CVE-2023-36025
Published 2023-11-14
CVE-2023-36025: Windows SmartScreen Security Feature Bypass Vulnerability
Priority P1 · 92 · High · CVSS 3.1 base score 8.8
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (remediation due 2023-12-05)
Exploited in the wild
EPSS: 88.20% (99.7th percentile)
Windows SmartScreen Security Feature Bypass Vulnerability
Affected
37 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_10_version_1507 | >= 10.0.10240.0 < 10.0.10240.20308 | 10.0.10240.20308 |
| microsoft | windows_10_version_1607 | >= 10.0.14393.0 < 10.0.14393.6452 | 10.0.14393.6452 |
| microsoft | windows_10_version_1809 | >= 10.0.0 < 10.0.17763.5122 | 10.0.17763.5122 |
| microsoft | windows_10_version_1809 | >= 10.0.17763.0 < 10.0.17763.5122 | 10.0.17763.5122 |
| microsoft | windows_10_version_21h2 | >= 10.0.19043.0 < 10.0.19043.3693 | 10.0.19043.3693 |
| microsoft | windows_10_version_22h2 | >= 10.0.19045.0 < 10.0.19045.3693 | 10.0.19045.3693 |
| microsoft | windows_11_version_21h2 | >= 10.0.0 < 10.0.22000.2600 | 10.0.22000.2600 |
| microsoft | windows_11_version_22h2 | >= 10.0.22621.0 < 10.0.22621.2715 | 10.0.22621.2715 |
| microsoft | windows_11_version_22h3 | >= 10.0.22631.0 < 10.0.22631.2715 | 10.0.22631.2715 |
| microsoft | windows_11_version_23h2 | >= 10.0.22631.0 < 10.0.22631.2715 | 10.0.22631.2715 |
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.7601.0 < 6.1.7601.26816 | 6.1.7601.26816 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.6003.0 < 6.0.6003.22367 | 6.0.6003.22367 |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | >= 6.2.9200.0 < 6.2.9200.24569 | 6.2.9200.24569 |
| microsoft | windows_server_2012_r2 | >= 6.3.9600.0 < 6.3.9600.21668 | 6.3.9600.21668 |
| microsoft | windows_server_2016 | < 10.0.14393.6452 | 10.0.14393.6452 |
| microsoft | windows_server_2016 | >= 10.0.14393.0 < 10.0.14393.6452 | 10.0.14393.6452 |
| microsoft | windows_server_2019 | < 10.0.17763.5122 | 10.0.17763.5122 |
| microsoft | windows_server_2019 | >= 10.0.17763.0 < 10.0.17763.5122 | 10.0.17763.5122 |
| microsoft | windows_server_2022 | < 10.0.20348.2113 | 10.0.20348.2113 |
| microsoft | windows_server_2022 | >= 10.0.20348.0 < 10.0.20348.2113 | 10.0.20348.2113 |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
Detection & IOCs (extracted from sources)
Hunts:
- Process: rundll32.exe spawning unexpected child processes after a user interacts with a shortcut file.
- Hunt for .URL files where the URL= parameter points to a UNC path (file:// or \\server\share\) rather than http:// or https://. This is the core exploit primitive for CVE-2023-36025.
- Alert on outbound SMB (TCP 445) or WebDAV connections initiated immediately after a user opens a .URL or shortcut file; this indicates payload retrieval from an attacker-controlled share.
- Detect rundll32.exe or ieframe.dll spawning unexpected child processes following user interaction with a .URL shortcut file.
- Monitor for creation of the scheduled task named 'Licensing2' executing WerFaultSecure.exe from C:\Users\Public\Libraries\Books at 90-minute intervals; this is the persistence mechanism used by Phemedrone Stealer.
- Detect creation of the directory C:\Users\Public\Libraries\Books containing wer.dll, secure.pdf, and WerFaultSecure.exe, a hallmark of Phemedrone Stealer staging.
- Hunt for the mutex value 5dad16bd-6884-4ab8-b182-a504b4c99bcf to identify active Phemedrone Stealer infections.
- Flag .MSI files delivered via open redirect URLs (e.g., Google DoubleClick/DDM) that contain a ZIP archive exploiting CVE-2023-36025 in their path, as used in DarkGate campaigns.
- Monitor for WerFaultSecure.exe (a legitimate binary) loading wer.dll from the same directory, the DLL sideloading technique used by Phemedrone Stealer.
Notes:
- CVE-2023-36025 was patched by Microsoft on November 14, 2023 (Patch Tuesday). Exploitation was confirmed in the wild as a zero-day prior to patching, and CISA added it to the Known Exploited Vulnerabilities (KEV) list.
- Patching CVE-2023-36025 did not fully stop exploitation; threat actors pivoted to CVE-2024-21412 as a bypass of the same patched component, demonstrating that patching alone is insufficient without defense-in-depth.
- The exploit requires user interaction: the victim must be convinced to open a malicious .URL file. Social engineering via phishing emails (ZIP attachments), Discord links, or file-sharing sites is the primary delivery vector.
- Blocking outbound TCP port 445 at the perimeter prevents payload retrieval from attacker-controlled SMB/WebDAV shares, mitigating exploitation even on unpatched systems.
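The .URL hunt above can be turned into a small triage tool. The following is an added example written for this page, not code from any of the sources it cites: it parses the [InternetShortcut] section of a shortcut file, classifies the URL= target, and flags targets that live on a remote SMB/WebDAV share rather than a web address, which is the primitive the hunt describes. The sample shortcut bodies, the host names and the documentation-range IP 192.0.2.10 are constructed; the payload extension list is assembled from the Suricata signatures and campaign notes on this page.

```python
"""Triage Internet Shortcut (.URL) files for the CVE-2023-36025 lure pattern:
a URL= value that points at a remote SMB/WebDAV share (file:// or \\server\share)
instead of an http(s) address. Added example; not code from the page's sources."""
import re
from dataclasses import dataclass
from typing import Optional

# Payload extensions taken from this page's ET Suricata rules (.vbs/.zip/.exe)
# and the DarkGate campaign note (.msi). Extend to taste.
PAYLOAD_EXTENSIONS = {".vbs", ".zip", ".exe", ".msi"}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}


@dataclass
class ShortcutVerdict:
    target: str              # raw URL= value
    scheme: str              # "https", "file", "unc", ...
    host: str                # server component, if any
    extension: str           # extension of the final path segment, lower-cased
    remote_share: bool       # target lives on a UNC / WebDAV share
    payload_extension: bool  # extension matches the known payload set

    @property
    def suspicious(self) -> bool:
        # The hunt keys on the remote-share target alone; the extension match
        # is extra confidence, mirroring what the ET rules look for.
        return self.remote_share


def parse_internet_shortcut(text: str) -> Optional[str]:
    """Return the URL= value from the [InternetShortcut] section, or None."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut":
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "url":
                return value.strip()
    return None


def _extension(path: str) -> str:
    """Extension of the last path segment, ignoring query/fragment."""
    last = re.split(r"[/\\]", path.split("?", 1)[0].split("#", 1)[0])[-1]
    dot = last.rfind(".")
    return last[dot:].lower() if dot > 0 else ""


def classify_target(target: str) -> ShortcutVerdict:
    """Classify a URL= value by scheme and by whether it points at a share."""
    t = target.strip()
    scheme, host, path, remote = "", "", t, False
    if re.match(r"^[A-Za-z]:[\\/]", t):
        scheme = "file"                      # bare local drive path, e.g. C:\...
    elif t.startswith("\\\\") or t.startswith("//"):
        # Bare UNC path: \\server\share\file (WebDAV: \\server@SSL\DavWWWRoot\...)
        scheme = "unc"
        host, _, path = t[2:].replace("\\", "/").partition("/")
        remote = host.lower() not in LOCAL_HOSTS
    else:
        m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):(.*)$", t)
        if m:
            scheme, rest = m.group(1).lower(), m.group(2).replace("\\", "/")
            if scheme == "file":
                body = rest.lstrip("/")
                if re.match(r"^[A-Za-z]:", body):
                    path = body              # file:///C:/... is a local drive
                elif rest.startswith("//"):
                    host, _, path = body.partition("/")   # file://server/share/...
                    remote = host.lower() not in LOCAL_HOSTS
                else:
                    path = body
            else:
                host, _, path = rest.lstrip("/").partition("/")
    ext = _extension(path)
    return ShortcutVerdict(t, scheme, host, ext, remote, ext in PAYLOAD_EXTENSIONS)


def triage_shortcut(text: str) -> Optional[ShortcutVerdict]:
    """Parse a .URL file body and classify its target; None if no URL= key."""
    url = parse_internet_shortcut(text)
    return classify_target(url) if url is not None else None


# Constructed sample shortcut bodies (not real campaign artifacts).
SAMPLES = {
    "benign_web": "[InternetShortcut]\r\nURL=https://example.com/docs/page.html\r\n",
    "local_file": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/readme.txt\r\n",
    "remote_file_uri": "[InternetShortcut]\r\nURL=file://192.0.2.10/share/invoice.vbs\r\nIconIndex=1\r\n",
    "remote_unc": "[InternetShortcut]\r\nURL=\\\\fileshare.example@SSL\\DavWWWRoot\\setup.exe\r\n",
    "no_url_key": "[InternetShortcut]\r\nIconIndex=1\r\n",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        v = triage_shortcut(body)
        if v is None:
            print(f"{name}: no URL= key")
        else:
            print(f"{name}: scheme={v.scheme} host={v.host} ext={v.extension} "
                  f"remote_share={v.remote_share} suspicious={v.suspicious}")
```

Run it over a mail-gateway quarantine or a directory of extracted ZIP attachments and alert on `suspicious`; a `payload_extension` hit on top of that is the same combination the ET signatures on this page key on, so it is a good candidate for a higher-severity rule.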
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck8.8HIGH
cisa8.8HIGH
vendor_msrc8.8HIGH
GHSA
GHSA-4jff-227j-6g3v: Windows SmartScreen Security Feature Bypass Vulnerability
ghsa_unreviewed·2023-11-14
CVE-2023-36025 [HIGH] GHSA-4jff-227j-6g3v: Windows SmartScreen Security Feature Bypass Vulnerability
Windows SmartScreen Security Feature Bypass Vulnerability
VulnCheck
Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
vulncheck·2023·CVSS 8.8
CVE-2023-36025 [HIGH] Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts.
Affected: Microsoft Windows
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2023-Nov; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://twitter.com/ffforward/status/1726540034462159165; https://www.trendmicro.com/en_us/research/24/a/cve-2023-36025-exploited-for-defense-evasion-in-phemedrone-steal.html; https://uni
Microsoft
Windows SmartScreen Security Feature Bypass Vulnerability
vendor_msrc·2023-11-14·CVSS 8.8
CVE-2023-36025 [HIGH] Windows SmartScreen Security Feature Bypass Vulnerability
Windows SmartScreen Security Feature Bypass Vulnerability
FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability?
The attacker would be able to bypass Windows Defender SmartScreen checks and their associated prompts.
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker.
Windows SmartScreen: Windows SmartScreen
Microsoft: Microsoft
Customer Action Required: Yes
Impact: Security Feature Bypass
Exploit Status: Publicly Disclosed:Yes;Exploited:Yes;Latest Software Release:Exploitation Detected
Reference: https://catalog.
CISA
Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
cisa·2023-11-14·CVSS 8.8
CVE-2023-36025 [HIGH] Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
Vulnerability: Microsoft Windows SmartScreen Security Feature Bypass Vulnerability
Affected: Microsoft Windows
Microsoft Windows SmartScreen contains a security feature bypass vulnerability that could allow an attacker to bypass Windows Defender SmartScreen checks and their associated prompts.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-36025; https://nvd.nist.gov/vuln/detail/CVE-2023-36025
Remediation Due Date: 2023-12-05
Suricata
ET MALWARE WebDAV Retrieving .vbs from .url M1 (CVE-2023-36025)
suricata·2023-11-29·CVSS 8.8
CVE-2023-36025 [HIGH] ET MALWARE WebDAV Retrieving .vbs from .url M1 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .vbs from .url M1 (CVE-2023-36025)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WebDAV Retrieving .vbs from .url M1 (CVE-2023-36025)"; flow:established,to_client; xbits:isset,ET.PROPFIND,track ip_dst; http.stat_code; content:"200"; http.content_type; bsize:22; content:"application/x-mswinurl"; file.data; content:"[InternetShortcut]"; content:"URL=file://"; distance:0; fast_pattern; content:".vbs"; distance:0; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025; reference:url,vulnera.com/newswire/windows-zero-day-cve-2023-36025-vulnerability-poc-exploit-published-by-researchers; reference:cve,2023-36025; classtype:trojan-activity; sid:2049398; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bi
Suricata
ET MALWARE WebDAV Retrieving .vbs from .url M2 (CVE-2023-36025)
suricata·2023-11-29·CVSS 8.8
CVE-2023-36025 [HIGH] ET MALWARE WebDAV Retrieving .vbs from .url M2 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .vbs from .url M2 (CVE-2023-36025)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WebDAV Retrieving .vbs from .url M2 (CVE-2023-36025)"; flow:established,to_client; flowbits:isset,ET.WebDAVURL; http.stat_code; content:"200"; file.data; content:"[InternetShortcut]"; fast_pattern; content:".vbs"; distance:0; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025; reference:url,vulnera.com/newswire/windows-zero-day-cve-2023-36025-vulnerability-poc-exploit-published-by-researchers; reference:cve,2023-36025; classtype:trojan-activity; sid:2049399; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_11_29, cve CVE_2023_36025, deployment Perimeter, deployme
Suricata
ET MALWARE WebDAV Retrieving .zip from .url M2 (CVE-2023-36025)
suricata·2023-11-28·CVSS 8.8
CVE-2023-36025 [HIGH] ET MALWARE WebDAV Retrieving .zip from .url M2 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .zip from .url M2 (CVE-2023-36025)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WebDAV Retrieving .zip from .url M2 (CVE-2023-36025)"; flow:established,to_client; flowbits:isset,ET.WebDAVURL; http.stat_code; content:"200"; file.data; content:"[InternetShortcut]"; fast_pattern; content:".zip"; distance:0; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025; reference:url,vulnera.com/newswire/windows-zero-day-cve-2023-36025-vulnerability-poc-exploit-published-by-researchers; reference:cve,2023-36025; classtype:trojan-activity; sid:2049320; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_11_28, cve CVE_2023_36025, deployment Perimeter, deployme
Suricata
ET MALWARE WebDAV Retrieving .exe from .url M2 (CVE-2023-36025)
suricata·2023-11-28·CVSS 8.8
CVE-2023-36025 [HIGH] ET MALWARE WebDAV Retrieving .exe from .url M2 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .exe from .url M2 (CVE-2023-36025)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WebDAV Retrieving .exe from .url M2 (CVE-2023-36025)"; flow:established,to_client; flowbits:isset,ET.WebDAVURL; http.stat_code; content:"200"; file.data; content:"[InternetShortcut]"; fast_pattern; content:".exe"; distance:0; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025; reference:url,vulnera.com/newswire/windows-zero-day-cve-2023-36025-vulnerability-poc-exploit-published-by-researchers; reference:cve,2023-36025; classtype:trojan-activity; sid:2049321; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2023_11_28, cve CVE_2023_36025, deployment Perimeter, deployme
Suricata
ET MALWARE WebDAV Retrieving .exe from .url M1 (CVE-2023-36025)
suricata·2023-11-27·CVSS 8.8
CVE-2023-36025 [HIGH] ET MALWARE WebDAV Retrieving .exe from .url M1 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .exe from .url M1 (CVE-2023-36025)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WebDAV Retrieving .exe from .url M1 (CVE-2023-36025)"; flow:established,to_client; xbits:isset, ET.PROPFIND,track ip_dst; http.stat_code; content:"200"; http.content_type; bsize:22; content:"application/x-mswinurl"; file.data; content:"[InternetShortcut]"; content:"URL=file://"; distance:0; fast_pattern; content:".exe"; distance:0; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025; reference:url,vulnera.com/newswire/windows-zero-day-cve-2023-36025-vulnerability-poc-exploit-published-by-researchers; reference:cve,2023-36025; classtype:trojan-activity; sid:2049316; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_B
Suricata
ET MALWARE WebDAV Retrieving .zip from .url M1 (CVE-2023-36025)
suricata·2023-11-27·CVSS 8.8
CVE-2023-36025 [HIGH] ET MALWARE WebDAV Retrieving .zip from .url M1 (CVE-2023-36025)
ET MALWARE WebDAV Retrieving .zip from .url M1 (CVE-2023-36025)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE WebDAV Retrieving .zip from .url M1 (CVE-2023-36025)"; flow:established,to_client; xbits:isset, ET.PROPFIND,track ip_dst; http.stat_code; content:"200"; http.content_type; bsize:22; content:"application/x-mswinurl"; file.data; content:"[InternetShortcut]"; content:"URL=file://"; distance:0; fast_pattern; content:".zip"; distance:0; reference:url,msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36025; reference:url,vulnera.com/newswire/windows-zero-day-cve-2023-36025-vulnerability-poc-exploit-published-by-researchers; reference:cve,2023-36025; classtype:trojan-activity; sid:2049317; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_B
No public exploits indexed.
Elastic
Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses — Elastic Security Labs
blogs_elastic·2024-10-28
Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses — Elastic Security Labs
28 October 2024 · Jia Yu Chan, Salim Bitam, Daniel Stepanic, Samir Bousseaden, Cyril François, Seth Goodwin
# Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses
Elastic Security Labs breaks down bypass implementations from the infostealer ecosystem’s reaction to Chrome 127's Application-Bound Encryption scheme.
12 min read · Malware Analysis
# Introduction
In July, Google announced a new protection mechanism for cookies stored within Chrome on Windows, known as Application-Bound Encryption. There is no doubt this security implementation has raised the bar and directly impacted the malware ecosystem. After months with this new feature, many infostealers have written new code to bypass this protection (as the Chrome Security Team predicted) in order to stay competitive in the
Checkpoint
Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
blogs_checkpoint·2024-08-16
CVE-2023-36025 Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
## Unmasking Styx Stealer: How a Hacker’s Slip Led to an Intelligence Treasure Trove
## Key takeaways
Check Point Research (CPR) recently uncovered Styx Stealer, a new malware capable of st
Trendmicro
CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections
blogs_trendmicro·2024-08-15·CVSS 8.1
CVE-2024-38213 [HIGH] CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections
# CVE-2024-38213: Copy2Pwn Exploit Evades Windows Web Protections
Learn how the cve-2024-38213 and copy2pwn exploit evades Windows web protections.
By: Peter Girnus
2024/08/15
Zero Day Initiative threat researchers discovered CVE-2024-38213, a simple and effective way to bypass Windows mark-of-the-web protections leading to remote code execution.
In March 2024, Trend Micro’s Zero Day Initiative Threat Hunting team started analyzing samples connected to the activity carried out by DarkGate operators to infect users through copy-and-paste operations. This DarkGate campaign was an update from a previous campaign in which the DarkGate operators were exploiting a zero-day vulnerability, CVE-2024-21412, which we disclosed to Microsoft earlier this year.
T
Bleepingcomputer
New Windows SmartScreen bypass exploited as zero-day since March
blogs_bleepingcomputer·2024-08-13·CVSS 8.1
[HIGH] New Windows SmartScreen bypass exploited as zero-day since March
## New Windows SmartScreen bypass exploited as zero-day since March
## Sergiu Gatlan
"An attacker who successfully exploited this vulnerability could bypass the SmartScreen user experience. An attacker must send the user a malicious file and convince them to open it," Redmond explains in a security advisory published on Tuesday.
Despite the increased difficulty in exploiting it, Trend Micro security researcher Peter Girnus discovered that the vulnerability was being exploited in the wild in March. Girnus reported the attacks to Microsoft, who patched the flaw during the June 2024 Patch Tuesday. However, the company forgot to include the advisory with that month's security updates (or with July's).
"In March 2024, Trend Micro's Zero Day Initiative Threat Hunting team started analyzing s
Checkpoint
Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
blogs_checkpoint·2024-07-09·CVSS 8.8
CVE-2024-38112 [HIGH] Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
## Resurrecting Internet Explorer: Threat Actors Using Zero-day Tricks in Internet Shortcut File to Lure Victims (CVE-2024-38112)
by Haifei Li
## Introduction and Background
Check Point R
Bleepingcomputer
Microsoft fixes two Windows zero-days exploited in malware attacks
blogs_bleepingcomputer·2024-04-09·CVSS 6.7
CVE-2024-26234 [MEDIUM] Microsoft fixes two Windows zero-days exploited in malware attacks
## Microsoft fixes two Windows zero-days exploited in malware attacks
## Sergiu Gatlan
Microsoft has fixed two actively exploited zero-day vulnerabilities during the April 2024 Patch Tuesday, although the company failed to initially tag them as such.
The first, tracked as CVE-2024-26234 and described as a proxy driver spoofing vulnerability, was issued to track a malicious driver signed using a valid Microsoft Hardware Publisher Certificate that was found by Sophos X-Ops in December 2023 and reported by team lead Christopher Budd.
This malicious file was labeled as "Catalog Authentication Client Service" by "Catalog Thales," likely an attempt to impersonate Thales Group. However, further investigation revealed that it was previously bundled with a marketing software called LaiXi Androi
Bleepingcomputer
Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs
blogs_bleepingcomputer·2024-04-09·CVSS 8.1
[HIGH] Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs
## Microsoft April 2024 Patch Tuesday fixes 150 security flaws, 67 RCEs
## Lawrence Abrams
There were also fixes for twenty-six Secure Boot bypasses released this month, including two from Lenovo.
The number of bugs in each vulnerability category is listed below:
31 Elevation of Privilege Vulnerabilities
29 Security Feature Bypass Vulnerabilities
67 Remote Code Execution Vulnerabilities
13 Information Disclosure Vulnerabilities
7 Denial of Service Vulnerabilities
3 Spoofing Vulnerabilities
The total count of 150 flaws does not include 5 Microsoft Edge flaws fixed on April 4th and 2 Mariner flaws. Mariner is an open-source Linux distribution developed by Microsoft for its Microsoft Azure services.
To learn more about the non-security updates released today, you can review our ded
Trendmicro
CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
blogs_trendmicro·2024-03-13·CVSS 8.1
CVE-2024-21412 [HIGH] CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
Exploits & Vulnerabilities
## CVE-2024-21412: DarkGate Operators Exploit Microsoft Windows SmartScreen Bypass in Zero-Day Campaign
In addition to our Water Hydra APT zero day analysis, the Zero Day Initiative (ZDI) observed a DarkGate campaign which we discovered in mid-January 2024 where DarkGate operators exploited CVE-2024-21412.
By: Peter Girnus, Aliakbar Zahravi, Simon Zuckerbraun · Mar 13, 2024
The Zero Day Initiative (ZDI) recently uncovered a DarkGate campaign in mid-January 2024, which exploited CVE-2024-21412 through the use of fake software installers. During this campaign, users were lured using PDFs that contained Google DoubleClick Digital Marketing (DDM) open redirects that led unsuspecting victims to compromised sites hosting the Microso
Wiz
Crying Out Cloud - March 2024 Newsletter | Wiz
blogs_wiz·2024-03-01·CVSS 8.6
CVE-2024-21626 [HIGH] Crying Out Cloud - March 2024 Newsletter | Wiz
Welcome back! In this edition, we bring you the latest in cloud security – crucial vulnerabilities, exclusive data, and noteworthy incidents. Stay informed and stay secure. Let's delve in.
Here are our cloud security highlights!
## 🐞 High Profile Vulnerabilities
Leaky Vessels: Docker and runc Container Escape Vulnerabilities
Several vulnerabilities have been revealed in the runC command line tool (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653). These flaws pose a risk of container escape, exploiting these vulnerabilities could grant unauthorized access to the host operating system, potentially compromising sensitive data and facilitating further attacks, particularly with superuser privileges.
According to Wiz data, 18% percent of cloud environments have resources
Trendmicro
SmartScreen Vulnerability CVE-2024-21412: Facts and Fixes
blogs_trendmicro·2024-02-16·CVSS 8.8
CVE-2024-21412 [HIGH] SmartScreen Vulnerability CVE-2024-21412: Facts and Fixes
APT and Targeted Attacks
## SmartScreen Vulnerability CVE-2024-21412: Facts and Fixes
The APT group Water Hydra is currently actively exploiting the vulnerability CVE-2024-21412. We provide all the necessary information on CVE-2024-21412, how threat actors can use it, and how organizations can protect themselves.
By: Trend Micro · Feb 16, 2024
On February 13, 2024, Microsoft released a patch for CVE-2024-21412, a Microsoft Defender SmartScreen vulnerability relating to Internet Shortcuts. We had previously discovered that an APT group named Water Hydra was exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders. The flaw makes it possible to bypass Microsoft Defender SmartScreen and infect potential victims with
Trendmicro
SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes
blogs_trendmicro·2024-02-13·CVSS 8.8
CVE-2024-21412 [HIGH] SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes
Exploits & Vulnerabilities
## SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes
This entry aims to provide additional context to CVE-2024-21412, how it can be used by threat actors, and how Trend protects customers from this specific vulnerability.
By: Trend Micro Research · Feb 13, 2024
On Feb. 13, 2024, Microsoft issued a patch for CVE-2024-21412, a Microsoft Defender SmartScreen vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote acce
Tenable
Microsoft’s February 2024 Patch Tuesday Addresses 73 CVEs (CVE-2024-21351, CVE-2024-21412)
blogs_tenable·2024-02-13·CVSS 7.6
[HIGH] Microsoft’s February 2024 Patch Tuesday Addresses 73 CVEs (CVE-2024-21351, CVE-2024-21412)
Bleepingcomputer
Hackers used new Windows Defender zero-day to drop DarkMe malware
blogs_bleepingcomputer·2024-02-13·CVSS 8.8
CVE-2024-21412 [HIGH] Hackers used new Windows Defender zero-day to drop DarkMe malware
## Hackers used new Windows Defender zero-day to drop DarkMe malware
## Sergiu Gatlan
"However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link."
Trend Micro security researcher Peter Girnus, credited for reporting this zero-day, revealed that the CVE-2024-21412 flaw bypasses another Defender SmartScreen vulnerability (CVE-2023-36025).
CVE-2023-36025 was patched during the November 2023 Patch Tuesday , and, as Trend Micro revealed last month, it was also exploited to bypass Windows security prompts when opening URL files to deploy the Phemedrone info-stealer malware .
## Zero-day used to target financial market traders
The zero-day that Microsoft patch
Trendmicro
SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes
blogs_trendmicro·2024-02-13·CVSS 8.8
CVE-2024-21412 [HIGH] SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes
Exploits & Vulnerabilities
## SmartScreen Vulnerability: CVE-2024-21412 Facts and Fixes
This entry aims to provide additional context to CVE-2024-21412, how it can be used by threat actors, and how Trend protects customers from this specific vulnerability.
By: Trend Micro Research · 2024/02/13
On Feb. 13, 2024, Microsoft issued a patch for CVE-2024-21412, a Microsoft Defender SmartScreen vulnerability revolving around internet shortcuts. Previously, we discovered that an advanced persistent threat (APT) group we track under the name Water Hydra has been exploiting CVE-2024-21412 in a sophisticated campaign targeting financial market traders, allowing the group to bypass Microsoft Defender SmartScreen and infect its victims with the DarkMe remote access
Trendmicro
CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
blogs_trendmicro·2024-02-13·CVSS 8.1
CVE-2024-21412 [HIGH] CVE-2024-21412: Water Hydra Targets Traders with Microsoft Defender SmartScreen Zero-Day
Exploitation of Vulnerabilities
## CVE-2024-21412: Water Hydra Targets Traders With Microsoft Defender SmartScreen Zero-Day
The APT group Water Hydra has been exploiting the Microsoft Defender SmartScreen vulnerability (CVE-2024-21412) in its campaigns targeting financial market traders. This vulnerability, which has now been patched by Microsoft, was discovered and disclosed by the Trend Micro Zero Day Initiative.
By: Peter Girnus, Aliakbar Zahravi, Simon Zuckerbraun Feb 13, 2024
The Trend Micro Zero Day Initiative discovered the vulnerability CVE-2024-21412 which we track as ZDI-CAN-23100, and alerted Microsoft of a Microsoft Defender SmartScreen bypass used as part of a sophisticated zero-day attack chain by the advanced persistent threat (APT) group
Krebs
Fat Patch Tuesday, February 2024 Edition
blogs_krebs·2024-02-13·CVSS 5.4
CVE-2024-21412 [MEDIUM] Fat Patch Tuesday, February 2024 Edition
Microsoft Corp. today pushed software updates to plug more than 70 security holes in its Windows operating systems and related products, including two zero-day vulnerabilities that are already being exploited in active attacks.
Top of the heap on this Fat Patch Tuesday is CVE-2024-21412, a “security feature bypass” in the way Windows handles Internet Shortcut Files that Microsoft says is being targeted in active exploits. Redmond’s advisory for this bug says an attacker would need to convince or trick a user into opening a malicious shortcut file.
Researchers at Trend Micro have tied the ongoing exploitation of CVE-2024-21412 to an advanced persistent threat group dubbed “Water Hydra,” which they say has been using the vulnerability to execute a malicious Microsoft Installer File (.msi)
Unit42
Exploring the Latest Mispadu Stealer Variant
blogs_unit42·2024-02-02·CVSS 8.8
CVE-2023-36025 [HIGH] Exploring the Latest Mispadu Stealer Variant
## Exploring the Latest Mispadu Stealer Variant
Daniela Shalev
Josh Grunzweig
Published: February 2, 2024
## Executive Summary
Unit 42 researchers recently discovered activity attributed to Mispadu Stealer, a stealthy infostealer first reported in 2019. We found this activity as part of the Unit 42 Managed Threat Hunting offering. We discovered this threat activity while hunting for the SmartScreen CVE-2023-36025 vulnerability.
When we hunted for exploitation of the CVE-2023-36025 vulnerability in this case, we discovered an infostealer family that targets specific regions and URLs that are most commonly associated with citizens of Mexico. We identified a new variant of Mispadu Stealer, which we analyze here.
Palo Alto Networks customers are better protected from the threats described in this article through Cortex XDR and WildFire malware analysis. Advanced URL Filtering and DNS Security i
Bleepingcomputer
Windows SmartScreen flaw exploited to drop Phemedrone malware
blogs_bleepingcomputer·2024-01-15·CVSS 8.8
CVE-2023-36025 [HIGH] Windows SmartScreen flaw exploited to drop Phemedrone malware
## Windows SmartScreen flaw exploited to drop Phemedrone malware
## Bill Toulas
"The user would have to click on a specially crafted Internet Shortcut (.URL) or a hyperlink pointing to an Internet Shortcut file to be compromised by the attacker," explains the CVE-2023-36025 security bulletin.
Not many details were initially shared about the exploitation of CVE-2023-36025 in the wild, but proof-of-concept exploits published shortly after elevated the risk for unpatched Windows systems.
Trend Micro's researchers report that the Phemedrone campaign is not the only malware family they've seen targeting the particular flaw in Windows, with other cases involving ransomware.
## Bypassing SmartScreen
The attackers host malicious URL files on trustworthy cloud services like Discord and FireTr
Trendmicro
CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign
blogs_trendmicro·2024-01-12·CVSS 8.8
CVE-2023-36025 [HIGH] CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign
Exploits & Vulnerabilities
## CVE-2023-36025 Exploited for Defense Evasion in Phemedrone Stealer Campaign
This blog delves into the Phemedrone Stealer campaign's exploitation of CVE-2023-36025, the Windows Defender SmartScreen Bypass vulnerability, for its defense evasion and investigates the malware's payload.
By: Peter Girnus, Aliakbar Zahravi, Simon Zuckerbraun Jan 12, 2024
During routine threat hunting, Trend Micro uncovered evidence pointing to an active exploitation of CVE-2023-36025 to infect users with a previously unknown strain of the malware, Phemedrone Stealer.
Phemedrone targets web browsers and data from cryptocurrency wallets and messaging apps such as Telegram, Steam, and Discord. It also takes screenshots and gathers system informati
Krebs
Microsoft Patch Tuesday, November 2023 Edition
blogs_krebs·2023-11-15·CVSS 8.8
CVE-2023-36025 [HIGH] Microsoft Patch Tuesday, November 2023 Edition
Microsoft today released updates to fix more than five dozen security holes in its Windows operating systems and related software, including three “zero day” vulnerabilities that Microsoft warns are already being exploited in active attacks.
The zero-day threats targeting Microsoft this month include CVE-2023-36025, a weakness that allows malicious content to bypass the Windows SmartScreen Security feature. SmartScreen is a built-in Windows component that tries to detect and block malicious websites and files. Microsoft’s security advisory for this flaw says attackers could exploit it by getting a Windows user to click on a booby-trapped link to a shortcut file.
Kevin Breen, senior director of threat research at Immersive Labs, said emails with .url attachments or logs with processes spa
Trendmicro
The November 2023 Security Update Review
blogs_trendmicro·2023-11-14·CVSS 8.8
[HIGH] The November 2023 Security Update Review
## The November 2023 Security Update Review
Get the November 2023 security update and review.
By: Zero Day Initiative 2023/11/14
It’s the penultimate second Tuesday of 2023, and Microsoft and Adobe have released their latest security patches into the crisp, fall air. Take a break from your scheduled activities and join us as we review the details of their latest advisories. If you’d rather watch the video recap, you can check it out here:
| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2023-36033 | Windows DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | Yes | Yes | EoP |
| CVE-2023-36036 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2023-36025 | Windows SmartSc | | | | | |
Talos
Microsoft discloses only three critical vulnerabilities in November’s Patch Tuesday update, three other zero-days
blogs_talos·2023-11-14·CVSS 8.8
[HIGH] Microsoft discloses only three critical vulnerabilities in November’s Patch Tuesday update, three other zero-days
Microsoft’s monthly security update released Tuesday only includes three critical vulnerabilities, an unusually small number based on previous months’ Patch Tuesdays.
In all, this set of vulnerabilities Microsoft patched includes 57 vulnerabilities, 54 of which are considered “important.” This is the fewest number of vulnerabilities Microsoft disclosed in a month since May.
However, there are three zero-day vulnerabilities included in November’s Patch Tuesday, and another three that have already been publicly disclosed.
CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library that could allow an attacker to gain SYSTEM-level privileges. According to Microsoft, this vulnerability has already been exploited in the wild and there is proof-of-concept code av
Bleepingcomputer
Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws
blogs_bleepingcomputer·2023-11-14·CVSS 7.8
[HIGH] Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws
## Microsoft November 2023 Patch Tuesday fixes 5 zero-days, 58 flaws
## Lawrence Abrams
- 16 Elevation of Privilege Vulnerabilities
- 6 Security Feature Bypass Vulnerabilities
- 15 Remote Code Execution Vulnerabilities
- 6 Information Disclosure Vulnerabilities
- 5 Denial of Service Vulnerabilities
- 11 Spoofing Vulnerabilities
The total count of 58 flaws does not include 5 Mariner security updates and 20 Microsoft Edge security updates released earlier this month.
To learn more about the non-security updates released today, you can review our dedicated articles on the new Windows 11 KB5032190 cumulative update and Windows 10 KB5032189 cumulative update.
## Five zero-days fixed
This month's Patch Tuesday fixes five zero-day vulnerabilities, with three exploited in attacks and three publicl
Trendmicro
The November 2023 Security Update Review
blogs_trendmicro·2023-11-14
The November 2023 Security Update Review
# The November 2023 Security Update Review
Get the November 2023 security update and review.
By: Zero Day Initiative 2023/11/14
Adobe Patches for November 2023
For November, Adobe released 14 bulletins addressing 76 CVEs in Adobe Acrobat and Reader, ColdFusion, Audition, Premiere Pro, After Effects, Media Encoder, Dimension, Animate, InCopy, InDesign, RoboHelp, FrameMaker Publishing Server, Bridge, and Photoshop. A total of 54 of these bugs
Qualys
November 2023 Patch Tuesday: MS and Adobe Remediation | Qualys
blogs_qualys·2023-11-14
November 2023 Patch Tuesday: MS and Adobe Remediation | Qualys
#### Table of Contents
- Microsoft Patch Tuesday for November 2023
- Adobe Patches for November 2023
- Zero-day Vulnerabilities Patched in November Patch Tuesday Edition
- Other Critical Severity Vulnerabilities Patched in November Patch Tuesday Edition
- Other Microsoft Vulnerability Highlights
- Microsoft Release Summary
- Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
- Rapid Response with Patch Management (PM)
- EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)
- EXECUTE Mitigation Using Qualys Custom Assessment and Remediation (CAR)
- Qualys Monthly Webinar Series
Microsoft released its second last Patch Tuesday edition of the year. We invite you to join us to review and discuss the details of these security updates and
Talos
Microsoft discloses only three critical vulnerabilities in November’s Patch Tuesday update, three other zero-days
blogs_talos·2023-11-14·CVSS 8.8
[HIGH] Microsoft discloses only three critical vulnerabilities in November’s Patch Tuesday update, three other zero-days
## Microsoft discloses only three critical vulnerabilities in November’s Patch Tuesday update, three other zero-days
Microsoft’s monthly security update released Tuesday only includes three critical vulnerabilities, an unusually small number based on previous months’ Patch Tuesdays .
In all, this set of vulnerabilities Microsoft patched includes 57 vulnerabilities, 54 of which are considered “important.” This is the fewest number of vulnerabilities Microsoft disclosed in a month since May.
However, there are three zero-day vulnerabilities included in November’s Patch Tuesday, and another three that have already been publicly disclosed.
CVE-2023-36033 is an elevation of privilege vulnerability in the Windows DWM Core Library that could allow an attacker to gain SYSTEM-level privileges.
Tenable
Microsoft’s November 2023 Patch Tuesday Addresses 57 CVEs (CVE-2023-36025)
blogs_tenable·2023-11-14·CVSS 8.8
[HIGH] Microsoft’s November 2023 Patch Tuesday Addresses 57 CVEs (CVE-2023-36025)
Huntress
CVE-2023-36025 (SmartScreen Bypass) Vulnerability: Analysis & Detection | Huntress
blogs_huntress·CVSS 8.8
CVE-2023-36025 [HIGH] CVE-2023-36025 (SmartScreen Bypass) Vulnerability: Analysis & Detection | Huntress
CVE-2023-36025 Vulnerability
Published: 02/20/2026
Written by: Nadine Rozell
## What is CVE-2023-36025 vulnerability?
CVE-2023-36025 is a flaw in how Windows Defender SmartScreen processes specific internet shortcut files (.URL).
Normally, SmartScreen analyzes files downloaded from the web ("Mark of the Web") and warns the user if the file is potentially dangerous. By exploiting this vulnerability, an attacker can create a specially crafted .URL file that bypasses these checks entirely.
It is rated High (CVSS 8.8) because it allows for the silent execution of malicious payloads without the user receiving the expected warning prompts.
## When was it discovered?
The vulnerability was publicly disclosed and patched by Microsoft on November 14, 2023 (Patch Tuesday). At the time of re
- 2023-11-14: Published
- 2023-11-14: Added to CISA KEV
- Exploited in the wild