VSDC links served stealer chain

The first documented VSDC compromise was a direct attack on the vendor website. Qihoo 360 reported that the official videosoftdev.com download links were changed on 2018-06-18, 2018-07-02, and 2018-07-06.

The substituted links did not serve the normal installer. They redirected users to 5.79.100.218/_files/file.php or drbillbailey.us/tw/file.php, where a JavaScript file posed as VSDC software. That script launched PowerShell and pulled additional payloads from attacker infrastructure.

The payload chain included AZORult Stealer, X-Key Keylogger, and DarkVNC. 360 described stolen data going to system-check.xyz; BleepingComputer also reported Telegram, Steam, Skype, Electrum, screenshots, keystrokes, and remote-control capability.

VSDC confirmed that attackers reached the administrative side of the website and tried to replace distribution-file links, while the distributives themselves were not damaged. The company said it restored site files, removed fake files, changed passwords, added two-factor access controls, and installed server-side file validation.

Motive

Financial Gain

Attribution

Group

Cause

Website Compromise

Transitive

No

Actor

Cybercriminal

• Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, Morebleepingcomputer.com
• Famous software VSDC official website was hacked and affected more than 30 countriesblog.360totalsecurity.com
• VSDC Video Editor team has detected and stopped hacker attacks on the websitevideosoftdev.com