BleepingComputer reports that a fake Microsoft DirectX 12 download page is spreading cryptocurrency-stealing malware.

The fake website comes with a disclaimer, a DMCA infringement page, a contact form and a privacy policy, which makes it appear legitimate. However, upon clicking the download button, users are sent to an external page that instructs them to download a file that is either named or, depending on the 32-bit or 64-bit version chosen. Both files will attempt to steal the victim’s passwords, files and cryptocurrency wallets, including those for Atomic, Coinomi, Electron Cash, Jaxx and Ledger Live.

This information-stealing malware will try to steal the user’s cookies, installed programs, system information and files, and will even take a screenshot of the victim’s desktop. The collected data is gathered in a %Temp% folder, which is then zipped and sent back to the attacker, and the data may be used for other malicious activities.