Kaspersky’s Global Research and Analysis Team (GReAT) has discovered an ongoing cyberattack campaign named SteelFox, which is distributed under the guise of popular software such as Foxit PDF Editor, AutoCAD, and JetBrains to steal banking information and secretly mine cryptocurrency.
According to the cybersecurity solutions provider, the attackers use malware to collect sensitive data from victims’ devices and covertly use their computing power for cryptocurrency mining.
The SteelFox campaign, uncovered in August 2024, targets users by promoting counterfeit software activators on forums and torrent sites. These “cracks” claim to provide free access to legitimate programs but secretly install malware. The malware has two main components: a stealer and a cryptominer. The stealer gathers detailed information, including credit card numbers, browser data, Wi-Fi passwords, and installed software details, while the cryptominer uses infected devices to mine Monero, a type of cryptocurrency.
The SteelFox campaign has been active since February 2023, with Kaspersky detecting over 11,000 attack attempts in just three months. The majority of affected users are located in countries like Brazil, China, Russia, and Mexico. The attackers initially targeted Foxit PDF Editor users but have since expanded their reach to JetBrains and AutoCAD software. The cybercriminals continue to refine their methods to evade detection and may soon distribute the malware under the guise of other popular software.
“This campaign has evolved over time, with the attackers shifting from one software target to another,” said Dmitry Galov, head of Research Center for Russia and CIS at Kaspersky. “The SteelFox campaign remains a serious threat, and users are advised to be cautious when downloading software from unofficial sources.”