{"id":53278,"date":"2025-04-08T06:02:38","date_gmt":"2025-04-08T10:02:38","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=53278"},"modified":"2025-04-08T06:02:38","modified_gmt":"2025-04-08T10:02:38","slug":"what-happens-if-you-download-cracked-program","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/what-happens-if-you-download-cracked-program\/53278\/","title":{"rendered":"What happens if you download a cracked program?"},"content":{"rendered":"

What do you do when you need a program but can\u2019t buy an official license yet? Correct answer: \u201cUse the trial version\u201d<\/em> or \u201cFind a free alternative.\u201d<\/em> Wrong answer: \u201cSearch online for a cracked version.\u201d<\/em><\/p>\n

Sketchy alternative sources are known to offer cracked versions of software, along with other goodies<\/em>. After wading through sites stuffed with ads, you may get the program you want (usually minus the future updates and network functionality), but with a miner, stealer, or whatever else thrown in for good measure.<\/p>\n

Based on real-world examples, we explain why you should avoid sites that offer instant downloads of in-demand programs.<\/p>\n

Miner and stealer on SourceForge<\/h2>\n

SourceForge was once the largest site for all things open source, the forerunner of GitHub. But don\u2019t think that SourceForge is dead \u2013 today it provides software hosting and distribution services. Its software portal hosts multiple projects, uploaded by anyone who wants to.<\/p>\n

And, as with GitHub<\/a>, it\u2019s this cosmopolitanism that is a barrier to high-level security. Let\u2019s take just one example: our experts found a project called officepackage<\/em> on SourceForge. At first glance, it looks harmless: a clear description, no-nonsense name, even a positive review.<\/p>\n

<\/a>

\u201cOfficepackage\u201d page on SourceForge<\/p><\/div>\n

But what if we told you that the description and files were copied outright from an unrelated project on GitHub? Alarm bells are already ringing. That said, no malware lands on your computer when you click the Download<\/strong> button \u2013 the project is apparently clean. Apparently, because the malicious payload was not distributed directly through the officepackage<\/em> project, but through the web page associated with it. How is this possible?<\/p>\n

The fact is that every project created on SourceForge gets its own domain name and hosting on sourceforge.io<\/em>. So a project named officepackage<\/em> is given a web page at officepackage.sourceforge[.]io. <\/em>Such pages are easily indexed by search engines and rank high in search results. This is how attackers attract victims.<\/p>\n

When visiting officepackage.sourceforge[.]io<\/em> from a search engine brought users to a page offering downloads of almost any version of the Microsoft Office suite. But, as ever, the devil was in the detail: when you hovered over the Download<\/strong> button, the browser\u2019s status bar showed a link to https[:]\/\/loading.sourceforge[.]io\/download<\/em>. Spotted the trap? The new link has nothing to do with officepackage<\/em>; loading<\/em> is an entirely different project.<\/p>\n

<\/a>

The \u201cDownload\u201d button on the \u201cofficepackage\u201d page of the SourceForge software portal leads to a completely different project<\/p><\/div>\n

And after clicking, users were redirected not to the page of the loading<\/em> project, but to another intermediary site with another Download<\/strong> button. And only after clicking this did the user, weary of surfing, finally receive a file \u2013 an archive named vinstaller.zip<\/em>. Inside was another archive, and inside this second archive was a malicious Windows Installer.<\/p>\n

At the heart of this evil nesting doll were two nasties: instead of Microsoft products, a miner and ClipBanker \u2013 malware for substituting crypto wallet addresses in the clipboard \u2013 were let loose on the victim\u2019s device after running the installer. Details of the infection scheme can be found in the full version of the study on our Securelist blog<\/a>.<\/p>\n

Malicious TookPS installer disguised as legitimate software<\/h2>\n

Cybercriminals do not limit themselves to SourceForge and GitHub<\/a>. In another recent case unearthed by our experts, attackers were found distributing the malicious TookPS downloader, already familiar to us from the fake DeepSeek and Grok clients<\/a>, through fake websites offering free downloads of specialized software. We discovered a whole series of such sites offering users cracked versions<\/a> of UltraViewer, AutoCAD, SketchUp and other popular professional software, meaning that the attack was not only aimed at home users, but also at professional freelancers and organizations. Other malicious files detected included the names Ableton.exe<\/em> and QuickenApp.exe<\/em>, purported versions of the popular music creation and money management applications.<\/p>\n

\"Fake<\/a>

Fake pages distributing TookPS<\/p><\/div>\n

By circuitous means, the installer downloaded two backdoors<\/a> to the victim\u2019s device: Backdoor.Win32.TeviRat<\/strong> and Backdoor.Win32.Lapmon<\/strong>. See another Securelist post<\/a> to find out exactly how the malware was delivered to the victim\u2019s device. The malware gave the attackers full access to the victim\u2019s computer.<\/p>\n

How to protect yourself<\/h2>\n

First, do not download pirated software. Under any circumstances. Ever. A cracked program may be temptingly free and instantly available, but the price you pay will be measured not in money, but in data \u2013 your data. And no, that doesn\u2019t mean family photos and chats with friends. Cybercriminals are after your crypto wallets, payment card details, account passwords \u2013 and even your computer\u2019s resources for cryptocurrency mining.<\/p>\n

Here\u2019s a list of rules we recommend for anyone who uses SourceForge, GitHub<\/a> and other software portals.<\/p>\n