Multi-Stage Windows Malware Abuses Cloud Services to Disable Microsoft Defender
Security researchers have uncovered a sophisticated Windows malware campaign that relies on social engineering, malicious shortcuts, and abused cloud services like GitHub and Dropbox to bypass Microsoft Defender and deploy ransomware, RATs, and banking trojans without exploiting software vulnerabilities.
Security researchers have identified an advanced multi-stage malware campaign actively targeting Windows systems by exploiting user trust rather than software vulnerabilities. The attack relies heavily on social engineering techniques and the abuse of legitimate operating system tools and cloud services to remain stealthy and difficult to detect.
Initial Infection Vector
The infection begins with business-themed documents designed to appear as legitimate accounting or corporate files. Victims are tricked into extracting compressed archives that contain malicious LNK shortcut files disguised as standard documents. When executed, these shortcuts silently launch PowerShell commands in the background using execution policy bypass techniques.
The PowerShell script downloads an obfuscated first-stage loader hosted on public platforms such as GitHub, allowing the malware to blend seamlessly into normal enterprise network traffic.
Multi-Stage Attack Chain
Once executed, the loader establishes persistence on the system and drops decoy documents to distract the victim. It then communicates with the attacker using the Telegram Bot API, confirming that the system has been successfully compromised.
Researchers from Fortinet identified the campaign after observing extensive defense-evasion tactics embedded throughout the attack chain.
Microsoft Defender Neutralization
A critical aspect of this campaign is the abuse of Defendnot, a research tool originally created to demonstrate weaknesses in Windows Security Center. Threat actors repurposed this tool to register a fake antivirus solution, exploiting Windows trust mechanisms and forcing Microsoft Defender to automatically disable itself.
This allows the malware to operate freely without triggering standard security alerts.
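As an added defender-side check (example code, not from the article or from Fortinet): this PowerShell snippet lists every antivirus product registered with Windows Security Center next to Defender's own running mode, so a registration with no real signed binary behind it, or Defender sitting in passive mode, stands out. It assumes a Windows client SKU with the Defender cmdlets available; the `productState` byte decoding is a widely used convention rather than a documented API, and `Get-AvRegistrationAudit` is a name chosen here.

```powershell
# Added example: audit what Windows Security Center believes protects this host
# and whether Defender has stepped aside for a registered third-party product.
function Get-AvRegistrationAudit {
    $findings = @()

    # root/SecurityCenter2 exists only on client SKUs; servers have no WSC.
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' `
        -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        # productState is a packed value; by convention the middle byte is 0x10
        # when the product reports itself as enabled (assumed decoding).
        $hex     = '{0:X6}' -f [int]$p.productState
        $enabled = $hex.Substring(2, 2) -eq '10'
        $exe     = $p.pathToSignedProductExe
        $exeOk   = [bool]($exe -and (Test-Path -LiteralPath $exe))
        $signed  = $false
        if ($exeOk) {
            $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
        }
        # Heuristic: an "enabled" AV with no validly signed executable on disk
        # is worth a closer look; a legitimate product normally has both.
        $findings += [pscustomobject]@{
            Product    = $p.displayName
            Enabled    = $enabled
            ExePresent = $exeOk
            ExeSigned  = $signed
            Suspicious = ($enabled -and -not ($exeOk -and $signed))
        }
    }

    # Defender's own view: anything other than 'Normal' (e.g. 'Passive Mode')
    # means it has yielded to another registered product.
    $mp   = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $mode = if ($mp) { $mp.AMRunningMode } else { 'unknown' }
    $rtp  = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unknown' }
    $suspiciousCount = @($findings | Where-Object { $_.Suspicious }).Count

    [pscustomobject]@{
        Registrations      = $findings
        DefenderMode       = $mode
        RealTimeProtection = $rtp
        Alert              = ($suspiciousCount -gt 0) -or ($mp -and $mode -ne 'Normal')
    }
}

$audit = Get-AvRegistrationAudit
$audit.Registrations | Format-Table -AutoSize
"Defender mode: $($audit.DefenderMode); RTP: $($audit.RealTimeProtection); ALERT=$($audit.Alert)"
```

Run it from an elevated prompt; an `Alert` of `True` is a prompt to inspect the listed registration, not proof of compromise, since some legitimate products also move Defender into passive mode.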
Operational Phases
After disabling defenses, the attack progresses through four structured phases:
- System Reconnaissance & Surveillance: Screenshot capture modules are deployed to monitor user activity and gather intelligence, which is exfiltrated to the attacker.
- Privilege Escalation & Control: The malware verifies administrative privileges, attempts UAC bypass techniques, and prepares the system for full takeover.
- System Lockdown & Sabotage: Administrative tools and recovery mechanisms are disabled. File associations are hijacked, preventing victims from launching legitimate applications or accessing their own files.
- Payload Deployment: The attackers deploy Amnesia RAT to maintain persistent remote access and steal browser credentials, cryptocurrency wallets, and financial data.
Ransomware & Lockout Execution
In parallel, Hakuna Matata ransomware is deployed to encrypt user files, appending the extension .NeverMind12F. A WinLocker component enforces complete system lockout, displaying countdown timers that pressure victims into contacting the attacker for ransom negotiations.
Why This Attack Is Dangerous
Unlike traditional malware campaigns, this operation avoids exploiting software vulnerabilities entirely. Instead, it abuses legitimate Windows features, native administrative tools, and trusted cloud services such as GitHub, Dropbox, and Telegram. This strategy significantly reduces the effectiveness of signature-based detection while enabling long-term, layered compromise of victim systems.