DarkGate malware spread through malicious Pidgin plugin

August 28, 2024

Threat actors have leveraged messaging app Pidgin’s ScreenShareOTR plugin for Windows and Linux to facilitate the distribution of the DarkGate malware, BleepingComputer reports.

Attacks involved the malicious ‘ss-otr’ plugin installer, which was signed with a certificate belonging to Polish firm Interrex and retrieved either an Interrex-signed DarkGate payload or PowerShell scripts from an attacker-controlled server, according to an analysis from ESET. That server, which has since been taken down, was also used to host the Pidgin Paranoia, Window Merge, HTTP File Upload, OMEMO, and Master Password plugins, which are believed to have been used to deploy DarkGate as well.

Pidgin has already pulled the ss-otr plugin from its third-party plugin list following a report that it contained keylogging and screenshot-capturing capabilities. “On August 16th we received a report from 0xFFFC0000 that the plugin contained a key logger and shared screenshots with unwanted parties. We quietly pulled the plugin from the list immediately and started investigating. On August 22nd Johnny Xmas was able to confirm that a keylogger was present,” said Pidgin.
