TookPS Malware Impersonates UltraViewer, AutoCAD, SketchUp, Ableton Software

Written by: Lore Apostol, Cybersecurity & Streaming Writer

A new malicious downloader, TookPS, is spreading under the guise of well-known software applications such as UltraViewer, AutoCAD, SketchUp, and Ableton. The attackers behind TookPS have set up fake download sites for popular business and personal software.

Security researchers at Kaspersky revealed this advanced campaign in a recent report. The fake websites lure victims with free downloads of applications used for remote desktop access, 3D modeling, and music production.

The downloader, disguised as executable files like “Ableton.exe” and “QuickenApp.exe,” infects devices and establishes access for further exploitation.

Fake websites | Source: Kaspersky

Once a device is infiltrated, TookPS initiates communication with its command-and-control (C2) server via domains embedded in its code. It then retrieves and executes PowerShell scripts, deploying additional malware such as “sshd.exe” to establish an SSH tunnel for remote control.

Part of the script that downloads Backdoor.Win32.TeviRat | Source: Kaspersky

Modified versions of backdoors like Backdoor.Win32.TeviRat and Backdoor.Win32.Lapmon are then installed to enable attackers to gain covert access and execute arbitrary commands.

One notable tactic observed in the TookPS campaign involves DLL sideloading with legitimate software such as TeamViewer. The legitimate program loads the attackers' DLL in place of one it expects, so the malicious code runs under a trusted process name with nothing visible to the user, giving attackers covert remote access.
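The chain described in the two paragraphs above (lure installer, PowerShell stage, rogue sshd.exe, DLL sideloaded into TeamViewer) can be triaged from endpoint process-creation and image-load telemetry. The script below is an added example, not code from the article or from Kaspersky; the event field names, sample paths and the legitimate sshd.exe location are assumptions, and the events are constructed, not captured.

```python
"""Added triage example: flag the TookPS-style behaviours the article describes
over constructed events shaped like Sysmon process-create / image-load records.
Field names, paths and the assumed sshd.exe location are not indicators from the page."""

LURE_NAMES = {"ableton.exe", "quickenapp.exe"}        # fake installer names from the article
LEGIT_SSHD = r"c:\windows\system32\openssh\sshd.exe"  # assumed path of the OS-shipped OpenSSH server


def triage(events):
    """Return (rule, pid) findings for the three behaviours described in the article."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for e in events:
        if e["type"] == "proc":
            image = e["image"].lower()
            parent = by_pid.get(e["ppid"])
            pname = parent["image"].lower() if parent else ""
            # 1. a lure-named installer spawning PowerShell (stage-2 script retrieval)
            if image.endswith("powershell.exe") and pname.rsplit("\\", 1)[-1] in LURE_NAMES:
                findings.append(("lure_spawns_powershell", e["pid"]))
            # 2. PowerShell launching an sshd.exe that is not the OS-shipped one (SSH tunnel)
            if image.endswith("sshd.exe") and image != LEGIT_SSHD and pname.endswith("powershell.exe"):
                findings.append(("powershell_spawns_rogue_sshd", e["pid"]))
        elif e["type"] == "imageload":
            # 3. an unsigned DLL loaded by TeamViewer (sideloading from the app directory)
            if e["image"].lower().endswith("teamviewer.exe") and not e.get("signed", False):
                findings.append(("teamviewer_dll_sideload", e["pid"]))
    return findings


# Constructed sample telemetry (not real captures); pid 1 stands in for an unrelated parent.
SAMPLE_EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": r"C:\Users\u\Downloads\Ableton.exe"},
    {"type": "proc", "pid": 101, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "proc", "pid": 102, "ppid": 101, "image": r"C:\Users\u\AppData\Roaming\sshd.exe"},
    {"type": "proc", "pid": 103, "ppid": 1, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"type": "imageload", "pid": 103, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "dll": r"C:\Program Files\TeamViewer\example.dll", "signed": False},
    {"type": "imageload", "pid": 103, "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "dll": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # the OS-shipped OpenSSH server started by a service, which must not be flagged
    {"type": "proc", "pid": 200, "ppid": 1, "image": r"C:\Windows\System32\OpenSSH\sshd.exe"},
]

if __name__ == "__main__":
    for rule, pid in triage(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Real Sysmon image-load events carry a Signed/Signature pair; in production the check on rule 3 should also compare the signer against the expected vendor rather than only the signed flag.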

C2 domains and corresponding IPs | Source: Kaspersky

The malicious activity was traced back to domains registered in early 2024 and hosted on a small set of IP addresses. These domains primarily served as C2 hubs, hosting the scripts and payloads used in the attacks.


Alongside domains used in the current campaign, researchers uncovered evidence of previous malicious activities tied to the same infrastructure, indicating the attackers’ extended operations.

Research into attacks using DeepSeek as a lure in earlier campaigns revealed that they were only one component of a broader strategy. By impersonating widely used software, TookPS represents a sophisticated effort capable of infiltrating both personal and organizational environments.
