{
	"id": "df604059-63cd-47e8-aa48-2764034c5bda",
	"created_at": "2026-04-10T03:21:15.376655Z",
	"updated_at": "2026-04-10T03:22:17.055909Z",
	"deleted_at": null,
	"sha1_hash": "639249cf517826c6844f9db1c734efe392134b4a",
	"title": "Check Point Research detects Crypto Miner malware disguised as Google translate desktop and other legitimate applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 107021,
	"plain_text": "Check Point Research detects Crypto Miner malware disguised as Google translate desktop and other legitimate applications\r\nBy etal\r\nPublished: 2022-08-29 · Archived: 2026-04-10 03:07:46 UTC\r\nResearch by: Moshe Marelus\r\nHighlights:\r\nCheck Point Research (CPR) detected a Turkish-based crypto miner malware campaign, dubbed ‘Nitrokod’, which infected machines across 11 countries.\r\nThe malware is dropped from popular software available on dozens of free software websites.\r\nThe malware distributors separate malicious activity from the downloaded fake software to avoid detection.\r\nThe attack was initially found by Check Point XDR, which overcomes the attack’s evasion mechanism.\r\nIntroduction\r\nAt the end of July 2022, Check Point Research (CPR) detected a previously undisclosed cryptomining campaign, called Nitrokod, which potentially infected thousands of machines worldwide.\r\nAt the campaign’s core there are several useful utilities. Created by a Turkish-speaking entity, the campaign dropped malware from free software available on popular websites such as Softpedia and Uptodown. The software can also be easily found through Google when users search “Google Translate Desktop download”.\r\nWhile the applications boast “100 CLEAN” banners on some sites, the applications are in fact Trojanized and contain a delayed mechanism that unleashes a long multi-stage infection ending with a cryptomining malware.\r\nAfter the initial software installation, the attackers delayed the infection process for weeks and deleted traces from the original installation. 
This allowed the campaign to successfully operate under the radar for years.\r\nhttps://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications\r\nPage 1 of 13\r\nFigure 1: Top results for “Google Translate Desktop download”\r\nNitrokod\r\nActive since 2019, Nitrokod is a Turkish-speaking software developer that claims to offer free and safe software.\r\nMost of the programs Nitrokod offers are popular software that do not have an official desktop version. For example, the most popular Nitrokod program is the Google Translate desktop application. Google has not released an official desktop version, making the attackers’ version very appealing.\r\nFigure 2: Nitrokod[.]com\r\nMost of their developed programs are easily built from the official web pages using a Chromium-based framework. For example, the Google Translate desktop application is converted from the Google Translate web page (https://translate.google.com) using the CEF project. 
This gives the attackers the ability to spread functional programs without having to develop them.\r\nTo avoid detection, the Nitrokod authors separate malicious activity from the initially downloaded Nitrokod program:\r\nThe malware is first executed almost a month after the Nitrokod program was installed.\r\nThe malware is delivered after 6 earlier stages of infected programs.\r\nThe infection chain continues after a long delay using a scheduled task mechanism, giving the attackers time to clear the evidence.\r\nInfection Chain\r\nFigure 3: infection chain\r\nInfection chains are similar in most Nitrokod campaigns, starting with the installation of an infected program downloaded from the Web.\r\nOnce the user launches the new software, an actual Google Translate application is installed. In addition, an update file is dropped which starts a series of four droppers until the actual malware is dropped.\r\nAfter the malware is executed, it connects to its C\u0026C server to get a configuration for the XMRig crypto miner and starts the mining activity.\r\nStage 1 – Web Installer\r\nThe initial stage of the campaign begins with downloading one of the Nitrokod infected programs. The “Google Translate Desktop” program is used in this demonstration, but the behaviors are similar in all other infected programs.\r\nFigure 4: hundreds of thousands of downloads according to popular software web sites\r\nGoogleTranslateDesktop.exe is a Windows installer built with Inno Setup, a free tool for packaging and building setup files. 
The installer starts by downloading an encrypted RAR file from hxxp://nitrokod[.]com/download/GoogleTranslateDesktop.rar. As a means of protection against random scans and downloads, the file is only served by the attacker’s server if the user-agent is set to “InnoDownloadPlugin/1.5” (the Inno Setup default user agent). Then GoogleTranslateDesktop2.50.exe is extracted from the RAR file using “asx” as the password.\r\nStage 2 – Installer\r\nThe GoogleTranslateDesktop2.50.exe installer starts by installing the Google Translate application on the following path: “C:\\Program Files (x86)\\Nitrokod\\Google Translate Desktop\\GoogleTranslateDesktop.exe”\r\nAfter installation, the installer checks if an update.exe file exists on the following path: “C:\\ProgramData\\Nitrokod”. If the file does not exist or the file version is not 1.0.7.0, the 3rd stage dropper update.exe is dropped. To maintain persistence, a scheduled task is set to start the updater at every system startup.\r\nFinally, the installer sends a Post Install message to the Nitrokod domain with some information on the infected machine. All the details are sent as arguments of an HTTP GET request, as shown below:\r\nFigure 5: Post install message\r\nStage 3 – Delayed Dropper\r\nThe stage 3 dropper (update.exe) is programmed to run at least five days after the installation time. It does so by maintaining two registry keys:\r\n“HKCU\\Software\\Update\\D” – stores the last run date.\r\n“HKCU\\Software\\Update\\S” – acts as a counter.\r\nEach time the updater is executed (on every system startup), it checks if the last execution date is equal to the current date. If not, the counter is incremented by one. 
Once the counter hits the value 4, the 4th stage dropper chainlink1.07.exe is extracted from another encrypted RAR file. In reality, this operation requires at least four restarts on four different days, which would often translate into at least several weeks of normal user usage. This mechanism is also a great way to avoid sandbox detection, since sandboxes do not run over several days and multiple restarts.\r\nStage 4 – Scheduled Tasks and Log clearing\r\nThe 4th stage dropper is in charge of creating four different scheduled tasks.\r\nTask Name | Description | Runs every\r\nInstallService\\1 | Drop an encrypted RAR file via Wget | 15d\r\nInstallService\\2 | Extract Dropper 5 from RAR file | 2d\r\nInstallService\\3 | Run Dropper 5 | 1d\r\nInstallService\\4 | Clear system logs | 3d\r\nAfter creating all the tasks listed above, stage 4 clears all system logs using the PowerShell command Clear-EventLog. Then stages 3 and 4 self-delete.\r\nAt this point, all related files and evidence are deleted and the next stage of the infection chain will continue after 15 days via the Windows utility schtasks.exe. This way, the first stages of the campaign are separated from the ones that follow, making it very hard to trace the source of the infection chain and block the initial infected applications.\r\nAfter 15 days, an encrypted RAR file is downloaded from intelserviceupdate[.]com via the first scheduled task. The next day, the file is decompressed via the second scheduled task and the stage 5 file is extracted. One day later, the stage 5 file is executed by the third task.\r\nStage 5 – VM tests with Firewall and Defender Exclusions\r\nThe stage 5 dropper starts by checking if certain programs are installed on the infected machine. 
First, it checks against a list of known virtual machine processes and then against a list of mainly security products. If one of the programs is found, the program exits.\r\nFigure 6: ISINSTALL function\r\nThen a firewall rule is added to allow incoming network connections for a program that will be dropped in the following stage, named nniawsoykfo.exe.\r\nFigure 7: Firewall added rule\r\nNext, Windows Defender exclusions are added for the following paths:\r\nTemp folder\r\nC:\\system32\\nniawsoykfo.exe – the file is dropped in the next stage.\r\nC:\\system32\\powermanager.exe – the file is dropped in the next stage.\r\nFinally, the program drops the last dropper (stage 6) nniawsoykfo1.8.exe from an encrypted RAR file and executes it.\r\nStage 6 – Miner dropper\r\nThe stage 6 dropper is in charge of dropping the following three files:\r\nPowermanager.exe – The malware controlling the miner.\r\nnniawsoykfo.exe – XMRig crypto miner.\r\nWinRing0.sys – part of XMRig.\r\nTo maintain persistence, a scheduled task is set to start the malware (powermanager.exe) every day.\r\nStage 7 – Cryptomining Malware – powermanager.exe\r\nOn the next day, the malware is executed by the above scheduled task. The malware enumerates all the security products installed on the infected machine. Next, it determines if the infected machine platform is a desktop or a laptop. 
For desktop detection, the malware makes the following three checks:\r\nNo battery status.\r\nThe RAM type is not SODIMM (enum 12), which is used in laptops.\r\nThe system type is 1 (Desktop).\r\nFigure 8: identify platform\r\nAfter that, the bot connects to its C\u0026C server nvidiacenter[.]com and sends the following data in JSON format over an HTTP POST request:\r\nKey | Value\r\nidle_minute | Last user event in minutes.\r\npc_time | Time on the infected machine.\r\nAntivirus | List of all security products on the infected machine.\r\nup_minute | Minutes passed since last startup.\r\nversion | The version of the “Powermanager.exe” malware.\r\nxmrig_version | The version of XMRig.\r\nGuid | The infected machine GUID.\r\ncore | Number of processor cores.\r\nmachine_id | A generated identifier of the infected machine.\r\nreference | The value of the “SOFTWARE\\Microsoft\\Update\\reference” registry key.\r\nThe data is then encoded by the following steps:\r\n1. Convert the JSON to a string.\r\n2. Reverse the string.\r\n3. Encode the string with base64.\r\n4. Reverse the encoded string.\r\n5. Encode the string again with base64.\r\nThe C\u0026C response is decoded the same way it was encoded, but in reverse. 
The response contains instructions for controlling the malware and the XMRig miner, as shown below:\r\nabort | Should the malware continue to run or abort.\r\nrules | A set of conditions for when to run the miner, on what platform and how much CPU to use.\r\nserver_time | The server time.\r\ncommand_line | The command line arguments passed to the XMRig crypto miner.\r\nrefresh_minute | The next time to connect to the C\u0026C, in minutes.\r\nexcluding_process | A list of program names. If one of them is running, the malware should exit.\r\nCheck Point’s XDR (Extended Detection and Response)\r\nCPR detected this new crypto miner malware campaign using Check Point’s Infinity XDR (Extended Detection and Response) platform, a prevention-focused XDR solution. This tool allows SOC teams to quickly detect, investigate, and respond to attacks across their entire IT infrastructure. It identifies threats inside the organization and prevents their expansion by leveraging data correlated from all products, including Endpoint, Network, Web security, and so on.\r\nXDR has multiple behavioral detections that can find the stealthiest threats. 
In this case, the malware was using multiple evasion techniques like masquerading as known applications, using scheduled tasks instead of direct actions, and spacing its activities over a long period of time.\r\nXDR was able to detect and respond to every individual malware action, follow up over time and correlate all the singular detections from endpoints and network into one single attack, raise the confidence to a point that allows automatic response from all relevant devices, and prevent it from happening to other machines in the network.\r\nXDR prevention capabilities extend to all Check Point devices and products, allowing it to take actions like removing malicious files from the endpoints, and adding indicators of compromise for all files, URLs, domain addresses and IPs to be blocked by endpoints, gateways and mobiles.\r\nXDR’s unique Prevention-first approach significantly improves customers’ overall security posture while detecting unknown zero-day threats. 
It detects and stops attacks by combining advanced threat prevention powered by AI-based analytics, big-data threat intelligence, multi-layered incident analysis, machine learning, and enterprise-wide visibility into the customer’s network, cloud, email and endpoint, all from a single pane of glass.\r\n*Check Point’s XDR is at early availability stage and will become generally available in the coming months.\r\nTimeline of attack and Check Point’s XDR detection\r\nScreenshot from Check Point’s Infinity XDR\r\nCheck Point protections:\r\nCheck Point Harmony Endpoint:\r\nWin.Nitrokod.A\r\nWin.Nitrokod.B\r\nWin.Nitrokod.C\r\nRemediation:\r\nTo clean an infected machine, follow these steps.\r\n1. Remove the following files in system32:\r\nAny file starting with chainlink.\r\nnniawsoykfo.exe\r\npowermanager.exe\r\n2. Remove the updater.\r\nRemove the folder C:\\ProgramData\\Nitrokod.\r\n3. Remove the malicious scheduled tasks:\r\nInstallService\\1\r\nInstallService\\2\r\nInstallService\\3\r\nInstallService\\4\r\nIOC\r\nDomain:\r\nNitrokod[.]com\r\nIntelserviceupdate[.]com\r\nnvidiacenter[.]com\r\nMD5\r\nabe0fb9cd0a6c72b280d15f62e09c776\r\na3d1702ada15ef384d1c8b2994b0cf2e\r\n668f228c2b2ff54b4f960f7d23cb4737\r\n017781535bdbe116740b6e569657eedf\r\n0cabd67c69355be4b17b0b8a57a9a53c\r\n27d32f245aaae58c1caa52b349bed6fb\r\nSummary:\r\nIn this article, Check Point Research analyzed a new Turkish crypto miner campaign, called Nitrokod, which has attacked thousands of victims globally. 
The malware is easily dropped from software found in top Google search results for legitimate applications.\r\nThe malware is dropped from applications that are popular but don’t have an actual desktop version, such as Google Translate, keeping the malware versions in demand and exclusive.\r\nThe malware drops almost a month after the infection, following other stages that drop files, making it very hard to trace back to the initial stage.\r\nSource: https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://research.checkpoint.com/2022/check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications"
	],
	"report_names": [
		"check-point-research-detects-crypto-miner-malware-disguised-as-google-translate-desktop-and-other-legitimate-applications"
	],
	"threat_actors": [],
	"ts_created_at": 1775791275,
	"ts_updated_at": 1775791337,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/639249cf517826c6844f9db1c734efe392134b4a.pdf",
		"text": "https://archive.orkl.eu/639249cf517826c6844f9db1c734efe392134b4a.txt",
		"img": "https://archive.orkl.eu/639249cf517826c6844f9db1c734efe392134b4a.jpg"
	}
}