Fake DirectX12 download site installs crypto-stealing malware

Reading time icon 2 min. read

Readers help support MSPoweruser. When you make a purchase using links on our site, we may earn an affiliate commission. Tooltip Icon

Read the affiliate disclosure page to find out how can you help MSPoweruser effortlessly and without spending any money. Read more


It seems malware owners have found a new way to trick users into installing their software, and unfortunately, Google is helping.

Security researcher Oliver Hough discovered that hackers have created a fake DirectX 12 download site, which appears fully formed with a security certificate, privacy policy, disclaimer, DMCA policy and more, but which instead pushes malware that will scan your PC for private information.


That information includes items such as a screenshot of your desktop, your PC detail, cookies and importantly any crypto-currency wallets you may have, with the malware searching for Ledger Live, Waves.Exchange, Coinomi, Electrum, Electron Cash, BTCP Electrum, Jaxx, Exodus, MultiBit HD, Aomtic, and Monero.

The information is then saved in a temporary directory and uploaded to the hacker’s network.

The approach is part of a new wave of hackers using faked but legitimate-looking download pages, with us reporting recently of hackers faking Microsoft Store pages and Spotify download pages. Other download pages which have been cloned include ProtonVPN, Windows system cleaners, and BleachBit.

Hackers have been using hacked websites to link to their fake pages, increasing the page’s Google Search Rank and tricking more users into clicking on their fake download links.

It is therefore increasingly important that users be more vigilant when search for software to download, even when typing “Spotify download” into Google for example, and carefully check a page’s credentials and URL before downloading, and not assume the first link will be the legitimate one.

BleepingComputer notes that ideally, users should stick to the app store built into their PCs, though we have seen even these services being used to push malware.

More about the topics: malware, security

Leave a Reply

Your email address will not be published. Required fields are marked *