Malware Discovered in Official Endgame Gear Mouse Software

📟 News

Date: 30/07/2025

The gaming peripherals manufacturer Endgame Gear has reported that malware was embedded in the tool for configuring the OP1w 4k v2 mouse on the company’s official website from June 26 to July 9, 2025.

Reports of malware in the configuration tool for the OP1 appeared on Reddit about two weeks ago.

Users reported several differences indicating that the company’s website was hosting a trojanized installer: the file size had grown to 2.8 MB (compared to 2.3 MB for the “clean” version), and the file properties listed “Synaptics Pointing Device Driver” instead of “Endgame Gear OP1w 4k v2 Configuration Tool”.

After being uploaded to VirusTotal, the malware was identified as the XRed backdoor. However, representatives of Endgame Gear state that the analysis of the malicious payload is not yet complete.

Last week, the company confirmed that the tool Endgame_Gear_OP1w_4k_v2_Configuration_Tool_v1_00.exe hosted on their website was indeed infected with malware. However, Endgame Gear did not explain how exactly this happened.

The malicious file was hosted on the page endgamegear.com/gaming-mice/op1w-4k-v2, and the manufacturer emphasizes that everyone who downloaded the utility from this page during the specified period was infected. Users who downloaded the utility from the main downloads page (endgamegear.com/downloads), from GitHub, or from Discord were not affected, as a “clean” version was distributed through those channels.

It has been reported that the malware has now been removed.

Endgame Gear recommends that users who have downloaded the malicious version of the tool delete all files from the C:\ProgramData\Synaptics folder and re-download the safe version from this page.

Since the malware has keylogger functionality, can open a remote shell on the system, and can steal data, affected users are advised to run a full system scan with antivirus software and make sure that all remnants of the infection are removed.

Additionally, it is recommended to change the passwords for all important accounts, including online banking, email services, and work profiles.

Endgame Gear reports that in the future, the company will eliminate separate download pages and will add SHA-hash verification and digital signatures for all files, allowing users to confirm their integrity and the authenticity of the source.
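The checks described in this article (hash comparison, signature verification, the file-property and size indicators reported by users, and the C:\ProgramData\Synaptics clean-up folder) can be run locally with a short PowerShell triage script. This is an added example, not Endgame Gear's code; the download path, the use of SHA-256 specifically, and the placeholder hash are assumptions to be replaced with the values the vendor publishes.

```powershell
# Added example (not Endgame Gear's own code): triage a downloaded copy of the
# OP1w 4k v2 configuration tool using the indicators described in the article.
# ASSUMPTIONS: default $Path is a guess; $ExpectedSha256 is a placeholder for
# the vendor-published hash; SHA-256 is assumed as the "SHA-hash" algorithm.
param(
    [string]$Path = "$env:USERPROFILE\Downloads\Endgame_Gear_OP1w_4k_v2_Configuration_Tool_v1_00.exe",
    [string]$ExpectedSha256 = 'PLACEHOLDER_VENDOR_PUBLISHED_SHA256'
)

$findings = @()

# 1. Integrity: the file hash must match the hash the vendor publishes.
$hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
if ($hash -ne $ExpectedSha256.ToUpper()) {
    $findings += "SHA-256 mismatch: got $hash"
}

# 2. Authenticity: the Authenticode signature must be present and valid.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    $findings += "Authenticode status is '$($sig.Status)' (expected 'Valid')"
} else {
    "Signed by: $($sig.SignerCertificate.Subject)"
}

# 3. Indicators reported by users: the trojanized build was ~2.8 MB (clean:
#    ~2.3 MB) and its FileDescription read 'Synaptics Pointing Device Driver'.
$item = Get-Item -Path $Path
$desc = $item.VersionInfo.FileDescription
if ($desc -like '*Synaptics*') {
    $findings += "Suspicious FileDescription: '$desc'"
}
"File size: {0:N1} MB (FileDescription: '$desc')" -f ($item.Length / 1MB)

# 4. Post-infection artefact named in the vendor's clean-up advice.
if (Test-Path -Path 'C:\ProgramData\Synaptics') {
    $findings += 'C:\ProgramData\Synaptics exists; review and remove per the advisory'
}

if ($findings.Count -eq 0) {
    'No indicators found.'
} else {
    $findings | ForEach-Object { "FLAG: $_" }
}
```

A hash mismatch or an invalid signature on its own is enough to discard the download; the size and FileDescription checks are corroborating indicators from this incident, not a general-purpose detection.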

It is worth noting that back in February 2024, analysts from eSentire warned that XRed could disguise itself as a Synaptics Pointing Device Driver. At that time, the malware was also distributed through trojanized software that was supplied with USB-C hubs sold on Amazon.
