counterfeit software

Tech Optimizer
May 23, 2025
Cloudflare, in collaboration with Microsoft and international law enforcement, has dismantled the infrastructure of LummaC2, an information-stealing malware service. This initiative led to the seizure and blocking of malicious domains and disrupted digital marketplaces used by criminals. Lumma Stealer operates as a subscription service providing threat actors access to a central panel for customized malware builds and stolen data retrieval. The stolen information includes credentials, cryptocurrency wallets, and sensitive data, posing risks of identity theft and financial fraud. Lumma Stealer was first identified on Russian-language crime forums in early 2023 and has since migrated to Telegram for distribution. Its proliferation is facilitated by social engineering campaigns, including deceptive pop-ups and bundled malware in cracked software. Cloudflare implemented measures to block access to Lumma's command and control servers and collaborated with various authorities to prevent the criminals from regaining control. Mitigation strategies for users include restricting unknown scripts, limiting password storage in browsers, and using reputable endpoint protection tools. The operation has significantly hindered Lumma's operations and aims to undermine the infostealer-as-a-service model contributing to cybercrime.
AppWizard
May 9, 2025
Mullvad has introduced reproducible builds for its Android VPN application starting with version 2025.2, allowing users to confirm the legitimacy of the app before installation. Reproducible builds ensure that identical copies of the application can be recreated from the same source code, build environment, and instructions, providing assurance against unauthorized modifications. This decision follows a rise in malicious free VPN applications and malware distribution through counterfeit software. Currently, only the latest version of Mullvad's Android VPN app features this capability, with no confirmed plans for other platforms. Mullvad encourages technically skilled users to verify the builds and has provided instructions for the verification process.
Winsage
November 8, 2024
Researchers have identified a new threat campaign called SteelFox, which uses counterfeit software activators and cracks to infiltrate Windows systems. The campaign deploys a vulnerable driver, information-stealing malware, and a cryptocurrency miner, compromising sensitive data and exploiting system resources for illicit mining. Victims are reported globally, including regions from Brazil to China, affecting users of commercial software like Foxit PDF Editor, JetBrains, and AutoCAD. Cybercriminals continue to advertise these fake software solutions, increasing the potential for further infections.
Tech Optimizer
August 13, 2024
ClearFake is a sophisticated cybersecurity threat that distributes counterfeit antivirus software to manipulate users into installing harmful programs. Cybercriminals are hijacking legitimate websites to spread .NET-based malware, which is difficult to detect due to its complex code. The ClearFake initiative specifically targets the .NET framework to exploit vulnerabilities in Windows systems, utilizing free code hosting services like GitHub and Bitbucket for malware distribution. Attackers also use URL shortening services to obscure malicious links, complicating detection efforts. Cybersecurity researchers advise users to be cautious of deceptive prompts to update web browsers.
Indicators of Compromise (IoCs):
- Infected webpage: stoicinvesting[.]com
- Payload URL: dais7nsa[.]pics/endpoint
- Binance contract: 0xa6165aa33ac710ad5dcd4f4d6379466825476fde
- GitHub repo: github[.]com/BrowserCompanyLLC/-12
- Bitbucket repos: bitbucket[.]org/shakespeare1/workspace/projects/