Wednesday, 09 July 2025

Scammers spread malware under the guise of the Brave browser

Google specialists stopped a malicious advertising campaign in which scammers lured users to a fake Brave browser site. The fake website hosted the ArechClient (SectopRAT) trojan disguised as the browser. To drive traffic to the fake site, the scammers bought ads on Google that were displayed when people searched for something related to browsers.

The researchers said that they identified ads that redirected visitors to the malicious site. The site was located at bravė.com, where the word "Brave" was written with the Lithuanian letter "ė" instead of the ordinary Latin "e".

In a modern browser, the malicious domain bravė.com would be displayed as xn--brav-epa.com, but users who do not look at the address bar could miss the substitution.

The site fully imitated the legitimate Brave site, but it offered users a 303 MB ISO file that allegedly contained the Brave installer. Oddly enough, the browser really was present in this file, but the ArechClient (SectopRAT) malware, whose main task is to steal data from browsers, was distributed along with it.

It should also be noted that after the discovery, other fraudulent sites that masqueraded as legitimate resources such as Signal and Telegram (sīgnal.com, teleģram.com) were also disabled.
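The lookalike domains named above all differ from the real name only by a diacritic, which a defender can check for in proxy or DNS logs. The following is an added example, not code from the article or from Google; the `PROTECTED` watch list and the function names are assumptions made for illustration.

```python
import unicodedata

# Assumed watch list: the legitimate domains of the brands the article names.
PROTECTED = {"brave.com", "signal.com", "telegram.com"}

def to_unicode(host):
    """Decode xn-- (punycode) labels so both spellings of a name compare alike."""
    labels = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except (UnicodeError, ValueError):
                pass  # malformed label: keep it unchanged, it will not match
        labels.append(label)
    return ".".join(labels)

def skeleton(host):
    """Drop combining marks after NFKD so 'ė', 'ī', 'ģ' fold to 'e', 'i', 'g'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def impersonated_brand(host):
    """Return the protected domain that a non-ASCII host imitates, else None."""
    uni = to_unicode(host)
    if uni.isascii():
        return None  # plain ASCII: the real site or an unrelated name
    folded = skeleton(uni)
    return folded if folded in PROTECTED else None

if __name__ == "__main__":
    # Hostnames as written in the article, plus two benign controls.
    samples = ["bravė.com", "xn--brav-epa.com", "sīgnal.com",
               "teleģram.com", "brave.com", "example.org"]
    for name in samples:
        print(f"{name!r:22} imitates {impersonated_brand(name)}")
```

This folding only catches lookalikes built from accented Latin letters, as in this campaign; characters borrowed from other scripts need a confusables table instead.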

Source: xakep.ru

04 August 2021
