A single click on a malicious .url shortcut file is all it takes: attackers are weaponizing CVE-2023-36025, a CVSS 8.8 Windows SmartScreen bypass, to silently deliver Phemedrone Stealer — an open-source infostealer that drains cryptocurrency wallets, browser credentials, and messaging app sessions in one pass.
Stories Covered
CVE-2023-36025: One Click Deploys Phemedrone Stealer via Windows SmartScreen Bypass
Trend Micro researchers documented an active campaign exploiting CVE-2023-36025, a Windows SmartScreen security bypass vulnerability patched in Microsoft’s November 2023 Patch Tuesday update. The flaw allows a threat actor to craft a malicious Internet shortcut file (a .url extension) that, when clicked by a victim, causes Windows to invoke the file without routing it through the SmartScreen reputation check that would normally flag or block the action. SmartScreen is designed to intercept exactly this kind of click — examining downloaded files and links against known-malicious databases before execution — and the exploit eliminates that check entirely. The attack chain begins with a victim clicking a malicious .url file distributed through Discord or file-sharing services like filetransfer.io, with the raw link further obscured through URL shorteners. Clicking the file exploits CVE-2023-36025 to silently download and execute a malicious control panel (.cpl) file, which loads a malicious DLL acting as a loader, which in turn calls PowerShell to download a second-stage payload hosted on GitHub. That payload is a PowerShell loader that decrypts and executes Phemedrone Stealer using the open-source Donut shellcode framework.
Phemedrone Stealer is actively maintained and publicly available on GitHub, where its developers describe it as “the best open-source stealer” and list its capabilities in detail. The stealer targets Chromium-based browsers for cookies, passwords, autofill data, and credit card numbers; Gecko-based browsers for the same credential categories; Telegram, Steam, and Discord sessions via dynamic path detection; sensitive browser extensions (targeting cryptocurrency-related extensions specifically); and the majority of known cryptocurrency wallet formats. It also captures screenshots and collects hardware, location, and operating system telemetry. Exfiltration runs either directly to the attacker’s command-and-control server or through Telegram, making the operation fully functional with no requirement for persistent server infrastructure the attacker needs to maintain. The stealer is written in C# and is compatible with both 32-bit and 64-bit Windows systems. It includes anti-analysis features: anti-VM, anti-debugger, anti-CIS region targeting, and mutex-based checks to avoid running multiple instances on the same machine.
CVE-2023-36025 was patched in November 2023, and this campaign was actively running in January 2024 — meaning the attackers were relying entirely on the gap between patch availability and actual patching on victim machines. That gap is reliably wide. Months after major patch releases, tens of thousands of systems remain on vulnerable versions, either because update cycles are slow, patching is deferred, or users and organizations simply have not applied available updates. The practical takeaway is straightforward: apply the November 2023 Patch Tuesday update if not already done. In the interim, treat .url extension files from any untrusted source as hostile — this campaign requires a user to click one, and recognizing the file type is a meaningful signal. More broadly, the Phemedrone Stealer is particularly dangerous because modern machines carry real financial assets: cryptocurrency wallets hold funds that, once transferred, cannot be reversed. Browser credential theft feeds directly into credential stuffing attacks against banking and financial accounts. A single successful infostealer infection hands an attacker a complete dossier on the victim’s digital life. Patching is the most effective countermeasure when a known CVE is the entry point.
Leave a Reply