Kaspersky has uncovered that a Trojan-Downloader dubbed TookPS is being spread through malicious websites imitating popular remote access and 3D modeling software.
First observed by Kaspersky experts in early March, this Trojan infects users’ devices with backdoors, giving attackers stealthy, unauthorised access to the victim’s system.
Kaspersky Threat Research experts warn that users are being lured to fake websites that mimic official pages or falsely claim to offer free downloads of popular software, such as UltraViewer, AutoCAD, and SketchUp, commonly utilised both for business and personal purposes.
However, when users click the ‘download’ buttons, they unknowingly get TookPS instead of the application they were looking for. The potential victims of this campaign could include both individuals and organisations.
Once on the device, TookPS runs a series of scripts and technical processes that allow attackers to install a backdoor on the victim’s system, granting them hidden remote access and the ability to execute arbitrary commands.
Based on technical analysis of the malicious files, Kaspersky researchers also believe that there may be other lures — for example, those capitalising on well-known software brands such as Ableton (used for music production) or Quicken (used for personal finance management).
“Earlier, we discovered several malicious campaigns that used DeepSeek’s brand as bait. One of the threats described was TookPS. As we now observe, it isn’t just pretending to be an AI tool; that was only the tip of the iceberg. This is a broader campaign, targeting both individuals and organisations, where malware is hidden under different guises to lure in as many potential victims as possible,” explains Vasily Kolesnikov, security expert at Kaspersky.
“To avoid falling victim to such attacks, we urge users to stay vigilant: always double-check links and websites, and avoid searching for pirated software online.”