Cybersecurity News that Matters

Cybersecurity News that Matters

Counterfeit Notion website distributes malware to harvest user data

Screen capture of phishing website of Notion. Source: AhnLab

by Chanwoo Yong

Mar. 05, 2024
11:30 AM GMT+9

A counterfeit installer for Notion, a popular collaboration platform boasting over 30 million users globally, has been identified. This fraudulent installer is designed to disseminate malware with the intent of stealing personal data, including cryptocurrency details.

On February 27, AhnLab, a cybersecurity firm based in South Korea, identified phishing pages that were distributing malicious files. Two days following their discovery, AhnLab announced that the malware was being spread via three websites, which bear a striking resemblance to the official Notion website.

When a user clicks the download button on a counterfeit website, a file labeled “Notion-x86.msix” is downloaded to their device. During installation, this file executes a malicious script designed to activate code that pilfers private information from the victim’s computer. This can include details from cryptocurrency wallet applications, screenshots, browser data, and information about other installed software. To evade detection and reduce suspicion, the attackers employ a two-pronged strategy: they attach a valid digital signature to the downloaded file and simultaneously install the legitimate Notion application alongside the malware.

In an interview with The Readable, AhnLab disclosed that it was unable to determine the origin of these counterfeit websites. However, the company noted a significant detail: the name of the malicious file being distributed matches that of a file discovered in March of the previous year. Based on this similarity, AhnLab suggested the possibility that the same cyberattack group identified earlier might be responsible. This group had previously utilized the malicious file named “LummaC2,” which they distributed through counterfeit crack installers that masqueraded as legitimate software.

Furthermore, reports have emerged indicating that additional malicious files are impersonating well-known software applications, including Slack, WinRar, and Bandicam. These applications, which offer business messaging, file compression, and screen recording functionalities, respectively, have a vast user base worldwide. AhnLab has emphasized the importance of downloading files exclusively from official websites and ensuring that the publisher’s signature matches the official source, even if the signature initially seems legitimate. Particularly, the cybersecurity firm has recommended heightened vigilance with files ending in “msix,” signaling a potential risk.


Subscribe to our newsletter for the latest insights and trends. Tailor your subscription to fit your interests:

By subscribing, you agree to our Privacy Policy. We respect your privacy and are committed to protecting your personal data. Your email address will only be used to send you the information you have requested, and you can unsubscribe at any time through the link provided in our emails.

  • Chanwoo Yong
    : Author

    Chanwoo Yong is a reporting intern for The Readable. Majoring in cybersecurity at Korea University, Yong has an intense interest in cybercrime and cybercriminals as well as a passion for making cybers...

    View all posts
Stay Ahead with The Readable's Cybersecurity Insights