{
	"id": "39136960-8c61-404e-8f68-a7fd42ccd5ee",
	"created_at": "2026-04-06T02:11:03.934889Z",
	"updated_at": "2026-04-10T03:21:07.063155Z",
	"deleted_at": null,
	"sha1_hash": "e528c54819c724ab0d2b0ffcbc55f96e909011bf",
	"title": "Fake Installers Drop Malware and Open Doors for Opportunistic Attackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 334806,
	"plain_text": "Fake Installers Drop Malware and Open Doors for Opportunistic Attackers\r\nBy Gilbert Sison, Arianne Dela Cruz (1395 words)\r\nPublished: 2021-09-27 · Archived: 2026-04-06 01:28:54 UTC\r\nMalware\r\nWe recently spotted fake installers of popular software being used to deliver bundles of malware onto victims’ devices. These installers are widely used lures that trick users into opening malicious documents or installing unwanted applications.\r\nIt is widely known that with regard to cybersecurity, a user is often identified as the weakest link. This means that they become typical entry vectors for attacks and common social-engineering targets for hackers. Enterprises can also suffer from these individual weak links. Employees are sometimes unaware of online threats, or are unfamiliar with cybersecurity best practices, and attackers know exactly how to take advantage of this gap in security.\r\nOne way that attackers trick users is by luring them with unauthorized apps or installers carrying malicious payloads. We recently spotted some of these fake installers being used to deliver bundles of malware onto victims’ devices. These fake installers are not a new technique used by attackers; in fact, they are old and widely used lures that trick users into opening malicious documents or installing unwanted applications. Some users fall into this trap when they search the internet for free or cracked versions of paid applications. 
\r\nLooking inside the fake installers\r\nWe saw users trying to download cracked versions of non-malicious applications that had limited free versions and paid full versions, specifically, TeamViewer (a remote connectivity and engagement solutions app), VueScan Pro (an app for scanner drivers), Movavi Video Editor (an all-in-one video maker), and Autopano Pro for macOS (an app for automated picture stitching).\r\nOne example that we dive into here involves a user who tried to download an unauthorized version of TeamViewer (an app that has actually been used as camouflage for trojan spyware before). The user downloaded a malicious file disguised as a crack installer for the application.\r\nFigure 1. Malicious files downloaded by user\r\nAfter downloading and executing these files, one of the child processes created other files and the executable setup.exe/setup-installv1.3.exe, which was extracted from 320yea_Teamviewer_15206.zip via WinRAR.exe. This file seems to be the source of most of the downloaded malicious files, as seen in the following figure.\r\nhttps://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html\r\nPage 1 of 6\r\nFigure 2. Unpacking of setup-installv1.3.exe via WinRAR.exe\r\nAfterward, the file aae15d524bc2.exe was dropped and executed via Command Prompt. It then spawned a file, C:\\Users\\{username}\\Documents\\etiKyTN_F_nmvAb2DF0BYeIk.exe, which sequentially initiated the BITS admin download.\r\nBITS admin is a command-line tool that can help monitor progress and create, download, and upload jobs. The tool also allows a user to obtain arbitrary files from the internet, a feature that attackers can abuse.\r\nFigure 3. BITS admin execution detection\r\nWe also observed that information in the browser's credential store was taken by the attacker. 
Specifically, the stored data in C:\\Users\\{username}\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login was copied. Credentials stored in browsers are often critical personal data that could be leveraged by attackers to gain access into personal, business, or financial accounts. Attackers can even compile and sell this information in underground markets.\r\nTo maintain persistence, an executable file was entered in the AutoStart registry and a scheduled task was created:\r\nCreate scheduled task: C:\\Windows\\System32\\schtasks.exe /create /f /sc onlogon /rl highest /tn \"services64\" /tr '\"C:\\Users\\{username}\\AppData\\Roaming\\services64.exe\"'\r\nAutoStart registry: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\prun: C:\\WINDOWS\\PublicGaming\\prun.exe\r\nAs previously mentioned, these cases come about because users search for free applications and trust that someone is going to put the cracked or stolen full version online as a gesture of good will. But as we can see, attackers simply take advantage of those who download these files.\r\nIn Figure 4, we can see that a trojanized VueScan file is already in a Downloads folder and is executed by a legitimate user.\r\nFigure 4. Unpacking of 61193b_VueScan-Pro-974.zip which created a new process\r\nFollowing the execution of setup_x86_x64_install.exe, it created and executed a new file named setup_installer.exe that dropped several files and queried several domains. Most of these domains are malicious, as evidenced in Figure 5.\r\nFigure 5. Dropped malicious files querying several domains\r\nThis malicious payload also exhibits backdoor behavior. We can see that the attackers are listening on these channels: 127.0.0.1:53711 and 127.0.0.1:53713. 
This lets the attacker keep a foothold in the computer; through this, they can possibly move laterally across the network and, if it is an enterprise device, compromise a critical company asset.\r\nThe other fake installers also had similar behavior that exploits users who attempt to download either an unauthorized application cracker/activator or an illegal full version. These infections then create persistence for later access.\r\nHow widespread is the threat?\r\nCamouflaged malicious installers and apps are often used to load malware onto victims’ devices. A few recent examples are widespread fake cryptocurrency-mining applications that took advantage of neophyte cryptominers and fake Covid-19 update apps. In tracking this current batch of fake installers, we were able to detect incidents around the world. We initially do not classify these particular events as targeted attacks, mostly because in all cases the users actively searched for application crackers or unlocked versions of software. But even if these were not initially targeted attacks, they can later lead to opportunistic hacks because the attacker already has a presence in the computer. Aside from loading malware, the attackers can use their initial access to conduct malicious activity, like compromising a company’s virtual private network (VPN). They could even sell the access to other cybercrime gangs, such as ransomware operators. It’s important to stress that attackers use every tool within reach, and even legitimate applications can be weaponized.\r\nFigure 6. Unique detections per region of the indicators of compromise (IOCs) listed in the following. 
The data is sourced from Trend Micro™ Smart Protection Network™ for the month of August.\r\nOf course, we also know that software piracy is prevalent in many regions. From the data in Figure 6, we can surmise that it is still a major threat to security. Users have to be more aware of the threats these illegal installers can hold and implement stricter security practices for installing and executing applications from the internet onto their personal and work devices.\r\nThe global pandemic has pushed users out of offices and into work-from-home (WFH) situations where there are other “physically” connected devices like the internet of things (IoT), personal mobiles, and personal computers that have weak security. These present a problem because malware can quickly spread from personal devices to business computers on the same network.\r\nMalicious capabilities of the fake installers\r\nWe were able to analyze some of the malicious files bundled into the installers. Their capabilities are varied, from cryptocurrency mining to stealing credentials from social media applications. 
We enumerate them in this table:\r\nMalicious file | Actions\r\nTrojan.Win32.MULTDROPEX.A | Main dropper of the malicious file; disguised as cracker/installer of legitimate applications\r\nTrojan.Win32.SOCELARS.D | Gathers information regarding the machine; collects browser information; collects social media information (Instagram and Facebook); collects information from Steam application; drops Google Chrome extension responsible for further stealing of Facebook/credit card/payment credentials\r\nTrojan.Win32.DEALOADER.A | Malware downloader; URL inactive, but based on research possibly another stealer\r\nTrojanSpy.Win32.BROWALL.A | Collects browser information; collects cryptocurrency wallet information\r\nTrojanSpy.Win32.VIDAR.D | Collects browser information; collects credentials\r\nTrojan.Win64.REDLINESTEALER.N | Executes command from remote user; gathers information regarding the machine; collects browser information; collects FTP client information; collects VPN information; collects cryptocurrency wallet information; collects information from other applications (Discord, Steam, Telegram)\r\nCoinminer.MSIL.MALXMR.TIAOODBL | Downloads miner module hosted on Discord; XMR miner; installs persistence via scheduled tasks and AutoRun registry\r\nHow to protect yourself from the threat of malware\r\nAs aforementioned, fake installers are not new, but they are still a widely used delivery system for malware. Attackers are uploading more and more of these files for a simple reason: They work. Users download and execute these installers, and this lets attackers maintain persistence in personal devices and gives them a way into company networks as well. 
\r\nTo combat this threat, it is important for users to be educated on the effects of downloading files from untrusted websites. There are also other security measures to take:\r\nA multilayered security approach is necessary when protecting the environment. If one layer of protection fails, there are still others in place that can prevent the threat.\r\nApplication control will help prevent execution of suspicious files.\r\nRestricting admin rights for users that do not need access is also a good preventive measure.\r\nIndicators of Compromise\r\nFile name | SHA256 | Detection name\r\nsetup-installv1.3.exe | 787939d2fc30c7b6ff6ddb7f4e7f981c2a2bad0788b2f4d858c3bb10186d42f6 | Trojan.Win32.MULTDROPEX\r\nsetup_installer.exe | bdf727b2ac0b42a955c4744bf7768cbb9fa67167321e4fb5639ee5529ccbcfa4 | Trojan.Win32.MULTDROPEX\r\nsetup_install.exe | 97f18d430b68ac9379ecd267492e58734b3c57ffd66615e27ff621ea2bce8e6b | Trojan.Win32.MULTDROPEX\r\n5f9a813bc385231.exe | 9dcacda3913e30cafd92c909648b5bffde14b8e39e6adbfb15628006c0d4d3c2 | Trojan.Win32.SOCELARS.CD\r\nsqlite.dll | 5c41a6b98890b743dd67caa3a186bf248b31eba525bec19896eb7e23666ed872 | TrojanSpy.Win32.SOCELARS\r\nb5203513d7.exe | a5f373f8bcfae3d9f4895c477206de63f66f08e66b413114cf2666bed798eb71 | Coinminer.MSIL.MALXMR.T\r\n5f9a813bc38523010.exe | 8bd8f7a32de3d979cae2f487ad2cc5a495afa1bfb1c740e337c47d1e2196e1f2 | Trojan.Win32.DEALOADER.A\r\naae15d524bc2.exe | 1cdddf182f161ab789edfcc68a0706d0b8412a9ba67a3f918fe60fab270eabff | TrojanSpy.Win32.BROWALL.\r\nbf2e8642ac5.exe | e3c9119e809a1240caaaf4b6d5420352f037cc2585cb321cb746f05ed0ec0e43 | TrojanSpy.Win32.SOCELARS\r\n745d0d3ff9cc2c3.exe | b151ffd0f57b21600a05bb28c5d1f047f423bba9750985ab6c3ffba7a33fa0ff | TrojanSpy.Win32.VIDAR.D\r\n438dc1669.exe | e254914f5f7feb6bf10041e2c705d469bc2b292d709dc944381db5911beb1d9f | Trojan.Win64.REDLINESTEA\r\n1cr.exe | 949eec48613bd1ce5dd05631602e1e1571fa9d6b0034ab1bffe313e923aff29c | TrojanSpy.MSIL.REDLINEST\r\na6168f1f756.exe | c5483b2acbb352dc5c9a811d9616c4519f0e07c13905552be5ec869613ada775 | 
Coinminer.MSIL.MALXMR.T\r\nf65dc44f3b4.exe | dc5bbf1ea15c5235185184007d3e6183c7aaeb51e6684fbd106489af3255a378 | Mal_HPGen-50\r\na070c3838.exe | 9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e | TROJ_GEN.R053C0PHC21\r\nMalicious URLs:\r\nhxxp://fsstoragecloudservice[.]com/data/data[.]7z\r\nhxxp://3[.]128[.]66[.]194/\r\n45[.]14[.]49[.]68\r\nplugnetx[.]com\r\nznegs[.]xyz\r\niryarahara[.]xyz\r\nswiftlaunchx[.]com\r\nbluewavecdn[.]com\r\nsproutfrost[.]com\r\nhxxp://37[.]0[.]11[.]8/\r\nhxxp://52[.]51[.]116[.]220/\r\n195[.]181[.]169[.]68\r\n88[.]99[.]66[.]31\r\nSource: https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html"
	],
	"report_names": [
		"fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441463,
	"ts_updated_at": 1775791267,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e528c54819c724ab0d2b0ffcbc55f96e909011bf.pdf",
		"text": "https://archive.orkl.eu/e528c54819c724ab0d2b0ffcbc55f96e909011bf.txt",
		"img": "https://archive.orkl.eu/e528c54819c724ab0d2b0ffcbc55f96e909011bf.jpg"
	}
}