Mallory
Malware / Ransomware

Defendnot

Defendnot is a tool that disables Microsoft Defender on Windows by registering a fake antivirus product with Windows Security Center (WSC) through the IWscAvStatus interface. Windows turns Defender off whenever a third-party antivirus registers, to avoid running two real-time engines side by side, so the forged registration is enough to make Defender stand down. The content describes it as a research tool originally written to demonstrate weaknesses in the Windows Security Center trust model and later repurposed operationally in malware campaigns.

Behavior described in the content includes process injection into a trusted Microsoft-signed process such as Taskmgr.exe, interaction with undocumented, vendor-oriented WSC APIs from inside that process, and the fraudulent antivirus registration itself. In some reporting, Defendnot components were deployed as defendnot.dll and defendnot-loader.exe under %PROGRAMDATA%. The injection step can surface in Sysmon Event IDs 7 (image loaded), 8 (CreateRemoteThread) and 10 (ProcessAccess), and the loader's launch in Security Event ID 4688 (process creation). Optional persistence artifacts mentioned alongside its use include autorun registry entries and scheduled task creation or modification.

Defendnot appears in a multi-stage phishing campaign primarily targeting users and organizations in Russia. In that campaign, victims were lured via compressed archives containing business/accounting-themed decoys and malicious LNK files that launched PowerShell to retrieve additional stages from GitHub. After privilege escalation attempts through repeated UAC prompts, the malware disabled Defender through PowerShell configuration changes, exclusions, and Defendnot deployment, then proceeded with reconnaissance, screenshot capture, Amnesia RAT installation, and Hakuna Matata-derived ransomware/WinLocker deployment. Associated infrastructure and tooling mentioned in the content include GitHub and Dropbox for payload hosting and Telegram Bot API for operator notification and exfiltration.

High-confidence indicators and artifacts directly mentioned in the content include Defendnot registering a fake AV in Windows Security Center, possible visible registration of a fake antivirus product in the GUI, Defender state changes, deployment paths such as %PROGRAMDATA%\defendnot.dll and %PROGRAMDATA%\defendnot-loader.exe, and abuse of Taskmgr.exe as an injection target. The primary purpose consistently described is defense evasion through neutralization of Microsoft Defender rather than direct exploitation of Defender itself.
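The following hunt script is an added example, not code from the Mallory page or from the defendnot project. It checks, on a single Windows host, each artifact the description above names: WSC's list of registered antivirus products (an allow-list rather than a name match, because the registered product name is attacker-chosen), Defender's resulting state, PowerShell-driven exclusions and monitoring changes of the kind the campaign used, the cited %PROGRAMDATA% file names, Sysmon 7/8/10 events targeting Taskmgr.exe, and Run-key or scheduled-task persistence. The `$knownAv` allow-list, the seven-day window, and the `defendnot` string matches are assumptions to tune for your environment.

```powershell
# Added hunt script; not code from the Mallory page or the defendnot project.
# ASSUMPTIONS: run in an elevated PowerShell on the host; Sysmon logs to its default
# channel; the Defender cmdlets are present; $knownAv lists the AV you actually deploy.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. What WSC believes is installed. root/SecurityCenter2 is the WMI view of WSC's
#    registrations; an allow-list beats name matching because the registered name is attacker-chosen.
$knownAv = @('Windows Defender')   # ASSUMPTION: placeholder allow-list
Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct | ForEach-Object {
    if ($knownAv -notcontains $_.displayName) {
        $findings.Add(("Unexpected AV in WSC: '{0}' state=0x{1:X} exe='{2}'" -f $_.displayName, $_.productState, $_.pathToSignedProductExe))
    }
}

# 2. Defender's own view. A registered third-party AV pushes Defender into a passive mode
#    with real-time protection off, which is the outcome the page describes.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    $findings.Add("Defender off: AntivirusEnabled=$($mp.AntivirusEnabled) RealTime=$($mp.RealTimeProtectionEnabled) Mode=$($mp.AMRunningMode)")
}

# 3. PowerShell-driven tampering seen in the campaign: exclusions and disabled monitoring.
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) { $findings.Add('MpPreference: DisableRealtimeMonitoring is set') }
foreach ($ex in @($pref.ExclusionPath) + @($pref.ExclusionProcess) + @($pref.ExclusionExtension)) {
    if ($ex) { $findings.Add("Defender exclusion: $ex") }
}

# 4. On-disk artifacts cited on the page. The names are a starting point only; a loader can be renamed.
foreach ($f in @("$env:ProgramData\defendnot.dll", "$env:ProgramData\defendnot-loader.exe")) {
    if (Test-Path -LiteralPath $f) {
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $sig  = (Get-AuthenticodeSignature -LiteralPath $f).Status
        $findings.Add("Artifact on disk: $f sha256=$hash signature=$sig")
    }
}

# 5. Sysmon injection telemetry against Taskmgr.exe: ID 7 (module load), 8 (CreateRemoteThread),
#    10 (ProcessAccess). Legitimate access to Task Manager normally comes from Windows' own binaries.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7, 8, 10; StartTime = (Get-Date).AddDays(-7)
}
foreach ($e in $events) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $hit = switch ($e.Id) {
        7  { $d.Image -like '*\Taskmgr.exe' -and $d.Signed -ne 'true' }
        8  { $d.TargetImage -like '*\Taskmgr.exe' }
        10 { $d.TargetImage -like '*\Taskmgr.exe' -and $d.SourceImage -notlike "$env:SystemRoot\*" }
    }
    if ($hit) {
        $src = if ($e.Id -eq 7) { $d.ImageLoaded } else { $d.SourceImage }
        $findings.Add("Sysmon ID $($e.Id) at $($e.TimeCreated): $src -> Taskmgr.exe")
    }
}

# 6. Optional persistence the page lists: Run keys (Sysmon ID 13 also records the set) and scheduled tasks.
foreach ($k in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
    (Get-ItemProperty -Path $k).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match 'defendnot' } |
        ForEach-Object { $findings.Add("Run key $k\$($_.Name) = $($_.Value)") }
}
Get-ScheduledTask | ForEach-Object {
    $t = $_
    foreach ($a in $t.Actions) {
        if ("$($a.Execute) $($a.Arguments)" -match 'defendnot') { $findings.Add("Scheduled task '$($t.TaskName)': $($a.Execute) $($a.Arguments)") }
    }
}

if ($findings.Count -eq 0) { 'No defendnot-style indicators found.' } else { $findings }
```

Two caveats when reading the output. Step 1 is the decisive check: an antivirus entry you did not deploy, paired with Defender reporting a passive mode in step 2, is the Defendnot signature even when none of the file names or strings in steps 4 and 6 match, since those are trivially changed by the operator. The root/SecurityCenter2 namespace exists only on client SKUs, so step 1 returns nothing on Windows Server, where WSC is absent.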

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1053.005 Scheduled Task (evidence: 1)

Figure 15: Scheduled Task Creation... Figure 16: Scheduled Task Updated... Having successfully been established as a registered security product, the additional option exists to implement persistence to ensure survival across system reboots.

Persistence

3 techniques
T1053.005 Scheduled Task (evidence: 1)

Figure 15: Scheduled Task Creation... Figure 16: Scheduled Task Updated... Having successfully been established as a registered security product, the additional option exists to implement persistence to ensure survival across system reboots.

T1112 Modify Registry (evidence: 1)

Figure 13: Sysmon Event ID 13 - Registry Key set Figure 14: Sysmon Event ID 13 - Additional registry key set... With its legitimacy established within the security framework, defendnot can now optionally establish persistence mechanisms...

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

This optional phase involves creating autorun registry entries that will reactivate the malicious security product following system restarts.

Privilege Escalation

4 techniques
T1053.005 Scheduled Task (evidence: 1)

Figure 15: Scheduled Task Creation... Figure 16: Scheduled Task Updated... Having successfully been established as a registered security product, the additional option exists to implement persistence to ensure survival across system reboots.

T1055 Process Injection (evidence: 1)

Operating from within the injected process context, defendnot now leverages its elevated position to interact with WSC API IWscAvStatus to register itself as a legitimate antivirus product...

T1055.001 Dynamic-link Library Injection (evidence: 1)

Specific Logs for Detection Sysmon: Event ID 7 (Image Loaded into trusted processes), Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess). Process Data: Unexpected modules in legitimate processes (e.g., Taskmgr.exe ).

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

This optional phase involves creating autorun registry entries that will reactivate the malicious security product following system restarts.

Defense Evasion

6 techniques
T1036 Masquerading (evidence: 1)

Register fake AV (Malicious Security Product) via IWscAvStatus Interface... The Windows Security Center processes the fraudulent registration request and accepts it as a legitimate security product (AV).

T1055 Process Injection (evidence: 1)

Operating from within the injected process context, defendnot now leverages its elevated position to interact with WSC API IWscAvStatus to register itself as a legitimate antivirus product...

T1055.001 Dynamic-link Library Injection (evidence: 1)

Specific Logs for Detection Sysmon: Event ID 7 (Image Loaded into trusted processes), Event ID 8 (CreateRemoteThread), Event ID 10 (ProcessAccess). Process Data: Unexpected modules in legitimate processes (e.g., Taskmgr.exe).

T1112 Modify Registry (evidence: 1)

Figure 13: Sysmon Event ID 13 - Registry Key set Figure 14: Sysmon Event ID 13 - Additional registry key set... With its legitimacy established within the security framework, defendnot can now optionally establish persistence mechanisms...

T1562 Impair Defenses (evidence: 1)

Whether persistence is established or not, defendnot now proceeds to execute its primary mission: neutralizing Windows Defender. Defense evasion outcome: Windows Defender gets disabled.

T1562.001 Disable or Modify Tools (evidence: 1)

The attack chain culminates with the successful disabling of Windows Defender, leveraging the established position as a registered security product to justify the deactivation of competing protection mechanisms.
