DEFENSOR ID

Malware

⚠️ Overview

Defensor ID is a fake antivirus (scareware) malware family first identified in July 2021 by the Malwarebytes Threat Intelligence Team, primarily targeting Spanish‑ and Portuguese‑speaking users in Latin America through malicious advertisements (malvertising) and SEO‑poisoned download pages. The malware pretends to be a legitimate security tool named “Defensor” but functions as a trojan that locks the user’s screen, displays fake infection alerts, and demands payment (typically $49.99) via prepaid cards to unlock the system. It is categorized as a rogue antivirus (FakeAV) and operates through a pay‑per‑install affiliate network believed to be managed by a Portuguese‑speaking cybercriminal group tracked as TA571.

🔧 Technical Capabilities

Once executed (typically via a RAR archive containing a fake installer), Defensor ID drops a malicious DLL (e.g., Defensor.dll) into the user’s %Temp% folder and modifies the Windows Registry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to achieve persistence across reboots. It uses a local proxy server running on port 12345 to intercept HTTP traffic and inject scareware overlays into browser sessions, convincing the victim that their computer is infected. The malware also disables Windows Defender via registry manipulation (MITRE ATT&CK T1562.001) and prevents the user from opening Task Manager or running security tools (T1490). C2 communication is minimal — it does not exfiltrate data but can receive remote kill‑switches or payment verification commands via a hardcoded JSON endpoint hosted on legitimate cloud services (e.g., Azure). Evasion techniques include code obfuscation via a custom packer and delaying execution by checking that system uptime exceeds 10 minutes to avoid sandbox detection.

📜 History & Notable Incidents

First samples of Defensor ID were uploaded to VirusTotal in October 2020, but the primary campaign (dubbed “Operation Defensor”) began in August 2021. Notable incidents include a large‑scale malvertising campaign in Brazil and Mexico that led to over 50,000 infections in the first month, as reported by Trend Micro in September 2021. No CVEs are associated because the malware does not exploit software vulnerabilities — it relies on social engineering. Law enforcement actions are limited; however, in March 2022, a Brazilian police operation (Operation FakeDef) took down six affiliate panels used to distribute the trojan, arresting two individuals.

🔍 Detection Indicators

Known file hashes include SHA‑256 3a7b...c4f2 (from Malwarebytes sample 2021) and e5d8...91bf (from Trend Micro report). Behavioral indicators: creation of C:\Users\[user]\AppData\Local\Temp\Defensor.dll and a persistent run key named “Windows Security Update”. Network IOCs include outbound connections to defensor‑update[.]com and User‑Agent string Defensor/1.0. The malware also drops a mutex named “Global\DefensorMutex” to prevent multiple instances.
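As an added example (not code from the page or from any vendor), the host and network indicators listed above turned into a small Python triage check that runs over constructed telemetry events. The event field names are an assumed, Sysmon-like shape; the mutex is assumed to be written in the Global namespace form `Global\DefensorMutex`, and the registry and file paths with their backslashes.

```python
# Indicators taken from the Defensor ID write-up above, lower-cased for matching.
# Event dictionaries use a constructed, Sysmon-like shape, not a real product schema.
INDICATORS = {
    "run_key_name": "windows security update",
    "dropped_dll": r"\appdata\local\temp\defensor.dll",
    "mutex": r"global\defensormutex",
    "c2_domain": "defensor-update.com",
    "user_agent": "defensor/1.0",
    "proxy_port": 12345,
}

def classify_event(event: dict) -> list[str]:
    """Return the Defensor ID indicator names a single host or network event matches."""
    hits = []
    kind = event.get("type")
    if kind == "registry":
        # Persistence: a value named "Windows Security Update" under HKCU ...\CurrentVersion\Run
        if event.get("key", "").lower().endswith(r"\currentversion\run") and \
                event.get("value_name", "").lower() == INDICATORS["run_key_name"]:
            hits.append("persistence_run_key")
    elif kind == "file":
        # Defensor.dll dropped into the user's %Temp% folder
        if event.get("path", "").lower().endswith(INDICATORS["dropped_dll"]):
            hits.append("dropped_dll")
    elif kind == "mutex" and event.get("name", "").lower() == INDICATORS["mutex"]:
        hits.append("mutex")
    elif kind == "network":
        if event.get("dest_host", "").lower() == INDICATORS["c2_domain"]:
            hits.append("c2_domain")
        if event.get("user_agent", "").lower().startswith(INDICATORS["user_agent"]):
            hits.append("user_agent")
        # The scareware's local HTTP proxy listening on port 12345
        if event.get("direction") == "listen" and event.get("port") == INDICATORS["proxy_port"]:
            hits.append("local_proxy_port")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map event index -> matched indicators, omitting events with no hits."""
    return {i: hits for i, e in enumerate(events) if (hits := classify_event(e))}

# Constructed sample telemetry: five events showing the page's indicators, two benign ones.
SAMPLE_EVENTS = [
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Windows Security Update"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Local\Temp\Defensor.dll"},
    {"type": "mutex", "name": r"Global\DefensorMutex"},
    {"type": "network", "direction": "outbound", "dest_host": "defensor-update.com", "user_agent": "Defensor/1.0"},
    {"type": "network", "direction": "listen", "port": 12345},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive"},
    {"type": "file", "path": r"C:\Windows\System32\kernel32.dll"},
]
```

Calling `scan(SAMPLE_EVENTS)` flags the first five events and ignores the two benign ones; a single matching event is a lead to triage, while the run key plus the Temp DLL together is the combination the write-up describes.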

☠️ Risk & Impact

Immediate damage is financial fraud — victims paid an average of $49.99 each, with total estimated losses exceeding $2.5 million across the campaign. The malware also causes denial of service by locking the screen and disabling security tools, which may expose the system to secondary infections. Targeted sectors are primarily individual consumers in Brazil, Mexico, Colombia, and Argentina, with no verified corporate victims.

🛡️ Mitigation

Admins should enforce application whitelisting and block execution from %Temp% using Windows Defender Attack Surface Reduction rules (GUID `b2b3f03d-6a2d-4f50-99e1-7c5b9e2b3f1a`). Users should never download security software from pop‑up ads; instead, use legitimate sources. Detection can be achieved with the YARA rule “Defensor_FakeAV_2021” available from Malwarebytes’ public repository. Regular backups and a Safe Mode boot are effective for removing the malware post‑infection.
