The subdomain forms.google.ss-o[.]com is a clear attempt to impersonate the legitimate forms.google.com. The “ss-o” is likely introduced to look like “single sign-on,” an authentication method that allows users to securely log in to multiple, independent applications or websites using one single set of credentials (username and password).
Unfortunately, when we tried to visit the URLs we were redirected to the local Google search website. This is a common phisher’s tactic to prevent victims from sharing their personalized links with researchers or online analysis.
After some digging, we found a file called generation_form.php on the same domain, which we believe the phishing crew used to create these links. The landing page for the campaign was: https://forms.google.ss-o[.]com/generation_form.php?form=opportunitysec
The generation_form.php script does what the name implies: It creates a personalized URL for the person clicking that link.
With that knowledge in hand, we could check what the phish was all about. Our personalized link brought us to this website:
Fake Google Forms site
The greyed out “form” behind the prompt promises:
We’re Hiring! Customer Support Executive (International Process)
Are you looking to kick-start or advance your career…
The fields in the form: Full Name, Email address, and an essay field “Please describe in detail why we should choose you”
Buttons: “Submit” and “Clear form.”
The whole web page emulates Google Forms, including logo images, color schemes, a notice about not “submitting passwords,” and legal links. At the bottom, it even includes the typical Google Forms disclaimer (“This content is neither created nor endorsed by Google.”) for authenticity.
Clicking the “Sign in” button took us to https://id-v4[.]com/generation.php, which has now been taken down. The domain id-v4.com has been used in several phishing campaigns for almost a year. In this case, it asked for Google account credentials.
Given the “job opportunity” angle, we suspect links were distributed through targeted emails or LinkedIn messages.
How to stay safe
Lures that promise remote job opportunities are very common these days. Here are a few pointers to help keep you safe from targeted attacks like this:
Do not click on links in unsolicited job offers.
Use a password manager, which would not have filled in your Google username and password on a fake website.
Pro tip: Malwarebytes Scam Guard identified this attack as a scam just by looking at the URL.
IOCs
id-v4[.]com
forms.google.ss-o[.]com
Blocked by Malwarebytes
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
The subdomain forms.google.ss-o[.]com is a clear attempt to impersonate the legitimate forms.google.com. The “ss-o” is likely introduced to look like “single sign-on,” an authentication method that allows users to securely log in to multiple, independent applications or websites using one single set of credentials (username and password).
Unfortunately, when we tried to visit the URLs we were redirected to the local Google search website. This is a common phisher’s tactic to prevent victims from sharing their personalized links with researchers or online analysis.
After some digging, we found a file called generation_form.php on the same domain, which we believe the phishing crew used to create these links. The landing page for the campaign was: https://forms.google.ss-o[.]com/generation_form.php?form=opportunitysec
The generation_form.php script does what the name implies: It creates a personalized URL for the person clicking that link.
With that knowledge in hand, we could check what the phish was all about. Our personalized link brought us to this website:
Fake Google Forms site
The greyed out “form” behind the prompt promises:
We’re Hiring! Customer Support Executive (International Process)
Are you looking to kick-start or advance your career…
The fields in the form: Full Name, Email address, and an essay field “Please describe in detail why we should choose you”
Buttons: “Submit” and “Clear form.”
The whole web page emulates Google Forms, including logo images, color schemes, a notice about not “submitting passwords,” and legal links. At the bottom, it even includes the typical Google Forms disclaimer (“This content is neither created nor endorsed by Google.”) for authenticity.
Clicking the “Sign in” button took us to https://id-v4[.]com/generation.php, which has now been taken down. The domain id-v4.com has been used in several phishing campaigns for almost a year. In this case, it asked for Google account credentials.
Given the “job opportunity” angle, we suspect links were distributed through targeted emails or LinkedIn messages.
How to stay safe
Lures that promise remote job opportunities are very common these days. Here are a few pointers to help keep you safe from targeted attacks like this:
Do not click on links in unsolicited job offers.
Use a password manager, which would not have filled in your Google username and password on a fake website.
Pro tip: Malwarebytes Scam Guard identified this attack as a scam just by looking at the URL.
IOCs
id-v4[.]com
forms.google.ss-o[.]com
Blocked by Malwarebytes
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
Scammers have found a new use for AI: creating custom chatbots posing as real AI assistants to pressure victims into buying worthless cryptocurrencies.
We recently came across a live “Google Coin” presale site featuring a chatbot that claimed to be Google’s Gemini AI assistant. The bot guided visitors through a polished sales pitch, answered their questions about investment, projecting returns, and ultimately ended with victims sending an irreversible crypto payment to the scammers.
Google does not have a cryptocurrency. But as “Google Coin” has appeared before in scams, anyone checking it out might think it’s real. And the chatbot was very convincing.
AI as the closer
The chatbot introduced itself as,
“Gemini — your AI assistant for the Google Coin platform.”
It used Gemini-style branding, including the sparkle icon and a green “Online” status indicator, creating the immediate impression that it was an official Google product.
When asked, “Will I get rich if I buy 100 coins?”, the bot responded with specific financial projections. A $395 investment at the current presale price would be worth $2,755 at listing, it claimed, representing “approximately 7x” growth. It cited a presale price of $3.95 per token, an expected listing price of $27.55, and invited further questions about “how to participate.”
This is the kind of personalized, responsive engagement that used to require a human scammer on the other end of a Telegram chat. Now the AI does it automatically.
A persona that never breaks
What stood out during our analysis was how tightly controlled the bot’s persona was. We found that it:
Claimed consistently to be “the official helper for the Google Coin platform”
Refused to provide any verifiable company details, such as a registered entity, regulator, license number, audit firm, or official email address
Dismissed concerns and redirected them to vague claims about “transparency” and “security”
Refused to acknowledge any scenario in which the project could be a scam
Redirected tougher questions to an unnamed “manager” (likely a human closer waiting in the wings)
When pressed, the bot doesn’t get confused or break character. It loops back to the same scripted claims: a “detailed 2026 roadmap,” “military-grade encryption,” “AI integration,” and a “growing community of investors.”
Whoever built this chatbot locked it into a sales script designed to build trust, overcome doubt, and move visitors toward one outcome: sending cryptocurrency.
Why AI chatbots change the scam model
Scammers have always relied on social engineering. Build trust. Create urgency. Overcome skepticism. Close the deal.
Traditionally, that required human operators, which limited how many victims could be engaged at once. AI chatbots remove that bottleneck entirely.
A single scam operation can now deploy a chatbot that:
Engages hundreds of visitors simultaneously, 24 hours a day
Delivers consistent, polished messaging that sounds authoritative
Impersonates a trusted brand’s AI assistant (in this case, Google’s Gemini)
Responds to individual questions with tailored financial projections
Escalates to human operators only when necessary
This matches a broader trend identified by researchers. According to Chainalysis, roughly 60% of all funds flowing into crypto scam wallets were tied to scammers using AI tools. AI-powered scam infrastructure is becoming the norm, not the exception. The chatbot is just one piece of a broader AI-assisted fraud toolkit—but it may be the most effective piece, because it creates the illusion of a real, interactive relationship between the victim and the “brand.”
The bait: a polished fake
The chatbot sits on top of a convincing scam operation. The Google Coin website mimics Google’s visual identity with a clean, professional design, complete with the “G” logo, navigation menus, and a presale dashboard. It claims to be in “Stage 5 of 5” with over 9.9 million tokens sold and a listing date of February 18—all manufactured urgency.
To borrow credibility, the site displays logos of major companies—OpenAI, Google, Binance, Squarespace, Coinbase, and SpaceX—under a “Trusted By Industry” banner. None of these companies have any connection to the project.
If a visitor clicks “Buy,” they’re taken to a wallet dashboard that looks like a legitimate crypto platform, showing balances for “Google” (on a fictional “Google-Chain”), Bitcoin, and Ethereum.
The purchase flow lets users buy any number of tokens they want and generates a corresponding Bitcoin payment request to a specific wallet address. The site also layers on a tiered bonus system that kicks in at 100 tokens and scales up to 100,000: buy more and the bonuses climb from 5% up to 30% at the top tier. It’s a classic upsell tactic designed to make you think it’s smarter to spend more.
Every payment is irreversible. There is no exchange listing, no token with real value, and no way to get your money back.
What to watch for
We’re entering an era where the first point of contact in a scam may not be a human at all. AI chatbots give scammers something they’ve never had before: a tireless, consistent, scalable front-end that can engage victims in what feels like a real conversation. When that chatbot is dressed up as a trusted brand’s official AI assistant, the effect is even more convincing.
According to the FTC’s Consumer Sentinel data, US consumers reported losing $5.7 billion to investment scams in 2024 (more than any other type of fraud, and up 24% on the previous year). Cryptocurrency remains the second-largest payment method scammers use to extract funds, because transactions are fast and irreversible. Now add AI that can pitch, persuade, and handle objections without a human operator—and you have a scalable fraud model.
AI chatbots on scam sites will become more common. Here’s how to spot them:
They impersonate known AI brands. A chatbot calling itself “Gemini,” “ChatGPT,” or “Copilot” on a third-party crypto site is almost certainly not what it claims to be. Anyone can name a chatbot anything.
They won’t answer due diligence questions. Ask what legal entity operates the platform, what financial regulator oversees it, or where the company is registered. Legitimate operations can answer those questions, scam bots try to avoid them (and if they do answer, verify it).
They project specific returns. No legitimate investment product promises a specific future price. A chatbot telling you that your $395 will become $2,755 is not giving you financial information—it’s running a script.
They create urgency. Pressure tactics like, “stage 5 ends soon,” “listing date approaching,” “limited presale” are designed to push you into making fast decisions.
How to protect yourself
Google does not have a cryptocurrency. It has not launched a presale. And its Gemini AI is not operating as a sales assistant on third-party crypto sites. If you encounter anything suggesting otherwise, close the tab.
Verify claim on the official website of the company being referenced.
Don’t rely on a chatbot’s branding. Anyone can name a bot anything.
Never send cryptocurrency based on projected returns.
Search the project name along with “scam” or “review” before sending any money.
Use web protection tools like Malwarebytes Browser Guard, which is free to use and blocks known and unknown scam sites.
If you’ve already sent funds, report it to your local law enforcement, the FTC at reportfraud.ftc.gov, and the FBI’s IC3 at ic3.gov.
IOCs
0xEc7a42609D5CC9aF7a3dBa66823C5f9E5764d6DA
98388xymWKS6EgYSC9baFuQkCpE8rYsnScV4L5Vu8jt
DHyDmJdr9hjDUH5kcNjeyfzonyeBt19g6G
TWqzJ9sF1w9aWwMevq4b15KkJgAFTfH5im
bc1qw0yfcp8pevzvwp2zrz4pu3vuygnwvl6mstlnh6
r9BHQMUdSgM8iFKXaGiZ3hhXz5SyLDxupY
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
Scammers have found a new use for AI: creating custom chatbots posing as real AI assistants to pressure victims into buying worthless cryptocurrencies.
We recently came across a live “Google Coin” presale site featuring a chatbot that claimed to be Google’s Gemini AI assistant. The bot guided visitors through a polished sales pitch, answered their questions about investment, projecting returns, and ultimately ended with victims sending an irreversible crypto payment to the scammers.
Google does not have a cryptocurrency. But as “Google Coin” has appeared before in scams, anyone checking it out might think it’s real. And the chatbot was very convincing.
AI as the closer
The chatbot introduced itself as,
“Gemini — your AI assistant for the Google Coin platform.”
It used Gemini-style branding, including the sparkle icon and a green “Online” status indicator, creating the immediate impression that it was an official Google product.
When asked, “Will I get rich if I buy 100 coins?”, the bot responded with specific financial projections. A $395 investment at the current presale price would be worth $2,755 at listing, it claimed, representing “approximately 7x” growth. It cited a presale price of $3.95 per token, an expected listing price of $27.55, and invited further questions about “how to participate.”
This is the kind of personalized, responsive engagement that used to require a human scammer on the other end of a Telegram chat. Now the AI does it automatically.
A persona that never breaks
What stood out during our analysis was how tightly controlled the bot’s persona was. We found that it:
Claimed consistently to be “the official helper for the Google Coin platform”
Refused to provide any verifiable company details, such as a registered entity, regulator, license number, audit firm, or official email address
Dismissed concerns and redirected them to vague claims about “transparency” and “security”
Refused to acknowledge any scenario in which the project could be a scam
Redirected tougher questions to an unnamed “manager” (likely a human closer waiting in the wings)
When pressed, the bot doesn’t get confused or break character. It loops back to the same scripted claims: a “detailed 2026 roadmap,” “military-grade encryption,” “AI integration,” and a “growing community of investors.”
Whoever built this chatbot locked it into a sales script designed to build trust, overcome doubt, and move visitors toward one outcome: sending cryptocurrency.
Why AI chatbots change the scam model
Scammers have always relied on social engineering. Build trust. Create urgency. Overcome skepticism. Close the deal.
Traditionally, that required human operators, which limited how many victims could be engaged at once. AI chatbots remove that bottleneck entirely.
A single scam operation can now deploy a chatbot that:
Engages hundreds of visitors simultaneously, 24 hours a day
Delivers consistent, polished messaging that sounds authoritative
Impersonates a trusted brand’s AI assistant (in this case, Google’s Gemini)
Responds to individual questions with tailored financial projections
Escalates to human operators only when necessary
This matches a broader trend identified by researchers. According to Chainalysis, roughly 60% of all funds flowing into crypto scam wallets were tied to scammers using AI tools. AI-powered scam infrastructure is becoming the norm, not the exception. The chatbot is just one piece of a broader AI-assisted fraud toolkit—but it may be the most effective piece, because it creates the illusion of a real, interactive relationship between the victim and the “brand.”
The bait: a polished fake
The chatbot sits on top of a convincing scam operation. The Google Coin website mimics Google’s visual identity with a clean, professional design, complete with the “G” logo, navigation menus, and a presale dashboard. It claims to be in “Stage 5 of 5” with over 9.9 million tokens sold and a listing date of February 18—all manufactured urgency.
To borrow credibility, the site displays logos of major companies—OpenAI, Google, Binance, Squarespace, Coinbase, and SpaceX—under a “Trusted By Industry” banner. None of these companies have any connection to the project.
If a visitor clicks “Buy,” they’re taken to a wallet dashboard that looks like a legitimate crypto platform, showing balances for “Google” (on a fictional “Google-Chain”), Bitcoin, and Ethereum.
The purchase flow lets users buy any number of tokens they want and generates a corresponding Bitcoin payment request to a specific wallet address. The site also layers on a tiered bonus system that kicks in at 100 tokens and scales up to 100,000: buy more and the bonuses climb from 5% up to 30% at the top tier. It’s a classic upsell tactic designed to make you think it’s smarter to spend more.
Every payment is irreversible. There is no exchange listing, no token with real value, and no way to get your money back.
What to watch for
We’re entering an era where the first point of contact in a scam may not be a human at all. AI chatbots give scammers something they’ve never had before: a tireless, consistent, scalable front-end that can engage victims in what feels like a real conversation. When that chatbot is dressed up as a trusted brand’s official AI assistant, the effect is even more convincing.
According to the FTC’s Consumer Sentinel data, US consumers reported losing $5.7 billion to investment scams in 2024 (more than any other type of fraud, and up 24% on the previous year). Cryptocurrency remains the second-largest payment method scammers use to extract funds, because transactions are fast and irreversible. Now add AI that can pitch, persuade, and handle objections without a human operator—and you have a scalable fraud model.
AI chatbots on scam sites will become more common. Here’s how to spot them:
They impersonate known AI brands. A chatbot calling itself “Gemini,” “ChatGPT,” or “Copilot” on a third-party crypto site is almost certainly not what it claims to be. Anyone can name a chatbot anything.
They won’t answer due diligence questions. Ask what legal entity operates the platform, what financial regulator oversees it, or where the company is registered. Legitimate operations can answer those questions, scam bots try to avoid them (and if they do answer, verify it).
They project specific returns. No legitimate investment product promises a specific future price. A chatbot telling you that your $395 will become $2,755 is not giving you financial information—it’s running a script.
They create urgency. Pressure tactics like, “stage 5 ends soon,” “listing date approaching,” “limited presale” are designed to push you into making fast decisions.
How to protect yourself
Google does not have a cryptocurrency. It has not launched a presale. And its Gemini AI is not operating as a sales assistant on third-party crypto sites. If you encounter anything suggesting otherwise, close the tab.
Verify claim on the official website of the company being referenced.
Don’t rely on a chatbot’s branding. Anyone can name a bot anything.
Never send cryptocurrency based on projected returns.
Search the project name along with “scam” or “review” before sending any money.
Use web protection tools like Malwarebytes Browser Guard, which is free to use and blocks known and unknown scam sites.
If you’ve already sent funds, report it to your local law enforcement, the FTC at reportfraud.ftc.gov, and the FBI’s IC3 at ic3.gov.
IOCs
0xEc7a42609D5CC9aF7a3dBa66823C5f9E5764d6DA
98388xymWKS6EgYSC9baFuQkCpE8rYsnScV4L5Vu8jt
DHyDmJdr9hjDUH5kcNjeyfzonyeBt19g6G
TWqzJ9sF1w9aWwMevq4b15KkJgAFTfH5im
bc1qw0yfcp8pevzvwp2zrz4pu3vuygnwvl6mstlnh6
r9BHQMUdSgM8iFKXaGiZ3hhXz5SyLDxupY
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
If you’ve seen the two stoat siblings serving as official mascots of the Milano Cortina 2026 Winter Olympics, you already know Tina and Milo are irresistible.
Designed by Italian schoolchildren and chosen from more than 1,600 entries in a public poll, the duo has already captured hearts worldwide. So much so that the official 27 cm Tina plush toy on the official Olympics web shop is listed at €40 and currently marked out of stock.
Tina and Milo are in huge demand, and scammers have noticed.
When supply runs out, scam sites rush in
In roughly the past week alone, we’ve identified nearly 20 lookalike domains designed to imitate the official Olympic merchandise store.
These aren’t crude copies thrown together overnight. The sites use the same polished storefront template, complete with promotional videos and background music designed to mirror the official shop.olympics.com experience.
Fake site offering Tina at a huge discountReal Olympic site showing Tina out of stock
The layout and product pages are the same—the only thing that changes is the domain name. At a quick glance, most people wouldn’t notice anything unusual.
Here’s a sample of the domains we’ve been tracking:
2026winterdeals[.]top olympics-save[.]top olympics2026[.]top postolympicsale[.]com sale-olympics[.]top shopolympics-eu[.]top winter0lympicsstore[.]top (note the zero replacing the letter “o”) winterolympics[.]top 2026olympics[.]shop olympics-2026[.]shop olympics-2026[.]top olympics-eu[.]top olympics-hot[.]shop olympics-hot[.]top olympics-sale[.]shop olympics-sale[.]top olympics-top[.]shop olympics2026[.]store olympics2026[.]top
Based on telemetry, additional registrations are actively emerging.
Reports show users checking these domains from multiple regions including Ireland, the Czech Republic, the United States, Italy, and China—suggesting this is a global campaign targeting fans worldwide.
Malwarebytes blocks these domains as scams.
Anatomy of a fake Olympic shop
The fake sites are practically identical. Each one loads the same storefront, with the same layout, product pages, and promotional banners.
That’s usually a sign the scammers are using a ready-made template and copying it across multiple domains. One obvious giveaway, however, is the pricing.
On the official store, the Tina plush costs €40 and is currently out of stock. On the fake sites, it suddenly reappears at a hugely discounted price—in one case €20, with banners shouting “UP & SAVE 80%.” When an item is sold out everywhere official and a random .top domain has it for half price, you’re looking at bait.
Delivering malware through fake order confirmations or “tracking” links
Taking your money and shipping nothing at all
The Olympics are a scammer’s playground
This isn’t the first time cybercriminals have piggybacked on Olympic fever. Fake ticket sites proliferated as far back as the Beijing 2008 Games. During Paris 2024, analysts observed significant spikes in Olympics-themed phishing and DDoS activity.
The formula is simple. Take a globally recognized brand, add urgency and emotional appeal (who doesn’t want an adorable stoat plush for their kid?), mix in limited availability, and serve it up on a convincing-looking website. With over 3 billion viewers expected for Milano Cortina, the pool of potential victims is enormous.
Scammers are getting smarter. AI-powered tools now let them generate convincing phishing pages in multiple languages at scale. The days of spotting a scam by its broken images and multiple typos are fading fast.
Protect yourself from Winter Olympics scams
As excitement builds ahead of the Winter Olympics in Milano Cortina, expect scammers to ramp up their efforts across fake shops, fraudulent ticket sites, bogus livestreams, and social media phishing campaigns.
Buy only from shop.olympics.com. Type the address directly into your browser and bookmark it. Don’t click links from ads or emails.
Don’t trust extreme discounts. If it’s sold out officially but “50–80% off” elsewhere, it’s likely a scam.
Check the domain closely. Watch for odd extensions like .top or .shop, extra hyphens, or letter swaps like “winter0lympicsstore.”
Never enter payment details on unfamiliar sites. If something feels off, leave immediately.
Use browser protection. Tools like Malwarebytes Browser Guard block known scam sites in real time, for free. Scam Guard can help you check suspicious websites before you buy.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
If you’ve seen the two stoat siblings serving as official mascots of the Milano Cortina 2026 Winter Olympics, you already know Tina and Milo are irresistible.
Designed by Italian schoolchildren and chosen from more than 1,600 entries in a public poll, the duo has already captured hearts worldwide. So much so that the official 27 cm Tina plush toy on the official Olympics web shop is listed at €40 and currently marked out of stock.
Tina and Milo are in huge demand, and scammers have noticed.
When supply runs out, scam sites rush in
In roughly the past week alone, we’ve identified nearly 20 lookalike domains designed to imitate the official Olympic merchandise store.
These aren’t crude copies thrown together overnight. The sites use the same polished storefront template, complete with promotional videos and background music designed to mirror the official shop.olympics.com experience.
Fake site offering Tina at a huge discountReal Olympic site showing Tina out of stock
The layout and product pages are the same—the only thing that changes is the domain name. At a quick glance, most people wouldn’t notice anything unusual.
Here’s a sample of the domains we’ve been tracking:
2026winterdeals[.]top olympics-save[.]top olympics2026[.]top postolympicsale[.]com sale-olympics[.]top shopolympics-eu[.]top winter0lympicsstore[.]top (note the zero replacing the letter “o”) winterolympics[.]top 2026olympics[.]shop olympics-2026[.]shop olympics-2026[.]top olympics-eu[.]top olympics-hot[.]shop olympics-hot[.]top olympics-sale[.]shop olympics-sale[.]top olympics-top[.]shop olympics2026[.]store olympics2026[.]top
Based on telemetry, additional registrations are actively emerging.
Reports show users checking these domains from multiple regions including Ireland, the Czech Republic, the United States, Italy, and China—suggesting this is a global campaign targeting fans worldwide.
Malwarebytes blocks these domains as scams.
Anatomy of a fake Olympic shop
The fake sites are practically identical. Each one loads the same storefront, with the same layout, product pages, and promotional banners.
That’s usually a sign the scammers are using a ready-made template and copying it across multiple domains. One obvious giveaway, however, is the pricing.
On the official store, the Tina plush costs €40 and is currently out of stock. On the fake sites, it suddenly reappears at a hugely discounted price—in one case €20, with banners shouting “UP & SAVE 80%.” When an item is sold out everywhere official and a random .top domain has it for half price, you’re looking at bait.
Delivering malware through fake order confirmations or “tracking” links
Taking your money and shipping nothing at all
The Olympics are a scammer’s playground
This isn’t the first time cybercriminals have piggybacked on Olympic fever. Fake ticket sites proliferated as far back as the Beijing 2008 Games. During Paris 2024, analysts observed significant spikes in Olympics-themed phishing and DDoS activity.
The formula is simple. Take a globally recognized brand, add urgency and emotional appeal (who doesn’t want an adorable stoat plush for their kid?), mix in limited availability, and serve it up on a convincing-looking website. With over 3 billion viewers expected for Milano Cortina, the pool of potential victims is enormous.
Scammers are getting smarter. AI-powered tools now let them generate convincing phishing pages in multiple languages at scale. The days of spotting a scam by its broken images and multiple typos are fading fast.
Protect yourself from Winter Olympics scams
As excitement builds ahead of the Winter Olympics in Milano Cortina, expect scammers to ramp up their efforts across fake shops, fraudulent ticket sites, bogus livestreams, and social media phishing campaigns.
Buy only from shop.olympics.com. Type the address directly into your browser and bookmark it. Don’t click links from ads or emails.
Don’t trust extreme discounts. If it’s sold out officially but “50–80% off” elsewhere, it’s likely a scam.
Check the domain closely. Watch for odd extensions like .top or .shop, extra hyphens, or letter swaps like “winter0lympicsstore.”
Never enter payment details on unfamiliar sites. If something feels off, leave immediately.
Use browser protection. Tools like Malwarebytes Browser Guard block known scam sites in real time, for free. Scam Guard can help you check suspicious websites before you buy.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard. Submit a screenshot, paste suspicious content, or share a link, text or phone number, and we’ll tell you if it’s a scam or legit. Available with Malwarebytes Premium Security for all your devices, and in the Malwarebytes app for iOS and Android.
AI tool Vercel was abused by cybercriminals to create a Malwarebytes lookalike website.
Cybercriminals no longer need design or coding skills to create a convincing fake brand site. All they need is a domain name and an AI website builder. In minutes, they can clone a site’s look and feel, plug in payment or credential-stealing flows, and start luring victims through search, social media, and spam.
One side effect of being an established and trusted brand is that you attract copycats who want a slice of that trust without doing any of the work. Cybercriminals have always known it is much easier to trick users by impersonating something they already recognize than by inventing something new—and developments in AI have made it trivial for scammers to create convincing fake sites.
Registering a plausible-looking domain is cheap and fast, especially through registrars and resellers that do little or no upfront vetting. Once attackers have a name that looks close enough to the real thing, they can use AI-powered tools to copy layouts, colors, and branding elements, and generate product pages, sign-up flows, and FAQs that look “on brand.”
Over a three‑month period leading into the 2025 shopping season, researchers observed more than 18,000 holiday‑themed domains with lures like “Christmas,” “Black Friday,” and “Flash Sale,” with at least 750 confirmed as malicious and many more still under investigation. In the same window, about 19,000 additional domains were registered explicitly to impersonate major retail brands, nearly 3,000 of which were already hosting phishing pages or fraudulent storefronts.
These sites are used for everything from credential harvesting and payment fraud to malware delivery disguised as “order trackers” or “security updates.”
Attackers then boost visibility using SEO poisoning, ad abuse, and comment spam, nudging their lookalike sites into search results and promoting them in social feeds right next to the legitimate ones. From a user’s perspective, especially on mobile without the hover function, that fake site can be only a typo or a tap away.
When the impersonation hits home
A recent example shows how low the barrier to entry has become.
We were alerted to a site at installmalwarebytes[.]org that masqueraded from logo to layout as a genuine Malwarebytes site.
Close inspection revealed that the HTML carried a meta tag value pointing to v0 by Vercel, an AI-assisted app and website builder.
The tool lets users paste an existing URL into a prompt to automatically recreate its layout, styling, and structure—producing a near‑perfect clone of a site in very little time.
The history of the imposter domain tells an incremental evolution into abuse.
Registered in 2019, the site did not initially contain any Malwarebytes branding. In 2022, the operator began layering in Malwarebytes branding while publishing Indonesian‑language security content. This likely helped with search reputation while normalizing the brand look to visitors. Later, the site went blank, with no public archive records for 2025, only to resurface as a full-on clone backed by AI‑assisted tooling.
Traffic did not arrive by accident. Links to the site appeared in comment spam and injected links on unrelated websites, giving users the impression of organic references and driving them toward the fake download pages.
Payment flows were equally opaque. The fake site used PayPal for payments, but the integration hid the merchant’s name and logo from the user-facing confirmation screens, leaving only the buyer’s own details visible. That allowed the criminals to accept money while revealing as little about themselves as possible.
Behind the scenes, historical registration data pointed to an origin in India and to a hosting IP (209.99.40[.]222) associated with domain parking and other dubious uses rather than normal production hosting.
Combined with the AI‑powered cloning and the evasive payment configuration, it painted a picture of low‑effort, high‑confidence fraud.
AI website builders as force multipliers
The installmalwarebytes[.]org case is not an isolated misuse of AI‑assisted builders. It fits into a broader pattern of attackers using generative tools to create and host phishing sites at scale.
Threat intelligence teams have documented abuse of Vercel’s v0 platform to generate fully functional phishing pages that impersonate sign‑in portals for a variety of brands, including identity providers and cloud services, all from simple text prompts. Once the AI produces a clone, criminals can tweak a few links to point to their own credential‑stealing backends and go live in minutes.
Research into AI’s role in modern phishing shows that attackers are leaning heavily on website generators, writing assistants, and chatbots to streamline the entire kill chain—from crafting persuasive copy in multiple languages to spinning up responsive pages that render cleanly across devices. One analysis of AI‑assisted phishing campaigns found that roughly 40% of observed abuse involved website generation services, 30% involved AI writing tools, and about 11% leveraged chatbots, often in combination. This stack lets even low‑skilled actors produce professional-looking scams that used to require specialized skills or paid kits.
Growth first, guardrails later
The core problem is not that AI can build websites. It’s that the incentives around AI platform development are skewed. Vendors are under intense pressure to ship new capabilities, grow user bases, and capture market share, and that pressure often runs ahead of serious investment in abuse prevention.
As Malwarebytes General Manager Mark Beare put it:
“AI-powered website builders like Lovable and Vercel have dramatically lowered the barrier for launching polished sites in minutes. While these platforms include baseline security controls, their core focus is speed, ease of use, and growth—not preventing brand impersonation at scale. That imbalance creates an opportunity for bad actors to move faster than defenses, spinning up convincing fake brands before victims or companies can react.”
Site generators allow cloned branding of well‑known companies with no verification, publishing flows skip identity checks, and moderation either fails quietly or only reacts after an abuse report. Some builders let anyone spin up and publish a site without even confirming an email address, making it easy to burn through accounts as soon as one is flagged or taken down.
To be fair, there are signs that some providers are starting to respond by blocking specific phishing campaigns after disclosure or by adding limited brand-protection controls. But these are often reactive fixes applied after the damage is done.
Meanwhile, attackers can move to open‑source clones or lightly modified forks of the same tools hosted elsewhere, where there may be no meaningful content moderation at all.
In practice, the net effect is that AI companies benefit from the growth and experimentation that comes with permissive tooling, while the consequences is left to victims and defenders.
We have blocked the domain in our web protection module and requested a domain and vendor takedown.
How to stay safe
End users cannot fix misaligned AI incentives, but they can make life harder for brand impersonators. Even when a cloned website looks convincing, there are red flags to watch for:
Before completing any payment, always review the “Pay to” details or transaction summary. If no merchant is named, back out and treat the site as suspicious.
Do not follow links posted in comments, on social media, or unsolicited emails to buy a product. Always follow a verified and trusted method to reach the vendor.
If you come across a fake Malwarebytes website, please let us know.
We don’t just report on threats—we help safeguard your entire digital identity
AI tool Vercel was abused by cybercriminals to create a Malwarebytes lookalike website.
Cybercriminals no longer need design or coding skills to create a convincing fake brand site. All they need is a domain name and an AI website builder. In minutes, they can clone a site’s look and feel, plug in payment or credential-stealing flows, and start luring victims through search, social media, and spam.
One side effect of being an established and trusted brand is that you attract copycats who want a slice of that trust without doing any of the work. Cybercriminals have always known it is much easier to trick users by impersonating something they already recognize than by inventing something new—and developments in AI have made it trivial for scammers to create convincing fake sites.
Registering a plausible-looking domain is cheap and fast, especially through registrars and resellers that do little or no upfront vetting. Once attackers have a name that looks close enough to the real thing, they can use AI-powered tools to copy layouts, colors, and branding elements, and generate product pages, sign-up flows, and FAQs that look “on brand.”
Over a three‑month period leading into the 2025 shopping season, researchers observed more than 18,000 holiday‑themed domains with lures like “Christmas,” “Black Friday,” and “Flash Sale,” with at least 750 confirmed as malicious and many more still under investigation. In the same window, about 19,000 additional domains were registered explicitly to impersonate major retail brands, nearly 3,000 of which were already hosting phishing pages or fraudulent storefronts.
These sites are used for everything from credential harvesting and payment fraud to malware delivery disguised as “order trackers” or “security updates.”
Attackers then boost visibility using SEO poisoning, ad abuse, and comment spam, nudging their lookalike sites into search results and promoting them in social feeds right next to the legitimate ones. From a user’s perspective, especially on mobile without the hover function, that fake site can be only a typo or a tap away.
When the impersonation hits home
A recent example shows how low the barrier to entry has become.
We were alerted to a site at installmalwarebytes[.]org that masqueraded from logo to layout as a genuine Malwarebytes site.
Close inspection revealed that the HTML carried a meta tag value pointing to v0 by Vercel, an AI-assisted app and website builder.
The tool lets users paste an existing URL into a prompt to automatically recreate its layout, styling, and structure—producing a near‑perfect clone of a site in very little time.
The history of the imposter domain tells an incremental evolution into abuse.
Registered in 2019, the site did not initially contain any Malwarebytes branding. In 2022, the operator began layering in Malwarebytes branding while publishing Indonesian‑language security content. This likely helped with search reputation while normalizing the brand look to visitors. Later, the site went blank, with no public archive records for 2025, only to resurface as a full-on clone backed by AI‑assisted tooling.
Traffic did not arrive by accident. Links to the site appeared in comment spam and injected links on unrelated websites, giving users the impression of organic references and driving them toward the fake download pages.
Payment flows were equally opaque. The fake site used PayPal for payments, but the integration hid the merchant’s name and logo from the user-facing confirmation screens, leaving only the buyer’s own details visible. That allowed the criminals to accept money while revealing as little about themselves as possible.
Behind the scenes, historical registration data pointed to an origin in India and to a hosting IP (209.99.40[.]222) associated with domain parking and other dubious uses rather than normal production hosting.
Combined with the AI‑powered cloning and the evasive payment configuration, it painted a picture of low‑effort, high‑confidence fraud.
AI website builders as force multipliers
The installmalwarebytes[.]org case is not an isolated misuse of AI‑assisted builders. It fits into a broader pattern of attackers using generative tools to create and host phishing sites at scale.
Threat intelligence teams have documented abuse of Vercel’s v0 platform to generate fully functional phishing pages that impersonate sign‑in portals for a variety of brands, including identity providers and cloud services, all from simple text prompts. Once the AI produces a clone, criminals can tweak a few links to point to their own credential‑stealing backends and go live in minutes.
Research into AI’s role in modern phishing shows that attackers are leaning heavily on website generators, writing assistants, and chatbots to streamline the entire kill chain—from crafting persuasive copy in multiple languages to spinning up responsive pages that render cleanly across devices. One analysis of AI‑assisted phishing campaigns found that roughly 40% of observed abuse involved website generation services, 30% involved AI writing tools, and about 11% leveraged chatbots, often in combination. This stack lets even low‑skilled actors produce professional-looking scams that used to require specialized skills or paid kits.
Growth first, guardrails later
The core problem is not that AI can build websites. It’s that the incentives around AI platform development are skewed. Vendors are under intense pressure to ship new capabilities, grow user bases, and capture market share, and that pressure often runs ahead of serious investment in abuse prevention.
As Malwarebytes General Manager Mark Beare put it:
“AI-powered website builders like Lovable and Vercel have dramatically lowered the barrier for launching polished sites in minutes. While these platforms include baseline security controls, their core focus is speed, ease of use, and growth—not preventing brand impersonation at scale. That imbalance creates an opportunity for bad actors to move faster than defenses, spinning up convincing fake brands before victims or companies can react.”
Site generators allow cloned branding of well‑known companies with no verification, publishing flows skip identity checks, and moderation either fails quietly or only reacts after an abuse report. Some builders let anyone spin up and publish a site without even confirming an email address, making it easy to burn through accounts as soon as one is flagged or taken down.
To be fair, there are signs that some providers are starting to respond by blocking specific phishing campaigns after disclosure or by adding limited brand-protection controls. But these are often reactive fixes applied after the damage is done.
Meanwhile, attackers can move to open‑source clones or lightly modified forks of the same tools hosted elsewhere, where there may be no meaningful content moderation at all.
In practice, the net effect is that AI companies benefit from the growth and experimentation that comes with permissive tooling, while the consequences is left to victims and defenders.
We have blocked the domain in our web protection module and requested a domain and vendor takedown.
How to stay safe
End users cannot fix misaligned AI incentives, but they can make life harder for brand impersonators. Even when a cloned website looks convincing, there are red flags to watch for:
Before completing any payment, always review the “Pay to” details or transaction summary. If no merchant is named, back out and treat the site as suspicious.
Do not follow links posted in comments, on social media, or unsolicited emails to buy a product. Always follow a verified and trusted method to reach the vendor.
If you come across a fake Malwarebytes website, please let us know.
We don’t just report on threats—we help safeguard your entire digital identity
Fresh off a breathless Super Bowl Sunday, we’re less thrilled to bring you this week’s Weirdo Wednesday. Two stories caught our eye, both involving men who crossed clear lines and invaded women’s privacy online.
Last week, 27-year-old Kyle Svara of Oswego, Illinois admitted to hacking women’s Snapchat accounts across the US. Between May 2020 and February 2021, Svara harvested account security codes from 571 victims, leading to confirmed unauthorized access to at least 59 accounts.
Rather than attempting to break Snapchat’s robust encryption protocols, Svara targeted the account owners themselves with social engineering.
After gathering phone numbers and email addresses, he triggered Snapchat’s legitimate login process, which sent six-digit security codes directly to victims’ devices. Posing as Snapchat support, he then sent more than 4,500 anonymous messages via a VoIP texting service, claiming the codes were needed to “verify” or “secure” the account.
Svara showed particular interest in Snapchat’s My Eyes Only feature—a secondary four-digit PIN meant to protect a user’s most sensitive content. By persuading victims to share both codes, he bypassed two layers of security without touching a single line of code. He walked away with private material, including nude images.
Svara didn’t do this solely for his own kicks. He marketed himself as a hacker-for-hire, advertising on platforms like Reddit and offering access to specific accounts in exchange for money or trades.
Selling his services to others was how he got found out. Although Svara stopped hacking in early 2021, his legal day of reckoning followed the 2024 sentencing of one of his customers: Steve Waithe, a former track and field coach who worked at several high-profile universities including Northeastern. Waithe paid Svara to target student athletes he was supposed to mentor.
Svara also went after women in his home area of Plainfield, Illinois, and as far away as Colby College in Maine.
He now faces charges including identity theft, wire fraud, computer fraud, and making false statements to law enforcement about child sex abuse material. Sentencing is scheduled for May 18.
How to protect your Snapchat account
Never send someone your login details or secret codes, even if you think you know them.
Passkeys let you sign in without a password, but unlike multi-factor authentication, passkeys are cryptographically tied to your device, and can’t be phished or forwarded like one-time codes. Snapchat supports them, and they offer stronger protection than traditional multi-factor authentication, which is increasingly susceptible to smart phishing attacks.
Bad guys with smart glasses
Unfortunately, hacking women’s social media accounts to steal private content isn’t new. But predators will always find a way to use smart tech in nefarious ways. Such is the case with new generations of ‘smart glasses’ powered by AI.
This week, CNN published stories from women who believed they were having private, flirtatious interactions with strangers—only to later discover the men were recording them using camera-equipped smart glasses and posting the footage online.
These clips are often packaged as “rizz” videos—short for “charisma”—where so-called manfluencers film themselves chatting up women in public, without consent, to build followings and sell “coaching” services.
The glasses, sold by companies like Meta, are supposed to be used for recording only with consent, and often display a light to show that they’re recording. In practice, that indicator is easy to hide.
When combined with AI-powered services to identify people, as researchers did in 2024, the possibilities become even more chilling. We’re unaware of any related cases coming to court, but suspect it’s only a matter of time.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Fresh off a breathless Super Bowl Sunday, we’re less thrilled to bring you this week’s Weirdo Wednesday. Two stories caught our eye, both involving men who crossed clear lines and invaded women’s privacy online.
Last week, 27-year-old Kyle Svara of Oswego, Illinois admitted to hacking women’s Snapchat accounts across the US. Between May 2020 and February 2021, Svara harvested account security codes from 571 victims, leading to confirmed unauthorized access to at least 59 accounts.
Rather than attempting to break Snapchat’s robust encryption protocols, Svara targeted the account owners themselves with social engineering.
After gathering phone numbers and email addresses, he triggered Snapchat’s legitimate login process, which sent six-digit security codes directly to victims’ devices. Posing as Snapchat support, he then sent more than 4,500 anonymous messages via a VoIP texting service, claiming the codes were needed to “verify” or “secure” the account.
Svara showed particular interest in Snapchat’s My Eyes Only feature—a secondary four-digit PIN meant to protect a user’s most sensitive content. By persuading victims to share both codes, he bypassed two layers of security without touching a single line of code. He walked away with private material, including nude images.
Svara didn’t do this solely for his own kicks. He marketed himself as a hacker-for-hire, advertising on platforms like Reddit and offering access to specific accounts in exchange for money or trades.
Selling his services to others was how he got found out. Although Svara stopped hacking in early 2021, his legal day of reckoning followed the 2024 sentencing of one of his customers: Steve Waithe, a former track and field coach who worked at several high-profile universities including Northeastern. Waithe paid Svara to target student athletes he was supposed to mentor.
Svara also went after women in his home area of Plainfield, Illinois, and as far away as Colby College in Maine.
He now faces charges including identity theft, wire fraud, computer fraud, and making false statements to law enforcement about child sex abuse material. Sentencing is scheduled for May 18.
How to protect your Snapchat account
Never send someone your login details or secret codes, even if you think you know them.
Passkeys let you sign in without a password, but unlike multi-factor authentication, passkeys are cryptographically tied to your device, and can’t be phished or forwarded like one-time codes. Snapchat supports them, and they offer stronger protection than traditional multi-factor authentication, which is increasingly susceptible to smart phishing attacks.
Bad guys with smart glasses
Unfortunately, hacking women’s social media accounts to steal private content isn’t new. But predators will always find a way to use smart tech in nefarious ways. Such is the case with new generations of ‘smart glasses’ powered by AI.
This week, CNN published stories from women who believed they were having private, flirtatious interactions with strangers—only to later discover the men were recording them using camera-equipped smart glasses and posting the footage online.
These clips are often packaged as “rizz” videos—short for “charisma”—where so-called manfluencers film themselves chatting up women in public, without consent, to build followings and sell “coaching” services.
The glasses, sold by companies like Meta, are supposed to be used for recording only with consent, and often display a light to show that they’re recording. In practice, that indicator is easy to hide.
When combined with AI-powered services to identify people, as researchers did in 2024, the possibilities become even more chilling. We’re unaware of any related cases coming to court, but suspect it’s only a matter of time.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims’ machines into residential proxy nodes—and it has been hiding in plain sight for some time.
“I’m so sick to my stomach”
A PC builder recently turned to Reddit’s r/pcmasterrace community in a panic after realizing they had downloaded 7‑Zip from the wrong website. Following a YouTube tutorial for a new build, they were instructed to download 7‑Zip from 7zip[.]com, unaware that the legitimate project is hosted exclusively at 7-zip.org.
In their Reddit post, the user described installing the file first on a laptop and later transferring it via USB to a newly built desktop. They encountered repeated 32‑bit versus 64‑bit errors and ultimately abandoned the installer in favor of Windows’ built‑in extraction tools. Nearly two weeks later, Microsoft Defender alerted on the system with a generic detection: Trojan:Win32/Malgent!MSR.
The experience illustrates how a seemingly minor domain mix-up can result in long-lived, unauthorized use of a system when attackers successfully masquerade as trusted software distributors.
A trojanized installer masquerading as legitimate software
This is not a simple case of a malicious download hosted on a random site. The operators behind 7zip[.]com distributed a trojanized installer via a lookalike domain, delivering a functional copy of functional 7‑Zip File Manager alongside a concealed malware payload.
The installer is Authenticode‑signed using a now‑revoked certificate issued to Jozeal Network Technology Co., Limited, lending it superficial legitimacy. During installation, a modified build of 7zfm.exe is deployed and functions as expected, reducing user suspicion. In parallel, three additional components are silently dropped:
Uphero.exe—a service manager and update loader
hero.exe—the primary proxy payload (Go‑compiled)
hero.dll—a supporting library
All components are written to C:\Windows\SysWOW64\hero\, a privileged directory that is unlikely to be manually inspected.
An independent update channel was also observed at update.7zip[.]com/version/win-service/1.0.0.2/Uphero.exe.zip, indicating that the malware payload can be updated independently of the installer itself.
Abuse of trusted distribution channels
One of the more concerning aspects of this campaign is its reliance on third‑party trust. The Reddit case highlights YouTube tutorials as an inadvertent malware distribution vector, where creators incorrectly reference 7zip.com instead of the legitimate domain.
This shows how attackers can exploit small errors in otherwise benign content ecosystems to funnel victims toward malicious infrastructure at scale.
Execution flow: from installer to persistent proxy service
Behavioral analysis shows a rapid and methodical infection chain:
1. File deployment—The payload is installed into SysWOW64, requiring elevated privileges and signaling intent for deep system integration.
2. Persistence via Windows services—Both Uphero.exe and hero.exe are registered as auto‑start Windows services running under System privileges, ensuring execution on every boot.
3. Firewall rule manipulation—The malware invokes netsh to remove existing rules and create new inbound and outbound allow rules for its binaries. This is intended to reduce interference with network traffic and support seamless payload updates.
4. Host profiling—Using WMI and native Windows APIs, the malware enumerates system characteristics including hardware identifiers, memory size, CPU count, disk attributes, and network configuration. The malware communicates with iplogger[.]org via a dedicated reporting endpoint, suggesting it collects and reports device or network metadata as part of its proxy infrastructure.
Functional goal: residential proxy monetization
While initial indicators suggested backdoor‑style capabilities, further analysis revealed that the malware’s primary function is proxyware. The infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victim’s IP address.
The hero.exe component retrieves configuration data from rotating “smshero”‑themed command‑and‑control domains, then establishes outbound proxy connections on non‑standard ports such as 1000 and 1002. Traffic analysis shows a lightweight XOR‑encoded protocol (key 0x70) used to obscure control messages.
This infrastructure is consistent with known residential proxy services, where access to real consumer IP addresses is sold for fraud, scraping, ad abuse, or anonymity laundering.
Shared tooling across multiple fake installers
The 7‑Zip impersonation appears to be part of a broader operation. Related binaries have been identified under names such as upHola.exe, upTiktok, upWhatsapp, and upWire, all sharing identical tactics, techniques, and procedures:
Deployment to SysWOW64
Windows service persistence
Firewall rule manipulation via netsh
Encrypted HTTPS C2 traffic
Embedded strings referencing VPN and proxy brands suggest a unified backend supporting multiple distribution fronts.
Rotating infrastructure and encrypted transport
Memory analysis uncovered a large pool of hardcoded command-and-control domains using hero and smshero naming conventions. Active resolution during sandbox execution showed traffic routed through Cloudflare infrastructure with TLS‑encrypted HTTPS sessions.
The malware also uses DNS-over-HTTPS via Google’s resolver, reducing visibility for traditional DNS monitoring and complicating network-based detection.
Evasion and anti‑analysis features
The malware incorporates multiple layers of sandbox and analysis evasion:
Virtual machine detection targeting VMware, VirtualBox, QEMU, and Parallels
Anti‑debugging checks and suspicious debugger DLL loading
Runtime API resolution and PEB inspection
Process enumeration, registry probing, and environment inspection
Cryptographic support is extensive, including AES, RC4, Camellia, Chaskey, XOR encoding, and Base64, suggesting encrypted configuration handling and traffic protection.
Defensive guidance
Any system that has executed installers from 7zip.com should be considered compromised. While this malware establishes SYSTEM‑level persistence and modifies firewall rules, reputable security software can effectively detect and remove the malicious components. Malwarebytes is capable of fully eradicating known variants of this threat and reversing its persistence mechanisms. In high‑risk or heavily used systems, some users may still choose a full OS reinstall for absolute assurance, but it is not strictly required in all cases.
Users and defenders should:
Verify software sources and bookmark official project domains
Treat unexpected code‑signing identities with skepticism
Monitor for unauthorized Windows services and firewall rule changes
Block known C2 domains and proxy endpoints at the network perimeter
Researcher attribution and community analysis
This investigation would not have been possible without the work of independent security researchers who went deeper than surface-level indicators and identified the true purpose of this malware family.
Luke Acha provided the first comprehensive analysis showing that the Uphero/hero malware functions as residential proxyware rather than a traditional backdoor. His work documented the proxy protocol, traffic patterns, and monetization model, and connected this campaign to a broader operation he dubbed upStage Proxy. Luke’s full write-up is available on his blog.
s1dhy expanded on this analysis by reversing and decoding the custom XOR-based communication protocol, validating the proxy behavior through packet captures, and correlating multiple proxy endpoints across victim geolocations. Technical notes and findings were shared publicly on X (Twitter).
Additional technical validation and dynamic analysis were published by researchers at RaichuLab on Qiita and WizSafe Security on IIJ.
Their collective work highlights the importance of open, community-driven research in uncovering long-running abuse campaigns that rely on trust and misdirection rather than exploits.
Closing thoughts
This campaign demonstrates how effective brand impersonation combined with technically competent malware can operate undetected for extended periods. By abusing user trust rather than exploiting software vulnerabilities, attackers bypass many traditional security assumptions—turning everyday utility downloads into long‑lived monetization infrastructure.
Malwarebytes detects and blocks known variants of this proxyware family and its associated infrastructure.
A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims’ machines into residential proxy nodes—and it has been hiding in plain sight for some time.
“I’m so sick to my stomach”
A PC builder recently turned to Reddit’s r/pcmasterrace community in a panic after realizing they had downloaded 7‑Zip from the wrong website. Following a YouTube tutorial for a new build, they were instructed to download 7‑Zip from 7zip[.]com, unaware that the legitimate project is hosted exclusively at 7-zip.org.
In their Reddit post, the user described installing the file first on a laptop and later transferring it via USB to a newly built desktop. They encountered repeated 32‑bit versus 64‑bit errors and ultimately abandoned the installer in favor of Windows’ built‑in extraction tools. Nearly two weeks later, Microsoft Defender alerted on the system with a generic detection: Trojan:Win32/Malgent!MSR.
The experience illustrates how a seemingly minor domain mix-up can result in long-lived, unauthorized use of a system when attackers successfully masquerade as trusted software distributors.
A trojanized installer masquerading as legitimate software
This is not a simple case of a malicious download hosted on a random site. The operators behind 7zip[.]com distributed a trojanized installer via a lookalike domain, delivering a functional copy of functional 7‑Zip File Manager alongside a concealed malware payload.
The installer is Authenticode‑signed using a now‑revoked certificate issued to Jozeal Network Technology Co., Limited, lending it superficial legitimacy. During installation, a modified build of 7zfm.exe is deployed and functions as expected, reducing user suspicion. In parallel, three additional components are silently dropped:
Uphero.exe—a service manager and update loader
hero.exe—the primary proxy payload (Go‑compiled)
hero.dll—a supporting library
All components are written to C:\Windows\SysWOW64\hero\, a privileged directory that is unlikely to be manually inspected.
An independent update channel was also observed at update.7zip[.]com/version/win-service/1.0.0.2/Uphero.exe.zip, indicating that the malware payload can be updated independently of the installer itself.
Abuse of trusted distribution channels
One of the more concerning aspects of this campaign is its reliance on third‑party trust. The Reddit case highlights YouTube tutorials as an inadvertent malware distribution vector, where creators incorrectly reference 7zip.com instead of the legitimate domain.
This shows how attackers can exploit small errors in otherwise benign content ecosystems to funnel victims toward malicious infrastructure at scale.
Execution flow: from installer to persistent proxy service
Behavioral analysis shows a rapid and methodical infection chain:
1. File deployment—The payload is installed into SysWOW64, requiring elevated privileges and signaling intent for deep system integration.
2. Persistence via Windows services—Both Uphero.exe and hero.exe are registered as auto‑start Windows services running under System privileges, ensuring execution on every boot.
3. Firewall rule manipulation—The malware invokes netsh to remove existing rules and create new inbound and outbound allow rules for its binaries. This is intended to reduce interference with network traffic and support seamless payload updates.
4. Host profiling—Using WMI and native Windows APIs, the malware enumerates system characteristics including hardware identifiers, memory size, CPU count, disk attributes, and network configuration. The malware communicates with iplogger[.]org via a dedicated reporting endpoint, suggesting it collects and reports device or network metadata as part of its proxy infrastructure.
Functional goal: residential proxy monetization
While initial indicators suggested backdoor‑style capabilities, further analysis revealed that the malware’s primary function is proxyware. The infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victim’s IP address.
The hero.exe component retrieves configuration data from rotating “smshero”‑themed command‑and‑control domains, then establishes outbound proxy connections on non‑standard ports such as 1000 and 1002. Traffic analysis shows a lightweight XOR‑encoded protocol (key 0x70) used to obscure control messages.
This infrastructure is consistent with known residential proxy services, where access to real consumer IP addresses is sold for fraud, scraping, ad abuse, or anonymity laundering.
Shared tooling across multiple fake installers
The 7‑Zip impersonation appears to be part of a broader operation. Related binaries have been identified under names such as upHola.exe, upTiktok, upWhatsapp, and upWire, all sharing identical tactics, techniques, and procedures:
Deployment to SysWOW64
Windows service persistence
Firewall rule manipulation via netsh
Encrypted HTTPS C2 traffic
Embedded strings referencing VPN and proxy brands suggest a unified backend supporting multiple distribution fronts.
Rotating infrastructure and encrypted transport
Memory analysis uncovered a large pool of hardcoded command-and-control domains using hero and smshero naming conventions. Active resolution during sandbox execution showed traffic routed through Cloudflare infrastructure with TLS‑encrypted HTTPS sessions.
The malware also uses DNS-over-HTTPS via Google’s resolver, reducing visibility for traditional DNS monitoring and complicating network-based detection.
Evasion and anti‑analysis features
The malware incorporates multiple layers of sandbox and analysis evasion:
Virtual machine detection targeting VMware, VirtualBox, QEMU, and Parallels
Anti‑debugging checks and suspicious debugger DLL loading
Runtime API resolution and PEB inspection
Process enumeration, registry probing, and environment inspection
Cryptographic support is extensive, including AES, RC4, Camellia, Chaskey, XOR encoding, and Base64, suggesting encrypted configuration handling and traffic protection.
Defensive guidance
Any system that has executed installers from 7zip.com should be considered compromised. While this malware establishes SYSTEM‑level persistence and modifies firewall rules, reputable security software can effectively detect and remove the malicious components. Malwarebytes is capable of fully eradicating known variants of this threat and reversing its persistence mechanisms. In high‑risk or heavily used systems, some users may still choose a full OS reinstall for absolute assurance, but it is not strictly required in all cases.
Users and defenders should:
Verify software sources and bookmark official project domains
Treat unexpected code‑signing identities with skepticism
Monitor for unauthorized Windows services and firewall rule changes
Block known C2 domains and proxy endpoints at the network perimeter
Researcher attribution and community analysis
This investigation would not have been possible without the work of independent security researchers who went deeper than surface-level indicators and identified the true purpose of this malware family.
Luke Acha provided the first comprehensive analysis showing that the Uphero/hero malware functions as residential proxyware rather than a traditional backdoor. His work documented the proxy protocol, traffic patterns, and monetization model, and connected this campaign to a broader operation he dubbed upStage Proxy. Luke’s full write-up is available on his blog.
s1dhy expanded on this analysis by reversing and decoding the custom XOR-based communication protocol, validating the proxy behavior through packet captures, and correlating multiple proxy endpoints across victim geolocations. Technical notes and findings were shared publicly on X (Twitter).
Additional technical validation and dynamic analysis were published by researchers at RaichuLab on Qiita and WizSafe Security on IIJ.
Their collective work highlights the importance of open, community-driven research in uncovering long-running abuse campaigns that rely on trust and misdirection rather than exploits.
Closing thoughts
This campaign demonstrates how effective brand impersonation combined with technically competent malware can operate undetected for extended periods. By abusing user trust rather than exploiting software vulnerabilities, attackers bypass many traditional security assumptions—turning everyday utility downloads into long‑lived monetization infrastructure.
Malwarebytes detects and blocks known variants of this proxyware family and its associated infrastructure.
It started with an email that looked boringly familiar: Apple logo, a clean layout, and a subject line designed to make the target’s stomach drop.
The message claimed Apple has stopped a high‑value Apple Pay charge at an Apple Store, complete with a case ID, timestamp, and a warning that the account could be at risk if the target doesn’t respond.
In some cases, there was even an “appointment” booked on their behalf to “review fraudulent activity,” plus a phone number they should call immediately if the time didn’t work. Nothing in the email screams amateur. The display name appears to be Apple, the formatting closely matches real receipts, and the language hits all the right anxiety buttons.
The email warns recipients not to Apple Pay until they’ve spoken to “Apple Billing & Fraud Prevention,” and it provides a phone number to call.
After dialing the number, an agent introduces himself as part of Apple’s fraud department and asks for details such as Apple ID verification codes or payment information.
The conversation is carefully scripted to establish trust. The agent explains that criminals attempted to use Apple Pay in a physical Apple Store and that the system “partially blocked” the transaction. To “fully secure” the account, he says, some details need to be verified.
The call starts with harmless‑sounding checks: your name, the last four digits of your phone number, what Apple devices you own, and so on.
Next comes a request to confirm the Apple ID email address. While the victim is looking it up, a real-looking Apple ID verification code arrives by text message.
The agent asks for this code, claiming it’s needed to confirm they’re speaking to the rightful account owner. In reality, the scammer is logging into the account in real time and using the code to bypass two-factor authentication.
Once the account is “confirmed,” the agent walks the victim through checking their bank and Apple Pay cards. They ask questions about bank accounts and suggest “temporarily securing” payment methods so criminals can’t exploit them while the “Apple team” investigates.
The entire support process is designed to steal login codes and payment data. At scale, campaigns like this work because Apple’s brand carries enormous trust, Apple Pay involves real money, and users have been trained to treat fraud alerts as urgent and to cooperate with “support” when they’re scared.
One example submitted to Malwarebytes Scam Guard showed an email claiming an Apple Gift Card purchase for $279.99 and urging the recipient to call a support number (1-812-955-6285).
Another user submitted a screenshot showing a fake “Invoice Receipt – Paid” styled to look like an Apple Store receipt for a 2025 MacBook Air 13-inch laptop with M4 chip priced at $1,157.07 and a phone number (1-805-476-8382) to call about this “unauthorized transaction.”
What you should know
Apple doesn’t set up fraud appointments through email. The company also doesn’t ask users to fix billing problems by calling numbers in unsolicited messages.
Closely inspect the sender’s address. In these cases, the email doesn’t come from an official Apple domain, even if the display name makes it seem legitimate.
Never share two-factor authentication (2FA) codes, SMS codes, or passwords with anyone, even if they claim to be from Apple.
Ignore unsolicited messages urging you to take immediate action. Always think and verify before you engage. Talk to someone you trust if you’re not sure.
Malwarebytes Scam Guard helped several users identify this type of scam. For those without a subscription, you can use Scam Guard in ChatGPT.
If you’ve already engaged with these Apple Pay scammers, it is important to:
Change the Apple ID password immediately from Settings or appleid.apple.com, not from any link provided by email or SMS.
Check active sessions, sign out of all devices, then sign back in only on devices you recognize and control.
Rotate your Apple ID password again if you see any new login alerts, and confirm 2FA is still enabled. If not, turn it on.
In Wallet, check every card for unfamiliar Apple Pay transactions and recent in-store or online charges. Monitor bank and credit card statements closely for the next few weeks and dispute any unknown transactions immediately.
Check if the primary email account tied to your Apple ID is yours, since control of that email can be used to take over accounts.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
It started with an email that looked boringly familiar: Apple logo, a clean layout, and a subject line designed to make the target’s stomach drop.
The message claimed Apple has stopped a high‑value Apple Pay charge at an Apple Store, complete with a case ID, timestamp, and a warning that the account could be at risk if the target doesn’t respond.
In some cases, there was even an “appointment” booked on their behalf to “review fraudulent activity,” plus a phone number they should call immediately if the time didn’t work. Nothing in the email screams amateur. The display name appears to be Apple, the formatting closely matches real receipts, and the language hits all the right anxiety buttons.
The email warns recipients not to Apple Pay until they’ve spoken to “Apple Billing & Fraud Prevention,” and it provides a phone number to call.
After dialing the number, an agent introduces himself as part of Apple’s fraud department and asks for details such as Apple ID verification codes or payment information.
The conversation is carefully scripted to establish trust. The agent explains that criminals attempted to use Apple Pay in a physical Apple Store and that the system “partially blocked” the transaction. To “fully secure” the account, he says, some details need to be verified.
The call starts with harmless‑sounding checks: your name, the last four digits of your phone number, what Apple devices you own, and so on.
Next comes a request to confirm the Apple ID email address. While the victim is looking it up, a real-looking Apple ID verification code arrives by text message.
The agent asks for this code, claiming it’s needed to confirm they’re speaking to the rightful account owner. In reality, the scammer is logging into the account in real time and using the code to bypass two-factor authentication.
Once the account is “confirmed,” the agent walks the victim through checking their bank and Apple Pay cards. They ask questions about bank accounts and suggest “temporarily securing” payment methods so criminals can’t exploit them while the “Apple team” investigates.
The entire support process is designed to steal login codes and payment data. At scale, campaigns like this work because Apple’s brand carries enormous trust, Apple Pay involves real money, and users have been trained to treat fraud alerts as urgent and to cooperate with “support” when they’re scared.
One example submitted to Malwarebytes Scam Guard showed an email claiming an Apple Gift Card purchase for $279.99 and urging the recipient to call a support number (1-812-955-6285).
Another user submitted a screenshot showing a fake “Invoice Receipt – Paid” styled to look like an Apple Store receipt for a 2025 MacBook Air 13-inch laptop with M4 chip priced at $1,157.07 and a phone number (1-805-476-8382) to call about this “unauthorized transaction.”
What you should know
Apple doesn’t set up fraud appointments through email. The company also doesn’t ask users to fix billing problems by calling numbers in unsolicited messages.
Closely inspect the sender’s address. In these cases, the email doesn’t come from an official Apple domain, even if the display name makes it seem legitimate.
Never share two-factor authentication (2FA) codes, SMS codes, or passwords with anyone, even if they claim to be from Apple.
Ignore unsolicited messages urging you to take immediate action. Always think and verify before you engage. Talk to someone you trust if you’re not sure.
Malwarebytes Scam Guard helped several users identify this type of scam. For those without a subscription, you can use Scam Guard in ChatGPT.
If you’ve already engaged with these Apple Pay scammers, it is important to:
Change the Apple ID password immediately from Settings or appleid.apple.com, not from any link provided by email or SMS.
Check active sessions, sign out of all devices, then sign back in only on devices you recognize and control.
Rotate your Apple ID password again if you see any new login alerts, and confirm 2FA is still enabled. If not, turn it on.
In Wallet, check every card for unfamiliar Apple Pay transactions and recent in-store or online charges. Monitor bank and credit card statements closely for the next few weeks and dispute any unknown transactions immediately.
Check if the primary email account tied to your Apple ID is yours, since control of that email can be used to take over accounts.
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Imagine our surprise when we ended up on a site promoting that same Freecash app while investigating a “cloud storage” phish. We’ve all probably seen one of those. They’re common enough and according to recent investigation by BleepingComputer, there’s a
“large-scale cloud storage subscription scam campaign targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.”
Based on the description in that article, the email we found appears to be part of this campaign.
The subject line of the email is:
“{Recipient}. Your Cloud Account has been locked on Sat, 24 Jan 2026 09:57:55 -0500. Your photos and videos will be removed!”
This matches one of the subject lines that BleepingComputer listed.
And the content of the email:
“Payment Issue – Cloud Storage
Dear User,
We encountered an issue while attempting to renew your Cloud Storage subscription.
Unfortunately, your payment method has expired. To ensure your Cloud continues without interruption, please update your payment details.
Subscription ID: 9371188
Product: Cloud Storage Premium
Expiration Date: Sat,24 Jan-2026
If you do not update your payment information, you may lose access to your Cloud Storage, which may prevent you from saving and syncing your data such as photos, videos, and documents.
Update Payment Details {link button}
Security Recommendations:
Always access your account through our official website
Never share your password with anyone
Ensure your contact and billing information are up to date”
The link in the email leads to https://storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html#/redirect.html, which helps the scammer establish a certain amount of trust because it points to Google Cloud Storage (GCS). GCS is a legitimate service that allows authorized users to store and manage data such as files, images, and videos in buckets. However, as in this case, attackers can abuse it for phishing.
The redirect carries some parameters to the next website.
The feed.headquartoonjpn[.]com domain was blocked by Malwarebytes. We’ve seen it before in an earlier campaign involving an Endurance-themed phish.
After a few more redirects, we ended up at hx5.submitloading[.]com, where a fake CAPTCHA triggered the last redirect to freecash[.]com, once it was solved.
The end goal of this phish likely depends on the parameters passed along during the redirects, so results may vary.
Rather than stealing credentials directly, the campaign appears designed to monetize traffic, funneling victims into affiliate offers where the operators get paid for sign-ups or conversions.
BleepingComputer noted that they were redirected to affiliate marketing websites for various products.
“Products promoted in this phishing campaign include VPN services, little-known security software, and other subscription-based offerings with no connection to cloud storage.”
How to stay safe
Ironically, the phishing email itself includes some solid advice:
Always access your account through our official website.
Never share your password with anyone.
We’d like to add:
Never click on links in unsolicited emails without verifying with a trusted source.
Do not engage with websites that attract visitors like this.
Pro tip: Malwarebytes Scam Guard would have helped you identify this email as a scam and provided advice on how to proceed.
Redirect flow (IOCs)
storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html
feed.headquartoonjpn[.]com
revivejudgemental[.]com
hx5.submitloading[.]com
freecash[.]com
Update February 5, 2026
Almedia GmbH, the company behind the Freecash platform, reached out to us for information about the chain of redirects that lead to their platform. And after an investigation they notified us that:
“Following Malwarebytes’ reporting and the additional information they shared with us, we investigated the issue and identified an affiliate operating in breach of our policies. That partner has been removed from our network.
Almedia does not sell user data, and we take compliance, user trust, and responsible advertising seriously.”
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
Imagine our surprise when we ended up on a site promoting that same Freecash app while investigating a “cloud storage” phish. We’ve all probably seen one of those. They’re common enough and according to recent investigation by BleepingComputer, there’s a
“large-scale cloud storage subscription scam campaign targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.”
Based on the description in that article, the email we found appears to be part of this campaign.
The subject line of the email is:
“{Recipient}. Your Cloud Account has been locked on Sat, 24 Jan 2026 09:57:55 -0500. Your photos and videos will be removed!”
This matches one of the subject lines that BleepingComputer listed.
And the content of the email:
“Payment Issue – Cloud Storage
Dear User,
We encountered an issue while attempting to renew your Cloud Storage subscription.
Unfortunately, your payment method has expired. To ensure your Cloud continues without interruption, please update your payment details.
Subscription ID: 9371188
Product: Cloud Storage Premium
Expiration Date: Sat,24 Jan-2026
If you do not update your payment information, you may lose access to your Cloud Storage, which may prevent you from saving and syncing your data such as photos, videos, and documents.
Update Payment Details {link button}
Security Recommendations:
Always access your account through our official website
Never share your password with anyone
Ensure your contact and billing information are up to date”
The link in the email leads to https://storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html#/redirect.html, which helps the scammer establish a certain amount of trust because it points to Google Cloud Storage (GCS). GCS is a legitimate service that allows authorized users to store and manage data such as files, images, and videos in buckets. However, as in this case, attackers can abuse it for phishing.
The redirect carries some parameters to the next website.
The feed.headquartoonjpn[.]com domain was blocked by Malwarebytes. We’ve seen it before in an earlier campaign involving an Endurance-themed phish.
After a few more redirects, we ended up at hx5.submitloading[.]com, where a fake CAPTCHA triggered the last redirect to freecash[.]com, once it was solved.
The end goal of this phish likely depends on the parameters passed along during the redirects, so results may vary.
Rather than stealing credentials directly, the campaign appears designed to monetize traffic, funneling victims into affiliate offers where the operators get paid for sign-ups or conversions.
BleepingComputer noted that they were redirected to affiliate marketing websites for various products.
“Products promoted in this phishing campaign include VPN services, little-known security software, and other subscription-based offerings with no connection to cloud storage.”
How to stay safe
Ironically, the phishing email itself includes some solid advice:
Always access your account through our official website.
Never share your password with anyone.
We’d like to add:
Never click on links in unsolicited emails without verifying with a trusted source.
Do not engage with websites that attract visitors like this.
Pro tip: Malwarebytes Scam Guard would have helped you identify this email as a scam and provided advice on how to proceed.
Redirect flow (IOCs)
storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html
feed.headquartoonjpn[.]com
revivejudgemental[.]com
hx5.submitloading[.]com
freecash[.]com
Update February 5, 2026
Almedia GmbH, the company behind the Freecash platform, reached out to us for information about the chain of redirects that lead to their platform. And after an investigation they notified us that:
“Following Malwarebytes’ reporting and the additional information they shared with us, we investigated the issue and identified an affiliate operating in breach of our policies. That partner has been removed from our network.
Almedia does not sell user data, and we take compliance, user trust, and responsible advertising seriously.”
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!
It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers—giving attackers complete control of the system.
What appears to be a casual party or event invitation leads to the silent installation of ScreenConnect, a legitimate remote support tool quietly installed in the background and abused by attackers.
Here’s how the scam works, why it’s effective, and how to protect yourself.
The email: A party invitation
Victims receive an email framed as a personal invitation—often written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.
In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you don’t know.
So far, we’ve only seen this campaign targeting people in the UK, but there’s nothing stopping it from expanding elsewhere.
Clicking the link in the email leads to a polished invitation page hosted on an attacker-controlled domain.
The invite: The landing page that leads to an installer
The landing page leans heavily into the party theme, but instead of showing event details, the page nudges the user toward opening a file. None of them look dangerous on their own, but together they keep the user focused on the “invitation” file:
A bold “You’re Invited!” headline
The suggestion that a friend had sent the invitation
A message saying the invitation is best viewed on a Windows laptop or desktop
A countdown suggesting your invitation is already “downloading”
A message implying urgency and social proof (“I opened mine and it was so easy!”)
Within seconds, the browser is redirected to download RSVPPartyInvitationCard.msi
The page even triggers the download automatically to keep the victim moving forward without stopping to think.
This MSI file isn’t an invitation. It’s an installer.
The guest: What the MSI actually does
When the user opens the MSI file, it launches msiexec.exe and silently installs ScreenConnect Client, a legitimate remote access tool often used by IT support teams.
There’s no invitation, RSVP form, or calendar entry.
What happens instead:
ScreenConnect binaries are installed under C:\Program Files (x86)\ScreenConnect Client\
A persistent Windows service is created (for example, ScreenConnect Client 18d1648b87bb3023)
There is no clear user-facing indication that a remote access tool is being installed
From the victim’s perspective, very little seems to happen. But at this point, the attacker can now remotely access their computer.
The after-party: Remote access is established
Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnect’s relay servers, including a uniquely assigned instance domain.
That connection gives the attacker the same level of access as a remote IT technician, including the ability to:
See the victim’s screen in real time
Control the mouse and keyboard
Upload or download files
Keep access even after the computer is restarted
Because ScreenConnect is legitimate software commonly used for remote support, its presence isn’t always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesn’t remember installing.
Why this scam works
This campaign is effective because it targets normal, predictable human behavior. From a behavioral security standpoint, it exploits our natural curiosity and appears to be a low risk.
Most people don’t think of invitations as dangerous. Opening one feels passive, like glancing at a flyer or checking a message, not installing software.
Even security-aware users are trained to watch out for warnings and pressure. A friendly “you’re invited” message doesn’t trigger those alarms.
By the time something feels off, the software is already installed.
Signs your computer may be affected
Watch for:
A download or executed file named RSVPPartyInvitationCard.msi
An unexpected installation of ScreenConnect Client
A Windows service named ScreenConnect Client with random characters
Your computer makes outbound HTTPS connections to ScreenConnect relay domains
Your system resolves the invitation-hosting domain used in this campaign, xnyr[.]digital
How to stay safe
This campaign is a reminder that modern attacks often don’t break in—they’re invited in. Remote access tools give attackers deep control over a system. Acting quickly can limit the damage.
For individuals
If you receive an email like this:
Be suspicious of invitations that ask you to download or open software
Never run MSI files from unsolicited emails
Verify invitations through another channel before opening anything
If you already clicked or ran the file:
Disconnect from the internet immediately
Check for ScreenConnect and uninstall it if present
Run a full security scan
Change important passwords from a clean, unaffected device
For organisations (especially in the UK)
Alert on unauthorized ScreenConnect installations
Restrict MSI execution where feasible
Treat “remote support tools” as high-risk software
Educate users: invitations don’t come as installers
This scam works by installing a legitimate remote access tool without clear user intent. That’s exactly the gap Malwarebytes is designed to catch.
Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. You’re then given a choice: confirm that the tool is expected and trusted, or remove it if it isn’t.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers—giving attackers complete control of the system.
What appears to be a casual party or event invitation leads to the silent installation of ScreenConnect, a legitimate remote support tool quietly installed in the background and abused by attackers.
Here’s how the scam works, why it’s effective, and how to protect yourself.
The email: A party invitation
Victims receive an email framed as a personal invitation—often written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action.
In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you don’t know.
So far, we’ve only seen this campaign targeting people in the UK, but there’s nothing stopping it from expanding elsewhere.
Clicking the link in the email leads to a polished invitation page hosted on an attacker-controlled domain.
The invite: The landing page that leads to an installer
The landing page leans heavily into the party theme, but instead of showing event details, the page nudges the user toward opening a file. None of them look dangerous on their own, but together they keep the user focused on the “invitation” file:
A bold “You’re Invited!” headline
The suggestion that a friend had sent the invitation
A message saying the invitation is best viewed on a Windows laptop or desktop
A countdown suggesting your invitation is already “downloading”
A message implying urgency and social proof (“I opened mine and it was so easy!”)
Within seconds, the browser is redirected to download RSVPPartyInvitationCard.msi
The page even triggers the download automatically to keep the victim moving forward without stopping to think.
This MSI file isn’t an invitation. It’s an installer.
The guest: What the MSI actually does
When the user opens the MSI file, it launches msiexec.exe and silently installs ScreenConnect Client, a legitimate remote access tool often used by IT support teams.
There’s no invitation, RSVP form, or calendar entry.
What happens instead:
ScreenConnect binaries are installed under C:\Program Files (x86)\ScreenConnect Client\
A persistent Windows service is created (for example, ScreenConnect Client 18d1648b87bb3023)
There is no clear user-facing indication that a remote access tool is being installed
From the victim’s perspective, very little seems to happen. But at this point, the attacker can now remotely access their computer.
The after-party: Remote access is established
Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnect’s relay servers, including a uniquely assigned instance domain.
That connection gives the attacker the same level of access as a remote IT technician, including the ability to:
See the victim’s screen in real time
Control the mouse and keyboard
Upload or download files
Keep access even after the computer is restarted
Because ScreenConnect is legitimate software commonly used for remote support, its presence isn’t always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesn’t remember installing.
Why this scam works
This campaign is effective because it targets normal, predictable human behavior. From a behavioral security standpoint, it exploits our natural curiosity and appears to be a low risk.
Most people don’t think of invitations as dangerous. Opening one feels passive, like glancing at a flyer or checking a message, not installing software.
Even security-aware users are trained to watch out for warnings and pressure. A friendly “you’re invited” message doesn’t trigger those alarms.
By the time something feels off, the software is already installed.
Signs your computer may be affected
Watch for:
A download or executed file named RSVPPartyInvitationCard.msi
An unexpected installation of ScreenConnect Client
A Windows service named ScreenConnect Client with random characters
Your computer makes outbound HTTPS connections to ScreenConnect relay domains
Your system resolves the invitation-hosting domain used in this campaign, xnyr[.]digital
How to stay safe
This campaign is a reminder that modern attacks often don’t break in—they’re invited in. Remote access tools give attackers deep control over a system. Acting quickly can limit the damage.
For individuals
If you receive an email like this:
Be suspicious of invitations that ask you to download or open software
Never run MSI files from unsolicited emails
Verify invitations through another channel before opening anything
If you already clicked or ran the file:
Disconnect from the internet immediately
Check for ScreenConnect and uninstall it if present
Run a full security scan
Change important passwords from a clean, unaffected device
For organisations (especially in the UK)
Alert on unauthorized ScreenConnect installations
Restrict MSI execution where feasible
Treat “remote support tools” as high-risk software
Educate users: invitations don’t come as installers
This scam works by installing a legitimate remote access tool without clear user intent. That’s exactly the gap Malwarebytes is designed to catch.
Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. You’re then given a choice: confirm that the tool is expected and trusted, or remove it if it isn’t.
We don’t just report on threats—we remove them
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Loyal readers and other privacy-conscious people will be familiar with the expression, “If it’s too good to be true, it’s probably false.”
Getting paid handsomely to scroll social media definitely falls into that category. It sounds like an easy side hustle, which usually means there’s a catch.
In January 2026, an app called Freecash shot up to the number two spot on Apple’s free iOS chart in the US, helped along by TikTok ads that look a lot like job offers from TikTok itself. The ads promised up to $35 an hour to watch your “For You” page. According to reporting, the ads didn’t promote Freecash by name. Instead, they showed a young woman expressing excitement about seemingly being “hired by TikTok” to watch videos for money.
The landing pages featured TikTok and Freecash logos and invited users to “get paid to scroll” and “cash out instantly,” implying a simple exchange of time for money.
Those claims were misleading enough that TikTok said the ads violated its rules on financial misrepresentation and removed some of them.
Once you install the app, the promised TikTok paycheck vanishes. Instead, Freecash routes you to a rotating roster of mobile games—titles like Monopoly Go and Disney Solitaire—and offers cash rewards for completing time‑limited in‑game challenges. Payouts range from a single cent for a few minutes of daily play up to triple‑digit amounts if you reach high levels within a fixed period.
The whole setup is designed not to reward scrolling, as it claims, but to funnel you into games where you are likely to spend money or watch paid advertisements.
Freecash’s parent company, Berlin‑based Almedia, openly describes the platform as a way to match mobile game developers with users who are likely to install and spend. The company’s CEO has spoken publicly about using past spending data to steer users toward the genres where they’re most “valuable” to advertisers.
Our concern, beyond the bait-and-switch, is the privacy issue. Freecash’s privacy policy allows the automatic collection of highly sensitive information, including data about race, religion, sex life, sexual orientation, health, and biometrics. Each additional mobile game you install to chase rewards adds its own privacy policy, tracking, and telemetry. Together, they greatly increase how much behavioral data these companies can harvest about a user.
Experts warn that data brokers already trade lists of people likely to be more susceptible to scams or compulsive online behavior—profiles that apps like this can help refine.
We’ve previously reported on data brokers that used games and apps to build massive databases, only to later suffer breaches exposing all that data.
When asked about the ads, Freecash said the most misleading TikTok promotions were created by third-party affiliates, not by the company itself. Which is quite possible because Freecash does offer an affiliate payout program to people who promote the app online. But they made promises to review and tighten partner monitoring.
For experienced users, the pattern should feel familiar: eye‑catching promises of easy money, a bait‑and‑switch into something that takes more time and effort than advertised, and a business model that suddenly makes sense when you realize your attention and data are the real products.
If you’re curious how intrusive schemes like this can be, consider using a separate email address created specifically for testing. Avoid sharing real personal details. Many users report that once they sign up, marketing emails quickly pile up.
Some of these schemes also appeal to people who are younger or under financial pressure, offering tiny payouts while generating far more value for advertisers and app developers.
So, what can you do?
Gather information about the company you’re about to give your data. Talk to friends and relatives about your plans. Shared common sense often helps make the right decisions.
Create a separate account if you want to test a service. Use a dedicated email address and avoid sharing real personal details.
Limit information you provide online to what makes sense for the purpose. Does a game publisher need your Social Security Number? I don’t think so.
Be cautious about app installs that are framed as required to make the money initially promised, and review permissions carefully.
Loyal readers and other privacy-conscious people will be familiar with the expression, “If it’s too good to be true, it’s probably false.”
Getting paid handsomely to scroll social media definitely falls into that category. It sounds like an easy side hustle, which usually means there’s a catch.
In January 2026, an app called Freecash shot up to the number two spot on Apple’s free iOS chart in the US, helped along by TikTok ads that look a lot like job offers from TikTok itself. The ads promised up to $35 an hour to watch your “For You” page. According to reporting, the ads didn’t promote Freecash by name. Instead, they showed a young woman expressing excitement about seemingly being “hired by TikTok” to watch videos for money.
The landing pages featured TikTok and Freecash logos and invited users to “get paid to scroll” and “cash out instantly,” implying a simple exchange of time for money.
Those claims were misleading enough that TikTok said the ads violated its rules on financial misrepresentation and removed some of them.
Once you install the app, the promised TikTok paycheck vanishes. Instead, Freecash routes you to a rotating roster of mobile games—titles like Monopoly Go and Disney Solitaire—and offers cash rewards for completing time‑limited in‑game challenges. Payouts range from a single cent for a few minutes of daily play up to triple‑digit amounts if you reach high levels within a fixed period.
The whole setup is designed not to reward scrolling, as it claims, but to funnel you into games where you are likely to spend money or watch paid advertisements.
Freecash’s parent company, Berlin‑based Almedia, openly describes the platform as a way to match mobile game developers with users who are likely to install and spend. The company’s CEO has spoken publicly about using past spending data to steer users toward the genres where they’re most “valuable” to advertisers.
Our concern, beyond the bait-and-switch, is the privacy issue. Freecash’s privacy policy allows the automatic collection of highly sensitive information, including data about race, religion, sex life, sexual orientation, health, and biometrics. Each additional mobile game you install to chase rewards adds its own privacy policy, tracking, and telemetry. Together, they greatly increase how much behavioral data these companies can harvest about a user.
Experts warn that data brokers already trade lists of people likely to be more susceptible to scams or compulsive online behavior—profiles that apps like this can help refine.
We’ve previously reported on data brokers that used games and apps to build massive databases, only to later suffer breaches exposing all that data.
When asked about the ads, Freecash said the most misleading TikTok promotions were created by third-party affiliates, not by the company itself. Which is quite possible because Freecash does offer an affiliate payout program to people who promote the app online. But they made promises to review and tighten partner monitoring.
For experienced users, the pattern should feel familiar: eye‑catching promises of easy money, a bait‑and‑switch into something that takes more time and effort than advertised, and a business model that suddenly makes sense when you realize your attention and data are the real products.
If you’re curious how intrusive schemes like this can be, consider using a separate email address created specifically for testing. Avoid sharing real personal details. Many users report that once they sign up, marketing emails quickly pile up.
Some of these schemes also appeal to people who are younger or under financial pressure, offering tiny payouts while generating far more value for advertisers and app developers.
So, what can you do?
Gather information about the company you’re about to give your data. Talk to friends and relatives about your plans. Shared common sense often helps make the right decisions.
Create a separate account if you want to test a service. Use a dedicated email address and avoid sharing real personal details.
Limit information you provide online to what makes sense for the purpose. Does a game publisher need your Social Security Number? I don’t think so.
Be cautious about app installs that are framed as required to make the money initially promised, and review permissions carefully.
Login
