
CVE-2024-21412: Windows SmartScreen Security Feature Bypass — Deep Dive Analysis

Sarah Chen
LeoNet Security Research Journal, Vol. 4, No. 1, pp. 55–78 (2026)
Published: 2026-04-15
DOI: 10.58714/leonet.2026.04.002
ISSN: 2998-4471
Keywords: CVE-2024-21412, SmartScreen, Windows, zero-day, DarkGate, APT, Mark-of-the-Web, MITRE ATT&CK
Open Access · Free to Read · CC BY 4.0

Abstract

CVE-2024-21412 is a security feature bypass vulnerability in the Windows SmartScreen mechanism affecting Internet Shortcut (.url) files. Exploited in the wild by DarkGate malware operators beginning in January 2024, this vulnerability allowed attackers to bypass the Mark-of-the-Web (MotW) protections that would otherwise trigger a SmartScreen warning. This paper presents a technical analysis of the exploit chain, including file structure manipulation, MotW attribute propagation weaknesses, and the DarkGate payload delivery mechanism. We provide indicators of compromise (IOCs), MITRE ATT&CK technique mappings (T1218.009, T1553.005), Sigma detection rules, and remediation guidance aligned to February 2024 Patch Tuesday.

1. Vulnerability Overview

CVE-2024-21412 was assigned a CVSS v3.1 Base Score of 8.1 (High). The vulnerability exists in the way Windows handles Internet Shortcut (.url) files when accessed through network shares or downloaded archives. A specially crafted .url file can reference a second .url file in a way that causes the SmartScreen filter to evaluate the wrong file, bypassing the MotW check entirely.

2. Exploitation in the Wild

Threat actors associated with DarkGate malware operations exploited this vulnerability starting in January 2024, approximately three weeks before Microsoft patched it in the February 2024 Patch Tuesday release (KB5034765). The attack chain involved spear-phishing emails delivering ZIP archives containing the crafted .url files, which, upon extraction and execution, delivered DarkGate stage-1 loaders.

3. MITRE ATT&CK Mapping

  1. T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass) — Primary technique for CVE-2024-21412.
  2. T1218.009 (System Binary Proxy Execution: Regsvr32) — DarkGate used regsvr32.exe for loader execution post-bypass.
  3. T1566.001 (Phishing: Spearphishing Attachment) — Initial delivery vector.

4. Detection and Remediation

Apply KB5034765 (Windows 10/11) or KB5034766 (Windows Server 2019/2022) immediately. Monitor for .url files referencing UNC paths (\\server\share) in email attachments. Use the provided Sigma rule to detect exploitation attempts in Windows event logs. Block inbound ZIP archives containing nested .url files at the email gateway.
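As an added example (not the paper's own Sigma rule, which does not appear on this page), the following Python scanner applies the two attachment checks recommended above to a ZIP archive: it parses every .url member as the INI-style [InternetShortcut] file it is and flags any whose URL= target is a UNC/network path or points at another .url file. The host name and file names in the sample archive are constructed.

```python
import configparser
import io
import zipfile
from typing import List, Optional, Tuple


def url_target(data: bytes) -> Optional[str]:
    """Return the URL= value of a .url (Internet Shortcut) file, or None if it does not parse."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(data.decode("utf-8", errors="replace"))
    except configparser.Error:
        return None
    # Option names are case-insensitive in configparser; the section name must match exactly.
    return parser.get("InternetShortcut", "URL", fallback=None)


def is_suspicious(target: str) -> bool:
    """Flag UNC targets (\\\\server\\share, with or without a file: prefix) and targets that are .url files."""
    t = target.strip().lower().replace("/", "\\")
    if t.startswith("file:"):
        t = t[len("file:"):]
    return t.startswith("\\\\") or t.endswith(".url")


def scan_zip(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, target) pairs for .url members that match the heuristics above."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".url"):
                continue
            target = url_target(zf.read(name))
            if target is not None and is_suspicious(target):
                findings.append((name, target))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign web shortcut and one shortcut referencing a .url on a UNC share."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/company-site.url", "[InternetShortcut]\nURL=https://example.com/\n")
        zf.writestr("invoice.url", "[InternetShortcut]\nURL=file://\\\\fileshare.invalid\\pub\\invoice.url\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, target in scan_zip(build_sample_zip()):
        print(f"suspicious: {member} -> {target}")
```

The same two checks can be wired into a mail-gateway hook or a SOC triage script; a plain https:// shortcut is not flagged, so the rule stays quiet on ordinary web bookmarks.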

License: This article is published by SaloneNest LLC under the Creative Commons Attribution 4.0 International (CC BY 4.0) license. You are free to share, copy, redistribute, adapt, and build upon this material for any purpose, provided appropriate credit is given to SaloneNest LLC / LeoNet CyberHub, a link to the license is provided, and any changes are indicated.

Cite as: Sarah Chen (2026). CVE-2024-21412: Windows SmartScreen Security Feature Bypass — Deep Dive Analysis. LeoNet Security Research Journal, 4(1), 55–78. https://doi.org/10.58714/leonet.2026.04.002