Skip to main content

Windows Defender thwarts major malware attack directed mostly at Russian users

On Thursday, March 8, Microsoft said that just before noon on Tuesday, Windows Defender blocked more than 80,000 instances of a massive malware attack that used a trojan called Dofoil, also known as Smoke Loader. Within the following 12 hours, Windows Defender blocked another 400,000 instances. Most of the smoky outbreak took place in Russia (73 percent) followed by Turkey (18 percent) and Ukraine (4 percent). 

Smoke Loader is a trojan that can retrieve a payload from a remote location once it infects a PC. It was last seen in a fake patch for the Meltdown and Spectre processor vulnerabilities, which downloaded various payloads for malicious purposes. But for the current outbreak in Russia and its neighboring countries, Smoke Loader’s payload was a cryptocurrency miner. 

Recommended Videos

“Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks,” Microsoft stated. “For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.” 

Please enable Javascript to view this content

Once on the PC, the Smoke Loader trojan launched a new instance of Explorer in Windows and placed it in a suspended state. The trojan then carved out a portion of the code used it to run in the system memory and filled that blank space with malware. After that, the malware could run undetected and delete the trojan components stored on the PC’s hard drive or SSD. 

Now disguised as the typical Explorer process running in the background, the malware launched a new instance of the Windows Update AutoUpdate Client service. Again, a section of the code was carved out, but coin mining malware filled the blank space instead. Windows Defender caught the miner red-handed because its Windows Update-based disguise ran from the wrong location. Network traffic stemming from this instance constituted highly suspicious activity as well. 

Because Smoke Loader needs an internet connection to receive remote commands, it relies on a command and control server located within the experimental, open-source Namecoin network infrastructure. According to Microsoft, this server tells the malware to sleep for a period of time, connect or disconnect to a specific IP address, download and execute a file from a specific IP address, and so on. 

“For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources,” Microsoft says. That includes making a copy of itself and hiding out in the Roaming AppData folder and making another copy of itself to access IP addresses from the Temp folder. 

Microsoft says artificial intelligence and behavior-based detection helped thwart the Smoke Loader invasion but the company doesn’t state how victims received the malware. One possible method is the typical email campaign as seen with the recent fake Meltdown/Spectre patch, tricking recipients into downloading and installing/opening attachments.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Turns out, it’s not that hard to do what OpenAI does for less
OpenAI's new typeface OpenAI Sans

Even as OpenAI continues clinging to its assertion that the only path to AGI lies through massive financial and energy expenditures, independent researchers are leveraging open-source technologies to match the performance of its most powerful models -- and do so at a fraction of the price.

Last Friday, a unified team from Stanford University and the University of Washington announced that they had trained a math and coding-focused large language model that performs as well as OpenAI's o1 and DeepSeek's R1 reasoning models. It cost just $50 in cloud compute credits to build. The team reportedly used an off-the-shelf base model, then distilled Google's Gemini 2.0 Flash Thinking Experimental model into it. The process of distilling AIs involves pulling the relevant information to complete a specific task from a larger AI model and transferring it to a smaller one.

Read more
New MediaTek Chromebook benchmark surfaces with impressive speed
Asus Chromebook CX14

Many SoCs are being prepared for upcoming 2025 devices, and a recent benchmark suggests that a MediaTek chipset could make Chromebooks as fast as they have ever been this year.

Referencing the GeekBench benchmark, ChromeUnboxed discovered the latest scores of the MediaTek MT8196 chip, which has been reported on for some time now. With the chip being housed on the motherboard codenamed ‘Navi,’ the benchmark shows the chip excelling in single-core and multi-core benchmarks, as well as in GPU, NPU, and some other tests run.

Read more
Chrome incognito just got even more private with this change
The Chrome browser on the Nothing Phone 2a.

Google Chrome's Incognito mode and InPrivate just became even more private, as they no longer save copied text and media to the clipboard, according to Windows Latest. The changes apply to Windows 11 and 10 users and were rolled out in 2024. However, neither Microsoft nor Google documented it.

Even though this change is not a recent feature, it's odd that neither tech giant thought it was worth mentioning. Previously, the default setting was that when a user saved text or images to the clipboard history, it was synced with Cloud Clipboard on Windows. Moreover, accessing this synced content was as simple as pressing the Windows and V keys, which poses a security risk, especially when using incognito mode.

Read more