The source says that a recent Microsoft Defender update brought with it a new command-line argument called DownloadFile. This directive allows a local user to interact with the Microsoft Antimalware Service command-line utility (MpCmdRun.exe) to download a file from a remote location using the command MpCmdRun.exe –DownloadFile –URL [download resource address] –path [save directory].

According to reports, this feature was added in Microsoft Defender 4.18.2007.9 or 4.18.2009.9. The enthusiasts conducted several experiments, during which they managed to download the resources.exe file, which is the WastedLocker ransomware, which was used by cybercriminals in a recent attack on wearable electronics manufacturer Garmin using the command mentioned.

This problem was first discovered by information security researcher Mohammad Askar. Finding it means Microsoft Defender joins a long list of Windows operating system programs that can be used by cybercriminals to conduct cyber attacks. The good news is that Microsoft Defender itself detects malware downloaded using MpCmdRun.exe, but it’s unclear if third-party antivirus software is capable of preventing malware from downloading through this feature.