New vigilante-style malware targets users of pirated software on Windows

Abhishek Baxi


Security company Sophos has published a new research – Vigilante Malware Rats Out Software Pirates While Blocking ThePirateBay – which details a cyberattack campaign that targets users of pirated software with malware designed to block access to websites hosting pirated software.

The malware is disguised as cracked versions of popular games such as Minecraft and Among Us, productivity apps such as Microsoft Office, security software and others. Instead of seeking to steal passwords or to extort a computer’s owner for ransom, this malware blocks the victim’s access to a long list of websites, including many that distribute pirated software. Essentially, this is a ‘vigilante’ malware that rats out software pirates!

The disguised malware is distributed via the BitTorrent protocol from an account hosted on ThePirateBay, the leading digital file-sharing website. These links and malware files are also hosted on Discord.

“On the face of it, the adversary’s targets and tools suggest this could be some kind of crudely-compiled anti-piracy vigilante operation. However, the attacker’s vast potential target audience – from gamers to business professionals – combined with the curious mix of dated and new tools, techniques and procedures (TTPs) and the bizarre list of websites blocked by the malware, all make the ultimate purpose of this operation a bit murky.”

– Andrew Brandt, principal threat researcher, Sophos

Modifying the HOSTS file is a crude method to prevent a computer from being able to reach a web address. It’s effective, yes, but anyone can remove the entries from the HOSTS file to fix things.

The malicious files are compiled for 64-bit Windows 10 and then signed with bogus digital certificates. On modern Windows computers, the malware has to run as an elevated (administrator-privileges) user, so more aware and cautious users would be able to avoid the attack. The malware also triggers a fake error message to appear when it runs, which asks people to re-install the software. Sophos researchers believe this could be to allay any suspicion.