Fake Software Sites Spreading Dangerous TookPS Trojan, Experts Warn

Cybersecurity researchers have uncovered a widespread malware campaign using fake websites disguised as download sources for popular software to distribute a Trojan-Downloader known as TookPS. The malware, first identified in early March, is being used to secretly infect personal and organisational systems with backdoors that enable stealthy remote access.

According to threat analysts, attackers are crafting convincing clones of legitimate websites for widely used software including UltraViewer, AutoCAD, and SketchUp. These tools are commonly used across industries for remote access, 3D modeling, and design tasks. The fraudulent sites often advertise free downloads, but instead deliver the TookPS Trojan to unsuspecting users.

Once installed, TookPS launches a series of malicious scripts to implant a backdoor on the infected system. This backdoor grants attackers unauthorized control, enabling them to execute arbitrary commands without the user’s knowledge. The threat targets both individual users and organisations, raising concerns about the scope and potential impact of the campaign.

Security researchers believe the operation may extend beyond just a few software brands. Technical analysis indicates the same tactic could be used to spoof additional platforms such as Ableton, a digital audio workstation, and Quicken, a financial management tool, as bait for spreading the malware.

“Earlier, we discovered malicious campaigns using the DeepSeek brand as bait. TookPS was one of the threats we found then, but that was only the beginning. This new wave shows a much broader strategy—malware is now being embedded behind various well-known software names,” said Vasily Kolesnikov, a security expert. “Users must remain cautious. Always verify URLs and avoid pirated or unofficial software sources.”

The Trojan’s evolution reflects a growing trend of cybercriminals using social engineering and brand impersonation to increase infection rates. Even tech-savvy users may struggle to differentiate between genuine and counterfeit pages without close scrutiny.

Cybersecurity firm Kaspersky, which identified the threat, has published a technical report detailing the campaign. Their researchers urge users to adopt safe browsing habits and avoid clicking on software links from unverified sources, especially those promising free downloads of premium tools.

Recommended Safety Measures

To protect against similar cyberthreats, security experts recommend the following:

  • Use trusted security software with real-time protection features that can block access to fake websites and prevent malicious downloads.
  • Verify URLs manually by typing them directly into the browser, and avoid relying on links from emails or untrusted websites.
  • Educate staff in organisations about the risks of downloading unlicensed or pirated software, and implement policies that restrict access to such sources.

For businesses, comprehensive endpoint protection and regular cybersecurity awareness training can help mitigate the risk of infection across networks.

This campaign serves as a reminder of the ever-evolving tactics cybercriminals use to deceive users. As attackers grow more sophisticated in mimicking popular brands, vigilance and proactive security remain the best defense.

The Analyst

The Analyst delivers in-depth, data-driven insights on technology, industry trends, and digital innovation, breaking down complex topics for a clearer understanding. Reach out: Mail@Tech-ish.com
