This Mutant Adware Is Killing Antivirus: What to Do

Prominent Romanian cybersecurity and antivirus software company Bitdefender has revealed the latest resilient weapon for crooks looking to breach Windows operating systems: a piece of adware the researchers are calling Zacinlo.

The phony VPN's interface allowed users to believe they were enabling a connection rather than downloading adware. (Credit: Bitdefender)

It turns out that around 2,500 machines have, since 2012, installed a fake VPN application called S5Mark that, unbeknownst to the machines' users, came bundled with this sophisticated bit of adware. 

What to Do

Removing a Zacinlo infection is quite difficult, but a Bitdefender researcher told ZDNet that the best way is to use an antivirus rescue disk: a USB stick or optical disk that boots the infected machine into a specialized form of Linux, which then scans the Windows drive without ever running Windows (and therefore without running the rootkit). Rescue disk images are offered for free by many antivirus vendors -- Bitdefender has instructions on how to create one here.


Where Did Zacinlo Come From?

The masterminds behind Zacinlo have been spreading it since 2012 and are believed to have optimized it for Windows 10 sometime in the past two years.

Zacinlo activity saw big spikes in 2014 and 2015, but the adware was most active late in 2017. Its victims are heavily concentrated in the U.S. and on Windows 10 machines -- about 90 percent of Zacinlo-infected systems were running Windows 10.

Two factors now make Zacinlo a bigger threat than it was a year ago. First, it can survive most traditional defenses against malware. The adware is able to upload your system's configuration information to a remote command-and-control server for analysis. The command-and-control server can then instruct the adware to disable and uninstall other applications on your computer -- namely, your antivirus and anti-malware programs, as well as competing strains of adware. 

Second, Zacinlo is now a rootkit, operating at the lowest level of the operating system, which makes it very hard to detect. It also writes reinstallation information to the Windows Registry so that it will survive reboots and perhaps even system upgrades.

Additionally, it's dangerous. Zacinlo has (so far) mainly been deployed to inject ads into web pages and to run a "headless browser" (an invisible browser without a user interface) to click ads in the background of victims' computers. 

It Could Mess with Online Payments

But the adware is capable of more sinister business. Because it uses a stolen It's also capable of intercepting even encrypted communication, which could enable it to view and tamper with your online payments.

It can redirect browser requests, meaning it can load fake web pages that look exactly like the real thing. And it contains a module that can remotely take and transfer screenshots of your screen -- which could compromise a lot of your personal information. 

Bottom Line

This discovery should serve as a wake-up call: Don't download shady software. Before installing VPN software, do your research and make sure it's one you can trust.
