Hackers Trick Windows Into Turning Off Its Own Security Protections
We have already seen attackers abuse SharePoint in phishing campaigns, and now hackers appear to have found a way to bypass Windows security itself.
A new Windows malware campaign shows how attackers can shut down Microsoft Defender and other security tools without exploiting software vulnerabilities.
Security researchers at Fortinet uncovered the attack, which relies on social engineering and abuse of Windows architecture rather than traditional exploits. The campaign highlights how attackers increasingly target user trust and built-in system behavior instead of patchable flaws.
Malware bypasses Defender using Windows’ own security logic
Victims receive what appears to be a routine business document inside a compressed archive. The archive contains malicious shortcut files that look like harmless documents. Once opened, the shortcut launches PowerShell scripts that bypass execution policies and download additional malware.
The malware then disables Microsoft Defender by registering a fake antivirus product. Windows automatically turns off Defender when it detects another active security solution, allowing the malware to neutralize protections without triggering obvious alerts.
Attackers also inject code into trusted Windows processes such as Task Manager, further reducing suspicion.
Core Windows tools and recovery options get disabled
The malware disables Task Manager, Registry Editor, the Run dialog, and System Settings through registry policies. It also neutralizes the Windows Recovery Environment using built-in administrative commands.
Backup catalogs disappear, and the malware deletes all Volume Shadow Copy snapshots, removing common recovery options. By the time users notice unusual behavior, system protections are already gone.
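Each state the campaign tampers with can be read back directly: Defender stands down on Windows client editions when another product registers with the Windows Security Center, so an unexpected entry there is the first thing to look for, followed by the lockout policies and the recovery options. The triage script below is an added example written for this article, not code from the Fortinet research; the approved-product allowlist is a placeholder assumption to adjust for your own estate.

```powershell
# Host triage for the tampering this article describes. Added example, not
# from the Fortinet write-up. Run in an elevated PowerShell on a Windows client.
# Assumption: $ApprovedAv lists the AV products your organisation actually deploys.
$ApprovedAv = @('Windows Defender')   # placeholder allowlist, adjust for your estate
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Products registered with Windows Security Center. A rogue registration here
#    is what makes Defender stand down, so anything not on the allowlist is suspect.
$avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct
foreach ($p in $avProducts) {
    if ($ApprovedAv -notcontains $p.displayName) {
        $findings.Add("Unexpected AV registration: '$($p.displayName)' exe='$($p.pathToSignedProductExe)'")
    }
}

# 2. Defender's own view of its state (passive or disabled means it is not protecting).
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings.Add('Defender antivirus engine is disabled') }
if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
if ($mp.AMRunningMode -ne 'Normal')     { $findings.Add("Defender running mode is '$($mp.AMRunningMode)'") }

# 3. Registry policies that lock the user out of Task Manager, regedit, Run and Settings.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoRun' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' }
)
foreach ($c in $policyChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) { $findings.Add("Lockout policy set: $($c.Name)") }
}

# 4. Recovery options: Windows Recovery Environment status and remaining shadow copies.
if ((reagentc /info) -match 'Windows RE status:\s+Disabled') { $findings.Add('WinRE is disabled') }
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) { $findings.Add('No Volume Shadow Copies present') }

if ($findings.Count -eq 0) { 'No tampering indicators found' } else { $findings }
```

Any unexpected AntiVirusProduct entry should be matched against its signed executable path before the registration is removed, since the malware registers it precisely so that Defender stays off.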
Malware hides in plain sight on trusted platforms
Attack components are hosted on legitimate services like GitHub and Dropbox. This tactic helps the malware blend into normal network traffic and evade detection by security tools.
After disabling defenses, the attack deploys Amnesia RAT, which steals browser data, saved passwords, and cryptocurrency wallet information. The malware then encrypts user data, increasing the damage.
This campaign stands out because it convinces Windows to disable its own defenses. That approach makes detection and response far more difficult than traditional malware techniques.
The discovery follows recent Microsoft-related security events, including a Microsoft 365 outage and the KB5074109 update, which fixed false security alerts caused by certain DLL files.
Via TechRepublic