Security Experts:

Connect with us

Hi, what are you looking for?



Archive Server of Pale Moon Open Source Browser Hacked

Developers of the open source web browser Pale Moon revealed on Wednesday that the project’s archive server was compromised and all executable files were infected with malware.

Developers of the open source web browser Pale Moon revealed on Wednesday that the project’s archive server was compromised and all executable files were infected with malware.

Pale Moon is an open source browser that focuses on customization and efficiency. The project is forked from Firefox code, but it uses its own layout engine (Goanna) and still provides support for some legacy Firefox extensions. Last year, it reported having somewhere between 750,000 and 1.25 million users.

Pale Moon informed users that its archive server hosted at was hacked and archived executables, including installers and PE files, were altered to include a malware dropper tracked by ESET as Win32/ClipBanker.DY. When users would run the malicious files, a piece of malware described as a “trojan/backdoor” would be dropped on their systems.

The incident was discovered on July 9 and the impacted server was immediately shut down. However, an investigation revealed, based on the timestamps of infected files, that the attackers may have gained access to the server as early as December 27, 2017.

“It is possible that these date/time stamps were forged, but considering the backups taken from the files, it is likely that this is the actual date and time of the breach,” Pale Moon developers said in a post on their forum.

The targeted files were likely infected locally rather than being uploaded remotely, with roughly 3 Mb of data being added to each of them.

However, Pale Moon developers have limited data for their investigation due to the fact that the archive server became completely inoperable in late May 2019, which resulted in system logs that could have contained information on how the attacker got in getting lost. The incident in May might have been caused by the same attackers or someone with similar access.

The most likely scenario, Pale Moon maintainers believe, is that the attack was possible due to poor security on the part of the VM provider, which is why a new hosting service will be used.

Pale Moon determined that the hackers altered all archived executable files for version 27.6.2 and below of the browser. Files stored outside the archive server were not affected.

Users who haven’t downloaded files from are “almost certainly in the clear.” Users who are concerned that they may have downloaded a malicious file have been advised to use the PGP signature files or other methods described in the forum post to make sure they haven’t been tampered with.

“If you have inadvertently run an infected installer or portable self-extractor, I suggest you do a full scan and clean of your system with reputable antivirus software to clean this malware,” users have been advised.

Related: Attacker Offers Advice to After Hacking Its Systems

Related: Coverity Scan Hacked, Abused for Cryptocurrency Mining

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.