CryptBot infostealer has been modified and spreading via websites offering cracked and pirated software. The operators are continuously refreshing their C2, dropper sites, and malware, says report.

The recent CryptBot campaign

CryptBot operators are using search engine optimization to rank up the distribution sites to display them at top of Google search results, allowing increased chances of infection.
  • On the basis of shared screenshots of distribution sites, it was found that the attackers are using custom domains or websites hosted on Amazon AWS.
  • The malicious websites have a wide variety of lures to attract users onto the distribution sites. 
  • The visitors face multiple redirections and end up at a delivery page, which could be on a legitimate site compromised for SEO poisoning attacks.

Technical changes in the new version

Recent samples of CryptBot revealed that the new version is lighter, leaner, and has higher chances of avoiding detection. The newest version has an anti-VM CPU core count check-in.
  • The authors want to simplify the trojan’s functionality, and hence, they removed the anti-sandbox routine, redundant second C2 connection, and two exfiltration folders where stolen information is stored.
  • The code shows that when sending files, the tactic of manually adding the sent file data to the header is now changed to using a simple API, along with a change in a user-agent value.
  • The previous version called the function two times to send each to a different C2. However, the new version has a hard-coded C2 URL in the function.
  • Additionally, CryptBot’s authors removed the screenshot function and the option of gathering data on TXT files on the desktop, which could be easily noticed during exfiltration.
  • The new strain has made targeted additions and improvements for better effectiveness. Now, it searches all file paths, user data anywhere, and infiltrates them regardless of the Chrome version.


CryptBot only targets those who look for fake or pirated software on malicious sites. Thus, downloading pirated software and cracks from dubious sites is never advisable. Further, use a reliable anti-malware solution to stay protected from such threats.
Cyware Publisher