{
	"id": "4d3c2c31-fa59-4364-aa7f-200bdc9ac415",
	"created_at": "2026-04-06T00:18:47.008087Z",
	"updated_at": "2026-04-10T03:20:42.937566Z",
	"deleted_at": null,
	"sha1_hash": "a8f1a6e19b923ee8c838828950e0e960e0c2495b",
	"title": "Fake Microsoft Store, Spotify sites spread info-stealing malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2553713,
	"plain_text": "Fake Microsoft Store, Spotify sites spread info-stealing malware\r\nBy Lawrence Abrams\r\nPublished: 2021-04-20 · Archived: 2026-04-05 17:46:28 UTC\r\nAttackers are promoting sites impersonating the Microsoft Store, Spotify, and an online document converter that distribute\r\nmalware to steal credit cards and passwords saved in web browsers.\r\nThe attack was discovered by cybersecurity firm ESET who issued a warning yesterday on Twitter to be on the lookout for\r\nthe malicious campaign.\r\nIn a conversation with Jiri Kropac, ESET's Head of Threat Detection Labs, BleepingComputer learned that the attack is\r\nconducted through malicious advertising that promotes what appears to be legitimate applications.\r\nhttps://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nFor example, one of the advertisements used in this attack promotes an online Chess application, as shown below.\r\nMalicious advertisement promoting a fake Chess app\r\nHowever, when users click on the ad, they are brought to a fake Microsoft Store page for a fake 'xChess 3' online chess\r\napplication, which is automatically downloaded from an Amazon AWS server.\r\nThe downloaded zip file is named 'xChess_v.709.zip' [VirusTotal], which is actually the the 'Ficker', or\r\n'FickerStealer,'  information-stealing malware in disguise, as shown by this Any.Run report created by BleepingComputer.\r\nFake Microsoft Store page distributing the Ficker malware\r\nOther advertisements from this malware campaign pretend to be for Spotify (shown below) or an online document converter.\r\nWhen visited, their landing pages will also automatically download a zip file containing the Ficker malware.\r\nhttps://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/\r\nPage 3 of 5\n\nFake Spotify landing page\r\nOnce a user unzips the file and launches the executable, instead of being greeted by a new online Chess application or the\r\nSpotify software, the Ficker malware will run and begin stealing the data stored on their computer.\r\nWhat is the Ficker malware\r\nFicker is an information-stealing Trojan released on Russian-speaking hacker forums in January when the developer began\r\nrenting out the malware to other threat actors.\r\nIn a forum post, the developer describes the malware's capabilities and allows other threat actors to rent the software from\r\nanyone from one week up to six months.\r\nA forum post marketing the FickerStealer malware\r\nUsing this malware, threat actors can steal saved credentials in web browsers, desktop messaging clients (Pidgin, Steam,\r\nDiscord), and FTP clients.\r\nhttps://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/\r\nPage 4 of 5\n\nIn addition to stealing passwords, the developer claims the malware can steal over fifteen cryptocurrency wallets, steal\r\ndocuments, and take screenshots of the active applications running on victims' computers.\r\nThis information is then compiled into a zip file and transmitted back to the attacker, where they can then extract the data\r\nand use it for other malicious activities.\r\nDue to the Ficker malware's extensive functionality, victims of this campaign should immediately change their online\r\npasswords, check firewalls for suspicious port forwarding rules, and perform a thorough antivirus scan of your computer to\r\ncheck for additional malware.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/\r\nhttps://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/\r\nPage 5 of 5",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/"
	],
	"report_names": [
		"fake-microsoft-store-spotify-sites-spread-info-stealing-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434727,
	"ts_updated_at": 1775791242,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8f1a6e19b923ee8c838828950e0e960e0c2495b.pdf",
		"text": "https://archive.orkl.eu/a8f1a6e19b923ee8c838828950e0e960e0c2495b.txt",
		"img": "https://archive.orkl.eu/a8f1a6e19b923ee8c838828950e0e960e0c2495b.jpg"
	}
}