CVE-2024-21412 Vulnerability

Written by: Lizzie Danielson

Published: 12/5/2025



What is CVE-2024-21412 Vulnerability?

CVE-2024-21412 is a security feature bypass vulnerability in Microsoft Windows Internet Shortcut Files, specifically in how Microsoft Defender SmartScreen handles chained .URL shortcut files. Exploiting this flaw allows an unauthenticated remote attacker to bypass Windows Defender SmartScreen's Mark-of-the-Web (MotW) security warnings and deliver malicious files to a victim's system. It is tracked under the Common Vulnerabilities and Exposures (CVE) system with the identifier CVE-2024-21412 and has a CVSS score of 8.1. User interaction is required to exploit this vulnerability: the target must open a maliciously crafted Internet Shortcut file.

When was it discovered?

CVE-2024-21412 was first reported by Trend Micro's Zero Day Initiative. Following its discovery, the vulnerability was publicly disclosed and patched on February 13, 2024.

Affected Products & Versions

Product                                        | Affected versions                          | Fix
Windows 10 Version 21H2 / 22H2                 | All builds prior to Feb 2024 Patch Tuesday | KB5034763
Windows 10 Enterprise LTSC 2019 / Windows Server 2019 | All builds prior to Feb 2024 Patch Tuesday | KB5034768
Windows 11 Version 21H2                        | All builds prior to Feb 2024 Patch Tuesday | KB5034766
Windows 11 Version 22H2 / 23H2                 | All builds prior to Feb 2024 Patch Tuesday | KB5034765
Windows Server 2022 (21H2 / 22H2)              | All builds prior to Feb 2024 Patch Tuesday | KB5034770
Windows Server 2022 Version 23H2               | All builds prior to Feb 2024 Patch Tuesday | KB5034769

CVE-2024-21412 Technical Description

CVE-2024-21412 is a security feature bypass vulnerability in Microsoft Windows Internet Shortcut Files (specifically in how Microsoft Defender SmartScreen handles them). A remote attacker can exploit this flaw to bypass the Mark-of-the-Web (MotW) security warnings and deliver malicious files, leading to potential malware installation and execution.

Tactics, Techniques & Procedures (TTPs)

Attackers targeting CVE-2024-21412 often rely on phishing campaigns or exposed public-facing services to identify vulnerable systems.

Exploitation occurs through social engineering — the attacker must convince the target to open a specially crafted .URL file, typically delivered via phishing email, compromised website, or malicious PDF attachment.

Key TTPs observed in the wild include:

  • T1566.001 – Spearphishing Attachment: Malicious .URL files delivered via phishing emails or PDF lures containing redirect links
  • T1204.002 – User Execution: Malicious File: Victim must open the crafted shortcut file to trigger exploitation
  • T1574.002 – DLL Side-Loading: Post-exploitation payloads (e.g., DarkGate) use sideloaded DLLs within fake software installers
  • T1105 – Ingress Tool Transfer: Malware payloads fetched over WebDAV or SMB after initial shortcut execution
  • T1036 – Masquerading: Malicious shortcuts and installers disguised as legitimate software (Apple iTunes, NVIDIA, Notion) or financial charts

Indicators of Compromise (IoCs)

IP Addresses

  • 62.133.61.26
  • 62.133.61.43
  • 5.42.107.78

Hostnames

Note: IoCs are associated with campaigns active at time of initial disclosure. Organizations should cross-reference with current threat intelligence feeds for the most up-to-date indicators.

Known Proof-of-Concepts & Exploits

Proof-of-concept exploit code for CVE-2024-21412 was publicly identified in exploit databases and security research repositories shortly after the February 2024 Patch Tuesday disclosure. Notable campaigns that weaponized this vulnerability include:

  • Water Hydra (DarkCasino): The APT group exploited CVE-2024-21412 as a zero-day beginning in late 2023, targeting foreign exchange traders via spearphishing on forex forums and Telegram channels, ultimately deploying the DarkMe Remote Access Trojan (RAT).
  • DarkGate campaign: Following Microsoft's patch, DarkGate malware operators incorporated the exploit into their infection chains, using open redirects from Google Ads to direct victims to compromised sites hosting malicious .MSI installers loaded with DarkGate.
  • Lumma Stealer and Meduza Stealer: Additional threat actors were subsequently observed exploiting CVE-2024-21412 to deliver information-stealing malware payloads targeting credential and financial data.

How to detect CVE-2024-21412 Vulnerability?

Detection of CVE-2024-21412 involves monitoring for the following:

  • Suspicious .URL file execution — particularly files opening SMB or WebDAV-hosted resources rather than standard web URLs
  • SmartScreen bypass indicators — processes launched from .URL files without expected MotW warnings or SmartScreen prompts
  • WebDAV/SMB outbound connections — monitor for unexpected outbound SMB (port 445) or WebDAV traffic initiated by shortcut file execution
  • EDR and SIEM signatures — detection rules targeting T1204.002 (malicious file execution) and T1105 (ingress tool transfer) are particularly relevant
  • Endpoint log sources — Windows Security Event Log (Event IDs 4688, 4103), Sysmon (Event IDs 1, 3, 11), and Microsoft Defender telemetry should be monitored for shortcut-initiated process chains
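To make the monitoring points above concrete, here is an added example (not code from the original page) that correlates constructed Sysmon-style Event ID 1 (process create) and Event ID 3 (network connect) records: it flags a process that opened a .url file from a UNC or WebDAV path and then connected outbound over SMB (445) or WebDAV (80). Field names follow Sysmon's; the records, GUIDs, hosts and file names are constructed.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style records for this example (EventID 1 = process create,
# 3 = network connect). The GUIDs, hosts and file names are made up.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessGuid": "{A1}", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "\\10.0.0.5@80\DavWWWRoot\chart.url"'},
    {"EventID": "3", "ProcessGuid": "{A1}", "DestinationIp": "10.0.0.5",
     "DestinationPort": "445"},
    {"EventID": "1", "ProcessGuid": "{B2}", "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "C:\Users\alice\Desktop\notes.url"'},
    {"EventID": "3", "ProcessGuid": "{C3}", "DestinationIp": "10.0.0.9",
     "DestinationPort": "445"},
]

# A .url argument sitting on a UNC path: an SMB share (\\host\share\x.url) or a
# WebDAV path (\\host@80\DavWWWRoot\x.url), rather than a local file or a web URL.
REMOTE_URL_FILE = re.compile(r'\\\\[^\\\s"]+\\[^"\s]*\.url\b', re.IGNORECASE)
SMB_WEBDAV_PORTS = {"445", "80"}

def find_shortcut_chains(events: List[Dict[str, str]]) -> List[str]:
    """Return the ProcessGuids that opened a remotely hosted .url file and then
    made an outbound SMB/WebDAV connection, i.e. the shortcut-initiated chain."""
    opened_remote = {
        e["ProcessGuid"] for e in events
        if e["EventID"] == "1" and REMOTE_URL_FILE.search(e.get("CommandLine", ""))
    }
    hits = {
        e["ProcessGuid"] for e in events
        if e["EventID"] == "3" and e["ProcessGuid"] in opened_remote
        and e.get("DestinationPort") in SMB_WEBDAV_PORTS
    }
    return sorted(hits)

if __name__ == "__main__":
    for guid in find_shortcut_chains(SAMPLE_EVENTS):
        print("suspicious shortcut chain from process", guid)
```

Process {B2} opened a local .url and {C3} connected to 445 without any shortcut, so neither is reported; only {A1} exhibits both halves of the chain.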

Impact & risk of CVE-2024-21412 Vulnerability

Left unaddressed, CVE-2024-21412 poses significant risks to data confidentiality and integrity. Because it bypasses one of Windows' primary user-facing security warnings, it substantially lowers the bar for successful social engineering attacks. Specific misuse scenarios observed in the wild include:

  • RAT deployment (DarkMe) enabling persistent remote access and lateral movement
  • Information stealers (Lumma Stealer, Meduza Stealer) targeting stored credentials, session tokens, and financial data
  • Ransomware staging: initial access via SmartScreen bypass facilitating later ransomware deployment
  • Financial targeting: real-world exploitation against foreign exchange traders and financial institutions

Organizations running unpatched Windows 10 or Windows 11 endpoints, particularly those in financial services or with remote workers who regularly download files, should treat this as a high-priority patch.

CVE-2024-21412 Vulnerability FAQs

CVE-2024-21412 is a security feature bypass vulnerability in Windows Defender SmartScreen. It exploits the way Windows handles chained Internet Shortcut (.URL) files — an attacker crafts a shortcut that references a second shortcut on a remote SMB share. When the victim opens the first file, Windows resolves the chain and executes the final payload without displaying SmartScreen's standard security warning, allowing malware to run without the typical user prompt.

This vulnerability is exploited through user interaction. Attackers deliver a malicious .URL file via phishing emails, malicious PDFs, or compromised websites. When a user opens the file, the chained shortcut mechanism silently bypasses SmartScreen and can execute malware — such as the DarkMe RAT or DarkGate — on the victim's system.

While Microsoft issued a patch in February 2024, this vulnerability remains a risk on any unpatched Windows endpoint. The technique it introduced, chaining Internet Shortcut files to bypass MotW, has continued to influence attacker tradecraft. Organizations with delayed patch cycles, legacy Windows environments, or large numbers of remote endpoints remain at elevated risk.

Organizations should apply the February 2024 Patch Tuesday security updates immediately across all Windows 10 and Windows 11 endpoints and Windows Server instances. Additional hardening steps include:

  • Blocking inbound and outbound SMB (port 445) at network perimeters where not required
  • Restricting execution of .URL files from internet-sourced locations via AppLocker or Windows Defender Application Control (WDAC) policies
  • Deploying EDR with behavioral detection for shortcut-initiated process chains
  • Conducting user awareness training to recognize phishing lures targeting financial or trading content