Opera.com hacked, distributed malware signed with their certificate to probably thousand of users (Update)

According to a post on the Opera Security Blog, the company suffered on June 19th “a targeted attack on  internal network infrastructure”. The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware. This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software, or appears to be the Opera browser.


What Opera is describing here is the nightmare of any company having millions of users:

– Internal network breached

– Signing certificates stolen

Certificates used to sign malware

Can it go worse?

Yes, it can.

– the website distributed automatically company signed malware to their users:

It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software.


If you are or were using Opera, here is what can you do to make sure your computer is clean:

– Uninstall Opera

– Install any Avira product from here.

– Start the “System Scanner” to scan all your computer on demand


– If you see a detection of TR/Ransom.GR.1 or any of the malware names below (see Update), then here you go: you’ve been affected. Let the scanner remove all the files found.

– After cleaning up the computer, you may want to reinstall the Opera browser. Do note that there are plenty of alternatives like Firefox, Chrome and others.



Here are more details about this malware:

The behavior of the file includes stealing stored credentials from several popular file browsers, internet browsers, FTP clients, and email clients. The list is very very long and includes Opera, Thunderbird, Chrome, Firefox, Total Commander, Far, Filezilla, The Bat!, CuteFTP and many others.

It also downloads additional malware from a special URL which appears to be still alive. The file at that URL changes on a regular basis. Since we started monitoring the URL last week we observed there:

– a screen locking ransomware impersonating the local authorities (detected as TR/Ransom.GQ.1)

– an information stealing trojan (detected as TR/Kazy.adag)

– a backdoor which allows that communicates with several remote servers and may allow 3rd party control of the infected system. (detected as BDS/ZAccess.BS)


Many thanks to Andrei Gherman from the VLAB in Bucharest for the quick analysis.



Sorin Mustaca

IT Security Expert