Phishing has changed. Slowly but surely, cybercriminals are turning to infostealers instead.
Traditional phishing hasn’t gone away. Far from it. But many attackers are no longer focused solely on tricking victims into entering usernames and passwords on fake login pages. Instead, they are using infostealers to quietly collect passwords, cookies, browser data, and other sensitive information from infected devices.
This approach is attractive because it scales well and reduces friction. Instead of relying on a victim to type credentials into a fake site, the malware can harvest logins already saved in browsers, session tokens, autofill data, cryptocurrency wallet details, and even files that contain useful information.
This makes the attack chain less visible. A traditional phishing email often leaves obvious clues: a suspicious link, a fake login page, or a strange attachment. Infostealers are different. They can arrive through malicious online ads (malvertising), cracked software, fake browser updates, game cheats, or dubious download sites, and once installed, they work in the background, stealing whatever the victim’s device has in store.
Part of this shift could be due to the widespread adoption of multi-factor authentication (MFA). By stealing session cookies, cybercriminals can bypass MFA, so they can access accounts without needing a password or authentication code.
Another factor is the rise of the malware-as-a-service (MaaS) ecosystem. Infostealers are cheap to deploy, easy to scale, and highly profitable. Rather than building a full attack chain themselves, many criminals buy access to ready-made stealer kits, loaders, or initial access services from underground vendors. This lowers the barrier to entry and allows less-skilled attackers to run credential theft operations.
In many cases, infostealers are just the first stage of a larger criminal operation. The stolen data is collected, packaged, and sold to other criminals interested in the harvested information. These buyers may specialize in fraud, account takeover, business email compromise, or ransomware. A single infected machine can generate multiple revenue streams: credentials for one buyer, session cookies for another, and corporate access or wallet data for a third.
That division of labor is one reason infostealers have become so persistent. Operators can update their code, rotate infrastructure, and launch new campaigns with minimal effort, while affiliates handle distribution through phishing, malvertising, fake downloads, or social media lures.
How to stay safe
Because infostealers commonly arrive through malvertising, fake browser updates, and one-click downloads, it’s worth treating ads and pop-ups with healthy skepticism. My personal tip: Never click on sponsored ads. Instead, visit official websites directly and download software only from trusted sources such as official vendor sites or app stores.
Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.
Pirated software, game cheats, and cracked tools remain some of the most common delivery methods for infostealers. These downloads often come bundled with malware that installs alongside the software you intended to get. The same caution applies to many browser extensions and add-ons that promise extra features or convenience. Stick to extensions from reputable developers, check reviews and permissions carefully, and avoid installing any add-on that asks for more access than it plausibly needs.
Phishing emails are still a major threat, but many can be spotted if you slow down and verify before clicking. Even if an email looks like it comes from a trusted brand, treat unsolicited attachments and links with caution, especially when they urge you to open a file, install something urgently, or fix a billing issue. If you’re unsure, check the sender address, look for typos or odd phrasing, and confirm the request through a separate channel such as the company’s official website rather than the link in the email.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Phishing has changed. Slowly but surely, cybercriminals are turning to infostealers instead.
Traditional phishing hasn’t gone away. Far from it. But many attackers are no longer focused solely on tricking victims into entering usernames and passwords on fake login pages. Instead, they are using infostealers to quietly collect passwords, cookies, browser data, and other sensitive information from infected devices.
This approach is attractive because it scales well and reduces friction. Instead of relying on a victim to type credentials into a fake site, the malware can harvest logins already saved in browsers, session tokens, autofill data, cryptocurrency wallet details, and even files that contain useful information.
This makes the attack chain less visible. A traditional phishing email often leaves obvious clues: a suspicious link, a fake login page, or a strange attachment. Infostealers are different. They can arrive through malicious online ads (malvertising), cracked software, fake browser updates, game cheats, or dubious download sites, and once installed, they work in the background, stealing whatever the victim’s device has in store.
Part of this shift could be due to the widespread adoption of multi-factor authentication (MFA). By stealing session cookies, cybercriminals can bypass MFA, so they can access accounts without needing a password or authentication code.
Another factor is the rise of the malware-as-a-service (MaaS) ecosystem. Infostealers are cheap to deploy, easy to scale, and highly profitable. Rather than building a full attack chain themselves, many criminals buy access to ready-made stealer kits, loaders, or initial access services from underground vendors. This lowers the barrier to entry and allows less-skilled attackers to run credential theft operations.
In many cases, infostealers are just the first stage of a larger criminal operation. The stolen data is collected, packaged, and sold to other criminals interested in the harvested information. These buyers may specialize in fraud, account takeover, business email compromise, or ransomware. A single infected machine can generate multiple revenue streams: credentials for one buyer, session cookies for another, and corporate access or wallet data for a third.
That division of labor is one reason infostealers have become so persistent. Operators can update their code, rotate infrastructure, and launch new campaigns with minimal effort, while affiliates handle distribution through phishing, malvertising, fake downloads, or social media lures.
How to stay safe
Because infostealers commonly arrive through malvertising, fake browser updates, and one-click downloads, it’s worth treating ads and pop-ups with healthy skepticism. My personal tip: Never click on sponsored ads. Instead, visit official websites directly and download software only from trusted sources such as official vendor sites or app stores.
Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.
Pirated software, game cheats, and cracked tools remain some of the most common delivery methods for infostealers. These downloads often come bundled with malware that installs alongside the software you intended to get. The same caution applies to many browser extensions and add-ons that promise extra features or convenience. Stick to extensions from reputable developers, check reviews and permissions carefully, and avoid installing any add-on that asks for more access than it plausibly needs.
Phishing emails are still a major threat, but many can be spotted if you slow down and verify before clicking. Even if an email looks like it comes from a trusted brand, treat unsolicited attachments and links with caution, especially when they urge you to open a file, install something urgently, or fix a billing issue. If you’re unsure, check the sender address, look for typos or odd phrasing, and confirm the request through a separate channel such as the company’s official website rather than the link in the email.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
It starts with the familiar: a short message, a trusted name, a routine tone. Delivery updates, work pings, brand alerts hum in the background, rarely attracting scrutiny. You check, you answer… — until minutes later you’ve slipped into a trap built to lower your guard and hijack your trust.
That’s why messaging scams cut deep: they exploit everyday habits where instinct, not caution, leads. Communication once moved slowly, leaving room for doubt. Now it’s instant — and that speed is a weapon in criminal hands.
On our blog, we’ve already examined numerous scam schemes in messaging apps — from pig butchering, where the victim is groomed for a very long time, or catfishing, where the scammer creates a fake identity, to phishing via chatbots or through gift-giving campaigns in messaging apps.
Now, for the first time, Kaspersky has set out to capture the full end-to-end reality of messaging-based scams to understand how quickly harm occurs, how they impact trust and what remains after the interaction ends. What emerges is a highly organized and industrialized scam ecosystem embedded within everyday messaging channels such as SMS, WhatsApp, and email.
Kaspersky experts have prepared a report on targeted scams in messaging apps, detailing not only the financial but also the emotional damage caused by such attacks, as well as providing tips on how to protect yourself and avoid them. In this post, we explore the most interesting facts, but you can find more details in the full report.
The damage is underestimated
How much do you think a single successful attack via a messaging app costs the average victim? Ten dollars? Or maybe 50? You’re underestimating the scammers. Although more than a third (36%) of victims incur losses of less than $135, on average a victim loses… $733!
Country
Average loss per victim
Senegal
$392.94
Serbia
$493.32
Morocco
$504.28
Greece
$609.32
United Kingdom
$617.38
Côte d’Ivoire
$654.11
Spain
$672.67
United States
$724.73
Portugal
$868.20
Italy
$896.02
France
$1,193.58
Germany
$1,369.35
The average amount lost by a victim in a successful attack via a messaging app
On the one hand, the financial hit doesn’t look catastrophic in isolation. These are micro-losses by design. Small enough that some never report them to the police. Small enough that banks don’t always investigate. Small enough to be dismissed as bad luck rather than organized crime.
But $733 is not nothing. It’s enough to cover a month’s worth of groceries, school or daycare fees, or utility bills. Against the backdrop of the global cost-of-living crisis, a single such loss can seriously dent a family’s budget.
In 11% of cases, losses exceed $1,350, and more than a quarter of victims (28%) report having been scammed three or more times in the past six months. Once scammers discover that a phone number responds, that contact becomes an asset, circulating from one database to another.
Now imagine the scale of the problem: if just 10% of the three billion messaging‑app users worldwide fell victim with the average loss, the total damage would amount to… nearly $220 billion! This is comparable to the GDP of Greece, and exceeds that of Morocco, Serbia, or Côte d’Ivoire.
It becomes clear that behind the daily flood of fraudulent schemes lie large scam cartels operating on an industrial scale, using AI to personalize messages that mimic those of family members, friends, and familiar brands. This, in essence, forms the basis of a full-fledged economy built on digital identity theft.
Speed beats scrutiny
More than half of successful messaging scams (52%) unfold in under 30 minutes — from first contact to the moment money or personal data changes hands — or even faster, before the victim begins to doubt the legitimacy of the sender. In fact, one in seven scams takes less than five minutes — quicker than boiling an egg!
The speed isn’t accidental. It’s the method. Scammers structure their schemes to deny the victim a chance to come to their senses. Every element is engineered to compress the decision-making window: the urgency of the scenario, the familiarity of the format, the plausibility of the request.
They rush you — faster, faster, don’t tell anyone, you only have a few minutes, solve the problem, don’t ask questions. Click the link, fill in the details, approve the transaction, or else… Or else what? The scammers’ imagination knows no bounds here, but if you don’t do something right now, you’ll definitely regret it.
Alas, the realization of what has happened usually comes when the damage is already irreversible. More than half of victims (51%) lose money; another 43% hand over their personal data — most commonly phone numbers, names, and email addresses — to scammers, and often the victim loses both.
Where and how attacks occur
A delivery notification, a bank alert, a message from a merchant you ordered from last week — messaging apps permeate every aspect of everyday life, making such interactions completely normal. An attack shouldn’t feel like an attack. It should feel like the same message you’ve received hundreds of times.
It’s no surprise that scammers focus their attention on this method of communication first and foremost. The most popular platforms for scams are predictable: WhatsApp (43%), SMS/iMessage (40%), Facebook (27%), Telegram (22%), and Instagram (19%) — these are the ones that people trust most.
A wide variety of schemes is used. Brand impersonation is now one of the three most common types of messaging scam worldwide — accounting for 31% of cases. Fake delivery notifications top the list at 38%, followed by investment scams at 37%.
At the same time, nearly two-thirds (63%) of fraudulent schemes span multiple platforms, moving from SMS to WhatsApp, from WhatsApp to Telegram, etc. In this way, scammers achieve two goals: they mimic organic messaging and evade moderation algorithms.
AI has taken scams to a new level
Just a couple of years ago, fraudulent messages gave themselves away with bad grammar, awkward phrasing, illogical requests, and an obsessive sense of urgency. Today, a phishing message looks, sounds, and reads just like the real thing.
Scam cartels want to catch people in motion — between meetings, on a commute, or during everyday tasks — when your attention is already fragmented. They mimic your mother’s turn of phrase. They match your bank’s tone of voice. They copy your courier’s format exactly. They mirror the rhythm, structure, and style of authentic brand communications across messaging platforms. And AI is accelerating all of it.
What this creates is overlap. Legitimate and fraudulent messages appear in the same environment, using the same formats, language, and triggers. The difference between them is no longer obvious.
The data shows that two-thirds of victims (66%) believe AI was used in the scam against them, 42% cite messages written by AI, 31% report generated or cloned voices, and 25% encountered deepfake images or videos.
That’s why mere awareness and “tech-savviness” may no longer be enough to protect oneself. From Gen Z to Gen X, messaging scams cut across every generation.
And what about the emotional toll?
But money is far from the only problem a victim is left with after an attack. After what they’ve been through, people develop distrust toward incoming messages, unfamiliar numbers, and any requests for action. As a result, 99% of fraud victims say they no longer trust incoming notifications in messaging apps.
This creates a crisis of trust in all digital channels in general. Every legitimate message can now be perceived as a scam. Brands, banks, and delivery services are forced to operate in an environment where the customer is, by default, in a state of distrust.
Dr. Elizabeth Carter, a forensic linguist and criminologist at Kingston University in London, notes that scammers use familiar contexts, common social settings and embedded linguistic norms to create the illusion for the victim that their decision-making is rational and reasonable in the moment. However, what is actually happening is that they construct false realities in which those decisions end up causing financial and psychological harm. She also notes that it is very hard to identify a false reality while you are in it.
After realizing they had been deceived, more than half of victims felt anger — the kind that comes from having trusted something and discovering it was used against you. 42% of victims report frustration, 38% — feeling upset. Moreover, several months later, these feelings haven’t gone away: nearly half of all victims (48%) are still angry, a third (33%) remain frustrated, and 30% are upset.
And nearly one in 10 victims don’t tell anyone what happened. They feel shame, a sense of having fallen for something so obvious. This leaves a significant portion of the actual damage unreported: only 24% of victims contact the police, and only 23% report it to their bank.
So what can be done?
The crisis of trust — and even a touch of paranoia — that has arisen due to widespread attacks on users can linger in victims’ minds for a long time, affecting their quality of life. To prevent this, follow these guidelines:
Pause before you act. The sense of urgency you feel is almost always artificial. A legitimate bank, retailer, or delivery service won’t penalize you for taking 30 seconds to verify before clicking a link or confirming details. It’s precisely this instinct to resolve the situation quickly that scammers are counting on.
Verify through another channel. If a message appears to be from a relative, colleague, or company you trust — contact them through another channel before taking any action. Use secure verification methods, and cross-check identities when something doesn’t feel right. For families, agreeing on a “safe word” in advance can defeat even the most convincing voice clones.
Use a password manager. It will not only help you generate strong, unique passwords for all your accounts and store them securely, syncing them across all your devices, but also protect you from spoofed sites. Even if you click a phishing link and land on such a site, our password manager will notify you about the domain mismatch and refuse to autofill your username and password.
Use protection that works in real time. Modern security solutions, such as Kaspersky Premium, provide real-time protection against malicious links and phishing attempts in the apps and websites you use every day. On Android devices, a dedicated layer of anti-phishing security scans and neutralizes suspicious links as they appear, even within notifications, before you even have a chance to click them.
We’ve covered other threats in messaging apps in similar articles:
The 2026 World Cup presents major cyber risks from ransomware groups, state-aligned actors, and other groups targeting critical infrastructure. Learn more here.
In late April 2026, a client reached out to us for incident response support after discovering a miner running on users’ computers. We later discovered that the malware was being distributed via illegal movie and TV show streaming sites. The infection chain leveraged a fake update for a video player plugin. When the user attempted to watch a video, the player displayed a message saying the plugin version was outdated and asking to install an update to continue.
Clicking the link downloaded a ZIP archive with the following contents:
The archive contained a legitimate executable, HLS Installer.874.exe, alongside a malicious DLL. Launching the EXE triggered a DLL side-loading mechanism, injecting the malicious module into a legitimate program process and executing code within its context. The library contained the logic for deploying the miner and establishing persistence on the device.
At the time of the investigation, the infection risk was associated with two pirated video sites in the .ru and .top TLDs.
Link to previous campaigns
The current incident does not appear to be an isolated case. After analyzing the infection vector and the logic of the DLL, we concluded that this activity is a continuation of a campaign involving pirated digital libraries, which was previously described by another cybersecurity company.
The delivery mechanism for the malicious archive has remained virtually unchanged. Previously, the archive was downloaded in parts from the domain file[.]ipfs[.]us[.]69[.]mu, but this domain was unavailable at the time of our investigation. Instead, the threat actor employed a new website, urush1bar4[.]online.
The structure of the archive has also been preserved: inside is a legitimate executable and a large malicious DLL (see the screenshot below).
In the course of our research, we also discovered a blog post by NTT Security describing a similar delivery method for a malicious archive. In that instance, the threat actors displayed a fake browser crash page (shown below) while simultaneously downloading an archive to the device with a name starting with chromium-patch-nightly.
This scenario resembles the current scheme involving the fake video player plugin update. Given the previously described activity, it’s safe to assume that this campaign has been active since at least 2022. Throughout this entire period, the threat actor has been updating both the downloadable malware and individual parts of the infection mechanism.
Potential distribution scale
As in previous episodes of the campaign, infections occur via highly popular websites. As of late April 2026, sites linked to the campaign typically displayed extremely high monthly traffic. For instance, the audience for the smallest of the free digital libraries stood at 11,000 users, while the largest reached 4.7 million. For pirated movie and TV show streaming sites, this figure ranged from 2.1 million to 27.4 million. In April, the total number of visits to websites where the malware described in this study was detected reached 40 million.
The popularity of these sites increases the potential scale of the miner’s distribution. Furthermore, the campaign is not limited to a single type of platform: the malicious archive is being distributed through both online digital libraries and movie and TV show streaming sites. This broadens the potential range of victims and makes it more difficult to attribute the threat to a single infection vector.
The downloadable archive
The current version of the downloadable malware is a ZIP archive containing a legitimate EXE file and a malicious DLL. When the executable runs, the library side-loads into its process, triggering the malicious logic.
The technical analysis that follows covers the current version of this malware. This version was first observed in April 2025 and has been distributed unmodified for over a year.
DLL analysis
Most of the data inside the DLL carries no meaningful weight and was randomly generated just to inflate the file size and impede analysis.
Amidst the large volume of junk code inside the DLL, there is a single function that triggers a stack overflow during execution:
Based on the code, the size of the stackBuf buffer on the stack is only 64 bytes, and the SmashStack function overwrites this buffer without validating the length of the input data.
This overflow constructs a ROP chain that decrypts the next stage. After decryption, it transfers execution to code located within the modified DOS header of the PE file:
The header was intentionally modified to make it into valid shellcode:
pop r10
push r10
call $+5
pop rcx
sub rcx, 9
mov rax, rcx
add rax, 5C1000h
call rax
retn
This shellcode passes control to a function located at offset 0x5C1000 from the base of the PE file. This function then reflectively loads the same PE file into memory.
Going forward, we will refer to this decrypted PE file as the main module.
Main module
The module’s behavior across its different operational stages is detailed below:
Upon an initial run, the main module checks whether it has permission to proceed with execution. To do this, it collects the following data from the victim’s device:
Processor information
The serial number of the C:/ drive
Whether the process was launched with elevated privileges
The process start time in Unix timestamp format
The information is transmitted as a single large DNS query using the DNS tunneling technique. An example of the DNS query is shown below:
The attackers disguise the DNS query as legitimate traffic through low-level packet crafting and by using a domain name ending in microsoft.com. However, the IP address to which the query is actually sent has no relation to Microsoft.
DNS query crafting code
The execution of the main module proceeds only if the following byte sequence is detected in the response: 01 02 03 04. Following a successful check, the main module launches, and the subsequent logic is adjusted depending on whether the process has elevated privileges on the compromised host.
Let’s look at both scenarios:
1. The process is launched with elevated privileges.
In this case, preparatory steps precede the miner launch:
The malware adds Windows Defender exclusions for EXE and DLL files, as well as for the %USERPROFILE%, %PROGRAMDATA%, and %WINDIR% folders.
It kills Microsoft’s Malicious Software Removal Tool (MSRT) by calling ZwSetInformationFile with the FileDispositionInformation type, which causes the mrt.exe file to be deleted upon closing. To prevent MSRT from being automatically installed during the next update, the DontOfferThroughWUAU parameter is created with a value of 1 under the HKLM\Software\Policies\Microsoft\MRT registry key.
Automatic hibernation and sleep mode are disabled for when the device is running on both AC power and battery.
This is done to maximize the miner’s potential runtime on the device.
Next, to achieve persistence, a copy is created in the C:\ProgramData\Google\Chrome directory, after which the GoogleUpdateTaskMachineQC service is registered and configured to launch automatically at system startup.
Finally, four reflexive loads are executed: the components are injected directly into the memory of the target processes without writing to disk, having bypassed standard Windows loading mechanisms. Each implant is injected into its own host process:
RAT agent → into conhost.exe
Watchdog → into explorer.exe
CPU miner → into explorer.exe
GPU miner → into explorer.exe, but only if a discrete GPU is present in the system. This is verified by enumerating all display adapters in the system.
2. The process is launched with standard privileges.
In this scenario, the miner begins repeatedly triggering User Account Control (UAC) prompts until it is successfully executed with elevated privileges. The workflow is as follows:
Upon initial execution, a copy is made to the %USERPROFILE%\AppData\Roaming\Sandboxie directory and relaunched from there. Simultaneously, an attempt is made to launch it with elevated privileges via UAC.
If execution occurs from the Sandboxie folder:
Persistence is configured for the miner copy in this folder by adding an entry to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Every three minutes, an attempt is made to launch with elevated privileges via UAC until the GoogleUpdateTaskMachineQC service is successfully installed.
A successful installation requires all of the following conditions to be met:
The GoogleUpdateTaskMachineQC service exists in the system.
The Start value for this service is set to 2 (Automatic).
The ImagePath value points to a file in the C:\ProgramData\Google\Chrome folder.
This file exists on disk.
Watchdog
The purpose of this component is to ensure the uninterrupted operation of the miner. At the very beginning of its execution, it copies all files from the C:\ProgramData\Google\Chrome folder and encrypts the contents of each file using a cyclic XOR algorithm with the key AFeIboiOmImJS2ypJU0pTpAO61SELkUc. After that, the encrypted contents are written into the process memory, and the following structure is created in memory for each file:
class FileContainer{
wchar_t* fullPath; // full path to file
size_t* ptrSize; // pointer to file size
uint8_t* xorEncryptedFile; //pointer to buffer containing encrypted file contents
};
As soon as the contents of all files are saved in memory, Watchdog enters an infinite loop, where every five seconds, it checks the integrity of the installed GoogleUpdateTaskMachineQC service, just as the main module does. If the service is found to be incorrectly installed, the miner overwrites its files in the C:\ProgramData\Google\Chrome path with the contents acquired at startup.
To successfully remediate the miner, this module, which runs inside the explorer.exe process, must be terminated first.
RAT agent
This module provides remote control capabilities via four commands, which are described at the end of this section. The command-and-control addresses used to receive these commands follow this format:
http://{domain}.space/index.php?authorization=1
http://{domain}.site/index.php? backup version
The {domain} is calculated based on the current date. The process starts with the current year, then adds the zone identifier for the current month. All 12 months are divided into four zones. Finally, the word microsoft is appended to the resulting string. This final string is used as the input for subsequent double hashing using the MurmurHash64 algorithm. The hash output is the domain for the implant to communicate with.
At the time of writing this, the following domains were registered:
2025, April-July → 5d14vnfb[.]space
2025, August-November → r7mvjl67[.]space
2025, December → zgj1tam9[.]space
2026, January-March → jeaw520i[.]space
2026, April–July → qdmagva5[.]space
An example of a request to the C2 server is provided below:
As can be seen, the request contains an encrypted body consisting of data encrypted via AES-CBC with the key 0123456789abcdef0123456789abcdef and the initialization vector 000102030405060708090a0b0c0d0e0f. The data contains a list of installed programs on the system, along with processor information and the serial number of the C: drive.
This information is likely used by the backend to check for virtual or debugging environments.
The first 16 bytes of the server response body represent the initialization vector for the AES-CBC algorithm with the key 0123456789abcdef0123456789abcdef, while the remaining bytes are the data encrypted with this algorithm. The decrypted data contains a malicious payload, as well as its RSA-SHA256 signature (sign):
The authenticity of the message is verified via the sign signature using the server’s public key, which is embedded in the executable.
Inside the malicious payload is a 4-byte code that determines the subsequent behavior of the program, along with additional data whose meaning depends on the code.
The table below lists the four remote control commands for the RAT agent module.
Code
Purpose
1
Execution of an arbitrary command
2
Reflexive execution of the provided PE file within the explorer.exe process
3
Execution of the provided shellcode
4
Exit
The miners
Depending on whether a discrete GPU is present in the system, either the CPU miner alone or a combination of the CPU and GPU miners is launched. The CPU miner is based on XMRig, while the GPU miner supports multiple algorithms.
Upon initial execution, both miners attempt to retrieve their startup configuration from a remote server. The potential addresses are listed below:
“{domain}.strangled.net”
“{domain}.ignorelist.com”
“{domain}.ftp.sh”
“{domain}.zanity.net”
As with the RAT agent component, the server address is generated from the current date — in this case, the server address changes every week. This results in quite a large number of domains for the 2020–2030 period; however, all of them point to the same IP address: 107[.]172[.]212[.]235. The first available domain out of the four potential domains listed above will be used.
The algorithm for retrieving the configuration from the server is completely identical to that used by the RAT agent, with the sole exception that th1s1sth3key0f4n1ntere5t1ngw0rld is used as the AES-CBC key in this scenario, and the configuration resides within the payload. The retrieved configuration is encrypted via AES-CBC using the key UXUUXUUXUUCommandULineUUXUUXUUXU and the initialization vector UUCommandULineUU. The encrypted data is then converted into a base64 string, which is passed as a command-line parameter to launch the miner inside the explorer.exe process through process hollowing.
Conclusion
Our investigation focused on an ongoing campaign distributing miners via popular illegal content sites. The threat actors leverage a variety of sites, ranging from online libraries to movie and TV show streaming platforms. There is no telling what channels they will use to distribute the malicious archive in the future. However, the current case shows that users visiting pirated websites continue to take a serious risk.
Our products detect this malware with the following Generic verdicts:
In late April 2026, a client reached out to us for incident response support after discovering a miner running on users’ computers. We later discovered that the malware was being distributed via illegal movie and TV show streaming sites. The infection chain leveraged a fake update for a video player plugin. When the user attempted to watch a video, the player displayed a message saying the plugin version was outdated and asking to install an update to continue.
Clicking the link downloaded a ZIP archive with the following contents:
The archive contained a legitimate executable, HLS Installer.874.exe, alongside a malicious DLL. Launching the EXE triggered a DLL side-loading mechanism, injecting the malicious module into a legitimate program process and executing code within its context. The library contained the logic for deploying the miner and establishing persistence on the device.
At the time of the investigation, the infection risk was associated with two pirated video sites in the .ru and .top TLDs.
Link to previous campaigns
The current incident does not appear to be an isolated case. After analyzing the infection vector and the logic of the DLL, we concluded that this activity is a continuation of a campaign involving pirated digital libraries, which was previously described by another cybersecurity company.
The delivery mechanism for the malicious archive has remained virtually unchanged. Previously, the archive was downloaded in parts from the domain file[.]ipfs[.]us[.]69[.]mu, but this domain was unavailable at the time of our investigation. Instead, the threat actor employed a new website, urush1bar4[.]online.
The structure of the archive has also been preserved: inside is a legitimate executable and a large malicious DLL (see the screenshot below).
In the course of our research, we also discovered a blog post by NTT Security describing a similar delivery method for a malicious archive. In that instance, the threat actors displayed a fake browser crash page (shown below) while simultaneously downloading an archive to the device with a name starting with chromium-patch-nightly.
This scenario resembles the current scheme involving the fake video player plugin update. Given the previously described activity, it’s safe to assume that this campaign has been active since at least 2022. Throughout this entire period, the threat actor has been updating both the downloadable malware and individual parts of the infection mechanism.
Potential distribution scale
As in previous episodes of the campaign, infections occur via highly popular websites. As of late April 2026, sites linked to the campaign typically displayed extremely high monthly traffic. For instance, the audience for the smallest of the free digital libraries stood at 11,000 users, while the largest reached 4.7 million. For pirated movie and TV show streaming sites, this figure ranged from 2.1 million to 27.4 million. In April, the total number of visits to websites where the malware described in this study was detected reached 40 million.
The popularity of these sites increases the potential scale of the miner’s distribution. Furthermore, the campaign is not limited to a single type of platform: the malicious archive is being distributed through both online digital libraries and movie and TV show streaming sites. This broadens the potential range of victims and makes it more difficult to attribute the threat to a single infection vector.
The downloadable archive
The current version of the downloadable malware is a ZIP archive containing a legitimate EXE file and a malicious DLL. When the executable runs, the library side-loads into its process, triggering the malicious logic.
The technical analysis that follows covers the current version of this malware. This version was first observed in April 2025 and has been distributed unmodified for over a year.
DLL analysis
Most of the data inside the DLL carries no meaningful weight and was randomly generated just to inflate the file size and impede analysis.
Amidst the large volume of junk code inside the DLL, there is a single function that triggers a stack overflow during execution:
Based on the code, the size of the stackBuf buffer on the stack is only 64 bytes, and the SmashStack function overwrites this buffer without validating the length of the input data.
This overflow constructs a ROP chain that decrypts the next stage. After decryption, it transfers execution to code located within the modified DOS header of the PE file:
The header was intentionally modified to make it into valid shellcode:
pop r10
push r10
call $+5
pop rcx
sub rcx, 9
mov rax, rcx
add rax, 5C1000h
call rax
retn
This shellcode passes control to a function located at offset 0x5C1000 from the base of the PE file. This function then reflectively loads the same PE file into memory.
Going forward, we will refer to this decrypted PE file as the main module.
Main module
The module’s behavior across its different operational stages is detailed below:
Upon an initial run, the main module checks whether it has permission to proceed with execution. To do this, it collects the following data from the victim’s device:
Processor information
The serial number of the C:/ drive
Whether the process was launched with elevated privileges
The process start time in Unix timestamp format
The information is transmitted as a single large DNS query using the DNS tunneling technique. An example of the DNS query is shown below:
The attackers disguise the DNS query as legitimate traffic through low-level packet crafting and by using a domain name ending in microsoft.com. However, the IP address to which the query is actually sent has no relation to Microsoft.
DNS query crafting code
The execution of the main module proceeds only if the following byte sequence is detected in the response: 01 02 03 04. Following a successful check, the main module launches, and the subsequent logic is adjusted depending on whether the process has elevated privileges on the compromised host.
Let’s look at both scenarios:
1. The process is launched with elevated privileges.
In this case, preparatory steps precede the miner launch:
The malware adds Windows Defender exclusions for EXE and DLL files, as well as for the %USERPROFILE%, %PROGRAMDATA%, and %WINDIR% folders.
It kills Microsoft’s Malicious Software Removal Tool (MSRT) by calling ZwSetInformationFile with the FileDispositionInformation type, which causes the mrt.exe file to be deleted upon closing. To prevent MSRT from being automatically installed during the next update, the DontOfferThroughWUAU parameter is created with a value of 1 under the HKLM\Software\Policies\Microsoft\MRT registry key.
Automatic hibernation and sleep mode are disabled for when the device is running on both AC power and battery.
This is done to maximize the miner’s potential runtime on the device.
Next, to achieve persistence, a copy is created in the C:\ProgramData\Google\Chrome directory, after which the GoogleUpdateTaskMachineQC service is registered and configured to launch automatically at system startup.
Finally, four reflexive loads are executed: the components are injected directly into the memory of the target processes without writing to disk, having bypassed standard Windows loading mechanisms. Each implant is injected into its own host process:
RAT agent → into conhost.exe
Watchdog → into explorer.exe
CPU miner → into explorer.exe
GPU miner → into explorer.exe, but only if a discrete GPU is present in the system. This is verified by enumerating all display adapters in the system.
2. The process is launched with standard privileges.
In this scenario, the miner begins repeatedly triggering User Account Control (UAC) prompts until it is successfully executed with elevated privileges. The workflow is as follows:
Upon initial execution, a copy is made to the %USERPROFILE%\AppData\Roaming\Sandboxie directory and relaunched from there. Simultaneously, an attempt is made to launch it with elevated privileges via UAC.
If execution occurs from the Sandboxie folder:
Persistence is configured for the miner copy in this folder by adding an entry to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
Every three minutes, an attempt is made to launch with elevated privileges via UAC until the GoogleUpdateTaskMachineQC service is successfully installed.
A successful installation requires all of the following conditions to be met:
The GoogleUpdateTaskMachineQC service exists in the system.
The Start value for this service is set to 2 (Automatic).
The ImagePath value points to a file in the C:\ProgramData\Google\Chrome folder.
This file exists on disk.
Watchdog
The purpose of this component is to ensure the uninterrupted operation of the miner. At the very beginning of its execution, it copies all files from the C:\ProgramData\Google\Chrome folder and encrypts the contents of each file using a cyclic XOR algorithm with the key AFeIboiOmImJS2ypJU0pTpAO61SELkUc. After that, the encrypted contents are written into the process memory, and the following structure is created in memory for each file:
class FileContainer{
wchar_t* fullPath; // full path to file
size_t* ptrSize; // pointer to file size
uint8_t* xorEncryptedFile; //pointer to buffer containing encrypted file contents
};
As soon as the contents of all files are saved in memory, Watchdog enters an infinite loop, where every five seconds, it checks the integrity of the installed GoogleUpdateTaskMachineQC service, just as the main module does. If the service is found to be incorrectly installed, the miner overwrites its files in the C:\ProgramData\Google\Chrome path with the contents acquired at startup.
To successfully remediate the miner, this module, which runs inside the explorer.exe process, must be terminated first.
RAT agent
This module provides remote control capabilities via four commands, which are described at the end of this section. The command-and-control addresses used to receive these commands follow this format:
http://{domain}.space/index.php?authorization=1
http://{domain}.site/index.php? backup version
The {domain} is calculated based on the current date. The process starts with the current year, then adds the zone identifier for the current month. All 12 months are divided into four zones. Finally, the word microsoft is appended to the resulting string. This final string is used as the input for subsequent double hashing using the MurmurHash64 algorithm. The hash output is the domain for the implant to communicate with.
At the time of writing this, the following domains were registered:
2025, April-July → 5d14vnfb[.]space
2025, August-November → r7mvjl67[.]space
2025, December → zgj1tam9[.]space
2026, January-March → jeaw520i[.]space
2026, April–July → qdmagva5[.]space
An example of a request to the C2 server is provided below:
As can be seen, the request contains an encrypted body consisting of data encrypted via AES-CBC with the key 0123456789abcdef0123456789abcdef and the initialization vector 000102030405060708090a0b0c0d0e0f. The data contains a list of installed programs on the system, along with processor information and the serial number of the C: drive.
This information is likely used by the backend to check for virtual or debugging environments.
The first 16 bytes of the server response body represent the initialization vector for the AES-CBC algorithm with the key 0123456789abcdef0123456789abcdef, while the remaining bytes are the data encrypted with this algorithm. The decrypted data contains a malicious payload, as well as its RSA-SHA256 signature (sign):
The authenticity of the message is verified via the sign signature using the server’s public key, which is embedded in the executable.
Inside the malicious payload is a 4-byte code that determines the subsequent behavior of the program, along with additional data whose meaning depends on the code.
The table below lists the four remote control commands for the RAT agent module.
Code
Purpose
1
Execution of an arbitrary command
2
Reflexive execution of the provided PE file within the explorer.exe process
3
Execution of the provided shellcode
4
Exit
The miners
Depending on whether a discrete GPU is present in the system, either the CPU miner alone or a combination of the CPU and GPU miners is launched. The CPU miner is based on XMRig, while the GPU miner supports multiple algorithms.
Upon initial execution, both miners attempt to retrieve their startup configuration from a remote server. The potential addresses are listed below:
“{domain}.strangled.net”
“{domain}.ignorelist.com”
“{domain}.ftp.sh”
“{domain}.zanity.net”
As with the RAT agent component, the server address is generated from the current date — in this case, the server address changes every week. This results in quite a large number of domains for the 2020–2030 period; however, all of them point to the same IP address: 107[.]172[.]212[.]235. The first available domain out of the four potential domains listed above will be used.
The algorithm for retrieving the configuration from the server is completely identical to that used by the RAT agent, with the sole exception that th1s1sth3key0f4n1ntere5t1ngw0rld is used as the AES-CBC key in this scenario, and the configuration resides within the payload. The retrieved configuration is encrypted via AES-CBC using the key UXUUXUUXUUCommandULineUUXUUXUUXU and the initialization vector UUCommandULineUU. The encrypted data is then converted into a base64 string, which is passed as a command-line parameter to launch the miner inside the explorer.exe process through process hollowing.
Conclusion
Our investigation focused on an ongoing campaign distributing miners via popular illegal content sites. The threat actors leverage a variety of sites, ranging from online libraries to movie and TV show streaming platforms. There is no telling what channels they will use to distribute the malicious archive in the future. However, the current case shows that users visiting pirated websites continue to take a serious risk.
Our products detect this malware with the following Generic verdicts:
Phishing campaigns have become significantly more sophisticated and convincing in recent years. Sender addresses are now nearly identical to the real deal, emails are flawlessly written, and users are called by their names. But what do you do when a suspicious email comes from a clearly legitimate email address?
Lately, phishers have been exploiting the Google AppSheet platform to set up email blasts that originate from an official Google-linked address. Following a successful attack, they walk away with their victims’ accounts and sensitive data.
In this post, we break down how this new data theft scheme works, and how to protect yourself from these sneaky phishing attacks.
Google is offering you a job. Or Coca-Cola. Or maybe Volvo. Or are they?
AppSheet is a Google service for building apps without any coding skills. It’s frequently used by small businesses to automate routine workflows. Unfortunately, it’s precisely this simplicity that makes AppSheet so attractive to cybercriminals. All it takes to pull off a phishing scam these days are a few dollars and an app quickly thrown together using pre-made commands and blocks.
The playbook for AppSheet phishing attacks is pretty run-of-the-mill. The victim receives an email on behalf of a major company — and these messages often begin by addressing the recipient by name. It appears the attackers are parsing leaked data to match names with specific email addresses.
Next, the attackers play on the recipient’s emotions — employing either stick or carrot. They might panic the victim with urgent warnings that demand immediate action — think “Your account will be disabled soon” or “Suspicious activity detected”. Alternatively, they lure them in with irresistible bait, like the promise of a verified badge or an interview invitation from a tech giant. These fake HR emails are engineered to give victims an immediate rush. They make it look like the recipient’s application was already fast-tracked and highly rated, teasing a job offer that could drop as early as tomorrow.
For most people, these messages don’t raise a single red flag. The email bypasses the spam folder completely, and the From field displays the exact name of the company they expect to see. Unfortunately, none of it means the email is authentic: attackers can put whatever they want in the display name. And let’s be honest: very few people actually stop to scrutinize the sender’s email address.
In AppSheet-based phishing campaigns, the sender is always the same: noreply{@}appsheet.com. But here’s the real kicker: that address is 100% legitimate. Because it’s tied directly to Google’s own infrastructure, there’s a good chance that standard anti-spam filters greenlight these emails without blinking.
Naturally, to secure that coveted interview or fix their account, the victim clicks the link — and then voluntarily hands over their entire digital identity on a copycat website: full name, address, phone number, etc. From there, the attackers can sell the harvested data on the dark web, or weaponize it for secondary, targeted attacks. To top it all off, the victim is redirected to a phishing login page, which allows the attackers to steal their accounts.
Here’s a step-by-step breakdown of how a victim goes from receiving a fake Google Careers portal email to having their account completely compromised:
Greetings, Candidate! Why don't you click the link to our fake Google site to schedule an interview?
The link in the email leads to a spoofed site with a design indistinguishable from the original. The user is prompted to fill out a form: provide their full name, work email, phone number, and preferred date for interview…
…Once the victim completes the form, they see a prompt asking them to log in with their Google credentials. All of this data goes straight to the attackers.
Similar phishing campaigns are launched on behalf of other major tech brands — and the users who hand over their Apple account data risk losing not just their account but also control of all their Apple devices. The attackers might pressure the victim into signing out of their personal Apple ID, and in to a “corporate account” for verification — which is in reality an Apple account they own. The moment the victim does so, the criminals take complete remote control of the used device, often using Lost Mode to lock the victim out and hold their phone to ransom.
To make matters worse, attackers don’t always drop a malicious link in the initial email. Instead, they play the long game — hooking the target into a conversation by asking them to reply and confirm their interest. This pretexting creates an illusion of chatting with a real recruiter. And this playbook isn’t reserved exclusively for Silicon Valley, either. Attackers frequently impersonate globally recognized household names, like Volvo or Coca-Cola. Of course, it’s highly unlikely that attackers want someone’s Coca-Cola account — if the user even has one to begin with. Most likely, the goal is to steal sensitive data or convince the user to log in to a phishing form using their Google/Apple/Facebook, etc. credentials.
An "HR team member" from Coca-Cola reaches out to praise the victim, laying it on thick about their expertise and achievements, analytical thinking, and creativity… The attackers intentionally keep the endgame under wraps — whether that means routing the victim to a phishing site, orchestrating a full account takeover, or pulling off a straight-up financial scam
A similar email pretending to be from the Volvo talent acquisition team
Do you want to become Meta-verified?
Of course, “dream jobs” aren’t the only bait used. We’ve seen campaigns where “Facebook Support” reaches out to tell a user they’ve been deemed eligible for the prestigious Meta Verified badge — a blue checkmark normally reserved for top-tier celebrities and global brands. To secure the coveted blue checkmark, the victim is directed to a phishing page where they’re asked to complete an identity form — before handing over the ultimate prize: their Facebook username and password. And it’s all in the name of security, naturally!
These spoofed sites are created in a wide variety of languages, and tailored to users in different countries. Below is the Dutch version.
To get the blue checkmark, the user is required to provide "additional information". Miss the deadline by just a few days and the offer expires
After the victim fills out the standard fields — name, phone number, personal and work emails, and birthdate — a prompt appears asking for their Facebook password
In other campaigns, attackers abuse Google’s AppSheet to weaponize sheer panic, trying to unsettle the user with claims that they’ve violated Meta’s intellectual property policy — and threatening to permanently close their Facebook account. To appeal, the victim must click a link to… a phishing site, provide their personal information, and, of course, enter their Facebook username and password.
For the sake of plausibility, the user is not only asked to fill out fields with personal information, but also to describe in detail why the decision to close the account was a mistake
Finally, the user is prompted to confirm their appeal request by signing in to “Facebook”. In reality, the victim is simply handing their credentials over to the attackers
How to spot phishing and protect your accounts
Sadly, phishing attacks are becoming increasingly sophisticated, with attackers routinely hijacking the reputation of legitimate services and domains. Here’s how to keep from falling into their traps, and safeguard your data:
Remember: not all phishing emails end up in the spam folder. Standard spam filters in email clients often fail to detect advanced attacks — and the AppSheet case is a prime example. To avoid accidentally taking the bait, use Kaspersky Premium on all your devices. It intercepts phishing emails and instantly blocks links to spoof websites — even if the attacker is hiding behind a completely legitimate domain. Additionally, the Android version can detect malicious and phishing links in messages from any app.
Check the email for odd typos. To keep their messages from setting off alarms, attackers frequently resort to sneakily inserting extra spaces or swapping out characters. Take this example from one of the emails we found: Fac eb o ok S u ppo r t instead of Facebook Support.
Before taking any action on a website, carefully check its domain name against the official address. Bad actors frequently create addresses that only appear to be the real thing until you look close enough. Install Kaspersky Premium to always be sure you don’t land on a spoofed site.
Look at the sender’s address first, not just the display name. If an email claims to be from Google Careers, Apple HR, or Facebook Support, but the sender address points to AppSheet or another unrelated service, don’t even bother reading this message. That domain mismatch is a dead giveaway that you’re looking at a trap. Cross-reference email addresses with the ones listed on the companies’ official websites.
Check for email signatures. For instance, all emails sent via AppSheet include a disclosure note at the very bottom. You are much more likely to receive a legitimate AppSheet notification from a small company or business, but definitely not from a tech giant. Major corporations typically use their own domains for their emails.
Usea password manager. Even if you land on a spoofed site and try to enter your password, a reliable password manager will notify you about the domain mismatch and refuse to autofill your username and password.
Don’t forget about two-factor authentication. If it’s enabled, just having your username and password won’t help the attackers access your account — they’ll also need a one-time code. However, they might still try to trick you into giving that up too, so be doubly careful whenever you enter two-factor authentication codes anywhere.
Use passkeys instead of passwords whenever possible. This technology provides excellent protection against phishing: even if you visit a malicious site and try to sign in, the passkey won’t work on the spoofed domain. You can store and sync passkeys across different devices in Kaspersky Password Manager. Read our post on the subject to learn more about how passkeys work.
Phishing attacks are growing increasingly sophisticated. Here’s what else you should know about phishing:
In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.
The group is back to sending out archives containing malicious shortcuts that launch PowerShell scripts. This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. We have observed the use of third-party public utilities (Tor/SSH/RevSocks) to gain a foothold in infected systems and create additional backup control channels.
Technical details
Initial infection
As for the primary compromise, Cloud Atlas remains consistent in using phishing. In the observed campaigns, the attackers emailed a ZIP archive containing an LNK file as an attachment.
Malware execution flow
Attackers use LNK shortcuts to covertly execute PowerShell scripts hosted on external resources. The command line of the shortcut:
Example of the PowerShell script downloaded and executed by the shortcut:
Example of the PowerShell script downloaded by the shortcut
Actions performed by the downloaded PowerShell:
Step
Action
Description
1
Drops “$temp\fixed.ps1”
Pre-staging: places the main payload locally in advance to ensure an execution capability independent of subsequent network connectivity or C2 availability.
2
Creates “Run” registry key “YandexBrowser_setup” for “$temp\fixed.ps1” startup
Early persistence: guarantees execution upon the next logon or reboot. If the script is interrupted during later stages, the payload will still activate automatically.
3
Downloads and drops “$temp\rar.zip”
Extracts “*.pdf” from the downloaded “$temp\rar.zip”
Payload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase.
4
Extracts “*.pdf” from the downloaded “$temp\rar.zip”
Decoy preparation: unpacks the legitimate-looking document so it can be executed silently without requiring user interaction.
6
Opens extracted decoy document “*.pdf” with user’s default software
User distraction: opens a convincing document to maintain user engagement and creates a legitimate workflow appearance to buy additional 30–120 seconds for background operations.
6
Executes “taskkill.exe /F /Im winrar.exe”
Process concealment: terminates the archive extractor to prevent the user from seeing the archive contents or noticing unexpected file extraction activity.
7
Searches and deletes “rar.zip”, “*.pdf.zip” and “*.pdf.lnk”
Anti-forensic cleanup: removes the initial infection artifacts before activating the main payload, reducing the number of disk traces available for incident response or EDR correlation.
8
Executes “$temp\fixed.ps1”
Controlled execution: launches the main payload only after persistence is secured, the user is distracted, and access traces are cleaned up.
Fixed.ps1 (loader)
The primary purpose of the Fixed.ps1 script is to deliver and install subsequent malware onto the compromised system, specifically VBCloud and PowerShower. Fixed.ps1 establishes persistence (by adding itself to registry Run keys), creates a decoy for the user (by opening a PDF document), and executes the next stages of the attack.
Fixed.ps1::Payload (VBCloud dropper)
Example of the fixed.ps1::Payload (VBCloud dropper)
This module functions as a dropper for the VBCloud backdoor. It drops two files onto the infected machine:
video.vbs: the loader of the backdoor,VBCloud::Launcher. This is a VBScript that decrypts the contents of video.mds (typically using RC4 with a hardcoded key) and executes it in memory.
video.mds: the encrypted body of the backdoor, VBCloud::Backdoor. This is the main module that connects to a C2 server to receive additional scripts or execute built-in commands. This backdoor is designed to function as a stealer, specifically targeting files with extensions of interest (such as DOC, PDF, XLS) and exfiltrating them.
Fixed.ps1::Payload (PowerShower)
This module installs a second backdoor called PowerShower on the system. We don’t have the specific script that performs this installation, but we assume it’s performed by a script similar to fixed.ps1::Payload (VBCloud dropper).
Unlike VBCloud, which focuses on file theft, PowerShower is primarily used for network reconnaissance and lateral movement within the victim’s infrastructure. PowerShower can perform the following tasks:
Collect information about running processes, administrator groups, and domain controllers.
Download and execute PowerShell scripts from the C2 server.
Conduct “Kerberoasting” attacks (stealing password hashes of Active Directory accounts).
PowerShower is dropped onto the system via the path ‘C:\Users\[username]\Pictures\googleearth.ps1’.
Contents of the googleearth.ps1(PowerShower)
PowerShower::Payload (credential grabber)
PowerShower downloads an additional script for stealing credentials. It performs the following actions:
Creates a Volume Shadow Copy of the C:\ drive.
Copies the SAM (stores local user password hashes) and SECURITY system files from this shadow copy to C:\Users\Public\Documents\, disguising them as PDF files.
The script is launched in several stages. To execute with high privileges, the script uses a UAC bypass technique via fodhelper.exe (a built-in Windows utility). This allows PowerShell to run as an administrator without directly prompting the user, which could otherwise raise suspicion.
The full launch chain looks like this:
The full Base64-decoded script is given below.
Multi-user RDP by patching termsrv.dll
Moving laterally across the victim’s network, the attackers executed a suspicious PowerShell script named rdp_new.ps1 (MD5 1A11B26DD0261EF27A112CE8B361C247):
The script is designed to allow multiple RDP sessions in Windows 10 by patching the termsrv.dll file. Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules.
By default, Windows limits the number of simultaneous RDP sessions. Removing this restriction allows attackers to operate on the machine in the background without disconnecting the legitimate user, thereby reducing the likelihood of detection.
At first, the script enables RDP on the firewall and downgrades the RDP security settings:
Before modifying termsrv.dll, the script takes ownership and assigns itself full permissions. Then the script finds the sequence of bytes 39 81 3C 06 00 00 ?? ?? ?? ?? ?? ?? and replaces it with B8 00 01 00 00 89 81 38 06 00 00 90. After these manipulations, the script restarts the RDP service.
Example of script
The patched version allows multiple concurrent logins so attackers can stay connected without disrupting the legitimate user, thereby reducing suspicion.
Reverse SSH tunneling
As mentioned above, during this wave of attacks, the adversaries widely deployed reverse SSH tunnels to many hosts of interest. The compromised machine initiates an SSH connection to an attacker-controlled server, which allows attackers to bypass standard firewall rules via establishing outbound connections.
That way, even if the primary backdoor is discovered, the attackers can maintain control through the SSH tunnel.
To install a reverse SSH tunnel on a victim’s host, the attackers run VBS scripts via PAExec or PsExec.
We’ve seen three types of scripts:
Gen.vbs (WriteToSchedulerGenerateKey.vbs) generates key for SSH tunnel.
Kill.vbs (WriteToSchedulerKillSSH.vbs) stops reverse SSH tunnel via taskkill.exe.
To achieve persistence, the attackers added a new scheduled task in Windows:
In some cases, before establishing a reverse SSH tunnel, attackers set new access permissions to the folder containing the private key to prevent the legitimate user or system administrators from easily accessing or modifying it:
Patched OpenSSH
Some OpenSSH binaries used by the attackers had their imports modified. Instead of libcrypto.dll, the SSH executable imports syruntime.dll, which was placed in the same folder as the binary. This was likely done to evade detection and ensure stealth.
In addition, we found a portable version of OpenSSH, presumably compiled by the adversaries:
RevSocks
In addition to Reverse SSH tunnels, the attackers installed RevSocks using the same infrastructure. RevSocks is an alternative tool to SSH for establishing tunnels and proxy connections, written in Golang. This tool allows direct connection to workstations on the local network. It also allows attackers to gain access to other segments of the victim’s network by using the machine as a gateway. In some cases, C2 addresses were hardcoded into the binary; in other cases, the C2 was passed in command line arguments.
There were also reverse SOCKS samples with hardcoded C2 addresses:
Tor tunneling
To maintain control over the compromised host, the Tor network was used in some cases. A minimal set of a Tor executable and configuration files, necessary for launching HiddenService, was copied to the system directories of infected devices. The name of the Tor Browser executable file was modified. As a result, the infected machine was accessible via RDP from the Tor network when accessing the generated .onion domain.
Below is an example of a configuration file for routing connections from Tor to RDP ports on the local network, as well as example command lines for logging into Tor.
Example of TOR configuration file
PowerCloud
We analyzed a new Cloud Atlas tool, PowerCloud. It collects user data with administrator privileges and writes this information to Google Sheets in Base64 format.
The tool represents an obfuscated PowerShell script. In most cases, it is packaged into an executable file using the PS2EXE utility, but we have also encountered variants in the form of a separate PowerShell script.
To find administrators on the victim host, the tool executes the following command:
This information is appended with the computer name and current date, the data is encoded in base64, and then the collected data is added to an existing Google Sheet.
PowerCloud script
Browser checker
Additionally, the attackers used another PowerShell script (MD5 5329F7BFF9D0D5DB28821B86C26D628F), compiled into an executable file via PS2EXE, which checks whether browser processes (Chrome, Edge, Firefox, and other) are running. This helps detect when the user is working on the computer. This can be used to choose the optimal time for conducting attacks (for example, when the user is away but their browser is still open) or simply to gather information about the victim’s habits.
The information about running browsers is written to a log file on the local host.
Fragment of the deobfuscated script
Victims
According to our telemetry, in late 2025 and early 2026, the identified targets of the described malicious activities are located in Russia and Belarus. The targeted industries mostly include government agencies and diplomatic entities.
We attribute the activity described in this report to the Cloud Atlas APT group with a high degree of confidence. The group used techniques and tools described previously, such as the initial access vector, the Python script for information gathering, and the Tor application for forwarding ports to the Tor network. The victim profile and geography also matches the Cloud Atlas targets.
We couldn’t help but notice some parallels with recent Head Mare activity. The PhantomHeart backdoor (available in Russian only), attributed to Head Mare and used to create an SSH tunnel, was placed in directories actively used by Cloud Atlas:
C:\Windows\ime
C:\Windows\System32\ime
C:\Windows\pla
C:\Windows\inf
C:\Windows\migration
C:\Windows\System32\timecontrolsvc
C:\Windows\SKB
However, TTPs are still differentiated.
Conclusion
For more than ten years, the Cloud Atlas group has continued its activities and expanded its arsenal. Over the course of last year, many targeted campaigns in general were found to employ ReverseSocks, SSH and Tor, and the use of these utilities was no exception for Cloud Atlas. Creating such backup control channels using publicly available utilities significantly complicates the complete disruption of attackers’ actions on compromised systems. We will continue to closely monitor the group’s activity and describe their new tools and techniques.
In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified new tools used by this group, as well as indicators of compromise.
The group is back to sending out archives containing malicious shortcuts that launch PowerShell scripts. This technique is employed in addition to the previously described use of malicious documents, which exploit an old vulnerability in the Microsoft Office Equation Editor process (CVE-2018-0802) to download and execute malicious code. We have observed the use of third-party public utilities (Tor/SSH/RevSocks) to gain a foothold in infected systems and create additional backup control channels.
Technical details
Initial infection
As for the primary compromise, Cloud Atlas remains consistent in using phishing. In the observed campaigns, the attackers emailed a ZIP archive containing an LNK file as an attachment.
Malware execution flow
Attackers use LNK shortcuts to covertly execute PowerShell scripts hosted on external resources. The command line of the shortcut:
Example of the PowerShell script downloaded and executed by the shortcut:
Example of the PowerShell script downloaded by the shortcut
Actions performed by the downloaded PowerShell:
Step
Action
Description
1
Drops “$temp\fixed.ps1”
Pre-staging: places the main payload locally in advance to ensure an execution capability independent of subsequent network connectivity or C2 availability.
2
Creates “Run” registry key “YandexBrowser_setup” for “$temp\fixed.ps1” startup
Early persistence: guarantees execution upon the next logon or reboot. If the script is interrupted during later stages, the payload will still activate automatically.
3
Downloads and drops “$temp\rar.zip”
Extracts “*.pdf” from the downloaded “$temp\rar.zip”
Payload delivery: retrieves the decoy archive from the remote server to prepare user-facing content for the distraction phase.
4
Extracts “*.pdf” from the downloaded “$temp\rar.zip”
Decoy preparation: unpacks the legitimate-looking document so it can be executed silently without requiring user interaction.
6
Opens extracted decoy document “*.pdf” with user’s default software
User distraction: opens a convincing document to maintain user engagement and creates a legitimate workflow appearance to buy additional 30–120 seconds for background operations.
6
Executes “taskkill.exe /F /Im winrar.exe”
Process concealment: terminates the archive extractor to prevent the user from seeing the archive contents or noticing unexpected file extraction activity.
7
Searches and deletes “rar.zip”, “*.pdf.zip” and “*.pdf.lnk”
Anti-forensic cleanup: removes the initial infection artifacts before activating the main payload, reducing the number of disk traces available for incident response or EDR correlation.
8
Executes “$temp\fixed.ps1”
Controlled execution: launches the main payload only after persistence is secured, the user is distracted, and access traces are cleaned up.
Fixed.ps1 (loader)
The primary purpose of the Fixed.ps1 script is to deliver and install subsequent malware onto the compromised system, specifically VBCloud and PowerShower. Fixed.ps1 establishes persistence (by adding itself to registry Run keys), creates a decoy for the user (by opening a PDF document), and executes the next stages of the attack.
Fixed.ps1::Payload (VBCloud dropper)
Example of the fixed.ps1::Payload (VBCloud dropper)
This module functions as a dropper for the VBCloud backdoor. It drops two files onto the infected machine:
video.vbs: the loader of the backdoor,VBCloud::Launcher. This is a VBScript that decrypts the contents of video.mds (typically using RC4 with a hardcoded key) and executes it in memory.
video.mds: the encrypted body of the backdoor, VBCloud::Backdoor. This is the main module that connects to a C2 server to receive additional scripts or execute built-in commands. This backdoor is designed to function as a stealer, specifically targeting files with extensions of interest (such as DOC, PDF, XLS) and exfiltrating them.
Fixed.ps1::Payload (PowerShower)
This module installs a second backdoor called PowerShower on the system. We don’t have the specific script that performs this installation, but we assume it’s performed by a script similar to fixed.ps1::Payload (VBCloud dropper).
Unlike VBCloud, which focuses on file theft, PowerShower is primarily used for network reconnaissance and lateral movement within the victim’s infrastructure. PowerShower can perform the following tasks:
Collect information about running processes, administrator groups, and domain controllers.
Download and execute PowerShell scripts from the C2 server.
Conduct “Kerberoasting” attacks (stealing password hashes of Active Directory accounts).
PowerShower is dropped onto the system via the path ‘C:\Users\[username]\Pictures\googleearth.ps1’.
Contents of the googleearth.ps1(PowerShower)
PowerShower::Payload (credential grabber)
PowerShower downloads an additional script for stealing credentials. It performs the following actions:
Creates a Volume Shadow Copy of the C:\ drive.
Copies the SAM (stores local user password hashes) and SECURITY system files from this shadow copy to C:\Users\Public\Documents\, disguising them as PDF files.
The script is launched in several stages. To execute with high privileges, the script uses a UAC bypass technique via fodhelper.exe (a built-in Windows utility). This allows PowerShell to run as an administrator without directly prompting the user, which could otherwise raise suspicion.
The full launch chain looks like this:
The full Base64-decoded script is given below.
Multi-user RDP by patching termsrv.dll
Moving laterally across the victim’s network, the attackers executed a suspicious PowerShell script named rdp_new.ps1 (MD5 1A11B26DD0261EF27A112CE8B361C247):
The script is designed to allow multiple RDP sessions in Windows 10 by patching the termsrv.dll file. Termsrv.dll is the core Windows library that enforces Remote Desktop Services rules.
By default, Windows limits the number of simultaneous RDP sessions. Removing this restriction allows attackers to operate on the machine in the background without disconnecting the legitimate user, thereby reducing the likelihood of detection.
At first, the script enables RDP on the firewall and downgrades the RDP security settings:
Before modifying termsrv.dll, the script takes ownership and assigns itself full permissions. Then the script finds the sequence of bytes 39 81 3C 06 00 00 ?? ?? ?? ?? ?? ?? and replaces it with B8 00 01 00 00 89 81 38 06 00 00 90. After these manipulations, the script restarts the RDP service.
Example of script
The patched version allows multiple concurrent logins so attackers can stay connected without disrupting the legitimate user, thereby reducing suspicion.
Reverse SSH tunneling
As mentioned above, during this wave of attacks, the adversaries widely deployed reverse SSH tunnels to many hosts of interest. The compromised machine initiates an SSH connection to an attacker-controlled server, which allows attackers to bypass standard firewall rules via establishing outbound connections.
That way, even if the primary backdoor is discovered, the attackers can maintain control through the SSH tunnel.
To install a reverse SSH tunnel on a victim’s host, the attackers run VBS scripts via PAExec or PsExec.
We’ve seen three types of scripts:
Gen.vbs (WriteToSchedulerGenerateKey.vbs) generates key for SSH tunnel.
Kill.vbs (WriteToSchedulerKillSSH.vbs) stops reverse SSH tunnel via taskkill.exe.
To achieve persistence, the attackers added a new scheduled task in Windows:
In some cases, before establishing a reverse SSH tunnel, attackers set new access permissions to the folder containing the private key to prevent the legitimate user or system administrators from easily accessing or modifying it:
Patched OpenSSH
Some OpenSSH binaries used by the attackers had their imports modified. Instead of libcrypto.dll, the SSH executable imports syruntime.dll, which was placed in the same folder as the binary. This was likely done to evade detection and ensure stealth.
In addition, we found a portable version of OpenSSH, presumably compiled by the adversaries:
RevSocks
In addition to Reverse SSH tunnels, the attackers installed RevSocks using the same infrastructure. RevSocks is an alternative tool to SSH for establishing tunnels and proxy connections, written in Golang. This tool allows direct connection to workstations on the local network. It also allows attackers to gain access to other segments of the victim’s network by using the machine as a gateway. In some cases, C2 addresses were hardcoded into the binary; in other cases, the C2 was passed in command line arguments.
There were also reverse SOCKS samples with hardcoded C2 addresses:
Tor tunneling
To maintain control over the compromised host, the Tor network was used in some cases. A minimal set of a Tor executable and configuration files, necessary for launching HiddenService, was copied to the system directories of infected devices. The name of the Tor Browser executable file was modified. As a result, the infected machine was accessible via RDP from the Tor network when accessing the generated .onion domain.
Below is an example of a configuration file for routing connections from Tor to RDP ports on the local network, as well as example command lines for logging into Tor.
Example of TOR configuration file
PowerCloud
We analyzed a new Cloud Atlas tool, PowerCloud. It collects user data with administrator privileges and writes this information to Google Sheets in Base64 format.
The tool represents an obfuscated PowerShell script. In most cases, it is packaged into an executable file using the PS2EXE utility, but we have also encountered variants in the form of a separate PowerShell script.
To find administrators on the victim host, the tool executes the following command:
This information is appended with the computer name and current date, the data is encoded in base64, and then the collected data is added to an existing Google Sheet.
PowerCloud script
Browser checker
Additionally, the attackers used another PowerShell script (MD5 5329F7BFF9D0D5DB28821B86C26D628F), compiled into an executable file via PS2EXE, which checks whether browser processes (Chrome, Edge, Firefox, and other) are running. This helps detect when the user is working on the computer. This can be used to choose the optimal time for conducting attacks (for example, when the user is away but their browser is still open) or simply to gather information about the victim’s habits.
The information about running browsers is written to a log file on the local host.
Fragment of the deobfuscated script
Victims
According to our telemetry, in late 2025 and early 2026, the identified targets of the described malicious activities are located in Russia and Belarus. The targeted industries mostly include government agencies and diplomatic entities.
We attribute the activity described in this report to the Cloud Atlas APT group with a high degree of confidence. The group used techniques and tools described previously, such as the initial access vector, the Python script for information gathering, and the Tor application for forwarding ports to the Tor network. The victim profile and geography also matches the Cloud Atlas targets.
We couldn’t help but notice some parallels with recent Head Mare activity. The PhantomHeart backdoor (available in Russian only), attributed to Head Mare and used to create an SSH tunnel, was placed in directories actively used by Cloud Atlas:
C:\Windows\ime
C:\Windows\System32\ime
C:\Windows\pla
C:\Windows\inf
C:\Windows\migration
C:\Windows\System32\timecontrolsvc
C:\Windows\SKB
However, TTPs are still differentiated.
Conclusion
For more than ten years, the Cloud Atlas group has continued its activities and expanded its arsenal. Over the course of last year, many targeted campaigns in general were found to employ ReverseSocks, SSH and Tor, and the use of these utilities was no exception for Cloud Atlas. Creating such backup control channels using publicly available utilities significantly complicates the complete disruption of attackers’ actions on compromised systems. We will continue to closely monitor the group’s activity and describe their new tools and techniques.