Popular Switch Serial Checker Website damota.me infected with infostealer malware

  • Thread starter Thread starter Maq47
  • Start date Start date
  • Views Views 476
  • Replies Replies 4

Maq47

#1 Anaxa Fan
Member
Joined
Jan 7, 2012
Messages
1,620
Reaction score
1,076
Trophies
2
Location
Your basement
XP
4,445
Country
United States
When you access damota.me's Switch serial checker via certain browsers (I use Firefox), it downloads a file that hijacks the user profile and sets hacked domains to open silently upon loading the browser. For me, the program that sets it was stored at C;\Users\<myname>\AppData\Roaming\Mozilla\Extensions\damota.exe. It's target box in Properties gave its nature away. I noticed it when it appeared in recently installed programs yesterday evening. I highly recommend NOT using this site for the foreseeable future. I have reported the site to Google as well.
 
  • Wow
Reactions: console
Just use this....

 
  • Like
Reactions: digdat0
Seem false, the path point to extension, I just tried it nothing happens.
So you also have the shortcut? So I'm not going crazy? Yes, it points to the extensions folder, but it also silently opens a connection to a random-looking website. Silently, as in, it doesn't open a tab or anything. This web page takes a 'logs' folder that actually contains a copy of all of your cookies, passwords, literally everything in your browser. It puts it in a folder in Chrome if it is installed, otherwise it writes to a renamed .zip file contained in C:\Users\YourName\AppData\Local\Temp\. I was able to find it there as well on my system, so it's probably redundancy from the virus and it tries to write it everywhere it can. The problem is, the virus didn't come from damota itself. It came from an ad-affiliated link to damota from Google. So there's nothing that can be done in that department, since not everyone gets it recommended to them due to targeted advertising these days.
 
So you also have the shortcut? So I'm not going crazy? Yes, it points to the extensions folder, but it also silently opens a connection to a random-looking website. Silently, as in, it doesn't open a tab or anything. This web page takes a 'logs' folder that actually contains a copy of all of your cookies, passwords, literally everything in your browser. It puts it in a folder in Chrome if it is installed, otherwise it writes to a renamed .zip file contained in C:\Users\YourName\AppData\Local\Temp\. I was able to find it there as well on my system, so it's probably redundancy from the virus and it tries to write it everywhere it can. The problem is, the virus didn't come from damota itself. It came from an ad-affiliated link to damota from Google. So there's nothing that can be done in that department, since not everyone gets it recommended to them due to targeted advertising these days.

Nothing on my end
 

Site & Scene News

Popular threads in this forum