Reading view

Facebook scam promises cheap Aldi meat boxes, steals payment info instead

Sometimes you spot posts on social media that make you wonder if any moderation takes place at all.

Which is concerning, because twothirds of all online shopping scams now start on Facebook and Instagram. Online shopping scams are alarmingly common and have become one of the most frequently reported scam types in Australia. The Dutch police have also warned specifically about fake ads promising steep discounts.

Apparently, and this is an issue we’ve flagged before, social media platforms could stop scams, but they don’t because it hurts their revenue.

The Aldi meat box scam

This Facebook post immediately rattled my cage:

Facebook post about Aldi meat box

This promotion is not from Aldi and is not endorsed by the company. A random account, which may be compromised or completely fake, posts:

“My son works at Aldi and told me about something almost nobody knows. To be honest, I thought he was joking at first. If you’re over 40, you can get a meat box from Aldi for under $10. Sounds crazy, but it actually worked. They’re clearing out excess stock and, instead of throwing it away, they’re basically letting people have it for next to nothing. All I did was fill out a short form , I left the link in the comments in case it’s useful to anyone. I signed up for my husband (he’s 59 and loves a good steak), and when the box arrived, he opened it like it was his birthday. Everything looked fresh, neatly packed, and honestly there was more inside than we expected. It took me about a minute to fill out the form. If you’re over 40, definitely give it a go , worst case you lose a minute, best case you get a great box of meat almost for free.”


Scam or legit? Scam Guard knows.


There are several red flags here. Malwarebytes Scam Guard flagged:

  • Unusual offer: Promises of high-value products (“meat box from Aldi for under $10”) for an extremely low price are classic signs of scams, especially when they leverage well-known brands.
  • Anecdotal story: The post uses a personal story (“My son works at Aldi…”) to appear trustworthy and relatable, a common technique in social engineering.
  • Age restriction: Arbitrarily targeting people over 40 is a psychological trick to make the offer feel exclusive and relevant.
  • External link: The most common tactic is to provide a link in the comments rather than in the main post to avoid automatic detection by the platform.
  • Urgency and simplicity: Encourages quick action with phrases like “took me about a minute,” downplaying any possible risk.

As it turns out, the possible risk, or “worst case” as the Facebook post calls it, is a lot worse than losing a minute of your time.

The link was posted as the first comment and used the link shortening service cutt[.]ly (and here’s why you should beware of those):

The link in the first comment

The first redirect sent me to a website where my device was fingerprinted using an embedded JavaScript before redirecting me to https://gifts-survey[.]life/click?key={identifier}, a site designed to mimic the Aldi website. I had my VPN set to the US.

Aldi meat box scam leads to a fake Aldi site.

The scam page immediately creates urgency with messages like “only 1 spot left” and “you only have 2 minutes to complete the survey,” trying to stop visitors from thinking things through.

The survey itself only asks basic questions, so there wasn’t much harm in clicking through it on my virtual machine.

Aldi meat box scam - fake Aldi site.

As a reward, I got to pick three out of nine boxes to win a prize. I’m happy to report that I “aced” that test.

Aldi meat box scam leads to a fake Aldi site.

So, I was forwarded to the scammers’ real goal. On the domain hyperbargainsflow[.]shop, visitors are prompted to enter payment details for their discounted meat box, plus an optional upsell for faster delivery.

Aldi meat box scam leads to a fake Aldi site requesting payment details.

The final page asks victims to hand over personal details, including their full name, contact information, and home address, along with payment details for the fake “delivery” fee.

The site also uses tricks like more than 1,000 fake 5-star ratings and attempts to auto-complete and auto-submit the form if fields are detected as pre-populated. Saves you the trouble of submitting all your data yourself. Isn’t that nice of them?

We found that similar campaigns have targeted Woolworths customers in South Africa and Australia using fake butcher profiles, and the Aldi angle has appeared in other countries as well.

How to stay safe

If a post promises a box of premium meat for the price of a sandwich, assume it is a scam until you can prove otherwise.

The same simple checks will help you avoid this Aldi meat box scam and the next look‑alike campaign that pops up tomorrow.

  • Sometimes scrolling past the enthusiastic, fake comments will reveal what real users are saying:
Comments on the Facebook post
  • You can also help slow these scams down by reporting them. On Facebook, click the three-dot menu on the post and choose Report post > Scam, fraud or false information.
  • If a deal claims to be “known only by insiders” or “almost nobody knows this,” treat it as a red flag, not a perk. Real retailers advertise widely and on their own accounts. They don’t hide genuine promotions in badly written Facebook posts from throwaway accounts.
  • Be wary of links posted in the comments. Scammers sometimes use that tactic to avoid automated scanning and reporting on the platform.
  • Check the browser address bar carefully. Scam pages can copy a brand’s logo and colors perfectly, but the domain name usually gives the game away. 
  • Never enter card details, your full address, or your phone number into a site you reached via a random social post, especially if the offer feels too good to be true. If you already did, contact your bank or card issuer as soon as possible and monitor your statements.
  • Secure your devices. Use an up-to-date, real-time anti-malware solution with web protection. Malwarebytes blocks connections to unsafe sites like these.
Malwarebytes blocks gifts-survey[.]life
Malwarebytes blocks gifts-survey[.]life

Pro tip: Malwarebytes Scam Guard recognized the Facebook post as a scam and could have saved somebody’s day.


Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

  •  

Facebook scam promises cheap Aldi meat boxes, steals payment info instead

Sometimes you spot posts on social media that make you wonder if any moderation takes place at all.

Which is concerning, because twothirds of all online shopping scams now start on Facebook and Instagram. Online shopping scams are alarmingly common and have become one of the most frequently reported scam types in Australia. The Dutch police have also warned specifically about fake ads promising steep discounts.

Apparently, and this is an issue we’ve flagged before, social media platforms could stop scams, but they don’t because it hurts their revenue.

The Aldi meat box scam

This Facebook post immediately rattled my cage:

Facebook post about Aldi meat box

This promotion is not from Aldi and is not endorsed by the company. A random account, which may be compromised or completely fake, posts:

“My son works at Aldi and told me about something almost nobody knows. To be honest, I thought he was joking at first. If you’re over 40, you can get a meat box from Aldi for under $10. Sounds crazy, but it actually worked. They’re clearing out excess stock and, instead of throwing it away, they’re basically letting people have it for next to nothing. All I did was fill out a short form , I left the link in the comments in case it’s useful to anyone. I signed up for my husband (he’s 59 and loves a good steak), and when the box arrived, he opened it like it was his birthday. Everything looked fresh, neatly packed, and honestly there was more inside than we expected. It took me about a minute to fill out the form. If you’re over 40, definitely give it a go , worst case you lose a minute, best case you get a great box of meat almost for free.”


Scam or legit? Scam Guard knows.


There are several red flags here. Malwarebytes Scam Guard flagged:

  • Unusual offer: Promises of high-value products (“meat box from Aldi for under $10”) for an extremely low price are classic signs of scams, especially when they leverage well-known brands.
  • Anecdotal story: The post uses a personal story (“My son works at Aldi…”) to appear trustworthy and relatable, a common technique in social engineering.
  • Age restriction: Arbitrarily targeting people over 40 is a psychological trick to make the offer feel exclusive and relevant.
  • External link: The most common tactic is to provide a link in the comments rather than in the main post to avoid automatic detection by the platform.
  • Urgency and simplicity: Encourages quick action with phrases like “took me about a minute,” downplaying any possible risk.

As it turns out, the possible risk, or “worst case” as the Facebook post calls it, is a lot worse than losing a minute of your time.

The link was posted as the first comment and used the link shortening service cutt[.]ly (and here’s why you should beware of those):

The link in the first comment

The first redirect sent me to a website where my device was fingerprinted using an embedded JavaScript before redirecting me to https://gifts-survey[.]life/click?key={identifier}, a site designed to mimic the Aldi website. I had my VPN set to the US.

Aldi meat box scam leads to a fake Aldi site.

The scam page immediately creates urgency with messages like “only 1 spot left” and “you only have 2 minutes to complete the survey,” trying to stop visitors from thinking things through.

The survey itself only asks basic questions, so there wasn’t much harm in clicking through it on my virtual machine.

Aldi meat box scam - fake Aldi site.

As a reward, I got to pick three out of nine boxes to win a prize. I’m happy to report that I “aced” that test.

Aldi meat box scam leads to a fake Aldi site.

So, I was forwarded to the scammers’ real goal. On the domain hyperbargainsflow[.]shop, visitors are prompted to enter payment details for their discounted meat box, plus an optional upsell for faster delivery.

Aldi meat box scam leads to a fake Aldi site requesting payment details.

The final page asks victims to hand over personal details, including their full name, contact information, and home address, along with payment details for the fake “delivery” fee.

The site also uses tricks like more than 1,000 fake 5-star ratings and attempts to auto-complete and auto-submit the form if fields are detected as pre-populated. Saves you the trouble of submitting all your data yourself. Isn’t that nice of them?

We found that similar campaigns have targeted Woolworths customers in South Africa and Australia using fake butcher profiles, and the Aldi angle has appeared in other countries as well.

How to stay safe

If a post promises a box of premium meat for the price of a sandwich, assume it is a scam until you can prove otherwise.

The same simple checks will help you avoid this Aldi meat box scam and the next look‑alike campaign that pops up tomorrow.

  • Sometimes scrolling past the enthusiastic, fake comments will reveal what real users are saying:
Comments on the Facebook post
  • You can also help slow these scams down by reporting them. On Facebook, click the three-dot menu on the post and choose Report post > Scam, fraud or false information.
  • If a deal claims to be “known only by insiders” or “almost nobody knows this,” treat it as a red flag, not a perk. Real retailers advertise widely and on their own accounts. They don’t hide genuine promotions in badly written Facebook posts from throwaway accounts.
  • Be wary of links posted in the comments. Scammers sometimes use that tactic to avoid automated scanning and reporting on the platform.
  • Check the browser address bar carefully. Scam pages can copy a brand’s logo and colors perfectly, but the domain name usually gives the game away. 
  • Never enter card details, your full address, or your phone number into a site you reached via a random social post, especially if the offer feels too good to be true. If you already did, contact your bank or card issuer as soon as possible and monitor your statements.
  • Secure your devices. Use an up-to-date, real-time anti-malware solution with web protection. Malwarebytes blocks connections to unsafe sites like these.
Malwarebytes blocks gifts-survey[.]life
Malwarebytes blocks gifts-survey[.]life

Pro tip: Malwarebytes Scam Guard recognized the Facebook post as a scam and could have saved somebody’s day.


Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

  •  

Why Malwarebytes blocks some Yahoo Mail redirects

Some Malwarebytes users have recently noticed frequent web protection alerts while reading email in Yahoo Mail’s web interface. These alerts are caused by background connections from the Yahoo Mail page to a set of third‑party domains that our products and other security tools currently classify as risky.

What we are seeing under the hood

When you open Yahoo Mail in a browser, the page loads various embedded components for navigation, features, and metrics. As part of this, the interface makes calls to domains such as cook.howduhtable.com and related subdomains, sometimes in the context of URLs that include /ybar/mail.yahoo.com/ and a long encoded parameter. That encoded string often resolves to a URL like:

https://gpt.mail.yahoo.net/sandbox?client=novation&version=0.1&haq=1&cache=1

This suggests the traffic is being routed through what appears to be a sandboxed web component that Yahoo can use for things like telemetry, testing infrastructure, or mail features. It may also be part of an advertising or tracking flow, but at this time we cannot say with certainty exactly what purpose Yahoo is using it for.

Regardless of intent, multiple security systems have observed these redirect domains and assigned them poor reputations. Characteristics include:

  • Frequently changing, opaque subdomains that do not resemble normal consumer‑facing Yahoo addresses
  • Use of encoded parameters and chained redirects that make it difficult for users, and sometimes defenders, to see the final destination at a glance
  • Existing detections and blocklists from other vendors that classify the infrastructure as suspicious or potentially malicious

Because of these signals, Malwarebytes Web Protection and Browser Guard have been blocking a growing list of related subdomains to protect users, which is why some people see repeated alerts while using Yahoo Mail.

What we are not saying

It is important to be clear about what we do and do not know.

We have not established that Yahoo Mail itself is compromised or that Yahoo is deliberately distributing malware through its mail platform. What we can say is that third‑party or internal components invoked from within the Yahoo Mail web interface are making connections through domains that behave very similarly to infrastructure commonly associated with malicious or deceptive advertising and tracking.

From a security standpoint, this creates unnecessary risk. Any mechanism that injects content or runs sandboxed components via opaque redirect chains could, if misused or subverted in the future, expose users to harmful content without them ever clicking a suspicious link.

Blocking these domains is a precautionary step in line with our normal protection standards.

Why Malwarebytes blocks these redirects

Our decision to block these connections is based on a combination of technical behavior and third‑party reputation data:

  • The redirects are triggered by embedded components in the Yahoo Mail interface, not by users intentionally browsing to those domains
  • The infrastructure relies on frequently changing, non‑descriptive domains and subdomains, a pattern we often see in malicious or evasive advertising and tracking systems
  • Multiple security vendors and automated reputation feeds already flag these domains as risky or malicious, and some have seen them associated with unwanted or harmful activity

Because of this, Malwarebytes products currently block connections to these third‑party domains when they are invoked as part of Yahoo Mail’s web experience. This does not mean that all of Yahoo Mail is considered malicious. It means we are specifically interrupting a narrow set of background calls that present elevated risk.

What this means for users

If you use Yahoo Mail in a browser with Malwarebytes enabled, you may see:

  • Web protection or MWAC alerts referencing domains like cook.howduhtable.com or similar names while you are reading or composing email
  • Multiple alerts in a short period, because the mail interface may retry or rotate through different subdomains or IP addresses in the same family

In most cases, your email content itself still loads, though certain embedded elements, metrics, or ad‑related content may fail to load or behave differently.

How to stay safe and reduce interruptions

You should not need to lower your protection to continue using Yahoo Mail. Here are some practical steps you can take:

  • Keep Malwarebytes protection enabled
    Leaving Web Protection and Browser Guard on ensures blocks remain in place if these redirects change behavior or begin serving harmful content in the future.
  • Avoid allowlisting the suspicious domains
    While it’s technically possible to add exclusions for individual domains, doing so would allow their traffic to load unfiltered in your browser. We don’t recommend this unless you fully understand and accept the risk.
  • Use private/incognito windows for Yahoo Mail
    Accessing Yahoo Mail in a private/incognito session can help reduce persistence of certain tracking and advertising data because the browser discards cookies and local storage when you close the window.
  • Clear cookies and site data periodically
    If you see repeated alerts, clearing Yahoo‑related cookies and cached data may reduce some of the underlying tracking behavior that triggers these redirects.
  • Consider fewer‑ads options
    Yahoo offers paid plans that reduce or remove ads, and users can also use reputable content‑blocking extensions alongside Malwarebytes to cut down on ad‑driven behavior in webmail interfaces.

Our ongoing monitoring

The domains and infrastructure involved in these redirects are operated outside Malwarebytes, and their configuration or behavior may change over time. We are actively monitoring telemetry, sandbox reports, and reputation data for these domains and related infrastructure, and we will adjust our detections if new information emerges.

Our priority is to keep users safe while being transparent about why protection events occur, especially in widely used services such as webmail. If we learn more about the exact role of this component within Yahoo Mail, or if Yahoo provides additional clarity, we will update this article accordingly.


Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

  •  

Why Malwarebytes blocks some Yahoo Mail redirects

Some Malwarebytes users have recently noticed frequent web protection alerts while reading email in Yahoo Mail’s web interface. These alerts are caused by background connections from the Yahoo Mail page to a set of third‑party domains that our products and other security tools currently classify as risky.

What we are seeing under the hood

When you open Yahoo Mail in a browser, the page loads various embedded components for navigation, features, and metrics. As part of this, the interface makes calls to domains such as cook.howduhtable.com and related subdomains, sometimes in the context of URLs that include /ybar/mail.yahoo.com/ and a long encoded parameter. That encoded string often resolves to a URL like:

https://gpt.mail.yahoo.net/sandbox?client=novation&version=0.1&haq=1&cache=1

This suggests the traffic is being routed through what appears to be a sandboxed web component that Yahoo can use for things like telemetry, testing infrastructure, or mail features. It may also be part of an advertising or tracking flow, but at this time we cannot say with certainty exactly what purpose Yahoo is using it for.

Regardless of intent, multiple security systems have observed these redirect domains and assigned them poor reputations. Characteristics include:

  • Frequently changing, opaque subdomains that do not resemble normal consumer‑facing Yahoo addresses
  • Use of encoded parameters and chained redirects that make it difficult for users, and sometimes defenders, to see the final destination at a glance
  • Existing detections and blocklists from other vendors that classify the infrastructure as suspicious or potentially malicious

Because of these signals, Malwarebytes Web Protection and Browser Guard have been blocking a growing list of related subdomains to protect users, which is why some people see repeated alerts while using Yahoo Mail.

What we are not saying

It is important to be clear about what we do and do not know.

We have not established that Yahoo Mail itself is compromised or that Yahoo is deliberately distributing malware through its mail platform. What we can say is that third‑party or internal components invoked from within the Yahoo Mail web interface are making connections through domains that behave very similarly to infrastructure commonly associated with malicious or deceptive advertising and tracking.

From a security standpoint, this creates unnecessary risk. Any mechanism that injects content or runs sandboxed components via opaque redirect chains could, if misused or subverted in the future, expose users to harmful content without them ever clicking a suspicious link.

Blocking these domains is a precautionary step in line with our normal protection standards.

Why Malwarebytes blocks these redirects

Our decision to block these connections is based on a combination of technical behavior and third‑party reputation data:

  • The redirects are triggered by embedded components in the Yahoo Mail interface, not by users intentionally browsing to those domains
  • The infrastructure relies on frequently changing, non‑descriptive domains and subdomains, a pattern we often see in malicious or evasive advertising and tracking systems
  • Multiple security vendors and automated reputation feeds already flag these domains as risky or malicious, and some have seen them associated with unwanted or harmful activity

Because of this, Malwarebytes products currently block connections to these third‑party domains when they are invoked as part of Yahoo Mail’s web experience. This does not mean that all of Yahoo Mail is considered malicious. It means we are specifically interrupting a narrow set of background calls that present elevated risk.

What this means for users

If you use Yahoo Mail in a browser with Malwarebytes enabled, you may see:

  • Web protection or MWAC alerts referencing domains like cook.howduhtable.com or similar names while you are reading or composing email
  • Multiple alerts in a short period, because the mail interface may retry or rotate through different subdomains or IP addresses in the same family

In most cases, your email content itself still loads, though certain embedded elements, metrics, or ad‑related content may fail to load or behave differently.

How to stay safe and reduce interruptions

You should not need to lower your protection to continue using Yahoo Mail. Here are some practical steps you can take:

  • Keep Malwarebytes protection enabled
    Leaving Web Protection and Browser Guard on ensures blocks remain in place if these redirects change behavior or begin serving harmful content in the future.
  • Avoid allowlisting the suspicious domains
    While it’s technically possible to add exclusions for individual domains, doing so would allow their traffic to load unfiltered in your browser. We don’t recommend this unless you fully understand and accept the risk.
  • Use private/incognito windows for Yahoo Mail
    Accessing Yahoo Mail in a private/incognito session can help reduce persistence of certain tracking and advertising data because the browser discards cookies and local storage when you close the window.
  • Clear cookies and site data periodically
    If you see repeated alerts, clearing Yahoo‑related cookies and cached data may reduce some of the underlying tracking behavior that triggers these redirects.
  • Consider fewer‑ads options
    Yahoo offers paid plans that reduce or remove ads, and users can also use reputable content‑blocking extensions alongside Malwarebytes to cut down on ad‑driven behavior in webmail interfaces.

Our ongoing monitoring

The domains and infrastructure involved in these redirects are operated outside Malwarebytes, and their configuration or behavior may change over time. We are actively monitoring telemetry, sandbox reports, and reputation data for these domains and related infrastructure, and we will adjust our detections if new information emerges.

Our priority is to keep users safe while being transparent about why protection events occur, especially in widely used services such as webmail. If we learn more about the exact role of this component within Yahoo Mail, or if Yahoo provides additional clarity, we will update this article accordingly.


Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

  •  

Attackers adopt JavaScript runtime Bun to spread NWHStealer

In our previous research, we analyzed a Windows infostealer we track as NWHStealer. The attackers behind this stealer are continuously finding new methods to distribute the stealer. During our hunting activities, we noticed how attackers are using a JavaScript runtime called Bun to help distribute it.

Bun is a legitimate, fast, all-in-one JavaScript and TypeScript toolkit designed as a modern, high-performance replacement for Node.js. It is built from the ground up to simplify modern web development by integrating several essential tools into a single executable. 

Its relative newness also makes it appealing for attackers. Bun has not yet been widely seen in malware campaigns, and it allows them to package malicious code into larger executables that may be less easily detected. 

What is NWHStealer and what can it do? 

NWHStealer is a  Rust-based stealer distributed using a range of lures and delivery methods. These include Node.js scripts, MSI installers, and, more recently, JavaScript loaders built with the Bun runtime.  

It is often hosted on legitimate platforms such as GitHub, GitLab, MediaFire, Itch.io, and SourceForge, which helps it blend in with normal software and increases the chances of users downloading it. Attackers continue to create new profiles and lures to spread the stealer. 

Once installed on your PC, NWHStealer can: 

  • Collect system information, including operating system, hardware, security software, user data and connected devices. 
  • Steal data from browsers, extensions and crypto wallets. 
  • Steal data from different applications, including FTP applications such as FileZilla, CoreFTP and messaging apps such as Steam and Discord. 
  • Inject malicious code into browser processes and run additional payloads (e.g. XMRig).
  • Attempt to bypass User Account Control (UAC). 
  • Achieve persistence via scheduled tasks. 
  • Get new command-and-control (C2) addresses from Telegram. 

How to stay safe 

Attackers are constantly adapting their techniques, and the use of newer tools like Bun shows how they try to stay ahead of detection. 

NWHStealer is particularly concerning because of how widely it is distributed, and the types of data it targets. Stolen browser data, saved passwords, and cryptocurrency wallet information can quickly lead to account takeovers, financial loss, and further compromise. 

Here are a few simple ways to stay safe: 

  • Only download software from official websites. 
  • Be cautious with downloads from platforms like GitHub, SourceForge, or file-sharing platforms unless you trust the source. 
  • Attackers are continuing to create new profiles to distribute this stealer across platforms.  Check the profile/developer/publisher’s profile, reputation, and how new it is when downloading something from file hosting providers or blogs. 
  • Check the structure of the archives, that the content, images, txt files are consistent with what you downloaded. Also check the archive name, they usually have recognizable patterns. 
  • Check the file’s publisher and signature before you run it. 

Safer. Cleaner. Ad-free browsing.


Pro tip: Install Malwarebytes Browser Guard to block malicious sites before they load. 


Technical analysis

The new distribution method: Bun JavaScript Runtime 

According to its official site, Bun is an all-in-one JavaScript, TypeScript & JSX toolkit. It’s built from scratch in Zig and powered by Apple’s JavaScriptCore engine, with a focus on fast startup and low memory usage.

Bun is composed of four main components: 

  • JavaScript Runtime: a JavaScript runtime designed as a drop-in replacement for Node.js. 
  • Package Manager: a fast alternative for npm. 
  • Test Runner: a built-in, Jest-compatible runner that executes tests much faster than standard runners. 
  • Bundler: replaces tools like Webpack, Vite, or esbuild for packaging code. 

In recent campaigns, we detected that NWHStealer is being distributed using a Bun JavaScript Runtime bundle.  

As we saw in our previous research, game-related and other software lures are used to start the infection chain. Some of the detected ZIP names in these recent campaigns include: 

  • Game-related software and cheats such as: 
    • MOUSE_PI_Trainer_v1.0.zip
    • FiveM Mod.zip
    • VampireCrawlers_Trainer_v1.0.zip
    • MagicalPrincess_Trainer_v1.0.zip 
    • TerraTechLegion_Trainer_v1.0.zip 
  • Other software such as: 
    • TradingView-Activation-Script-0.9.zip 
    • AutoTune 2026.zip
    • Metatune by Slate Digital 2026.zip
    • GoGoTv_Plus.zipAutodesk.zip

In the case analyzed in this article, the infection chain starts with an archive containing Installer.exe, which embeds JavaScript code bundled with the Bun runtime. 

The “DW” folder contains another loader, called dw.exe. This self-injection loader is similar to the one analyzed previously, but with a different decryption routine. This loader is not present in all ZIP files analyzed. 

The malicious ZIP contains two loaders
The malicious ZIP contains two loaders 

The Readme.txt file asks the user to manually launch dw.exe if the main .exe file fails to run properly. This gives the attacker two ways to distribute the stealer if the C2 of the main Bun loader is offline. The loader in dw.exe works independently from the Bun JavaScript loader. 

The Readme file inside the ZIP archive
The Readme file inside the ZIP archive
The fake Build Tools setup shown if dw.exe is started
The fake Build Tools setup shown if dw.exe is started

In this article, we don’t analyze dw.exe, as it’s a variant of the previous loaders. Instead, we focus on the JavaScript loader executed with the Bun JavaScript runtime. 

Analysis of the JavaScript Loader  

The executed JavaScript code by the Bun JavaScript runtime is inside the .bun section and is obfuscated.  

The .bun section with the obfuscated JavaScript code
The .bun section with the obfuscated JavaScript code 

The malicious code is implemented in two parts of the code: 

  • sysreq.js: performs the anti-virtualization checks with a score system. 
  • memload.js: communicates with the C2 server, performs decryption and loads the next stage. 
Entry point of the JavaScript loader

The loader runs several PowerShell CIM (Common Information Model) commands and WMI (Windows Management Instrumentation) commands to detect virtual environments. There are different controls related to CPU numbers, disk space, screen resolution, USB devices, hardware manufacturers and products, number of installed software, presence of specific folders such as Browser folders, number of running processes and username. A scoring system is implemented, and based on this score, the loader decides whether to continue with the infection or terminate it.

To detect a virtual environment, the loader executes more than 10 PowerShell commands, such as: 

  • Get-CimInstance -ClassName Win32_DiskDrive | Select-Object Model  
  • Get-CimInstance -ClassName Win32_PhysicalMemory | Select-Object Manufacturer,Speed  
  • Get-CimInstance -ClassName Win32_BIOS | Select-Object Manufacturer  
  • Get-CimInstance -ClassName Win32_BaseBoard | Select-Object Manufacturer,Product  
  • Get-CimInstance -ClassName Win32_DiskDrive | Select-Object PNPDeviceID 
  • (Get-Process -ErrorAction SilentlyContinue).Count 

The results are compared against different strings, for example:

  • Virtualization indicators: qemu, seabios, bochs, vbox, vmware, virtualbox, kvm, xen, parallels, virtio, vmbus, red hat, edk ii
  • Username sandbox: sandbox, malware, virus, sample, vmuser, wdagutilityaccount, defaultuser0
  • MAC associated with virtual environments

The strings are decrypted using XOR and base64 decoding; there are arrays of tuples and each contains the encrypted strings and a key used for XOR decryption. 

Encrypted data with XOR keys
Encrypted data with XOR keys 

Several functions handle string decryption, including one that decrypts the config used in the C2 communication. Partial config: 

C2 server: https://silent-harvester.cc
BUILD_ID: 0ddbfec60307
C2 Path: /api/status, /api/update

The loader obtains and sends an initial request to the endpoint https://C2-server/api/report with encrypted data about the compromised system: 

  • Public IP obtained with a request to api.ipify.org. 
  • System information 
  • Anti-VM result 
  • Base-64 encoded screenshot 
  • Timestamp 

Then it makes two GET HTTP requests: 

  • https://C2-server/api/status?v={BUILD_ID}, to obtain the seed used for AES key derivation. 
  • https://C2-server/api/update?v={BUILD_ID}, to obtain the encrypted payload with AES nonce and authentication tag. 

The next stage is decrypted using AES-256-CBC, with the AES data returned by the C2 and loaded with a self-injection loader using the following APIs: 

  • VirtualAlloc 
  • VirtualProtect 
  • LoadLibraryA 
  • GetProcAddress 
  • RtlAddFunctionTable
  • CreateThread 
  • SearchPathA 

These Win32 APIs are executed through the Bun module bun:ffi, which allows JavaScript to call native libraries. 

At the end of this process, NWHStealer was deployed in the analyzed cases. 

Indicators of Compromise (IOCs) 

Domains 

whale-ether[.]pro: NWH Stealer C2 server 

cosmic-nebula[.]cc: NWH Stealer C2 server 

silent-harvester[.]cc: Bun Loader C2 server 

silent-orbit[.]cc: Bun Loader C2 server 

support-onion[.]club: Bun Loader C2 server 

Hash 

d3a896f450561b2546b418b469a8e10949c7320212eb1c72b48e2b1e37c34ba5 

96fe4ddfe256dc9d2c6faea7c18e2583cd9d9c0099a4ad2cf082f569ee8379f4 

3710fb27d2032ef1eb1252ebf5c4dd516d2b2c0a83fb82c664c89e504b990fa9 

33d07aa24b217f27df6a483295c817da198e12511a6989bcc6b917feaf8e491d 

5427b4cefb329ed0e9585b3ce58a2788baf87e3b0c7221373f9bbd5f32c85b62 

308da9f49ffa1d1744e428b567792ab22712159974e9da8d8e0414ecd81de93e 

021838f30a43026084978bce187c165c6b640d8d474ec009d48078d21ec62025 

c8e96b55f13435c4b43b7209d2403f1a0e0f9deb05edc50e0f777430be693b07 

0614c4cc6375ab6bdcdd2dfa913a67d32c3e8be9b95a4a2aa09bb131b98191c8 

0020999b2e3e4d1b2cfb69e4df9440d3ce05d508573889fdc12b724ce75a0cd8 

0fa42df08cc467ec52b2d388b5575114a8ec067d13f6b1a653ec33fe879f88ca 

15f79980650393d182f81cd6e389210568aa1f5f875e515efe6cb9485d64b7fb 

20454ba58d509300fd694ae6159db4efa1b7ff965f98c29e7d087e20f96578c1 


CNET Editors' Choice Award 2026

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review


  •  
❌