{
	"id": "1df5a56f-f7b6-4bc9-9922-8696e22dc4ae",
	"created_at": "2026-04-06T00:22:17.026172Z",
	"updated_at": "2026-04-10T03:21:18.192522Z",
	"deleted_at": null,
	"sha1_hash": "8f5bfd9c908251395d3dad2c69abc2b739747f76",
	"title": "A Malware that Mimics Pirated Software Sites | Zscaler",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2532047,
	"plain_text": "A Malware that Mimics Pirated Software Sites | Zscaler\r\nBy Mitesh Wani, Kaivalya Khursale\r\nPublished: 2022-08-23 · Archived: 2026-04-05 14:23:57 UTC\r\nSummary:\r\nThreat actors distributing infostealers are gaining momentum by targeting victims seeking to illegally download pirated software. Because obtaining and using pirated software is against the law, many people who do it suspend the scrutiny they would normally apply to the source of a download. As a result, victims across the world are paying for a single bad decision with their private information.\r\nThis post describes the techniques used to distribute these threats and walks through the infection chain of two different examples to show how the malware developers operate and which current techniques they use to avoid detection.\r\nIntroduction:\r\nIt has been over 20 years since the launch of Napster taught the internet how to get and share digital content online, and nearly two decades since the resilient Pirate Bay torrent site began enabling visitors to find and download stolen media and unlocked or ‘cracked’ versions of software. All these years later, in spite of many lawsuits and injunctions, it is still extremely common for people to download pirated software from shady shareware sites instead of buying licenses, even for noncommercial use. Today, sites hosting cracked software such as Microsoft Office and Windows installers routinely appear in indexed Google search results and ad banners.\r\nRecently, Zscaler ThreatLabz researchers discovered multiple ongoing threat campaigns distributing info-stealer malware by targeting victims trying to download pirated software applications. The screenshot in Fig. 1 shows Google search results featuring these fake sites that look just like the real pirate hosting sites. 
Part of what makes this type of threat so successful is that it targets people engaged in an illegal yet common activity; many of them cannot tell one makeshift pop-up site peddling illegal software downloads from another one hosting malware downloads. The sections that follow provide a detailed technical analysis of two different active infostealer infection chains that fall into this category.\r\nhttps://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download\r\nPage 1 of 20\n\nFig 1. Fake shareware sites indexed on Google search\r\nTechnical Analysis Case 1\r\nStage 1: Redirection and Infostealer Malware Distribution\r\nWhen users visit fake shareware sites and click to download, they are sent through multiple redirects that obscure the process from search engines, scanners, and the victims themselves, and finally land on a malicious site hosting the threat actor’s intended content, in this case an infostealer like the one featured in Fig 2 below. While this process would raise eyebrows on a verified site, visitors to these back-channel sites may assume that the sleight-of-hand is a normal part of how shareware sites operate.\r\nFig 2. Infection vector\r\nAfter arriving at the final destination and finishing the download, the final payload received in this sample is a zip archive file.\r\nFig 3. Web directory containing thousands of malware-laced zip files\r\nThe malware distribution pattern our researchers observed is not consistent; we also found that trusted sites such as Mediafire, as shown in Fig. 4 below, and Discord are being used to host malware in several different campaigns.\r\nFig 4. Redirected landing phishing page\r\nStage 2: Loader\r\nThe downloaded file is a compressed archive that contains a password-protected zip archive and a text file purporting to contain the password.\r\nFig 5. Password and Archive file\r\nThe password-protected zip file in turn contains a zip file named setup.zip of size 1.3 MB. Extracting that archive reveals an executable just over 600 MB in size, padded with 0x20 and 0x00 bytes, as shown in Fig. 5 below.\r\nFig 5. File padded with irrelevant bytes\r\nThreatLabz researchers found that the padded bytes are irrelevant to running the sample and concluded that the threat actor added them to evade detection by security engines, a common trick because many scanners skip files above a size threshold. The file also contains anti-VM and anti-debug checks. Dumping the process from memory removes the irrelevant bytes and brings the file size in this sample down from 600 MB to 78 KB, as shown in Fig 6 below.\r\nFig 6: Actual file size after dumping the process\r\nOnce the file is executed it spawns an encoded PowerShell command that launches a cmd.exe process with a timeout of 10 seconds. The timeout is there to outlast automated sandbox analysis; the command then deletes the original loader from disk. The decoded PowerShell command looks like this:\r\n(Start-Sleep -s 10; Remove-Item -Path \"C:\\Users\\User\\Desktop\\Setupfinal.exe\" -Force)\r\nOnce the timeout period is over the loader connects to the remote server and requests a jpg file named ‘windows.decoder.manager.form.fallout15_Uwifqzjw.jpg’, as shown in Fig. 7 below.\r\nFig 7: Loader downloading requested jpg file from the remote server\r\nThe downloaded jpg file looks encrypted, but opening it in an editor reveals that the contents are simply stored in reverse byte order; once the loader reverses them, the result is a DLL file.\r\nStage 3: RedLine Stealer\r\nThe DLL payload is a RedLine Stealer sample obfuscated with a crypter. The loader loads the DLL into memory and transfers execution to it by replacing the current thread context.\r\nThis RedLine Stealer sample is designed to steal stored browser passwords, browser history, autocomplete data including credit card information, and cryptocurrency files and wallets. The consequences for an unsuspecting victim trying to save money on a program they may barely intend to use can be severe: financial losses, identity theft, and other forms of fraud and extortion.\r\nTechnical Analysis Case 2\r\nThreatLabz researchers also observed fake shareware sites distributing instances of the RecordBreaker Stealer malware. These samples are delivered without the use of any legitimate file-hosting service and are instead wrapped in commercial packers such as Themida, VMProtect, and MPRESS; Fig. 8 below shows a sample packed with Themida.\r\nFig 8: Files packed with Themida/VMprotect\r\nMalware authors typically use packers and protectors for compression and to wrap the software in an extra layer of disguised code to evade detection. 
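The Case 1 loader relies on three simple tricks described above: oversizing the executable with trailing 0x20/0x00 padding, storing the stage-2 DLL byte-reversed inside a '.jpg', and hiding the self-delete in a PowerShell -EncodedCommand blob. The following Python is an added example written for this page, not Zscaler's tooling; it strips the padding and hashes what remains (so the hash is stable even if the padding length changes per download), recognises a reversed PE by checking the MZ and PE signatures after reversal, and decodes the PowerShell blob. The sample it runs on is constructed inside the block: the PE header is a minimal stand-in and the payload bytes and file names are made up for the demo.

```python
import base64
import hashlib
import struct

PAD_BYTES = frozenset([0x00, 0x20])   # the two filler values seen in the sample


def strip_trailing_padding(data, pad_bytes=PAD_BYTES):
    '''Return (payload, padding_len): data with its trailing run of filler
    bytes removed. Only the trailing run is touched, so a legitimate 0x00 or
    0x20 inside the executable is never cut away.'''
    end = len(data)
    while end > 0 and data[end - 1] in pad_bytes:
        end -= 1
    return data[:end], len(data) - end


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def is_pe(data):
    '''MZ at offset 0 and the PE signature at e_lfanew (the DWORD at 0x3C).'''
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b'PE' + bytes(2)


def looks_like_reversed_pe(data):
    '''The stage-2 jpg is a DLL written back to front: the file ends in ZM and
    the real header only appears once the bytes are reversed.'''
    return not is_pe(data) and is_pe(data[::-1])


def decode_encoded_command(blob):
    '''powershell.exe -EncodedCommand carries base64 of the UTF-16LE script.'''
    return base64.b64decode(blob).decode('utf-16-le')


def build_constructed_sample():
    '''Constructed stand-ins for the three artefacts (not the real malware).'''
    header = bytearray(0x44)
    header[0:2] = b'MZ'
    struct.pack_into('<I', header, 0x3C, 0x40)      # e_lfanew -> 0x40
    header[0x40:0x44] = b'PE' + bytes(2)
    exe = bytes(header) + b'stage-1 loader code'
    padded_exe = exe + bytes([0x20, 0x00]) * 5000   # 10 000 filler bytes appended
    reversed_jpg = (bytes(header) + b'stage-2 dll code')[::-1]
    script = ('Start-Sleep -s 10; Remove-Item -Path ' +
              chr(92).join(['C:', 'Users', 'User', 'Desktop', 'Setupfinal.exe']) +
              ' -Force')
    encoded = base64.b64encode(script.encode('utf-16-le')).decode('ascii')
    return padded_exe, reversed_jpg, encoded


def triage(padded_exe, reversed_jpg, encoded_cmd):
    '''Run all three checks and return the facts an analyst would record.'''
    payload, pad_len = strip_trailing_padding(padded_exe)
    return {
        'padding_bytes': pad_len,
        'payload_size': len(payload),
        'payload_is_pe': is_pe(payload),
        'payload_sha256': sha256_hex(payload),
        'jpg_is_reversed_pe': looks_like_reversed_pe(reversed_jpg),
        'decoded_command': decode_encoded_command(encoded_cmd),
    }


if __name__ == '__main__':
    for key, value in triage(*build_constructed_sample()).items():
        print(key, '=', value)
```

On a real sample, feed the file bytes to strip_trailing_padding() and is_pe() directly; the padding count and the hash of the stripped payload are the indicators worth keeping, since the padded file's own hash changes whenever the actor varies the filler length.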
Packers are also growing in popularity for the anti-VM and anti-debugging techniques they offer, which let the malware recognise analysis environments and security tools and refuse to run under them, as shown in the screenshots in Fig. 9-10 below.\r\nFig 9: API calls used for anti-debugging techniques using FindWindow API\r\nFig 10: Message box displayed to close security tools\r\nAfter execution, the malware in this sample contacts the C2 server and sends the machine ID and config ID before downloading the libraries it needs from the remote server.\r\nFig 11: Communication with C2 server\r\nThe examined instance of RecordBreaker is designed to steal data from browser extensions, mostly cryptocurrency wallets, including MetaMask, TronLink, BinanceChain, Ronin, MetaX, XDEFI, WavesKeeper, Solflare, Rabby, CyanoWallet, Coinbase, AuroWallet, KHC, TezBox, Coin98, Temple, ICONex, Sollet, CloverWallet, PolymeshWallet, NeoLine, Keplr, TerraStation, Liquality, SaturnWallet, GuildWallet, Phantom, Brave, MEW_CX, TON, and Goby. The extensions are identified by Chrome extension IDs supplied by the C2 server, like the examples shown below. 
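Because the stealer picks its targets by Chrome extension ID, a defender can turn the same IDs around and inventory which hosts carry a targeted wallet. The following Python is an added example for this page, not part of the Zscaler post: it parses a handful of entries in the id;(name) format of the list that follows, deduplicates them (the list repeats several IDs), and checks a Chromium-style profile directory (Extensions/<id>/<version>/manifest.json) for matches. The profile it scans is a constructed temporary directory built by build_demo_profile(); point find_targeted_extensions() at a real profile path to use it for hunting.

```python
import json
import os
import tempfile

# Entries copied from the C2-supplied list on this page, in its id;(name)
# format. The repeat is intentional: the list itself repeats several IDs.
TARGET_LIST = [
    'ejbalbakoplchlghecdalmeeeajnimhm;(MetaMask)',
    'nkbihfbeogaeaoehlefnkodbefgpgknn;(MetaMask)',
    'ibnejdfjmmkpcnlpebklmnkoeoihofec;(TronLink)',
    'fnjhmkhhmkbjkkabndcnnogagogbneec;(Ronin)',
    'bfnaelmomeimhlpmgjnjophhpkkoljpa;(Phantom)',
    'hnfanknocfeofbddgcijnmhnfnkdnaad;(Coinbase)',
    'ibnejdfjmmkpcnlpebklmnkoeoihofec;(TronLink)',
]
ID_ALPHABET = frozenset('abcdefghijklmnop')   # Web Store IDs are 32 chars of a-p


def parse_target_list(lines):
    '''Map extension ID -> wallet name, dropping duplicates and malformed lines.'''
    targets = {}
    for line in lines:
        line = line.strip()
        if ';' not in line:
            continue
        ext_id, name = line.split(';', 1)
        ext_id = ext_id.strip().lower()
        if len(ext_id) != 32 or not set(ext_id) <= ID_ALPHABET:
            continue
        targets.setdefault(ext_id, name.strip().strip('()'))
    return targets


def installed_extensions(profile_dir):
    '''Yield (ext_id, name) for each <profile>/Extensions/<id>/<version>/manifest.json.'''
    ext_root = os.path.join(profile_dir, 'Extensions')
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        name = None
        for version in sorted(os.listdir(ext_dir)):
            manifest = os.path.join(ext_dir, version, 'manifest.json')
            if os.path.isfile(manifest):
                with open(manifest, encoding='utf-8') as fh:
                    name = json.load(fh).get('name')
                break
        yield ext_id.lower(), name


def find_targeted_extensions(profile_dir, targets):
    '''Return [(ext_id, wallet_name)] for installed extensions on the target list.'''
    return [(ext_id, targets[ext_id])
            for ext_id, _name in installed_extensions(profile_dir)
            if ext_id in targets]


def build_demo_profile():
    '''Constructed Chromium-style profile: one targeted wallet, one benign extension.'''
    root = tempfile.mkdtemp(prefix='demo-profile-')
    for ext_id, name in [('nkbihfbeogaeaoehlefnkodbefgpgknn', 'MetaMask'),
                         ('a' * 32, 'Harmless Notes')]:
        version_dir = os.path.join(root, 'Extensions', ext_id, '1.0.0_0')
        os.makedirs(version_dir)
        with open(os.path.join(version_dir, 'manifest.json'), 'w', encoding='utf-8') as fh:
            json.dump({'name': name, 'version': '1.0.0', 'manifest_version': 3}, fh)
    return root


if __name__ == '__main__':
    hits = find_targeted_extensions(build_demo_profile(), parse_target_list(TARGET_LIST))
    for ext_id, wallet in hits:
        print('targeted wallet present:', wallet, ext_id)
```

A host that reports a hit is not infected, only exposed: the point of the inventory is to know in advance where a RecordBreaker infection would have something to take, so those users can be prioritised for the download-site blocking and credential-rotation steps described later in this post.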
\r\nejbalbakoplchlghecdalmeeeajnimhm;(MetaMask)\r\nibnejdfjmmkpcnlpebklmnkoeoihofec;(TronLink)\r\nfhbohimaelbohpjbbldcngcnapndodjp;(BinanceChain)\r\nfnjhmkhhmkbjkkabndcnnogagogbneec;(Ronin)\r\nkjmoohlgokccodicjjfebfomlbljgfhk;(Ronin)\r\nnkbihfbeogaeaoehlefnkodbefgpgknn;(MetaMask)\r\nmcohilncbfahbmgdjkbpemcciiolgcge;(MetaX)\r\nhmeobnfnfcmdkdcmlblgagmfpfboieaf;(XDEFI)\r\nlpilbniiabackdjcionkobglmddfbcjo;(WavesKeeper)\r\nbhhhlbepdkbapadjdnnojkbgioiodbic;(Solflare)\r\nacmacodkjbdgmoleebolmdjonilkdbch;(Rabby)\r\ndkdedlpgdmmkkfjabffeganieamfklkm;(CyanoWallet)\r\nhnfanknocfeofbddgcijnmhnfnkdnaad;(Coinbase)\r\ncnmamaachppnkjgnildpdmkaakejnhae;(AuroWallet)\r\nhcflpincpppdclinealmandijcmnkbgn;(KHC)\r\nmnfifefkajgofkcjkemidiaecocnkjeh;(TezBox)\r\naeachknmefphepccionboohckonoeemg;(Coin98)\r\nookjlbkiijinhpmnjffcofjonbfbgaoc;(Temple)\r\nflpiciilemghbmfalicajoolhkkenfel;(ICONex)\r\nfhmfendgdocmcbmfikdcogofphimnkno;(Sollet)\r\nnhnkbkgjikgcigadomkphalanndcapjk;(CloverWallet)\r\njojhfeoedkpkglbfimdfabpdfjaoolaf;(PolymeshWallet)\r\ncphhlgmgameodnhkjdmkpanlelnlohao;(NeoLine)\r\ndmkamcknogkgcdfhhbddcghachkejeap;(Keplr)\r\najkhoeiiokighlmdnlakpjfoobnjinie;(TerraStation)\r\naiifbnbfobpmeekipheeijimdpnlpgpp;(TerraStation)\r\nkpfopkelmapcoipemfendmdcghnegimn;(Liquality)\r\nnkddgncdjgjfcddamfgcmfnlhccnimig;(SaturnWallet)\r\nnanjmdknhkinifnkgdcggcfnhdaammmj;(GuildWallet)\r\nbfnaelmomeimhlpmgjnjophhpkkoljpa;(Phantom)\r\nibnejdfjmmkpcnlpebklmnkoeoihofec;(TronLink)\r\nodbfpeeihdkbihmopkbjmoonfanlbfcl;(Brave)\r\nejbalbakoplchlghecdalmeeeajnimhm;(MetaMask)\r\nkjmoohlgokccodicjjfebfomlbljgfhk;(Ronin)\r\nnlbmnnijcnlegkjjpcfjclmcfggfefdm;(MEW_CX)\r\ncgeeodpfagjceefieflmdfphplkenlfk;(TON)\r\njnkelfanjkeadonecabehalmbgpfodjm;(Goby)\r\nnphplpgoakhhjchkkhmiggakijnkhfnd;(TON)\r\nAfter running, the gathered system information and the inventory of installed applications are sent back to the C2 server.\r\nFig 12: Stealing system and installed software information\r\nThis malware can also send screenshots back to the C2 server, as shown in the desktop screenshot below, which was relayed after a transaction.\r\nFig 13: Screenshot sent back to C2 server\r\nRecordBreaker leaves nothing untapped, also collecting cookies from the victim’s different browsers and sending them back to the C2 server, as shown in Fig 14 below.\r\nFig 14: Stealing browser cookies\r\nSample downloaded files\r\n45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nss3.dll\r\n45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/msvcp140.dll\r\n45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/vcruntime140.dll\r\n45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/mozglue.dll\r\n45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/freebl3.dll\r\n45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/softokn3.dll\r\n45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/sqlite3.dll\r\n45.150.67[.]175/aN7jD0qO6kT5bK5bQ4eR8fE1xP7hL2vK/nssdbm3.dll\r\n94.158.244[.]119/U4N9B5X5F5K2A0L4L4T5/84897964387342609301.bin\r\nThe nss3, mozglue, freebl3, softokn3 and nssdbm3 libraries are the Mozilla NSS components, and sqlite3.dll the SQLite engine, that the stealer needs to read Firefox credential and cookie databases; msvcp140 and vcruntime140 are the Visual C++ runtime they depend on. Fetching them from a bare-IP host at runtime, rather than shipping them inside the sample, keeps the initial payload small and is a useful proxy-log detection point.\r\nConclusion:\r\nThis campaign highlights how attackers take advantage of users’ behavior around pirated software to spread infostealer malware and extort victims for financial profit and other gains. 
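The best-practice list below recommends blocking password-protected archives, and the Case 1 delivery chain shows why: the loader arrives as a zip holding a password-protected zip that in turn holds setup.zip. The following Python is an added example for this page, not Zscaler's code. It walks zip local file headers, flags entries whose general-purpose flag bit 0 (the encryption bit) is set, and recurses into stored entries that are themselves zips, which is enough for a gateway policy to block the nesting trick without knowing the password. The archive it scans is constructed in the block with stored (uncompressed) entries only; a production scanner must also handle compressed entries, data descriptors (flag bit 3, where sizes live after the data) and the central directory.

```python
import struct
import zlib

LOCAL_SIG = 0x04034B50          # local file header signature (PK 03 04)
LOCAL_FMT = '<IHHHHHIIIHH'      # the 30-byte fixed part of that header
FLAG_ENCRYPTED = 0x0001         # general-purpose flag bit 0


def stored_entry(name, data, encrypted=False):
    '''One local file header plus its stored (method 0) data. encrypted=True only
    sets the flag bit, which is what a policy scanner keys on; the data is not
    really encrypted in this constructed sample.'''
    name_b = name.encode('utf-8')
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, 0, 0, 0,
                         zlib.crc32(data) & 0xFFFFFFFF, len(data), len(data),
                         len(name_b), 0)
    return header + name_b + data


def scan_local_headers(blob, depth=0, max_depth=4):
    '''Walk consecutive local file headers and return one finding per entry.
    Nested archives stored uncompressed are scanned in place, so a zip-in-zip
    chain is reported together with its depth.'''
    findings = []
    offset = 0
    while offset + 30 <= len(blob):
        fields = struct.unpack_from(LOCAL_FMT, blob, offset)
        sig, _ver, flags, method, _mtime, _mdate, _crc, csize, _usize, fnlen, exlen = fields
        if sig != LOCAL_SIG:
            break                       # reached the central directory or junk
        name = blob[offset + 30:offset + 30 + fnlen].decode('utf-8', 'replace')
        data_start = offset + 30 + fnlen + exlen
        data = blob[data_start:data_start + csize]
        encrypted = bool(flags & FLAG_ENCRYPTED)
        findings.append({'depth': depth, 'name': name,
                         'encrypted': encrypted, 'method': method})
        nested = (not encrypted and method == 0 and depth < max_depth
                  and data[:4] == struct.pack('<I', LOCAL_SIG))
        if nested:
            findings.extend(scan_local_headers(data, depth + 1, max_depth))
        offset = data_start + csize
    return findings


def policy_verdict(findings):
    '''Block if any entry at any depth is password-protected; report nesting too.'''
    reasons = []
    for f in findings:
        if f['encrypted']:
            reasons.append('password-protected entry ' + f['name'] +
                           ' at depth ' + str(f['depth']))
    deepest = max((f['depth'] for f in findings), default=0)
    if deepest > 0:
        reasons.append('archive nested ' + str(deepest) + ' level(s) deep')
    verdict = 'block' if any(f['encrypted'] for f in findings) else 'allow'
    return verdict, reasons


def build_constructed_download():
    '''Mirror the Case 1 layout: outer zip = password note + protected zip,
    where the protected zip carries setup.zip as an encrypted entry.'''
    protected = stored_entry('setup.zip', b'placeholder bytes for setup.zip', encrypted=True)
    return (stored_entry('password.txt', b'archive password: 1234') +
            stored_entry('protected.zip', protected))


if __name__ == '__main__':
    found = scan_local_headers(build_constructed_download())
    for f in found:
        print('  ' * f['depth'] + f['name'], 'encrypted' if f['encrypted'] else 'clear')
    print(policy_verdict(found))
```

The check is deliberately structural: it never needs the password from the accompanying text file, and it fires on the inner archive even when the outer one is clean, which is exactly the shape this campaign uses.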
The campaigns analyzed in this article depend on users visiting and downloading software from unscrupulous websites as the initial infection vector; users can prevent these infections by avoiding this illegal practice and downloading software only from legitimate, trustworthy sources.\r\nBest Practices:\r\nAvoid visiting untrusted sites, including those that host pirated software\r\nDo not install pirated software on your device\r\nEnable a policy to block password-protected archives at the gateway, since the loader arrives inside one\r\nDo not save credentials in the browser\r\nZscaler Cloud Sandbox Detection:\r\nIOCs\r\nThese are the malicious indicators involved in this campaign. MD5s are not listed because the password-protected zip files involved are regenerated with a new MD5 on each download.\r\nMalicious IPs:\r\n45[.]150[.]67[.]175\r\n94[.]158[.]244[.]119\r\n45[.]135[.]134[.]211\r\n194[.]180[.]174[.]180\r\n185[.]250[.]148[.]76\r\n37[.]221[.]67[.]219\r\n45[.]140[.]146[.]169\r\n94[.]140[.]114[.]231\r\n94[.]158[.]244[.]213\r\n45[.]142[.]212[.]100\r\n194[.]180[.]174[.]187\r\n194[.]180[.]174[.]186\r\n135[.]181[.]105[.]89\r\n77[.]91[.]102[.]88\r\n77[.]91[.]103[.]31\r\n94[.]158[.]247[.]24\r\n85[.]239[.]34[.]235\r\n45[.]67[.]34[.]234\r\n45[.]67[.]34[.]238\r\n45[.]142[.]215[.]92\r\n45[.]153[.]230[.]183\r\n45[.]152[.]86[.]98\r\n74[.]119[.]193[.]57\r\n77[.]91[.]74[.]67\r\n146[.]19[.]247[.]28\r\n77[.]91[.]102[.]115\r\n45[.]159[.]251[.]21\r\n146[.]19[.]247[.]52\r\n45[.]142[.]215[.]50\r\n45[.]133[.]216[.]170\r\n193[.]43[.]146[.]22\r\n193[.]43[.]146[.]26\r\n146[.]70[.]124[.]71\r\n193[.]43[.]146[.]17\r\n146[.]19[.]75[.]8\r\n45[.]84[.]0[.]152\r\n45[.]133[.]216[.]249\r\n45[.]67[.]34[.]152\r\n45[.]133[.]216[.]145\r\nFake shareware download sites:\r\nfullcrack4u[.]com\r\nactivationskey[.]org\r\nxproductkey[.]com\r\nsaifcrack[.]com\r\ncrackedpcs[.]com\r\nallcracks[.]org\r\naryancrack[.]com\r\nprolicensekeys[.]com\r\napps-for-pc[.]com\r\nbagas3-1[.]com\r\nseostar2[.]xyz\r\nkeygenwin[.]com\r\ncloud27[.]xyz\r\nallpcsoftwares[.]info\r\ndeepprostore[.]com\r\nserialfull[.]info\r\nsteamunlocked[.]one\r\nfile-store2[.]xyz\r\nreallkeys[.]com\r\nfullcrackedz[.]com\r\nsoftwaresdaily[.]com\r\nofficials-kmspico[.]com\r\nhotbuckers[.]com\r\nmycrackfree[.]com\r\nprocfullcracked[.]com\r\nidmfullcrack[.]info\r\ndrake4[.]xyz\r\ncrackedsofts[.]info\r\ngetintopc[.]digital\r\npiratespc[.]net\r\napxsoftwares[.]com\r\ncrackfullpro[.]com\r\nallcrackhere[.]info\r\nkuyhaa-me[.]pw\r\ncrackplaced[.]com\r\nfreepccrack[.]com\r\nproapkcrack[.]com\r\ncrackfullpc[.]com\r\nFree-4paid[.]com\r\ncrackedlink[.]com\r\ncrackpropc[.]com\r\ncracktube[.]net\r\ngetmacos[.]org\r\ngetwindowsactivator[.]info\r\nplayzipgames[.]co\r\nproactivationkey[.]com\r\nprocrackfree[.]com\r\nshowcrack[.]com\r\nRedirected Malicious NRD (newly registered domain) domains:\r\nfile-store2[.]xyz\r\nseostar2[.]xyz\r\ndrake4[.]xyz\r\ncloud27[.]xyz\r\nkirov1[.]xyz\r\nunixfilesystem2[.]xyz\r\nfile-store4[.]xyz\r\ncloud25[.]xyz\r\nclubfiletyc[.]com\r\nihgatms[.]cfd\r\nnotbeexcluded[.]cfd\r\nandslideasco[.]cfd\r\nsonarsurveyof[.]cfd\r\nbutvelocities[.]cfd\r\nherihed[.]cfd\r\nlargerinscale[.]cfd\r\nitsdebri[.]cfd\r\nlditsdebriisar[.]cfd\r\neeorderso[.]cfd\r\npsestwotothr[.]cfd\r\nuptomscan[.]cfd\r\nfmagnitude[.]cfd\r\nbyasdebrisfie[.]cfd\r\nticlewesimulate[.]cfd\r\nergyfrommo[.]cfd\r\nsup7podthee[.]cfd\r\nheirreplacem[.]cfd\r\nhthecrown[.]cfd\r\nentbymo[.]cfd\r\nctswasprimarilyd[.]cfd\r\nadsharedwi897th[.]cfd\r\nmershadclo[.]cfd\r\naptersandt[.]cfd\r\nnkstherefor[.]cfd\r\niruiotish[.]cfd\r\nitishindia[.]cfd\r\ntheyt786ku[.]cfd\r\ntheritishind[.]cfd\r\nedbythe67ak[.]cfd\r\npanyruld[.]cfd\r\nuslimsofbr[.]cfd\r\nsputrey567rik[.]cfd\r\nshatheg[.]cfd\r\nistanmove[.]cfd\r\nmenhichs[.]cfd\r\nupta16theu[.]cfd\r\nandelect[.]cfd\r\noughtme[.]cfd\r\nionvictoriesin[.]cfd\r\nanwasthere[.]cfd\r\nateofakist[.]cfd\r\negiontheh[.]cfd\r\nahthegha[.]cfd\r\nmayyadc[.]cfd\r\nemodernst[.]cfd\r\nalmofmultiple[.]cfd\r\nofth546ebr[.]cfd\r\nznavidsde[.]cfd\r\nmprisesth[.]cfd\r\nionthatco[.]cfd\r\nonzeage[.]cfd\r\nindush[.]cfd\r\nlow-lyingwh[.]cfd\r\nnalhajarm[.]cfd\r\niesandb[.]cfd\r\nhelandsca[.]cfd\r\ntsofhormuz[.]cfd\r\nrhighest[.]cfd\r\nrategicstrai[.]cfd\r\nundimangen[.]cfd\r\nani453las[.]cfd\r\nanceovarec[.]cfd\r\ndcommerc[.]cfd\r\ncondandthi[.]cfd\r\nresonherse[.]cfd\r\nordsexecutiv[.]cfd\r\noundandk[.]cfd\r\nquezachieve[.]cfd\r\nundertheguid[.]cfd\r\ndomainxnewma[.]com\r\nSource: https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/making-victims-pay-infostealer-malwares-mimick-pirated-software-download"
	],
	"report_names": [
		"making-victims-pay-infostealer-malwares-mimick-pirated-software-download"
	],
	"threat_actors": [],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775791278,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8f5bfd9c908251395d3dad2c69abc2b739747f76.pdf",
		"text": "https://archive.orkl.eu/8f5bfd9c908251395d3dad2c69abc2b739747f76.txt",
		"img": "https://archive.orkl.eu/8f5bfd9c908251395d3dad2c69abc2b739747f76.jpg"
	}
}