
Hackers access Windows devices through fake Pokémon game

Hackers have launched a fake Pokémon game and are using it as a vessel to distribute a remote access tool (RAT) and gain control of Windows devices.

Daniel Croft
Tue, 10 Jan 2023

Aiming to draw users in on both the popularity of Pokémon and the potential financial gain of NFTs, Pokemon-go[.]io allows users to download what they believe is the game’s installer by clicking the “Play on PC” button.

Instead, those who open the proverbial Poké ball and try to download the game will unknowingly install the NetSupport RAT, allowing bad actors to take control of the victim’s device.

The use of Pokémon as a draw poses an additional risk, with the scam enticing young children, who are less likely to be able to identify a non-legitimate website.

NetSupport RAT is a legitimate program that was designed for use by administrators, allowing them to remotely access devices and fix issues. It is a powerful tool that allows for screen recording, remote control, system monitoring, network traffic encryption and much more.

However, bad actors are well known to abuse the software to gain control of victims’ devices and lock them and steal data in return for a ransom, as well as for other intentions.

Once a victim downloads and runs the “client32.exe” installer, the software is installed under the hidden %APPDATA% path, which is home to important files such as application settings. Furthermore, the software’s files are themselves marked hidden, making them hard for victims to find.

The Windows Start-up folder is also modified so that the RAT runs each time the system boots.
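The two persistence traits described above, a hidden client32.exe under %APPDATA% and a Start-up folder entry that launches it, are easy for a defender to check for. The script below is an added example written for this article, not code from ASEC or from the article itself; it assumes only the file name "client32.exe" quoted in the report and the standard Windows Start-up folder locations. It lists hidden copies of that file under %APPDATA% and every Start-up entry (per-user and all-users), resolving .lnk shortcuts to their targets and flagging any that point at client32.exe or into %APPDATA%.

```powershell
# Added example (not from the article or ASEC): look for the persistence
# pattern described above. Assumes only the indicator file name "client32.exe"
# from the report and the standard Windows Start-up folder locations.

function Find-NetSupportPersistence {
    param(
        # File name named in the ASEC report; change if hunting a renamed copy
        [string] $IndicatorName = 'client32.exe'
    )

    $findings = @()
    $appData  = $env:APPDATA

    # 1. Hidden (or plain) copies of the indicator anywhere under %APPDATA%.
    #    -Force makes Get-ChildItem return hidden files as well.
    Get-ChildItem -Path $appData -Recurse -Force -File -Filter $IndicatorName `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type       = 'FileUnderAppData'
                Path       = $_.FullName
                Target     = $_.FullName
                Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                Created    = $_.CreationTime
                Suspicious = $true
            }
        }

    # 2. Start-up folder entries. Both the per-user and the all-users folders
    #    are checked; shortcuts are resolved to the program they launch.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $shell = New-Object -ComObject WScript.Shell

    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target = [string]$_.FullName
                if ($_.Extension -ieq '.lnk') {
                    $target = [string]$shell.CreateShortcut($_.FullName).TargetPath
                }
                # Flag entries that launch the indicator binary, or anything
                # that autostarts from inside %APPDATA% (worth a second look;
                # some legitimate software also updates itself from there).
                $leaf = [IO.Path]::GetFileName($target)
                $suspicious = ($leaf -ieq $IndicatorName) -or
                              $target.StartsWith($appData, 'OrdinalIgnoreCase')

                $findings += [pscustomobject]@{
                    Type       = 'StartupEntry'
                    Path       = $_.FullName
                    Target     = $target
                    Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Created    = $_.CreationTime
                    Suspicious = $suspicious
                }
            }
    }

    return $findings
}

# Usage: run in the context of the user whose profile is being examined.
$results = Find-NetSupportPersistence
$results | Sort-Object Suspicious -Descending | Format-Table -AutoSize

if ($results | Where-Object Suspicious) {
    Write-Warning 'Suspicious Start-up or %APPDATA% artefacts found; review before removing.'
}
```

Because the check reads only the current user's %APPDATA% and Start-up folders, it should be run once per interactive user (or with the paths pointed at each profile) rather than once per machine. A flagged Start-up entry is a lead, not a verdict: confirm the target binary's publisher and hash before acting on it.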

The fake game first appeared in 2022, following in the footsteps of a similar scam by the same operators which advertised a file for Adobe Visual Studio.

The AhnLab Security Emergency-response Center (ASEC) discovered the scam, revealing that the executable was originally available on a second website — betapokemoncards[.]io. The second site has since gone offline.

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
