Pidgin Removes ScreenShareOTR Plugin After Discovery of Malicious Code

CyberSecureFox Editorial Team

Pidgin removed the ScreenShareOTR plugin from its official third-party plugin repository on August 16, 2024, after reports confirmed it contained a keylogger and was distributing the DarkGate malware. The plugin had been listed since July 6, 2024 — a 41-day window during which any Pidgin user who installed it from the official list was exposed to credential theft and initial access broker activity.

ScreenShareOTR: Signed Malware Disguised as an OTR Screen Sharing Tool

ScreenShareOTR was presented as a screen sharing plugin using the Off-The-Record (OTR) encryption protocol, available for Pidgin on both Windows and Linux. ESET analysts identified its actual function: the installer, signed with a valid digital certificate issued to the real Polish company INTERREX SP. Z O.O., contacted a command-and-control server at jabberplugins[.]net to download additional payloads. The delivered payloads varied between PowerShell scripts and DarkGate malware — both signed with the same Interrex certificate, providing a veneer of legitimacy that bypassed many signature-based detection tools.

DarkGate: The Payload Behind the Plugin

DarkGate is a full-featured malware loader that emerged as a preferred tool for initial access brokers following the 2023 law enforcement takedown of QBot infrastructure. Its capabilities include keylogging, screenshot capture, credential harvesting from browsers and applications, remote desktop access, and the ability to load additional modules. The use of DarkGate in this campaign indicates the intent to sell access to compromised networks rather than immediate financial fraud.

Additional Plugins Served from the Same C2 Infrastructure

Investigation of the jabberplugins[.]net server revealed that the same infrastructure hosted additional potentially compromised Pidgin plugins: OMEMO, Pidgin Paranoia, Master Password, Window Merge, and HTTP File Upload. These plugins followed the same distribution pattern as ScreenShareOTR, suggesting a coordinated campaign to establish a malicious mirror of Pidgin’s third-party plugin ecosystem.

Pidgin Users Who Installed Third-Party Plugins Between July 6 and August 16, 2024

Anyone who installed ScreenShareOTR, or any of the other listed plugins (OMEMO, Pidgin Paranoia, Master Password, Window Merge, HTTP File Upload) from the official Pidgin plugin list during the exposure window should assume system compromise. Corporate environments using Pidgin for internal communications are at elevated risk because DarkGate is specifically designed to enable persistent access for follow-on attacks.

Removing the Malicious Plugin and Assessing Compromise

  • Uninstall ScreenShareOTR and the other listed plugins immediately. On Windows, check Program Files and AppData\Roaming\.purple\plugins; on Linux, check ~/.purple/plugins.
  • Run a full system scan with an updated endpoint security tool — ESET, which discovered this campaign, provides detection for DarkGate variants.
  • Audit credential stores: DarkGate harvests saved passwords from browsers and applications. Rotate passwords for email, VPN, and any corporate accounts accessible from the affected machine.
  • Check for persistence mechanisms: DarkGate creates scheduled tasks and registry run keys. Review Task Scheduler and HKCU\Software\Microsoft\Windows\CurrentVersion\Run for unfamiliar entries.
  • For corporate environments: isolate the affected machine and conduct network log review to identify C2 communications with jabberplugins[.]net and any downstream lateral movement.
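The first and last checks in the list above can be scripted. The following triage helper is an added example written for this article; it is not code from Pidgin, ESET or the CyberSecureFox team. It looks for the plugin names quoted in the report inside the per-user `.purple/plugins` directories named above (Windows and Linux), and flags proxy or DNS log lines that reference jabberplugins[.]net or any of its subdomains. The on-disk plugin file names and the log line format are assumptions (the report gives neither), so the plugin match is a normalised substring heuristic and the sample log lines are constructed for a stand-alone run.

```python
"""Triage helper for the Pidgin ScreenShareOTR incident (added example).

Two checks from the remediation list: (1) look for the named plugins in the
.purple plugin directories, (2) flag log lines that reference the C2 domain.
Plugin file names and log format are assumptions; the match is a heuristic.
"""
import os
import re
import sys
from pathlib import Path
from typing import Iterable, List

# Plugin names quoted in the report. Matched after normalisation (lowercase,
# alphanumerics only) because the report does not give on-disk file names.
SUSPECT_PLUGINS = [
    "ScreenShareOTR",
    "OMEMO",
    "Pidgin Paranoia",
    "Master Password",
    "Window Merge",
    "HTTP File Upload",
]

# C2 domain from the report, refanged for matching; subdomains are matched too.
C2_DOMAIN = "jabberplugins[.]net".replace("[.]", ".")
_C2_RE = re.compile(
    r"(?:^|[^a-z0-9-])(?:[a-z0-9-]+\.)*" + re.escape(C2_DOMAIN) + r"(?![a-z0-9-])",
    re.IGNORECASE,
)

# Constructed sample proxy log lines (not real telemetry) for a stand-alone run.
SAMPLE_LOG = [
    "2024-08-10T09:12:01Z 10.0.0.15 GET https://jabberplugins.net/download/ScreenShareOTR.exe 200",
    "2024-08-10T09:12:04Z 10.0.0.15 GET https://cdn.jabberplugins.net/p.ps1 200",
    "2024-08-10T09:13:00Z 10.0.0.22 GET https://pidgin.im/plugins/third-party/ 200",
]


def _norm(name: str) -> str:
    """Lowercase and strip everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def purple_plugin_dirs() -> List[Path]:
    """Per-user plugin directories named in the report, for Windows and Linux."""
    home = Path.home()
    if sys.platform.startswith("win"):
        appdata = os.environ.get("APPDATA")
        base = Path(appdata) if appdata else home / "AppData" / "Roaming"
        return [base / ".purple" / "plugins"]
    return [home / ".purple" / "plugins"]


def find_suspect_plugins(filenames: Iterable[str]) -> List[str]:
    """Return file names whose normalised stem contains a suspect plugin name."""
    hits = []
    for fname in filenames:
        stem = _norm(Path(fname).stem)
        if any(_norm(p) in stem for p in SUSPECT_PLUGINS):
            hits.append(fname)
    return hits


def scan_log_for_c2(lines: Iterable[str]) -> List[str]:
    """Return log lines that reference the C2 domain or one of its subdomains."""
    return [line.rstrip("\n") for line in lines if _C2_RE.search(line)]


def main() -> int:
    """Run both checks; exit 1 if anything was found. Optional argv[1]: log file."""
    findings = 0
    for d in purple_plugin_dirs():
        if d.is_dir():
            hits = find_suspect_plugins(e.name for e in os.scandir(d) if e.is_file())
            for h in hits:
                print(f"[plugin] {d / h}")
            findings += len(hits)
        else:
            print(f"[info] {d} not present")
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = scan_log_for_c2(fh)
    else:
        hits = scan_log_for_c2(SAMPLE_LOG)
    for h in hits:
        print(f"[c2] {h}")
    findings += len(hits)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as `python triage.py proxy.log` on each affected host; a non-zero exit means something matched. The plugin check is deliberately over-inclusive (any file whose name contains one of the listed plugin names), so a hit is a prompt for the remaining manual steps (scheduled tasks, Run keys, credential rotation), not a verdict on its own, and a clean result does not rule out compromise on a machine where the plugin was already removed.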

Pidgin has not announced a code-signing requirement or automated binary verification for third-party plugins in response to this incident. Users sourcing plugins from outside the official repository should treat any binary-only plugin without published source code as untrusted until independently verified.
