Crypto: Nitrokod, this malware disguised as Google Translate

Impersonating Google Translate, this malware was able to mine cryptocurrency without the knowledge of 112,000 computer owners for quite some time. Fortunately, Check Point Software was able to expose this malware signed Nitrokod.

A fake Google Translate app to mine XMR

Last Monday, Check Point Software Technologies made public the existence of malware published by an entity called “Nitrokod”. This software, posing as Google Translate, is in fact malicious and has, for a long time, avoided the radar of the American-Israeli specialist in cybersecurity.

Here is the ad:

@_CPResearch_ has detected a #cryptominer #malware campaign, which has potentially infected thousands of machines worldwide. Dubbed “Nitrokod”, the attack was initially discovered by Check Point XDR.»

To date, this software developed by Nitrokod INC has been able to infect nearly 112,000 computers. Here, “infecting” is an understatement, since its installation has enabled the mining of cryptocurrencies, in particular Monero (XMR).

Users suspected nothing since they had downloaded apparently “free and safe software”. They are downloadable from popular sites like Uptodown, Softpedia, etc. and have many positive reviews. Many people have been misled by this fake desktop version of Google Translate as it has an average rating of 9.3/10 on Softpedia.

Screenshot on Softpedia

This demonstrates how very cunning the Nitrokod team is. Moreover, offering a desktop version of a widely used application such as Google Translate or Youtube Music Desktop is a very fruitful practice for these pirates.

The modus operandi of Nitrokod

According to CPR, Nitrokod is the author of a crypto mining campaign that has infected thousands of machines in 11 countries. Active since 2019, this software developer does the following:

  • edit popular software free of official desktop version;
  • offer easy-to-develop programs from official web pages based on Chromium;
  • segregate malicious activity from the Nitrokod program to eliminate mistrust;
  • ensure that the user installs the Google Translate application without having to ask questions;
  • suggest installing an update file to sneak in the real malware;
  • connect the malware to the C&C server in order to obtain a configuration for the XMRig crypto miner;
  • then launch the crypto mining itself.
Nitrokod Attack Stages

It should be noted that the detection of this malware was very difficult for Check Point Software Technologies. Maya Horowitz, vice president of the company’s research department, confessed:

What is most interesting to me is the fact that this malware is so popular, yet has been under the radar for so long.»

The imitation of the real software seems perfect, to the point of fooling people residing in Israel, Cyprus, even Australia.

If you want to avoid this kind of app, here’s Horowitz’s advice:

Beware of similar domains, misspellings in websites, and unknown email senders. Only download software from known, authorized publishers or vendors, and make sure you have a high level of security for complete protection.»


With the arrival of cryptocurrencies, several forms of cybercrime have emerged on both sides of the planet. This fake Google Translate app falls into the “cryptojacking” category ofAVG. So, once installed in your computer, it will make sure to pump all the resources of your system, and as a corollary, to increase your electricity bill. Note that cryptojacking is limited to the mining of cryptocurrencies which will make money for the attacker. Your data will therefore remain safe, unless hackers decide to change their process.

Receive a digest of news in the world of cryptocurrencies by subscribing to our new service of newsletter daily and weekly so you don’t miss any of the essential!

Similar Posts