On Friday, August 21, 2020, we began detecting fake Malwarebytes installation files containing a backdoor that loads a Monero miner based on XMRig onto infected PCs. The most prevalent filename under which one of the installation files is being distributed is “MBSetup2.exe”. Avast has protected nearly 100K Avast and AVG users from the fake installation files, which are mostly spreading in Russia, Ukraine, and Eastern Europe. We do not yet know where or how the fake installation file is being distributed, but we can confirm that the installation files are not being distributed via official Malwarebytes channels, which remain trusted sources.