COMMENTARY: The human element remains one of the top threat vectors within organizations. Well-intentioned employees trying to get their work done quickly and efficiently can sometimes unknowingly introduce new security risks in doing so.

For instance, an employee needs a PDF editor or design tool, but can't find an IT-approved option or doesn't want to wait for access. So they download a free or "cracked" version from the web. It feels harmless. In reality, it creates a direct path into the organization's IT environment.

[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]

This represents shadow IT at its most dangerous. The user isn't acting maliciously, but that action can introduce malware, open the door to data theft, or give attackers a foothold.

And it's not a theoretical risk. Our SOC team has recently observed multiple attempts by users to download and install pirated or cracked software, as well as unauthorized installers, on corporate endpoints.

Cracked software delivers what attackers need, hidden in something users trust. These programs don't just run a single malicious script and stop. They often install multiple components at once.

Some scrape data from the system or the browser and quietly send it out. Others escalate privileges to move deeper into the environment. Many try to disable or bypass security controls, then reach out to command-and-control (C2) infrastructure to pull down additional payloads. From there, it can turn into credential theft, lateral movement, or ransomware.

The delivery method matters just as much as what's inside. Most cracked tools rely on executable files to install and activate the software. That's a problem on its own. Our research found that 87% of executable files delivered by email were malicious.

This isn't a niche threat. It uses the same mechanisms that attackers already rely on every day.

Security teams don't have to guess.
Cracked software leaves a clear trail of user-driven behavior.

It often starts with executable files showing up in places they don't belong, like Downloads or temp folders. In many cases, those files arrive bundled inside ZIP or RAR archives pulled from torrent or file-sharing sites.

From there, the user extracts the files manually using tools like WinRAR or 7-Zip and installs them step by step, opening individual files instead of running a standard installer. Filenames like "activate.exe" or similar variants appear frequently in these cases, along with attempts to bypass license checks or modify how the application runs.

While none of these actions looks sophisticated on its own, together they form a pattern. Software installs and updates are typically automated, so it's unusual for a single user to download, unpack, and execute files manually.

It's a pattern we have observed across multiple incidents. Someone needs a tool to get their job done. Maybe it's a PDF editor or a design application. The licensed version costs money or takes time to request, so they look for a free option instead. A cracked version solves the immediate problem, so they take the shortcut.

Additionally, employees may not know what their organization already offers. If they can't find an approved tool quickly, they resort to a web search for a solution instead.

Weak execution controls make it worse. In some environments, users can still download and run whatever they want. If that's the case, the risk is already there. It doesn't take a sophisticated attacker, just an open path.

Security teams can reduce this risk, but it takes a shift in focus from policy to control.
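The trail described above (an archive pulled from a file-sharing site into Downloads, manual extraction with WinRAR or 7-Zip, then an executable such as "activate.exe" launched by hand from Downloads or a temp folder) can be turned into a simple correlation rule. The following detector is an added example written for this column, not code from the author or from Barracuda Networks: it scores that chain per user over constructed endpoint telemetry. The event schema, the file-sharing host list, the indicator weights, the alert threshold and the "activat..." filename regex are all assumptions chosen to illustrate the pattern, not tuned detection content.

```python
"""Score the user-driven cracked-software install chain from endpoint events.

Added example, not the column's or Barracuda's code. Event schema, hosts,
weights, window and the activator-name regex are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed file-sharing / torrent hosts (placeholders, not real threat intel).
FILE_SHARING_HOSTS = {"torrent.example", "files.example", "share.example"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
ARCHIVER_IMAGES = {"7z.exe", "7zg.exe", "7zfm.exe", "winrar.exe", "unrar.exe"}
USER_LAUNCHERS = {"explorer.exe", "cmd.exe", "powershell.exe"}  # hands-on-keyboard parents
# Directories a freshly run binary should not normally live in (assumption).
SUSPECT_DIRS = re.compile(r"\\(downloads|temp|tmp|appdata\\local\\temp)\\", re.I)
# "activate.exe or similar variants" per the column; the regex itself is an assumption.
ACTIVATOR_NAME = re.compile(r"activat(e|or|ion)", re.I)

WEIGHTS = {"archive_from_filesharing": 2, "manual_extraction": 2,
           "exec_from_user_dir": 3, "activator_filename": 3, "unsigned_binary": 1}
ALERT_THRESHOLD = 6          # assumption: archive + extraction + exec, or exec + activator name
WINDOW = timedelta(hours=2)  # assumption: indicators must cluster within two hours


def _ts(s):
    return datetime.fromisoformat(s)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the indicator names a single telemetry event matches."""
    hits = set()
    if event["type"] == "file_create":
        if event["path"].lower().endswith(ARCHIVE_EXT) and event.get("source_host") in FILE_SHARING_HOSTS:
            hits.add("archive_from_filesharing")
    elif event["type"] == "process_start":
        image, parent = _base(event["image"]), _base(event.get("parent", ""))
        if image in ARCHIVER_IMAGES and parent in USER_LAUNCHERS:
            hits.add("manual_extraction")          # user drove the archiver, not an installer
        elif parent in USER_LAUNCHERS and SUSPECT_DIRS.search(event["image"]):
            hits.add("exec_from_user_dir")         # binary launched from Downloads/temp
            if ACTIVATOR_NAME.search(image):
                hits.add("activator_filename")
            if not event.get("signed", False):
                hits.add("unsigned_binary")
    return hits


def correlate(events):
    """Per user: collect indicators inside WINDOW, require download -> extract -> exec order, score."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        by_user[ev["user"]].append(ev)
    findings = {}
    for user, evs in by_user.items():
        hits, first_ts = {}, None             # indicator -> first time it was seen
        for ev in evs:
            for h in classify(ev):
                t = _ts(ev["ts"])
                first_ts = first_ts or t
                if t - first_ts <= WINDOW:
                    hits.setdefault(h, t)
        stages = [hits.get(k) for k in ("archive_from_filesharing", "manual_extraction", "exec_from_user_dir")]
        seen = [t for t in stages if t]
        in_order = seen == sorted(seen)       # the chain only counts if the stages happened in sequence
        score = sum(WEIGHTS[h] for h in hits) if in_order else 0
        findings[user] = {"indicators": sorted(hits), "score": score, "alert": score >= ALERT_THRESHOLD}
    return findings


# Constructed sample telemetry: one user walking the cracked-install chain, one benign user.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:02:00", "user": "jdoe", "type": "file_create",
     "path": r"C:\Users\jdoe\Downloads\pdf_editor_pro.rar", "source_host": "torrent.example"},
    {"ts": "2024-05-01T09:05:00", "user": "jdoe", "type": "process_start",
     "image": r"C:\Program Files\WinRAR\WinRAR.exe", "parent": r"C:\Windows\explorer.exe", "signed": True},
    {"ts": "2024-05-01T09:07:00", "user": "jdoe", "type": "process_start",
     "image": r"C:\Users\jdoe\Downloads\pdf_editor_pro\activate.exe", "parent": r"C:\Windows\explorer.exe",
     "signed": False},
    {"ts": "2024-05-01T09:10:00", "user": "asmith", "type": "process_start",   # IT-pushed install
     "image": r"C:\ProgramData\Deploy\setup.exe", "parent": r"C:\Program Files\Agent\agent.exe", "signed": True},
    {"ts": "2024-05-01T09:12:00", "user": "asmith", "type": "process_start",   # approved app, normal path
     "image": r"C:\Program Files\Editor\editor.exe", "parent": r"C:\Windows\explorer.exe", "signed": True},
]

if __name__ == "__main__":
    for user, f in correlate(SAMPLE_EVENTS).items():
        print(user, f)
```

The point of the ordering check is the one the column makes: each event on its own (an archive download, an archiver launch, a binary run from Downloads) is low-value noise, but the sequence is what distinguishes a person installing something by hand from automated software deployment, whose installers run under a management agent rather than under explorer.exe.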
Taking the following five steps won't eliminate shadow IT, but they will make it much harder for a quick download to turn into a serious incident:

1. Block unauthorized executables at runtime: Stop unknown binaries from running, even if a user downloads them manually.

2. Restrict local admin rights: Limit who can install or modify software so a single download can't change the system.

3. Apply a zero-trust approach to application control: Allow only approved applications to run, and block everything else.

4. Use advanced endpoint protection to monitor for behavioral indicators, not just signatures: Look for patterns like manual installs, archive extraction, and unusual execution paths.

5. Reinforce acceptable use policies and user awareness: Make expectations clear and explain the risks.

When a user downloads and runs a cracked tool, they don't just break a rule. They create an entry point that attackers know how to exploit; it's a predictable breach path.

Fortunately, the signals are there. It's a consistent behavior, yet an avoidable outcome. Security teams need to treat these "cracked" software cases for what they are: a user-driven attack path hiding in plain sight.

Eric Russo, director of SOC defensive security, Office of the CTO, Barracuda Networks
5 ways to mitigate the risks of “cracked” software