{"id":47149,"date":"2022-06-17T00:00:00","date_gmt":"2022-06-17T00:00:00","guid":{"rendered":"urn:uuid:959141ee-fc58-0cd2-c071-a7d9a3c021ba"},"modified":"2022-06-17T00:00:00","modified_gmt":"2022-06-17T00:00:00","slug":"websites-hosting-fake-cracks-spread-updated-copperstealer-malware","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/","title":{"rendered":"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/COVER-websites-hosting-fake-cracks-spread-updated-copperstealer-malware.jpg\"> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.241949521323\"> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1771792499\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.2228260869565\">\n<div class=\"article-details\" role=\"heading\" readability=\"35.79347826087\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">We found updated samples of the CopperStealer malware infecting systems via websites hosting fake software.<\/p>\n<p class=\"article-details__author-by\">By: Joseph C Chen, Jaromir Horejsi <time class=\"article-details__date\">June 17, 2022<\/time><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"34.046208530806\">\n<div readability=\"14.591232227488\">\n<p>We noticed a new version of <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/c\/websites-hosting-cracks-spread-malware-adware.html\">CopperStealer<\/a>, and our analysis ties these samples to a previous campaign we\u2019ve documented.
We examined this new version, which reuses parts of the earlier code, and observed the following similarities with previous versions:<\/p>\n<ol>\n<li>The same cryptor<\/li>\n<li>Use of Data Encryption Standard (DES) with the same key<\/li>\n<li>The same name of the DLL export function (for later versions of CopperStealer)<\/li>\n<li>Data exfiltration to a Telegram channel (for later versions of CopperStealer)<\/li>\n<li>Use of the executable utility MiniThunderPlatform<\/li>\n<\/ol>\n<p><span class=\"body-subhead-title\">First Stage: Cryptor<\/span><\/p>\n<p>We observed CopperStealer\u2019s binary being encrypted and appended to a legitimate application whose entry point is overwritten by a shellcode. This shellcode reads the offset of the payload and the XOR decryption key from the executable file header, which is the same method we described in <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/21\/c\/websites-hosting-cracks-spread-malware-adware.html#:~:text=the%20PPI%20networks.-,First%20Stage,-The%20.exe%20file\">our report<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure1-updated-copperstealer.png\" alt=\"fig1-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 1. XOR encryption key stored in the executable header<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>As highlighted in the screenshot, the encryption key is 0x001eb1c0, which is 2011584 in decimal. This decimal value serves as both the offset of the payload and the XOR key. All the samples we analyzed use the same scheme. The following screenshot shows the beginning of the encrypted data.
The decryption is an XOR with that key, which equals the offset in decimal.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure2-updated-copperstealer.png\" alt=\"fig2-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 2. Beginning of the encrypted data<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p>The decrypted second stage is an Ultimate Packer for Executables (UPX)-packed DLL with one exported function, called HelloWorld. It&#8217;s important to note that in older versions of CopperStealer this export was called WorkIn, while newer versions already use HelloWorld.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure3-updated-copperstealer.png\" alt=\"fig3-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 3. The exported function name for the UPX-packed DLL is HelloWorld.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<p><span class=\"body-subhead-title\">Second Stage: Dropper<\/span><\/p>\n<p>The second stage is a dropper that embeds two additional executables (compressed with 7-Zip), internally named A and B. These resources are dropped under the names \u201cbuild\u201d and \u201cshrdp\u201d and subsequently executed.
Based on their functions, we refer to them as the \u201cbrowser stealer\u201d and \u201cremote desktop\u201d components.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure4-updated-copperstealer.png\" alt=\"fig4-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 4. Two resources named A and B<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure5-updated-copperstealer.png\" alt=\"fig5-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 5. Components \u201cbuild\u201d and \u201cshrdp\u201d<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.453125\">\n<div readability=\"11.625\">\n<p><b>First component: Browser stealer<\/b><\/p>\n<p>This component uses the same payload encryption technique and the same export method name as the routine discussed in the first stage. The component installs a certificate with the thumbprint 6c0ce2dd0584c47cac18839f14055f19fa270cdd in the Certificates folder of the current user.
The same certificate is mentioned in the indicators of compromise (IOC) section of <a href=\"https:\/\/blog.talosintelligence.com\/2021\/04\/threat-roundup-0423-0430.html\">another report<\/a>, where it is also attributed to CopperStealer.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure6-updated-copperstealer.png\" alt=\"fig6-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 6. Installed certificate<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41\">\n<div readability=\"27\">\n<p>The browser stealer then extracts the \u201cMachineGuid\u201d value from &lt;<i>Software\\\\Microsoft\\\\Cryptography<\/i>&gt; and uses this string as the name of the directory where it stores all the stolen data. It then searches for and steals cookies from the following browsers:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Brave-Browser<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Chrome<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Chromium<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Edge<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Firefox<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Opera<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Yandex<\/span><\/li>\n<\/ul>\n<p>The cookies in Chromium-based browsers are encrypted. To handle this, the stealer reads <i>os_crypt<\/i> and <i>encrypted_key<\/i> from the &lt;<i>%APPDATA%\\Local\\Google\\Chrome\\User Data\\Local State<\/i>&gt; file, decrypts the key, and stores it in its own encrypted form. Our analysis shows this stored value is base64-encoded, then DES-encrypted with key \u201cloadfa1d\u201d and IV \u201cunsigned\u201d, and then base64-encoded again.
This encrypted and encoded value is then saved to a file named &lt;<i>%APPDATA%\\Local\\Google\\Chrome\\User Data\\History<\/i>&gt;.<\/p>\n<p>The stealer then collects the data, creates directories labeled \u201cbrowsers\u201d and \u201ccookies\u201d inside the directory named after the MachineGuid, and sorts the stolen data into these directories by content. The file names describe the data stolen from the infected system:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">passwords.txt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">passwords_urls.txt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">_cookie.txt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">cookies_urls.txt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">CC.txt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">chrome_autofill.txt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">_token.txt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">outlook.txt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">thunderbird.txt<\/span><\/li>\n<li><span class=\"rte-red-bullet\">eventlog.txt<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure7-updated-copperstealer.png\" alt=\"fig7-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 7. Example of file and directory structure of stolen data<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"38.362254025045\">\n<div readability=\"21.921288014311\">\n<p>Aside from stealing web browser data, the stealer also gathers user data from the online messenger platforms Telegram, Discord, and Elements, the game distribution service Steam, and the email clients Outlook and Thunderbird.
The stealer copies the relevant settings and configuration files and sends them back to the command-and-control (C&amp;C) server:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Telegram: The stealer scans for the \u201ctdata\u201d folder, where all data such as sessions, messages, and images are stored.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Discord: It looks for the \u201cuserDataCache.json\u201d file.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Elements: It looks for the \u201cIndexeDB\u201d directory, where the messenger app stores information such as access tokens.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Steam: It searches for the \u201cconfig\u201d file holding the settings, which can reside in a number of locations, as discussed <a href=\"https:\/\/steamcommunity.com\/discussions\/forum\/1\/1700542332336283932\/\">here<\/a>.<\/span><\/li>\n<\/ul>\n<p>Firefox stores its saved logins encrypted in a logins.json file. The stealer contains a resource utility called FFNSS332 for 32-bit systems (or FFNSS364 for 64-bit systems), which parses logins.json and prints its results on the command-line output. We also noticed the embedded files DLL7Z and EXE7Z, which are used to pack all the stolen data into one archive compressed with 7-Zip.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure8-updated-copperstealer.png\" alt=\"fig8-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 8.
Embedded utilities in the stealer\u2019s resources<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"45.5\">\n<div readability=\"36\">\n<p>The stealer runs the Windows Events Command-Line Utility to list the dates of events 6005 (event log service started) and 6006 (event log service stopped), and saves the output to the eventlog.txt file. The entire directory of stolen files is compressed into a password-protected 7-Zip archive (7z.dll and 7z.exe are included as resources), and the archive password is <i>md5[duplicated directory name]<\/i>. The archive is then uploaded to a dedicated Telegram channel, and a message about the successful upload is sent to the notification channel.<\/p>\n<p><b>Second component: Remote desktop<\/b><\/p>\n<p>Like the first component, the second component uses the same payload encryption and the same export method naming convention explained in the first section.<\/p>\n<p>This component first decrypts the C&amp;C server address, which is stored in encrypted form on Pastebin. After base64 decoding, the decryption algorithm is DES with key \u201ctaskhost\u201d and IV \u201cwinlogon\u201d. These are exactly the same settings mentioned in our previous CopperStealer analysis. After the C&amp;C address is obtained, the component registers its machine identifier (under the value \u201cMachineGuid,\u201d the same identifier used in the first component) and then periodically queries the server for tasks to perform.<\/p>\n<p>Following this finding, we looked into the account responsible for sharing this on Pastebin. The account\u2019s name is Javalinkcrash, and it was created with only one paste, containing the encrypted C&amp;C server address. According to the statistics provided in the detailed view, the paste was created in March and has garnered more than 23,000 views as of this writing.
We believe the view number could be an estimate of the number of victims infected with this new variant of CopperStealer.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure9-updated-copperstealer.png\" alt=\"fig9-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 9. The detailed view of the encrypted C&amp;C server address paste showing the number of total views<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.601265822785\">\n<div readability=\"15.594936708861\">\n<p>The supported tasks are \u201cinstall\u201d and \u201ckillme\u201d. The \u201cinstall\u201d task performs the following operations:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Adds a new user account to the machine, wherein the password is the same as the username<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Adds this user account to the administrators\u2019 group and \u201cRemote Desktop Users\u201d group<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Hides this account from the login screen by modifying the &lt;\\\\Winlogon\\\\SpecialAccounts\\\\UserList&gt; registry key<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Disables the firewall<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Allows remote desktop connections.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Disables <a href=\"https:\/\/docs.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-server-2008-R2-and-2008\/cc732713(v=ws.11)\">Network Level Authentication<\/a><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Extracts and installs RDP wrapper (named as \u201cSHRDP\u201d in resources), derived from the <a href=\"https:\/\/github.com\/stascorp\/rdpwrap\">rdpwrap<\/a> project and once installed, enables the 
Remote Desktop function on its host system<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Extracts and installs OpenVPN (drivers and certificate, named OEMVISTAxxx and TAPxxx in resources, plus OP in resources).<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Extracts and installs MiniThunderPlatform (named \u201cTHUNDERFW\u201d in resources), another utility that we also mentioned in our previous analysis of CopperStealer<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Extracts and installs <a href=\"https:\/\/github.com\/ntop\/n2n\">n2n<\/a> (named \u201cEDGE\u201d in resources), a tool for creating virtual networks. (The execution parameters \u201c-k\u201d, a secret encryption key, \u201c-a\u201d, a private IP address, and \u201c-l\u201d, a supernode IP and port, must be received from the C&amp;C server.)<\/span><\/li>\n<\/ul>\n<p>The \u201ckillme\u201d task kills the processes, deletes the files, and removes the users that were started, dropped, or added during the \u201cinstall\u201d task. All the Remote Desktop-related files are also supplied in resources, and the component simply extracts and installs them.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure10-updated-copperstealer.png\" alt=\"fig10-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 10.
List of resources embedded in a Remote Desktop component<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>To prevent Windows Defender from detecting the dropped files, the component adds their directory to the exclusion list.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure11-updated-copperstealer.png\" alt=\"fig11-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 11. Adding a folder to Windows Defender\u2019s exclusion list<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p><span class=\"body-subhead-title\">Infection vector<\/span><\/p>\n<p>As in our previous analysis of CopperStealer, the infection vector starts with a website offering fake cracks. These websites usually display two buttons, one offering to download and the other to set up the desired crack. Selecting either button begins a redirection chain that requires the user to click another \u201cDownload\u201d button. Afterward, a download prompt appears and the user is prompted to save the file to the computer.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure12-updated-copperstealer.png\" alt=\"fig12-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 12.
Website offering a fake crack<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure13-updated-copperstealer.png\" alt=\"fig13-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 13. A user is prompted to interact with the page and initiate redirection, followed by the download prompt.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>To prevent security solutions from immediately detecting the malicious files, the downloaded archive usually contains a text file with a password and another, encrypted archive. After the password from the text file is entered, the decrypted archive reveals the executable files. In this sample, there are two files: CopperStealer and Vidar Stealer.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure14-updated-copperstealer.png\" alt=\"fig14-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 14. Zipped file with encrypted archive and text file with password<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure15-updated-copperstealer.png\" alt=\"fig15-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 15.
Final stage with two executables, CopperStealer and Vidar Stealer<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42.663194444444\">\n<div readability=\"31.997395833333\">\n<p><span class=\"body-subhead-title\">Additional findings<\/span><\/p>\n<p>Aside from the updated malware, we noticed that the operation of CopperStealer\u2019s C&amp;C infrastructure has also changed. The previous CopperStealer\u2019s communication leveraged Domain Generation Algorithms (DGA) to randomize its C&amp;C domains and abused a content delivery network (CDN) proxy to hide the real IP address of the C&amp;C server. The DGA and CDN proxy increased the stability of the stealer\u2019s network communication and helped its C&amp;C domains and IP addresses avoid detection by network protection solutions. However, a collaborative sinkhole <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft\">operation<\/a> by threat researchers and service providers disrupted CopperStealer\u2019s previous infrastructure.<\/p>\n<p>Likely because of that disruption, CopperStealer\u2019s infrastructure is now constructed differently. The C&amp;C is no longer generated with a DGA; rather, it is specified in an encrypted configuration hosted on a third-party webpage (in this sample, Pastebin was abused). Instead of a CDN proxy, we found that its C&amp;C domain adopted a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Fast_flux\">fast flux<\/a> DNS service offered on an underground forum. The fast flux DNS service can switch CopperStealer\u2019s C&amp;C domain between different IP addresses every few hours and adds a layer of proxying to protect its C&amp;C server.
While the technique is not new, we observed the switch occurring up to two times per day, every day.<\/p>\n<p>With the help of the search engine <a href=\"https:\/\/search.censys.io\/\">Censys<\/a>, we identified the real IP address of the C&amp;C server hiding behind the fast flux DNS service. The server has port 8443 open for C&amp;C communication with the infected machines (as clients). Its other open ports are served by the open-source hosting control panel <a href=\"https:\/\/vestacp.com\/\">Vesta Control Panel<\/a> (VestaCP). Upon looking into the associated certificates, we observed that while their organization name is \u201cVesta Control Panel,\u201d their subject common name differs from the stealer\u2019s C&amp;C domain. The certificates also contain a distinct subject email address, \u201ca@ya.ru.\u201d By searching for this email address, we identified similar VestaCP servers hosted with multiple providers. We also noticed that some of these servers are used for hosting phishing websites and for other C&amp;C activity. These details led us to believe that these servers are probably managed by a <a href=\"https:\/\/www.trendmicro.com\/vinfo\/us\/security\/news\/cybercrime-and-digital-threats\/inside-the-bulletproof-hosting-business-cybercrime-methods-opsec\">bulletproof hosting service<\/a> for illegal purposes.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/figure16-updated-copperstealer.png\" alt=\"fig16-websites-hosting-fake-software-spread-updated-copperstealer-malware\"><figcaption>Figure 16.
Identifying the servers<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"41.868338557994\">\n<div readability=\"28.909090909091\">\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>From the outset, organizations and users are highly discouraged from downloading cracks from third-party websites. Some unofficial sites host functioning software that comes bundled with hidden, additional illicit components unrelated to the advertised functions. Moreover, fake software can be abused for multiple attacks and infections, and data stealers like CopperStealer can be used by attackers to take sensitive information for further illicit activities.<\/p>\n<p>Despite CopperStealer\u2019s basic data-stealing capabilities and dated infection technique, its development, which now involves new platforms such as Telegram and redundant layers of encryption, shows that the attackers are learning to vary their evasion and communication procedures. At scale, this increases the financial consequences and impact of their infections.<\/p>\n<p>Users are advised to keep their systems constantly patched and their security solutions updated. We also recommend enabling basic security detection and prevention solutions such as a firewall and antivirus prevention engines to protect systems from threats like CopperStealer.
<\/p>\n<p><span class=\"body-subhead-title\">Indicators of Compromise (IOCs)<\/span><\/p>\n<p>You can find the full list of IOCs <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/IOCs-websites-hosting-fake-cracks-spread-updated-copperstealer.txt\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We found updated samples of the CopperStealer malware infecting systems via websites hosting fake software.
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":47150,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9508,9513],"class_list":["post-47149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Websites Hosting Fake Cracks Spread Updated CopperStealer Malware 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-06-17T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/COVER-websites-hosting-fake-cracks-spread-updated-copperstealer-malware.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware\",\"datePublished\":\"2022-06-17T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/\"},\"wordCount\":2142,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware.png\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/\",\"name\":\"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware.png\",\"datePublished\":\"2022-06-17T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/06\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware.png\",\"width\":552,\"height\":116},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.
org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/","og_locale":"en_US","og_type":"article","og_title":"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-06-17T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/f\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/COVER-websites-hosting-fake-cracks-spread-updated-copperstealer-malware.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware","datePublished":"2022-06-17T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/"},"wordCount":2142,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware.png","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Endpoints","Trend Micro Research : Malware"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/","url":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/","name":"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware.png","datePublished":"2022-06-17T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/06\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware.png","width":552,"height":116},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/websites-hosting-fake-cracks-spread-updated-copperstealer-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, 
Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Websites Hosting Fake Cracks Spread Updated CopperStealer Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=47149"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/47149\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/47150"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=47149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=47149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=47149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}