Hundreds of Thousands Infected by Malware Spread Through Torrents
Experts from Positive Technologies have uncovered a malicious campaign that has affected more than 250,000 users across 164 countries. Most of the victims are located in Russia, Ukraine, Belarus, and Uzbekistan, and were downloading software from torrent trackers.
How the Attack Began
The incident was first detected in August 2023, when Positive Technologies experts noticed unusual activity involving an unnamed Russian company. A user had been compromised by a relatively simple but previously unknown piece of malware. Investigators found no evidence of phishing, perimeter breaches, or other common attack techniques. Instead, they discovered that the user had installed a program downloaded via torrent from the site topsoft[.]space.
Malicious Distribution
The infected installer contained both a legitimate and a malicious component. The malware consisted of several separate programs, mainly compiled AutoIt scripts further obfuscated with the Themida packer. According to researchers, the malware was not particularly sophisticated and followed a straightforward, textbook approach to carrying out the attack.
The report also notes that the malware was quite noisy on infected systems. It collected information about the victim's computer, installed RMS (Remote Manipulator System) and the XMRig miner, and archived the contents of the user's Telegram folder (tdata). The collected data was then sent to a Telegram bot, which acted as the command and control server.
The likely goal of the attack, according to researchers, was to resell access to compromised accounts both online and within Telegram. There are numerous reports online of people buying tdata files.
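The behaviour chain described above (a compiled AutoIt dropper that fingerprints the host, installs RMS and XMRig, archives the Telegram tdata folder and exfiltrates it through a Telegram bot) is noisy enough to correlate from ordinary endpoint telemetry. The following is an added detection example written for this article, not code from the Positive Technologies report: the event schema, field names, file paths, process names and the allowlist of legitimate Telegram clients are all constructed assumptions, not indicators from the campaign.

```python
"""
Added example: triage of constructed endpoint telemetry for the behaviour chain
described in the article (host fingerprinting, RMS and XMRig installation,
archiving of the Telegram tdata folder, exfiltration to a Telegram bot).
The event schema, field names, paths and process names below are constructed
for this example and are not indicators from the Positive Technologies report.
"""
from collections import defaultdict

TELEGRAM_BOT_API_HOST = "api.telegram.org"
# Assumption: processes allowed to talk to the Telegram API without a finding.
ALLOWED_TELEGRAM_CLIENTS = {"telegram.exe"}
TDATA_MARKER = "\\telegram desktop\\tdata\\"
# Assumption: substrings in version-info product names that identify the tools.
MINER_PRODUCTS = ("xmrig",)
RAT_PRODUCTS = ("remote manipulator",)
TEMP_MARKER = "\\appdata\\local\\temp\\"


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names that a single telemetry event triggers."""
    hits = []
    kind = event.get("type")
    image = event.get("image", "")
    product = event.get("product", "").lower()
    if kind == "process":
        # Compiled AutoIt executing out of the user's temp folder is a weak signal on its own.
        if "autoit" in product and TEMP_MARKER in image.lower():
            hits.append("autoit_script_from_temp")
        if any(p in product for p in MINER_PRODUCTS):
            hits.append("miner_installed")
        if any(p in product for p in RAT_PRODUCTS):
            hits.append("rms_installed")
    elif kind == "file_read":
        # Anything other than the messenger itself reading the session folder.
        if TDATA_MARKER in event.get("path", "").lower() and _basename(image) not in ALLOWED_TELEGRAM_CLIENTS:
            hits.append("tdata_accessed_by_foreign_process")
    elif kind == "network":
        # Bot-API traffic from a process that is not a known Telegram client.
        if event.get("dest_host", "").lower() == TELEGRAM_BOT_API_HOST and _basename(image) not in ALLOWED_TELEGRAM_CLIENTS:
            hits.append("telegram_api_from_foreign_process")
    return hits


def correlate(events):
    """Group findings by process-tree root so one dropper that spawns a miner,
    a RAT and an exfiltration step shows up as a single chain.
    Returns {root_pid: set_of_rule_names} for roots with at least one hit."""
    parent = {e["pid"]: e.get("parent_pid") for e in events if e.get("type") == "process"}

    def root(pid):
        seen = set()
        while parent.get(pid) is not None and pid not in seen:
            seen.add(pid)
            pid = parent[pid]
        return pid

    chains = defaultdict(set)
    for e in events:
        for rule in evaluate(e):
            chains[root(e["pid"])].add(rule)
    return dict(chains)


def matching_chains(events, min_rules=3):
    """Process-tree roots whose chain trips at least min_rules distinct rules."""
    return {pid: rules for pid, rules in correlate(events).items() if len(rules) >= min_rules}


# Constructed sample telemetry: pid 100 is a dropper unpacked from a pirated installer;
# pid 200 is the legitimate messenger touching its own profile folder.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "parent_pid": None,
     "image": "C:\\Users\\u\\AppData\\Local\\Temp\\setup_helper.exe", "product": "AutoIt v3 Script"},
    {"type": "process", "pid": 101, "parent_pid": 100,
     "image": "C:\\ProgramData\\svc\\xmrig.exe", "product": "XMRig"},
    {"type": "process", "pid": 102, "parent_pid": 100,
     "image": "C:\\ProgramData\\svc\\host.exe", "product": "Remote Manipulator System"},
    {"type": "file_read", "pid": 100, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\setup_helper.exe",
     "path": "C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\tdata\\key_datas"},
    {"type": "network", "pid": 100, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\setup_helper.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "process", "pid": 200, "parent_pid": None,
     "image": "C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe", "product": "Telegram Desktop"},
    {"type": "file_read", "pid": 200, "image": "C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe",
     "path": "C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\tdata\\settingss"},
]

if __name__ == "__main__":
    for root_pid, rules in matching_chains(SAMPLE_EVENTS).items():
        print(f"chain rooted at pid {root_pid}: {sorted(rules)}")
```

The point of the `correlate` step is that none of the individual signals is decisive (AutoIt and archivers have legitimate uses, and a messenger does read its own tdata folder), but a single process tree that installs a miner, installs a remote-control tool, reads another application's session store and then talks to the Telegram bot API is exactly the pattern the report describes, and the allowlist keeps the real client out of the findings.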
Scale and Impact
Through detailed analysis of the threat, infection chain, and Telegram bot, experts identified more than 250,000 infected devices in 164 countries. The vast majority of victims (over 200,000) are in Russia, Ukraine, Belarus, and Uzbekistan. Other countries in the top ten include India, the Philippines, Brazil, Poland, and Germany. Positive Technologies believes the real number of victims is even higher than 250,000.
Most victims are individual users who downloaded pirated software onto their home computers. However, government agencies, educational institutions, oil and gas companies, medical facilities, construction and mining companies, retail, and IT organizations were also compromised. All identified companies have already been notified.