Crypto: Nitrokod, this malware disguised as Google Translate

Thu 01 Sep 2022 ▪ 6:00 PM ▪

min read – by

This malware, masquerading as Google Translate, was able to mine cryptocurrency for quite some time without the knowledge of 112,000 computer owners. Fortunately, Check Point Software was able to expose this malware-signed Nitrokod.

A fake Google Translate app to mine XMR

Last Monday, Check Point Software Technologies made public the existence of malware published by an entity called “Nitrokod”. This software, masquerading as Google Translate, is in fact malicious and has long avoided the radar of the US-Israeli cybersecurity specialist.

Here’s the ad:

@_CPResearch_ has detected a #cryptominer #malware campaign, which may have infected thousands of machines worldwide. The attack, dubbed “Nitrokod”, was initially discovered by Check Point XDR.»

To date, this software developed by Nitrokod INC has been able to infect nearly 112,000 computers. Here, “infect” is an understatement, as its installation has enabled the mining of cryptocurrencies, especially Monero (XMR).

Users didn’t suspect anything because they apparently downloaded “free and safe software”. They can be downloaded from popular sites like Uptodown, Softpedia, etc. and have many positive reviews. Many people have been misled by this fake desktop version of Google Translate as it has an average rating of 9.3/10 on Softpedia.

Screenshot on Softpedia

This shows how cunning the Nitrokod team is. Moreover, offering a desktop version of a widely used application such as Google Translate or Youtube Music Desktop is a very fruitful practice for these hackers.

Nitrokod .’s modus operandi

According to CPR, Nitrokod is the author of a crypto mining campaign that has infected thousands of machines in 11 countries. Active since 2019, this software developer does the following:

  • edit popular software without official desktop version;
  • provide easy-to-develop programs from official web pages based on Chromium;
  • separate malicious activities from the Nitrokod program to dispel mistrust;
  • make sure the user installs the Google Translate application without asking any questions;
  • suggest installing an update file to sneak in the real malware;
  • connect the malware to the C&C server to get a configuration for the XMRig cryptominer;
  • then start the crypto mining itself.
Nitrokod Attack Stages

It should be noted that detecting this malware was very difficult for Check Point Software Technologies. Maya Horowitz, vice president of the company’s research division, confessed:

What is most interesting to me is the fact that this malware is so popular, yet has remained under the radar for so long.»

The imitation of the real software seems perfect, to the point of fooling people who live in Israel, Cyprus and even Australia.

If you want to avoid these kinds of apps, here’s Horowitz’s advice:

Watch out for similar domains, misspellings on websites, and unknown email senders. Only download software from well-known, authorized publishers or suppliers and ensure a high level of security for complete protection.»


With the advent of cryptocurrencies, various forms of cybercrime have emerged on both sides of the planet. This fake Google Translate app falls into AVG’s “cryptojacking” category. So, once installed on your computer, it will pump all of your system’s resources, and as a result, increase your electricity bill. Note that cryptojacking is limited to mining cryptocurrencies that yield money to the attacker. So your data will remain safe unless hackers decide to change their process.

Get an overview of news in the world of cryptocurrencies by subscribing to our new service from newsletter daily and weekly, so you don’t miss out on the essential Coinstand!


The blockchain and crypto revolution is underway! And the day the impact will be felt on the world’s most vulnerable economy, against all odds, I’ll say I had something to do with it

Leave a Comment