Hackers fake MSI’s Afterburner utility to infect gamers with malware

A cyber risk and security analysis company called Cyble has discovered a number of websites distributing a version of MSI Afterburner that is riddled with various types of malware. Those who accidentally download this widely used graphics card utility via one of the cunningly designed spoof domains might end up with unwanted crypto-mining software and information-stealing software.

MSI’s Afterburner is a very popular free utility for graphics card owners, whatever the brand (not just MSI) or architecture (AMD or Nvidia). However, enthusiasts who want to install Afterburner on a new PC or download an update over the Internet should be extra careful about where they get it. Cyble Research & Intelligence Labs (CRIL) has seen nearly 50 shady domains come and go since early September on which MSI Afterburner is covertly bundled with an assortment of malware.

Specific malware apps bundled with a genuine version of MSI Afterburner include XMR Miner and Redline Stealer. CRIL provides some technical details of both malware installations. For news purposes, suffice it to say that these malware apps install stealthily alongside the genuine MSI Afterburner, without prompting the user, from download files with harmless-looking names like browser_assistant.exe, install.exe and comp.cab that the fake sites distribute.

The unofficial MSI Afterburner sites set up by the threat actors (TAs) behind this malware campaign often contain text strings like msi-afterburner-download and use less popular domain extensions like .tech, .online and so on. We haven’t listed a specific overclocking honeytrap site here, just in case a reader looking for an Afterburner download finds this article, then casually copies a malware site address and pastes it into their browser’s search/URL box. According to the source, the landing pages look very similar to the official MSI page. Below you can compare CRIL’s fake site screenshot with one we took today directly from the real one, https://www.msi.com/Landing/afterburner/graphics-cards.

Top image (malware site) via CRIL; bottom image shows the real MSI site.

A Google search for MSI Afterburner didn’t turn up any of the fake websites on our first page of results, and the top result was the genuine official link given in the paragraph above. However, some users on other platforms in other regions who might not “google” might still end up downloading from one of the fake links with the malware-infused download. Dear readers, please be careful out there, or some TAs might be able to steal your computer performance or your personal information and passwords.
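
For defenders who want to check proxy or DNS logs against the domain pattern described above, here is an added example (not code from Cyble or MSI) that flags hostnames carrying the Afterburner lure outside the official domain. The function names, the reason strings and the sample hostnames are assumptions constructed for illustration; only the official domain, the `msi-afterburner-download` string and the `.tech`/`.online` extensions come from the article.

```python
import re
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "msi.com"            # domain of the official link in the article
LURE_TOKENS = {"msi", "download"}      # words from the "msi-afterburner-download" pattern
UNUSUAL_TLDS = {"tech", "online"}      # extensions the article names

def hostname_of(entry):
    """Accept a bare hostname or a full URL; return the lowercase hostname."""
    entry = entry.strip().lower()
    if "://" not in entry:
        entry = "//" + entry           # lets urlsplit treat the text as a network location
    return (urlsplit(entry).hostname or "").rstrip(".")

def is_official(host):
    """True only for msi.com itself or a real subdomain of it."""
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)

def lure_reasons(entry):
    """Return the reasons a log entry looks like a fake Afterburner site."""
    host = hostname_of(entry)
    # The keyword must be in the hostname; a path on an unrelated site is ignored.
    if not host or is_official(host) or "afterburner" not in host:
        return []
    reasons = ["'afterburner' in a host outside " + OFFICIAL_DOMAIN]
    tokens = set(re.split(r"[.-]", host))
    for word in sorted(LURE_TOKENS & tokens):
        reasons.append("lure word '" + word + "'")
    if host.rsplit(".", 1)[-1] in UNUSUAL_TLDS:
        reasons.append("less common TLD")
    if OFFICIAL_DOMAIN in host:
        reasons.append("official domain embedded in the hostname")
    return reasons

def triage(entries):
    """Map each suspicious entry to its reasons; clean entries are omitted."""
    return {e: r for e in entries if (r := lure_reasons(e))}

# Constructed sample log entries (not real indicators from the CRIL report).
SAMPLE = [
    "https://www.msi.com/Landing/afterburner/graphics-cards",
    "msi-afterburner-download.constructed-sample.tech",
    "http://www.msi.com.afterburner-get.constructed-sample.online/install.exe",
    "forum.constructed-sample.org/thread/afterburner-settings",
]

if __name__ == "__main__":
    for entry, why in triage(SAMPLE).items():
        print(entry, "->", "; ".join(why))
```

The official-domain test compares the end of the hostname, so a host that merely begins with `www.msi.com.` is still flagged.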

