Dangerous malware stealing bitcoin hosted on Download.com for years (Mar 14, 2018)
ESET researchers, after searching on the website "download[.]com," have discovered trojanized applications that steal bitcoin. The applications contain a simple dropper that extracts both the legitimate installer of the purported application and the malware to the temp folder, and both are subsequently executed. The malware copies itself to a different location in the "appdata" folder and adds itself to a registry key to maintain persistence. The malware simply checks copied text in the user's clipboard by regexing for a bitcoin address and replacing it with the attacker's Bitcoin address.
Recommendation: Malicious actors are always trying new ways to infect users with simple malware to steal cryptocurrency. Always practice Defense in Depth (do not rely on single security mechanisms - security measures should be layered, redundant, and failsafe). If you believe you have been injected, follow the removal instructions located "here" or use an antivirus solution. Always manually check the address you are about to send cryptocurrency to, especially if you have copied and pasted in the address.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.