Bypass Record

Rootkit × Microsoft Windows Defender

A publicly-reported instance of Rootkit bypassing Microsoft Windows Defender, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Windows Defender
Technique: Rootkit
MITRE ATT&CK: T1014
Confidence: High
Severity: Critical
Status: in the wild
Disclosed: 2026-04-14
Config / version noted: Yes

Provenance

Reported as

WDAC policy that blocks 50 security executables from running, effectively killing antivirus protection

Mechanism

A trojanized installer drops a multi-component framework: a Python bot (PyArmor-obfuscated), an r77 rootkit stager with AMSI bypass, and a WDAC deny-list policy that prevents execution of security products (Avast, AVG, Avira, Windows Defender, etc.) after reboot. The bot uses dead-drop resolvers (legitimate web pages hosting encrypted C2 addresses) for command-and-control. The stage-2 dropper employs sandbox evasion via 15-minute sleep delays.

Detection & mitigation

Monitor for unexpected WDAC policy deployments (Event ID 3099) and use integrity checks on critical system files. Deploy application allowlisting and restrict WDAC policy modification to authorized administrators only.
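A defender-side check for the Event ID 3099 monitoring described above, added here as an example and not taken from the cited report. It assumes the Microsoft-Windows-CodeIntegrity/Operational log is available on the host and that $KnownPolicyIds holds the organisation's approved WDAC policy GUIDs (the value shown is a placeholder).

```powershell
# Added example: flag WDAC policy activations (Event ID 3099) whose policy GUID is not in the
# approved baseline, then list the policy files that will be enforced at next boot.
# Assumption: $KnownPolicyIds is maintained by the administrator; the GUID below is a placeholder.
$KnownPolicyIds = @(
    '00000000-0000-0000-0000-000000000000'   # placeholder: replace with approved policy GUIDs (no braces)
)

function Get-UnexpectedWdacActivations {
    param([int]$Days = 7)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3099
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of parsing the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Field names differ between Windows builds; take whichever GUID-shaped field is present.
        $guidPattern = '^\{?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}?$'
        $policyId = $data.Values | Where-Object { $_ -match $guidPattern } | Select-Object -First 1
        if (-not $policyId) { continue }

        $normalized = $policyId.Trim('{}').ToUpper()
        if ($KnownPolicyIds -notcontains $normalized) {
            [pscustomobject]@{
                Time       = $e.TimeCreated
                PolicyId   = $normalized
                PolicyName = $data['PolicyNameBuffer']   # present on recent builds; may be $null elsewhere
            }
        }
    }
}

# Policies on disk: multiple-policy format (.cip files) and the legacy single-policy file.
Get-ChildItem "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active" -Filter '*.cip' -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime
Get-Item "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime

Get-UnexpectedWdacActivations -Days 7 | Format-Table -AutoSize
```

Run it as an administrator; a policy file with a recent LastWriteTime that matches no approved GUID is the condition to investigate before the next reboot enforces it.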


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.