
When Installers Turn Evil: The Pascal Script Behind the Inno Setup Malware Campaign

Software installer packages are a cornerstone of user-friendly software distribution. Tools like Inno Setup, NSIS (Nullsoft Scriptable Install System), and InstallShield help developers bundle their applications into a single, streamlined installer that users can run with just a few clicks. These installers often include everything needed to set up a program: files, configurations, and even system dependencies, making software installation seamless and accessible.

But what happens when this convenience is turned against us?

For several years, cybercriminals have increasingly exploited these legitimate installer frameworks as delivery vehicles for malware. Among them, Inno Setup has emerged as a common tool of abuse. Originally designed to simplify software deployment on Windows, it’s now being abused by threat actors to disguise malicious payloads inside trusted-looking installation packages.

By wrapping malware inside a seemingly normal installer, attackers bypass many users’ suspicions and even evade some antivirus detections. This tactic allows malicious software to spread through phishing campaigns, cracked software downloads, and even poisoned updates—all under the guise of legitimate software.

In this blog, the Splunk Threat Research Team (STRT) analyzes a malicious Inno Setup installer that leverages Inno Setup’s Pascal scripting capabilities to retrieve and execute the next-stage payload on a compromised or targeted host. This campaign ultimately leads to the execution of shellcode and the use of HijackLoader, a known loader used to evade detection and deliver the final payload, in this case RedLine Stealer, a widely distributed information-stealing malware.

To read the complete article see: Read More

This post is licensed under CC BY 4.0 by the author.