Kaspersky finds fake sites spreading Trojan-Downloader TookPS under the guise of popular software
Kaspersky has uncovered that a Trojan-Downloader dubbed TookPS is being spread through malicious websites imitating popular remote access and 3D modeling software. First observed by Kaspersky experts in early March, this Trojan infects users’ devices with backdoors, allowing for unauthorized stealth access to the victim’s system.
Kaspersky Threat Research experts warn that users are being lured to fake websites that mimic official pages or falsely claim to offer free downloads of popular software, such as UltraViewer, AutoCAD, and SketchUp, commonly utilized both for business and personal purposes.
However, when users click the ‘download’ buttons, they unknowingly get TookPS instead of the application they were looking for. The potential victims of this campaign could include both individuals and organizations.


Examples of malicious websites capitalizing on legitimate software brands
Once on the device, TookPS runs a series of scripts and technical processes that allow attackers to install a backdoor on the victim’s system, granting them hidden remote access and the ability to execute arbitrary commands.
Based on technical analysis of the malicious files, Kaspersky researchers also believe that there may be other lures — for example, those capitalizing on well-known software brands such as Ableton (used for music production) or Quicken (used for personal finance management).
“Earlier, we discovered several malicious campaigns that used DeepSeek’s brand as bait. One of the threats described was TookPS. As we now observe, it isn’t just pretending to be an AI tool; that was only the tip of the iceberg. This is a broader campaign, targeting both individuals and organizations, where malware is hidden under different guises to lure in as many potential victims as possible,” explains Vasily Kolesnikov, security expert at Kaspersky. “To avoid falling victim to such attacks, we urge users to stay vigilant: always double-check links and websites, and avoid searching for pirated software online.”
Learn more in the technical report on Securelist.
Kaspersky shares the following recommendations to avoid general cyberthreats when surfing the internet:
- Modern security solutions such as Kaspersky Next for organizations and Kaspersky Premium for individuals provide users with safe browsing features, protecting against dangerous websites, downloads and extensions.
- It’s safe practice to type the web address directly into the web browser. If an email contains a link, do not click it; first hover over it to see whether it looks accurate. If it looks okay, search for it on your own rather than following the link. Dangerous websites can look identical to authentic ones.
- For organizations, Kaspersky advises implementing a robust security policy that prohibits downloading software from unverified or pirated sources. Regular cybersecurity training should also be conducted to ensure employees remain informed and alert to potential threats.