Beware of fake MSI Afterburner that installs cryptojacking and information-stealing malware


Posts: 8,324   +103
Staff member
In brief: If you downloaded MSI Afterburner recently, it might be prudent to check your system for any malicious software. Researchers have found that a large number of websites have been impersonating MSI's official site to trick users into downloading malware alongside the overclocking tool.

Cyble Intelligence and Research Lab (CRIL) discovered several phishing campaigns that use MSI Afterburner to deliver XMR (Monero) cryptomining and information-stealing malware via 50+ fake replica websites.

MSI Afterburner is a free utility that lets you overclock, monitor, benchmark, and video capture. It works on all graphics cards, making it very popular for those looking to squeeze every drop out of their GPU. You can download it safely here.

But that popularity has seen cybercriminals turn to MSI Afterburner as a way of distributing malware. CRIL writes that the campaigns involve phishing emails, online ads, and various other means of spreading links to the fake websites. Some of the domain names include,, and

Anyone who downloads and executes the fake MSI Afterburner setup file will find that the real version of the software is installed. However, the installer also adds the RedLine information-stealing malware and an XMR miner to the device.

As with other cryptojacking malware, the miner, which connects to a mining pool to mine Monero using a hardcoded username and password, takes up a huge amount of system resources, severely impacting performance. Bleeping Computer writes that the miner only activates 60 minutes after the CPU has entered idling, so the computer is not running any resource-intensive programs. It also means the device has probably been left unattended.

While this is happening, the RedLine Stealer is running in the background, pilfering passwords, cookies, browser information, and (potentially) cryptocurrency wallets.

Worst of all, the campaigns' malicious elements are only detected by a tiny number of antivirus programs, so discovering you've been infected might not be as easy as running a security tool.

This isn't the first time Afterburner has been used to deliver malicious programs. MSI last year warned people not to visit a duplicate of its official website created by hackers, which contained a malware-loaded piece of software disguised as the overclocking app.

Permalink to story.



Posts: 81   +121
First I thought to ask "why even bother OCing todays dynamic boosted GPUs anyway?"...
...but then I remember that you need to downvolt those fission reactors they sell nowadays.


Posts: 707   +451
Uh, any info on determining if you have the malware? I see that it might be difficult to determine, but no info on how to determine if you're infected.


Posts: 352   +43
If computer goes like sirup you most likely infected. download malwarebytes free scan.or uninstall and get if from real www site. easy. the infection cant stay in pc forever. as antivirus geting updaten windows defender eset avg and so on.ifit running hot repaste it and run it offline to se if it would connect to servers but cant. install GLASS program.
Last edited:


Posts: 251   +182
Excellent place to hide an XMR mining module. Users actually expect their GPU to melt when running MSI Afterburner, so nothing is suspicious.
Last edited: