TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: The new tool "Defendnot" disables Microsoft Defender by exploiting the Windows Security Center API to register as a legitimate antivirus. This poses a significant threat as it leaves Windows devices unprotected, potentially opening them to further attacks.
A new tool, Defendnot, has surfaced from security researcher es3n1n, aiming to disable Microsoft Defender through direct manipulation of the Windows Security Center (WSC) service API. This is a follow-up to their prior tool, no-defender, which used third-party antivirus (AV) binaries to spoof WSC. After receiving a Digital Millennium Copyright Act (DMCA) takedown, the author re-engineered the approach to avoid dependency on third-party code.
Windows Security Center (WSC) is responsible for managing the registration of antivirus and other protection software on the system. When a valid third-party AV registers, Defender automatically disables itself to prevent software conflicts. Defendnot registers a fake antivirus program with WSC, successfully passing all built-in validation checks. This tricks the system into believing that adequate protection is in place.
The WSC interface is normally protected by multiple layers, including Protected Process Light (PPL) and signature verification. Defendnot circumvents these protections by injecting its malicious DLL into Taskmgr.exe, a legitimate system process that is already signed by Microsoft and therefore trusted by the operating system. Once running inside Taskmgr.exe, the tool submits a spoofed antivirus registration to WSC, including a custom display name. As soon as the fake antivirus is registered, Microsoft Defender recognizes it as a legitimate AV product and disables itself. This leaves the endpoint with no active antivirus protection. Defendnot includes a loader module that accepts a configuration file. This file controls tool behavior such as naming the fake AV, toggling registration, and enabling detailed activity logs. To maintain a foothold on the device, Defendnot sets up a scheduled task that executes upon each user login. This ensures the fake antivirus remains registered across reboots and logins.
The predecessor of Defendnot, the “no-defender” project, gained ~1.5k GitHub stars, indicating high community interest, possibly from both red teamers and malicious actors. The use of third-party antivirus code in “no-defender” later led to a DMCA takedown. The significant attention that no-defender garnered after its release suggests that threat actors may have a specific interest in open-source software that enables security tool bypasses.
Threat actors are confirmed to have already adopted other tools and techniques to bypass security products and facilitate attacks. Two notable tools that have recently been reported on are EDRSilencer and EDRKillShifter. EDRSilencer is a red team tool that leverages the Windows Filtering Platform (WFP) to disrupt network communication for processes associated with EDR tools. EDRKillShifter is a tool developed by RansomHub that uses a technique known as Bring Your Own Vulnerable Driver (BYOVD): it exploits vulnerabilities within legitimate drivers, allowing threat actors to gain sufficient privileges to disable an EDR tool's protection. As the deployment of EDR tools within organizations is on the rise, threat actors will likely continue to adopt and develop tools and techniques that allow security defenses to be bypassed or disabled during their attacks. This idea is underscored by the popularity of RansomHub ransomware, which is likely due, in part, to EDRKillShifter being included in the toolset offered to affiliates.
It is important to note that Microsoft Defender is not the only product being targeted: SentinelOne was also targeted in a recent report published by Aon's Stroz Friedberg Incident Response Services. In this incident, threat actors successfully disabled SentinelOne's Endpoint Detection and Response (EDR) agent. The technique used is known as “Bring Your Own Installer” (BYOI), which allowed the attackers, who possessed local administrative privileges, to bypass SentinelOne's anti-tamper features and deactivate the SentinelOne agent.
In response to the release of this report, the eSentire Threat Intelligence team is actively monitoring this topic and exploring new detection opportunities. Based on the widespread use of other EDR bypass tools, the eSentire Threat Intelligence team assesses that it is probable threat actors will adopt Defendnot in real-world attacks in the near future. If Defendnot is utilized for real-world attacks, the expected outcome is that it will deactivate Defender silently, without warning the user. There will be no error messages or visual indicators unless the user manually checks the Windows Security settings. This technique does not rely on exploiting software vulnerabilities, but rather leverages native OS functionality, making detection more challenging. Lastly, it leaves the system unprotected, potentially allowing malware to operate without any restrictions.
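The paragraphs above describe the two observable side effects of a Defendnot-style registration: a rogue product appears in Windows Security Center, and a logon-triggered scheduled task is created around the time Defender's real-time protection turns off. The following is an added hunting example, not eSentire's code and not code from the Defendnot project. The allowlist of AV display names, the record layout, and the sample events are constructed for illustration; the channel names and event IDs (Microsoft-Windows-Windows Defender/Operational 5001 for real-time protection disabled, Security 4698 for scheduled task creation) and the root\SecurityCenter2 AntiVirusProduct class are real Windows identifiers.

```python
"""Illustrative hunt for a rogue antivirus registration that silently
displaces Microsoft Defender. Added example with constructed input; not
eSentire's code and not code from the Defendnot project."""
from datetime import datetime, timedelta

# Assumed allowlist: AV display names the organisation actually deploys.
KNOWN_AV_PRODUCTS = {"Microsoft Defender Antivirus", "Windows Defender"}

# Real Windows channel names and event IDs; the record layout below is constructed.
DEFENDER_CHANNEL = "Microsoft-Windows-Windows Defender/Operational"
DEFENDER_RTP_DISABLED = 5001   # real-time protection was disabled
SECURITY_CHANNEL = "Security"
TASK_CREATED = 4698            # a scheduled task was created


def unknown_av_registrations(display_names, allowlist=KNOWN_AV_PRODUCTS):
    """Return registered AV display names that are not on the allowlist.

    `display_names` mirrors the displayName values of the
    root\\SecurityCenter2 AntiVirusProduct WMI class, which lists every
    product registered with Windows Security Center."""
    return sorted(name for name in display_names if name not in allowlist)


def logon_triggered_task_events(events):
    """Return 4698 events whose task definition XML contains a LogonTrigger."""
    return [e for e in events
            if e["channel"] == SECURITY_CHANNEL and e["event_id"] == TASK_CREATED
            and "<LogonTrigger>" in e["data"].get("TaskContent", "")]


def correlate_defender_disable(events, window=timedelta(minutes=10)):
    """Pair each Defender 5001 with logon-triggered task creations within `window`.

    A Defender disable on its own is noisy (legitimate AV installs cause it);
    combined with a fresh logon task from the same host it is worth a look."""
    disables = [e for e in events
                if e["channel"] == DEFENDER_CHANNEL and e["event_id"] == DEFENDER_RTP_DISABLED]
    tasks = logon_triggered_task_events(events)
    findings = []
    for d in disables:
        for t in tasks:
            if abs(t["ts"] - d["ts"]) <= window:
                findings.append({"disabled_at": d["ts"],
                                 "task": t["data"]["TaskName"],
                                 "created_by": t["data"].get("SubjectUserName")})
    return findings


# Constructed sample data: one benign calendar task, one logon task created a
# minute before Defender reports real-time protection disabled.
T0 = datetime(2025, 5, 22, 9, 0, 0)
SAMPLE_EVENTS = [
    {"ts": T0, "channel": SECURITY_CHANNEL, "event_id": TASK_CREATED,
     "data": {"SubjectUserName": "jsmith",
              "TaskName": "\\Microsoft\\Windows\\Maintenance\\Cleanup",
              "TaskContent": "<Task><Triggers><CalendarTrigger/></Triggers></Task>"}},
    {"ts": T0 + timedelta(minutes=3), "channel": SECURITY_CHANNEL, "event_id": TASK_CREATED,
     "data": {"SubjectUserName": "jsmith",
              "TaskName": "\\Updater",
              "TaskContent": "<Task><Triggers><LogonTrigger><Enabled>true</Enabled>"
                             "</LogonTrigger></Triggers></Task>"}},
    {"ts": T0 + timedelta(minutes=4), "channel": DEFENDER_CHANNEL,
     "event_id": DEFENDER_RTP_DISABLED, "data": {}},
    {"ts": T0 + timedelta(hours=5), "channel": DEFENDER_CHANNEL,
     "event_id": 1001, "data": {}},  # unrelated Defender event (scan finished)
]
# Constructed snapshot of WSC-registered products; "Totally Real AV" is a made-up name.
SAMPLE_WSC_PRODUCTS = ["Microsoft Defender Antivirus", "Totally Real AV"]


def run_hunt(products=SAMPLE_WSC_PRODUCTS, events=SAMPLE_EVENTS):
    """Run both checks and return the combined findings."""
    return {"unknown_av": unknown_av_registrations(products),
            "disable_with_logon_task": correlate_defender_disable(events)}


if __name__ == "__main__":
    for key, value in run_hunt().items():
        print(f"{key}: {value}")
```

On a live host the two inputs would come from `Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct` and from the Security and Defender operational logs; the correlation window is deliberately short because a legitimate AV rollout also fires 5001 but rarely creates a per-user logon task at the same moment.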
Bottom Line: CISA has issued a warning about a Russian cyber espionage campaign by APT28, targeting Western logistics and technology sectors with advanced tactics. The report highlights the Tactics, Techniques, and Procedures (TTPs) used by the group in the espionage campaign since 2022.
On May 21st, the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint cybersecurity advisory (CSA) highlighting a Russian state-sponsored cyber espionage campaign. The operation is attributed to the Russian General Staff Main Intelligence Directorate’s (GRU) 85th Main Special Service Center (unit 26165), commonly known as APT28, (aka Sednit, Fancy Bear, Strontium, Forest Blizzard, or BlueDelta). The CSA was released in collaboration with cybersecurity and intelligence agencies from Australia, Canada, Czechia, Denmark, Estonia, France, Germany, the Netherlands, Poland, the United Kingdom, and the United States. Since 2022, APT28 has been actively targeting a range of sectors across NATO member states and Ukraine, including defence industries, logistics and transit centers (such as seaports and aviation terminals), shipping industry, aviation control systems, and information technology services.
APT28 operators gained access to the networks using a mix of TTPs including but not limited to brute force attacks and spearphishing attacks to steal credentials and deliver malware. The threat actor leveraged vulnerabilities in popular applications such as Outlook (CVE-2023-23397), Roundcube (CVE-2020-12641, CVE-2020-35730, CVE-2021-44026) and WinRAR (CVE-2023-38831), and exploited internet-facing applications such as Virtual Private Networks (VPNs).
Once inside a network, the threat actor was observed conducting reconnaissance activities to locate and identify additional targets. The reconnaissance efforts also gathered intelligence on the cybersecurity teams of the targeted organizations, individuals overseeing transit operations, and third-party entities affiliated with the victim organizations. APT28 utilized tools such as PsExec, Impacket, and leveraged Remote Desktop Protocol (RDP) to move laterally within compromised networks, gaining access to additional systems.
The threat actors established persistence over the systems via scheduled tasks and malicious shortcuts deployed in the startup folder. The threat actors stole sensitive data from victim devices and exfiltrated it using the tools Certipy and ADExplorer.exe. They leveraged Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) to exfiltrate data from email servers. The campaign saw heavy reliance on malware from initial access to exfiltration. Some of the malware deployed by the threat actors include HEADLACE and MASEPIE.
In addition to targeting the logistics sector, the campaign involved compromising IP cameras to monitor national borders, railway stations, and military bases, enabling the threat actors to monitor the movement of aid and military supplies being transported to Ukraine.
A surge in cyber espionage operations was observed soon after the inception of the Russia-Ukraine war in February 2022. APT28 emerged as a leading threat actor group in these efforts, conducting activities aimed at advancing Russian military objectives. The threat group was involved in the “Nearest Neighbour Attack” that targeted Ukrainian-related work and projects ahead of the Russian invasion of Ukraine to gather information on individuals with expertise on these projects. These espionage activities highlight APT28’s tactical capabilities, which include phishing, exploiting known vulnerabilities, and deploying sophisticated malware, all carried out with support from the Russian military to advance their strategic objectives.
Organizations are advised to implement a defense-in-depth security strategy to effectively safeguard against the threats posed by APT28 led attacks. Conducting Phishing Security and Awareness Trainings (PSATs) can be an effective measure to help prevent users and employees from falling victim to phishing attacks by enhancing their ability to recognize and respond to suspicious communications. It is recommended that organizations ensure all the hardware and software installed in the environment are up to date by implementing efficient vulnerability and patch management systems. Malware such as HEADLACE and MASEPIE can be detected and contained by deploying robust Endpoint Detection and Response (EDR) solutions. To counter attacker activities such as intrusions, lateral movement, malicious payload deployment, and data exfiltration, organizations should adopt robust network security measures. These include network segmentation to limit access within the infrastructure, deploying network firewalls to control traffic, and continuously monitoring network activity to detect and respond to suspicious behavior in real time.
The eSentire Threat Intelligence team is continuously tracking cyber operations associated with APT28 to develop new detection opportunities. eSentire Managed Vulnerability Service has plugins in place to identify devices vulnerable to the flaws mentioned in the report. eSentire MDR for Network has detections in place to identify exploitation activities related to CVE-2023-23397 and CVE-2020-35730.
Bottom Line: Microsoft announced a successful global operation that disrupted Lumma Stealer's infrastructure by taking down 2,300 domains. The operation, authorized by court order and conducted with multiple partners, targeted the information-stealing malware that had infected over 394,000 Windows devices globally over the last three months.
On May 21st, Microsoft and ESET released reports on the coordinated disruption of Lumma Stealer infrastructure. On the same day, CISA released a report outlining Lumma Stealer related Tactics, Techniques, and Procedures (TTPs), as well as its observed impact on US critical infrastructure. Lumma Stealer is an information stealer offered for sale via the Malware-as-a-Service model. It was first observed being sold through Russian language darkweb marketplaces in 2022. The malware can be used to steal sensitive data from web browsers and cryptocurrency wallets, including passwords, financial information, and Personally Identifiable Information (PII). According to Microsoft, Lumma Stealer was being used by “hundreds of cyber threat actors”, including Scattered Spider (Octo Tempest), Storm-1607, Storm-1113, and Storm-1674. Lumma Stealer is reported to have impacted over 390,000 Windows devices globally between March 16th, 2025, and May 16th, 2025.
On May 13th, Microsoft's Digital Crimes Unit (DCU) filed legal action against Lumma Stealer and received a court order to conduct the operation. Microsoft partnered with both public and private organizations including BitSight, Lumen, Cloudflare, CleanDNS, GMO Registry, ESET, the US Department of Justice (DOJ), Europol's European Cybercrime Center (EC3), and Japan's Cybercrime Control Center (JC3). The joint effort resulted in the takedown of over 2000 domains that formed the backbone of Lumma Stealer's infrastructure, disrupting the entire MaaS operation. Following this action, the Lumma Stealer control panel is reported to have displayed a message that the webpage was seized.
Lumma Stealer operators have since released a public statement claiming an Integrated Dell Remote Access Controller (IDRAC) vulnerability was exploited to take control of a threat actor server, and a phishing page was used to collect threat actor information. This information is unconfirmed; threat actor claims should always be viewed skeptically.
The disruption of Lumma Stealer operations represents a major blow to the cybercrime ecosystem. As Lumma Stealer was used by hundreds of different groups, any outages would impact a number of active malware campaigns. Since January 2025, Lumma Stealer has been in the top three most observed malware families by eSentire each month. No arrests relating to this operation have been reported at the time of writing, but if law-enforcement was able to gather information related to either the developers, or those who purchased the malware, it is possible that arrests will be made in the future.
While the disruption is notable, the eSentire Threat Intelligence team assesses that it is probable that the Lumma Stealer MaaS will continue its operations in the near future. As no arrests have been made, the developers are free to continue malicious activity, and as one of the most active MaaS groups, it is probable that despite the disruption, the group will still have a paying user base. With that said, law-enforcement attention is likely to decrease the overall users of Lumma Stealer, due to concerns of continued law-enforcement action. This is unlikely to result in a long-term decrease in cybercrime, but rather, threat actors pivoting to alternative MaaS offerings.
eSentire maintains a number of detections for Lumma Stealer across both eSentire MDR for Network and Endpoint. For more information on Lumma Stealer and the MaaS operation see the eSentire TRU Intelligence Briefing for December 2024 and the October 2024 advisory Lumma Stealer ClickFix Distribution.
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.