Skip to main content
  1. Home
  2. Computing
  3. Web
  4. News

Windows Defender thwarts major malware attack directed mostly at Russian users

Add as a preferred source on Google

On Thursday, March 8, Microsoft said that just before noon on Tuesday, Windows Defender blocked more than 80,000 instances of a massive malware attack that used a trojan called Dofoil, also known as Smoke Loader. Within the following 12 hours, Windows Defender blocked another 400,000 instances. Most of the smoky outbreak took place in Russia (73 percent) followed by Turkey (18 percent) and Ukraine (4 percent). 

Smoke Loader is a trojan that can retrieve a payload from a remote location once it infects a PC. It was last seen in a fake patch for the Meltdown and Spectre processor vulnerabilities, which downloaded various payloads for malicious purposes. But for the current outbreak in Russia and its neighboring countries, Smoke Loader’s payload was a cryptocurrency miner. 

Recommended Videos

“Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks,” Microsoft stated. “For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.” 

Once on the PC, the Smoke Loader trojan launched a new instance of Explorer in Windows and placed it in a suspended state. The trojan then carved out a portion of the code used it to run in the system memory and filled that blank space with malware. After that, the malware could run undetected and delete the trojan components stored on the PC’s hard drive or SSD. 

Now disguised as the typical Explorer process running in the background, the malware launched a new instance of the Windows Update AutoUpdate Client service. Again, a section of the code was carved out, but coin mining malware filled the blank space instead. Windows Defender caught the miner red-handed because its Windows Update-based disguise ran from the wrong location. Network traffic stemming from this instance constituted highly suspicious activity as well. 

Because Smoke Loader needs an internet connection to receive remote commands, it relies on a command and control server located within the experimental, open-source Namecoin network infrastructure. According to Microsoft, this server tells the malware to sleep for a period of time, connect or disconnect to a specific IP address, download and execute a file from a specific IP address, and so on. 

“For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources,” Microsoft says. That includes making a copy of itself and hiding out in the Roaming AppData folder and making another copy of itself to access IP addresses from the Temp folder. 

Microsoft says artificial intelligence and behavior-based detection helped thwart the Smoke Loader invasion but the company doesn’t state how victims received the malware. One possible method is the typical email campaign as seen with the recent fake Meltdown/Spectre patch, tricking recipients into downloading and installing/opening attachments.

Kevin Parrish
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Copilot could soon help diagnose issues with your PC
A new PC Insights feature will help you find what's slowing down your PC, though Copilot itself may be one of the main problems.
Microsoft Copilot Banner Featured

Copilot's next trick is diagnosing your PC's problems, but the catch is that the assistant doing the diagnosing is itself part of the problem. Windows Latest reports that Microsoft is testing a new Copilot feature called PC Insights, which will let you ask the AI assistant natural language questions about your computer's hardware and storage instead of digging through the Task Manager or Settings. The feature will reportedly allow users to ask questions like, "Do I have enough space for a 100GB game?" and Copilot will check the available storage to offer a response. Users will also be able to ask about CPU usage, battery health, etc., to diagnose issues.

What Copilot will be able to see

Read more
OpenAI just took the handcuffs off your ChatGPT Work and Codex usage limits, at least for now
The 5 hour limit is gone for now, your usage counter just reset, and GPT 5.6 Sol is about to get a lot lighter on your allowance.
OpenAI logo on Microsoft surface

It seems that OpenAI has been on a gallop lately, releasing new updates left and right. Just a few days back, the company launched its GPT-5.6 Sol, Terra, and Luna models for the general public, and now it's back with another update that will please its users even more. 

The headline change is that the 5-hour usage limit restriction in ChatGPT Work and Codex is being temporarily removed for all Plus, Business, and Pro plans. If you have ever been in the middle of a long working session and watched the limit message appear at the worst possible moment, this one is for you. 

Read more
This app gives your Mac a music player you’ll actually enjoy using
Apple Music on the Mac is a chore. Liqoria is the fix, and it plays nice with Spotify and YouTube too.
Liqoria music player

The Apple Music app on the Mac is not up to the mark. I don’t like how it looks or behaves, and Apple should take some inspiration from Spotify to make the app more modern and useful. Until that happens, we are stuck with a subpar app experience.

That’s why I never use the Apple Music app on my Mac and rely on third-party apps that let me control music. Today I am featuring one of the latest apps I discovered. It’s called Liqoria, and it’s probably the only music player app you will ever need.

Read more