In one of the stranger cases of malware to date, Andrew Brandt of Sophos detailed a malware campaign with the sole purpose of preventing the victim from accessing sites used for software piracy. To do so, the malware modifies the HOSTS file, which can be used to manually set an IP address for a given host name like example.com. One use this file has seen over the years is to add entries that point domain names to 127.0.0.1 (also known as localhost). That blocks access to those domains, which is exactly what this malware does. Brandt goes on to say that, in the sample he looked at, hundreds to thousands of domains are added to the HOSTS file when the malware is executed. To spread, the malware was disguised in various ways on different platforms, for example as popular video games and security software shared through Discord. It could also be found on popular torrent sites, packaged to look like other cracked software releases, complete with READMEs and internet shortcut files. While the true purpose of this campaign has not been determined, the malware had one more surprise. Before doing anything else, it rats out the victim by sending the name of the pirated software to a website, after which a secondary payload responsible for the HOSTS file modification is downloaded.
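A defender-side check for this kind of tampering, as an added example that is not from the Sophos write-up: it parses a HOSTS file and lists every hostname that has been pointed at a loopback or null address, ignoring the stock localhost entries, so a sudden bulk of such entries stands out. The `.invalid` hostnames in the sample and the alert threshold are constructed for the illustration.

```python
"""Flag bulk HOSTS-file sinkholing (hostnames mapped to loopback/null).

Added example, not code from the Sophos write-up. Sample input below
is constructed; the threshold is an assumed tuning value.
"""

LOOPBACK_OR_NULL = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately resolve to loopback in a stock HOSTS file
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                         "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs, one per hostname, skipping comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def find_sinkholed(text: str) -> list[str]:
    """Hostnames mapped to a loopback/null address, minus stock entries."""
    return sorted({name for ip, name in parse_hosts(text)
                   if ip in LOOPBACK_OR_NULL and name not in BENIGN_LOOPBACK_NAMES})


def assess(text: str, threshold: int = 20) -> dict:
    """Summarise the file; many sinkholed names is the tampering signal."""
    sinkholed = find_sinkholed(text)
    return {"sinkholed": sinkholed, "count": len(sinkholed),
            "suspicious": len(sinkholed) >= threshold}


# Constructed sample: stock Windows HOSTS header plus injected block entries
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 tracker.example.invalid  # constructed entry
127.0.0.1 torrents.example.invalid cracks.example.invalid
0.0.0.0   warez.example.invalid
"""

if __name__ == "__main__":
    print(assess(SAMPLE_HOSTS, threshold=3))
```

On a real host, read the file from the platform's HOSTS path and compare the result against the machine's known-good baseline rather than relying on the count alone.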