Security Experts:

Connect with us

Hi, what are you looking for?



Fake Meltdown/Spectre Patch Installs Malware

Cybercriminals are already taking advantage of the massive attent

Cybercriminals are already taking advantage of the massive attention the recently detailed Meltdown and Spectre CPU flaws have received, in an attempt to trick users into installing malware instead, Malwarebytes warns.

Made public in early January, Meltdown and Spectre are two new side-channel attack methods against modern processors and are said to impact billions of devices. Based on vulnerabilities at the CPU level, the flaws allow malicious apps to access data as it is being processed, including passwords, photos, documents, emails, and the like.

Chip makers and vendors were alerted on the bugs last year, and some started working on patches for their users several months ago, but waited for a coordinated public disclosure set for last week. Apple, Microsoft, Google, Canonical, and IBM are just a few of the vendors that have already deployed patches.

Soon after the patches began rolling out, however, attacks taking advantage of the Meltdown/Spectre fever surfaced. One of them, Malwarebytes reports, is targeting German users with the SmokeLoader malware.

The attack was spotted soon after the German authorities issued a warning on phishing emails trying to take advantage of infamous bugs started to appear.

The emails appeared to come from the German Federal Office for Information Security (BSI), and Malwarebytes discovered a domain that also posed as the BSI website. Recently registered, the SSL-enabled phishing site isn’t affiliated with a legitimate or official government entity, but attempts to trick users into installing malware.

The website is offering an information page that supposedly provides links to resources about Meltdown and Spectre, bug also links to a ZIP archive ( that contains malware instead of the promised security patch.

Once a user downloads and runs the file, the SmokeLoader malware, which is capable of downloading and running additional payloads, is installed. The security researchers have observed the threat attempting to connect to various domains and sending encrypted information.

By analyzing the SSL certificate used by the fraudulent domain, the security researchers discovered other properties associated with the .bid domain, including a German template for a fake Adobe Flash Player update.

The security researchers have already contacted Comodo and CloudFlare to report the fraudulent website, and the domain stopped resolving within minutes after CloudFlare was informed on the issue.

“Online criminals are notorious for taking advantage of publicized events and rapidly exploiting them, typically via phishing campaigns. This particular one is interesting because people were told to apply a patch, which is exactly what the crooks are offering under disguise,” Malwarebytes concludes.

Related: Microsoft Patches for CPU Flaws Break Windows, Apps

Related: Meltdown Patch Broke Some Ubuntu Systems

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...