Cybersecurity firm Cisco Talos is warning of the potential for hackers to target architects and other designers with crypto-mining malware. The hacking campaign, which has largely targeted French-speaking architects, engineers, and graphic designers, sees the victim’s computer infected with malware via installer tools.
“Cybercriminals are abusing Advanced Installer, a legitimate Windows tool used for creating software packages, to drop cryptocurrency-mining malware on infected machines,” Cisco Talos explains.
The campaign centers on abuse of Advanced Installer rather than a flaw in it. The hackers use the tool to package legitimate software installers, such as those for Adobe Illustrator, Autodesk Revit, and SketchUp, together with malicious scripts, and then use Advanced Installer’s Custom Actions feature to make the installers execute those scripts.
The resulting malware allows hackers to establish a backdoor to the computer, which they have used to mine cryptocurrencies such as Ethereum.
Cisco Talos believes that architects, engineers, and graphic designers have been targeted due to the common need among AEC professionals for computers with high GPU power to facilitate heavy software applications such as Revit and 3ds Max. Such high-spec computers are also often necessary to mine cryptocurrency.
According to the cybersecurity firm, the activity has been ongoing since at least November 2021. While attacks have predominantly targeted users in France and Switzerland, cases have also been reported in the United States, Canada, Algeria, Sweden, Germany, Tunisia, Madagascar, Singapore, and Vietnam.
While the hacking campaign has been extensive in its reach, its financial gains for the hackers have been relatively modest. According to Cisco Talos, in January 2023, the attackers managed to mine over 50 Ethereum Classic coins, equivalent to about $800, based on current values. Then, in July 2023, they mined a similar amount. This indicates that while the hackers have been persistent in their efforts, their monetary rewards have been limited.
2 Comments
$1,600 of Etherealum, based on current value. Not the greatest criminal minds, perhaps.
And if Revit is running hard, which it does, how much processing power is actually available for mining?
Ethereum Classic, the crypto that exposed the lie.