
PrivateLoader: The first step in many malware schemes

February 9, 2022

PrivateLoader is delivered through a network of websites that claim to provide "cracked" software, that is, modified versions of popular legitimate applications that people commonly use. These websites are SEO-optimized and usually appear at the top of search results for queries that contain keywords such as "crack" or "crack download" preceded by the software name. Visitors are lured into clicking a "Download Crack" or "Download Now" button to obtain an allegedly cracked version of the software. The JavaScript for the download button is retrieved from a remote server. After a few redirections, the final payload is served to the user as a password-protected compressed (.zip) archive that contains one of the malware payloads mentioned above.
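
Because the final stage arrives as a password-protected .zip, a scanner without the password cannot inspect its contents, so a download gateway or triage script can at least flag such archives for blocking or manual review. The following is an added example, not code from the original report; the function names and the sample file name `setup.exe` are assumptions, and the sample archives are constructed in memory.

```python
import io
import zipfile

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose bit flag: entry is encrypted


def encrypted_entries(data: bytes) -> list[str]:
    """Return names of encrypted members, or raise ValueError if not a ZIP."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP archive")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def triage(data: bytes) -> str:
    """Classify a downloaded file for gateway or sandbox routing."""
    try:
        locked = encrypted_entries(data)
    except (ValueError, zipfile.BadZipFile):
        return "not-zip"
    return "password-protected" if locked else "scannable"


def constructed_sample(encrypted: bool) -> bytes:
    """Build a tiny in-memory ZIP; optionally mark its entry as encrypted.

    Constructed test data: the flag is set by patching the central directory
    record; the payload is harmless text and is not really encrypted.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("setup.exe", b"constructed placeholder content")
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.find(b"PK\x01\x02")   # central directory file header
        raw[cd + 8] |= ENCRYPTED_FLAG  # flag field sits 8 bytes into the record
    return bytes(raw)


if __name__ == "__main__":
    for label, blob in [("plain", constructed_sample(False)),
                        ("locked", constructed_sample(True)),
                        ("text", b"hello")]:
        print(label, "->", triage(blob))
```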