Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More


Hackers have breached the website of VSDC, a popular company that provides free audio and video conversion and editing software.

Three different incidents have been recorded during which hackers changed the download links on the VSDC website with links that initiated downloads from servers operated by the attackers.

Below is a timeline of the hacks and link swaps, according to Chinese security firm Qihoo 360 Total Security, whose experts spotted the hijacks last week.

First hack: June 18
Download link swapped with: hxxp://

Second hack: July 2
Download link swapped with: hxxp://

Third hack: July 6
Download link swapped with: hxxp://

Qihoo experts said the first and third hijacks were the ones at a larger scale and affected the most users.


Users infected with three different malware strains

Users who downloaded VSDC software on those days have been infected with three different malware strains. Qihoo says victims received a JavaScript file disguised as VSDC software. This file would download a PowerShell script, which, in turn, would download three other files —an infostealer, a keylogger, and a remote access trojan (RAT).

The infostealer is capable of recovering Telegram account passwords, Steam account passwords, Skype chats, Electrum wallet data, and can also take screengrabs of the victim’s PC. All collected data is uploaded on an attacker’s server at

The keylogger is nothing special, collecting keystrokes and uploading them to

Qihoo describes the third file as a VNC module that grants the attacker control over an infected user’s PC. But security researcher MalwareHunter told Bleeping Computer this is just a mundane version of the TVRAT.


VSDC admits to breach, says it fixed its site

To its credit and unlike many companies nowadays, VSDC admitted to the hacks in an email to Bleeping Computer.

“Unfortunately, we did have hacker attacks, but they have already been stopped and all the vulnerabilities detected and removed,” Alexander Galkin, a VSDC Project Manager told us.

Galkin added:

Using both our own resources and third-party experts, an unscheduled audit of the VSDC website has been conducted. It’s been revealed that the attackers hacked the administrative part of the site and replaced the links to the distribution file of the program. It is worth mentioning that the distributives themselves were not damaged.

Attacks were registered from an IP address in Lithuania –

What has been done to cope with that:

1. All the source files of the site have been restored, the fake ones have been deleted.
All the passwords have been changed. As our experience has shown, 10-12 character passwords made of random characters are not complex enough, so now they have their length and complexity significantly increased.
2. The two-level authentication of access to the administrative part at the IIS server level has been introduced.
3. A special antivirus utility installed has been installed on the server that checks all the files for validity.

We’d like to assure all our users that all the required security and prevention measures have been taken and will be regularly updated. The access to the administrative server part will be regularly checked.