Malware Distribution via Fake Video Player Updates on Pirated Streaming Sites
Severity: High (Score: 66.5)
Sources: Cybersecuritynews, Gbhackers, Securelist
Keywords: malware, users, hackers, fake, video, player, updates
Severity indicators: pla, malware, rat
Summary
In late April 2026, a cybercrime gang exploited illegal streaming platforms to distribute malware, primarily a miner and a RAT, through fake video player updates. Users attempting to watch pirated content encountered alerts claiming their video player plugin was outdated, leading them to download a malicious ZIP file containing a legitimate executable and a harmful DLL. This infection vector has been active since at least 2022, with the malware delivered through popular pirated sites that attract millions of visitors monthly. The sites linked to this campaign had a total of 40 million visits in April 2026. The threat actor has adapted the delivery mechanism, moving from a previously used domain to a new one, while maintaining the structure of the malicious archive. The ongoing campaign poses a significant risk to users of these platforms, as many remain unaware of the malware's presence.
Key Points:
- Malware is distributed via fake updates on illegal streaming sites.
- The infection method has been active since at least 2022 and affects millions of users.
- The campaign has adapted its delivery mechanisms while maintaining high traffic levels.
Detailed Analysis
**Impact**
Users of pirated movie and TV show streaming sites and of pirated digital libraries are affected; monthly visits to the sites involved reach up to 40 million in total. The campaign reaches a broad audience, with 2.1 to 27.4 million monthly visitors on the streaming sites and up to 4.7 million on the digital libraries, primarily consumers of pirated content worldwide. The malware deploys cryptocurrency miners and RATs, which can degrade device performance and give the operators unauthorized remote access; no specific data exfiltration or sector-targeted impact is reported.
**Technical Details**
The attack vector is a fake video player plugin update prompt shown on the pirated streaming and digital library websites. The prompt delivers a ZIP archive containing a legitimate executable (HLS Installer.874.exe) and a malicious DLL. When the user runs the executable, it side-loads the malicious DLL, which then executes the miner and establishes persistence. The campaign has been active since at least 2022 and has used domains such as urush1bar4[.]online and, earlier, file[.]ipfs[.]us[.]69[.]mu. No CVEs or exploited vulnerabilities are mentioned. The infection takes place at the delivery and execution stages of the kill chain.
**Recommended Response**
Block access to known malicious domains such as urush1bar4[.]online, and monitor for execution of HLS Installer.874.exe and the associated DLL side-loading behaviour. Deploy endpoint detection rules for suspicious DLL side-loading or injection and for persistence mechanisms linked to miner and RAT activity. Educate users to avoid pirated streaming sites and to distrust unexpected update prompts. No patches or CVEs are specified, so the focus is on network filtering and behavioural detection.
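A detection pass over the telemetry the response above asks for, as an added example (not code from the source articles or the reporting vendors): it scans constructed Sysmon-style process-creation, image-load and DNS events for the named installer, its side-loaded DLL and the campaign domains. The event field names, the user-writable-folder heuristic and the placeholder DLL name are assumptions.

```python
# Added detection example (not code from the source articles). Scans
# constructed Sysmon-style events; event field names are assumptions.
import re
from pathlib import PureWindowsPath

SUSPECT_EXE = "hls installer.874.exe"  # executable named in the report
CAMPAIGN_DOMAINS = {"urush1bar4.online", "file.ipfs.us.69.mu"}  # re-fanged
# Heuristic (assumption): folders a legitimate installer rarely runs from.
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata\\local\\temp)\\", re.I)

def _name(path):
    return PureWindowsPath(path).name.lower()

def detect(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            img = ev["image"]
            # Rule 1: the lure's installer launched from a user-writable folder.
            if _name(img) == SUSPECT_EXE and USER_WRITABLE.search(img):
                hits.append(("fake_update_installer", img))
        elif ev["type"] == "image_load":
            host, dll = ev["image"], ev["loaded"]
            # Rule 2: that process loads an unsigned DLL from its own folder (side-loading).
            same_dir = PureWindowsPath(host).parent == PureWindowsPath(dll).parent
            if _name(host) == SUSPECT_EXE and same_dir and not ev.get("signed"):
                hits.append(("dll_sideload", dll))
        elif ev["type"] == "dns_query":
            # Rule 3: lookup of a domain the report associates with the campaign.
            if ev["query"].lower().rstrip(".") in CAMPAIGN_DOMAINS:
                hits.append(("campaign_domain", ev["query"]))
    return hits

# Constructed sample telemetry; the DLL name is a placeholder because the
# report does not name the malicious DLL.
EXTRACT_DIR = r"C:\Users\alice\Downloads\player_update"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": EXTRACT_DIR + r"\HLS Installer.874.exe"},
    {"type": "image_load", "image": EXTRACT_DIR + r"\HLS Installer.874.exe",
     "loaded": EXTRACT_DIR + r"\PLACEHOLDER_sideloaded.dll", "signed": False},
    {"type": "image_load", "image": EXTRACT_DIR + r"\HLS Installer.874.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    {"type": "dns_query", "query": "urush1bar4.online"},
    {"type": "dns_query", "query": "example.com"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The signed-DLL load from System32 and the unrelated DNS query produce no hits, so the three rules fire only on the side-loading chain the report describes.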
Source articles (3)
- Pirates in the crosshairs: how one cybercrime gang has been infecting book, movie, and TV show fans for years — Securelist · 2026-05-28
  In late April 2026, a client reached out to us for incident response support after discovering a miner running on users' computers. We later discovered that the malware was being distributed via illeg…
- Fake Video Player Updates Spread Miner and RAT Malware — Gbhackers · 2026-05-29
  Hackers are actively exploiting illegal streaming platforms to distribute advanced malware, using fake video player updates as a lure to infect unsuspecting users. The attack begins when users attempt…
- Hackers Use Fake Video Player Updates to Deploy Miner and RAT Malware — Cybersecuritynews · 2026-05-29
  Hackers are using a clever trick to get people to install dangerous malware, and most victims have no idea it is happening. By visiting pirated movie and TV show streaming sites, users are met with a…
Timeline
- 2026-04-30 — Incident response initiated for malware infection: A client reported a miner running on users' computers, linked to illegal streaming sites.
- 2026-05-28 — Investigation reveals ongoing malware campaign: Analysis confirmed that the malware distribution method has been active since at least 2022, with high traffic sites involved.
- 2026-05-29 — Multiple reports on fake video player updates: Cybersecurity articles detail the use of fake updates to spread malware, confirming the ongoing threat to users.
- 2026-05-29 — Cybersecurity news highlights malware distribution method: Reports emphasize the clever tactics used by hackers to infect users through fake alerts on streaming sites.
Related entities
- Malware (Attack Type)
- CWE-120 - Classic Buffer Overflow (CWE)
- SilentCryptoMiner (Malware)
- T1055.012 - Process Hollowing (MITRE ATT&CK)
- T1055 - Process Injection (MITRE ATT&CK)
- T1071 - Application Layer Protocol (MITRE ATT&CK)
- T1543.003 - Windows Service (MITRE ATT&CK)
- T1574 - Hijack Execution Flow (MITRE ATT&CK)
- Windows (Platform)