Malware Alert: Torrented Microsoft Office Packs a Nasty Surprise, here is what to know

Microsoft Office

Malware Alert: Torrented Microsoft Office Packs a Nasty Surprise, here is what to know

Cybercriminals have been distributing a dangerous malware cocktail through cracked versions of Microsoft Office, which are often promoted on torrent sites. This illicit software distribution poses a significant threat to users, as it includes a mix of malicious programs that can compromise system security and put sensitive information at risk.

Microsoft Office

The Malware Strains

The malware delivered to unsuspecting users includes the following strains:

  1. Remote Access Trojans (RATs): These insidious tools allow threat actors to gain unauthorized access to compromised systems. They can collect system information, execute commands, and even exfiltrate data via keylogging and webcams.
  2. Cryptocurrency Miners: The malware cocktail includes XMRig, a crypto miner that halts mining when system resources are heavily utilized (e.g., during gaming or graphics processing) to avoid detection.
  3. Proxy Tools: The attackers inject 3Proxy, an open-source proxy server, into legitimate processes. This allows them to abuse the infected system as a proxy, potentially facilitating further attacks.
  4. Anti-AV Programs: The malware also includes tools designed to deactivate security software, leaving the system vulnerable to additional threats.

How the Malware Spreads from Cracked Microsoft Office

The cybercriminals disguise their malware as cracked versions of legitimate software, such as WindowsMicrosoft Office, and the Hangul Word Processor (a popular tool in Korea). Users who download and install these cracked versions unknowingly introduce the malware into their systems.

The attackers have been upgrading their malware by registering with the Task Scheduler on infected systems. This allows them to execute PowerShell commands that install the malware. If the Task Scheduler is not remediated, new malware strains are repeatedly installed, maintaining the attacker’s control over the system.

Interestingly, users who have installed V3 (presumably a security solution) do not experience repeated malware installations, as V3 remediates the tasks installed by the malware.

Persistent Infection

The malware strains include an update feature, ensuring that the infection persists even after blocking previous URLs. The PowerShell commands registered with the Task Scheduler change constantly, making it challenging to eradicate the malware completely.

Consequences for Users using Cracked Microsoft Office

Once the attacker gains control of an infected system, they can utilize it for various purposes:

  • Proxy Usage: The compromised system may be used as a proxy, allowing the attacker to anonymize their activities.
  • Cryptocurrency Mining: The system’s resources can be harnessed for mining cryptocurrencies, potentially draining performance and energy.
  • Sensitive Information at Risk: Users’ sensitive data becomes vulnerable to theft, putting their privacy and security in jeopardy.

Recent Developments

A recently detected malware distribution case involved a cracked version of Microsoft Office developed using .NET. Before obfuscation, the malware accessed Telegram channels to obtain download URLs. The downloaded data contained encrypted PowerShell commands responsible for installing various malware strains.


Users must exercise caution when downloading software from unofficial sources. Cracked versions of legitimate software may seem tempting, but they often come with hidden dangers. To protect themselves, users should stick to authorized channels for software acquisition and maintain robust security practices.

Remember: Malware cocktails served via pirated software can have severe consequences for unsuspecting users. Stay vigilant and prioritize security to avoid falling victim to cybercriminals’ tricks.

You think you have a story worth everyone’s time? SUBMIT A STORY and we will publish it.

Share this content:

Post Comment