Normal view

Roblox developers are losing entire games to malware attacks

17 June 2026 at 22:22

Account theft usually ends with someone losing a password. This one ends with hackers walking off with the entire game.

Developers behind some of Roblox’s millions of games told 404 Media that attackers persuaded them to run a single file. Then they watched their group, their game, and their Robux (in-platform currency) balance vanish into someone else’s account within hours. In several cases, Roblox support didn’t help them get the games back until a reporter called the company for comment.

From beaming to hostile takeover

Roblox attacks used to be opportunistic. “Beamers” targeted individual players to steal rare hats, limited items, and accounts, then resold them. The pattern has shifted. The new targets are developer accounts, and the prize is the game itself.

Ioannis Matziaris told 404 Media that his two 20-year-old sons spent five years building a Roblox game called The Shadow Network. In April, attackers approached one of them with a job offer and convinced him to run a particular file. It was malware. The attackers stole control of the game, the group’s Roblox account, and their Robux balance.

Another developer, Jovan Rai, received the same project-manager job pitch. This time, the attackers were impersonating Cheesy Studios, the Matziaris brothers’ company, to lend the offer credibility. The 15-year-old was earning roughly 10,000 Robux (around $38) per day from his game. He spent more than 30 days trying to recover it through Roblox support before media attention helped move the case forward.

The malware behind the theft

Developer Mohamed Kaparoza described how the attack worked. Attackers contacted him on Discord, dangled a project-manager role, and asked him to install a Python package called “robase,” which they claimed was a database tool. Shortly after installing it, he was logged out of Roblox on both his PC and his phone. His Discord account went with it, and his two-step verification settings and passkey were changed.

This is a case of session-token theft, rather than credential theft. Once an infostealer steals an authenticated browser session, attackers can often bypass security measures such as two-factor authentication (2FA) because they are reusing a session that has already been authenticated.

The technique itself isn’t new. We reported on a similar campaign in January 2025 that targeted Roblox players with offers to beta test new games. The “installer” was actually an infostealer designed to steal data, including Discord and Steam sessions, and cryptocurrency wallet information.

What developers can do

If you build Roblox games, the defensive advice is unglamorous and mostly behavioral.

  • Treat unsolicited Discord job offers with caution. If a stranger asks you to install a “database tool,” a custom installer, or any file at all, do not run it.
  • Developers who need to test unfamiliar software should do so in an isolated environment, such as a virtual machine, rather than on a device where they are signed in to Roblox, Discord, GitHub, or other important accounts.
  • Review active Roblox sessions and signed-in devices regularly, and switch on Roblox’s Enhanced Protection features where available. They won’t stop session-stealer malware, but they can help protect against many other forms of account compromise.
  • If the worst happens, document everything as early as possible. Keep records of messages, screenshots, account changes, and support requests to help with any recovery process.
  • Use security software with real-time protection. Malwarebytes Premium can detect and block infostealers and other malware before they compromise your accounts.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Rokarolla Android malware can take over your phone and steal banking logins

17 June 2026 at 17:34

Researchers have analyzed a new Android banking Trojan called Rokarolla. It can effectively take over a device, steal banking and crypto login details from more than 200 apps, and quietly monitor much of what you do on your phone.

On an infected device, Rokarolla steals banking and crypto login details. It also uses fake lock-screen overlays to capture your PIN, pattern, or password.

When you open one of the banking or crypto apps on Rokarolla’s target list, the malware downloads and displays a matching fake login page over the real app. Anything you type into the fake page, including usernames, passwords, and card numbers, is sent to the attackers.

Separately, Rokarolla abuses Android’s Accessibility features to monitor activity across the device. It can recognize WhatsApp screens by looking for familiar labels such as “Chats” and “Calls,” extract contact information, read SMS messages, and send new ones. These capabilities can help it intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes.

Rokarolla can take control of text messages and phone calls, helping it block security alerts and hide signs of fraud.

It can also record everything you type and see on the screen. If you copy and paste a cryptocurrency wallet address, the malware can secretly replace it with one belonging to the attackers.

Other features help the malware stay hidden, including the ability to hide its icon, silence the device, turn off Google Play Protect, and prevent the screen from going to sleep.

How it spreads

Rokarolla is distributed through rogue websites, where it is offered as fake versions of popular apps like TikTok or Chrome.

Malwarebytes blocks the download site
Malwarebytes blocks the download site

Instead of sending you to the official Google Play Store, these malicious sites push you to download the app directly, a process known as sideloading. After you install it, the fake app poses as Google Play Protect and quietly downloads and installs the malware that carries out the attack.

To gain the access it needs, the fake app asks for powerful permissions, including Accessibility access, the permission to read SMS messages, and access to notifications. Because these requests can look legitimate, many users may approve them without realizing the risks.

How to stay safe

To avoid banking Trojans like Rokarolla, there are a few guidelines you should follow:

  • Don’t trust apps that claim to be Google Play Protect or another system component. You should never need to install these manually.
  • Use up-to-date, real-time anti-malware protection with web protection on your devices.
  • Don’t sideload apps that are available on the Google Play Store. While malware can sometimes slip into official stores, the risk is much greater elsewhere.
  • Deny powerful permissions to apps downloaded from links or websites, especially if they ask for Accessibility access, SMS permissions, or the ability to handle calls, even though that doesn’t match their stated purpose.
  • In fact, any request for Accessibility access should be treated with caution. If an app that is not clearly an accessibility tool asks for it, deny the request and reconsider whether you trust the source.
  • Scrutinize banking and crypto login screens. If something looks off, or you see multiple login prompts, close the app and relaunch it from its official icon.

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

24 billion stolen records exposed online. Here’s what to do

17 June 2026 at 12:56

A newly discovered database containing 24 billion stolen records is a reminder that personal information from data breaches, phishing campaigns, and infostealer infections continues to circulate online.

The collection was exposed on the internet before being taken offline. While researchers can’t confirm exactly whose information was included, the discovery is a good opportunity to check whether your email addresses, passwords, or other personal data have already been exposed.

What happened?

Researchers at Cybernews found a publicly exposed database holding more than 8.3 TB of data.

The data, consisting of 24 billion credential records, reportedly came from 36 sources, including numerous Telegram channels, prior breach compilations, collections of infostealer logs, and some datasets apparently exported directly from live servers.

Because the data came from different sources there are some differences in what the records contain and how they are organized.

Some records were structured infostealer logs containing usernames, email addresses, and plaintext passwords, and the associated login URL. Infostealers are a type of malware designed to steal sensitive information from infected devices, such as your home computer.

An infostealer log from a single infected device can include passwords stored across all browsers, active session cookies and tokens (including those that bypass multi-factor authentication), autofill data, device fingerprints, and sometimes crypto wallets or messaging accounts. The complete bundle is what ends up in logs such as those seen by the Cybernews researchers.

Roughly 1.7 billion of the records came from hacking-related Telegram channels, mainly English and Russian, including at least one that was focused on stolen credit card data.

The exposed database was hosted on an Elasticsearch cluster. Elasticsearch is a tool used to quickly store and search lots of data. If an Elasticsearch server lacks passwords, authentication, or network restrictions, it can be accessed by anyone who finds it online. Without protections such as passwords or a firewall, anyone can read, copy, change, or even delete its data.

Other documents in the dataset contained information about known vulnerabilities, articles about breaches, and social media posts about cyberattacks. This suggests the owner actively monitors security news and vulnerabilities and enriches the credential hoard with fresh breach information, either for a commercial “monitoring” service or for offensive use.

A few years ago, we wrote about what was called the “mother of all breaches,” where the source of the dataset was later identified as data breach search engine Leak-Lookup.

This newly discovered 24 billion record exposure is in the same league as that previous mega‑dump, but appears more heavily weighted toward fresh infostealer logs, rather than older, static breach data.

Since the data was taken out of public view soon after the discovery, the researchers were unable to fully retrace everything they had found or determine how many duplicate records it contained. That’s reassuring because it reduces the chances of cybercriminals finding the database, but reused passwords may still put accounts at risk. And we still don’t know the purpose for the data collection in the first place.

What to do now

It’s good to be aware of how much information about you is out there and who’s gathering it, but it’s even more important to know exactly which information they have, since that is what they can use against you.

1. Check if your data has been exposed online using our Digital Footprint Portal.

2. If you discover exposed passwords, change them immediately and make sure you aren’t reusing the same password across multiple accounts. Prioritize updating your important accounts such as email, banking, shopping, and social media accounts.

3. Turn on multi-factor authentication (MFA) wherever possible, since it can help protect accounts even if a password has been exposed.

How to protect your data

Infostealers often spread through malicious ads, fake browser updates, and one-click downloads. Avoid clicking sponsored ads, and instead visit official websites directly. Download software only from trusted sources such as official vendor sites or app stores.

Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand what they do.

Pirated software, game cheats, cracked tools, and shady browser extensions remain common sources of infostealer infections. Stick to reputable software and extensions, and be wary of anything asking for excessive permissions.

Lastly, phishing emails are still a major threat. Be cautious of unexpected attachments, links, and urgent requests. If you’re unsure whether a message is legitimate, verify it through the company’s official website rather than the link in the message.

You can also use Malwarebytes Scam Guard to check individual messages. Just upload a screenshot and we’ll let you know if it’s a scam.


Breaches happen every day. Don’t be the last to know.



Malwarebytes earns AV-TEST Top Product award, aces other third-party tests

17 June 2026 at 11:41

Our job is to protect people from online threats, and independent testing is one of the best ways to measure how well we’re doing.

Malwarebytes nabbed AV-TEST’s Top Product award after scoring 17.5 points out of a possible 18 in the research organization’s most recent Windows security test. The award is the latest in a string of endorsements from third-party testers whose ongoing evaluations help keep us sharp.

Here’s a closer look at the results.

AV-TEST Windows Consumer Security Product Test

AV-TEST’s Windows Consumer Security Product Test, which took place in March and April, assessed 14 security applications across three categories: how well they protected Windows PCs from malware, how much they slowed down a device, and how often they raised false alarms.

AV-TEST noted in its synopsis:

“We focused on realistic test scenarios and challenged the products against real-world threats. Products had to demonstrate their capabilities using all components and protection layers.”

To receive the Top Product award, companies had to score 17.5 points or higher out of a total of 18, earning a maximum of six points in each category. Malwarebytes has received a Top Product endorsement from AV-TEST more than a dozen times since it first began taking the test in 2018.

MRG Effitas Consumer Assessment Certification

Malwarebytes once again came out on top in the MRG Effitas Consumer Assessment Certification, which tested eight security products to measure their ability to block malware, protect against phishing, and avoid false positives.

Malwarebytes was the only company to achieve Level 1 Certification, meaning we succeeded in stopping all 300 in-the-wild infections without causing damage to the device or its data, generated zero false positives, and blocked at least 79% of phishing attempts. Our phishing detection rate was 100%.

This certification is particularly impressive because the test used newly discovered malware samples, meaning most security products had not encountered them before.

AVLab Advanced In-the-Wild Malware Test

Continuing our winning streak, Malwarebytes received a perfect score (421/421) in AVLab’s Advanced In-The-Wild Malware Test, earning an “Excellent” certificate. The test applied existing threats currently circulating online, delivered the way a real user would come across them.

To receive the “Excellent” certification, a security product had to stop at least 99.6% of malware threats, either before they could run or during an attack. We detected and blocked every single real-world threat in an average of 0.508 seconds—a full 3 seconds faster than the industry average.

These types of independent assessments are important. They keep us on top of our game, which in turn keeps our customers safe.


CNET Editors' Choice Award 2026

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review


“Free World Cup stream” sites are serving scams, not football

16 June 2026 at 15:00

With the World Cup on, you’ll find no shortage of websites promising every match, live, in HD, for free. They look convincing, usually with a video player, a “Live Stream Available” indicator, a row of server buttons, maybe a match schedule, and a “Watch Live” button. There’s no signup, no paywall, and seemingly, no catch.

But of course there’s a catch. These sites aren’t really in the business of streaming football. What the page is really built to do is fire pop-ups, hidden ads, and redirects through an advertising network we detect as malicious. Instead of watching the match, visitors end up facing scams, malware, and fraudulent downloads.

Here’s how the scam works and how to stay out of it.

.kb-advanced-slider-423028_956a35-72 .kb-slider-pause-button{color:#fff;background-color:rgba(0, 0, 0, 0.8);border:1px solid transparent;}

    If they’re not real streaming sites, what are they?

    We’ve identified more than 40 websites that are effectively identical. They use different World Cup-themed names, but behind the scenes they’re running the same page template, the same code, and the same advertising infrastructure.

    A script generates a separate page for every match, making the operation cheap to run and easy to scale.

    When a stream appears at all, it’s usually embedded from a third-party piracy service. The real business is the advertising surrounding the player.

    A typical page loads eight or more ad and tracking scripts from the same shady network, plus a handful of other ad domains. The hub the whole page is wired to is a domain we detect as malicious. Your data is the product; the “stream” is the bait.

    Why these sites are dangerous, not just annoying

    It’s tempting to shrug this off as the usual price of free streams. But it’s worse than facing a few annoying ads.

    The real threat is the ad network. This isn’t mainstream, vetted advertising. The kind of ad network we flag as malicious is a common delivery route for the stuff that causes harm: fake virus warnings, bogus software update prompts that install malware, fake prize and verification pages, and forced redirects into subscription traps.

    The video window itself is untrusted. The stream is pulled from a third-party piracy service, not anything the site controls or vets. Pirated stream embeds are a well-known source of their own ads, redirects, and hidden clickable overlays, so even the part that looks like a video player can be working against you.

    There’s nobody behind the counter. These are anonymous, disposable sites built around a major sporting event. There’s no real company, no support, no accountability, and no reason for them to care what lands on your screen.

    It’s the oldest play in the scam handbook: take something millions of people want right now, present it nicely, and monetize the rush. Scammers don’t create the demand, they just stand in front of it with a bucket and collect payment.

    How it works (a quick technical version)

    The first tap is hijacked. A script waits for your first click or tap anywhere on the page and uses it to open an ad in a new tab or window, often in the background. Before you’ve watched a second of football, you’ve already triggered an ad.

    The “Play” button is a maze. Clicking Play doesn’t play anything. Instead, you’re sent through prompts like “Click Resume to continue” before you might reach a video. Every extra step is another click, and each click triggers more ads.

    Invisible ads load. The page quietly loads tiny, invisible 1×1-pixel ads and opens more tabs. These exist purely to generate paid ad views. The tactic has many of the hallmarks of ad fraud, and you’re the unwitting traffic. More ads are injected into the player area the moment you try to watch.

    The stream is an afterthought. Often there’s no working stream at all, so the page loops you through “Streams loading… Retry,” which means more clicks and more ads. Whether you ever see the match or not, the ads have already cashed in.

    What the ads are serving up

    The code fires the ads; but here’s what comes out the other end. On these pages, the injected ads tend to fall into two buckets, and neither has anything to do with football.

    The first is fake message notifications: little pop-ups designed to look like real chat alerts, complete with a stranger’s photo and messages such as “Seen my message yet? Let’s talk!” Some include fake voice messages or explicit thumbnails. They’re made to look like notifications you’ve forgotten to check so you’ll click them.

    The second is crypto bait. These ads promote “play-to-earn” games with promises of daily rewards, surprise drops, massive airdrops, and eye-catching claims like a “124% APY yield engine.”

    One warning sign is the promise of guaranteed triple-digit returns and free money for tapping a button. That’s not how legitimate financial products work.

    That’s the whole machine working end to end: football is the doorway, the malicious advertising network is the engine, and the scams are what it’s actually selling.

    How to watch the World Cup safely

    These “Free HD stream, every match, no catch” sites use football as bait to funnel visitors through a malicious advertising network. Here’s how to stay safe:

    • Use official broadcasters and streaming services. That’s where the legal and safe coverage lives.
    • Treat “every match, free, HD, no signup” as a red flag. Broadcast rights are expensive. If a random website is giving everything away for free, it’s making money some other way.
    • Don’t follow a maze of interactions. If a streaming site opens pop-ups, launches extra tabs, or sends you through endless “click to continue” screens, close it.
    • Never trust warnings or download prompts on these sites. Don’t download anything, install anything, or enter any information.
    • Block ads and trackers in the browser. A tool like Malwarebytes Browser Guard can block the advertising and tracking domains these sites rely on, helping stop pop-ups and redirects before they load.
    • Keep your software up to date. Browser and operating system updates often fix security vulnerabilities that attackers try to exploit.
    • Use up-to-date, real-time anti-malware. If you do click something malicious, products like Malwarebytes Premium can block and remove malware before it causes damage.

    Indicators of compromise (IoCs)

    Domains

    arenaworldcupfootball.xyz
    footballworldcup.xyz
    freeworldcup.xyz
    freeworldcupstream.xyz
    freeworldcupstreaming.xyz
    livestreamingworldcup.xyz
    livestreamworldcup.xyz
    liveworldcup.today
    liveworldcup.xyz
    liveworldcup2026.xyz
    liveworldcupmatch.xyz
    matchoraworldcup.world
    matchworldcup.xyz
    sportivaworldcup.xyz
    sportworldcuponline.xyz
    watchworldcup.watch
    watchworldcup.world
    watchworldcup2026.xyz
    watchworldcupfree.live
    watchworldcupfree.online
    watchworldcupfree.xyz
    worldcup2026match.xyz
    worldcuparena.xyz
    worldcupfoootballmatch.xyz
    worldcupfootball.live
    worldcupfootballmat.live
    worldcupfootballmatch.live
    worldcupfootbmatch.xyz
    worldcupfreeonline.xyz
    worldcuplive.world
    worldcuplivestream.online
    worldcupmatch.online
    worldcupmatch.world
    worldcupmatch.xyz
    worldcupmatchlive.live
    worldcupsoccer.live
    worldcupsoccermatch.live
    worldcupstreameast.online
    worldcupstreameast.xyz
    worldcupusa.world
    worldcupusa.xyz


    Stop threats before they can do any harm.

    Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

    Cardiac patients’ medical data stolen and held to ransom

    16 June 2026 at 14:49

    Cardiac monitoring provider iRhythm has been hit by a data theft followed by an extortion attempt.

    In a filing with the Securities and Exchange Commission (SEC), iRhythm revealed it was contacted by someone on June 9 who claimed to have stolen sensitive information, including proprietary data, patient PHI, and other personal information. That person demanded payment in exchange for not publishing the data.

    iRhythm provides ambulatory cardiac monitoring and analysis (for example using the Zio patch) and has reportedly processed over two billion hours of heartbeat data from more than twelve million patients.

    In the filing, the company said the data was obtained through social engineering and is from “certain third-party-hosted business applications”, without revealing any further details about the amount of data.

    On its own website, iRhythm also doesn’t disclose much about the nature of the stolen data, but does seem to imply no financial data was affected:

    “We have not identified any impact to our products, our clinical or medical device systems, our connections to customers, our manufacturing and distribution operations, patient safety, or our ability to meet patient needs. In addition, we do not store or retain individual financial account information or payment card information. 

     As we actively investigate, we will notify individuals affected by this incident in accordance with applicable law and take steps as needed to protect and remediate the impact to them.“

    However, the SEC filing adds that iRhythm determined that the incident is significant, “in light of the volume of the potentially affected data.” Together with the extortionist’s claims that they have patients’ medical data, that makes the breach one worth noting if you have used iRhythm’s services.

    Even without payment data, healthcare breaches have serious downstream effects:

    • Attackers can craft highly convincing emails, texts, or calls that reference specific procedures or monitoring episodes (for example, “about your recent Zio patch recording”) to trick patients into sharing more data or paying fake bills.
    • The breached data can be used to create a fake identity, insurance fraud, or medical identity theft.
    • Exposure of cardiac and other health‑related information can be deeply sensitive and may have employment/insurance ramifications, especially if data is posted publicly or sold to data brokers.

    Healthcare breach data tends to circulate for years, and victims may face sporadic fraud and phishing attempts long after the headlines fade.

    How to stay safe

    If you’ve used iRhythm’s services, keep an eye on your post, email, and patient portals for official breach notifications from iRhythm or your healthcare provider.

    In the US, breaches of protected health information that meet certain criteria must be reported to patients and regulators. iRhythm has promised to “notify individuals affected by this incident in accordance with applicable law and take steps as needed to protect and remediate the impact to them.”

    To stay out of the hands of phishers and scammers:

    • When you receive a communication about the data breach, verify through other channels that it really came from iRhythm. Go directly to iRhythm’s official website or patient portal, or call a known phone number to confirm the communication is genuine.
    • Be extra suspicious of emails or texts that claim to offer compensation, refunds, or other financial consequences related to this incident.
    • Change passwords for your iRhythm‑linked portals and your cardiology or hospital patient portals, especially if you reused those passwords elsewhere.
    • Log into your health insurer’s portal and check claims on a regular basis.
    • If you see anything suspicious, report it immediately to your insurer and provider and ask them to flag your account for possible identity theft.
    • Do not provide personal or financial information over the phone just because the caller knows details about you which they may have obtained from the stolen data.

    Let’s face it, an incognito window can only do so much. 
     
    Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

    Deepfake posting sites depicting famous women taken down by feds

    16 June 2026 at 12:31

    Thanks to Uncle Sam, anyone trying to find nonconsensual intimate deepfakes on CFake.com and SOCFake.com will be disappointed. The US Departments of Justice (DOJ) and Homeland Security has seized the two domain names under the TAKE IT DOWN Act.

    The TAKE IT DOWN Act, signed in May 2025, is the first US federal statute criminalizing the publication of nonconsensual intimate imagery, including AI-generated forgeries. It imposes penalties of up to two years’ imprisonment, gives covered platforms 48 hours to remove flagged content, and grants the forfeiture powers the DOJ just used.

    According to the seizure warrants, the digital forgeries depicted “politicians, first ladies of multiple countries, royalty, journalists, television presenters, athletes, entertainers, and others,” and visitors could browse them under tags including “rape,” “forced,” and “degradation”.

    The authorities didn’t just snag the sites, though. They got the alleged operator of CFake.com, in an international effort.

    The US alerted the Paris prosecutor’s office to a French national in Nice who was allegedly running CFake.com. French investigators counted roughly 300,000 images and 7,000 videos depicting 14,000 people across CFake.com, drawing four million monthly views from 200,000 user accounts.

    They then arrested the IT professional, who had no prior criminal record. They also found around $64,000 in Ether cryptocurrency at his home in advertising revenue from the site.

    The man will be tried on July 7 in Paris for carrying out illicit transactions online and providing nonconsensual sexual deepfakes. The former offence carries a potential seven years’ imprisonment and a €500,000 (approximately $580,000) fine. The latter could yield three years and a €75,000 ($87,000) fine.

    Providers and accused providers of nonconsensual intimate deepfakes have also been held in the US. In April, James Strahler II from Ohio pleaded guilty to cyberstalking, producing child sexual abuse material, and publishing digital forgeries.

    Strahler had downloaded produced over 700 images and animations posted to a child sexual abuse site, and had sent deepfake material to at least six adult women, including one sent to a victim’s coworkers.

    Last month, the DoJ also arrested Cornelius Shannon and Arturo Hernandez under the TAKE IT DOWN Act for publishing thousands of deepfake images of prominent women and those not in the public eye.

    Other countries are also taking action. Anthony Rontondo was arrested by Australian authorities in May last year for posting deepfaked pictures of prominent Australian women. He eventually received an AU$343,000 fine.

    How prevalent are deepfakes?

    These seizures and prosecutions are encouraging, but prosecutors trying to force non-consensual deepfakes offline face a rising tide of such material. Requests for and sharing of nonconsensual deepfake imagery have risen, with activity migrating across platforms. Deepfake incidents overall jumped 257% in 2024, and girls accounted for 94% of victims in reported AI-generated child sexual abuse cases.

    Seizing a distribution point removes a storefront. It does not remove the AI models used to produce the material, the anonymous hosting providers downstream, or the demand that draws visitors in the first place.

    What you can do

    If you or someone you know are depicted in a nonconsensual deepfake, keep dated screenshots, URLs, and any communications as evidence before filing a takedown request and reporting it to the authorities.

    Limit the high-resolution face images you and your children post publicly, since school portraits and social media profile pictures are the raw material these tools need.

    Take advantage of expert advice to help protect yourself from non-consensual deepfakes:


    Let’s face it, an incognito window can only do so much. 
     
    Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

    Inside a malicious infrastructure delivering EtherRAT, phishing pages, and malicious software 

    15 June 2026 at 22:17

    During our recent threat hunting activities, we found EtherRAT malware being distributed by a website with a strange homepage. This homepage allowed us to discover a vast malicious infrastructure distributing malware, malicious documents, remote desktop software, and phishing pages. 

    EtherRAT is a RAT developed in Node.js which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server. The malware uses the Etherium blockchain to obtain the C2 server, hence the “Ether” part of the name. EtherRAT is typically distributed via MSI, PowerShell, or JavaScript scripts. 

    An open directory that distributes EtherRAT: where it all began 

    While threat hunting, we found an open directory that was distributing MSI installers and PowerShell scripts, which ultimately distributed EtherRAT. In the analyzed cases, the PowerShell scripts and MSI installers were distributed from a “/install” folder.  The versions have a progressive number, ranging from v1 to v10. 

    Figure 1: Open Directory hosting EtherRAT MSI 
    Open Directory hosting EtherRAT MSI 

    The returned home page caught our attention and prompted us to further explore the campaign. 

    The homepage returned by the EtherRAT distribution website 

    Analyzing domains and associated IPs with the EtherRAT distribution, we detected other similar home pages with a hacking-style theme. They appeared to belong to a larger distribution chain, which also distributes phishing, remote control software, and other malware. These websites usually have several folders with malware and phishing related content, and what is displayed depends on the specific infection chain. 

    Different websites that resolve to the same IP addresses have previously returned pages related to fake companies or default templates. The use of these new pages could therefore be a method to make detection more difficult for automated scanners or researchers.  Here are some of the home pages we found:

    Some of the malicious websites indexed on Google 

    EtherRAT is an interesting RAT, as it has few lines of code and allows the execution of arbitrary code returned by the C2 server. Furthermore, using the Ethereum blockchain to obtain the C2 server makes it more resilient to infrastructure takedowns. 

    Technical analysis of EtherRAT 

    The detected websites usually distribute an MSI or PowerShell script with the version name, such as v1.msi, v2.ps1, and so on. 

    MSI Loader 

    The MSI file “v9.msi” contains three components: 

    MSI Filename Description 
    KmPuGimn.cmd BAT launcher 
    cDQMlQAru0.xml First Jscript loader 
    MRaQCipBIZeiZNx.log Encrypted EtherRAT 

    When the MSI is executed, the “KmPuGimn.cmd” file is started: 

    conhost --headless cmd /c "KmPuGimn.cmd" 

    This obfuscated BAT file performs different operations: 

    • Extracts the other files in a random folder in %LOCALAPPDATA%. 
    • Re-executes itself via: 
      • %SystemRoot%\System32\conhost.exe –headless %SystemRoot%\System32\cmd.exe /c call “C:\Users\{user}\AppData\Local\{random_path}\KmPuGimn.cmd” nKWa 
    • Runs the command “where node” to find an existing installation. 
    • Downloads Node.js if it’s not found 
      • Uses “curl -sLo” to download Node.js from the official website. 
      • Extracts to installation directory via “tar -xf”. 
      • Renames extracted directory to “28Q75h”.
    • Loops until both “MRaQCipBIZeiZNx.log” and “cDQMlQAru0.xml” exist, then executes: 
      • conhost.exe –headless C:\Users\{user}\AppData\Local\{random_path}\{random_path}\node.exe cDQMlQAru0.xml 

    The executed “cDQMlQAru0.xml” is a loader that decrypts the embedded code with a XOR function and then executes it with “vm.compileFunction”. 

    decrypted[i] = (encrypted[i] - key[i % key.length] - i) & 0xFF 
    The embedded decrypted code 

    The decrypted code: 

    • Copies node.exe in “C:\Users\{user}\AppData\Local\{random_path}\{random_path}\_MJlLlt5.exe”. 
    • Adds a registry key for persistence with “conhost.exe –headless”. 
    • Decrypts “MRaQCipBIZeiZNx.log” and executes it with “_MJlLlt5.exe” stdin. 

    The decryption algorithm is a custom stream-like decoding routing based on XOR, byte rotations and an accumulator: 

    for e in range(len(data)): 
        byte = data[e] 
        g = prev 
        prev = byte 
        byte = (byte - g) & 0xff 
        byte = byte ^ n[e % len(n)] ^ ((e >> 8) & 0xff) 
        byte = si[byte] 
        byte = (byte - k[e % len(k)]) & 0xff
        result[e] = byte 

    The final stage is to deploy EtherRAT. EtherRAT allows the attacker to: 

    • Execute arbitrary JavaScript code received by the C2 server. This allows the attacker to execute new commands, perform operations on files and folders, modify the registry, and exfiltrate data. 
    • Get a new C2 server using the Ethereum blockchain. 
    • Reobfuscate itself. 
    • Save the logs to “svchost.log”. 
    Part of decrypted EtherRAT code 

    The EtherRAT uses Ethereum’s “eth_call” JSON-RPC method to retrieve the active C2 URL from a smart contract on the Ethereum mainnet.  

    The blockchain parameters in this case are: 

    • Contract: 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58 
    • Function selector: 0x7d434425 
    • Argument: 0xf6a772e163e64b07f658946f863b5d457d88f9f0 
    The decoded C2 from Ethereum blockchain 

    The contacted URLs to obtain the C2 server endpoint are: 

    • mainnet[.]gateway[.]tenderly[.]co 
    • rpc[.]flashbots[.]net/fast 
    • rpc[.]mevblocker[.]io 
    • eth-mainnet[.]public[.]blastapi[.]io 
    • ethereum-rpc[.]publicnode[.]com 
    • eth[.]drpc[.]org 
    • eth[.]merkle[.]io 

    Polling requests use randomized URL patterns based on some parameters defined in the code: 

    GET /api/<4-byte-hex>/<victim-uuid>/<4-byte-hex>.<ext>?<param>=<build-id> 
    X-Bot-Server: <c2_url> 

    In the analyzed sample, the parameters are: 

    • Build ID: “6f816d80-0d6c-4384-9cd6-6b79965fc08f” 
    • ext: randomly selected from “png”, “jpg”, “gif”, “css”, “ico”, “webp”. 
    • param: randomly selected from “id”, “token”, “key”, “b”, “q”, “s”, “v”. 

    After startup, the RAT sends its own source code to the C2 server. The C2 responds with a newly obfuscated version of the script, which is written back to disk, making each execution generate a new file hash. 

    POST /api/[REOBF_PATH]/<victim-uuid> 
    Body: { "code": "<current_script_contents>", "build": "<build_id>" } 

    After the EtherRAT execution, we observed different post-compromised cmd.exe activities to check the environment. For example: 

    • powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command “(Get-WmiObject Win32_VideoController).Name”
    • reg query “HKLM\SOFTWARE\Microsoft\Cryptography” /v MachineGuid 
    • powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command “(Get-WmiObject Win32_ComputerSystem).Domain” 
    • powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command “(Get-WmiObject Win32_ComputerSystem).PartOfDomain” 
    • cmd.exe /d /s /c “net session” 
    EtherRAT logs 

    PowerShell Loader 

    The activities performed by the PowerShell loaders are very similar to the last stage of the JS script of the MSI installer: 

    • Downloads Node.js if it’s not present. 
    • Create the necessary directories. 
    • Decode the EtherRAT with a custom decryption algorithm. 
    • Execute Node.js with conhost.exe and the decrypted EtherRAT payload. 

    We detected some variants of the PowerShell loader hosted on these websites; namely that the functions’ names and the decryption functions change in the analyzed PowerShell scripts. 

    The decryption of EtherRAT payload with the custom decryption algorithm 

    Tracking the malicious infrastructure 

    When we analyzed the different websites with the “hacking-theme” pages, we found that in the past many had hosted multiple phishing pages in some specific paths. For example: 

    • /zht/sharep-redirect.html 
    • /bl/me.php 
    • /t/teams 
    • /teams/Windows/invite.php 

    It seems that these domains and IPs are actually part of a much larger infrastructure that distributes malware, phishing, malicious documents, and remote software. It is possible that these infrastructures are shared by multiple threat actors who activate different URL endpoints based on the specific campaign. 

    Interestingly, the majority of the domains related to this malicious infrastructure in the past also returned an HTML page related to a “Bulletproof Infrastructure” service.  

    We found that these phishing campaigns typically start via emails with documents attached, such as PDF or Excel files. These documents ask the user to click a link to view another document. Below are two examples of the phishing documents attached to the emails:

    These phishing pages typically ask the user to enter their email address, then continue the infection chain and distribute phishing or malware pages.  Below are some of the phishing pages detected within the malicious infrastructure:

    Misconfigurations exposed the phishing kits 

    While tracking malicious websites, we found one with an open directory containing part of the phishing kit used in the campaigns. 

    Open directory hosting part of phishing kits

     

    The open directory contained several folders with code and pages related to the phishing campaigns. 

    Phishing kit code 

    Additionally, some domains were misconfigured and allowed the download of “cl.zip”, which contained the source code for the “URL Cloaker” pages. 

    Part of “URL Cloaker” code 

    Indicators of Compromise (IOCs)  

    IPs 

    82[.]165[.]65[.]244: malicious infrastructure  

    185[.]221[.]216[.]121: malicious infrastructure  

    43[.]163[.]233[.]166: malicious infrastructure  

    40[.]160[.]238[.]30: malicious infrastructure  

    159[.]89[.]227[.]204: malicious infrastructure  

    57[.]128[.]31[.]168: malicious infrastructure  

    Domains 

    ivorilla[.]cloud: EtherRAT distribution  

    mx[.]nrlwz[.]com: EtherRAT distribution  

    dn[.]eyqwj[.]com: EtherRAT distribution  

    bi[.]mkrjcsw[.]com: EtherRAT distribution  

    dorqen[.]casa: EtherRAT distribution  

    kelvra[.]club: EtherRAT distribution  

    cambioefectivo[.]com: EtherRAT C2  

    vabelles[.]com: EtherRAT C2  

    tranzed[.]org: EtherRAT C2  

    kibrisarazi[.]com: EtherRAT C2  

    aravisblog[.]com: EtherRAT C2  

    publicspeakingtip[.]org: EtherRAT C2  

    Acknowledgements 


    Stop threats before they can do any harm.

    Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

    Claude Fable 5 and Mythos 5 &#8220;abruptly disabled&#8221; after US gov. ban

    15 June 2026 at 16:32

    Anthropic has been ordered by the US government to cut off its newest Claude Fable 5 and Mythos 5 models for fear of abuse by adversaries.

    Reuters reports that Anthropic said it will “abruptly ​disable” its most advanced AI models for all users after the US government ordered it to suspend access to the models for foreign nationals, citing national security ‌concerns.

    Officials reportedly believe a jailbreak could turn Fable 5 and Mythos 5 into vulnerability-discovery tools for adversaries, so Anthropic says it is disabling them worldwide rather than try to nationality‑filter access, since it is virtually impossible to verify every user’s nationality.

    In a statement on its website, Anthropic says:

    “The letter did not provide specific details of its national security concern. Our understanding is that the government believes it has become aware of a method of bypassing, or “jailbreaking” Fable 5. We reviewed a demonstration of this specific technique being used to identify a small number of previously known, minor vulnerabilities. These vulnerabilities all appear relatively simple, and we have found that other publicly-available models are able to discover them as well without requiring a bypass.”

    Mythos 5 is the non-public full version, which is currently used only by government agencies and selected corporate partners to harden their systems. Fable 5 is a Mythos-class model that should supposedly be safe for general use.

    It makes sense to me that if Fable 5 is easy to jailbreak, that it should fall under the same restrictions as Mythos 5. However, Anthropic maintains that it has built-in safeguards that mean queries on some topics will instead receive a response from the next-most-capable model, Claude Opus 4.8. 

    The relationship between the US government and Anthropic had shown signs of easing in parts of the US government after tensions over military use, surveillance, and autonomous weapons. In March, defense Secretary Pete Hegseth designated the San Francisco-based company a “supply-chain risk to national security.”

    To understand the nature of the argument, it is necessary to understand that Mythos 5 is described in multiple reports as particularly effective at identifying software vulnerabilities, including long‑standing bugs in complex, legacy systems such as those in banking and other critical infrastructure. Many view this as dual‑use: great for defense hardening, but catastrophic in the wrong hands.

    In recent updates from major software vendors like Microsoft and Google, we’ve seen a growth in numbers of patched vulnerabilities after the vendors began using AI-guided search for new vulnerabilities in their own software. We also know that Mozilla found over 270 Firefox vulnerabilities with the aid of Anthropic’s new Claude Mythos model. 

    What this means

    In the wrong hands these vulnerabilities could definitely do a lot of harm. So, it looks like it will take some time before regular consumers and developers will gain access to Fable 5 and Mythos 5 entirely. However, existing Anthropic models (older Claude variants) remain available.

    For home users who were simply chatting with Claude or using it to help with basic scripting, the change will mostly show up as “this specific version is unavailable” rather than a broader AI blackout.

    Removing a high‑end vulnerability‑finding model from broad circulation increases the effort required for less‑resourced cybercriminals to automate discovery of complex bugs in consumer‑facing software and services only by so much. There are other models available on the black market that might be just as effective. And for most cybercriminals, turning a vulnerability into a method they can utilize in an exploit is much more relevant.


    We don’t just report on threats—we remove them

    Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

    Deepfake porn sites are going offline (re-air) (Lock and Code S07E12)

    15 June 2026 at 16:32

    This week on the Lock and Code podcast…

    If you weren’t taking deepfakes seriously before, it’s too late now to ignore them.

    According to new research from Malwarebytes, one in three people who use AI every day said it’s okay to generate pornography of people without their consent.

    Nearly 10 years ago, “deepfake” technology provided hobbyists and film editors with artificial intelligence (AI) tools to swap the face of one person onto the body of another. In its infancy, this technology brought silly film experiments like swapping Tom Cruise in Mission Impossible with Keanu Reeves. Today, this same technology produces something far more harmful—fake nude images of teenagers.

    On the Lock and Code podcast today with host David Ruiz, we are re-visiting an interview from 2024, in which we spoke with a lawyer named David Chiu about his lawsuit against 16 deepfake nude generation websites.

    The websites named in that lawsuit often needed just one image of a person to generate fake pornography. And while nearly everyone has at least one image of themselves online, even if they had hundreds, the path towards deletion is somewhat understood—start by deactivating and deleting popular social media accounts. But for teenagers today, raised mostly online, and who share images directly with friends and boyfriends and girlfriends and exes, it’s likely impossible to remove every visual trace of themselves. Also, they shouldn’t have to face this problem alone.

    The Lock and Code podcast frequently discusses structural problems that require individual management. You have to skirt corporate data collection. You have to find the automated license plate readers in your hometown. You have to review every single message you get with a certain antagonism, to guard yourself against scams.

    So, it’s rare to encounter a solution that benefits more than one person.

    Chiu serves as the City Attorney for San Francisco, which means his department can file a lawsuit on behalf of not just the people of San Francisco, but also California, and that’s what his team did in going after the deepfake websites.

    Since then, Chiu’s department has shut down 10 deepfake nude websites, and it received a settlement agreement from a company called Briver LLC to no longer operate any website that creates nonconsensual deepfake pornography.

    And, as California goes, so goes the nation.

    In May of last year, the Take It Down Act became effective as law in the United States, which criminalizes “revenge porn” and AI-generated nonconsensual intimate imagery. The law is not perfect but so far it is being used as intended. Last month, two men in the US were among the first to be charged with violating the Take It Down act for allegedly creating deepfake nudes that, according to the AP, “included both celebrities as well as private women, including recent high school graduates.”

    Today, we revisit our conversation with San Francisco City Attorney David Chiu about the important fight against deepfake porn and the clear threat that his department found against the public.

    “At least one of these websites specifically promotes the non-consensual nature of this. So, and I’ll just quote, ‘Imagine wasting time taking her out on dates when you can just use website X to get her nudes.'”

    Tune in today to listen to the full conversation.

    Show notes and credits:

    Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
    Licensed under Creative Commons: By Attribution 4.0 License
    http://creativecommons.org/licenses/by/4.0/
    Outro Music: “Good God” by Wowa (unminus.com)


    Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

    Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

    Stolen iPhones could soon be worth a lot less to thieves

    12 June 2026 at 16:03

    The UK’s Metropolitan Police has reached an agreement with Apple designed to make stolen iPhones harder to resell and less attractive to thieves. The approach combines stronger technical protections with direct data sharing between Apple and law enforcement.

    In 2023, about 1.4 million mobile phones were stolen in the US alone. London is reportedly one of the worst cities for phone theft, with around 200 devices stolen every day. 

    As part of this effort, Apple has strengthened its Stolen Device Protection feature in iOS 26.4, making it harder for thieves to change security settings, factory‑reset a stolen iPhone, or set it up as new.

    Previously, thieves with your passcode (or who snatched your iPhone while it was still unlocked) could factory reset it, wiping your account and making the device look new for resale. Stolen Device Protection blocks this, requiring biometric authentication, not just a passcode, to make critical changes.

    The Met has started sharing identifiers for reported stolen devices with Apple. In return, Apple can provide data on whether those devices later attempt to reconnect to a network or attempt to be reactivated.

    Police say this gives them a better picture of what happens to stolen devices: Are they being switched back on locally? Shipped abroad? Broken down for parts?

    Met Police Commissioner Sir Mark Rowley said Apple believes it has “cracked” the engineering problem. Phone thefts in London have since fallen 18% year-on-year, with Westminster (the capital’s worst-affected borough) down 45.8%.

    Given the early signs of success, the Met is pressing for broader changes.

    The Commissioner has written to the Home Secretary asking for laws that would require all phone manufacturers and mobile operators to share information about stolen devices and implement measures that make stolen handsets unusable. 

    As part of that effort, the Met has explicitly said that Samsung and Google are also improving device security to address phone theft, suggesting this will become an industry‑wide expectation rather than an Apple‑only initiative.

    Possible pitfalls

    From a privacy perspective, it’s important to keep an eye on what data is shared, and who can see it.

    Reports so far suggest that Apple and the Met are exchanging device identifiers and high‑level information about whether a stolen phone has attempted to reconnect or be reactivated. In theory, that sounds narrow and purpose‑bound: device X was reported stolen, later tried to come online in country Y, at time Z. There is no public indication that content, contacts, or location histories are being handed over wholesale.

    There’s also a risk of someone reporting your phone as stolen. If a device is incorrectly marked as stolen, the protections designed to stop thieves could lock an innocent user out, turning a valuable asset into a brick. Without transparent appeal mechanisms, this is a notable concern.

    The measures could also create challenges for recycling initiatives, legitimate repair shops, and refurbishers. They may face additional hurdles when diagnosing, restoring, or reselling devices if anti-theft protections become more restrictive.

    Stay safe

    Make sure your phone is protected with a strong passcode and biometric security, such as Face ID or a fingerprint.

    Enable Apple’s Find My feature, or the Android equivalent, and make sure it is linked to a strong account password.

    Keep lock screen notifications to a minimum so thieves cannot quickly access your sensitive information if they get hold of your device.

    When buying a used phone, use a reputable seller and make sure the device has been reset by its owner. Complete the initial setup process with the seller present to confirm the phone isn’t locked to someone else’s account or reported stolen.


    Scammers know more about you than you think. 

    Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

    Download for iOS → Download for Android → 

    Fake verification pages are stealing Steam accounts from players

    12 June 2026 at 11:27

    Online gamers should watch out for a convincing scam that aims to steal your Steam account.

    The scam uses fake FACEIT verification pages that look legitimate, complete with official branding, working links, and what appears to be a real Steam login window. By the time it asks for your password, many victims are convinced they’re interacting with a genuine service.

    The goal is to steal your Steam account.

    Why this scam targets FACEIT players

    If you’re not a competitive gamer, FACEIT might not mean anything to you. But to millions of people, it’s a big deal, and that makes it a target for impersonation by cybercriminals.

    FACEIT is one of the largest competitive gaming platforms for Counter-Strike 2 (CS2). Millions of players use it for ranked matches, tournaments, leagues, and advanced anti-cheat protections.

    To use FACEIT, players typically connect their Steam platform accounts, which are valuable for scammers.

    A stolen Steam account can contain:

    • Hundreds or thousands of dollars’ worth of purchased games
    • Valuable CS2 skins and items, some worth significant amounts of real money
    • Wallet funds and saved payment methods
    • Years of friends, messages, and community reputation

    Once criminals gain access, they can steal items, scam friends, or sell the account on criminal marketplaces.

    Because FACEIT connects to Steam, a fake “FACEIT verification” page is an easy way to trick people. Victims think they’re updating their account, but attackers are really trying to steal Steam accounts that may contain valuable games, skins, and wallet funds. Gamers are especially vulnerable because they’re used to linking accounts and following verification steps, and may act quickly if they think their access to a game is at risk.

    How the scam works

    The attack starts with a website that looks like an official FACEIT page. The scam pages are likely distributed through the same channels gamers use every day: community forums, chat servers, social media posts, and direct messages.

    The page claims FACEIT is offering free, optional identity verification to help build a more trusted community. It’s polished, uses the correct branding, and even includes working links to FACEIT’s real blog and support pages. Everything about it is designed to make you think you’re on a genuine FACEIT website, but you’re not.

    Fake FACEIT verification page
    Fake FACEIT verification page

    Instead of using the official faceit.com domain, the scammers use lookalike addresses such as:

    • faceit-discord.com
    • faceit-clubs-verify.com
    • faceit-verification-clubs.com

    The extra words like “verification” or “discord,” are designed to make these addresses look legitimate at a glance, but they’re sites that are controlled by cybercriminals.

    Many of these domains are only days or even hours old. Scammers constantly register new ones, knowing they’ll likely be blocked eventually. That’s why a site not being flagged as dangerous doesn’t mean it’s safe.

    There are small clues, though. In one example, the page listed both “Copyright 2024” and “Copyright 2025.” Legitimate companies rarely make mistakes like that, but scam sites often do.

    After the verification pitch, the page claims there’s a problem with your CS2 account and asks you to update your information to prove you’re not a cheater or using a smurf account.

    Here’s the clever part. The QR code appears blurry and difficult to scan. Researchers believe that’s intentional. After a few failed attempts, many users are likely to give up and click the easier-looking “Sign in through Steam” button instead.

    The broken QR code is the nudge that guides victims toward the part of the page where the real theft happens.

    Fake FACEIT page with a blurry QR code and "Sign in with Steam" button
    Fake FACEIT page with a blurry QR code and “Sign in with Steam” button

    When users eventually give up on the QR code and click the button, a Steam login window appears. It looks convincing, complete with the Steam logo, login fields, and what appears to be a steamcommunity.com address bar.

    But the window is fake.

    Fake Steam sign-in window steals your account details
    Fake Steam sign-in window steals your account details

    Instead of opening a real Steam login page, the scammers display a convincing copy inside the website itself. Security researchers call this a Browser-in-the-Browser attack. The fake window looks and behaves like a genuine browser pop-up, but the address bar is just part of the image.

    Anything entered into the form goes straight to the criminals. If the page also asks for a Steam Guard code, that gets stolen too, allowing attackers to access the account. Some victims are then tricked into “protecting” their items by transferring them to a friend or backup account, when they’re actually sending them directly to the scammers.

    How to protect yourself against this scam

    A few simple habits can stop this scam:

    • Check the real address bar. FACEIT’s official website is faceit.com. Be wary of lookalike domains such as faceit-discord.com or faceit-clubs-verify.com. Remember: a login window inside a webpage can fake its own address bar. Trust the one at the top of your browser, not the one inside the page.
    • Be suspicious of blurry QR codes. Researchers believe the QR code in this scam is deliberately blurred to push users toward the “Sign in through Steam” button instead.
    • Treat urgency as a warning sign. Messages about account problems, verification, or losing access are designed to make you act quickly. Slow down and verify first.
    • Go to the source. If you’re unsure whether FACEIT or Steam needs something from you, open the official website or app yourself rather than following links from Discord, messages, or ads.
    • Add another layer of protection. Scam sites often look legitimate. Malwarebytes Browser Guard can help block known phishing pages and other online scams before you enter your username and password.

    If you already entered your details

    Change your Steam password immediately, make sure Steam Guard is enabled, and sign out of all other devices. Check your Steam API key settings and remove any key you don’t recognize. Change the password anywhere else you reused it and review your account for unauthorized trades or purchases.

    Why this scam works

    This scam works because it doesn’t look like a scam. The branding is convincing, the story makes sense, and even the Steam login window appears legitimate.

    Most people know to check the address bar before entering a password. Browser-in-the-Browser attacks are designed to defeat that habit. Because the fake Steam window is built into the page itself, the criminals can make its address bar say whatever they want, including steamcommunity.com.

    The safest approach is to be suspicious of any login window that appears inside another website. If you’re unsure, close the page and sign in to Steam the way you normally would, through the official app or by typing the address yourself.

    That small pause, that refusal to take the convenient shortcut a page is pushing you toward, is all it takes to keep your account yours.


    Stop threats before they can do any harm.

    Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

    Google can be liable for false AI Overviews, court rules

    11 June 2026 at 18:09

    A German court has ruled that Google can be held directly responsible for defamatory claims produced by its AI Overviews. Basically, the court said that telling people they should double-check AI search results is not enough to deny liability for what those results say.

    This kind of warning may not be enough.
    This kind of warning may not be enough

    The Munich Regional Court issued a preliminary injunction against Google after two German publishers discovered that AI Overviews falsely portrayed them as involved in scams and “dubious business practices,” even though the linked articles did not support those claims.

    The decision could echo far beyond Germany. The court effectively found that Google can be held directly liable for defamatory content generated by its AI Overviews. The court cut through the usual “it’s just AI, don’t trust it too much” messaging and made one thing clear: If you build a system that confidently smears people or companies, you may be responsible for what it says, even when the content was “hallucinated” by AI.

    AI Overviews are not harmless suggestions. In this case, the court treated them as Google’s own statements, with all the legal baggage that comes with that.

    When the publishers sent a cease-and-desist letter, Google did not promptly stop similar claims from appearing. That detail turned out to be crucial in the ruling. The court noted that, unlike traditional search results, which simply list third-party content, AI Overviews generate “independent, new, and substantive statements.”

    And since only Google can adjust the models and the logic that create those statements, only Google can reliably stop the system from repeating the same or similar falsehoods. In this case, the court found that Google can be held responsible.

    For years, search engines have enjoyed broad protection under the logic that some harmful content is unavoidable when indexing the open web at scale. Showing a search result does not mean endorsing it. The search engine is a channel, not a publisher.

    That changes when an AI Overview summarizes, rephrases, and sometimes invents facts, then publishes them at the top of search results.

    AI Overviews are an extra feature, not essential to how search works. However, the appeal of AI summaries is their fast, confident answers, which is exactly what makes them dangerous. When those answers are wrong, many users may not click through to check the sources.

    The ruling is preliminary and may be appealed, but the signal is clear: AI search output is not magic dust that makes liability disappear. Disclaimers about possible mistakes may not be enough when a system is deployed at scale, creates new content, and is designed to be trusted.

    By the numbers

    Google AI Overviews are powered by Gemini, Google’s AI model. Like other AI systems, it can produce confident answers that are wrong or poorly supported.

    Pew Research studied browsing data from hundreds of users and found that when an AI Overview appears on a Google results page, clicks to traditional search results drop from around 15% to about 8%. 

    A New York Times analysis of AI Overviews found that they were accurate roughly nine out of ten times. But with Google processing more than five trillion searches a year, even a small error rate could mean millions of wrong answers.

    And those mistakes are not always due to bad sources. Even when Google links to a page with the correct information, its AI can still produce a false answer. More than half of the accurate responses were classified as “ungrounded,” meaning the websites cited by the AI Overview did not fully support the information it provided.

    The main lesson here is to double-check AI search responses. Don’t trust an answer just because it’s presented confidently and includes links.

    Users can be steered toward real threats, or away from effective protections, simply because an AI system sounded convincing on a search page.

    If you find false or defamatory AI summaries about yourself or your company, document them thoroughly. Take screenshots, save the search terms, file correction requests, and keep records of the platform’s response. Or the lack of one.


    Scammers don’t need to hack you. They just need you to click once. 

    Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

    VRChat says reported data breach never happened

    11 June 2026 at 13:31

    A data breach notice has been filed with the Maine Attorney General, saying more than 2.4 million users of VRChat have had their data breached.

    The question is, was it VRChat who filed the breach notice, or did someone pretending to represent the company post it instead? On Reddit, a VRChat representative posted:

    VRChat did not submit this Notice of Data Incident, and we have no reason to believe that our systems have been compromised. We are in the process of contacting the Maine Attorney General’s office to have this removed.

    The breach notice states that VRChat experienced unauthorized access to some account data between May 10 and May 12, 2026. The access supposedly happened in VRChat’s cloud environment and involved user profile and login-related data.

    According to the notice, the information exposed varied by account, but may have included:

    • VRChat username
    • Email address associated with the VRChat account
    • VRChat+ subscription status
    • Login history, including device information, hardware identifiers, and IP addresses

    VRChat is a social platform designed primarily for virtual reality headsets, allowing users to interact with others through user-created 3D avatars and worlds. Users can access VRChat through Steam for PC, the Meta Quest Store, or as an Android app for compatible devices.

    The notice states that no passwords or payment card data was exposed. However, even without passwords or card details, there are still potential risks when it comes to other breached data.

    Phishing

    Cybercriminals may use usernames and email addresses in targeted phishing attempts. For example, users may receive phishing emails or in‑platform messages claiming to be from “Support,” with fake security alerts or prompts to “confirm your age” via a malicious link.

    Knowledge of subscription status could make scams more convincing. A scammer could send tailored lures like “billing issue with your subscription” or refund scams, which tend to have higher click-through rates among paying users.

    Account takeover

    Cybercriminals may combine usernames and email addresses from one breach with passwords stolen in other data breaches and try them against accounts. This technique, known as credential stuffing, takes advantage of people who reuse passwords across multiple sites.

    Valuable accounts may then be sold to other players or used for scams.

    Identity correlation

    Steam and Meta user IDs linked to breached accounts can help cybercriminals connect identities across gaming and social platforms, especially if the same email or profile name is reused.

    IP addresses, login history, device information, and other identifiers can also help build a more detailed advertising or tracking profile of a user.

    How to stay safe

    Whether or not the breach turns out to be an actual breach, here are some steps you can take to protect yourself:

    First and foremost, be cautious of emails, texts, or calls claiming to come from VRChat or the gaming platforms you used it on, as cybercriminals often exploit breaches with phishing scams.

    If you’ve used your VRChat password anywhere else, change those accounts immediately, and set up two-factor authentication (2FA) on your VRChat account if you haven’t already.

    More general advice can be found in our article on what to do when you find out you’re involved in a data breach.

    Update June 11, 2026: Article was updated to reflect VRChat’s post on Reddit.

    Before publishing our original article, we tried to contact VRChat on two separate email addresses but received no meaningful response.


    Let’s face it, an incognito window can only do so much. 
     
    Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

    Children&#8217;s phones must block nude images by September, UK says

    11 June 2026 at 12:55

    Build something that doesn’t exist. Don’t collect any data while you do it. Get it wrong and the CEO could face criminal charges. That’s close to the ultimatum the UK government handed Apple and Google on June 8. The two companies have three months to introduce device-level protections blocking nudity across every smartphone and tablet sold in the UK. If they don’t, the government will legislate—including fines and, as a last resort, criminal liability for tech bosses.

    Prime Minister Keir Starmer announced the move at London Tech Week, telling the firms:

    “If they choose not to, then we will act and change the law.”

    The policy reads cleanly. The execution doesn’t.

    What’s already on your child’s phone, and what isn’t

    Both companies already do something to prevent children interacting with nudes. Apple’s Communication Safety feature warns children with a Child Account when they send or receive images and videos containing nudity across Messages, AirDrop, FaceTime, and other apps. It updated the feature with new functionality at its Worldwide Developer Conference (WWDC) this week.

    Google’s Sensitive Content Warnings blur sensitive imagery in Google Messages for supervised users and signed-in unsupervised teens—though the feature covers images only, not video.

    Apple will soon require people to confirm that they are over 18 in the UK and some other countries to access certain features on their phones. That will involve age assurance through government ID, payment information, or other verification methods depending on region.

    These measures aren’t enough, according to the UK government. It complains that existing nudity detection isn’t applied to the camera or other apps, third-party messaging services, or search functions. So in other words, the protections miss most of the phone. The camera, WhatsApp, Signal, Safari, and the photo library all sit outside the protective bubble parents may assume already exists.

    Is privacy-respecting scanning possible?

    The announcement also contains a line that’s hard to reconcile with the rest of it:

    “Companies must introduce these measures without threatening privacy or collecting any data.”

    Adults can opt out, but only by completing age verification.

    That’s a tall order. Privacy advocates argue that age verification inevitably creates new data collection risks, even when companies try to minimize the information they store. Whatever Apple and Google build, some form of record-keeping seems likely. If executives can face personal liability for non-compliance, someone has to be able to demonstrate what the system did and when.

    The government’s proof that any of this is achievable rests on a single product: SafeToNet’s HarmBlock, which the Home Office calls “a proven example” of safe-by-default device protection. HarmBlock’s source code (which isn’t public) analyzes images and live streams entirely on-device.

    Digital privacy groups were not happy with the announcement. Big Brother Watch pointed out that children could easily access adult-registered devices, and warned that mandatory ID checks for adults would mean “the death of anonymity and internet privacy.”

    Private messaging app Signal said promises the scanning would run only on-device were “cold comfort” because wherever the system runs, its reach would ultimately be determined by government, not technology:

    “Its scope will be defined by the whims and proscriptions of the government to detect nudity today and political speech tomorrow.”

    Apple has been here before. In 2021, it announced a separate plan to detect known child sexual abuse imagery on devices by matching image hashes against a database of known material, and quietly shelved it after sustained backlash from privacy advocates.

    What families can do today

    September will end in voluntary compliance or hurried legislation. Either way, none of that changes what’s on your child’s phone right now. Today, the messaging channels most heavily used by teenagers aren’t protected. Many grooming and sextortion cases begin on apps that operate outside the operating system’s built-in safety features. Parents and kids can take extra steps for protection:

    • Turn on Communication Safety on iPhones with a Child Account, and Sensitive Content Warnings on supervised Android Messages. They might only blunt the problem at one narrow point, but it’s better than nothing.
    • Talk to your kids about coerced sharing. The Internet Watch Foundation reported that 91% of reports it assessed in 2024 contained self-generated content submitted by children themselves. Children are often coerced into sending explicit material to abusers online. The Internet Watch Foundation has a list of resources for people who are being coerced into sending intimate images online.
    • Cover the basics that outlive any policy: put unique passwords on all accounts, and add multi-factor authentication.
    • Be careful when sharing images of children you know online. Increasingly, criminals can use non-explicit images to create sexual content using AI that can in turn be used for extortion.

    CNET Editors' Choice Award 2026

    “One of the best cybersecurity suites on the planet.” 

    According to CNET. Read their review


    Free Spotify Premium hacks on social media are spreading infostealers

    10 June 2026 at 18:27

    Short-form video platforms like TikTok and Instagram Reels have become the latest way cybercriminals spread malware.

    We’ve already seen attackers move away from traditional phishing emails and toward tactics that trick people into installing malware themselves. Now they’re being lured with slick social media videos that promise free Spotify Premium, free Windows activation, or free Microsoft Office, but instead leave people with infostealers on their Windows devices.

    Researchers at ReversingLabs uncovered two active campaigns that use short videos to trick users into running dangerous PowerShell commands or visiting malicious download sites. Similar campaigns have been reported by other researchers and national cybersecurity agencies, suggesting a growing trend: Cybercriminals are learning how to use social media algorithms just as effectively as marketers.

    In true social media fashion, the videos on platforms like TikTok and Instagram Reels claim to solve a problem you didn’t know you had. The catch is that following the instructions delivers malware to your device.

    How the scam works

    The first campaign looks deceptively professional.

    Accounts with names like “windows.tips” or “windows.insights” use Windows-style branding and post polished tutorial videos that resemble genuine tech support content. The videos are tagged with Windows and Office-related keywords so they appear alongside legitimate troubleshooting and tips content.

    The videos promise to unlock Spotify Premium, Microsoft Office, or Windows for free. Viewers are then guided through step-by-step instructions that include opening Powershell, a legitimate Windows admin tool, and pasting in commands. Those commands download and run malware, much like the ClickFix scams we’ve covered before.

    The malware was identified as Vidar, an infostealer designed to steal sensitive informtion from infected devices. Vidar commonly targets:

    • Saved browser passwords
    • Autofill data
    • Browser cookies
    • Cryptocurrency wallets
    • Two-factor authentication (2FA) data
    • TOR browser data

    The stolen information is then sent back to servers controlled by the attackers.

    How to stay safe

    Research into similar TikTok-based attacks shows these scripts commonly add exclusions to Windows Defender, making it harder for security software to detect future malicious activity.

    Fortunately, there are  a few simple ways to protect yourself:  

    • Only download software from official vendor websites.  
    • Be skeptical of “free”, cracked, or unofficial versions of paid software. 
    • Don’t follow instructions on a webpage without thinking them through, especially if the page asks you to run commands on your device or copy and paste code. Many ClickFix pages use countdowns, fake user counters, or other pressure tactics to make you act quickly.
    • Check that downloaded files match what you expected to download.
    • Verify a file’s publisher and digital signature before you run it. On Windows, you can usually check this by right-clicking the file, selecting Properties > Digital Signatures. Keep in mind that a valid signature does not guarantee a file is safe, but missing or suspicious signatures are often a red flag. 
    • Use a real-time, up-to-date anti-malware solution to block malware like infostealers before it runs.

    Pro tip: If you’re unsure whether a video, message, or website is legitimate, you can ask Malwarebytes Scam Guard about it. It can help identify suspicious content and advise you on what to do next.

    Image courtesy of ReversingLabs


    We don’t just report on threats—we remove them

    Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

    Microsoft’s biggest-ever Patch Tuesday fixes 206 bugs, including 3 zero-days

    10 June 2026 at 14:43

    This month’s Patch Tuesday fixes 206 security flaws in Microsoft software, making it the biggest Patch Tuesday release ever.

    The update includes 32 critical vulnerabilities, as well as three publicly disclosed zero-days. Microsoft classifies these as zero-days because information about the vulnerabilities became public before patches were available. None are known to have been actively exploited by attackers.

    The huge number of fixed vulnerabilities makes this the largest Patch Tuesday since Microsoft launched the program in October 2003. The company introduced the monthly update schedule after the Blaster worm caused disruption in the early days of Windows.

    How to apply patches and check if you’re protected

    These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:

    1. Open Settings

    • Click the Start button (the Windows logo at the bottom left of your screen).
    • Click on Settings (it looks like a little gear).

    2. Go to Windows Update

    • In the Settings window, select Windows Update (usually at the bottom of the menu on the left).

    3. Check for updates

    • Click the button that says Check for updates.
    • Windows will search for the latest Patch Tuesday updates.
    • If you have selected to get the latest updates as soon as they’re available, you may see this under More options.
      In which case you may see a Restart required message. Restart your system and the update will complete.
      restart required
    • If not, continue with the steps below.

    4. Download and install

    • If updates are found, they’ll start downloading automatically. Once complete, you’ll see a button that says Install or Restart now.
    • Click Install if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click Restart now.

    5. Double-check you’re up to date

    • After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set!
    Windows up to date

    Technical details

    One publicly disclosed vulnerability is important to mention. This flaw in Windows BitLocker is tracked as CVE-2026-50507 (CVSS score: 6.8 out of 10) and its description states:

    “a protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.”

    BitLocker is a built-in Windows security feature that encrypts your entire hard drive, securing your data from unauthorized access if your device is lost or stolen. However, this vulnerability could allow an attacker with physical access to bypass BitLocker Device Encryption and gain access to encrypted data.

    Another is CVE-2026-49160 (CVSS score: 7.5 out of 10) in HTTP.sys. This vulnerability can be exploited to launch a remote denial-of-service attack against major web servers using a technique called HTTP/2 Bomb.

    The third to discuss is CVE-2026-45586 (CVSS score: 7.8 out of 10) in the Windows Collaborative Translation Framework (CTFMON). An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. These elevation of privilege (EoP) vulnerabilities are especially valuable to attackers because they can be combined with other flaws to gain full control of a compromised system.


    We don’t just report on threats—we remove them

    Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

    88% of people struggle to tell what&#8217;s real online

    10 June 2026 at 13:45

    What would you trade for a technology that can do almost anything? For many people, the answer is clear: Everything they thought they could trust.

    In a few, short years, Artificial Intelligence (AI) tools have granted people unfettered access to easier writing, faster image generation, quicker coding, and near-instantaneous answers, advice, and information—advantages they value and want. But the same tools that can spruce up a dating profile or reimagine an old photograph can also manipulate the broader world online, and people are noticing.

    According to new research from Malwarebytes, 88% of people said it’s becoming harder to tell what content online is genuinely human or real, with 84% saying that “convincing video evidence” no longer feels like proof. Further, 85% said it can be hard to tell scams apart from the real thing—a major uptick from the 66% who said the same thing last year.

    Statistics from the Face Value report

    These are the first signs of AI’s counterfeit world. Replete with fake websites, fake products, fake videos, fake pictures, fake voices, and even fake people, it is threatening to swallow the web.

    The latest report from Malwarebytes, Face value: How AI is reshaping trust, identity, and scams exposes the hidden cost of AI on the public: an excess of fraud that is dismantling trust in reality and in one another.

    The damage arrives in large moments and small, from the US parent who said they “received a voicemail that sounded exactly like my son’s voice, saying he was in trouble and needed money for legal fees,” to the two entirely unrelated respondents fooled by the same AI-generated video of rabbits bouncing on a trampoline, to the individual worried about “my grandfather showing me AI slop and he thought it was real.”

    For this research, Malwarebytes surveyed 1,500 adults aged 18 and older across the US, UK, Austria, Germany, and Switzerland about their uses, feelings, and concerns regarding AI. The sample was equally split for gender with a spread of ages, geographical regions, and race groups, and weighted to provide a balanced view.

    The complete findings can be found in the full report:

    Here are some of the key takeaways and findings:

    • 88% said it’s becoming harder to tell what content online is genuinely human or real
    • 84% said convincing video evidence no longer feels like proof 
    • 85% of people said it’s hard to tell a scam from the real thing (up from 66% last year)
    • 50% have experienced some form of AI fraud or scam, such as being misled by AI-generated photos of products or receiving a highly personalized scam message
    • 19% have specifically experienced some form of AI-driven identity harm, including the 10% who have had someone use AI to generate sexually explicit content of them without permission
    • 81% fear someone stealing their family’s likeness, yet only 13% have created a family codeword to guard against it
    • 67% worry about voice cloning, yet only 19% have turned off voicemail recordings to prevent it
    • 45% say it’s okay to use AI for personal emotional tasks (like writing wedding vows or a eulogy)
    • 34% say it’s okay to use AI to help create or improve a dating profile
    • One in three self-avowed daily users of AI said it’s okay to generate explicit images of someone without their consent 

    Defeat would be the wrong lesson to take from all this. It is true now that the internet requires assistance, but there are plenty of safe places to seek help.

    While Malwarebytes works to provide new tools, we’d like to remind both the AI anxious and the eager about the first rule of the internet: Remember the human. People’s voices, bodies, choices, and agency belong to them and them alone. 

    As for every fake video, product, website, and image, understand that there’s help. No one needs to navigate an artificial internet alone. Whether through scam detection, identity protection, and simple awareness, people have more options than they may realize.

    Meta&#8217;s face-recognition code raises new concerns about smart glasses

    9 June 2026 at 15:57

    Meta’s smart glasses are once again at the center of a privacy debate due to face recognition.

    WIRED reports that Meta had quietly embedded unreleased face-recognition code, internally called “NameTag,” into its Meta AI companion app, which powers the company’s smart glasses. The code was not active, but its presence in an app installed on more than 50 million devices raised immediate concerns about how quickly using smart glasses could slide into biometric surveillance.

    Face recognition in glasses, even if disabled or unreleased, is especially sensitive because it can identify people at a distance, in real time, and without their consent. Many organizations have warned that this technology could be misused by stalkers, abusers, and others who want to identify people in public without drawing attention.

    Gizmodo reports on a proposed Pennsylvania bill that would require smart glasses and similar wearable recording devices to include a visible indicator light when they are capturing audio or video. The bill would also prohibit users from disabling that indicator, a move clearly aimed at reducing covert recording in public spaces.

    Most smart glasses already include such an indicator, but reporters noted that some users have been paying others to have them removed or disabled. The proposal is interesting because it tries to solve a hardware-level trust problem with a visible signal. But a visible light only helps if it is both mandatory and difficult to bypass, and history suggests that any visible privacy safeguard becomes a target for tampering when the incentives are high enough.

    These two stories are really about the same issue: smart glasses are normalizing the use of always-on cameras, microphones, and AI features in a form that is much easier to conceal than a phone. That creates an unwanted privacy problem for people around the wearer.

    Smart glasses are supposed to make computing more seamless. Instead, they are becoming a test case for what happens when cameras, microphones, AI, and biometric features are squeezed into everyday wearables before the privacy rules catch up.

    From our point of view, smart glasses sit at the intersection of consumer privacy, surveillance tech, and potential abuse. The risk is not just that a device records audio or video. AI-enabled wearables can process what they see, deduce identities, and potentially store biometric data in ways that ordinary users and bystanders can’t easily detect.

    We’d rather err on the side of caution and use an app that can detect when smart glasses are nearby. Unfortunately, it only detects some devices, and we don’t yet know how well it will perform if smart glasses become more common.

    As noted by 404 Media, the app is an imperfect, tech-based response to a social and legal problem: it can misfire, it can’t tell you who is being recorded, and it risks giving a false sense of safety. The developer frames it not as a solution but as a small, user-controlled countermeasure in an environment where surveillance devices are becoming less visible and more AI-enabled.

    Don’t get recognized

    If facial recognition features ever become common in smart glasses, much of their effectiveness will depend on how much information about you is already available online. There are a few steps you can take today to reduce your visibility in facial recognition systems and people-search databases.

    A major factor is limiting who can see the photographs you post on social media and other online platforms. But there is more you can do:

    Remove yourself from reverse face search engines

    The major, most accurate reverse face search engines, Pimeyes and Facecheck.id, offer opt-out and removal processes that can help reduce your visibility in search results:

    Remove yourself from people search engines

    Most people don’t realize how much information can be found from a name alone. People-search sites often aggregate home addresses, phone numbers, ages, and relatives from public records and commercial databases.

    The New York Times has compiled a useful guide to many of the major people-search sites, along with instructions for opting out and removing your information.

    Scrub your data

    If you’re in the US, you can also use Malwarebytes Personal Data Remover to help find and remove personal information that data broker sites have collected about you.

    ❌