Privacy Ninja

Poisoned CCleaner Search Results Spread Information-stealing Malware

Poisoned CCleaner Search Results Spread Information-stealing Malware

Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program.

This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report detecting an average of 10,000 infection attempts every day from its customer telemetry data. Most of these victims are based in France, Brazil, Indonesia, and India.

The malware distributed in this campaign is a powerful information stealer that can harvest personal data and cryptocurrency assets and route internet traffic through data-snatching proxies.

Also Read: 3 Reasons Why You Must Take A PDPA Singapore Course

A Black Hat SEO campaign

The threat actors follow Black Hat SEO techniques to rank their malware-distribution websites high in Google Search results so that more people will be tricked into downloading laced executables.

The lure seen by Avast is a cracked version of CCleaner Professional, a popular Windows system cleaner and performance optimizer that is still considered a “must-have” utility by many users.

Google Search results pointing to malicious sites
Google Search results pointing to malicious sites (Avast)

The poisoned search results take the victim through several websites that ultimately display a landing page offering a ZIP file download. This landing page is commonly hosted on a legitimate file hosting platform like or

Malware-distribution portal
Malware-distribution portal (Avast)

The ZIP is password-protected using a weak PIN like “1234,” which is merely there to protect the payload from anti-virus detection.

The file inside the archive is usually named “setup.exe” or “cracksetup.exe,” but Avast has seen eight different executables used in this campaign.

Also Read: What You Should Know About The Data Protection Obligation Singapore

A dangerous info-stealing malware

The malware victims are tricked into installing attempts to steal information stored in web browsers, like account passwords, saved credit cards, and cryptocurrency wallet credentials.

Additionally, it monitors the clipboard for copied wallet addresses and replaces them with those under the malware operators’ control to divert payments. This clipboard hijacking feature works with various cryptocurrency addresses, including those for Bitcoin, Ethereum, Cardano, Terra, Nano, Ronin, and Bitcoin Cash addresses.

Malware monitoring the clipboard
Script monitoring the clipboard (Avast)

The malware also uses proxies to steal cryptocurrency market account credentials using a man-in-the-middle attack that’s very hard for the victim to detect or realize.

“Attackers were able to set up an IP address to download a malicious Proxy Auto-Configuration script (PAC),” explains Avast in the report.

“By setting this IP address in the system, every time the victim accesses any of the listed domains, the traffic is redirected to a proxy server under the attacker’s control.”

This proxying mechanism is added via a new registry key in “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings”.

Victims can disable it by navigating to Network & internet on Windows Settings and switching the “Use a proxy server” option to Off.

The campaign is already widespread, and the infection rates are high, so avoid downloading cracked software from anywhere, even if the download sites rank high on Google Search.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us