Attack chain | Image: Fortinet
A sophisticated multi-stage malware campaign has been uncovered targeting users in Russia, blending social engineering with a clever abuse of legitimate cloud services and Windows research tools. Security researchers at FortiGuard Labs have detailed an attack chain that starts with a simple “business” document and ends with a destructive ransomware payload, all while bypassing standard defenses.
The campaign is notable not for using zero-day exploits, but for how effectively it “lives off the land,” repurposing trusted platforms like GitHub and Dropbox to deliver its malicious cargo.
The attack begins innocuously enough. Victims receive what appear to be routine business documents. “The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign”.
These files act as a sleight of hand. “These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background”. While the user is focused on the decoy, the malware is already establishing its foothold.
One of the most striking features of this campaign is its use of Defendnot, a tool originally created by security researchers to demonstrate weaknesses in Windows Defender. The attackers have weaponized this research.
“A defining characteristic of this campaign is the operational abuse of Defendnot, a research tool originally designed to demonstrate weaknesses in the Windows Security Center trust model”.
Instead of exploiting a software bug, the attackers use this tool to systematically dismantle the target’s defenses. “In this campaign, Defendnot is repurposed to disable Microsoft Defender,” effectively blinding the endpoint before the heavier payloads arrive.
To evade network detection, the attackers hide their infrastructure behind trusted names. “The threat actors further increase resilience by separating payload hosting across multiple public cloud services”.
- GitHub is used to distribute the scripts that orchestrate the attack.
- Dropbox hosts the heavier binary payloads.
This “modular hosting approach” makes the traffic look like legitimate enterprise activity, complicating efforts to block or take down the operation.
Once defenses are down, the campaign shifts gears. It deploys Amnesia RAT to gain long-term control over the system. “Deploying Amnesia RAT enables long-term reconnaissance, credential theft, and interactive system control”.
But the endgame is destruction. The attack chain culminates in the deployment of “subsequent ransomware and WinLocker components,” designed to “enforce data denial and apply sustained psychological pressure on the victim”.
FortiGuard Labs warns that this campaign represents a modern class of threat that doesn’t need to break software to break in. “This attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities”.
By abusing native Windows features and trusted administrative tools, the attackers can “disable endpoint defenses before deploying persistent surveillance tooling and destructive payloads”.
Organizations are urged to monitor for “anomalous security configuration changes” and unexpected traffic to cloud storage services, as “early detection of these behaviors is critical” to stopping the infection before recovery becomes impossible.
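One way a defender can look for the configuration state this kind of tampering leaves behind (Defender switched off while an unexpected antivirus product is registered with Windows Security Center), as an added example that is not part of the FortiGuard report or of any tool it describes. It assumes a Windows client with the Defender PowerShell module, an elevated prompt, and an allow-list of expected antivirus display names that you must adjust for your own estate:

```powershell
# Added example (not from the report): a host-level check for the state that
# WSC-trust-model abuse leaves behind. Returns a list of findings; empty means clean.
# Assumptions: Windows client SKU (root/SecurityCenter2 is absent on Server),
# Defender module available, run elevated. $ExpectedAv is a constructed allow-list.
function Test-DefenderTampering {
    param(
        [string[]]$ExpectedAv = @('Windows Defender', 'Microsoft Defender Antivirus'),
        [int]$LookbackHours = 24
    )
    $findings = @()

    # 1. Defender's own view of itself
    $mp = Get-MpComputerStatus
    if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus engine is disabled' }
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is disabled' }
    if ($mp.AntivirusSignatureAge -gt 7)    { $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old" }

    # 2. What Windows Security Center believes is protecting the host.
    # productState is a packed value; the commonly used decoding treats bit 0x1000
    # (second byte = 0x10) as "product reports itself enabled".
    $wsc = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($p in $wsc) {
        $enabled = (($p.productState -band 0x1000) -ne 0)
        if ($ExpectedAv -notcontains $p.displayName) {
            $findings += "Unexpected AV registered with WSC: '$($p.displayName)' (enabled=$enabled, exe=$($p.pathToSignedProductExe))"
        }
    }
    # A third-party product marked enabled while Defender is off is exactly the
    # combination a fake WSC registration produces; call it out explicitly.
    $thirdPartyOn = $wsc | Where-Object { ($ExpectedAv -notcontains $_.displayName) -and (($_.productState -band 0x1000) -ne 0) }
    if ($thirdPartyOn -and -not $mp.RealTimeProtectionEnabled) {
        $findings += 'Defender off while a non-allow-listed AV claims to be active: possible WSC trust-model abuse'
    }

    # 3. Recent Defender operational events that record protection being turned off
    # (5001 real-time protection disabled, 5010/5012 scanning disabled).
    $since = (Get-Date).AddHours(-$LookbackHours)
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5010, 5012; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $ev) {
        $findings += "Defender event $($e.Id) at $($e.TimeCreated): $($e.Message.Split("`n")[0])"
    }

    return $findings
}

# Usage: print findings, non-zero exit if anything was flagged (handy for scheduled checks).
$result = Test-DefenderTampering
$result | ForEach-Object { Write-Output "[!] $_" }
if ($result.Count -gt 0) { exit 1 }
```

Any finding here is a cue to correlate with proxy logs for the GitHub and Dropbox fetches the report describes, since a disabled Defender is meant to precede the heavier payloads.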