Researchers from Trend Micro have recently discovered a new strain of malware known as Phemedrone Stealer [2]. This malware takes advantage of a patched vulnerability in Windows Defender SmartScreen [7], specifically CVE-2023-36025. In this article, we describe Phemedrone Stealer and its methods of attack in detail.


Phemedrone Stealer is designed to target specific types of files and information found in popular software products, including browsers [2] [6], file managers [2], and communication platforms [2]. It specifically focuses on Chromium-based browsers, crypto wallets [2] [3] [5] [6], Discord [2] [3] [4], FileGrabber [2], FileZilla [2], Gecko-based browsers [2], Steam [2] [3], and Telegram [1] [2] [3].

The attack vector employed by Phemedrone Stealer involves crafted .url (Internet Shortcut) files, which are able to bypass Windows Defender SmartScreen [3]. Once it has evaded detection [2], the malware downloads a payload and establishes a persistent presence on the system [2]. The harvested data is then sent to the attackers through the Telegram API [2].
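Because the initial stage described above arrives as a .url file, a defender's first question is usually which Internet Shortcut files are present on a host and where they point. The following is an added example, not code from the article or from Trend Micro's research: it parses the INI-style `[InternetShortcut]` format that Windows uses for .url files, extracts the `URL=` target and groups targets by scheme so an analyst can review them. The sample file contents are constructed, and the choice to single out non-web schemes for review is this example's own triage heuristic, not something the article states about the campaign.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample file contents, keyed by file name. In practice these
# would be read from a user's Downloads or temp directories.
SAMPLES = {
    "invoice.url": "[InternetShortcut]\nURL=https://example.com/docs\n",
    "report.url": (
        "[InternetShortcut]\n"
        "URL=file://fileserver.example/share/report.pdf\n"
        "IconIndex=0\n"
    ),
    "notes.txt": "just a text file\n",
}

# Schemes a browser would normally open; everything else is flagged for review.
WEB_SCHEMES = {"http", "https"}


def parse_url_shortcut(text):
    """Return the URL= target of an Internet Shortcut, or None if the text
    is not a parseable shortcut with an [InternetShortcut] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:
        # No section header, malformed lines, etc.: not a shortcut we can read.
        return None
    if not cp.has_section("InternetShortcut"):
        return None
    # Option names are case-folded by configparser, so "URL" and "url" both match.
    return cp.get("InternetShortcut", "URL", fallback=None)


def classify_target(url):
    """Coarse classification of where the shortcut leads: 'web' for http(s),
    'non-web' for anything else (file shares and other local handlers)."""
    scheme = urlparse(url).scheme.lower()
    return "web" if scheme in WEB_SCHEMES else "non-web"


def triage(files):
    """Walk a {name: contents} mapping and return (name, target, class)
    tuples for every readable .url file, skipping other file types."""
    findings = []
    for name, text in files.items():
        if not name.lower().endswith(".url"):
            continue
        target = parse_url_shortcut(text)
        if target is None:
            continue
        findings.append((name, target, classify_target(target)))
    return findings


if __name__ == "__main__":
    for name, target, kind in triage(SAMPLES):
        marker = "REVIEW" if kind == "non-web" else "ok"
        print(f"{marker:6} {name}: {target}")
```

The output is an inventory rather than a verdict: a web target is not automatically safe, so the list is meant to be cross-checked against proxy logs and the user's expected activity. Running the same parser over a file-system walk of user-writable directories gives a quick picture of how many shortcut files a fleet actually contains, which is useful context when deciding whether to block or alert on them.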

Fortunately, Microsoft has already addressed this vulnerability with a security patch [2]. To protect against such exploits [2], it is highly recommended that security patches be applied promptly and regularly.


The discovery of Phemedrone Stealer highlights the ongoing threat posed by malware and the importance of maintaining up-to-date security measures. By promptly addressing vulnerabilities and regularly applying security patches, users can mitigate the risk of falling victim to such attacks. It is crucial for individuals and organizations to remain vigilant and proactive in their efforts to protect sensitive information and maintain the integrity of their systems.