A link to the full analysis I conducted is included below. What follows is only a brief summary, and I strongly recommend reading the full report to better understand the scope of what was analyzed instead of relying only on this post, since this is not the complete analysis.
https://old.reddit.com/r/PiracyBackup/comments/1sx8u7f/warning_possible_infostealer_found_in_
(The report, including the link to it on my GitHub, is available through that link. Since I cannot post it directly here, just click above and you will be redirected to the post on Old Reddit. Inside that post, you will find the link to my GitHub repository under the name “thebinaryanalyst73-bit.” I apologize for not being able to include the direct link in this post.)
This post is intended purely as a malware analysis and community safety warning for people downloading pirated 4d0be software. My goal is not to attack or accuse any individual or group. This is not an accusation, even if some of the observations may initially seem suggestive. It is a technical report based on independent forensic analysis and publicly available evidence, shared so that others can review the findings themselves.
Hello, and I hope this post does not violate the forum rules. I kindly ask the moderators to read this before removing it, because this is being posted strictly as a public security warning and technical analysis related to software distributed in piracy communities.
The file I analyzed was distributed as 4d0be Illustrator 2026 (v30.3) Multilingual on the uztracker tracker and was obtained through sources publicly associated with mOnkr-us releases. To avoid confusion regarding authenticity and source verification, I want to clarify that this was not downloaded from a random mirror, repost, or fake redistribution pretending to be related to mOnkr-us.
The sample was traced back to the Telegram channel publicly identified as:
Official mOnkr-us channel - (@)real_monkr()us - 15K subscribers
At the time of verification, the release links associated with the analyzed sample were being shared through that source. I am intentionally not posting direct download links, torrent links, or redistribution links here because I do not want to violate subreddit rules regarding piracy content distribution. This information is included only to clarify the origin chain of the analyzed sample and to reduce the chance of people dismissing the findings under the assumption that this came from an unrelated fake mirror or impersonation source.
I also want to make it absolutely clear that this is not a claim of intent and not a direct accusation against any individual, channel, or group. The purpose of this post is only to document what the sample did during analysis, how it behaved, and why it may pose a security risk. The wording here is meant to describe the evidence, not to assign blame.
The ISO I analyzed contained three files: AutoPlay.exe, which appeared to be a legitimate old 4d0be launcher; autorun.inf, which was harmless; and Set-up.exe, which turned out to be a fully functional infostealer.
What made this especially concerning is that the installer still behaves like a normal 4d0be installer. The software installs successfully while the malware runs silently in the background, giving the victim little to no indication that anything malicious occurred.
During reverse engineering and sandbox analysis, I found that the malware uses a multi-layer delivery chain designed to avoid antivirus detection. The malicious payload was hidden inside multiple nested execution layers and eventually executed through rundll32.exe using a .NET DLL named MSICustomActionDLL.dll.
The malware collected system information through WMI queries, gathered user and machine identifiers, contacted a live command-and-control server, and showed strong anti-VM and anti-debugging behavior intended to evade analysis environments.
The investigation also revealed persistence mechanisms involving fake Google updater services configured for automatic startup, suspicious process injection behavior, credential access activity, and communication with a live C2 endpoint hidden behind Cloudflare infrastructure.
Even more concerning, the same payload DLL hash and infrastructure were publicly linked by another researcher to a separate trojanized 4d0be Photoshop package distributed around the same timeframe, suggesting this may have been part of a broader multi-product campaign rather than an isolated incident.
Despite all of this behavior, the sample maintained zero detections across dozens of antivirus engines for a significant period of time, likely due to the combination of layered obfuscation, trusted installer abuse, anti-analysis techniques, and execution through legitimate Windows binaries.
All references, hashes, sandbox reports, extracted samples, infrastructure indicators, and sources used during the investigation are included at the end of the repository for independent verification. Anyone is free to review the evidence themselves, validate the findings independently, or perform additional analysis from their own perspective.
TL;DR: A torrent distributed as 4d0be Illustrator 2026 (v30.3) Multilingual from sources publicly associated with mOnkr-us releases contained a hidden infostealer inside Set-up.exe. The malware installs alongside the real software, steals system and user data, uses anti-VM and anti-debugging techniques, establishes persistence through fake Google updater services, and communicates with a live C2 server. The same payload was also linked to another trojanized 4d0be package, suggesting a potentially broader ongoing campaign.
I would genuinely appreciate seeing additional independent analysis from other researchers or experienced reverse engineers. Once again, this post is not intended as a definitive accusation against any specific person, channel, or group. It is simply the publication of technical findings from an investigation into a suspicious sample distributed through a widely trusted piracy source.
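For anyone wanting to triage their own machine for the two host-side behaviors described above (auto-start services posing as a Google updater, and rundll32.exe loading a DLL named MSICustomActionDLL.dll), the following PowerShell script is an added example written for this post; it is not part of the author's report or repository. The Google-name patterns and the "must be validly Google-signed" rule are assumptions for illustration, so anything it flags still needs manual review.

```powershell
# Added host triage script (not from the original report). Run elevated.
# Check 1: auto-start services that look like Google updaters but whose
#          binary is not validly signed by Google.
# Check 2: running rundll32.exe whose command line references the DLL name
#          given in the post (MSICustomActionDLL.dll).
function Get-SuspiciousGoogleUpdaterServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.StartMode -eq 'Auto' -and
            ($_.Name -match 'google|gupdate' -or $_.DisplayName -match 'google')
        } |
        ForEach-Object {
            # Recover the executable path from PathName, handling quoted paths
            $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
                   else { ($_.PathName -split '\s+')[0] }
            $sig = if (Test-Path -LiteralPath $exe) { Get-AuthenticodeSignature -FilePath $exe } else { $null }
            $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned or file missing' }
            # Assumption: a genuine updater is validly signed by Google; everything else is reported
            if (-not ($sig -and $sig.Status -eq 'Valid' -and $signer -match 'Google')) {
                [pscustomobject]@{
                    Service = $_.Name
                    Display = $_.DisplayName
                    Path    = $exe
                    Signer  = $signer
                    Status  = if ($sig) { $sig.Status } else { 'NoFile' }
                }
            }
        }
}

function Get-SuspiciousRundll32 {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" |
        Where-Object { $_.CommandLine -match 'MSICustomActionDLL\.dll' } |
        ForEach-Object {
            # Record the parent so the launch chain (installer -> rundll32) is visible
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                Pid         = $_.ProcessId
                Parent      = if ($parent) { $parent.Name } else { '<exited>' }
                CommandLine = $_.CommandLine
            }
        }
}

Get-SuspiciousGoogleUpdaterServices | Format-Table -AutoSize
Get-SuspiciousRundll32 | Format-Table -AutoSize
```

An empty result for both checks is not a clean bill of health; it only means these two specific artifacts were not present at the time of the scan.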