Krita art app users targeted by ransomware posing as paid 'collaboration' opportunities

Artists advised to delete emails asking them to download 'media bundle'

Krita, an open-source cross-platform digital painting application, has become the latest victim of ransomware – but rather than being attacked directly, its name is being used to spread malware among users via emails offering advertising revenue.

In one example of the emails seen by The Register the recipient was offered a fee to mention the app on YouTube in a 30 to 45-second advertising spot. The fees on offer: $350 for accounts with 10,000-80,000 subscribers, rising to $1,700 for those with up to a million – or "individually" priced for larger accounts.

Those looking to take advantage of the "offer" are asked to "register as a Krita partner" and sent a link to download the Windows version of the app and a "media pack" of assets – the link, naturally, pointing to a convincingly named domain outside the control of the Krita project and hosting a ransomware dropper which takes over the victim's system, encrypts their files, and demands payment to reverse the process.

"Some fraudsters are sending mails to artists with offers pretending to be from official Krita team or Foundation," artist Raghavendra Kamath wrote in one of the earliest warnings about the attack. "They have registered some domains like '' which redirect to [the] official .org domain. This confused people and tricks them in believing that the mail they received is from official team.

"I would like to make everyone aware that these mails are fraud mails and if you receive any communication from Krita team which originates from the email address other than then please mark it as spam and report for phishing. Also spread this word to your friends who may have got such mails."

"If you receive mail pretending to come from the Krita team from an email address that does not end in, like or, please be aware that these mails are scams," the project's maintainers wrote in their own warning on the topic.

"This is a ransomware attack. If you reply, you will get a link to a '' file that contains two programs masquerading as videos. There are now also fake installers that you are asked to run. Only download Krita from this website, Steam, Windows Store or Epic Store!"

"I almost downloaded this," wrote artist and Krita user Philip Hartshorn, one of the targets of the ongoing attack, "as it's a fairly convincing collaboration email/offer. I just happened to check the Krita Twitter before I did."

The waters are slightly muddied by the fact that while is indeed the official domain for the software's distribution, the project maintains a second domain for its forum:

While the first reports of the attack date back to nearly a month ago, evidence shows it is ongoing with the most recent examples dating to 11 September. Many of the sites used in the attack, however, are no longer responding, with registrar Namecheap confirming at least one termination following user reports – but with the attackers jumping onto new domains, the battle continues.

Those looking to download the real Krita are advised to do so from the official website – and to delete any unexpected emails offering collaborations. ®

Similar topics

Broader topics

Narrower topics

Other stories you might like

  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading

Biting the hand that feeds IT © 1998–2022