Moonlock Lab

Pirate sites spread malware posing as CleanMyMac and Photoshop

Kseniia Yamburh

Apr 16, 2024 · 5 min read


One of the core duties of security researchers is to keep users informed about emerging threats. In this post we look at how cracked-software sites are used as a malware delivery channel, and how threat actors exploit the trust of people looking for pirated apps to get them to install the malware themselves.

In response to the high demand for cracked software, a number of sites have emerged that distribute pirated versions of popular applications whose copy-protection mechanisms have been circumvented. One such site that came under our scrutiny is haxmac[.]cc, a well-known hub for users seeking cracked macOS applications.

Sites hosting cracked macOS apps are spreading malware

haxmac[.]cc receives about half a million visits per month from roughly 207,000 unique visitors. That is significant traffic: if the site hosts malware, a large number of devices are exposed to it.

Web analytics of haxmac[.]cc.

A whopping 26.97% of the site’s traffic comes from organic search results, which suggests the operators rely on search rankings rather than direct links to bring in victims. Search engine optimization (SEO) appears to have pushed haxmac[.]cc to the top of the results for queries such as “download crack app macOS,” so the site benefits from the trust users place in a highly ranked Google result.

Geography and traffic info for haxmac[.]cc.
Google Search results for a “download crack app macOS” query. Google Search is a trademark of Google LLC.

The site positions itself as a repository of cracked macOS software, offering what it claims are cracked versions of Adobe Photoshop, Adobe Illustrator, SQLPro, CleanMyMac X, and numerous other macOS applications.

Main page of haxmac[.]cc.

At first glance the site looks like a typical crack repository: many listings redirect to third-party file-hosting services where non-malicious files can be downloaded. However, clicking the site’s own “Download Now” or “Direct Download” button triggers the download of a malicious DMG named “app_SM_v1.1.1.dmg,” which contains the Atomic Stealer malware.

Atomic Stealer malware found disguised as trusted software

Atomic Stealer (also tracked as AMOS) is a macOS information stealer sold to affiliates as a service. Newer builds are increasingly obfuscated to evade detection by security software, which is consistent with the low VirusTotal detection rates shown below.

Once it runs on a system, Atomic Stealer harvests a wide range of data, including credentials (browser-saved passwords and Keychain items), financial information such as cryptocurrency wallet data, and documents, and transmits it back to its operators for exploitation.

Notably, it does not matter which app in the catalog you pick. Whether it is CleanMyMac X, Adobe Photoshop, or anything else, clicking “Download Now” or “Direct Download” delivers the same DMG file.

Deceptive download page for a cracked version of CleanMyMac X.
VirusTotal detection rate for app_SM_v1.1.1.dmg.

What we know about the distribution method

What sets this scheme apart is the targeting. Rather than serving the same malware to every visitor, the download server selects the payload based on the victim’s browser, using the User-Agent header of the request.

Safari users are served the macOS-specific Atomic Stealer DMG, while users of Chromium-based browsers are redirected to a page hosting a ZIP archive containing Remcos RAT, a well-known Windows remote access trojan. Matching the payload to the visitor’s browser increases the chance of a successful infection. It also means that an analyst who tests the site from only one browser sees only one of the two payloads, so both User-Agents need to be checked.

Result of clicking the download button from Safari.
Result of clicking the download button from Chrome.
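The User-Agent fork described above can be verified from the outside without running anything the site serves. The script below is an added example written for this article, not code from Moonlock or from the campaign: it requests the same download URL once per browser family, refuses to follow redirects, and compares status code, first-hop Location, Content-Type and the Content-Disposition filename across the responses. The User-Agent strings and the default target URL are constructed placeholders. Point it at a suspect URL only from an isolated analysis host, and never open what it retrieves.

```python
import re
from urllib.request import Request, HTTPRedirectHandler, build_opener
from urllib.error import HTTPError, URLError

# Constructed User-Agent strings for the two browser families the campaign distinguishes.
USER_AGENTS = {
    "safari": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
               "(KHTML, like Gecko) Version/17.4 Safari/605.1.15"),
    "chrome": ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"),
}


def classify_user_agent(ua: str) -> str:
    """Approximate the server-side fork. Chromium-based browsers (Chrome, Edge, Brave, ...)
    advertise 'Chrome/' in the UA; Safari advertises 'Safari/' together with 'Version/'
    and never 'Chrome/'. Anything else is 'other'."""
    if re.search(r"\b(?:Chrome|Chromium|CriOS|Edg)/\d", ua):
        return "chromium"
    if "Safari/" in ua and "Version/" in ua:
        return "safari"
    return "other"


class _NoRedirect(HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of following it,
    # so the Location header of the first hop can be recorded.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def summarize(status, headers: dict) -> dict:
    """Keep only the response fields that reveal which payload was selected."""
    h = {k.lower(): v for k, v in headers.items()}
    disp = h.get("content-disposition", "")
    m = re.search(r'filename\*?=(?:UTF-8\'\')?"?([^";]+)', disp)
    return {
        "status": status,
        "location": h.get("location"),
        "content_type": h.get("content-type"),
        "filename": m.group(1) if m else None,
    }


def fetch_head(url: str, user_agent: str, timeout: float = 10.0) -> dict:
    """GET url once with the given UA, reading headers only and not following redirects.
    Network errors are recorded in the result rather than raised."""
    opener = build_opener(_NoRedirect())
    req = Request(url, headers={"User-Agent": user_agent}, method="GET")
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except HTTPError as e:  # includes the 3xx we refused to follow
        status, headers = e.code, e.headers
    except URLError as e:
        return {"status": None, "error": str(e.reason)}
    return summarize(status, dict(headers.items()))


def payload_diverges(results: dict) -> bool:
    """True when at least two User-Agents received a different response summary."""
    keys = ("status", "location", "content_type", "filename")
    seen = {tuple(r.get(k) for k in keys) for r in results.values()}
    return len(seen) > 1


def probe(url: str, user_agents: dict = USER_AGENTS) -> dict:
    return {name: fetch_head(url, ua) for name, ua in user_agents.items()}


if __name__ == "__main__":
    import sys
    # Placeholder target; replace with the suspect "Download Now" URL on an isolated host.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8000/download"
    results = probe(target)
    for name, r in results.items():
        print(f"{name:8} {r}")
    print("User-Agent-dependent payload:", payload_diverges(results))
```

A GET is used rather than HEAD because servers that cloak by User-Agent often answer HEAD differently, or not at all; the body is never read, so nothing is written to disk.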

The campaign was still active while we were preparing this article. When we first posted about the case on our X account, Chrome users were redirected to https[:]//6ejj9u56155[.]cfd; a few days later the redirect target changed to https[:]//18jmx150pt[.]cfd.

At the time of writing, the buttons that led to the malware have been removed from the page, most likely to avoid detection. This adaptiveness indicates how agile the actors behind the campaign are.

The haxmac[.]cc page after the “Download Now” and “Direct Download” buttons were removed.

haxmac[.]cc is not an isolated case. While searching for “download crack pc app,” we found a similar site: haxpc[.]net.

Google Search results for a “download crack pc app” query. Google Search is a trademark of Google LLC.

On this site, the same kind of buttons led to App_v1.0.4.dmg, which contains a newer variant of Atomic Stealer. At the time of analysis it was detected by only 5 vendors on VirusTotal.

haxpc[.]net with its “Download Now” and “Direct Download” buttons.
VirusTotal detection rate for App_v1.0.4.dmg.

Moreover, several other cracked-software sites (listed in the IOCs below) were found distributing Atomic Stealer in the same way, which suggests a coordinated effort spanning multiple sites.

Threat actors leveraging PPI through affiliate networks

It has become apparent that the distribution method is likely tied to a pay-per-install (PPI) service. This model incentivizes threat actors to distribute malware through affiliate networks, earning them a commission for each successful installation on a victim’s system.

In addition, we have observed PPI services being advertised and endorsed across multiple Telegram channels. Such channels, on a messaging platform known for its privacy features, often serve as hubs for cybercriminal collaboration and for the exchange of malicious tools and techniques.

A Telegram channel in which a PPI service is continually promoted.

How to stay safe: Avoid cracked software

Our investigation into cracked-software distribution revealed a complex web of deceit orchestrated by threat actors, posing a significant risk to a large number of users. The dynamic nature of these campaigns, evidenced by the changing redirection URLs and the removal of the incriminating buttons on haxmac[.]cc, underscores the adaptability and persistence of these adversaries.

For users, it’s crucial to avoid downloading cracked software or software from untrusted sources. Stick to official app stores and reputable websites.

Always keep your software and operating systems up to date. Additionally, using antivirus software such as CleanMyMac X, powered by Moonlock Engine, and being cautious of suspicious links or downloads can greatly reduce your risk of malware infections.

Indicators of Compromise (IOC)

| Indicator | Indicator Type | Description |
| --- | --- | --- |
| 075bf6fcdeb6433eaa801925355cfa35a20f81624b6ff5d960592a74e04b70e1 | SHA256 | Atomic Stealer (dmg) |
| d54056a79251b9cdea612dc8e43cea32e66f7a64ff949962903a7841cb30e196 | SHA256 | Atomic Stealer (dmg) |
| 6e0e9e33c3930290b4daa8cc9dc784aae5b209d733c732e308a908e6bde020f2 | SHA256 | Atomic Stealer (dmg) |
| 3c39bf4ab58e21e3991e4a47caaa69c8a3f6e64f2eddffd3a40c2cd243a8b9ff | SHA256 | Atomic Stealer (dmg) |
| 7336719f7e294f02a282f7c8d43758288e8f5a6823b8d917cbd9e744370ee2cf | SHA256 | Atomic Stealer (macho) |
| 9f40383a6d1af5184034a21befaef19a87695aee925c5cf75db8291105a87936 | SHA256 | Atomic Stealer (macho) |
| 666d38cf4c0512b7b44323ef802638260f79999e7e7190589f7773f4cdec21d2 | SHA256 | Atomic Stealer (macho) |
| b1622c437d1684813f89a7e6bf24bbec73937eb563431d11341210babbe95ac9 | SHA256 | Atomic Stealer (macho) |
| 24783036f50017905f5402286e40b767db808116396635ed26f64eed0eea2135 | SHA256 | Remcos RAT (peexe) |
| haxmac[.]cc | Domain | Malicious site with cracked apps |
| haxpc[.]net | Domain | Malicious site with cracked apps |
| torrentmac[.]net | Domain | Malicious site with cracked apps |
| 9to5crack[.]com | Domain | Malicious site with cracked apps |
| https[:]//6ejj9u56155[.]cfd | URL | Malware download URL |
| https[:]//18jmx150pt[.]cfd | URL | Malware download URL |
| https[:]//imranfootwear[.]com | URL | Malware download URL |
| coinpepe[.]xyz | Domain | Malware download domain |
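To make the indicators above actionable, here is an added Python example written for this edit (not Moonlock’s own tooling). It refangs the published indicators, matches proxy and DNS log lines against the domains (including subdomains of them), and hashes every file under a directory against the SHA256 list. The log lines are constructed samples in Squid access-log and BIND query-log style, not real logs from the campaign.

```python
import hashlib
import re
from pathlib import Path
from urllib.parse import urlsplit

# SHA256 indicators copied from the IOC table above.
IOC_SHA256 = {
    "075bf6fcdeb6433eaa801925355cfa35a20f81624b6ff5d960592a74e04b70e1": "Atomic Stealer (dmg)",
    "d54056a79251b9cdea612dc8e43cea32e66f7a64ff949962903a7841cb30e196": "Atomic Stealer (dmg)",
    "6e0e9e33c3930290b4daa8cc9dc784aae5b209d733c732e308a908e6bde020f2": "Atomic Stealer (dmg)",
    "3c39bf4ab58e21e3991e4a47caaa69c8a3f6e64f2eddffd3a40c2cd243a8b9ff": "Atomic Stealer (dmg)",
    "7336719f7e294f02a282f7c8d43758288e8f5a6823b8d917cbd9e744370ee2cf": "Atomic Stealer (macho)",
    "9f40383a6d1af5184034a21befaef19a87695aee925c5cf75db8291105a87936": "Atomic Stealer (macho)",
    "666d38cf4c0512b7b44323ef802638260f79999e7e7190589f7773f4cdec21d2": "Atomic Stealer (macho)",
    "b1622c437d1684813f89a7e6bf24bbec73937eb563431d11341210babbe95ac9": "Atomic Stealer (macho)",
    "24783036f50017905f5402286e40b767db808116396635ed26f64eed0eea2135": "Remcos RAT (peexe)",
}

# Network indicators as published (defanged).
IOC_NETWORK = [
    "haxmac[.]cc", "haxpc[.]net", "torrentmac[.]net", "9to5crack[.]com",
    "https[:]//6ejj9u56155[.]cfd", "https[:]//18jmx150pt[.]cfd",
    "https[:]//imranfootwear[.]com", "coinpepe[.]xyz",
]


def refang(indicator: str) -> str:
    """Undo the usual defanging so the value can be compared with live log data."""
    return (indicator.strip().replace("[.]", ".").replace("[:]", ":")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def indicator_host(indicator: str) -> str:
    """Reduce a URL indicator to its host; bare domains pass through lowercased."""
    s = refang(indicator).lower()
    return urlsplit(s).hostname if "://" in s else s


IOC_HOSTS = {indicator_host(i) for i in IOC_NETWORK}


def host_matches(host: str, ioc_hosts=IOC_HOSTS) -> bool:
    """Exact match or any subdomain of an IOC host (cdn.haxpc.net hits haxpc.net)."""
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in ioc_hosts)


# Anything that looks like a dotted hostname (or IP) in a log line, scheme optional.
HOST_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


def scan_log_lines(lines, ioc_hosts=IOC_HOSTS):
    """Return (line_number, host) for each line that references an IOC host."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            if host_matches(host, ioc_hosts):
                hits.append((n, host.lower()))
                break
    return hits


def sha256_file(path, chunk=1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_directory(root, ioc_hashes=IOC_SHA256):
    """Hash every file under root (e.g. ~/Downloads or a mounted DMG) and report IOC matches."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            digest = sha256_file(p)
            if digest in ioc_hashes:
                hits.append((str(p), digest, ioc_hashes[digest]))
    return hits


# Constructed sample lines (Squid access-log and BIND query-log style), not real campaign logs.
SAMPLE_LOG = [
    "1713254400.123 312 10.0.0.15 TCP_MISS/200 1048576 GET https://haxmac.cc/cleanmymac-x/ - HIER_DIRECT/203.0.113.10 text/html",
    "1713254401.456 95 10.0.0.15 TCP_MISS/302 0 GET https://6ejj9u56155.cfd/ - HIER_DIRECT/203.0.113.11 -",
    "16-Apr-2024 12:00:02.001 client 10.0.0.15#51234: query: cdn.haxpc.net IN A + (10.0.0.2)",
    "1713254403.789 40 10.0.0.16 TCP_HIT/200 2048 GET https://www.apple.com/ - HIER_NONE/- text/html",
]

if __name__ == "__main__":
    import sys
    for n, host in scan_log_lines(SAMPLE_LOG):
        print(f"log line {n}: {host}")
    if len(sys.argv) > 1:  # optional directory to hash, e.g. ~/Downloads
        for path, digest, label in scan_directory(sys.argv[1]):
            print(f"{path}: {label} ({digest})")
```

Hash matching only catches the exact samples listed; since the operators swapped files and domains within days, treat a domain hit in proxy or DNS logs as the more durable signal and look for the DMG that was downloaded afterwards.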

Co-author: Artem Chumak

Kseniia Yamburh
Kseniia is a malware research engineer at Moonlock, specializing in OSINT intelligence gathering and analysis. Her passion lies in writing about new investigations and findings in the field of cybersecurity.