Windows Defender Does Its Job and Prevents Geographic Malware Attack

Yet another malware campaign has been discovered, but the good news is that Windows Defender did its job and blocked 400,000 infection attempts within a short space of time. The campaign appears to be geographically targeted, aimed mainly at Russian users.

Initially, just 80,000 systems were hit with the Dofoil malware, also known as Smoke Loader. This Trojan downloads and runs other programs without the user's consent, including other malware. This time Dofoil was being used to make its victims' machines mine cryptocurrency.

Twelve hours later the malware had hit another 320,000 users. Interestingly, nearly all the targets were in or around Russia: 73 percent were in Russia, 18 percent in Turkey, and 4 percent in Ukraine.

Cryptomining malware is considered especially damaging because it keeps the computer's processor under heavy load. The CPU is made to do extra work, which generates more heat, and a processor driven that hard for an extended period could fail.

“Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks,” said Microsoft.

“For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.”

Dofoil launches a fresh Explorer process in a stalled (suspended) state, then strips out part of its code and writes the malware in its place, a technique known as process hollowing. Running inside what looks like a normal Explorer process lets the malware go undetected and delete the components it dropped on the hard drive or SSD.

The hollowed Explorer process then launches the Windows Update AutoUpdate Client and again carves out a section of its code, this time replacing it with the mining malware.

Microsoft’s Windows Defender detected the very first Dofoil hits “within milliseconds” because the process, now disguised as the Windows Update client, was running from the wrong location and its network traffic looked suspicious.
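As an added illustration (not code from the article or from Microsoft), here are the detection signals the article describes, written as a check over constructed process records: the expected on-disk paths, the parent-process rule and the assumption that a genuine update client only speaks HTTP/HTTPS are my own choices, and the sample records are constructed.

```python
"""Heuristics for the Dofoil-style chain the article describes: a hollowed
explorer.exe that launches a fake Windows Update client from the wrong
location and opens connections a real updater never would. Runs over
constructed process records, not a live system."""
from dataclasses import dataclass

# Where the genuine binaries live on a default install (assumes %SystemRoot% = C:\Windows).
EXPECTED_PATH = {
    "explorer.exe": r"c:\windows\explorer.exe",
    "wuauclt.exe": r"c:\windows\system32\wuauclt.exe",
}
# Ports a genuine Windows Update client is assumed to use (plain HTTP/HTTPS);
# WSUS deployments may use other ports and should be added here.
UPDATE_PORTS = {80, 443}


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str                 # image name as shown in the process list
    path: str                 # full on-disk path of the image
    parent: str               # image name of the parent process
    remote_ports: tuple = ()  # remote TCP ports of outbound connections


def check(p: Proc) -> list:
    """Return the reasons a process looks like the article's hollowed updater, or []."""
    name = p.name.lower()
    expected = EXPECTED_PATH.get(name)
    if expected is None:
        return []                                   # not a name this campaign impersonated
    reasons = []
    if p.path.lower() != expected:                  # the signal the article says Defender fired on
        reasons.append("image runs from unexpected path %s" % p.path)
    if name == "wuauclt.exe" and p.parent.lower() == "explorer.exe":
        reasons.append("update client spawned by explorer.exe")   # the article's launch chain
    if name == "wuauclt.exe":
        odd = sorted(set(p.remote_ports) - UPDATE_PORTS)
        if odd:
            reasons.append("updater talking on non-update ports %s" % odd)
    return reasons


def scan(procs) -> dict:
    """Map pid -> reasons for every process that trips at least one heuristic."""
    hits = {}
    for p in procs:
        reasons = check(p)
        if reasons:
            hits[p.pid] = reasons
    return hits


# Constructed sample: a genuine Explorer and updater, plus one matching the article's description.
SAMPLE = [
    Proc(1200, "explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
    Proc(2400, "wuauclt.exe", r"C:\Windows\System32\wuauclt.exe", "svchost.exe", (443,)),
    Proc(3100, "wuauclt.exe", r"C:\Users\Public\wuauclt.exe", "explorer.exe", (3333,)),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE).items():
        print(pid, reasons)
```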

Because Windows Defender does not just detect and analyze a sample locally but also reports back to Microsoft’s cloud protection service, it didn’t merely block the malware on one computer: it quickly pushed information about the infection to other computers running Windows Defender on Windows 7, Windows 8, and Windows 10. That is what allowed it to prevent another 320,000 computers from being infected.

Even though Russia and its neighboring countries seem to be the targets, users throughout the world will be protected from this malware thanks to Defender sharing the information with every computer running it.

The takeaway seems pretty clear. If you run Windows 7, 8, or 10, make sure Windows Defender is running. If a malware attack is designed to hit many users at once, with any luck Defender will either detect it and stop it reaching your computer or warn your computer of the potential infection.

Do you run Windows Defender? How safe does this make you feel? Let us know by adding your thoughts to the comments section below.
