Cybercriminals Use Popular Turkish and Arabic Books as Bait to Steal Personal Data, Kaspersky Warns
Kaspersky’s Global Research & Analysis Team (GReAT) has uncovered a sophisticated malware-as-a-service (MaaS) campaign targeting ebook readers in Turkey, Egypt, Bangladesh and Germany. Cybercriminals are disguising advanced malicious software as bestselling Turkish and Arabic books, deceiving hundreds of readers into downloading files designed to steal passwords, cryptocurrency wallet data and other sensitive information from their computers.
According to Kaspersky researchers, the attackers are leveraging LazyGo—a newly identified loader written in Go capable of delivering multiple families of information-stealing malware. The campaign primarily targets users searching for popular titles, including the Turkish translation of John Buchan’s The Thirty-Nine Steps, as well as Arabic works on poetry, folklore and religious traditions. The fraudulent ebooks cover a broad range of genres, from Turkish business management titles such as Tamer Koçel’s İşletme Yöneticiliği, to contemporary fiction and Arabic literary criticism, including The Literary and Linguistic Movement in the Sultanate of Oman.
The malicious files imitate PDF ebooks but are, in fact, executable programs carrying PDF-like icons. Once users open these fake files, the LazyGo loader initiates the deployment of infostealers such as StealC, Vidar and ArechClient2. Kaspersky analysts discovered three distinct LazyGo variants, each employing different evasion techniques, including API unhooking, AMSI bypassing, disabling Windows Event Tracing (ETW) and virtual machine detection.
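As an added illustration (not part of Kaspersky's release or tooling), the check below classifies a download by its header bytes rather than by its name or icon, so a Windows executable presented as a PDF ebook is flagged. The file names, sample bytes and the `DOC_HINTS` and `EXEC_SUFFIXES` lists are constructed assumptions.

```python
import struct
from pathlib import PurePath

DOC_HINTS = (".pdf", ".epub", ".mobi")   # assumption: name fragments suggesting an ebook
EXEC_SUFFIXES = {".exe", ".scr", ".com"}  # assumption: suffixes treated as honest executables

def sniff_type(data: bytes) -> str:
    """Classify content from its header bytes, ignoring the file name."""
    # PE image: 'MZ' DOS header whose e_lfanew field (offset 0x3C) points at 'PE\0\0'.
    if len(data) >= 0x40 and data[:2] == b"MZ":
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"  # checked first, so a PE with an embedded PDF marker stays "pe"
    # Lenient PDF check: some readers tolerate bytes before the %PDF- marker.
    if b"%PDF-" in data[:1024]:
        return "pdf"
    return "unknown"

def triage(name: str, data: bytes) -> str:
    """Return 'block', 'review' or 'ok' for a downloaded file."""
    kind = sniff_type(data)
    lowered = name.lower()
    suffix = PurePath(lowered).suffix
    if kind == "pe":
        # Executable content behind a document-like name or a non-executable suffix.
        if any(h in lowered for h in DOC_HINTS) or suffix not in EXEC_SUFFIXES:
            return "block"
        return "review"
    if suffix == ".pdf" and kind != "pdf":
        return "review"  # claims to be a PDF but has no PDF header
    return "ok"

def constructed_pe() -> bytes:
    """Constructed sample: the smallest header that passes the PE check above."""
    return b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"

if __name__ == "__main__":
    samples = {  # constructed inputs, not files from the campaign
        "ebook_sample.pdf.exe": constructed_pe(),
        "ebook_sample.pdf": constructed_pe(),
        "installer.exe": constructed_pe(),
        "real_book.pdf": b"%PDF-1.7\n%constructed\n",
        "broken.pdf": b"<html>not a pdf</html>",
    }
    for fname, blob in samples.items():
        print(f"{fname:24} {sniff_type(blob):8} {triage(fname, blob)}")
```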
The stolen data includes:
• Browser information: saved passwords, cookies, autofill data and browsing history from Chrome, Edge, Firefox and other browsers.
• Financial data: cryptocurrency wallet extensions, configuration files and storage data.
• Developer credentials: AWS access keys, Azure CLI tokens and Microsoft Identity Platform tokens.
• Communication platform data: Discord tokens, Telegram Desktop data and Steam session files.
• System information: device specifications, installed applications and running processes.
Victims infected with ArechClient2/SectopRAT face an even higher risk, as attackers gain full remote control over compromised systems.
“What makes this campaign particularly alarming is its use of a malware-as-a-service model combined with highly targeted social engineering,” said Yossef Abdelmonem, Senior Security Researcher at Kaspersky GReAT. “The multiple LazyGo variants and their sophisticated evasion mechanisms underscore that this is not opportunistic cybercrime—it is a structured operation designed to harvest credentials at scale. Organizations should be extremely cautious, as stolen developer tokens and cloud credentials can grant attackers deep access to corporate infrastructure.”
Kaspersky telemetry indicates that the campaign is impacting government entities, educational institutions, IT service providers and other sectors. The threat remains active, with attackers continuously uploading new malicious ebooks to GitHub and compromised websites.
Kaspersky experts strongly advise users to verify the source of ebooks before downloading, inspect file properties carefully and ensure their security software is up to date and capable of detecting stealthy malware techniques. Kaspersky Premium recently achieved a 99.99% malware protection rate in an AV-Comparatives assessment of 9,995 samples, demonstrating its effectiveness against highly evasive threats.


