SteelFox Malware Threatens Windows Users Downloading Pirated Software, Infects Thousands
November 7, 2024
A new malware campaign named SteelFox has emerged, targeting Windows users who download pirated software, with droppers that impersonate popular applications like Foxit PDF Editor and AutoCAD.
Since its discovery in early 2023, SteelFox has infected tens of thousands of PCs, gaining notoriety for its sophisticated methods of executing malware.
Additionally, SteelFox deploys XMRig, a cryptocurrency miner that consumes the victim's computer resources, rendering it nearly unusable.
SteelFox spreads through various channels, including forum posts, torrent trackers, and blogs, often disguised as legitimate software.
The initial infection occurs when users download malicious droppers that masquerade as software cracks, which install both the expected functionality and malware.
Once installed, SteelFox establishes secure communication with its command and control servers using TLS 1.3 and SSL pinning, enhancing its operational security.
The malware includes an infostealer that collects sensitive data from web browsers, such as browsing history, session cookies, and credit card information.
SteelFox exploits vulnerabilities in the WinRing0.sys driver, allowing attackers to gain elevated privileges and full access to infected systems.
The malware's ability to escalate privileges makes it particularly dangerous, as it can maintain persistence and evade detection.
Kaspersky has reported blocking over 11,000 attacks related to SteelFox, with significant impacts on users in countries like Brazil, China, and Russia.
Experts emphasize the importance of downloading software only from official sources and using reliable security solutions to mitigate the risks associated with such malware.
SteelFox operates opportunistically, affecting users who unknowingly download compromised software, highlighting the need for increased cybersecurity awareness.
Summary based on 5 sources
Sources
TechRadar pro • Nov 7, 2024
Windows PCs targeted by new malware hitting a vulnerable driver
Digital Trends • Nov 7, 2024
Hackers are now targeting Windows driver flaw for malware | Digital Trends
SecurityWeek • Nov 7, 2024
‘SteelFox’ Miner and Information Stealer Bundle Emerges
Hackread - Latest Cybersecurity, Tech, Crypto & Hacking News • Nov 8, 2024
New SteelFox Malware Posing as Popular Software to Steal Browser Data