Raccoon and Vidar Stealers Spreading via Massive Network of Fake Cracked Software


Level 85
Thread author
Honorary Member
Top Poster
Content Creator
Malware Hunter
Aug 17, 2014
A "large and resilient infrastructure" comprising over 250 domains is being used to distribute information-stealing malware such as Raccoon and Vidar since early 2020.

The infection chain "uses about a hundred of fake cracked software catalogue websites that redirect to several links before downloading the payload hosted on file share platforms, such as GitHub," cybersecurity firm SEKOIA said in an analysis published earlier this month.

The French cybersecurity company assessed the domains to be operated by a threat actor running a traffic direction system (TDS), which allows other cybercriminals to rent the service to distribute their malware.

The attacks target users searching for cracked versions of software and games on search engines like Google, surfacing fraudulent websites on top by leveraging a technique called search engine optimization (SEO) poisoning to lure victims into downloading and executing the malicious payloads.

The poisoned result comes with a download link to the promised software that, upon clicking, triggers a five-stage URL redirection sequence to take the user to a web page displaying a shortened link, which points to a password-protected RAR archive file hosted on GitHub, along with its password.

"Using several redirections complicates automated analysis by security solutions," the researchers said. "Carving the infrastructure as such is almost certainly designed to ensure resilience, making it easier and quicker to update or change a step."

Andy Ful

From Hard_Configurator Tools
Honorary Member
Top Poster
Dec 23, 2014
I would not recommend Microsoft Defender on default settings as a main protection for people who search & install cracked software, keygens, etc. Although the protection is very good for widespread threats (also 0-day threats), it is not very good for the above attack vector (semi-targeted attacks), when users actively search for pirated content. Furthermore, such attacks are too rare to impact Real-World tests, like those made by AV-Comparatives and AV-Test.

I am not sure if other AVs (on default settings) can do better because there are no reliable (comparative) tests. It can be that Norton (with Download Insight), Kaspersky (with roll back), or Comodo (with auto-sandbox) can provide better protection for some users.

Of course, the best solution (for many reasons) would be to avoid pirated software.:)

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.