonym es3n1n has created a tool called Defendnot that manipulates Windows operating systems to disable Microsoft Defender, making devices vulnerable to malware. Defendnot simulates the presence of a legitimate antivirus by using an undocumented API in the Windows Security Center, convincing Windows that a valid antivirus is installed. This development raises concerns about cybersecurity, as it undermines the effectiveness of built-in antivirus protections like Windows Defender.

Tech Optimizer

May 19, 2025

Microsoft Defender deactivated by new tool

The OpenEoX Technical Committee, part of OASIS, has introduced a draft framework to standardize end-of-life security notices for software and hardware, involving companies like Microsoft, Cisco, Oracle, IBM, Dell, and RedHat. The framework aims to provide clear communication about the security status of technology, helping organizations manage risks associated with legacy systems. It outlines a structured approach for notifying users about end-of-life status, enabling informed decisions on upgrades or replacements to improve security.

Tech Optimizer

May 18, 2025

Defendnot tool pitched as ‘an even funnier way’ to disable Windows Defender

A new tool called Defendnot, developed by es3n1n, allows users to disable Windows Defender by using an undocumented Windows Security Center (WSC) API to simulate the presence of another antivirus program. This tool is a successor to the no-defender tool, which was taken down due to legal issues. Defendnot does not use third-party antivirus code and aims for a clean implementation. It disables Microsoft Defender upon activation, leaving users vulnerable to malware as it does not provide real-time scanning. Defendnot is designed to run automatically at Windows startup. Microsoft classifies Defendnot as a Trojan, raising concerns about its potential misuse by malicious actors.

Tech Optimizer

May 18, 2025

Do I need antivirus software for Windows 11?

Windows 11 accounts for nearly 44% of global desktop users as of April 2025, making it a prime target for cybercriminals, with 83% of malware in 2020 aimed at Windows systems. Microsoft Defender, which comes pre-installed with Windows 11, offers commendable malware protection, basic ransomware protection, a SmartScreen feature for anti-phishing, and a firewall that monitors network traffic. While it provides a solid foundation for security, additional third-party antivirus software can enhance protection, offering more comprehensive features such as superior parental controls, integrated VPN services, and identity theft protection.

Tech Optimizer

May 17, 2025

Do You Really Need Antivirus on Windows 11? Probably Not—Here’s Why

Windows 11 has robust built-in security features that may reduce the need for third-party antivirus software. Windows Security now offers comprehensive protection, including real-time malware detection, firewall protection, SmartScreen alerts, hardware-level security, account monitoring, and system health reports. According to AV-TEST results from January and February 2025, Microsoft Defender Antivirus scored 6.0/6.0 in protection, performance, and usability, effectively stopping advanced malware and phishing attempts with minimal system resource usage. Users of Microsoft Edge benefit from SmartScreen filtering, while those using other browsers receive system notifications for network protection. Basic digital hygiene practices, such as avoiding suspicious downloads and keeping software updated, are crucial for security. Third-party antivirus solutions may offer additional features but can lead to performance issues and privacy concerns. For casual users who maintain their systems and practice safe browsing, Windows Security is generally sufficient, while those handling sensitive information or needing advanced features may consider premium antivirus options.

Tech Optimizer

May 17, 2025

New ‘Defendnot’ tool tricks Windows into disabling Microsoft Defender

A tool named Defendnot can disable Microsoft Defender on Windows devices by registering a counterfeit antivirus product using an undocumented Windows Security Center (WSC) API. Developed by researcher es3n1n, it exploits the API to register a fictitious antivirus that meets Windows' validation criteria, leading to the automatic disabling of Microsoft Defender. Defendnot circumvents security measures by injecting a dummy antivirus DLL into the trusted Taskmgr.exe process. It also includes a loader for configuration customization and establishes an autorun entry through the Windows Task Scheduler for persistence. Microsoft Defender currently detects and quarantines Defendnot as a Win32/Sabsik.FL.!ml.

Winsage

May 17, 2025

Why Windows 10 PCs are locking up and crashing after May update

Microsoft will end update support for Windows 10 in October 2025, but new patches are still being released. The latest cumulative update, KB5058379, has caused issues for users, especially those with devices from Dell, Lenovo, and HP. Microsoft is aware of the problems and has not yet deployed a fix as of May 16, but has provided a temporary workaround. For users affected by the BitLocker bug, Microsoft Support recommends the following steps to regain access: 1. Disable Secure Boot in BIOS/Firmware settings. 2. If issues persist, disable all virtualization technologies in BIOS/Firmware settings. 3. Check the Microsoft Defender System Guard Firmware Protection Status via Registry Editor or GUI method. 4. If firmware protection settings are restricted by Group Policy, disable them using Group Policy Editor or Registry Editor. A system restart is required for these changes to take effect, and these workarounds should only be temporary until a patched update is released. Disabling certain BIOS settings may compromise system security.

Winsage

May 16, 2025

Microsoft released one of its final updates for Windows 10 — and it has broken things

Microsoft is winding down support for Windows 10 this October and has released update KB5058379, which has caused unexpected BitLocker recovery prompts for some users after a restart. This issue has been confirmed by Microsoft representatives on forums, although it is not mentioned in the update's release notes. The problem predominantly affects devices from manufacturers like Dell, HP, and Lenovo, and the specific cause is unclear. Microsoft has provided workarounds, including disabling Secure Boot and virtualization technologies, checking Microsoft Defender System Guard Firmware Protection status, and disabling firmware protection via Group Policy or Registry Editor.