Bitly Imitation Leads to Malware Download

Bitly Imitation Leads to Malware Download

URL shortening services can be a marketing person’s and social media buff’s best friend. However, they can become a cause of worry for users who are conscious about the security of their systems and personal information.

Not only do these services trim down the character count of a URL while monitoring clicks, online criminals also use such services to mask malicious URLs.

Among the URL shorteners available online, Bitly remains one of the three most popular brands, alongside and

Although the URL has been in service since 2008, we’re only beginning to see several bogus iterations of it being used in the wild.

We’ve seen a number of accounts on YouTube and others sharing various links to game cracks from the imitation Bitly URL, btly[DOT]pw. These links usually follow the format btly[DOT]pw/{name of video game}. Below are some of the titles that malicious actors use to get interested parties to click and share such links with others in their network:

  • ARMA 2
  • Alien: Isolation
  • Bulletstorm
  • Chivalry: Medieval Warfare
  • Counter Strike 3
  • Dead Rising 3
  • Don’t Starve Together
  • Endless Legend
  • F1 2014
  • Fable: Anniversary Edition
  • Far Cry 4
  • Farming Simulator 2015
  • FIFA 15
  • Five Nights at Freddie’s 2
  • Garry’s Mod
  • Heroes of Might and Magic 3
  • Huniepop
  • Kerbal Space Program
  • Killing Floor
  • Left 4 Dead 2
  • Legend of Grimrock
  • Life is Feudal
  • Metro 2033
  • Minecraft
  • NBA 2K15
  • Payday: The Heist
  • Plague Inc. – Evolved
  • Rust
  • Saints Row: Gat Out of Hell
  • Sims 4 Deluxe Edition
  • South Park: The Stick of Truth
  • Space Engineers
  • SpeedRunners
  • Starbound
  • Stronghold Crusader 2
  • Terraria
  • The Elders Scrolls V: Skyrim
  • The Forest
  • The Hunter Primal
  • The Talos Principle
  • The Walking Dead Season 2
  • Train Fever
  • Train Simulator 2013
  • Trine
  • Viking Conquest
  • Wasteland 2
  • Watch_Dogs
  • XCOM: Enemy Unknown
  • Xenonauts

We’re still working our way to testing links pertaining to the above games, but for the sake of brevity, we have picked Left 4 Dead 2, a highly popular zombie apocalypse FPS from Valve, to illustrate how this particular .pw campaign works.

The URL is btly[DOT]pw/left4dead2. Users visiting this are led to a free file-sharing site, in this case ZippyShare, where they can download and extract the file. Screenshot below:

Left 4 Dead 2

click to enlarge

Ads pretending to be the download button for the file may cause confusion for some users. The real one is at the rightmost side of the text.

Below is a screenshot of the RAR-compressed file once extracted with a snapshot of the executable’s property, which shows that it was once a “Steam Installer”:


click to enlarge

Here is what the read me text file says:


click to enlarge

Nothing too difficult - this is an easy crack! In order for this setup to run without any difficulty, please disable your anti-virus for at least 10 minutes while everything is being installed.  You can re-enable it after the installation is complete.

1. Install the setup (by clicking setup.exe).

* Disable anti-virus for at least 10 minutes during the installation. * Make sure you are connected to the internet. * Wait for the installer to download all the game files from the developer's server. 2. Locate the directory where you installed the game. 3. Copy all the items inside the "Crack" folder & paste to the game directory. 4. Run the game.

* You can now re-enable your anti-virus.

You're done! Enjoy, and have a nice day!

The Crack folder contains two DLL files, Steam_api.dll and User_license.dll, and keyinfo.ini, which contains further instructions. The two DLL files are actually duplicates of each other.


click to enlarge

Copy the dll files and paste and replace each of the dll files in the program directory.

Malwarebytes Anti-Malware (MBAM) detects the main executable, Left 4 Dead 2 Setup.exe, as Trojan.Dropper.NS.

Elsewhere, another imitation Bitly link—this time, btly[DOT]org—is said to be used in a spam campaign that led recipients to a fake BBC site that advertises questionable Garcinia Cambogia dietary supplements.

Please be reminded that the official website for Bitly where users can visit to shorten URLs is Shortened URLs always begin with Everything else that resembles the real thing may need to be ignored, reported, and/or blacklisted.

Jovi Umawing


Jovi Umawing

Knows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.