Phony Websites for KeePass, Audacity, 7Zip & Others Discovered Pushing Adware


A French security researcher has stumbled upon an adware delivery scheme built on clone websites that use legitimate-looking domain names to trick victims into downloading famous apps that are actually laced with adware.

The first of these websites was discovered three days ago by Ivan Kwiatkowski. This website was located at, a domain name trying to pass as the app’s official site located at

Apps downloaded from these sites push InstallCore adware

The version of KeePass downloaded from this fake website contained a legitimate and fully-working version of the password manager, but also the InstallCore adware.

This type of adware is a modular threat that works by bundling free software with third-party “offers” as part of the application’s installation process. For example, here’s a version of the ImgBurn bundle prompting users to install a free version of the AVG antivirus. For every successful installation of an additional program, the adware bundler earns a commission.

Some of these “offers” are legitimate apps, but these types of software bundles have also been known to push apps that are more malicious in nature. For example, in the past, bundles have pushed cryptocurrency miners, adware, search hijackers, tab hijackers, and others.

After these offers have been accepted or declined, and any accepted ones installed, the bundler then installs the free application that the user was expecting.

Tens of similar websites discovered

The fake website was not the only such site. It was part of a larger collection of typosquatted domains, all registered using the same email address.

Other domains registered by this individual/group tried to pose as websites for other famous software such as 7Zip,, Inkscape, Scribus, GParted, Celestia, Audacity, Filezilla, Truecrypt, Blender, AdBlock, and more.

Most of these domains were registered using a .fr or .es TLD. The content on these sites was also available only in French or Spanish, suggesting the person behind these sites was trying to push the adware-infested apps to French-speaking or Spanish-speaking users only. A few sites were also available using international TLDs and in English.
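The pattern described above (an official project name re-registered under another TLD, or slightly altered) can be checked mechanically before a download link is trusted. The following is an added example, not code from the researcher or from the original article; every domain name in it is constructed for illustration, and the function names are hypothetical.

```python
# Added example: classify a download host against a list of official project
# domains. All domain names used with this code are constructed samples.

def edit_distance(a, b):
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def split_host(host):
    """Return (name, tld) from the last two labels.

    Assumption: single-label TLDs only; multi-part suffixes such as
    co.uk would need a public-suffix list.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]

def classify(host, official):
    """Label a host as official, a lookalike of an official domain, or unrelated."""
    name, tld = split_host(host)
    if f"{name}.{tld}" in official:
        return "official"              # includes subdomains of an official domain
    for off in sorted(official):
        off_name, _ = split_host(off)
        if name == off_name:
            return f"tld-swap of {off}"        # same name, different TLD
        # Skip very short names, where two edits match almost anything.
        if len(off_name) >= 5 and edit_distance(name, off_name) <= 2:
            return f"near-miss of {off}"       # one or two characters changed
        if off_name in name.replace("-", ""):
            return f"embeds {off_name}"        # e.g. name plus "-download"
    return "unrelated"

# Constructed allow-list of official project domains.
OFFICIAL = ("acmenotes.org", "wavecutter.net")
```

Anything other than "official" or "unrelated" is a reason to reach the project through a known-good bookmark rather than the link in hand.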

Below are sites that pushed copies of legitimate software bundled with this adware:

The sites below pushed clean copies of the legitimate software, but this doesn’t mean they didn’t push adware-infested versions in the past.

According to Kwiatkowski, all these sites appear to be hosted on the same server, making the entire operation susceptible to an easy takedown.

For situations like these, some basic advice is necessary. When downloading any software, even from official websites, it is recommended to scan the software with an antivirus or upload it to VirusTotal for a quick check-up. VirusTotal may not be perfect, but it will detect some threats and spare users from occasional headaches.

Credit: BleepingComputer


Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he has a passion for covering the latest happenings in the cybersecurity world, such as malware, breaches, vulnerabilities, exploits, white papers, hacking newsbytes, the Dark Web, hacking tutorials and a few more.
