โŒ

Normal view

Open the wrong โ€œPDFโ€ and attackers gain remote access to your PC

5 February 2026 at 14:48

Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing one step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF documents. Open the wrong โ€œinvoiceโ€ or โ€œpurchase orderโ€ and you wonโ€™t see a document at all. Instead, Windows mounts a virtual drive that quietly installs AsyncRAT, a backdoor Trojan that allows attackers to remotely monitor and control your computer.

Itโ€™s a remote access tool, which means attackers gain remote handsโ€‘onโ€‘keyboard control, while traditional fileโ€‘based defenses see almost nothing suspicious on disk.

From a high-level view, the infection chain is long, but every step looks just legitimate enough on its own to slip past casual checks.

Victims receive phishing emails that look like routine business messages, often referencingย purchase ordersย or invoices and sometimes impersonating real companies. The email doesnโ€™t attach a document directly. Instead, it links to a file hosted onย IPFS (InterPlanetary File System), a decentralized storage network increasingly abused in phishing campaigns because content is harder to take down and can be accessed through normal web gateways.

The linked file is named as a PDF and has the PDF icon, but is actually a virtual hard disk (VHD)ย file. When the user doubleโ€‘clicks it, Windowsย mounts it as a new driveย (for example, drive E:) instead of opening a document viewer. Mounting VHDs is perfectly legitimate Windows behavior, which makes this step less likely to ring alarm bells.

Inside the mounted drive is what appears to be the expected document, but itโ€™s actually aย Windows Script File (WSF). When the user opens it, Windows executes the code in the file instead of displaying a PDF.

After some checks to avoid analysis and detection, the script injects the payloadโ€”AsyncRAT shellcodeโ€”into trusted, Microsoftโ€‘signed processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, or sihost.exe. The malware never writes an actual executable file to disk. It lives and runs entirely in memory inside these legitimate processes, making detection and eventually at a later stage, forensics much harder. It also avoids sudden spikes in activity or memory usage that could draw attention.

For an individual user, falling for this phishing email can result in:

  • Theft of saved and typed passwords, including for email, banking, and social media.
  • Exposure of confidential documents, photos, or other sensitive files taken straight from the system.
  • Surveillance via periodic screenshots or, where configured, webcam capture.
  • Use of the machine as a foothold to attack other devices on the same home or office network.

How to stay safe

Because detection can be hard, it is crucial that users apply certain checks:

  • Donโ€™t open email attachments until after verifying, with a trusted source, that they are legitimate.
  • Make sure you can see the actual file extensions. Unfortunately, Windows allows users to hide them. So, when in reality the file would be called invoice.pdf.vhd the user would only see invoice.pdf. To find out how to do this, see below.
  • Use an up-to-date, real-time anti-malware solution that can detect malware hiding in memory.

Showing file extensions on Windows 10 and 11

To show file extensions in Windows 10 and 11:

  • Openย Explorerย (Windows key + E)
  • In Windows 10, selectย Viewย and check the box forย File name extensions.
  • In Windows 11, this is found underย View > Show > File name extensions.

Alternatively, search for File Explorer Options to uncheck Hide extensions for known file types.

For older versions of Windows, refer to this article.


We donโ€™t just report on threatsโ€”we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byย downloading Malwarebytes today.

[updated] A fake cloud storage alert that ends at Freecash

3 February 2026 at 11:38

Last week we talked about an app that promises users they can make money testing games, or even just by scrolling through TikTok.

Imagine our surprise when we ended up on a site promoting that same Freecash app while investigating a โ€œcloud storageโ€ phish. Weโ€™ve all probably seen one of those. Theyโ€™re common enough and according to recent investigation by BleepingComputer, thereโ€™s a

โ€œlarge-scale cloud storage subscription scam campaign targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.โ€

Based on the description in that article, the email we found appears to be part of this campaign.

Cloud storage payment issue email

The subject line of the email is:

โ€œ{Recipient}. Your Cloud Account has been locked on Sat, 24 Jan 2026 09:57:55 -0500. Your photos and videos will be removed!โ€

This matches one of the subject lines that BleepingComputer listed.

And the content of the email:

โ€œPayment Issue โ€“ Cloud Storage

Dear User,

We encountered an issue while attempting to renew your Cloud Storage subscription.

Unfortunately, your payment method has expired. To ensure your Cloud continues without interruption, please update your payment details.

Subscription ID: 9371188

Product: Cloud Storage Premium

Expiration Date: Sat,24 Jan-2026

If you do not update your payment information, you may lose access to your Cloud Storage, which may prevent you from saving and syncing your data such as photos, videos, and documents.

Update Payment Details {link button}

Security Recommendations:

  • Always access your account through our official website
  • Never share your password with anyone
  • Ensure your contact and billing information are up to dateโ€

The link in the email leads to ย https://storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html#/redirect.html, which helps the scammer establish a certain amount of trust because it points to Google Cloud Storage (GCS). GCS is a legitimate service that allows authorized users to store and manage data such as files, images, and videos in buckets. However, as in this case, attackers can abuse it for phishing.

The redirect carries some parameters to the next website.

first redirect

The feed.headquartoonjpn[.]com domain was blocked by Malwarebytes. Weโ€™ve seen it before in an earlier campaign involving an Endurance-themed phish.

Endiurance phish

After a few more redirects, we ended up at hx5.submitloading[.]com, where a fake CAPTCHA triggered the last redirect to freecash[.]com, once it was solved.

slider captcha

The end goal of this phish likely depends on the parameters passed along during the redirects, so results may vary.

Rather than stealing credentials directly, the campaign appears designed to monetize traffic, funneling victims into affiliate offers where the operators get paid for sign-ups or conversions.

BleepingComputer noted that they were redirected to affiliate marketing websites for various products.

โ€œProducts promoted in this phishing campaign include VPN services, little-known security software, and other subscription-based offerings with no connection to cloud storage.โ€

How to stay safe

Ironically, the phishing email itself includes some solid advice:

  • Always access your account through our official website.
  • Never share your password with anyone.

Weโ€™d like to add:

  • Never click on links in unsolicited emails without verifying with a trusted source.
  • Use an up-to-date, real-time anti-malware solution with a web protection component.
  • Do not engage with websites that attract visitors like this.

Pro tip: Malwarebytes Scam Guard would have helped you identify this email as a scam and provided advice on how to proceed.

Redirect flow (IOCs)

storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html

feed.headquartoonjpn[.]com

revivejudgemental[.]com

hx5.submitloading[.]com

freecash[.]com

Update February 5, 2026

Almedia GmbH, the company behind the Freecash platform, reached out to us for information about the chain of redirects that lead to their platform. And after an investigation they notified us that:

โ€œFollowing Malwarebytesโ€™ reporting and the additional information they shared with us, we investigated the issue and identified an affiliate operating in breach of our policies. That partner has been removed from our network.

Almedia does not sell user data, and we take compliance, user trust, and responsible advertising seriously.โ€


We donโ€™t just report on scamsโ€”we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if itโ€™s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and weโ€™llย tell you if itโ€™s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

How fake party invitations are being used to install remote access tools

2 February 2026 at 11:18

โ€œYouโ€™re invited!โ€ย 

It soundsย friendly,ย familiarย and quiteย harmless.ย But in aย scamย we recentlyย spotted, thatย simpleย phrase is beingย usedย to trick victims into installing a full remote access tool on theirย Windowsย computersโ€”giving attackers complete control of the system.ย 

What appears to be aย casual party or event invitationย leads toย the silent installation ofย ScreenConnect, a legitimate remoteย supportย toolย quietly installedย in the background and abused byย attackers.ย 

Hereโ€™s how theย scamย works, whyย itโ€™sย effective, andย how to protect yourself.ย 

Theย email: Aย partyย invitationย 

Victims receive an email framed as a personal invitationโ€”often written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.ย 

In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you donโ€™t know.

So far,ย weโ€™veย only seenย thisย campaignย targetingย peopleย in theย UK,ย butย thereโ€™s nothingย stoppingย it from expandingย elsewhere.ย 

Clicking the link in the email leadsย to a polishedย invitationย page hosted on an attacker-controlled domain.ย 

Party invitation email from a contact

Theย invite: Theย landing pageย thatย leads to an installerย 

The landing page leans heavily into theย partyย theme,ย but instead of showing event details, the pageย nudgesย the user toward opening a file. None of them look dangerous on their own, but together theyย keep the user focused on theย โ€œinvitationโ€ย file:ย 

  • A boldย โ€œYouโ€™re Invited!โ€ย headlineย 
  • The suggestion that aย friend had sent the invitationย 
  • Aย messageย sayingย the invitation is best viewed on aย Windows laptop or desktop
  • A countdownย suggestingย yourย invitation is already โ€œdownloadingโ€ย 
  • A message implying urgency and social proof (โ€œI opened mine and it was so easy!โ€)ย 

Within seconds, the browser is redirected to downloadย RSVPPartyInvitationCard.msiย 

The page even triggers the download automatically to keep the victim moving forward without stopping to think.ย 

This MSI fileย isnโ€™tย an invitation.ย Itโ€™sย an installer.ย 

The landing page

Theย guest: What the MSIย actuallyย doesย 

When theย user opens theย MSI file, it launchesย msiexec.exeย andย silentlyย installsย ScreenConnectย Client, a legitimate remote access tool often used by IT support teams.ย ย 

Thereโ€™sย noย invitation, RSVP form, or calendar entry.ย 

What happens instead:ย 

  • ScreenConnectย binaries areย installedย underย C:\Program Files (x86)\ScreenConnectย Client\ย 
  • Aย persistent Windows serviceย is createdย (for example,ย ScreenConnectย Clientย 18d1648b87bb3023)ย 
  • ScreenConnectย installsย multiple .NET-based componentsย 
  • There is no clear user-facingย indicationย that a remote access tool is being installedย 

From the victimโ€™s perspective,ย very littleย seems to happen. But at this point, the attackerย can now remotely accessย theirย computer.ย 

Theย after-party: Remoteย accessย isย establishedย 

Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnectโ€™s relay servers, including a uniquely assigned instance domain.

That connectionย givesย the attacker theย same level of access as a remote ITย technician, including theย ability to:ย 

  • Seeย the victimโ€™s screen in real time
  • Controlย theย mouse and keyboardย 
  • Upload or downloadย filesย 
  • Keepย accessย even after the computer is restartedย 

Becauseย ScreenConnectย is legitimate softwareย commonlyย usedย for remote support,ย its presenceย isnโ€™tย always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesnโ€™t remember installing.ย 

Whyย thisย scamย worksย 

This campaign is effective because it targetsย normal, predictable human behavior. From a behavioral security standpoint, it exploitsย our naturalย curiosityย andย appears to beย a lowย risk.ย 

Most peopleย donโ€™tย think of invitations as dangerous. Opening one feels passive,ย like glancing at a flyer or checking a message, not installing software.ย 

Even security-aware users are trained to watch out for warnings and pressure. A friendly โ€œyouโ€™re invitedโ€ messageย doesnโ€™tย trigger those alarms.ย 

By the time something feels off, the software is already installed.ย 

Signs your computer may be affectedย 

Watch for:ย 

  • A download or executed file namedย RSVPPartyInvitationCard.msiย 
  • Anย unexpected installation ofย ScreenConnectย Clientย 
  • Aย Windows serviceย namedย ScreenConnectย Clientย with random charactersย ย 
  • Your computer makes outbound HTTPS connections toย ScreenConnectย relay domainsย 
  • Your system resolvesย the invitation-hosting domain used in this campaign,ย xnyr[.]digitalย 

How to stay safeย ย 

This campaign is a reminder that modern attacks oftenย donโ€™tย break inโ€”theyโ€™reย invited in.ย Remote access tools give attackers deep control over a system. Acting quickly can limitย the damage.ย ย 

For individualsย 

If you receive an email like this:ย 

  • Be suspicious of invitations that ask you to download or open softwareย 
  • Never run MSI files from unsolicited emailsย 
  • Verify invitations through another channel before opening anythingย 

If you already clicked or ran the file:ย ย 

  • Disconnect from the internetย immediatelyย 
  • Check forย ScreenConnectย and uninstall it if presentย 
  • Run a full security scanย 
  • Change important passwords from a clean, unaffected deviceย 

Forย organisationsย (especially in the UK)ย 

  • Alert onย unauthorizedย ScreenConnectย installations
  • Restrict MSI execution whereย feasibleย 
  • Treat โ€œremote support toolsโ€ as high-risk software
  • Educate users:ย invitationsย donโ€™tย come as installersย 

This scam works by installing a legitimate remote access tool without clear user intent. Thatโ€™s exactly the gap Malwarebytes is designed to catch.

Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. Youโ€™re then given a choice: confirm that the tool is expected and trusted, or remove it if it isnโ€™t.


We donโ€™t just report on threatsโ€”we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byย downloading Malwarebytes today.

Clawdbotโ€™s rename to Moltbot sparks impersonation campaign

29 January 2026 at 15:26

After the viral AI assistant Clawdbot was forced to rename to Moltbot due to a trademark dispute, opportunists moved quickly. Within days, typosquat domains and a cloned GitHub repository appearedโ€”impersonating the projectโ€™s creator and positioning infrastructure for a potential supply-chain attack.

The code is clean. The infrastructure is not. With the GitHub downloads and star rating rapidly rising, we took a deep dive into how fake domains target viral open source projects.

Fake domains spring up to impersonate Moltbot's landing page

The background: Why was Clawdbot renamed?

In early 2026, Peter Steinbergerโ€™s Clawdbot became one of the fastest-growing open source projects on GitHub. The self-hosted assistantโ€”described as โ€œClaude with handsโ€โ€”allowed users to control their computer through WhatsApp, Telegram, Discord, and similar platforms.

Anthropic later objected to the name. Steinberger complied and rebranded the project to Moltbot (โ€œmoltโ€ being what lobsters do when they shed their shell).

During the rename, both the GitHub organization and X (formerly Twitter) handle were briefly released before being reclaimed. Attackers monitoring the transition grabbed them within seconds.

โ€œHad to rename our accounts for trademark stuff and messed up the GitHub rename and the X rename got snatched by crypto shills.โ€ โ€” Peter Steinberger

โ€œHad to rename our accounts for trademark stuff and messed up the GitHub rename and the X rename got snatched by crypto shills.โ€ โ€” Peter Steinberger

That brief gap was enough.

Impersonation infrastructure emerged

While investigating a suspicious repository, I uncovered a coordinated set of assets designed to impersonate Moltbot.

Domains

  • moltbot[.]you
  • clawbot[.]ai
  • clawdbot[.]you

Repository

  • github[.]com/gstarwd/clawbot โ€” a cloned repository using a typosquatted variant of the former Clawdbot project name

Website

A polished marketing site featuring:

  • professional design closely matching the real project
  • SEO optimization and structured metadata
  • download buttons, tutorials, and FAQs
  • claims of 61,500+ GitHub stars lifted from the real repository

Evidence of impersonation

False attribution: The siteโ€™s schema.org metadata falsely claims authorship by Peter Steinberger, linking directly to his real GitHub and X profiles. This is explicit identity misrepresentation.

The site's metadata

Misdirection to an unauthorized repository: โ€œView on GitHubโ€ links send users to gstarwd/clawbot, not the official moltbot/moltbot repository.

Stolen credibility:The site prominently advertises tens of thousands of stars that belong to the real project. The clone has virtually none (although at the time of writing, that number is steadily rising).

The site advertises 61,500+ GitHub stars

Mixing legitimate and fraudulent links: Some links point to real assets, such as official documentation or legitimate binaries. Others redirect to impersonation infrastructure. This selective legitimacy defeats casual verification and appears deliberate.

Full SEO optimization: Canonical tags, Open Graph metadata, Twitter cards, and analytics are all presentโ€”clearly intended to rank the impersonation site ahead of legitimate project resources.

The ironic security warning: The impersonation site even warns users about scams involving fake cryptocurrency tokensโ€”while itself impersonating the project.

The site warms about crypto scams.

Code analysis: Clean by design

I performed a static audit of the gstarwd/clawbot repository:

  • no malicious npm scripts
  • no credential exfiltration
  • no obfuscation or payload staging
  • no cryptomining
  • no suspicious network activity

The code is functionally identical to the legitimate project, which is not reassuring.

The threat model

The absence of malware is the strategy. Nothing here suggests an opportunistic malware campaign. Instead, the setup points to early preparation for a supply-chain attack.

The likely chain of events:

A user searches for โ€œclawbot GitHubโ€ or โ€œmoltbot downloadโ€ and finds moltbot[.]you or gstarwd/clawbot.

The code looks legitimate and passes a security audit.

The user installs the project and configures it, adding API keys and messaging tokens. Trust is established.

At a later point, a routine update is pulled through npm update or git pull. A malicious payload is delivered into an installation the user already trusts.

An attacker can then harvest:

  • Anthropic API keys
  • OpenAI API keys
  • WhatsApp session credentials
  • Telegram bot tokens
  • Discord OAuth tokens
  • Slack credentials
  • Signal identity keys
  • full conversation histories
  • command execution access on the compromised machine

Whatโ€™s malicious, and what isnโ€™t

Clearly malicious

  • false attribution to a real individual
  • misrepresentation of popularity metrics
  • deliberate redirection to an unauthorized repository

Deceptive but not yet malware

  • typosquat domains
  • SEO manipulation
  • cloned repositories with clean code

Not present (yet)

  • active malware
  • data exfiltration
  • cryptomining

Clean code today lowers suspicion tomorrow.

A familiar pattern

This follows a well-known pattern in open source supply-chain attacks.

A user searches for a popular project and lands on a convincing-looking site or cloned repository. The code appears legitimate and passes a security audit.

They install the project and configure it, adding API keys or messaging tokens so it can work as intended. Trust is established.

Later, a routine update arrives through a standard npm update or git pull. That update introduces a malicious payload into an installation the user already trusts.

From there, an attacker can harvest credentials, conversation data, and potentially execute commands on the compromised system.

No exploit is required. The entire chain relies on trust rather than technical vulnerabilities.

How to stay safe

Impersonation infrastructure like this is designed to look legitimate long before anything malicious appears. By the time a harmful update arrivesโ€”if it arrives at allโ€”the software may already be widely installed and trusted.

Thatโ€™s why basic source verification still matters, especially when popular projects rename or move quickly.

Advice for users

  • Verify GitHub organization ownership
  • Bookmark official repositories directly
  • Treat renamed projects as higher risk during transitions

Advice for maintainers

  • Pre-register likely typosquat domains before public renames
  • Coordinate renames and handle changes carefully
  • Monitor for cloned repositories and impersonation sites

Pro tip: Malwarebytes customers are protected. Malwarebytes is actively blocking all known indicators of compromise (IOCs) associated with this impersonation infrastructure, preventing users from accessing the fraudulent domains and related assets identified in this investigation.


We donโ€™t just report on threatsโ€”we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices byย downloading Malwarebytes today.

Watch out for AT&T rewards phishing text that wants your personal details

27 January 2026 at 18:43

A coworker shared this suspicious SMS where AT&T supposedly warns the recipient that their reward points are about to expire.

Phishing attacks are growing increasingly sophisticated, likely with help from AI. Theyโ€™re getting better at mimicking major brandsโ€”not just in look, but in behavior. Recently, we uncovered a well-executed phishing campaign targeting AT&T customers that combines realistic branding, clever social engineering, and layered data theft tactics.

In this post, weโ€™ll walk you through the investigation, screen by screen, explaining how the campaign tricks its victims and where the stolen data ends up.

This is the text message that started the investigation.

โ€œDear Customer,
Your AT&T account currently holds 11,430 reward points scheduled to expire on January 26, 2026.
Recommended redemption methods:
โ€“ AT&T Rewards Center: {Shortened link}
โ€“ AT&T Mobile App: Rewards section
AT&T is dedicated to serving you.โ€

The shortened URL led to https://att.hgfxp[.]cc/pay/, a website designed to look like an AT&T site in name and appearance.

All branding, headers, and menus were copied over, and the page was full of real links out to att.com.

But the โ€œmain eventโ€ was a special section explaining how to access your AT&T reward points.

After โ€œverifyingโ€ their account with a phone number, the victim is shown a dashboard warning that their AT&T points are due to expire in two days. This short window is a common phishing tactic that exploits urgency and FOMO (fear of missing out).

The rewards on offerโ€”such as Amazon gift cards, headphones, smartwatches, and moreโ€”are enticing and reinforce the illusion that the victim is dealing with a legitimate loyalty program.

To add even more credibility, after submitting a phone number, the victim gets to see a list of available gifts, followed by a final confirmation prompt.

At that point, the target is prompted to fill out a โ€œDelivery Informationโ€ form requesting sensitive personal information, including name, address, phone number, email, and more. This is where the actual data theft takes place.

The formโ€™s visible submission flow is smooth and professional, with real-time validation and error highlightingโ€”just like youโ€™d expect from a top brand. This is deliberate. The attackers use advanced front-end validation code to maximize the quality and completeness of the stolen information.

Behind the slick UI, the form is connected to JavaScript code that, when the victim hits โ€œContinue,โ€ collects everything theyโ€™ve entered and transmits it directly to the attackers. In our investigation, we deobfuscated their code and found a large โ€œdataโ€ section.

The stolen data gets sent in JSON format via POST to https://att.hgfxp[.]cc/api/open/cvvInterface.

This endpoint is hosted on the attackerโ€™s domain, giving them immediate access to everything the victim submits.

What makes this campaign effective and dangerous

  • Sophisticated mimicry: Every page is an accurate clone of att.com, complete with working navigation links and logos.
  • Layered social engineering: Victims are lured step by step, each page lowering their guard and increasing trust.
  • Quality assurance: Custom JavaScript form validation reduces errors and increases successful data capture.
  • Obfuscated code: Malicious scripts are wrapped in obfuscation, slowing analysis and takedown.
  • Centralized exfiltration: All harvested data is POSTed directly to the attackerโ€™s command-and-control endpoint.

How to defend yourself

A number of red flags could have alerted the target that this was a phishing attempt:

  • The text was sent to 18 recipients at once.
  • It used a generic greeting (โ€œDear Customerโ€) instead of personal identification.
  • The senderโ€™s number was not a recognized AT&T contact.
  • The expiration date changed if the victim visited the fake site on a later date.

Beyond avoiding unsolicited links, here are a few ways to stay safe:

  • Only access your accounts through official apps or by typing the official website (att.com) directly into your browser.
  • Check URLs carefully. Even if a page looks perfect, hover over links and check the address bar for official domains.
  • Enable multi-factor authenticationย for your AT&T and other critical accounts.
  • Use an up to date real-time anti-malware solution with a web protection module.

Pro tip: Malwarebytes Scam Guard recognized this text as a scam.


We donโ€™t just report on scamsโ€”we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if itโ€™s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and weโ€™llย tell you if itโ€™s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

โŒ