Description
We’ve uncovered multiple campaigns distributing an infostealer we track as **NWHStealer**, using everything from fake VPN downloads to hardware utilities and gaming mods. What makes this campaign stand out isn’t just the malware, but how widely and convincingly it’s being spread.
Once installed, it can collect browser data, saved passwords, and cryptocurrency wallet information, which attackers may use to access accounts, steal funds, or carry out further attacks.
We detected multiple campaigns using different platforms and lures to distribute NWHStealer. The stealer is loaded and executed in several ways, such as self-injection or injection into other processes like `RegAsm` (Microsoft's Assembly Registration Tool). Often, additional wrappers such as MSI or Node.js are used as the initial loader.
The stealer is distributed using lures (what the file claims to be) such as:
* VPN installers
* Hardware utilities (e.g. `OhmGraphite`, `Pachtop`, `HardwareVisualizer`, `Sidebar Diagnostics`)
* Mining software
* Games, cheats, and mods (e.g. `Xeno`)
It's hosted or shared across multiple distribution channels, including:
* Fake websites impersonating legitimate services, like Proton VPN
* Code hosting platforms like GitHub and GitLab
* File hosting services such as MediaFire and SourceForge
* Links and redirects from gaming- and security-related YouTube videos
Although there are many distribution methods, in this blog we look at two cases:
* Case 1: A free web hosting provider distributing a malicious ZIP file that loads the stealer using self-injection
* Case 2: Fake websites that load the stealer using DLL hijacking and injection into the RegAsm process
## Case 1: Free web hosting provider distributes the stealer
The first case is the most unexpected. We found that a free web hosting provider, onworks[.]net, hosts ZIP files in its download section that ultimately distribute the stealer.
The website, ranked in the top 100,000, allows users to run virtual machines entirely in the browser.
_Virtual machine running in the browser_
Through this site, users download a malicious ZIP with names like:
* `OhmGraphite-0.36.1.zip`
* `Sidebar Diagnostics-3.6.5.zip`
* `Pachtop_1.2.2.zip`
* `HardwareVisualizer_1.3.1.zip`
_One of the pages that downloads the malicious archive_
In this case, the malicious code responsible for loading the stealer is embedded in the executable, for example `HardwareVisualizer.exe`.
_The loader that starts the infection chain_
The loader contains junk code to make analysis more difficult and performs several operations, including:
* Checking the environment for analysis tools and terminating if detected
* Implementing a custom decryption function for strings
* Resolving functions using `LoadLibraryA` and `GetProcAddress`
* Decrypting and loading the next stage using AES-CBC via BCrypt APIs
This isn’t the only way the stealer is distributed. We found similar lures, with the same ZIP names, that instead distribute the stealer via DLL hijacking.
In this case, `HardwareVisualizer.exe` is actually the WinRAR executable, and the malicious code resides in `WindowsCodecs.dll`.
_The WinRAR executable with the malicious DLL_
While tracking the DLL loader, we also saw it distributed in other campaigns with different lures. For example, in the second case analyzed, this malicious DLL is delivered through fake websites.
## Case 2: Fake Proton VPN website and DLL loader
In the second case, we detected a website impersonating Proton VPN that delivers a malicious ZIP. This archive executes the stealer using DLL hijacking or an MSI file. To be clear, this has no affiliation with Proton VPN, and we've contacted them to let them know what we found.
Links to the website appear in several compromised YouTube channels, along with AI-generated videos demonstrating the installation process:
_YouTube channels with malicious Proton VPN links_
_Fake website distributes the stealer via DLL hijacking_
_Folders containing the malicious DLL_
In other infection chains, this DLL appears under different names, such as:
* `iviewers.dll`
* `TextShaping.dll`
* `CrashRpt1403.dll`
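The Case 1 archives pair a renamed WinRAR binary with a malicious `WindowsCodecs.dll`, and the same loader DLL shows up under the three names listed just above. A first triage pass can therefore be done on archive layout alone, before any binary analysis. The script below is an added example and not code from the post or from Malwarebytes: it opens a ZIP and reports every executable that sits in the same directory as one of the DLL names the post reports. The two archives it scans are constructed in memory with placeholder bytes so the example runs offline; a real run would pass the downloaded ZIP's bytes instead.

```python
"""Added example (not Malwarebytes' code): flag archives whose layout matches
the DLL-sideloading pattern described in the post. The DLL names come from
the post; the archives below are constructed with placeholder contents."""
from __future__ import annotations

import io
import posixpath
import zipfile

# DLL names the post reports the loader being dropped as (matched case-insensitively).
SIDELOAD_DLL_NAMES = {
    "windowscodecs.dll",
    "iviewers.dll",
    "textshaping.dll",
    "crashrpt1403.dll",
}


def find_sideload_candidates(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (exe_path, dll_path) pairs where a suspicious DLL sits in the
    same directory as an executable inside the archive."""
    exes_by_dir: dict[str, list[str]] = {}
    dlls_by_dir: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            directory, name = posixpath.split(info.filename)
            lower = name.lower()
            if lower.endswith(".exe"):
                exes_by_dir.setdefault(directory, []).append(info.filename)
            elif lower in SIDELOAD_DLL_NAMES:
                dlls_by_dir.setdefault(directory, []).append(info.filename)
    pairs = []
    for directory, dlls in dlls_by_dir.items():
        for exe in exes_by_dir.get(directory, []):
            for dll in dlls:
                pairs.append((exe, dll))
    return sorted(pairs)


def build_demo_zip(entries: dict[str, bytes]) -> bytes:
    """Build a constructed sample archive for the demo (path -> file contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed archive mimicking the HardwareVisualizer lure: a renamed WinRAR
# binary next to a malicious WindowsCodecs.dll (contents are placeholders).
MALICIOUS_ZIP = build_demo_zip({
    "HardwareVisualizer_1.3.1/HardwareVisualizer.exe": b"MZ-placeholder",
    "HardwareVisualizer_1.3.1/WindowsCodecs.dll": b"MZ-placeholder",
    "HardwareVisualizer_1.3.1/README.txt": b"lure text",
})

# Constructed benign archive: an executable with an unrelated DLL.
BENIGN_ZIP = build_demo_zip({
    "tool/tool.exe": b"MZ-placeholder",
    "tool/libz.dll": b"MZ-placeholder",
})

if __name__ == "__main__":
    for label, blob in (("malicious", MALICIOUS_ZIP), ("benign", BENIGN_ZIP)):
        print(label, find_sideload_candidates(blob))
```

A hit is a reason to look closer, not proof: a legitimate application can ship its own copy of one of these DLLs. The follow-up is the check the post recommends later, comparing the executable's signer and version resource with what the archive name claims it is (a "HardwareVisualizer.exe" whose version info says WinRAR is the Case 1 pattern exactly).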
This DLL decrypts two embedded resources. The decryption method varies between samples: some use a custom AES implementation, while others rely on the OpenSSL library.
One of the decrypted resources is a second-stage DLL, `runpeNew.dll`, which is loaded and executed via the `GetGet` method.
The second-stage DLL starts a process (such as `RegAsm`) and performs process hollowing using low-level APIs, including:
* `NtProtectVirtualMemory`
* `NtCreateUserProcess`
* `NtUnmapViewOfSection`
* `NtAllocateVirtualMemory`
* `NtResumeThread`
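The five calls above are the classic process-hollowing sequence: create the host process suspended, unmap its original image, allocate and protect memory for the payload, then resume the thread. The detector below is an added example, not code from the post, and runs over a constructed API-call trace in the JSON-lines shape a sandbox or API monitor might emit. It assumes the host is created with `CREATE_SUSPENDED` (the post does not state the flags) and treats `NtWriteVirtualMemory`, which the post does not list, as an optional stage; the field names are assumptions too.

```python
"""Added example, not code from the post: reconstruct the process-hollowing
call sequence from an API-call trace (one JSON object per line, constructed
below). Field names and the CREATE_SUSPENDED flag are assumptions."""
from __future__ import annotations

import json

# Calls between creation and resume that prepare the hollowed image.
PREP_CALLS = {"NtUnmapViewOfSection", "NtAllocateVirtualMemory",
              "NtWriteVirtualMemory", "NtProtectVirtualMemory"}


def detect_hollowing(trace_lines) -> list[dict]:
    """Track children created suspended and report when their creator unmaps
    or rewrites their memory before resuming them."""
    suspended: dict[int, dict] = {}   # child pid -> state
    alerts = []
    for raw in trace_lines:
        if not raw.strip():
            continue
        call = json.loads(raw)
        api, caller = call["api"], call["pid"]
        if api == "NtCreateUserProcess":
            if "CREATE_SUSPENDED" in call.get("flags", ""):
                suspended[call["child_pid"]] = {
                    "injector": caller, "image": call.get("image", ""), "stages": []}
            continue
        target = call.get("target_pid")
        state = suspended.get(target)
        if state is None or state["injector"] != caller:
            continue   # not the creator touching its own suspended child
        if api in PREP_CALLS:
            if api not in state["stages"]:
                state["stages"].append(api)
        elif api == "NtResumeThread":
            stages = state["stages"]
            unmapped = "NtUnmapViewOfSection" in stages
            rewritten = {"NtAllocateVirtualMemory", "NtProtectVirtualMemory"} <= set(stages)
            if unmapped or rewritten:
                alerts.append({"injector": caller, "target": target,
                               "image": state["image"], "stages": stages})
            del suspended[target]
    return alerts


# Constructed trace: one hollowing of RegAsm.exe plus two benign launches.
SAMPLE_TRACE = [json.dumps(c) for c in [
    {"pid": 4120, "api": "NtCreateUserProcess", "child_pid": 5200,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "flags": "CREATE_SUSPENDED"},
    {"pid": 4120, "api": "NtUnmapViewOfSection", "target_pid": 5200},
    {"pid": 4120, "api": "NtAllocateVirtualMemory", "target_pid": 5200,
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"pid": 4120, "api": "NtWriteVirtualMemory", "target_pid": 5200},
    {"pid": 4120, "api": "NtProtectVirtualMemory", "target_pid": 5200,
     "protect": "PAGE_EXECUTE_READ"},
    {"pid": 4120, "api": "NtResumeThread", "target_pid": 5200},
    # Benign: a debugger-style suspended launch resumed without memory changes.
    {"pid": 7000, "api": "NtCreateUserProcess", "child_pid": 7010,
     "image": r"C:\tools\app.exe", "flags": "CREATE_SUSPENDED"},
    {"pid": 7000, "api": "NtResumeThread", "target_pid": 7010},
    # Benign: an ordinary (not suspended) child process.
    {"pid": 7000, "api": "NtCreateUserProcess", "child_pid": 7020,
     "image": r"C:\Windows\System32\cmd.exe", "flags": ""},
]]

if __name__ == "__main__":
    for alert in detect_hollowing(SAMPLE_TRACE):
        print(alert)
```

The benign suspended launch is the edge case worth keeping in the sample: debuggers and some installers create children suspended and resume them untouched, so alerting on `CREATE_SUSPENDED` alone would be noisy. Requiring the unmap, or an allocate-plus-protect pair, between creation and resume is what separates hollowing from that.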
## The final payload: NWHStealer
At the end of these infection chains, the attacker deploys NWHStealer. The stealer runs directly in memory or injects itself into other processes such as `RegAsm.exe`.
It enumerates more than 25 folders and registry keys associated with cryptocurrency wallets.

_Enumeration phase of wallets_
The stealer also collects and exfiltrates data from multiple browsers, including Edge, Chrome, Opera, 360 Browser, K-Melon, Brave, Chromium, and Chromodo.
_Enumeration of browser folders_
_Enumeration of browser extensions_
Additionally, it injects a DLL into browser processes such as `msedge.exe`, `firefox.exe`, or `chrome.exe`. This DLL extracts and decrypts browser data before sending it to the command-and-control (C2) server.
_The injected DLL in Microsoft Edge_
The injected DLL also executes a PowerShell command that:
* Creates hidden directories in `LOCALAPPDATA`
* Adds those directories to Windows Defender exclusions
* Forces a Group Policy update
* Encrypts a `getPayload` request and sends it to the C2
* Receives and executes additional payloads disguised as system processes (e.g., `svchost.exe`, `RuntimeBroker.exe`)
* Creates scheduled tasks to run the payload at user logon with elevated privileges
Data sent to the C2 is encrypted using AES-CBC. If the primary server is unavailable, the malware can retrieve a new C2 domain via a Telegram-based dead drop.
_Dead drop resolver via Telegram_
_JSON containing various information about the compromised system_
The stealer also uses a known CMSTP User Account Control (UAC) bypass technique to execute PowerShell commands:
* Generates a random `.inf` file in the temp folder
* Uses `cmstp.exe` to elevate privileges
* Automatically confirms the prompt using Windows APIs
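Almost everything in the PowerShell stage and the CMSTP bypass leaves a process-creation record: a browser spawning PowerShell, `Add-MpPreference` excluding a `LOCALAPPDATA` path, `schtasks` (or the equivalent cmdlets) registering a logon task at highest run level, a `svchost.exe` or `RuntimeBroker.exe` running from a user profile, and `cmstp.exe` launching an `.inf` from Temp. The triage below is an added example, not code from the post or from Malwarebytes, and runs those rules over constructed Sysmon-style (Event ID 1) records in JSON lines. The post does not give the exact command lines, so the flags matched (`/sc onlogon /rl highest`, `cmstp.exe /au`) and the field names are assumptions based on the documented behaviour of those tools.

```python
"""Added example, not code from the post: rule-based triage of process-creation
events for the post-exploitation behaviour NWHStealer's PowerShell stage and
CMSTP bypass produce. Events are constructed; field names and the exact
command-line flags are assumptions."""
from __future__ import annotations

import json
import re
from typing import Callable

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SYSTEM_NAMES = {"svchost.exe", "runtimebroker.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_LOCAL = re.compile(r"appdata\\local|%localappdata%|\$env:localappdata", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def browser_spawns_powershell(ev: dict) -> bool:
    return basename(ev["ParentImage"]) in BROWSERS and basename(ev["Image"]) in POWERSHELL


def defender_exclusion_user_path(ev: dict) -> bool:
    m = re.search(r"add-mppreference.*?-exclusionpath\s+(\S+)", ev["CommandLine"], re.I)
    return bool(m and USER_LOCAL.search(m.group(1)))


def logon_task_highest(ev: dict) -> bool:
    cmd = ev["CommandLine"].lower()
    via_schtasks = (basename(ev["Image"]) == "schtasks.exe" and "/create" in cmd
                    and "/sc onlogon" in cmd and "/rl highest" in cmd)
    via_cmdlet = "-runlevel highest" in cmd and (
        "register-scheduledtask" in cmd or "new-scheduledtaskprincipal" in cmd)
    return via_schtasks or via_cmdlet


def masquerading_system_name(ev: dict) -> bool:
    image = ev["Image"].lower()
    return basename(image) in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS)


def cmstp_inf_from_temp(ev: dict) -> bool:
    return (basename(ev["Image"]) == "cmstp.exe"
            and bool(re.search(r"\\temp\\[^\s\"]+\.inf", ev["CommandLine"], re.I)))


RULES: list[tuple[str, Callable[[dict], bool]]] = [
    ("browser_spawns_powershell", browser_spawns_powershell),
    ("defender_exclusion_user_path", defender_exclusion_user_path),
    ("logon_task_highest", logon_task_highest),
    ("masquerading_system_name", masquerading_system_name),
    ("cmstp_inf_from_temp", cmstp_inf_from_temp),
]


def triage(event_lines) -> list[tuple[int, str]]:
    """Return (ProcessId, rule_name) for every rule each event matches."""
    hits = []
    for raw in event_lines:
        if not raw.strip():
            continue
        ev = json.loads(raw)
        ev.setdefault("CommandLine", "")
        ev.setdefault("ParentImage", "")
        for name, rule in RULES:
            if rule(ev):
                hits.append((ev["ProcessId"], name))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed records: four malicious, two benign.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ProcessId": 5100, "Image": PS,
     "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'powershell -w hidden -c "New-Item -ItemType Directory -Force $env:LOCALAPPDATA\.cache | Out-Null; Add-MpPreference -ExclusionPath $env:LOCALAPPDATA\.cache; gpupdate /force"'},
    {"ProcessId": 5104, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks /create /tn "Updater" /tr "C:\Users\u\AppData\Local\.cache\RuntimeBroker.exe" /sc onlogon /rl highest /f'},
    {"ProcessId": 5110, "Image": r"C:\Users\u\AppData\Local\.cache\svchost.exe", "ParentImage": PS,
     "CommandLine": r"C:\Users\u\AppData\Local\.cache\svchost.exe"},
    {"ProcessId": 5120, "Image": r"C:\Windows\System32\cmstp.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"cmstp.exe /au C:\Users\u\AppData\Local\Temp\a1b2c3.inf"},
    {"ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 6000, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]]

if __name__ == "__main__":
    for pid, rule in triage(SAMPLE_EVENTS):
        print(pid, rule)
```

Two of these rules carry most of the weight and are cheap to deploy as alerts on their own: a browser process as the parent of PowerShell (the injected DLL runs inside `msedge.exe`, `chrome.exe` or `firefox.exe`) and a system binary name executing outside `System32`/`SysWOW64`. The Defender-exclusion rule is worth a response action as well as an alert, since the exclusion persists after the stealer is gone.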
## How to stay safe
Instead of relying on phishing emails or obvious scams, the attackers behind this campaign are hiding malware inside tools people actively search for and trust. By spreading through platforms like GitHub, SourceForge, and YouTube, they increase the chances that users will let their guard down.
Once installed, the impact can be serious. Stolen browser data, saved passwords, and cryptocurrency wallet information can lead to account takeovers, financial loss, and further compromise.
Here are our tips for avoiding being caught out:
* Download software only from official websites
* Be cautious with downloads from GitHub, SourceForge, or file-sharing platforms unless you trust the source
* Check file signatures and publisher details before running anything
* Avoid downloading tools from links in YouTube descriptions
* **Pro tip:** Install Malwarebytes Browser Guard on your browser to block malicious URLs.
## Indicators of Compromise (IOCs)
Check the signature and version of software in suspicious archives.
**Hashes**
`e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3`
`2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3`
**Domains**
`vpn-proton-setup[.]com` (fake website)
`get-proton-vpn[.]com` (fake website)
`newworld-helloworld[.]icu` (C2 domain)
`https://t[.]me/gerj_threuh` (Telegram dead drop)
**URLs**
`https://www.onworks[.]net/software/windows/app-hardware-visualizer`
`https://sourceforge[.]net/projects/sidebar-diagnostics/files/Sidebar%20Diagnostics-3.6.5.zip`
`https://github[.]com/PieceHydromancer/Lossless-Scaling-v3.22-Windows-Edition/releases/download/Fps/Lossless.Scaling.v3.22.zip`
This is only a partial list of malicious URLs. Download the Malwarebytes Browser Guard plugin for full protection and to block the remaining malicious URLs.
Basic Information
ID: MALWAREBYTES:FECB63B5F4B7DBCDAEDD1A4A62D0AF21
Published: Apr 15, 2026 at 10:37