IObit forum hacked in a DeroHE ransomware attack

A forum of IObit, a developer of anti-malware and anti-virus programs for the Microsoft Windows operating system, was compromised and used to distribute the DeroHE ransomware to its forum members.

According to BleepingComputer, over the weekend, IObit forum users started receiving emails ostensibly from IObit offering a free 1-year license to their software as a special bonus for being a forum member. The email contained a link that led to a forum webpage, which was distributing a .zip file containing digitally signed files from the legitimate IObit License Manager program, but with the IObitUnlocker.dll replaced with an unsigned malicious version.

Once executed, the malicious IObitUnlocker.dll would install the DeroHE ransomware to C:\Program Files (x86)\IObit\iobit.dll and execute it. According to Emsisoft researcher Elise van Dorp, who analyzed the ransomware, the malicious software adds several Windows Defender exclusions to allow the DLL to run.

When encrypting a victim's files, the DeroHE ransomware appends the .DeroHE extension to each encrypted file and appends a string of information to the end of the file. The ransomware also creates two files: FILES_ENCRYPTED.html, which contains a list of all encrypted files, and READ_TO_DECRYPT.html, the ransom note.

This ransom note promotes a cryptocurrency called DERO and instructs the victim to send 200 coins, worth about $100, to the address included in the note to receive a decryptor. The note also includes the ransomware's Tor payment site, which carries a message stating that IObit can send $100,000 in DERO coins to decrypt all victims because, according to the attackers, it is IObit’s fault that victims’ computers got infected.
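The artifacts described above (the payload path, the unsigned IObitUnlocker.dll, the Windows Defender exclusions, the .DeroHE extension and the two HTML files) can be checked on a Windows host with a short PowerShell triage script. This is an added example, not code from BleepingComputer, Emsisoft or IObit; the search locations, the `Add-Finding` helper and the `iobit` filter on exclusions are assumptions.

```powershell
# Added triage example. Indicator names come from the article; the search
# locations and the 'iobit' exclusion filter are assumptions.
param(
    [string]$SearchRoot  = "$env:SystemDrive\Users",      # assumption: where user data lives
    [string]$DownloadDir = "$env:USERPROFILE\Downloads"   # assumption: where the .zip was unpacked
)

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Check, [string]$Detail) {   # hypothetical helper
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Location where the article says the ransomware DLL is installed.
$payload = 'C:\Program Files (x86)\IObit\iobit.dll'
if (Test-Path -LiteralPath $payload) { Add-Finding 'Payload DLL present' $payload }

# 2. Encrypted files (.DeroHE), the encrypted-file list and the ransom note.
$noteNames = 'FILES_ENCRYPTED.html', 'READ_TO_DECRYPT.html'
Get-ChildItem -LiteralPath $SearchRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.DeroHE' -or $_.Name -in $noteNames } |
    ForEach-Object { Add-Finding 'Ransomware artifact' $_.FullName }

# 3. The swapped DLL was unsigned, while the files around it were signed.
Get-ChildItem -LiteralPath $DownloadDir -Recurse -File -Filter 'IObitUnlocker.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') {
            Add-Finding "IObitUnlocker.dll signature: $($sig.Status)" $_.FullName
        }
    }

# 4. Defender exclusions that mention IObit (heuristic; run elevated, since
#    exclusions may be hidden from non-administrators).
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref) {
    (@($pref.ExclusionPath) + @($pref.ExclusionProcess)) |
        Where-Object { $_ -match 'iobit' } |
        ForEach-Object { Add-Finding 'Defender exclusion' $_ }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { 'No DeroHE indicators found.' }
```

A hit on check 4 alone is only a lead, because the article does not list the exact exclusions the malware adds.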

At the time of writing, IObit had not provided any statement regarding the issue. It is unknown how the hackers managed to compromise the forum to host malware, but it is possible that they gained access to an administrative account.

Just this week, the OpenWrt Project revealed a security breach in which attackers gained access to an administrator account on the OpenWrt forum and stole a copy of the user list that contains email addresses, handles, and other statistical information about the users.
