
The gaming peripherals manufacturer Endgame Gear has reported that malware was embedded in the tool for configuring the OP1w 4k v2 mouse on the company’s official website from June 26 to July 9, 2025.
Reports of malware in the configuration tool for the OP1 appeared on Reddit about two weeks ago.
Users reported several key differences indicating that the company’s website hosted a trojanized installer. They noted the driver’s size had increased to 2.8 MB (compared to 2.3 MB in the “clean” version) and the fact that the file properties listed “Synaptics Pointing Device Driver” instead of “Endgame Gear OP1w 4k v2 Configuration Tool”.
After being uploaded to VirusTotal, the malware was identified as the XRed backdoor. However, representatives of Endgame Gear state that the analysis of the malicious payload is not yet complete.
Last week, the company confirmed that the tool Endgame_Gear_OP1w_4k_v2_Configuration_Tool_v1_00.exe hosted on their website was indeed infected with malware. However, Endgame Gear did not explain how exactly this happened.
The malicious file was published on the product page endgamegear.com/gaming-mice/op1w-4k-v2, and the manufacturer stresses that everyone who downloaded the utility from that page during the specified period received the infected build. Users who downloaded the utility from the main downloads page (endgamegear.com/downloads), via GitHub, or via Discord were not affected, since a “clean” version was distributed through those channels.
It has been reported that the malware has now been removed.
Endgame Gear recommends that users who have downloaded the malicious version of the tool delete all files from the C:\ProgramData\Synaptics folder and re-download the safe version from this page.
Since the malware includes keylogger functionality, can open a remote shell on the system, and steals data, affected users are advised to run a full system scan with antivirus software and make sure that all remnants of the infection are removed.
Additionally, it is recommended to change the passwords for all important accounts, including online banking, email services, and work profiles.
Endgame Gear reports that in the future, the company will eliminate separate download pages and will add SHA-hash verification and digital signatures for all files, allowing users to confirm their integrity and the authenticity of the source.
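The remediation advice above and the controls the vendor says it will add (published hashes and digital signatures) can be turned into a simple defender-side check. The following PowerShell script is an added illustration, not Endgame Gear’s tooling or code from the article: it compares a downloaded installer’s SHA-256 against a vendor-published hash, validates its Authenticode signature, inspects the FileDescription version string that Reddit users noticed had changed, and lists the contents of the C:\ProgramData\Synaptics folder that the advisory tells affected users to clear out. The expected hash value, the signer subject pattern and the Downloads location are placeholders or assumptions; only the installer file name, the description string and the folder path come from the article.

```powershell
# Added example (not vendor code). Assumptions are marked inline.

function Test-InstallerIntegrity {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256,   # placeholder: hash the vendor says it will publish
        [string] $ExpectedDescription = 'Endgame Gear OP1w 4k v2 Configuration Tool',
        [string] $ExpectedSigner = '*Endgame Gear*'        # assumption: exact certificate subject is not on the page
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $item     = Get-Item -LiteralPath $Path
    $findings = @()

    # 1. Cryptographic hash: the only check that proves this is the file the vendor published.
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        $findings += "SHA-256 mismatch: got $actual"
    }

    # 2. Authenticode signature: must be Valid AND chain to the expected publisher, not merely present.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "Signature status: $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notlike $ExpectedSigner) {
        $findings += "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }

    # 3. Version resource: cheap and easily forged, but the trojanized build did
    #    identify itself as a "Synaptics Pointing Device Driver", so a mismatch is a useful early warning.
    $desc = $item.VersionInfo.FileDescription
    if ($desc -ne $ExpectedDescription) {
        $findings += "FileDescription is '$desc'"
    }

    [pscustomobject]@{
        Path     = $Path
        SizeMB   = [math]::Round($item.Length / 1MB, 2)   # article: ~2.3 MB clean vs ~2.8 MB trojanized
        Sha256   = $actual
        Clean    = ($findings.Count -eq 0)
        Findings = $findings
    }
}

function Get-SynapticsFolderInventory {
    # Folder the vendor advisory tells affected users to clean out. Presence alone is not proof of
    # infection; record paths, sizes, timestamps and hashes so they can be compared with AV/IR findings.
    $dir = 'C:\ProgramData\Synaptics'
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Output "$dir not present"
        return
    }
    Get-ChildItem -LiteralPath $dir -Recurse -File |
        Select-Object FullName, Length, LastWriteTime,
            @{ Name = 'Sha256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}

# Usage (download path is an assumption; replace the hash placeholder with the vendor-published value):
# Test-InstallerIntegrity -Path "$env:USERPROFILE\Downloads\Endgame_Gear_OP1w_4k_v2_Configuration_Tool_v1_00.exe" `
#                         -ExpectedSha256 '<VENDOR_PUBLISHED_SHA256>'
# Get-SynapticsFolderInventory
```

The hash comparison is the check that matters; the signature check only helps once the vendor actually signs its releases, and the version-string check is a heuristic that a later trojanized build could trivially satisfy, so it is reported as a finding rather than treated as proof either way.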
It is worth noting that back in February 2024, analysts from eSentire warned that XRed could disguise itself as a Synaptics Pointing Device Driver. At that time, the malware was also distributed through trojanized software that was supplied with USB-C hubs sold on Amazon.