New NullMixer Malware Campaign Stealing Users” Payment Data and Credentials (7th October 2022)

Ref# AL2022_64 | Date: Oct 7th 2022


A new malware dropper known as “NullMixer” is simultaneously infecting Windows devices with a dozen different malware families via fake software cracks promoted on malicious sites in Google Search results. 


NullMixer acts as an infection funnel, launching a dozen different malware families with a single Windows executable, resulting in over two dozen infections on a single device. Password-stealing trojans, backdoors, spyware, bankers, phony Windows system cleaners, clipboard hijackers, cryptocurrency miners and even more malware loaders are among the infections. Malware distributors use “black hat SEO” (Black hat SEO is a practice that violates search engine guidelines and is used to boost a website”s ranking in search results.) to promote websites promoting fake game cracks and pirated software activators in high search result positions on Google.  

Because software cracks and cheats commonly need to modify game files, users downloading them disregard AV warnings about unsigned and potentially dangerous executables, bypassing security controls and executing them manually. 

The operators may choose to cause havoc for the sake of fame, promote their tool as a highly effective malware dropper, or achieve absurd levels of redundancy. 

Remediation and Mitigation 

In any case, it would be nearly impossible for all of those malware families to run on a compromised computer without causing a slew of symptoms that would alert the victim to the infection. These symptoms include heavy hard disk activity, increased CPU and memory utilization, unusual windows opening for no apparent reason or simply a noticeable performance issue on the infected device are examples of these symptoms. As a result, NullMixer is no longer a stealthy threat but a catastrophic encounter that will almost certainly require a Windows reinstall. When downloading executables from unknown sources, users should always think about the risks. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.  

PDF Download: NullMixer Malware Campaign Stealing Users Payment Data and Credentials.pdf