Hackers are spoofing MSI’s Afterburner utility to infect gamers with malware

msi afterburner screen
A cyber risk and security analysis company called Cyble has discovered that there are a number of websites distributing a version of MSI Afterburner mixed with various strains of malware. Those who accidentally download this widely popular graphics card utility via one of the cleverly crafted fake domains might face malware issues like; unwanted cryptomining software and information theft software.

MSI Afterburner is a very popular free utility for graphics card owners, owners of all brands (not just MSI) and architectures (AMD or Nvidia). However, enthusiasts looking to install Afterburner on a new PC, or get an update via the web, should be very careful where they get it from. Cyble Research & Intelligence Labs (CRIL) has observed nearly 50 dubious domains come and go since early September, where MSI Afterburner is sneakily bundled with a selection of malware.

Specific malware applications that are being tricked with a genuine version of MSI Afterburner include; XMR Miner and Redline Stealer. CRIL provides some technical details of both malware installations. For informational purposes, it is enough to say that these malware applications are secretly installed together with the genuine MSI Afterburner, without user prompting, from download files with harmless names like browser_assistant.exe, install.exe and comp.cab, distributed by fake sites. .

Unofficial MSI afterburner sites set up by the threat actors (TAs) behind this malware campaign often contain text strings like msi-afterburner-download and use less popular domain extensions like .tech, .online, etc. We haven’t listed any overclocking-honey-trap sites here, in case a reader looking for an Afterburner download comes across this article, then nonchalantly copy-paste a malware site into their browser’s search/URL combo box . According to the source, the target sites look very similar to the MSI official site. Below you can compare the screenshot from the fake CRIL site to one we just took directly from the genuine https://www.msi.com/Landing/afterburner/graphics-cards today.

fake and real afterburner download
Top image (malware site) via CRIL, bottom image shows the original MSI site.


In a Google search for MSI Afterburner, none of the fake sites appeared on our first page of results, and the first result was the genuine official link as reproduced in the previous paragraph. However, some users on other platforms, in other regions, who may not ‘Google’ things, might somehow choose to download from one of the non-genuine links with the malware-infused download. Readers, be careful, or some TAs might steal your computer’s power, or your personal information and passwords.

Leave a Comment