Connect with us

Hi, what are you looking for?



Archive Server of Pale Moon Open Source Browser Hacked

Developers of the open source web browser Pale Moon revealed on Wednesday that the project’s archive server was compromised and all executable files were infected with malware.

Developers of the open source web browser Pale Moon revealed on Wednesday that the project’s archive server was compromised and all executable files were infected with malware.

Pale Moon is an open source browser that focuses on customization and efficiency. The project is forked from Firefox code, but it uses its own layout engine (Goanna) and still provides support for some legacy Firefox extensions. Last year, it reported having somewhere between 750,000 and 1.25 million users.

Pale Moon informed users that its archive server hosted at was hacked and archived executables, including installers and PE files, were altered to include a malware dropper tracked by ESET as Win32/ClipBanker.DY. When users would run the malicious files, a piece of malware described as a “trojan/backdoor” would be dropped on their systems.

The incident was discovered on July 9 and the impacted server was immediately shut down. However, an investigation revealed, based on the timestamps of infected files, that the attackers may have gained access to the server as early as December 27, 2017.

“It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach,” Pale Moon developers said in a post on their forum.

The targeted files were likely infected locally rather than being uploaded remotely, with roughly 3 Mb of data being added to each of them.

However, Pale Moon developers have limited data for their investigation due to the fact that the archive server became completely inoperable in late May 2019, which resulted in system logs that could have contained information on how the attacker got in getting lost. The incident in May might have been caused by the same attackers or someone with similar access.

Advertisement. Scroll to continue reading.

The most likely scenario, Pale Moon maintainers believe, is that the attack was possible due to poor security on the part of the VM provider, which is why a new hosting service will be used.

Pale Moon determined that the hackers altered all archived executable files for version 27.6.2 and below of the browser. Files stored outside the archive server were not affected.

Users who haven’t downloaded files from are “almost certainly in the clear.” Users who are concerned that they may have downloaded a malicious file have been advised to use the PGP signature files or other methods described in the forum post to make sure they haven’t been tampered with.

“If you have inadvertently run an infected installer or portable self-extractor, I suggest you do a full scan and clean of your system with reputable antivirus software to clean this malware,” users have been advised.

Related: Attacker Offers Advice to After Hacking Its Systems

Related: Coverity Scan Hacked, Abused for Cryptocurrency Mining

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...