Microsoft Logo

Recent Malware Scare with Windows OS Torrents


A recent study conducted by Doctor Web has revealed a concerning association between pirated versions of Windows 10 and the distribution of clipper malware. This particular malware is cleverly concealed within EFI partitions, enabling it to evade standard detection methods effectively.

Identification of

Clipper malware is a specific type of malicious software designed to illicitly obtain currencies from compromised systems by intercepting or modifying data on the Windows clipboard. This malware primarily targets cryptocurrency wallet addresses, manipulating the data involved. In the past, it has masqueraded as legitimate cryptocurrency applications to deceive users. Once installed in a system, the malware gains access to and, in specific circumstances, modifies the data stored in the Windows Clipboard utility. For instance, the Laplas variant of clipper malware has the capability to substitute wallet addresses associated with various cryptocurrencies like Bitcoin, Bitcoin Cash, Litecoin, Ethereum, Tron, and others.

The Extensible Firmware Interface (EFI) partition, which is a small section of the hard drive reserved for installing operating systems and essential system utilities, has historically been exploited to conceal certain malware components. However, it has become evident that EFI partitions can harbor an entire malware entity, posing a significant threat. Detecting malware within EFI partitions presents challenges for most antivirus software, either due to their limited capability or technical obstacles. This evasion technique allows the clipper malware to persist undetected, often causing considerable damage before its discovery.

torrent example


The report indicates that the malware is discreetly embedded within the following applications found in the system directory:

\Windows\Installer\iscsicli.exe (dropper)

\Windows\Installer\recovery.exe (injector)

\Windows\Installer\kd_08_5e78.dll (clipper)

When a pirated version of the operating system is downloaded, a scheduled task is created to trigger the execution of a dropper named iscsicli.exe. This dropper then proceeds to mount the EFI partition as the “M:” drive.

Subsequently, the dropper duplicates the other two files, recovery.exe and kd_08_5e78.dll, onto the C:\ drive. The clipper malware is then injected into the legitimate %WINDIR%\System32\Lsaiso.exe system process using the installed recovery.exe file.

This incident highlights the hazards associated with downloading pirated software. It serves as a reminder of the inherent risks involved. In an effort to raise public awareness, Dr. Web has disclosed some of the identified malicious torrents, while acknowledging the possibility of numerous others circulating.

Confirmed Files

The following torrents have been identified as malicious:

  • Windows 10 Pro 22H2 19045.2728 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 + Office 2021 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2846 x64 by BoJlIIIebnik RU.iso
  • Windows 10 Pro 22H2 19045.2913 + Office 2021 x64 by BoJlIIIebnik [RU, EN].iso
  • Windows 10 Pro 22H2 19045.2913 x64 by BoJlIIIebnik [RU, EN].iso

Need help with your Puget Systems PC?

If something is wrong with your Puget Systems PC. We are readily accessible, and our support team comes from a wide range of technological backgrounds to better assist you!

Contact Puget Systems Support

Looking for more support guides?

If you are looking for a solution to a problem you are having with your PC, we also have a number of other support guides that may be able to assist you with other issues.

Puget Systems Online Help Guides