DefenderWrite Tool Let Attackers Inject Malicious DLLs into AV Executable Folders

Khushal

Khushal

Level 11
Thread author
Verified
Top Poster
Well-known
Apr 4, 2024
520
2,651
969
Content source
https://www.zerosalarium.com/2025/10/defenderwrite-abusing-whitelisted-programs-arbitrary-write.html
⚠️ DefenderWrite Tool Let Attackers Inject Malicious DLLs into AV Executable Folders

Read more: New DefenderWrite Tool Let Attackers Inject Malicious DLLs into AV Executable Folders
www.zerosalarium.com

DefenderWrite: Abusing Whitelisted Programs for Arbitrary Writes

DefenderWrite tool that helps find programs whitelisted by Antivirus and exploits these programs to write arbitrary files into the Antivirus's folder
www.zerosalarium.com www.zerosalarium.com

A new tool called DefenderWrite exploits whitelisted Windows programs to bypass protections and write arbitrary files into antivirus executable folders, potentially enabling malware persistence and evasion.

The core innovation behind DefenderWrite lies in systematically scanning Windows executables to find those permitted to access AV folders.

By identifying system programs that antivirus vendors whitelist for updates and installations, attackers can leverage these exceptions to inject malicious DLLs, turning the AV's own safeguards against it.

Some Antivirus have been successfully tested​

  • Microsoft Windows Defender
  • BitDefender Antivirus
  • TrendMicro Antivirus Plus
  • Avast Antivirus
Click to expand...
 
Last edited:
  • Like
  • Wow
Reactions: Andy Ful, Zartarra, [correlate] and 5 others
You must log in or register to reply here.

You may also like...