Skip to content
July 18, 2026
  • Linkedin
  • Twitter
  • Facebook
  • Youtube

Daily CyberSecurity

Zero-hour alerts. Unmatched analysis.

Primary Menu
  • Home
  • CVE Data
    • CVE Watchtower
    • Top Exploited CVEs
    • CVE Stats by Vendor
    • Q2 2026 Report
  • Cyber Criminals
  • Data Leak
  • Linux
  • Malware
  • Vulnerability
  • Submit Press Release
  • Weekly Recap
Light/Dark Button
  • Home
  • News
  • Malware
  • ESET found malware that steal bitcoin hosted on Download.com for years
  • Malware

ESET found malware that steal bitcoin hosted on Download.com for years

Do Son March 15, 2018 4 minutes read
Add Daily CyberSecurity as a preferred source on Google

In an article published yesterday, ESET stated that they found three applications that carry Trojan horses on the CNET Download site (163th Alexa ranking). This is the world’s largest Internet download directory site. Founded in 1996, it has more than 100,000 free-to-use software (including MAC computers, Windows computers, and other mobile devices). In addition, it also offers free downloads of music, games, and videos.

The reason why ESET will do such a survey comes from a forum post published by a Monroe coin investor named Crawsh.

When Crawsh tried to copy and paste his Monroe wallet address to another location, he was prompted “invalid address.” This caused Crawsh’s attention, he immediately began to check and think that the biggest possibility is due to malicious software.

It turns out that he is right. Crawsh copied the pasted wallet address and was intercepted by the malware when it entered the clipboard and was replaced by the attacker’s hard-coded Bitcoin wallet address. Fortunately for Crawsh, because the malware seems to be targeting Bitcoin only and does not apply to the Monroe trades that Crawsh is trying to do.

Crawsh’s post caught the attention of ESET security researchers and they decided to see if anyone on the network had encountered the same thing. They used the hard-coded Bitcoin wallet address of the attacker to search Google, and some other victims were quickly discovered. In a blog post, the author’s Bitcoin wallet address was replaced with the hard-coded Bitcoin wallet address of the attacker Crawsh encountered, indicating that the author of this blog post also became a victim of Bitcoin theft software.

On the other hand, ESET discovered that the source of Crawsh infection was the Win32 Disk Imager application downloaded from the CNET Download site. Since May 2, 2016, the application has been hosted on this site, with a total of more than 4,500 downloads and only 311 downloads last week. Unsurprisingly, ESET detected Trojans in this application, which is a variant of the MSIL/ TrojanDropper.Agent.DQJ Trojan.

At the end of the survey, ESET discovered that the Win32 Disk Imager is not the only Trojanization application hosted on CNET Download. The other two Trojanization applications from the same author were also found. One of them is CodeBlocks. The carried Trojan virus is detected as MSIL/CLipBanker.DF and can replace the Bitcoin wallet address in the clipboard.

 

The other is MinGW-w64, which can be downloaded at the beginning of the ESET survey. It contains several malicious payloads, including Bitcoin stealers and Trojans.

 

The download status of these two applications on the CNET Download site is as follows, where CodeBlock recently downloaded 0 because it has been deleted by CNET. According to ESET telemetry data, it may be deleted around March 2017.

 

ESET has now notified these discoveries to CNET and these applications have been removed. In addition, if you suspect that you are also infected with this Trojan virus, then you need to manually perform the following steps:

  • Delete the downloaded installers called win32diskimager.exe (SHA1: 0B1F49656DC5E4097441B04731DDDD02D4617566) resp. codeblocks.exe (SHA1: 7242AE29D2B5678C1429F57176DDEBA2679EF6EB) resp. mingw-w64-install.exe (SHA1: 590D0B13B6C8A7E39558D45DFEC4BDE3BBF24918) from your Download folder location
  • Remove exe in the %appdata%\dibifu_8\ folder (SHA1: E0BB415E858C379A859B8454BC9BA2370E239266)
  • Remove y3_temp008.exe from %temp%\ folder (SHA1: 3AF17CDEBFE52B7064A0D8337CAE91ABE9B7E4E3, resp. C758F832935A30A865274AA683957B8CBC65DFDE )
  • Delete ScdBcd registry value from the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Source,Image: welivesecurity

 

Related coverage

  • GigaWiper Backdoor Bundles Disk Wiping Malware and Fake Ransomware
  • BTMOB RAT: Beware of Fake Streaming and Crypto Mining Apps
  • Team Cymru Mapped the Yurei Ransomware Toolkit Before It Could Strike
  • Zyklon Malware spreads through Microsoft Office vulnerabilities
  • Android Under Attack: Crocodilus Trojan Captures OTPs from Google Authenticator
Track all actively exploited CVEs →

Support Our Threat Intelligence

If you find our CVE report and cybersecurity news helpful, consider supporting our work.

Buy Me a Coffee Logo Buy Me a Coffee PayPal
Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Share this article:

Facebook Post LinkedIn Telegram
Written by
@DdoS · Security Researcher

Do Son

Do Son is the Founder and Editor of SecurityOnline.info. Working in cybersecurity since 2013, he reports on vulnerabilities, malware, and emerging threats, providing timely analysis to help organizations and individuals stay ahead of evolving risks.

Tags: malware stealing bitcoin

Search

Translation

CVE WATCHTOWER
🚨

Receive alerts for vulnerabilities being exploited in the wild.

⚡

Get notified instantly when a Proof of Concept (PoC) exploit is published.

🔍

Access critical info on vulnerabilities even when marked as "RESERVED".

🧠

Insights powered by decades of expertise and global intelligence sources.

🎯

Customize alerts with up to 10 keywords for your specific tech stack.

📊

Export the raw CVE database for SIEM integration and reporting.

Upgrade Package

🚨 Active Exploits in the Wild

  • CVE-2026-6875CVSS 9.5
    ServiceNow has addressed a remote code execution vulnerability that was identified in the ServiceNow AI platform. This vulnerability...
    Admin intel📅 Updated: Jul 18, 2026
  • CVE-2026-39808CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-25089CVSS 9.8
    A improper neutralization of special elements used in an os command ('os command injection') vulnerability in Fortinet FortiSandbox...
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2026-58644CVSS 9.8
    Deserialization of untrusted data in Microsoft Office SharePoint allows an unauthorized attacker to execute code over a network.
    CISA KEV📅 Added to KEV: Jul 16, 2026
  • CVE-2023-4346CVSS 7.5
    KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to...
    CISA KEV📅 Added to KEV: Jul 15, 2026
  • CVE-2026-53362
    In the Linux kernel, the following vulnerability has been resolved: ipv6: account for fraggap on the paged allocation...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-46242CVSS 7.8
    In the Linux kernel, the following vulnerability has been resolved: eventpoll: fix ep_remove struct eventpoll / struct file...
    Admin intel📅 Updated: Jul 14, 2026
  • CVE-2026-56155CVSS 7.8
    Insufficient granularity of access control in Active Directory Federation Services (AD FS) allows an authorized attacker to elevate...
    CISA KEV📅 Added to KEV: Jul 14, 2026
Powered by CVE Watchtower

🔴 Live Critical Threats

  • CVE-2026-16117CVSS 10.0
    Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the...
  • CVE-2026-47865CVSS 9.8
    VMware Avi Load Balancer contains an authentication bypass vulnerability. A malicious user...
  • CVE-2026-55518CVSS 9.6
    Avo is a framework to create admin panels for Ruby on Rails...
  • CVE-2026-54159CVSS 10.0
    PrestaShop ps_facetedsearch is a module that adds layered navigation filters. From 3.0.0...
  • CVE-2026-48062CVSS 9.8
    CodeIgniter is a PHP full-stack web framework. Prior to 4.7.3, the ext_in...
  • CVE-2026-13446CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.1 contains hard-coded credentials, such as a password...
  • CVE-2026-8859CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 Langflow could allow an attacker to...
  • CVE-2026-8635CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to escalate privileges...
  • CVE-2026-8505CVSS 9.8
    IBM Langflow OSS 1.0.0 through 1.10.0 has a vulnerability in Langflow's webhook...
  • CVE-2026-8476CVSS 9.9
    IBM Langflow OSS 1.0.0 through 1.10.0 contain a critical remote code execution...
Powered by CVE WATCHTOWER

Our Websites
  • Penetration Testing Tools
  • The Daily Information Technology
  • Top Exploited CVEs
  • Daily CyberSecurity

    • About SecurityOnline.info
    • Advertise with us
    • Announcement
    • Contact
    • Contributor Register
    • Login
    • Disclaimer
    • DCMA
    • Privacy Policy
    • About SecurityOnline.info
    • Advertise on SecurityOnline.info
    • Contact Us

    When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works

    • CVE Watchtower
    • CVE Statistics by Vendor 2026
    • Q2 2026 Report
    • Top Exploited CVEs
    • Linkedin
    • Twitter
    • Facebook
    • Youtube
    © 2017 - 2026 Daily CyberSecurity. All Rights Reserved.