Vigilante Malware Locks Out Software Pirates

Deyan Georgiev
Deyan Georgiev

Updated · Mar 16, 2022


Techjury is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more.

Andrew Brandt, the principal researcher at Sophos, shared the discovery of an unusual malware in a blog post on 17th June. It calls out people for downloading software without authorization.

In a tweet, Brandt wrote that a colleague at the British software and hardware security firm had previously told him about it.

How it Works

This isn't typical malware that aims to steal data or extort ransom. To users, it appears like they are downloading pirated copies.

Once a user tries to download it, Vigilante reports the IP address and file name to an attacker-controlled server (1flchiercom) in the form of an HTTP GET request.

While it might appear as the reputable cloud hosting company 1fichier, it isn’t. The malware has a lowercase L instead of i after letter f.

It then modifies the HOST’s file, allowing it to block infected computers from visiting about 1000 piracy sites. It pairs a distinct IP address ( with the various domain addresses.

In addition, it also downloads and delivers an executable file named ProcessHacker.jpg.

A search using Virustotal to find related samples disclosed that some of the Trojans' software was on Discord, a chat service. These were lone executable files.

Others were on BitTorrent and appeared under popular names of security programs, productivity tools, and games. This is how sharing of pirated copies typically occurs under the protocol.

Andrew Brandt’s tweets also revealed that the creators named the malware after Malwarebytes, a popular antivirus product. 

More Oddities

Bogus tools have signed off the executable Trojans digitally to help them pass rudimentary checks. More evaluation shows that the certificates will expire on December 21st, 2039.

The file names and property, however, don’t align. They also contain 18 lower and upper-case characters with no apparent pattern. 

They display racial slurs when viewing them using Hex Editor. The wording shows up about 1000 times throughout the executables. What follows is a randomized block of alphabets.

Andrew Brandt believes that padding out using racial epithets revealed to him some things about the creator. He also added that the seemingly purposeless files, however, could mask the modification of the hash value.

There are lots of malicious malware lurking around. Statistics show that  64% of organizations have experienced some form of cyberattack, hence the need for antivirus software and VPNs.


Deyan Georgiev

Deyan Georgiev

Deyan has been fascinated by technology his whole life. From the first Tetris game all the way to Falcon Heavy. Working for TechJury is like a dream come true, combining both his passions – writing and technology. In his free time (which is pretty scarce, thanks to his three kids), Deyan enjoys traveling and exploring new places. Always with a few chargers and a couple of gadgets in the backpack. He makes mean dizzying Island Paradise cocktails too.

Leave your comment

Your email address will not be published.