The PolySwarm Blog


Fake Cracked Software Sites Delivering Stealers

Jan 24, 2023 11:02:41 AM / by PolySwarm Tech Team

Related Families: Raccoon, Vidar

Executive Summary

Sekoia recently reported on a campaign leveraging fake cracked software sites to deliver information stealers, including Raccoon and Vidar.

Key Takeaways

  • A campaign active since 2020 leveraged fake cracked software sites to deliver Vidar and Raccoon.
  • The infection chain uses SEO-poisoned websites and multiple redirects to eventually point the victim to the malicious payload hosted on GitHub.
  • Raccoon and Vidar are infostealers, allowing threat actors to steal multiple types of information, including login credentials, payment information, cryptocurrency wallets, and browser history.

The Campaign

Sekoia recently reported on a campaign leveraging fake cracked software to deliver information stealers, including Raccoon and Vidar. Researchers at Sekoia estimated activity leveraging the involved infrastructure has been ongoing since early 2020. The threat actors used over 250 domains and around 100 fake cracked software websites that ultimately led to a payload hosted on the file-sharing platform GitHub. The threat actors responsible for the infrastructure may be running a Traffic Distribution System.

The infection chain begins with SEO-poisoned websites advertising cracked software. The sites typically have information on the cracked software being advertised, along with a download link. When a user clicks the download button, a new window opens with a series of redirects, ultimately leading to a web page with download instructions, a shortened link, and a password. When users browse the link, they are redirected to an archive download hosted on GitHub. When the victim decompresses the archive and attempts to launch Setup.exe, the payload is delivered. Both Raccoon and Vidar infostealers were observed as final payloads.
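As an added example (not code from PolySwarm or Sekoia), the following Python sketch flags the chain described above in constructed proxy log lines: a "cracked software" lure page, several 3xx hops, then an archive download from GitHub by the same client within a short window. The log format, domains, keyword list and thresholds are assumptions.

```python
"""Flag the fake-cracked-software download chain in web proxy logs.

Added example (not PolySwarm's or Sekoia's code): lure page -> redirects
-> shortened link -> archive on GitHub. Log format and domains constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log: "<ISO time> <client> <status> <url> <referrer>"
SAMPLE_LOG = """\
2023-01-20T10:00:01 10.0.0.5 200 https://free-crack-soft.example/photoshop-crack https://www.google.com/
2023-01-20T10:00:09 10.0.0.5 302 https://redir-one.example/go?id=77 https://free-crack-soft.example/photoshop-crack
2023-01-20T10:00:10 10.0.0.5 302 https://redir-two.example/land https://redir-one.example/go?id=77
2023-01-20T10:00:12 10.0.0.5 200 https://download-page.example/get https://redir-two.example/land
2023-01-20T10:00:40 10.0.0.5 302 https://short.example/abc123 https://download-page.example/get
2023-01-20T10:00:41 10.0.0.5 200 https://github.com/someuser/repo/releases/download/v1/Setup.zip https://short.example/abc123
2023-01-20T10:05:00 10.0.0.9 200 https://github.com/legit/tool/releases/download/v2/tool.zip https://github.com/legit/tool/releases
"""

# Archive downloads served from GitHub (hosts and extensions are assumptions)
ARCHIVE_HOST = re.compile(r"^https://(github\.com|objects\.githubusercontent\.com)/.*\.(zip|rar|7z)$", re.I)
# Words typical of cracked-software lure pages (assumed list)
CRACK_WORDS = re.compile(r"crack|keygen|serial|patch", re.I)

def parse_line(line):
    ts, client, status, url, ref = line.split(" ", 4)
    return datetime.fromisoformat(ts), client, int(status), url, ref

def find_crack_chains(log_text, window=timedelta(minutes=10), min_redirects=2):
    """One alert per GitHub archive download that, within `window` for the same
    client, was preceded by a lure page and at least `min_redirects` 3xx hops."""
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        by_client[rec[1]].append(rec)
    alerts = []
    for client, recs in by_client.items():
        recs.sort()
        for i, (ts, _, status, url, _ref) in enumerate(recs):
            if status != 200 or not ARCHIVE_HOST.match(url):
                continue
            earlier = [r for r in recs[:i] if ts - r[0] <= window]
            crack_pages = [r[3] for r in earlier if CRACK_WORDS.search(r[3])]
            hops = sum(1 for r in earlier if 300 <= r[2] < 400)
            if crack_pages and hops >= min_redirects:
                alerts.append({"client": client, "archive": url,
                               "lure": crack_pages[0], "redirects": hops})
    return alerts
```

The second client in the sample downloads a GitHub archive directly from a release page with no lure or redirect chain, so it is not flagged; a legitimate download alone is not the signal, the chain is.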

What is Raccoon?

Raccoon infostealer, also known as Racealer or Mohazo, is a relatively unsophisticated malware as a service (MaaS) written in C/C++ and targeting Windows systems. It was first seen in the wild in late 2019. Raccoon is often used to steal login credentials, credit card information, cryptocurrency wallets, and browser information. In 2021, the threat actors behind Raccoon announced an additional module called Raccoon Clipper in underground forums. Raccoon Clipper is available as an add-on and targets Bitcoin, Dogecoin, Ethereum, Litecoin, and Monero cryptocurrency wallets.

What is Vidar?

Vidar, a variant of Arkei written in C++, is an infostealer with password-grabbing capabilities. It has been active since late 2018. Vidar steals browser autofill information, cookies, saved payment information, browser history, cryptocurrency wallets, and Telegram databases. It can also take screenshots. In late 2022, a new Vidar spin-off named RisePro was discovered.


PolySwarm has multiple samples of Raccoon and Vidar.
You can use the following CLI command to search for all Raccoon samples in our portal:

$ polyswarm link list -f Raccoon

You can use the following CLI command to search for all Vidar samples in our portal:

$ polyswarm link list -f Vidar

Topics: Threat Bulletin, Stealer, Infostealer, Racoon