New JavaScript Trojan Propagated on Russian Game Cheat Websites

Last updated June 23, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Researchers at the Doctor Web Anti-Virus lab have received a tip from Yandex and analyzed a rare sample of a Node.js trojan that pretends to be a video game cheat, but it’s actually a malware downloader. People may find the malicious 7zip file in various game cheat websites, possibly uploaded by users who took advantage of the lax policies and non-existent checks there. Gamers who search for game cheats end up on these websites and then download the archive in the hope that they are getting a working game cheat.

When the downloaded file is executed onto the victim’s computer, the Trojan downloads and installs all of the required components, while it also gathers system information and sends it to the C2 server. Known websites that host the malicious archive include cheatfiles.ru, worldcodes.ru, torrent-igri.com, minecraft-chiter.ru, mmotalks.com, and clearcheats.ru. These websites are owned by the malware developers but are not the only ones that offer the archive. Unfortunately, the actors have managed to upload it on other locations as well like the proplaying.ru, corteli.com, and fasrworm.ru. According to the Doctor Web's estimations, the victims are already counted in the thousands.

monsterinstall code

image source: news.drweb.com

For a full list of the indicators of compromise by the “MonsterInstall” trojan, check out this GitHub document. In there, you will notice the existence of xmrig libraries, which are crypto-mining modules that the malware runs on the infected system, and on the account of the attacker. Processes such as user-initiated crypto-mining activities or even Windows-update tasks are terminated in order to free up resources for the malicious activity to take place. The cryptocurrency that is mined through this process is the TurtleCoin, a versatile and private crypto-coin that was launched in December 2017 and continues to grow steadily thanks to the fact that it’s easy to mine on CPUs or GPUs.

Systems belonging to gamers feature particularly powerful hardware, so they are a natural target for crypto-jacking campaigners. Right now, the domains that were owned by the malicious actors were taken down after Doctor Web informed the associated registrar, while all of the infected websites have also been informed accordingly. If you like to risk it by downloading and installing game cheats and add-ons, at least use an up-to-date anti-virus tool that may detect the trojan and stop it before it’s too late.

Are you a game cheater or do you prefer to play it as it comes? Let us know in the comments section below, and help us reach a wider audience by sharing this post through our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: