KMPlayer updater pushed fake malware release
KMPlayer's update flow offered a fake 3.7.0.87 release that installed malware. KMP Media confirmed external attack activity and warned July-August 2013 users.
Story
KMPlayer users saw an update prompt for version 3.7.0.87 even though the vendor's current clean release was 3.6.0.87. The updater connected to cdn.kmplayer.com/player/update and downloaded KMP_3.7.0.87.exe, which did not perform a normal upgrade.
Taiwanese security reporting said the fake updater installed malware into a hidden folder. It also described relay or command domains under abacocafe.com, including pen.abacocafe.com, pens.abacocafe.com, cdn.abacocafe.com, and vpen.abacocafe.com.
KMP Media acknowledged an external attack through a KMPlayer emergency notice. The company warned users who downloaded or installed KMPlayer between 2013-07-26 and 2013-08-08 to scan their systems, said it had strengthened software security, and referred the matter to investigators.
This record replaces weaker 2018 adware-bundling notes. The 2013 event fits the archive better: a real product update path, a fake release executable, a vendor confirmation, and concrete infrastructure indicators.
Affected Artifacts
- Observed: 2013-07-26 to 2013-08-08
- Compromised Versions:
- Fixed: 3.6.0.87
- Evidence: distribution: cdn.kmplayer.com/player/update, mirror: ithome.com.tw/news/82002, mirror: informationsecurity.com.tw/article/article_detail.aspx, file: KMP_3.7.0.87.exe
- Taiwanese reporting described 3.6.0.87 as the current legitimate vendor release while the update mechanism presented a fake 3.7.0.87 update.
Incident Context
- Cause: Update Infrastructure Compromise
- Transitive: No
External References
- KMPlayer officially confirms malware distribution and refers case to investigators (ithome.com.tw)
- KM Player compromised, update mechanism downloads malware (informationsecurity.com.tw)
Source record: proprietary/kmplayer/meta.yaml