New info-stealer malware infects software pirates via fake crack websites

The PrivateLoader malware distribution service is spreading a new, information-stealing malware called ‘RisePro.’

RisePro was created to assist attackers in stealing victims’ passwords and credit cards from infected machines.

Analysts at Flashpoint and Sekoia spotted the malware this week. Both cybersecurity companies confirmed that RisePro, a previously unknown information stealer, is now being distributed through fake key generators and software cracks.

Flashpoint has reported that Russian hackers have begun selling thousands of RisePro logs, which are data packages stolen from infected devices.

Sekoia also discovered code similarities between PrivateLoader, RisePro and other malware distribution platforms, which suggests that the platform may now be spreading its own information stealer, either for its own use or as a service.

RisePro can be purchased via Telegram, where users can also interact with the developer and with infected hosts through a Telegram bot.

The RisePro C2 panel


RisePro information and capabilities

Flashpoint suggests that RisePro, a C++ malware, may be inspired by the Vidar password-stealing malware. It uses embedded DLL dependencies.

DLLs dropped in the malware’s working directory


Sekoia further explains that some RisePro samples embed the DLLs, while others fetch them from the C2 server via POST requests.

First, the info-stealer examines registry keys and writes the stolen data into a text file. Next, it takes a screenshot and bundles all the files into a ZIP archive. Finally, it sends the archive to the attacker.

RisePro tries to steal data from browsers and applications.

  • Web browsers: Google Chrome, Firefox, Maxthon3, K-Melon, Sputnik, Nichrome, Uran, Chromodo, Netbox, Comodo, Torch, Orbitum, QIP Surf, Coowon, CatalinaGroup Citrio, Chromium, Elements, Vivaldi, Chedot, CentBrowser, 7start, ChomePlus, Iridium, Amigo, Opera, Brave, CryptoTab, Yandex, IceDragon, BlackHaw, Pale Moon, Atom.
  • Browser extensions: Authenticator.
  • Software: Discord, Authy Desktop.
  • Cryptocurrency assets: Bitcoin, Dogecoin, Anoncoin, BBQCoin, DashCore, Florincoin, Franko, Freicoin, GoldCoin (GLD), IOCoin, Infinitecoin, Ixcoin, Megacoin, Mincoin, Namecoin, Primecoin, Terracoin, YACoin, Zcash, devcoin, digitalcoin, Litecoin, Reddcoin.

RisePro also scans filesystem folders to find interesting data, such as receipts that contain credit card information.

PrivateLoader Link

PrivateLoader, a pay-per-install (PPI) malware distribution service, disguises itself as game mods, key generators and software cracks.

Threat actors send the malware samples they want to distribute, along with the targeting criteria. They also pay the PrivateLoader group, which uses its fake websites and hacks to spread the malware.

The service was first spotted in February 2022. Trend Micro also observed PrivateLoader pushing an unknown remote access trojan (RAT) in May 2022. It was dubbed ‘.

Until recently, PrivateLoader was distributing almost exclusively RedLine and Raccoon, two very popular information stealers.

Sekoia reports that RisePro has loader capabilities. It also notes that the code of this part of the malware is very similar to that of PrivateLoader.

The similarities include the string obfuscation method, the HTTP message obfuscation and the HTTP and port setup.

Code similarity of 30% in HTTP port setup


It is possible that PrivateLoader was developed by the same team as RisePro.

Another hypothesis is that RisePro may be the evolution of PrivateLoader, or the creation of a former developer who promotes similar PPI services.

Based on the available evidence, Sekoia could not determine the connection between the two projects.