SmartScreen Vulnerability Exploited To Target Traders

Wajahat Raja

February 28, 2024 - TuxCare expert team

A cybersecurity firm has recently detected a flaw in Microsoft Defender SmartScreen and is terming it a zero-day threat. Target devices are infected with the highly dangerous DarkMe malware through this SmartScreen vulnerability.

The SmartScreen vulnerability attack is believed to be the work of an advanced persistent threat (APT) termed Water Hydra, which is a financially motivated campaign and has been found exploiting a WinRAR zero-day as well.

In this article, we’ll cover the details of the SmartScreen vulnerability in a comprehensive manner.


The phishing campaign by the Water Hydra group has been tracked since December 2023. Besides the SmartScreen vulnerability, abuse of uniform resource locators (URLs) and of Web-based Distributed Authoring and Versioning (WebDAV) components has been associated with Water Hydra.

The Water Hydra group came onto the scene in 2021 and instantly became notorious for phishing the financial market. The attacks launched by the group targeted every kind of financial platform, be it banks, betting sites, casinos, foreign exchange and stock trading forums, or cryptocurrency platforms.

How Does the SmartScreen Vulnerability Attack Work?

The SmartScreen vulnerability in Microsoft Defender was found to be exploited in a sophisticated manner. The attack leverages CVE-2024-21412 to bypass Microsoft Defender SmartScreen and infect devices with the DarkMe malware.

As far as the attack chain is concerned, the user is sent a link to a harmless stock chart image file titled “photo_2023-12-29.jpg.url”. From here, the user is redirected to click on another URL titled “fxbulls[.]ru” which adds a malicious installer named “7z.msi” to their systems. 

The user is pointed to another URL after clicking on the malicious “fxbulls[.]ru.” All this is made possible by the Windows search feature. The second URL is hosted on a remote server, “2.url”. This URL directs the user to a CMD shell script in a ZIP archive. This shell script is hosted on “” which is the same server.
The victim is shown the stock image on his or her device screen while DarkMe is being installed in the background. 
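
For defenders, the shortcut traits described above can be triaged statically. The following is an added example, not code from the article or its sources: it parses the INI-style text of a `.url` Internet Shortcut and flags a decoy inner extension, a file or UNC target, and a target that is itself another `.url`. The extension list, the reason labels, the mapping of WebDAV-hosted targets to `file:`/UNC paths and the `example.test` host are assumptions.

```python
import configparser
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Inner extensions that make a shortcut look like a document or image (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".docx", ".xlsx"}

def parse_target(text):
    """Return the URL= value of the [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    for section in cp.sections():
        if section.lower() == "internetshortcut":
            return cp.get(section, "url", fallback=None)
    return None

def triage(filename, text):
    """Return reasons a .url shortcut (given by base name) needs a closer look."""
    name = filename.lower()
    if not name.endswith(".url"):
        return []
    reasons = []
    # "chart.jpg.url" displays as "chart.jpg" when known extensions are hidden.
    if PurePosixPath(name[:-4]).suffix in DECOY_EXTS:
        reasons.append("decoy-extension")
    target = parse_target(text)
    if target is None:
        return reasons + ["unparseable"]
    t = target.strip().lower()
    # Assumption: WebDAV-hosted targets appear as file: URLs or UNC paths.
    if t.startswith("\\\\") or urlparse(t).scheme == "file":
        reasons.append("file-or-unc-target")
    # A shortcut whose target is another shortcut, like the "2.url" step above.
    if t.split("?")[0].rstrip("/\\").endswith(".url"):
        reasons.append("chains-to-shortcut")
    return reasons

# Constructed samples: file names follow the article, host and contents are made up.
SAMPLES = {
    "photo_2023-12-29.jpg.url":
        "[InternetShortcut]\nURL=file://files.example.test/share/2.url\n",
    "intranet.url":
        "[InternetShortcut]\nURL=https://intranet.example.test/home\n",
}

if __name__ == "__main__":
    for fname, body in SAMPLES.items():
        print(fname, triage(fname, body))
```

A non-empty result is a triage signal for mail or download quarantine, not proof of compromise.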

SmartScreen Vulnerability Impact

The adverse impacts of SmartScreen vulnerability attacks on devices are far-reaching. The DarkMe malware that the devices are infected with is capable of doing the following through the SmartScreen vulnerability.

  • Collection of host’s system information
  • Manipulation of files
  • Creation and deletion of folders
  • Exploitation of Windows Registry
  • Execution of arbitrary commands
  • Taking screenshots
  • Generation of ZIP files
  • Self-updating capability


The SmartScreen vulnerability is a severe cybersecurity threat similar to the FritzFrog Botnet. Although Microsoft addressed the flaw through the SmartScreen vulnerability patch in its February update, all is still not well.

The SmartScreen vulnerability fix will not work if the victim clicks on the link containing harmless content; apparently, the device will still be infected. This warrants enhanced cybersecurity measures so that users, especially financial market traders, can ensure SmartScreen vulnerability prevention.

The sources used for this article include The Hacker News and SecurityWeek.
