A cryptomining campaign from Turkey has been observed infecting thousands of systems in around 11 countries by offering desktop versions of well-known software. The attacker behind this campaign is “Nitrokod.”

The campaign

Researchers found a campaign, ongoing since 2019, that spreads through disguised desktop apps for Google Translate and infected over 111,000 victims to date in 11 countries.
  • The campaign serves malware via free software hosted on sites such as Uptodown and Softpedia.
  • The executable starts a four-stage attack sequence, each dropper further pulling the next one. This eventually leads to the download of actual malware (XMRig) dropping in the seventh stage.
  • The campaign victims are located in different countries such as the U.K, Sri Lanka, the U.S., Greece, Australia, Israel, Turkey, Cyprus, Mongolia, Poland, and Germany.

Hackers were seen offering fake software desktop apps that do not have an official desktop version. It includes YouTube Music, Yandex Translate, Microsoft Translate, and more.

More insights

The malware is dropped almost after a month of initial infection.
  • The stage 3 dropper runs after a gap of five days, while the fourth stage dropper further creates four scheduled tasks with an interval of 1 to 15 days. After the creation of these tasks, the stages are deleted.
  • This makes it very challenging for the investigators to identify the attack and trace it back to the fake installer.
  • Further, the malware establishes a connection to a remote C2 server to get a configuration file to start the mining activity using XMRig.


Hackers managed to stay under the radar for months owing to longer infection chains and stage-wise infection, also providing attackers with ample time to alter the final payload as cryptominers or ransomware. In such cases, users are generally urged to avoid downloading any free software from unknown sources and ensure the reliability of the source to avoid any risks.
Cyware Publisher