Fake CCleaner search results link to malware (information stealer)

Sicherheit (Pexels, allgemeine Nutzung)[German]AVAST has discovered a malware campaign (FakeCleaner) in which cybercriminals manipulated search results for a cracked CCleaner Pro in such a way that they acted as malware launchers. If users follow the links of these hits, they download malware onto the system that steals information (Trojan or information stealer). Of course, it could also happen that a search for "CCleaner" turns up such manipulated results.


CCleaner is a free optimization program for Windows, macOS and Android operating systems. In addition, there are other versions for Windows, which are offered for a fee as Business Solutions. According to the manufacturer, the program has been downloaded more than two and a half billion times by 2020. The developer, Piriform Ltd. has belonged to Czech antivirus provider AVAST since 2017. And AVAST was bought by Norton in 2021 (see Avast is bought by Norton for 8.6 billion US dollars).

I don't recommend CCleaner – it's a kind of snake oil. Microsoft had even classified the part as a potentially unwanted program (PUP) for a short time (see Windows Defender flags CCleaner as PUP – Part 1). But I have to note that millions of users still swear by CCleaner. So much for the background.

Cracked CCleaner Pro used as bait for malware trap

Where a software is coveted and also available in a paid Pro variant, lies and scams are not far. Some users want CCleaner Pro, but do not want to pay anything. So search the pages of the wide Internet for cracked versions. Czech antivirus provider AVAST has recently discovered that cyber criminals want to lure users into installing a malware, Trojan that steals information, using a supposedly cracked CCleaner Pro as a bait.

Piriform CCleaner Pro as info stealer trap

I became aware of this topic via the above tweet from colleagues. In a blackhat SEO campaign, cyber criminals succeeded in catapulting search results for their own offer to the top of the search engine hit list.


Blackhat SEO is a term used in search engine optimization to bring websites to the top of the hit list, using (illegal) methods frowned upon by search engines. This includes, among other things, the automatic generation of texts and the intrusion into other people's systems to set backlinks in order to improve the ranking of one's own page.

Avast analysts noticed recently a malware spreading campaign, called FakeCrack, because the telemetry of AVAST security solutions suddenly kicked in. Every day, about 10,000 users, mainly from Brazil, India, Indonesia and France, were protected from infection. When security experts took a closer look, they found that users had searched for "ccleaner pro crack" on Google. 

ccleaner pro crack search results in malware campaign
Fake "ccleaner pro crack" search results in Google, source: AVAST.

The search results were displayed by Google on the first positions (see screenshot above). I did a quick test, there are still a lot of such hits displayed – although AVAST was able to place a link entry in between, which explains how to get CCleaner Pro.

At this point I assume that the following info from AVAST is not also a FAKE message to discourage people from searching for cracked CCleaner Pro variants.

Protected ZIP archive with Trojan

Those who clicked on the links in question were redirected to an extensive infrastructure that delivers malware, according to AVAST. The AVAST people wonder about the scope of this infrastructure. After clicking on the link, the user is redirected to the target site via a network of domains. These domains have a similar pattern and are registered on Cloudflare using some name servers. The first type of domain uses the pattern freefilesXX.xyz, where XX stands for digits. This domain usually serves as a redirect only. The redirect leads to another page with the top-level domain cfd. These cfd domains serve both as redirects and landing pages.

In any case, the user ended up with a download of a supposedly cracked CCleaner Pro version. The link referred to a legitimate file-sharing platform (e.g. the Japanese file-sharing site filesend.jp or mediafire.com). However, the actors behind the campaign then delivered a ZIP archive protected with the password (usually 1234). The password prevents the archive from being scanned by antivirus software. The ZIP file usually contained a single executable file, which was usually called setup.exe or cracksetup.exe. AVAST found eight different executables distributed by this campaign.

Whoever executed this file got a malware (Trojan) on the system that stole personal and other sensitive data. The actors focus on scanning the user's PC and collecting private information, such as passwords or credit card details, from browsers found there. Data is also collected from electronic wallets. The data was transferred to C2 servers in an encrypted ZIP format. However, the key to encrypt the ZIP file is hardcoded into the binary, so it was not difficult to get at the contents. The encrypted ZIP file contains all the previously mentioned information, such as information about the system, installed software, screenshots and data collected by the browser, including passwords or private data of crypto extensions.

Those who are interested in the topic can go through AVAST's report. There, it also explains how to remove the proxy left by the malware infection in the Windows registry.    

Similar articles:
CCleaner has been infected with malware
CCleaner comes mit AVAST PUP
CCleaner forces update from v5.38 to v5.46
AVAST CCleaner 5.45 and the telemetry thing
CCleaner 5.45 pulled and other peculiarities
CCleaner V 5.46 with improved data settings
CCleaner forces update from v5.38 to v5.46
CCleaner v5.52.6967 released
Update to CCleaner 5.59.7230 installs CCleaner Browser PUP
CCleaner v5.60.7307 released
CCleaner v5.64.7613 released
CCleaner v5.70 fixes Firefox bug

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.