Numerous Chromium-based browsers and apps, including Google Authenticator, Microsoft Authenticator, LastPass, NordPass, KeePass, and Duo Mobile, have been targeted by Phemedrone for exfiltration of geolocation information, operating system details, and other telemetry, a report from Trend Micro revealed. Initial compromise has been enabled by malicious Internet Shortcut files, which, when downloaded, trigger the execution of scripts that prevent SmartScreen from warning users that they are under attack. "Microsoft Windows Defender SmartScreen should warn users with a security prompt before executing the .url file from an untrusted source. However, the attackers craft a Windows shortcut (.url) file to evade the SmartScreen protection prompt by employing a .cpl file as part of a malicious payload delivery mechanism," said the researchers, who added that various techniques have also been used by the information-stealing malware to bypass detection.
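
A defender-side triage check for the delivery pattern the researchers describe, a .url shortcut that references a .cpl file. This is an added example, not code from Trend Micro or the report; the sample shortcut contents, host names and the function names `parse_url_shortcut` and `triage_shortcut` are constructed for illustration, and flagging on the `.cpl` extension alone is an assumed heuristic.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample shortcut contents (hosts and paths are placeholders).
SAMPLE_CPL = "[InternetShortcut]\r\nURL=file://files.example.test/share/update.cpl\r\nIconIndex=0\r\n"
SAMPLE_ENCODED = "[InternetShortcut]\r\nurl=file://files.example.test/share/update.c%70l\r\n"
SAMPLE_WEB = "[InternetShortcut]\r\nURL=https://www.example.test/docs/index.html\r\n"

def parse_url_shortcut(text):
    """Return lower-cased key/value pairs from the [InternetShortcut] section."""
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "internetshortcut"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)
            fields.setdefault(key.strip().lower(), value.strip())
    return fields

def triage_shortcut(text):
    """Flag a .url file whose target resolves to a Control Panel (.cpl) item."""
    target = parse_url_shortcut(text).get("url", "")
    if target.startswith("\\\\"):            # UNC path, e.g. \\host\share\x.cpl
        scheme, host, path = "unc", target[2:].split("\\", 1)[0], target
    else:
        parts = urlsplit(target)
        scheme, host, path = parts.scheme.lower(), parts.netloc, unquote(parts.path)
    # Normalise separators and drop trailing dots/spaces that Windows ignores.
    name = path.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    ext = name.rpartition(".")[2].lower() if "." in name else ""
    return {
        "target": target,
        "scheme": scheme,
        "remote": bool(host),
        "extension": ext,
        "suspicious": ext == "cpl",
    }

if __name__ == "__main__":
    for label, sample in (("cpl", SAMPLE_CPL), ("encoded", SAMPLE_ENCODED), ("web", SAMPLE_WEB)):
        print(label, triage_shortcut(sample))
```

The check decodes percent-encoding and ignores keys outside the `[InternetShortcut]` section, so a disguised extension or a decoy section does not change the verdict.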