Initial Access & Execution
Vector
The attack begins with phishing emails carrying what appear to be business-themed documents but are in fact LNK shortcut files.
Execution
When opened, the LNK file triggers a background PowerShell script using an execution policy bypass.
Staging
The script downloads an obfuscated first-stage loader from GitHub, blending malicious traffic with legitimate developer network activity.
Defense Evasion (The "Defendnot" Tactic)
Mechanism
The malware drops and executes "Defendnot," a tool originally designed to demonstrate vulnerabilities in the Windows Security Center.
Effect
It registers a fraudulent antivirus product with the OS. Because Windows trusts this registration, it automatically disables Microsoft Defender to prevent conflict, effectively blinding the system's primary defense.
Command & Control (C2)
Channel
The malware utilizes the Telegram Bot API for communication.
Function
It sends system profiling data to the attacker and receives further commands, making C2 traffic difficult to distinguish from legitimate user chat traffic.
Payloads & Impact
The malware deploys a triad of malicious components.
Surveillance (Amnesia RAT)
Steals browser credentials, cryptocurrency wallets, and financial data. It also includes screenshot capabilities to monitor user activity.
Ransomware (Hakuna Matata)
Encrypts user files, appending the extension .NeverMind12F.
Denial of Service (WinLocker)
Enforces a total system lockout, disabling administrative tools (Task Manager, CMD) and displaying a ransom note with a countdown timer.
Remediation & Detection
Immediate Containment
Isolate
Disconnect affected hosts from the network immediately to prevent lateral movement or further encryption.
Block Telegram API
If your organization does not require it, block api.telegram.org at the perimeter firewall to sever the C2 channel.
Indicator of Compromise (IOC) Hunting
Scan your environment for the following indicators derived from the analysis.
File Extension
*.NeverMind12F
Network
Unexpected traffic to api.telegram.org or github.com from non-developer workstations.
Processes
Unexpected PowerShell execution chains spawned by explorer.exe (indicating LNK execution).
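The following hunting script is an added example and is not part of the article or of Fortinet's research. It searches a host for the two host-side indicators listed above: files carrying the .NeverMind12F extension, and PowerShell processes launched by explorer.exe with an execution-policy bypass or encoded command. It assumes Sysmon is installed and writing Event ID 1 (process creation) records to its operational log; the function names and the sample records at the end are constructed for illustration and are not real telemetry.

```powershell
# Added hunting script (not from the article or Fortinet). Assumes Sysmon Event ID 1 logging.

function Find-NeverMindFiles {
    # Locate files carrying the Hakuna Matata extension named in the report.
    param([string[]]$Roots = @("$env:SystemDrive\Users"))
    Get-ChildItem -Path $Roots -Recurse -Force -File -Filter '*.NeverMind12F' -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Test-LnkPowerShellChain {
    # True when a process-creation record matches the LNK -> PowerShell pattern:
    # explorer.exe parent, PowerShell child, and a bypass or encoded-command switch.
    param([string]$ParentImage, [string]$Image, [string]$CommandLine)
    $parentIsExplorer  = $ParentImage -match '\\explorer\.exe$'
    $childIsPowerShell = $Image -match '\\(powershell|pwsh)\.exe$'
    # Matches -ex / -exec / -ep / -ExecutionPolicy Bypass, or -e / -ec / -enc / -EncodedCommand.
    $bypassOrEncoded   = $CommandLine -match '-e[xp]\w*\s+bypass|-e(c|nc|ncodedcommand)?\s'
    return [bool]($parentIsExplorer -and $childIsPowerShell -and $bypassOrEncoded)
}

function Find-LnkPowerShellChains {
    # Pull Sysmon process-creation events and return the ones that match the rule above.
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if (Test-LnkPowerShellChain -ParentImage $data['ParentImage'] -Image $data['Image'] -CommandLine $data['CommandLine']) {
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    User        = $data['User']
                    ParentImage = $data['ParentImage']
                    CommandLine = $data['CommandLine']
                }
            }
        }
}

# Constructed sample records (not real telemetry) that exercise the matching rule offline.
$samples = @(
    @{ ParentImage = 'C:\Windows\explorer.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Public\invoice.ps1' },
    @{ ParentImage = 'C:\Windows\System32\cmd.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -NoProfile -Command Get-Date' }
)
foreach ($s in $samples) {
    $hit = Test-LnkPowerShellChain @s
    '{0,-5} {1}' -f $hit, $s.CommandLine
}

# Live hunt on this host.
Find-NeverMindFiles | Format-Table -AutoSize
Find-LnkPowerShellChains | Format-Table -AutoSize -Wrap
```

The first sample record matches the rule and the second does not. If Sysmon is not deployed, the same rule can be applied to Security event 4688 records, provided command-line auditing is enabled; without command-line logging the bypass switch cannot be seen and only the parent/child relationship remains as a signal.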
Corrective Actions
Verify Defender Status
Run the following PowerShell command to check if a fake AV provider has been registered:
PowerShell:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
Look for unrecognized product names or "Defendnot" related entries.
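The script below is an added example, not code from the article or from Fortinet. It extends the one-line check into a verification: it lists every product registered with Security Center, decodes the productState field using the widely used (but undocumented) bit convention, checks whether each product's registered binary exists and is Authenticode-signed, and compares the result against what Defender reports about itself through Get-MpComputerStatus. It assumes the Security Center WMI provider and the Defender PowerShell module are present on the host; the function names are the author's own.

```powershell
# Added verification script (not from the article or Fortinet).

function Get-RegisteredAvProducts {
    # Every antivirus product registered with Security Center. productState is decoded with the
    # common convention: bit 0x10 of the middle byte = enabled, bit 0x10 of the low byte = out of date.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct |
        ForEach-Object {
            $state = [int]$_.productState
            $exe   = $_.pathToSignedProductExe
            $sig   = if ($exe -match '^\w+://') {
                         'UriHandler'                      # e.g. Defender registers a protocol handler, not a file
                     } elseif ($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue)) {
                         (Get-AuthenticodeSignature -FilePath $exe).Status
                     } else {
                         'PathMissing'
                     }
            [pscustomobject]@{
                Name      = $_.displayName
                Enabled   = ((($state -shr 8) -band 0x10) -ne 0)
                OutOfDate = (($state -band 0x10) -ne 0)
                Signature = $sig
                Exe       = $exe
                Guid      = $_.instanceGuid
            }
        }
}

function Test-DefenderTampering {
    # Flags the condition this campaign produces: a non-Microsoft registration whose binary is
    # missing or unsigned, while Defender reports itself disabled or running in passive mode.
    $products = @(Get-RegisteredAvProducts)
    $foreign  = @($products | Where-Object { $_.Name -notmatch 'Windows Defender|Microsoft Defender' })
    $unsigned = @($foreign  | Where-Object { $_.Signature -ne 'Valid' })
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegisteredProducts   = ($products.Name -join '; ')
        NonMicrosoftProducts = ($foreign.Name -join '; ')
        UnsignedOrMissingExe = ($unsigned.Name -join '; ')
        DefenderAvEnabled    = $mp.AntivirusEnabled
        DefenderRealTime     = $mp.RealTimeProtectionEnabled
        DefenderRunningMode  = $mp.AMRunningMode
        Suspicious           = [bool]($unsigned.Count -gt 0 -or ($foreign.Count -gt 0 -and -not $mp.RealTimeProtectionEnabled))
    }
}

Get-RegisteredAvProducts | Format-Table -AutoSize
Test-DefenderTampering   | Format-List
```

Treat the name filter as a convenience only: a fraudulent registration could reuse a familiar display name, so the signature status of the registered executable and the mismatch between a "healthy" third-party entry and Defender reporting passive mode or real-time protection off are the signals worth acting on.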
Restore Associations
The malware is known to hijack file associations. You may need to reset default apps: Settings > Apps > Default apps > Reset
Prevention
LNK Handling
Configure email gateways to block or quarantine .lnk attachments.
PowerShell Constraint
Enforce Constrained Language Mode for PowerShell on standard user workstations to limit the capabilities of dropper scripts.
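As an added example (not from the article or Fortinet), the following audit script confirms that Constrained Language Mode is actually in effect for the account it runs under, rather than merely configured. It reads the session's language mode, probes whether a .NET type a dropper would typically need (System.Net.WebClient) can be instantiated, and reports whether an AppLocker script rule collection, one supported mechanism that switches PowerShell into Constrained Language Mode, is present in the effective policy. The function name is the author's own; the script only reads state and creates nothing on disk.

```powershell
# Added audit script (not from the article or Fortinet). Run as a standard user on a workstation.

function Get-LanguageModePosture {
    $mode = $ExecutionContext.SessionState.LanguageMode

    # In Constrained Language Mode, New-Object is limited to core types, so creating a
    # WebClient is refused; the outcome of this probe shows whether the restriction applies.
    $webClientBlocked = $false
    try { $null = New-Object System.Net.WebClient } catch { $webClientBlocked = $true }

    # Effective AppLocker policy: a Script rule collection in Enabled mode is one way CLM is enforced.
    $scriptRules = $null
    try {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml -ErrorAction Stop
        $scriptRules = $policy.AppLockerPolicy.RuleCollection | Where-Object { $_.Type -eq 'Script' }
    } catch { }

    [pscustomobject]@{
        LanguageMode     = $mode
        WebClientBlocked = $webClientBlocked
        ScriptRuleMode   = if ($scriptRules) { $scriptRules.EnforcementMode } else { 'NoPolicy' }
        Hardened         = ($mode -eq 'ConstrainedLanguage' -and $webClientBlocked)
    }
}

Get-LanguageModePosture | Format-List
```

A result of FullLanguage with WebClientBlocked set to False means a dropper script running as that user would have unrestricted access to .NET, regardless of what the policy settings appear to say; the check should be repeated under a standard user account, since administrators are normally exempt from AppLocker enforcement.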
Sources & Attribution
Verdict
ATTRIBUTED
Confidence
High
Primary Reporting Source
Article
"New Multi-Stage Windows Malware Disables Microsoft Defender Before Dropping Malicious Payloads"
Publication
Cyber Security News
Author
Tushar Subhra Dutta
Date
January 22, 2026
Original Threat Research
Research Organization
Fortinet Threat Research (FortiGuard Labs)
Attribution
The Cyber Security News article explicitly cites Fortinet analysts as the team who identified the campaign and the specific abuse of the "Defendnot" tool. The images and attack chain diagrams provided in the article are also credited to Fortinet.