{
	"id": "994919c3-fb50-48db-b764-cf40787c5245",
	"created_at": "2026-04-06T00:08:30.684639Z",
	"updated_at": "2026-04-10T03:21:28.019883Z",
	"deleted_at": null,
	"sha1_hash": "53d047763173d9f66db096f89a6e7a1d6cc57b1f",
	"title": "IObit forums hacked to spread ransomware to its members",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3425919,
	"plain_text": "IObit forums hacked to spread ransomware to its members\r\nBy Lawrence Abrams\r\nPublished: 2021-01-18 · Archived: 2026-04-05 18:50:43 UTC\r\nWindows utility developer IObit was hacked over the weekend to perform a widespread attack to distribute the strange\r\nDeroHE ransomware to its forum members.\r\nIObit is a software developer known for Windows system optimization and anti-malware programs, such as Advanced\r\nSystemCare.\r\nOver the weekend, IObit forum members began receiving emails claiming to be from IObit stating that they are entitled to a\r\nfree 1-year license to their software as a special perk of being a forum member.\r\nhttps://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/\r\nPage 1 of 9\n\nIObit 'Promo' email\r\nIncluded in the email is a 'GET IT NOW' link that redirects to hxxps://forums.iobit.com/promo.html. 
This page no longer\r\nexists, but at the time of the attack, it was distributing a file at hxxps://forums.iobit.com/free-iobit-license-promo.zip.\r\nThis zip file [VirusTotal] contains digitally signed files from the legitimate IObit License Manager program, but with the\r\nIObitUnlocker.dll replaced with an unsigned malicious version shown below.\r\nMalicious IObitUnlocker.dll DLL\r\nSource: BleepingComputer\r\nWhen IObit License Manager.exe is executed, the malicious IObitUnlocker.dll will be executed to install the DeroHE\r\nransomware to C:\\Program Files (x86)\\IObit\\iobit.dll [VirusTotal] and execute it.\r\nAs most executables are signed with IObit's certificate, and the zip file was hosted on their site, users installed the\r\nransomware thinking it was a legitimate promotion.\r\nBased on reports at IObit's forum and other forums [1, 2], this is a widespread attack that targeted all forum members.\r\nA closer look at the DeroHE ransomware\r\nBleepingComputer has since analyzed the ransomware to illustrate what happens when executed on a victim's computer.\r\nWhen first started, the ransomware will add a Windows autorun named \"IObit License Manager\" that launches the \"rundll32\r\n\"C:\\Program Files (x86)\\IObit\\iobit.dll\",DllEntry\" command when logging in to Windows.\r\nEmsisoft analyst Elise van Dorp, who also analyzed the ransomware, stated the ransomware adds the following Windows\r\nDefender exclusions to allow the DLL to run.\r\n@WMIC /Namespace:\\\\root\\Microsoft\\Windows\\Defender class MSFT_MpPreference call Add ExclusionPath=\\\"\r\n@WMIC /Namespace:\\\\root\\Microsoft\\Windows\\Defender class MSFT_MpPreference call Add ExclusionPath=\\\"\\Temp\\\\\"\r\n@WMIC /Namespace:\\\\root\\Microsoft\\Windows\\Defender class MSFT_MpPreference call Add ExclusionExtension=\\\".dll\\\"\r\n@WMIC 
/Namespace:\\\\root\\Microsoft\\Windows\\Defender class MSFT_MpPreference call Add ExclusionProcess=\\\"rundll32.exe\\\"\r\nThe ransomware will now display a message box claiming to be from IObit License Manager stating, \"Please wait. It may\r\ntake a little longer than expected. Keep your computer running or screen on!\" The ransomware shows this alert to prevent\r\nvictims from shutting off their devices before the ransomware finishes.\r\nFake alert to not turn off the computer\r\nSource: BleepingComputer\r\nWhen encrypting victims, it will append the .DeroHE extension to encrypted files.\r\nFiles encrypted by the DeroHE ransomware\r\nSource: BleepingComputer\r\nEach encrypted file will also have a string of information appended to the end of the file, as shown below. The ransomware\r\nmay use this information to decrypt files if a ransom is paid.\r\n{\"version\":\"3\",\"id\":\"dERiqiUutvp35oSUfRSTCXL53TRakECSGQVQ2hhUjuCEjC6zSNFZsRqavVVSdyEzaViULtCRPxzRwRCKZ2j2ugCg5r9SrERKe7r5\r\nHex edit of an encrypted file\r\nSource: BleepingComputer\r\nOn the Windows desktop, the DeroHE ransomware will create two files named FILES_ENCRYPTED.html, containing a list\r\nof all encrypted files, and the READ_TO_DECRYPT.html ransom note.\r\nThe ransom note has the title of 'Dero Homomorphic Encryption,' and promotes a cryptocurrency called DERO. 
This note\r\ntells the victim to send 200 coins, worth approximately $100, to the listed address to get a decryptor.\r\nDeroHE ransomware ransom note\r\nSource: BleepingComputer\r\nEnclosed in the ransom note is the ransomware's Tor\r\nsite http://deropayysnkrl5xu7ic5fdprz5ixgdwy6ikxe2g3mh2erikudscrkpqd.onion, which can be used to make the payment.\r\nOf particular interest, the Tor site states that IObit can send $100,000 in DERO coins to decrypt all victims, as the attackers\r\nblame IObit for the compromise.\r\n\"Tell iobit.com to send us 100000 (1 hundred thousand) DERO coin to this address.\r\ndERopYDgpD235oSUfRSTCXL53TRakECSGQVQ2hhUjuCEjC6zSNFZsRqavVVSdyEzaViULtCRPxzRwRCKZ2j2ugCg26hRtLziwu\"\r\n\"After payment arrive, all encrypted computer (including yours) will be decrypted. THIS IS IOBIT's FAULT to made your\r\ncomputer getting infected,\" the DeroHE Tor payment site states.\r\nDero Ransomware Tor payment site\r\nSource: BleepingComputer\r\nThe ransomware is being analyzed for weaknesses, and it is not known if it can be decrypted for free.\r\nFurthermore, it is unknown if the threat actors will keep their word and provide a decryptor if payment is made.\r\nIObit forums likely compromised\r\nTo create the fake promotion page and host a malicious download, the attackers likely hacked IObit's forum and gained\r\naccess to an administrative account.\r\nAt this time, the forums still appear to be compromised, as if you visit missing pages that return a 404 error code, the web\r\npage will display dialogs to subscribe to browser notifications. 
Your browser will begin to receive desktop notifications\r\npromoting adult sites, malicious software, and other unwanted content when subscribed.\r\nCompromised IObit forum page\r\nSource: BleepingComputer\r\nFurthermore, if you click anywhere on the page, a new tab will open showing advertisements for adult sites. Other site\r\nsections also appear to be compromised as clicking on forum links redirects you to similar adult pages.\r\nAttackers compromised the forum by injecting a malicious script on all pages that are not found, as shown below.\r\nCompromised IObit forum page\r\nSource: BleepingComputer\r\nBleepingComputer has reached out to IObit with questions related to this attack but has not heard back.\r\nUpdated 01/19/20: A security researcher known as Ronny told BleepingComputer IObit is using vBulletin 5.6.1 for their\r\nforum software.\r\nThis version of vBulletin has a known vulnerability that allows remote attackers to gain control over the forum.\r\nSource: https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/"
	],
	"report_names": [
		"iobit-forums-hacked-to-spread-ransomware-to-its-members"
	],
	"threat_actors": [],
	"ts_created_at": 1775434110,
	"ts_updated_at": 1775791288,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53d047763173d9f66db096f89a6e7a1d6cc57b1f.pdf",
		"text": "https://archive.orkl.eu/53d047763173d9f66db096f89a6e7a1d6cc57b1f.txt",
		"img": "https://archive.orkl.eu/53d047763173d9f66db096f89a6e7a1d6cc57b1f.jpg"
	}
}