Security software provider Kaspersky has identified a form of cryptomining malware that has taken root in multiple sites where pirated textbooks are upload and downloaded. The delivery agent, WinLNK.Agent.gen, has been active since 2011 but now its payload is a bit more lucrative for the folks who spread it.

The malware masquerades as a book or essay packed in an executable file which allows the hacker’s command-and-control system to send other pieces of malware, including cryptominers and spam delivery systems, onto an infected computer. How do we know the malware is targeting students? Kaspersky watched its logs and saw “233,000 cases” of malicious essays and “122,000 attacks by malware that was disguised as textbooks.”

“More than 30,000 users tried to open these files [this year],” they wrote.

Downloading out-of-copyright ebooks and library books is quite simple and safe so this malware targets harder-to-find textbooks. Our own quick Google search found a number of ebook versions of various beginning college texts that cost $150 or more online. While most of them were PDFs, there were a number of executable files that were flagged as malware.

Far more pernicious, interestingly, are the ads masquerading as download links that send you to malware sites rather than the correct PDF or ePub file. While you can save money pirating these books online – when you can find them – it’s clear the results can sometimes be nasty.

Skull image via Shutterstock