Avoiding Trojanised Installers
Recognize and prevent compromised software downloads
Who This Guide Is For
This guide teaches you to recognize risky download sources and adopt safer software sourcing habits. Whether you're downloading encryption utilities, media players, or system tools, these practices reduce your exposure to trojanised (malware-infected) installers. No technical expertise is required, just careful attention to where and how you download software.
What Are Trojanised Installers?
A trojanised installer looks like legitimate software but includes hidden malware. Attackers repackage popular software with keyloggers, ransomware, or credential stealers, then distribute it through unofficial mirrors, search ads, or compromised websites. Users install what they think is a trusted utility—and unknowingly infect their system.
Trojanised installers are common for:
- Encryption tools (VeraCrypt, TrueCrypt clones)
- Media codecs and players (VLC, K-Lite)
- System utilities (CCleaner, download managers)
- Older or discontinued software (CryptoExpert, legacy tools)
Red Flags: Recognizing Risky Downloads
Red Flag 1: Search Engine Ads
Attackers pay for ads that appear above organic search results. You search "download veracrypt," see an ad labeled "VeraCrypt Official," and click. The ad leads to a fake site hosting malware. Solution: Skip ads. Scroll past them and click organic results, or type the URL directly.
Red Flag 2: Mirror Sites You've Never Heard Of
Legitimate software is often mirrored on download portals like SourceForge, Softpedia, or CNET. Some mirrors are trustworthy; many are not. Obscure mirrors ("download-center24.com") are high-risk. Solution: Stick to official websites or well-known mirrors explicitly linked by the developer.
Red Flag 3: Bundled Installers
Some download sites wrap installers in their own "download manager" that bundles adware or toolbars. Even if the core software is clean, the wrapper isn't. Solution: Avoid download sites that require installing their downloader. Get the standalone installer from the official source.
Red Flag 4: Missing HTTPS or Suspicious Domains
If the download page lacks HTTPS or the domain looks off ("veracrypt-official.biz" instead of "veracrypt.fr"), don't download. Attackers register typo domains and fake lookalikes. Solution: Verify the domain carefully. Bookmark official sites to avoid typos.
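A small bookmark-style allowlist check illustrating this red flag, added here as an example rather than code from the original guide. It assumes a short list of official hostnames (veracrypt.fr is the one the guide names) and flags plain HTTP, lookalike domains that embed the real name, and unknown hosts.

```python
from urllib.parse import urlsplit

# Allowlist of official download hosts you would normally bookmark.
# veracrypt.fr comes from the guide; treat the list as an assumption to extend.
OFFICIAL_HOSTS = {"veracrypt.fr", "www.veracrypt.fr"}


def brand_labels(hosts):
    """The recognisable name part of each official host, e.g. 'veracrypt'."""
    return {h.split(".")[0] for h in hosts} - {"www"}


def check_download_url(url, official_hosts=OFFICIAL_HOSTS):
    """Return (ok, reason) for a download URL a user is about to click."""
    parts = urlsplit(url)
    # urlsplit().hostname strips userinfo and port and lowercases the host,
    # so "https://veracrypt.fr@evil.example/" resolves to "evil.example".
    host = (parts.hostname or "").rstrip(".")
    if parts.scheme != "https":
        return False, "page is not served over HTTPS"
    if not host:
        return False, "no hostname in URL"
    if host in official_hosts:
        return True, "official host: " + host
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised (punycode) host, possible homoglyph: " + host
    for brand in brand_labels(official_hosts):
        # Catches "veracrypt.fr.download-center24.com" and "veracrypt-official.biz":
        # the real name appears, but the registrable domain is someone else's.
        if brand in host:
            return False, "lookalike domain containing '%s': %s" % (brand, host)
    return False, "host is not on the official list: " + host


if __name__ == "__main__":
    for u in ("https://www.veracrypt.fr/en/Downloads.html",
              "http://veracrypt.fr/",
              "https://veracrypt.fr.download-center24.com/setup.exe",
              "https://veracrypt-official.biz/",
              "https://download-center24.com/veracrypt.exe"):
        print(u, "->", check_download_url(u))
```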
Red Flag 5: No Checksums or Signatures
Reputable developers of security software publish checksums or GPG signatures. If there's no way to verify the download, that's suspicious—especially for encryption tools. Solution: Don't install software you can't verify, particularly if it handles sensitive data.
Safe Download Practices
Practice 1: Go Directly to Official Websites
Don't rely on search engines for every download. Bookmark official sites for software you use regularly. Examples: veracrypt.fr for VeraCrypt, microsoft.com for Windows utilities. Type URLs directly or use bookmarks.
Practice 2: Verify Checksums Before Installing
Always compute and compare checksums for security-critical software. See our guide: How to Verify Checksums. This is non-negotiable for encryption tools and anything running with admin privileges.
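The verification step this practice (and the "SHA-256 checksum" item in the checklist below) describes, as an added example rather than code from the original guide. It assumes the developer publishes a SHA256SUMS-style text file (one "hex digest  filename" line each, as GNU sha256sum writes); the sample checksum file and its digests are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed SHA256SUMS-style file, not a real release. The second entry uses
# upper-case hex and the '*' binary-mode marker that sha256sum emits; the third
# is malformed and must be ignored rather than trusted.
SAMPLE_SUMS = """\
# example-tool 1.0 checksums (constructed)
b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9  example-setup.exe
BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD *example-portable.zip
deadbeef  broken-entry.txt
"""

HEX = set("0123456789abcdef")


def parse_sums(text):
    """Map filename -> lower-case SHA-256 hex digest, skipping comments and bad lines."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and set(digest) <= HEX:
            sums[name] = digest
    return sums


def check_digest(name, actual_hex, sums_text):
    """Compare a computed digest against the published one for that filename."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False, "no published checksum for %s; do not install" % name
    if not hmac.compare_digest(actual_hex.lower(), expected):
        return False, "checksum MISMATCH for %s; delete the file" % name
    return True, "checksum matches for %s" % name


def verify_bytes(name, data, sums_text):
    return check_digest(name, hashlib.sha256(data).hexdigest(), sums_text)


def verify_file(path, sums_text):
    """Stream a large installer through SHA-256 and check it by its basename."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return check_digest(os.path.basename(path), h.hexdigest(), sums_text)
```

Pair the checksum file with the developer's GPG signature where one is published; a checksum on the same page as a tampered installer proves nothing on its own.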
Practice 3: Check Developer Reputation
Before downloading unfamiliar software, research the developer. Do they have a GitHub presence? Community forum? Security audits? If Google turns up nothing but shady download portals, that's a warning sign.
Practice 4: Use Windows Defender or Third-Party Scanning
Scan downloads with Windows Defender or a reputable antivirus before running them. This isn't foolproof (new malware may not be detected), but it catches known threats. Right-click the installer and select "Scan with Windows Defender."
Practice 5: Prefer Official Repositories
For open-source tools, download from official repositories (GitHub releases, official project sites). Avoid re-uploads on third-party forums or file-sharing sites—those are prime targets for trojanisation.
Common Mistakes in the Real World
Mistake 1: Trusting "Top Result" in Search
Search engines rank ads above organic results, and ads can be bought by anyone. The top result for "download X" is often a paid ad leading to malware. Always scroll past ads or type URLs directly.
Mistake 2: Downloading from the First Link
People click the first link without checking the domain. Attackers exploit this with lookalike domains. Take five seconds to verify you're on the official site.
Mistake 3: Ignoring Browser Warnings
If your browser or Windows Defender flags a download as potentially dangerous, don't override the warning without understanding why. "This file is not commonly downloaded" is a valid concern for obscure utilities.
Mistake 4: Installing Without Reading Prompts
Even legitimate installers sometimes bundle optional software. Read each screen. Uncheck unwanted toolbars, browser extensions, or "partner offers." Blindly clicking "Next" can install junk.
What to Do If You Installed a Trojanised File
If you suspect you've installed compromised software:
- Disconnect from the internet immediately to limit potential data exfiltration.
- Run a full system scan with Windows Defender and Malwarebytes (free version is fine).
- Change passwords for critical accounts (email, banking, work) from a clean device.
- Monitor for unusual activity in your accounts and credit reports.
- Consider a clean reinstall of Windows if malware persists or if encryption keys were exposed.
Encryption Tools Are High-Value Targets
Download Safety Checklist
- □ Navigate directly to the official website (skip search engine ads)
- □ Verify the domain name and HTTPS certificate
- □ Download the standalone installer (avoid download managers)
- □ Compute and verify the SHA-256 checksum
- □ Scan the file with Windows Defender before running
- □ Read each installer prompt carefully (uncheck bundled software)
- □ Monitor system behavior after installation for unusual activity
Frequently Asked Questions
Are all download mirrors unsafe?
No. Mirrors explicitly endorsed by developers (listed on their official site) are generally safe. Obscure, unlisted mirrors are risky. When in doubt, download from the official source.
Can I trust SourceForge or Softpedia?
These sites have mixed reputations. They host legitimate software but also bundle ads and wrappers. Prefer official websites. If you use a mirror, verify checksums.
What if the official website is down?
Wait or use the Internet Archive (archive.org) to access cached versions of the official site. Avoid downloading from random mirrors when the official source is unavailable.
How can I tell if an installer is trojanised before running it?
Checksum verification and antivirus scans catch many trojans, but not all. New malware may evade detection. The best defense is downloading from verified official sources.
Is it safe to download old versions of software?
Old versions may have unpatched vulnerabilities. If you need an older version, get it from the official project archives or Internet Archive—never from random download sites.
Should I use a sandbox or virtual machine for untrusted installers?
Yes, if you frequently test software. Running installers in a VM or Windows Sandbox limits damage if they're malicious. This is overkill for most users but valuable for researchers.
Next Steps
Related guides for safer downloads:
- How to Verify Checksums — Essential verification skill
- CryptoExpert 8 Reference — Safety notes for older utilities
- CryptoExpert 8 Download Safety — Specific guidance for this tool