A new variant of the infamous Snake Keylogger is making headlines after it successfully bypassed Windows Defender in a focused cyber-espionage campaign targeting Turkey’s defense and aerospace sectors. The attack, which leverages stealthy in-memory loaders and scheduled tasks, appears to specifically target firms like TUSAŞ (Turkish Aerospace Industries).
The lure is an executable posing as an Excel quote request (teklif isteği is Turkish for request for quotation), delivered under the filename:
“TEKLİF İSTEĞİ – TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe”
The _xlsx token sits just before the real .exe extension, so on a system that hides known extensions the name reads like a spreadsheet.
But beneath the spreadsheet facade lies a .NET-based loader that unpacks Snake Keylogger straight into memory, so the final payload is never written to disk where static analysis and file-based antivirus scanning would see it.
How It Bypasses Windows Defender
The most alarming part? This Snake variant does not disable Microsoft Defender so much as tell it where not to look.
Once running, it launches PowerShell and adds its own directory to Defender's exclusion list:
Add-MpPreference -ExclusionPath "C:\Users\Username\AppData\…"
Anything under an excluded path is skipped by real-time and scheduled scans, so the dropped payload is never inspected: no alerts, no detection. Two caveats matter for defenders. Add-MpPreference changes Defender configuration and therefore needs administrative rights, so either the lure is run elevated or the loader has to escalate first. And the change is itself recorded: the Microsoft-Windows-Windows Defender/Operational log writes event 5007 for configuration changes, new exclusions included, so the bypass is loud to anyone watching that log.
Stealthy Persistence and Data Theft
This keylogger doesn't stop at bypassing antivirus. It also ensures persistence on infected systems by creating a scheduled task with:
schtasks.exe /create /tn "Updates\oNqxPR" /tr "malwarepath.exe" /sc minute /mo 1
A task with /sc minute /mo 1 fires every minute, so the malware is relaunched within sixty seconds if it is killed and comes back after a reboot for as long as the task exists. Because no /ru account is given, the task runs as the user who created it, which a standard user can do without elevation. The Updates\ folder and the random-looking task name are meant to blend in when someone opens Task Scheduler.
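Both of the tricks above, the Defender exclusion and the one-minute scheduled task, leave their command lines in process-creation telemetry, and that is where they are easiest to catch. The detector below is an added example written for this page, not code from the campaign write-up or from Microsoft. It runs over a handful of constructed records shaped like Sysmon event 1 / Security 4688 (parent image, image, command line); the user name, task name, drop folder and the two benign events are illustrative assumptions, and the list of user-writable directories is a starting point, not a complete one. It flags any Add-MpPreference/Set-MpPreference exclusion, rating it high when the excluded path is user-writable, and any schtasks /create whose schedule repeats by the minute, whose action lives under a user-writable path, or whose task sits outside the \Microsoft folder.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample telemetry (Sysmon event 1 / Security 4688 shape). These are
# illustrative lines written for this example, not captures from the campaign.
SAMPLE_EVENTS = [
    {   # lure -> PowerShell carving out an unscanned drop folder under AppData
        "parent": r"C:\Users\alice\AppData\Local\Temp\TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'powershell.exe -Command Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Roaming\oNqxPR"',
    },
    {   # lure -> schtasks with a one-minute repeat, action under AppData
        "parent": r"C:\Users\alice\AppData\Local\Temp\TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /create /tn "Updates\oNqxPR" /tr "C:\Users\alice\AppData\Roaming\oNqxPR\oNqxPR.exe" /sc minute /mo 1',
    },
    {   # admin excluding a build directory from a console: worth a look, not an incident
        "parent": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "D:\builds"',
    },
    {   # installer registering a daily updater under Program Files: benign
        "parent": r"C:\Windows\System32\msiexec.exe",
        "image": r"C:\Windows\System32\schtasks.exe",
        "cmdline": r'schtasks.exe /create /tn "\Microsoft\Vendor\Updater" /tr "C:\Program Files\Vendor\upd.exe" /sc daily /st 03:00',
    },
]

# Add-MpPreference / Set-MpPreference followed by an -Exclusion* switch and its value.
EXCLUSION_RE = re.compile(
    r"(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension)\s+[\"']?([^\"',]+)",
    re.IGNORECASE,
)
# Directories a standard user can write to (assumed starting list, extend for your estate).
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:appdata|downloads|desktop|documents)(?:\\|$)"
    r"|users\\public(?:\\|$)|programdata(?:\\|$)|windows\\temp(?:\\|$))",
    re.IGNORECASE,
)


@dataclass
class Finding:
    rule: str
    severity: str
    detail: str
    event: dict = field(repr=False)


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted spans as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(tokens: list[str]) -> dict[str, str]:
    """Map schtasks switches that take a value (/tn, /tr, /sc, /mo, ...) to that value."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/") and i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            opts[tok.lower()] = tokens[i + 1]
    return opts


def check_defender_exclusion(ev: dict) -> Finding | None:
    m = EXCLUSION_RE.search(ev["cmdline"])
    if not m:
        return None
    target = m.group(1).strip()
    # Excluding a user-writable directory is the "make me a safe drop folder" move.
    sev = "high" if USER_WRITABLE_RE.match(target) else "medium"
    return Finding("defender_exclusion", sev, f"Defender exclusion added for {target}", ev)


def check_schtasks_persistence(ev: dict) -> Finding | None:
    tokens = tokenize(ev["cmdline"])
    if not tokens or "schtasks" not in tokens[0].lower() or "/create" not in {t.lower() for t in tokens}:
        return None
    opts = parse_schtasks(tokens)
    reasons = []
    if opts.get("/sc", "").lower() == "minute":
        reasons.append(f"repeats every {opts.get('/mo', '1')} minute(s)")
    action = opts.get("/tr", "")
    if USER_WRITABLE_RE.match(action):
        reasons.append(f"action runs from user-writable path {action}")
    task = opts.get("/tn", "").lstrip("\\")
    if task and not task.lower().startswith("microsoft\\"):
        reasons.append(f"task registered outside the \\Microsoft folder: {task}")
    if not reasons:
        return None
    sev = "high" if len(reasons) >= 2 else "low"
    return Finding("schtasks_persistence", sev, "; ".join(reasons), ev)


def run_detections(events: list[dict]) -> list[Finding]:
    findings = []
    for ev in events:
        for check in (check_defender_exclusion, check_schtasks_persistence):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in run_detections(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

On real telemetry the parent image adds the strongest signal of all: an executable freshly written to Temp with a document-looking name spawning powershell.exe or schtasks.exe is the chain this campaign uses, and neither benign sample above has that parent.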
Once embedded, Snake Keylogger quietly harvests:
- Saved passwords
- Cookies and autofill data
- Credit card numbers
- Browser history
- Outlook and Thunderbird email credentials
In total, it targets data from over 30 popular apps and browsers.
All stolen data is then exfiltrated over SMTP through a mail server at mail.htcp.homes. That makes outbound SMTP from endpoints that have no business sending mail directly a cheap thing to block or at least alert on.
Why This Attack Is Especially Dangerous
This campaign isn't just another scattershot phishing attempt. It's precise, localized, and targeted at Turkey's national defense ecosystem. Relying on built-in tooling (PowerShell, Defender's own cmdlets, Task Scheduler) instead of custom implants is a deliberate living-off-the-land choice that keeps the footprint small, and together with the targeting it is consistent with nation-state involvement or an advanced cybercrime group.
Because every step uses legitimate Windows functions, nothing in the chain is a malicious binary in its own right: signature-based endpoint protection has little to match on, and detection has to come from behaviour, such as a freshly dropped executable spawning PowerShell to edit Defender exclusions and then registering a scheduled task.
How to Protect Against It
To defend against campaigns like this:
- Monitor Defender exclusion lists (Get-MpPreference, looking at ExclusionPath, ExclusionProcess and ExclusionExtension) and alert on Windows Defender operational event 5007, which records configuration changes including new exclusions. Turn on Tamper Protection so that a local script cannot also switch off real-time protection.
- Restrict PowerShell rather than trying to remove it: enforce Constrained Language Mode through AppLocker or WDAC, and enable Script Block Logging (event 4104) so that commands such as Add-MpPreference are recorded.
- Audit scheduled tasks. Enable Audit Other Object Access Events so that Security event 4698 (scheduled task created) is logged, review the Microsoft-Windows-TaskScheduler/Operational log, and flag tasks under non-standard folders like "Updates\", tasks with minute-level repetition, and actions that point into user-writable directories such as AppData.
- Implement behavioral EDR capable of detecting in-memory loaders and script-based abuse, and make sure command-line logging is on (Sysmon event 1 or 4688 with command-line auditing), since the abuse here is visible only in the arguments.
- Educate employees on avoiding executable attachments masquerading as documents, especially those with names mimicking internal procurement or vendor terms, and have the mail gateway quarantine executables outright, including names that place a document extension just before the real .exe.
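The lure filename at the top of the article and the last two recommendations above come down to the same gateway check: does this attachment name try to look like a document while carrying an executable extension? The classifier below is an added example written for this page, not the campaign's code or any vendor product. The extension lists and the sample attachment names are assumptions chosen for illustration; the TUSAŞ filename is the one quoted above. It goes a little beyond the article's case by also catching the two other common variants of the trick: a bidi override character that reverses how the extension renders, and whitespace padding that pushes the real extension out of the visible column.

```python
import re

# Extensions Windows executes when opened (assumed starting list, not exhaustive).
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                  "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Document types an attacker wants the name to evoke (assumed list).
DOCUMENT_EXT = {"xlsx", "xls", "xlsm", "docx", "doc", "pdf", "pptx", "ppt",
                "rtf", "txt", "csv", "zip"}
# LRO/RLO reorder rendered text, so "photo<RLO>gnp.exe" displays as "photoexe.png".
BIDI_OVERRIDES = {"\u202d", "\u202e"}

# Constructed sample attachment names for this example (only the first is from the article).
SAMPLE_ATTACHMENTS = [
    "TEKLİF İSTEĞİ - TUSAŞ TÜRK HAVACILIK UZAY SANAYİİ_xlsx.exe",
    "Teklif_2024.xlsx",
    "report.pdf.exe",
    "photo\u202egnp.exe",
    "invoice.pdf" + " " * 40 + ".scr",
    "setup.msi",
]


def classify_attachment(filename: str) -> list[str]:
    """Reasons a filename looks like an executable posing as a document; empty list means no finding."""
    reasons = []
    if any(ch in filename for ch in BIDI_OVERRIDES):
        reasons.append("bidi override character hides the real extension")
    # The extension the OS acts on is whatever follows the last dot in the raw string.
    stem, dot, ext = filename.rpartition(".")
    ext = ext.strip().lower()
    if not dot or ext not in EXECUTABLE_EXT:
        return reasons
    reasons.append(f"executable extension .{ext}")
    # Last word of the stem: 'xlsx' in '..._xlsx.exe', 'pdf' in 'report.pdf.exe'.
    words = [w for w in re.split(r"[\s._\-()\[\]]+", stem) if w]
    if words and words[-1].lower() in DOCUMENT_EXT:
        reasons.append(f"document type '{words[-1]}' placed right before the executable extension")
    if re.search(r"\s{3,}", stem):
        reasons.append("whitespace padding pushes the real extension out of view")
    return reasons


def triage(filenames: list[str]) -> dict[str, list[str]]:
    """Return {filename: reasons} for every attachment the gateway should quarantine."""
    verdicts = {}
    for name in filenames:
        reasons = classify_attachment(name)
        if reasons:
            verdicts[name] = reasons
    return verdicts


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_ATTACHMENTS).items():
        print(repr(name))
        for r in reasons:
            print("   -", r)
```

Note that a plain executable such as setup.msi is still quarantined: the recommendation is to stop executables at the gateway, and the masquerade reasons only raise the priority of the alert.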
Final Thoughts
The latest Snake Keylogger Windows Defender bypass highlights a growing trend: attackers no longer rely solely on exotic exploits—they abuse trusted tools to gain a foothold. With defense contractors now firmly in their sights, this campaign serves as a wake-up call for organizations everywhere.
Security isn’t just about detection anymore—it’s about understanding how your own tools can be turned against you.