Archiving programs designed to simplify file storage and transfers have become common tools not only for users but also for attackers. Malicious archives are regularly found in both targeted attacks and ransomware incidents. Attackers mainly use them to bypass security measures, deceive users, and, of course, extract stolen data. This means cybersecurity and IT departments should pay close attention to how archives are handled in operating systems, business applications, and security tools. Let’s now look at how attackers can use archives.

Delivering malware by bypassing “Mark of the Web” warnings

Due to the logical features and vulnerabilities of certain archivers, when unpacked in Windows, the extracted files may not receive the “downloaded from the internet” attribute (Mark of the Web, or MotW). Technically, these attributes are stored in an NTFS alternate data stream: Zone.Identifier. If this identifier points to an external source (ZoneID = 3 or 4), Windows shows a warning when you attempt to run the executable file, and Office automatically opens potentially unsafe documents in Protected View.

By exploiting flaws in archivers, attackers bypass this layer of protection. The most recent vulnerability of this type is CVE-2025-31334 in WinRAR, but there are others: CVE-2025-0411 in 7-Zip, CVE-2024-8811 in WinZip, and more. Note that some archivers don’t support MotW at all, and only apply it to certain file extensions, or only do so when files are unpacked in a certain way. A table comparing MotW support in archivers is available on GitHub.

Automatic malware execution via archiver vulnerabilities

When a user performs a seemingly safe action (like viewing an archive or opening a harmless-looking file within it), under certain conditions the archiver can execute a malicious file or shellcode. A recent example of such a vulnerability was CVE-2024-11477 in the Zstandard algorithm, used by 7-Zip for compression. This flaw hasn’t been seen in real-world attacks yet — unlike CVE-2023-38831 in WinRAR, which was widely exploited by attackers ranging from APT espionage groups to initial access brokers. This WinRAR vulnerability allowed execution of a file from an archive when trying to view an image if the EXE file was placed in a folder with the same name as the image.

In March 2025, a similar defect was discovered in an unusual place — the Vim editor, popular among *nix users. Its standard tar.vim plugin lets users view and edit files directly inside TAR archives. CVE-2025-27423 allowed arbitrary shell command execution when editing a file from a malicious archive.

Server compromise via archive uploads

If an organization has a public web app that can handle archive uploads (such as attaching files to forms), vulnerabilities in archive unpacking can be used to hijack servers. A classic method is Zip Slip, which uses symbolic links in archives to bypass input sanitization and exploit path traversal vulnerabilities to compromise server-side applications.  A list of various ZIP-handling libraries where this vulnerability has been patched (there are over 20 CVEs) is available on GitHub. It’s worth checking out to see how many instances of software can be affected by this flaw.

Even though Zip Slip was first described in 2018, logical flaws in server-side archive unpacking are still common — as seen in this 2025 pentest and the recent vulnerability CVE-2024-12905 in tar-fs.

Bypassing security with corrupted archives

Attackers may intentionally corrupt archive contents so that automated scanners and security tools fail to analyze them fully. However, the victim can still manually recover and open the respective file with minimal effort. A recent example is the exploitation of MS Office’s “document recovery” feature — since Office files are essentially ZIP archives. Security tools and archivers may fail to scan such documents, but Word can restore and open them.

Masking malware with exotic formats

Beyond common formats like ZIP, RAR, and TAR/TAR.GZ, attackers frequently use disk image files (ISO, IMG, VHD), Windows archives (CAB, MSI), and even legacy or obscure archive types: ARJ, ACE, ICE, and others. Security tools often don’t handle these well, while modern universal archivers like WinRAR can still open them.

Disguising malware using the Matryoshka method

Mail scanners and other security tools often have configurable limits to reduce server load (for example, they may skip scanning very large files or nested archives). If an attacker creates a “matryoshka doll” (aka a “Russian doll”), of several nested archives, there’s a higher chance that the innermost archive won’t be automatically scanned in the targeted organization.

Bypassing security tools and tricking users using legitimate archive features

Attackers often combine social engineering and technical tricks to get users to perform desired actions with archives without triggering security alerts. These techniques include the following:

Encrypted archives. A classic trick from the early 2000s, which still works today. The victim receives a password-protected archive, and the password is either sent in a separate email or instant message, or hinted at within the original email itself: “The password is the current year repeated twice”. For example, this method was used in the Emotet malware campaigns.

Self-extracting archives. These were originally useful in the days before archive utilities were built into all operating systems. Today, they allow attackers to easily install malware by bundling all the necessary components into a single file. For instance, the NeedleDropper attack used a self-extracting archive to extract a popular legitimate tool, AutoIT, along with malicious AutoIT scripts, which were then executed. The attacker simply needs to trick the victim into running the archive.

A combination of the above. Some attacks use self-extracting archives that, once executed, unpack a password-protected inner archive. Technically, this password is stored within the outer archive, but few security tools can detect it there and use.

Double-extension archives. Another classic is a self-extracting archive with a “.pdf.exe” extension and an Acrobat Reader icon assigned by the archiver. For victims who are not too IT-savvy, these tricks are still convincing.

Multi-volume archives. This function was originally used to split large files across CDs, flash drives and so on. Today, this rarely-used feature is still supported by archivers. Attackers use it to divide malware among volumes, or bypass scanning entirely, as some tools are configured only to scan ZIP or RAR files, but not R01, R02, and so on.

Polyglot files. Attackers can combine different file types into a single one, so, for example, one app opens the file as a PDF and another as a ZIP archive. This works in part because technical ZIP file headers are located at the end of the file, not at the beginning. We recently covered an attack by the Head Mare group, where phishing emails contained a polyglot file made of both a malicious EXE file (with the PhantomPyramid backdoor) and a small, harmless ZIP archive. When clicked normally, it would open as a ZIP, but when launching the shortcut inside, the same polyglot file would execute as an EXE via PowerShell.  Another version of the same method combines two archives in one polyglot file.

Self-extracting archives as launch tools. A more exotic variant — which has been seen in actual attacks — involves self-extracting archives that contain no actual files but include post-extraction commands to launch system tools like PowerShell or CMD, which are common in LotL attacks.

Data exfiltration

Compressing data and encrypting an archive before exiting the attacked network is well documented under MITRE ATT&CK technique T1560. Attackers use all options available: everything from basic archive tools on infected machines to popular archiving libraries built into the malware. In LotL attacks, attackers can combine techniques, using Windows utilities to collect files from other hosts and simultaneously archive them (diantz).

Protective measures when handling archives

These measures should be prioritized and adapted based on the profile of your organization, department, and role.  To protect yourself:

Test your security tools with tricky cases: exotic archive formats, corrupted archives, and polyglot files. If direct testing is difficult, ask your vendor’s tech-support whether these cases are covered. At a minimum, test your mail gateway, NGFW, EDR/XDR solution, and sandbox (if it’s a separate solution). For example, in Kaspersky Secure Mail Gateway, the sandbox is an integral part of the security architecture and prevents most malicious attachments from opening.

Set up safe extraction. Ensure your security solution can scan deeply nested archives and large files. Different tools will vary in this area: while mail filters can thoroughly scan attachments and detonate them in a sandbox, NGFWs will probably just check the reputation of the archive itself and its visible files.  Therefore, deeper analysis should be used on both endpoints and mail gateways, while web filters and NGFWs should apply lighter checks within their limitations. In any case, archives that exceed reasonable analysis capabilities should be blocked or quarantined.

Block dangerous archives. Uploading archives in exotic formats, as well as self-extracting archives, is rarely necessary, so this functionality can be blocked on hosts. Additionally, using trusted application management (apps allowlist, application control), you can prohibit the execution of all archivers except the one or two that are permitted and actually used within the organization. It’s important to analyze the use of built-in OS archiving tools and block those that aren’t used by employees or the IT department. Make sure that none of the approved tools for Windows machines are ones that have no support for Mark-of-the-Web (MotW).

Block automatic mounting of disk images. Although disk images are not exactly archives, attackers use them in similar ways. Usage of disk images should be disabled through group policy for all employees who don’t need it for legitimate business purposes.

Monitor the use of archivers on endpoints. Ensure that your EDR solution and monitoring tools (SIEM, XDR) have rules to help detect suspicious activity related to archives: launching files from temporary folders, launching processes from within an archiver, and so on. Monitoring is also needed to detect data theft attempts indicated by archiving data from network folders, creating password-protected archives, creating very large archives, and so on.

Restrict the use of archives in server-side applications. If uploading archived files is not a critically important business function, it’s better to disable this feature in CMS, CRM, and other online applications. Ensuring its security can be challenging. If archives are required, be sure that the folders where these archives are uploaded are monitored by an EDR agent on the server, that the server application itself is updated regularly, and that the permissions granted to the application don’t allow it to write files to any folders outside its designated directories.

Include archivers and archive-processing applications in your vulnerability management program. Archivers should be updated no less frequently than the operating system and office software.

Train employees. Cybersecurity training for employees should cover phishing as well as general rules for safe handling of archives: pay attention to any pop-ups or unexpected prompts when opening familiar file types (DOC, PDF), only extract archives using the archiving application approved by the company, and if an archive immediately prompts for a password upon clicking the file, don’t extract it under any circumstances and immediately report it to the security team.

Kaspersky official blog – ​Read More

While developing our Security Training Lab educational program, we at ANY.RUN have turned to well-established theories of education, cognitive skill development, and the psychology of learning. Their foundational principles emphasize one critical truth: practice is indispensable for mastering complex skills.  

In the field of cybersecurity—especially in malware analysis—the ability to apply theoretical knowledge in real-world scenarios is what separates competent professionals from novices. Inspired by this understanding, we designed the Security Training Lab to bridge the gap between classroom theory and the practical demands of the cybersecurity industry. Students, we believe, are to be equipped to tackle real threats from day one. 

As a malware analysis solutions developer, ANY.RUN has all the resources and capabilities to provide the audience of its educational program with as much practice as it’s ready to digest.  

How Security Training Lab Offers Practice-Oriented Training 

Of course, nobody is going to toss future malware analysts in at the deep end unprepared and watch them flounder in a lake of real cyber threats. Security Training Lab is based on 30 hours of academic content including texts and video lectures.

The program includes modules on:

• Advanced static and dynamic malware analysis
• Study of malware behavior, malicious scripts, files, and macros
• The basics of encryption  

Interactive tasks and tests appear at the end of each module and in the final exam. But real-world examples of detonated, dissected, and analyzed malware run through the entirety of learning material encouraging trainees to find an example or perform a task of their own, to practice their newly acquired skills.

How Security Training Lab Benefits Universities

The emphasis on applicable knowledge and practical experience are not the only features of the Security Training Lab valuable for educational organizations. As a ready-made, expert-supported solution, it offers universities the following benefits:  

• No setup hassle: full access to ANY.RUN’s Interactive Sandbox for instructors and students. The course is available and ready for use on the Seturon platform. There is no need to set up complex environments or worry about local security.

• Up-to-date: based on the latest malware samples, techniques, and real-world scenarios, keeping the curriculum relevant. 

• Scalable for classrooms and remote learners: supports self-paced, instructor-led, and hybrid learning formats. 

• Built-in analytics: instructors can track progress and assess students’ practical skills. 

The Key to Effective Learning: Interactive Sandbox 

Students don’t just read about malicious scripts, ransomware, or phishing kits—they dissect them. Through ANY.RUN’s Interactive Sandbox, they gain full access to a virtualized environment where they can upload, execute, and analyze live threats. 

They also gain access to a repository of malware samples submitted by ANY.RUN’s user community of more than 500,000 cybersecurity professionals. These users (including 15,000 corporate SOC teams that face the most current and dangerous threats) leave public reports on their analysis sessions that students can explore and analyze of their own.

All students of the Security Training Lab have an unlimited access to the Sandbox, so they can go far beyond examples and tasks in the program. 

For example, a student might analyze a phishing link disguised as a legitimate URL, interact with it in the sandbox, and observe how it attempts to steal credentials or deploy secondary malware. Another might de-obfuscate a malicious script, uncovering its hidden payload step-by-step.

These exercises simulate the real-life scenarios analysts face — whether it’s investigating a targeted attack on a corporate network or responding to a widespread malware campaign. By engaging with authentic samples, students learn to recognize patterns, anticipate attacker tactics, and develop effective mitigation strategies. 

A Dive into Practice: Full Scope of Tools 

Of course, the hands-on part of the Security Training Lab curriculum is not based solely on ANY.RUN’s tools.

A malware analysis expert is to employ an arsenal of instruments, so it’s vital for the students to start acquainting with them early and intensely.

Conclusion  

The cybersecurity industry is experiencing a global talent shortage, particularly in skilled threat researchers and malware analysts. With the Security Training Lab, we help to address this gap by providing a practice-first, job-relevant learning experience. 

Through hands-on training with real malware samples and simulations of workplace challenges, we’re preparing students not just to understand cyber threats, but to defeat them.  

By integrating ANY.RUN’s course into the academic program, universities meet the challenges of offering a competitive educational product, answering to the market urges, and providing their students with the most promising career opportunities.  

For Universities: Contact ANY.RUN to integrate Security Training Lab in your curriculum 

About ANY.RUN

ANY.RUN supports over 15,000 organizations across numerous industries, including banking, manufacturing, and healthcare. Our interactive malware analysis and threat intelligence tools allow companies and SOC teams to speed up their threat investigations, ensure proactive security, and build stronger and more resilient operations.

The post Why Practice Is Key to Training Top Malware Analysts and How ANY.RUN Supports It appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

At ANY.RUN, we love hearing about clients’ experiences. Quality feedback helps us improve and gives new and existing users a clearer understanding of our tools in actual security scenarios. 

That’s why when we spoke with Augustin Alexandrovici, who leads Cyber Intelligence Operations at Expertware, we knew we had to share our conversation.  

Check out the highlights to see how a Managed Security Service Provider employs ANY.RUN in its operations. 

Company Overview 

Expertware is a leading IT consultancy with over 18 years of experience, specializing in cybersecurity and Security Operations Center (SOC) services. With a dedicated team of over 30 cyber experts, we can seamlessly build or extend internal teams to address evolving threats and ensure robust protection for businesses. 

Our expertise spans AI and machine learning, full-stack development, IT architecture, and business optimization. Having completed over 500 successful projects for leading European clients across industries such as banking, insurance, retail, telecom, and more, we deliver innovative, high-impact solutions that foster growth and resilience. 

What Made Expertware Look for a Malware Sandbox 

We started looking for a sandbox, because we wanted to offer to our customers an in-depth view of security incidents targeting their IT Infrastructure. 

Before, we had to manually set up reverse-engineering environments, which was a time-consuming process. The extra steps required slowed down our ability to analyze and respond to malware threats in an efficient way. 

We also wanted to improve the average turnaround time for malware investigations to make operations faster and be able to process more threats.  

Another challenge we sought to address was the limited visibility into attacks. We needed a solution that would present us with an intuitive and streamlined view of threats’ entire kill chain. 

With all of these taken into consideration, ANY.RUN’s sandbox became our choice. 

ANY.RUN has enabled us to actually interact with malicious files on the fly, which saves us from risky manual setups and cuts down on the resources we allocate to daily tasks

One of the main factors behind our decision was the interactivity. It instantly solved the problem of building and maintaining our custom VMs for malware analysis. ANY.RUN has enabled us to actually interact with malicious files on the fly, which saves us from risky manual setups and cuts down on the resources we allocate to daily tasks. 

How Expertware Use ANY.RUN 

Our organization has been using ANY.RUN for over a year. Initially, we started with a proof of concept (POC) phase to see how it would fit into our SOC workflow, and we found it very effective, so we fully integrated it soon afterwards. 

Now we use all the core products provided by ANY.RUN: the Interactive Sandbox, TI Feeds, and Threat Intelligence Lookup complementing and enriching our SIEMBIOT cyber security. Our team relies on them for malware analysis, dynamic execution of files, and rapid threat intelligence analysis. 

We use the sandbox specifically for: 

• Malware Investigations: We submit suspicious files for dynamic analysis to observe malicious behavior, network indicators, and potential dropper actions. 

• Phishing Analysis: We examine advanced phishing campaigns to see how attachments or malicious scripts are executed within a controlled environment. 

• Indicator Extraction and Mapping: We extract IOCs, map the full scope of the attack to the MITRE ATT&CK framework, and quickly integrate them into our threat intelligence feeds and detection systems. 

• Training & Collaboration: We share interactive reports across the SOC and Incident Response teams to facilitate collaborative analysis and help junior analysts develop their skills. 

Examples of Cyber Threats ANY.RUN Helps Address 

At Expertware, we routinely confront threats like advanced infostealers (e.g., RedLine, Raccoon Stealer), persistent backdoors (like NanoCore or Remcos), and botnet malware (such as Emotet). ANY.RUN’s Interactive Sandbox and real-time analysis tools are invaluable in helping us quickly detect, investigate, and neutralize these evolving threats. 

Notable Use Case: XLoader Phishing Attack 

One notable case involved a highly obfuscated phishing campaign distributing XLoader malware in a multi-stage infection chain. Initially, the malicious attachment was a seemingly benign Microsoft Office document containing VBA macros. Once the macro was enabled, it executed a PowerShell command that retrieved additional payloads from a remote server.

This was followed by fileless techniques, such as reflective loading of DLLs directly into memory, making static detection difficult. When we ran the sample in ANY.RUN’s Interactive Sandbox, we could manually walk through each stage of the infection process. Specifically: 

1. Macro Execution: We triggered the VBA macro inside the sandbox, capturing real-time logs of spawned processes (e.g., powershell.exe) and network connections. 

2. Decoding the PowerShell Script: The script was obfuscated using string concatenation and base64 encoding. ANY.RUN’s interactive approach lets us step through and decode the script in real time, exposing the URLs used for Command & Control. 

3. Memory Analysis: By pausing and resuming processes, we pinpointed the exact moment the additional payload was written directly to memory. This was crucial in revealing the second-stage DLL that XLoader injected, bypassing traditional on-disk detection. 

4. Network Traffic Inspection: We observed the malware connecting to its C2 infrastructure, sending beacon requests with system reconnaissance data. ANY.RUN’s detailed packet capture allowed us to extract and analyze these indicators (e.g., domain names, IP addresses, and request parameters). 

5. Persistence Mechanisms: XLoader used several registry-based techniques to maintain persistence. We tracked registry changes within the sandbox session, which helped us craft custom detection rules in our SIEM and endpoint solutions. 

Without the ability to dynamically interact with the malware (e.g., clicking through the macros, responding to execution prompts, and examining in-memory behavior), many of these steps would have remained hidden, especially given the extensive use of fileless and obfuscation techniques. ANY.RUN gave us the granularity to uncover each stage, correlate events, and produce comprehensive IOCs to better protect our environment and inform our incident response. 

In short, ANY.RUN’s interactive approach was critical in dissecting this complex multi-stage XLoader campaign and swiftly mitigating its impact across our network. 

Security and Operational Improvements After Adopting ANY.RUN 

With ANY.RUN, our malware investigation and IOC extraction processes have seen over a 50% reduction in turnaround time.  

The time saved in malware investigations means threats are contained and remediated faster, right? So, I believe the real added value is the opportunity to reduce potential damage. Which is really the one and only scope of our work. 

With ANY.RUN, our malware investigation and IOC extraction processes have seen over a 50% reduction in turnaround time

The visual process tree and network analysis allow us to see an attack’s full scope in one place, which really speeds up our containment and remediation processes. 

Plus, collaborating got easier—everyone’s on the same page when we can share those interactive reports. 

Implementation Challenges and Solutions 

To integrate ANY.RUN into our SIEM and SOAR platforms for real-time data flow, we used APIs and custom scripts, supported by OpenCTI integration. Initial challenges included interoperability issues with our Filigran system, data formatting mismatches, and security constraints. Collaboration with vendors and iterative testing resolved these issues, achieving reliable performance. 

To help colleagues fully utilize ANY.RUN’s interactive features, we conducted in-house training sessions. These covered the platform’s core functionalities, best practices for malware analysis, and real-time collaboration techniques. This ensured all team members, from junior analysts to experienced responders, could effectively use the new workflows and maximize the platform’s capabilities. 

Employee Feedback 

Our employees are generally very positive about ANY.RUN’s products. Analysts appreciate the intuitive interface and the ability to manipulate malware in real-time. Junior analysts find it educational, since they can watch suspicious processes unfold step by step, learning about Tactics, Techniques, and Procedures (TTPs) in a hands-on manner. Senior analysts value the time savings and the visual clarity of the results. 

Junior analysts find it educational, since they can watch suspicious processes unfold step by step

Advice for Those Planning to Integrate ANY.RUN 

We advise starting with a pilot project on the most suspicious files—you’ll see the value right away. Take advantage of ANY.RUN’s API documentation and support channels to make integration smoother. And if you’re training new analysts, definitely have them dive into the interactive side of things. It’s a real game-changer. 

Plans 

We’re upping our SOC game by adding more automation. ANY.RUN’s API integration makes it easy to connect with our CTI/SOAR platform, so when something malicious is detected, it can trigger containment steps automatically. ANY.RUN will be a core piece of our future setup. 

Conclusion 

A big thank you to Augustine and Expertware for sharing their insight into the day-to-day operations of a security team during our meeting. The expertise and unique perspectives you provided as part of the interview will help other organizations understand the benefits of integrating ANY.RUN’s Interactive Sandbox for stronger security. 

If you are using ANY.RUN’s products and willing to share your experiences with the community, please send us an email at content@any.run. 

About ANY.RUN

ANY.RUN supports over 15,000 organizations across industries such as banking, manufacturing, telecommunications, healthcare, retail, and technology, helping them build stronger and more resilient cybersecurity operations.

With our cloud-based Interactive Sandbox, security teams can safely analyze and understand threats targeting Windows, Linux, and Android environments in less than 40 seconds and without the need for complex on-premise systems. Combined with our Threat Intelligence solutions, TI Lookup, YARA Search, and Feeds, we equip businesses to speed up investigations, reduce security risks, and improve team’s efficiency.

The post How MSSP Expertware Uses ANY.RUN’s Interactive Sandbox for Faster Threat Analysis appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

What do you do when you need a program but can’t buy an official license yet? Correct answer: “Use the trial version” or “Find a free alternative.” Wrong answer: “Search online for a cracked version.”

Sketchy alternative sources are known to offer cracked versions of software, along with other goodies. After wading through sites stuffed with ads, you may get the program you want (usually minus the future updates and network functionality), but with a miner, stealer, or whatever else thrown in for good measure.

Based on real-world examples, we explain why you should avoid sites that offer instant downloads of in-demand programs.

Miner and stealer on SourceForge

SourceForge was once the largest site for all things open source, the forerunner of GitHub. But don’t think that SourceForge is dead – today it provides software hosting and distribution services. Its software portal hosts multiple projects, uploaded by anyone who wants to.

And, as with GitHub, it’s this cosmopolitanism that is a barrier to high-level security. Let’s take just one example: our experts found a project called officepackage on SourceForge. At first glance, it looks harmless: a clear description, no-nonsense name, even a positive review.

“Officepackage” page on SourceForge

But what if we told you that the description and files were copied outright from an unrelated project on GitHub? Alarm bells are already ringing. That said, no malware lands on your computer when you click the Download button – the project is apparently clean. Apparently, because the malicious payload was not distributed directly through the officepackage project, but through the web page associated with it. How is this possible?

The fact is that every project created on SourceForge gets its own domain name and hosting on sourceforge.io. So a project named officepackage is given a web page at officepackage.sourceforge[.]io. Such pages are easily indexed by search engines and rank high in search results. This is how attackers attract victims.

When visiting officepackage.sourceforge[.]io from a search engine brought users to a page offering downloads of almost any version of the Microsoft Office suite. But, as ever, the devil was in the detail: when you hovered over the Download button, the browser’s status bar showed a link to https[:]//loading.sourceforge[.]io/download. Spotted the trap? The new link has nothing to do with officepackage; loading is an entirely different project.

The “Download” button on the “officepackage” page of the SourceForge software portal leads to a completely different project

And after clicking, users were redirected not to the page of the loading project, but to another intermediary site with another Download button. And only after clicking this did the user, weary of surfing, finally receive a file – an archive named vinstaller.zip. Inside was another archive, and inside this second archive was a malicious Windows Installer.

At the heart of this evil nesting doll were two nasties: instead of Microsoft products, a miner and ClipBanker – malware for substituting crypto wallet addresses in the clipboard – were let loose on the victim’s device after running the installer. Details of the infection scheme can be found in the full version of the study on our Securelist blog.

Malicious TookPS installer disguised as legitimate software

Cybercriminals do not limit themselves to SourceForge and GitHub. In another recent case unearthed by our experts, attackers were found distributing the malicious TookPS downloader, already familiar to us from the fake DeepSeek and Grok clients, through fake websites offering free downloads of specialized software. We discovered a whole series of such sites offering users cracked versions of UltraViewer, AutoCAD, SketchUp and other popular professional software, meaning that the attack was not only aimed at home users, but also at professional freelancers and organizations. Other malicious files detected included the names Ableton.exe and QuickenApp.exe, purported versions of the popular music creation and money management applications.

Fake pages distributing TookPS

By circuitous means, the installer downloaded two backdoors to the victim’s device: Backdoor.Win32.TeviRat and Backdoor.Win32.Lapmon. See another Securelist post to find out exactly how the malware was delivered to the victim’s device. The malware gave the attackers full access to the victim’s computer.

How to protect yourself

First, do not download pirated software. Under any circumstances. Ever. A cracked program may be temptingly free and instantly available, but the price you pay will be measured not in money, but in data – your data. And no, that doesn’t mean family photos and chats with friends. Cybercriminals are after your crypto wallets, payment card details, account passwords – and even your computer’s resources for cryptocurrency mining.

Here’s a list of rules we recommend for anyone who uses SourceForge, GitHub and other software portals.

• If you can’t buy the full version of an application, use alternatives or trial versions, not cracked software. You might not get the full functionality, but at least your device is guaranteed to be safe.
• Only download programs from trusted sources. As SourceForge and GitHub practice shows, even then you should proceed with caution and scan all downloaded files with an antivirus.
• Protect your cryptocurrency and banking data with reliable tools. Treat virtual wallets with the same reverence as physical ones.

Further reading in support of not downloading pirated software:

• The dangers of pirated games
• NullMixer: multiple malware in one
• XMRig miner as a New Year’s gift
• Malware lurking in “official” GitHub and GitLab links

Kaspersky official blog – ​Read More