The gaming peripherals manufacturer Endgame Gear has reported that malware was embedded in the tool for configuring the OP1w 4k v2 mouse on the company’s official website from June 26 to July 9, 2025.
Reports of malware in the configuration tool for the OP1 appeared on Reddit about two weeks ago.
Users reported several key differences indicating that the company’s website hosted a trojanized installer. They noted the driver’s size had increased to 2.8 MB (compared to 2.3 MB in the “clean” version) and the fact that the file properties listed “Synaptics Pointing Device Driver” instead of “Endgame Gear OP1w 4k v2 Configuration Tool”.
After being uploaded to VirusTotal, the malware was identified as the XRed backdoor. However, representatives of Endgame Gear state that the analysis of the malicious payload is not yet complete.
Last week, the company confirmed that the tool Endgame_Gear_OP1w_4k_v2_Configuration_Tool_v1_00.exe hosted on their website was indeed infected with malware. However, Endgame Gear did not explain how exactly this happened.
A malicious file was published on the page endgamegear.com/gaming-mice/op1w-4k-v2, and the manufacturer emphasizes that everyone who downloaded the utility from this page during the specified period was infected. Meanwhile, users who downloaded the utility from the main downloads page (endgamegear.com/downloads), via GitHub, and Discord were not affected, as a “clean” version was distributed through these channels.
It has been reported that the malware has now been removed.
Endgame Gear recommends that users who have downloaded the malicious version of the tool delete all files from the C:\ProgramData\Synaptics folder and re-download the safe version from this page.
Since the malware has keylogger functionality, can open remote shell access to the system, and steal data, affected users are advised to conduct a full system scan using antivirus software and ensure that all remnants of the infection are eliminated.
Additionally, it is recommended to change the passwords for all important accounts, including online banking, email services, and work profiles.
Endgame Gear reports that in the future, the company will eliminate separate download pages and will add SHA-hash verification and digital signatures for all files, allowing users to confirm their integrity and the authenticity of the source.
It is worth noting that back in February 2024, analysts from eSentire warned that XRed could disguise itself as a Synaptics Pointing Device Driver. At that time, the malware was also distributed through trojanized software that was supplied with USB-C hubs sold on Amazon.
2025.02.05 — Google patches Android zero-day vulnerability exploited by hackers
Google released the February set of patches for Android. In total, they fix 48 bugs, including a kernel zero-day vulnerability actively exploited by hackers. The zero-day's…
Full article →
2025.02.09 — Abandoned AWS S3 buckets could be used in attacks targeting supply chains
watchTowr discovered plenty of abandoned Amazon S3 buckets that could be used by attackers to deliver malware and backdoors to government agencies and large corporations. The researchers discovered…
Full article →
2025.02.06 — Let's Encrypt to stop sending expiration notification emails
The nonprofit organization announced that, starting June 4, 2025, it will stop sending expiration notification emails to subscribers. The primary reason behind this decision…
Full article →
2025.02.20 — Newly-discovered vulnerabilities in OpenSSH open the door to MiTM and DoS attacks
OpenSSH fixed two vulnerabilities that could result in MiTM and denial of service (DoS) attacks. Interestingly, one of these bugs appeared in the code more than 10…
Full article →
2025.04.12 — Hackers compromised a bureau within the U.S. Department of the Treasury and spent months in hacked systems
The Office of the Comptroller of the Currency (OCC), an independent bureau within the United States Department of the Treasury, reported a major cybersecurity incident. Unknown attackers had…
Full article →
2025.04.23 — Improper authentication control vulnerability affects ASUS routers with AiCloud
ASUSTeK Computer Inc. fixed an improper authentication control vulnerability in routers with AiCloud. The bug allows remote attackers to perform unauthorized actions on vulnerable devices. The issue…
Full article →
2025.04.04 — Privilege escalation vulnerability in Google Cloud resulting in sensitive data leaks finally patched
Tenable Research revealed details of a recently patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run enabling an attacker to gain access to container images…
Full article →
2025.03.20 — 8,000 vulnerabilities identified in WordPress ecosystem in 2024
According to Patchstack, world's #1 WordPress vulnerability intelligence provider, 7,966 new vulnerabilities were identified in the WordPress ecosystem in 2024; most of these bugs affected plugins…
Full article →
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.01.30 — Hackers use vulnerabilities in SimpleHelp RMM to attack corporate networks
Experts believe that recently patched vulnerabilities in SimpleHelp Remote Monitoring and Management (RMM) were used by attackers to gain initial access to corporate networks. A number…
Full article →