{"id":43086,"date":"2021-09-27T00:00:00","date_gmt":"2021-09-27T00:00:00","guid":{"rendered":"https:\/\/www.trendmicro.com\/en_us\/research\/21\/i\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html"},"modified":"2021-09-27T00:00:00","modified_gmt":"2021-09-27T00:00:00","slug":"fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers-threats-analyst","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers-threats-analyst\/","title":{"rendered":"Fake Installers Drop Malware and Open Doors for Opportunistic Attackers Threats Analyst"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers\/fake%20app%20malware%20bundle.png\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.198373708284\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\"
role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1158608569\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"9.3061224489796\">\n<div class=\"article-details\" role=\"heading\" readability=\"38.204081632653\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">We recently spotted fake installers of popular software being used to deliver bundles of malware onto victims\u2019 devices. These installers are widely used lures that trick users into opening malicious documents or installing unwanted applications. <\/p>\n<p class=\"article-details__author-by\">By: Ryan Maglaque, Joelson Soares, Gilbert Sison <time class=\"article-details__date\">September 27, 2021<\/time> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"44.308101714962\">\n<div readability=\"34.461856889415\">\n<p>It is widely known that with regard to cybersecurity, a user is often identified as the <a href=\"https:\/\/www.sans.org\/blog\/this-is-why-the-human-is-the-weakest-link\/\" target=\"_blank\" rel=\"noopener\">weakest link<\/a>. This means that they become typical entry vectors for attacks and common social-engineering targets for hackers. Enterprises can also suffer from these individual weak links. Employees are sometimes unaware of online threats, or are unfamiliar with cybersecurity best practices, and attackers know exactly how to take advantage of this gap in security.&nbsp;<\/p>\n<p>One way that attackers trick users is by luring them with unauthorized apps or installers carrying malicious payloads. 
We recently spotted some of these fake installers being used to deliver bundles of malware onto victims\u2019 devices. These fake installers are not a new technique used by attackers; in fact, they are old and widely used lures that trick users into opening malicious documents or installing unwanted applications. Some users fall into this trap when they search the internet for free or cracked versions of paid applications.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">Looking inside the fake installers<\/span><\/p>\n<p>We saw users trying to download cracked versions of non-malicious applications that had limited free versions and paid full versions, specifically, TeamViewer (a remote connectivity and engagement solutions app), VueScan Pro (an app for scanner drivers), Movavi Video Editor (an all-in-one video maker), and Autopano Pro for macOS (an app for automated picture stitching).&nbsp;<\/p>\n<p>One example that we dive into here involves a user who tried to download an unauthorized version of TeamViewer (an app that has actually been used as camouflage for <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/modified-teamviewer-tool-drops-trojan-spyware-on-victims\" target=\"_blank\" rel=\"noopener\">trojan spyware<\/a> before). The user downloaded a malicious file disguised as a crack installer for the application.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers\/Fake%20Installer%201.png\" alt=\"Figure 1. Malicious files downloaded by user\"><figcaption>Figure 1. 
Malicious files downloaded by user<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>After downloading and executing these files, one of the child processes created other files and the executable <b>setup.exe\/setup-installv1.3.exe<\/b>, which was extracted from <b>320yea_Teamviewer_15206.zip <\/b>via<b> WinRAR.exe<\/b>. This file seems to be the source of most of the downloaded malicious files, as seen in the following figure.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers\/Fake%20Installer%202.png\" alt=\"Figure 2. Unpacking of setup-installv1.3.exe via WinRar.exe\"><figcaption>Figure 2. Unpacking of setup-installv1.3.exe via WinRar.exe<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>Afterward, the file <b>aae15d524bc2.exe<\/b> was dropped and executed via Command Prompt. It then&nbsp; spawned a file, <b>C:\\Users\\{username}\\Documents\\etiKyTN_F_nmvAb2DF0BYeIk.exe<\/b>, which sequentially initiated the BITS admin download. BITS admin is a command-line tool that can help monitor progress and create, download, and upload jobs. The tool also allows a user to obtain arbitrary files from the internet, a feature that attackers can abuse.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers\/Fale%20Installer%203.png\" alt=\"Figure 3. BITS admin execution detection\"><figcaption>Figure 3. 
BITS admin execution detection<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41\">\n<div readability=\"27\">\n<p>We also observed that information in the browser&#8217;s credential store was taken by the attacker. Specifically, the stored data in <b>C:\\Users\\{username}\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login<\/b> was copied. Credentials stored in browsers are often critical personal data that could be leveraged by attackers to gain access into personal, business, or financial accounts. Attackers can even compile and sell this information in underground markets.&nbsp;<\/p>\n<p>To maintain persistence, an executable file was added to the AutoStart registry and a scheduled task was created:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Create scheduled task:&nbsp;C:\\Windows\\System32\\schtasks.exe \/create \/f \/sc onlogon \/rl highest \/tn &quot;services64&quot; \/tr &#39;&quot;C:\\Users\\{username}\\AppData\\Roaming\\services64.exe&quot;&#39;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">AutoStart registry:&nbsp;HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\prun:C:\\WINDOWS\\PublicGaming\\prun.exe<\/span><\/li>\n<\/ul>\n<p>As previously mentioned, these cases come about because users search for free applications and trust that someone is going to put the cracked or stolen full version online as a gesture of good will. But as we can see, attackers simply take advantage of those who download these files.&nbsp;<\/p>\n<p>In Figure 4, we can see that a trojanized VueScan file is already in a Downloads folder and is executed by a legitimate user.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers\/Fake%20Installer%204.png\" alt=\"Figure 4. 
Unpacking of 61193b_VueScan-Pro-974.zip which created a new process\"><figcaption>Figure 4. Unpacking of 61193b_VueScan-Pro-974.zip which created a new process<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>After <b>setup_x86_x64_install.exe<\/b> was executed, it created and executed a new file named <b>setup_installer.exe<\/b> that dropped several files and queried several domains. Most of these domains are malicious, as evidenced in Figure 5.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers\/Fake%20Installer%205.png\" alt=\"Figure 5. Dropped malicious files querying several domains\"><figcaption>Figure 5. Dropped malicious files querying several domains<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.803288314739\">\n<div readability=\"29.416324133881\">\n<p>This malicious payload also exhibits backdoor behavior. We can see that the attackers are listening on these channels: 127.0.0.1:53711 and 127.0.0.1:53713. This lets the attacker keep a foothold in the computer; through this, they can possibly move laterally across the network and, if it is an enterprise device, compromise a critical company asset.&nbsp;<\/p>\n<p>The other fake installers behaved similarly, exploiting users who attempt to download either an unauthorized application cracker\/activator or an illegal full version. These infections then create persistence for later access.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">How widespread is the threat?<\/span><\/p>\n<p>Camouflaged malicious installers and apps are often used to load malware onto victims\u2019 devices. 
A few recent examples are widespread <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/h\/fake-cryptocurrency-mining-apps-trick-victims-into-watching-ads-.html\" target=\"_blank\" rel=\"noopener\">fake cryptocurrency-mining applications<\/a> that took advantage of neophyte cryptominers and <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/20\/d\/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware.html\" target=\"_blank\" rel=\"noopener\">fake Covid-19 update apps<\/a>. In tracking this current batch of fake installers, we were able to detect incidents around the world. We initially do not classify these particular events as targeted attacks, mostly because in all cases the users actively searched for application crackers or unlocked versions of software. But even if these were not initially targeted attacks, they can later lead to opportunistic hacks because the attacker already has a presence in the computer. Aside from loading malware, the attackers can use their initial access to conduct malicious activity, like compromising a company\u2019s virtual private network (VPN). They could even sell the access to other cybercrime gangs, such as ransomware operators. It\u2019s important to stress that attackers use every tool within reach, and even <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021\" target=\"_blank\" rel=\"noopener\">legitimate applications<\/a> can be weaponized.&nbsp;&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/i\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers\/Fake%20Installer-01.png\" alt=\"Figure 6. Unique detections per region of the indicators of compromise (IOCs) listed in the following. 
The data is sourced from Trend Micro\u2122 Smart Protection Network\u2122 for the month of August.\"><figcaption>Figure 6. Unique detections per region of the indicators of compromise (IOCs) listed in the following. The data is sourced from Trend Micro\u2122 Smart Protection Network\u2122 for the month of August.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.5\">\n<div readability=\"26\">\n<p>Of course, we also know that software piracy is prevalent in many regions. From the data in Figure 6, we can surmise that it is still a major threat to security. Users have to be more aware of the threats these illegal installers can hold and implement stricter security practices for installing and executing applications from the internet onto their personal and work devices.&nbsp;<\/p>\n<p>The global pandemic has pushed users out of offices and into work-from-home (WFH) situations where there are other \u201cphysically\u201d connected devices like the internet of things (IoT), personal mobiles, and personal computers that have weak security. These present a problem because malware can quickly spread from personal devices to business computers on the same network.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">Malicious capabilities of the fake installers&nbsp;<\/span><\/p>\n<p>We were able to analyze some of the malicious files bundled into the installers. Their capabilities are varied, from cryptocurrency mining to stealing credentials from social media applications. 
We enumerate them in this table:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table cellpadding=\"1\" cellspacing=\"0\" border=\"1\">\n<tbody readability=\"16\">\n<tr>\n<td valign=\"middle\">Malicious file<\/td>\n<td valign=\"middle\">Actions<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td readability=\"5\">\n<p>Trojan.Win32.MULTDROPEX.A<\/p>\n<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\"><b data-rte-class=\"rte-temp\">Main dropper of the malicious file<\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b data-rte-class=\"rte-temp\">Disguised as cracker\/installer of legitimate applications<\/b><\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>Trojan.Win32.SOCELARS.D<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\"><b data-rte-class=\"rte-temp\">Gathers information regarding the machine<\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b data-rte-class=\"rte-temp\">Collects browser information<\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b data-rte-class=\"rte-temp\">Collects social media information (Instagram and Facebook)<\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b data-rte-class=\"rte-temp\">Collects information from Steam application<\/b><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b data-rte-class=\"rte-temp\">Drops Google Chrome extension responsible for further stealing of Facebook\/credit card\/payment credentials<\/b><\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>\n<p>Trojan.Win32.DEALOADER.A<\/p>\n<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Malware downloader<br \/><\/span><\/li>\n<li><span class=\"rte-red-bullet\">URL inactive, but based on research possibly another stealer<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"4\">\n<td>TrojanSpy.Win32.BROWALL.A<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Collects browser information<br \/><\/span><\/li>\n<li><span 
class=\"rte-red-bullet\">Collects cryptocurrency wallet information<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td>TrojanSpy.Win32.VIDAR.D<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Collects browser information<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Collects credentials<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"8\">\n<td>Trojan.Win64.REDLINESTEALER.N<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Executes command from remote user<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Gathers information regarding the machine<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Collects browser information<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Collects FTP client information<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Collects VPN information<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Collects cryptocurrency wallet information<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Collects information from other applications (Discord, Steam, Telegram)<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<tr readability=\"5\">\n<td>Coinminer.MSIL.MALXMR.TIAOODBL<\/td>\n<td>\n<ul>\n<li><span class=\"rte-red-bullet\">Downloads miner module hosted on Discord<br \/><\/span><\/li>\n<li><span class=\"rte-red-bullet\">XMR miner<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Installs persistence via scheduled tasks and AutoRun registry<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p><span class=\"body-subhead-title\">How to protect yourself from the threat of malware<\/span><\/p>\n<p>As aforementioned, fake installers are not new, but they are still a widely used delivery system for malware. Attackers are uploading more and more of these files for a simple reason: They work. 
Users download and execute these installers, and this lets attackers maintain persistence in personal devices and gives them a way into company networks as well.&nbsp;<\/p>\n<p>To combat this threat, it is important for users to be educated on the effects of downloading files from untrusted websites. There are also other security measures to take:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">A multilayered security approach is necessary when protecting the environment. If one layer of protection fails, there are still others in place that can prevent the threat.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Application control will help prevent execution of suspicious files.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Restricting admin rights for users that do not need access is also a good preventive measure.&nbsp;<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div>\n<p><span class=\"body-subhead-title\">Indicators of Compromise<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><b>Malicious URLs:<\/b><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/i\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We recently spotted fake installers of popular software being used to deliver bundles of malware onto victims\u2019 devices. These installers are widely used lures that trick users into opening malicious documents or installing unwanted applications. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":43087,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9508,9513,9509],"class_list":["post-43086","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Fake Installers Drop Malware and Open Doors for Opportunistic Attackers Threats Analyst 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers-threats-analyst\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fake Installers Drop Malware and Open Doors for Opportunistic Attackers Threats Analyst 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers-threats-analyst\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-09-27T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/09\/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers-threats-analyst.png\" \/>\n\t<meta property=\"og:image:width\" content=\"752\" \/>\n\t<meta property=\"og:image:height\" content=\"363\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<!-- \/ Yoast SEO plugin. -->"}