{"id":47186,"date":"2026-04-15T07:41:12","date_gmt":"2026-04-15T07:41:12","guid":{"rendered":"http:\/\/localhost\/?p=47186"},"modified":"2026-04-15T07:41:12","modified_gmt":"2026-04-15T07:41:12","slug":"from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=47186","title":{"rendered":"From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere_MALWAREBYTES:FECB63B5F4B7DBCDAEDD1A4A62D0AF21"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-04-15T12:05:09&#8243;,&#8221;description&#8221;:&#8221;We\u2019ve uncovered multiple campaigns distributing an infostealer we track as **NWHStealer**, using everything from fake VPN downloads to hardware utilities and gaming mods. What makes this campaign stand out isn\u2019t just the malware, but how widely and convincingly it\u2019s being spread.\\n\\nOnce installed, it can collect browser data, saved passwords, and cryptocurrency wallet information, which attackers may use to access accounts, steal funds, or carry out further attacks.\\n\\nWe detected multiple campaigns using different platforms and lures to distribute NWHStealer. The stealer is loaded and executed in several ways, such as self-injection or injection into other processes like `RegAsm` (Microsoft\u2019s Assembly Registration Tool). Often, additional wrappers such as MSI or Node.js are used as the initial loader.\\n\\nThe stealer is distributed using lures (what the file claims to be) such as:\\n\\n  * VPN installers\\n  * Hardware utilities (e.g. `OhmGraphite`, `Pachtop`, `HardwareVisualizer`, `Sidebar Diagnostics`)\\n  * Mining software\\n  * Games, cheats, and mods (e.g. 
`Xeno`)\\n\\n\\n\\nIt\u2019s hosted or shared across multiple distribution channels, including:\\n\\n  * Fake websites impersonating legitimate services, like Proton VPN\\n  * Code hosting platforms like GitHub and GitLab\\n  * File hosting services such as MediaFire and SourceForge\\n  * Links and redirects from gaming- and security-related YouTube videos\\n\\n\\n\\nAlthough there are many distribution methods, in this blog we look at two cases:\\n\\n  * Case 1: A free web hosting provider distributing a malicious ZIP file that loads the stealer using self-injection\\n  * Case 2: Fake websites that load the stealer using DLL hijacking and injection into the RegAsm process\\n\\n\\n\\n## Case 1: Free web hosting provider distributes the stealer\\n\\nThe first case is the most unexpected. We found that a free web hosting provider, onworks[.]net, hosts ZIP files in its download section that ultimately distribute the stealer.\\n\\nThe website, ranked in the top 100,000, allows users to run virtual machines entirely in the browser.\\n\\n![Virtual machine running in the browser](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_1-NWHStealer-GO_bc237c.png?w=1024)_Virtual machine running in the browser_\\n\\nThrough this site, users download a malicious ZIP with names like:\\n\\n  * `OhmGraphite-0.36.1.zip`\\n  * `Sidebar Diagnostics-3.6.5.zip`\\n  * `Pachtop_1.2.2.zip`\\n  * `HardwareVisualizer_1.3.1.zip`\\n\\n![One of the pages that downloads the malicious archive](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_2-NWHStealer-GO_6eb9dd.png)_One of the pages that downloads the malicious archive_\\n\\nIn this case, the malicious code responsible for loading the stealer is embedded in the executable, for example `HardwareVisualizer.exe`.\\n\\n![The loader that starts the infection chain](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_3-NWHStealer-GO.png)_The loader that starts the 
infection chain_\\n\\nThe loader contains junk code to make analysis more difficult and performs several operations, including:\\n\\n  * Checking the environment for analysis tools and terminating if detected\\n  * Implementing a custom decryption function for strings\\n  * Resolving functions using `LoadLibraryA` and `GetProcAddress`\\n  * Decrypting and loading the next stage using AES-CBC via BCrypt APIs\\n\\n\\n\\nThis isn\u2019t the only way the stealer is distributed. We found similar lures, with the same ZIP names, that instead distribute the stealer via DLL hijacking.\\n\\nIn this case, `HardwareVisualizer.exe` is actually the WinRAR executable, and the malicious code resides in `WindowsCodecs.dll`.\\n\\n![The WinRAR executable with the malicious DLL](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_4-NWHStealer-GO.png)_The WinRAR executable with the malicious DLL_\\n\\nWhile tracking the DLL loader, we also saw it distributed in other campaigns with different lures. For example, in the second case analyzed, this malicious DLL is delivered through fake websites.\\n\\n## Case 2: Fake Proton VPN website and DLL loader\\n\\nIn the second case, we detected a website impersonating Proton VPN that delivers a malicious ZIP. This archive executes the stealer using DLL hijacking or an MSI file. 
To be clear, this has no affiliation with Proton VPN, and we\u2019ve contacted them to let them know what we found.\\n\\nLinks to the website appear in several compromised YouTube channels, along with AI-generated videos demonstrating the installation process:\\n\\n  * ![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_5e-NWHStealer-GO.png?w=1024)YouTube channels with malicious Proton VPN links.\\n  * ![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_5d-NWHStealer-GO.png?w=1024)YouTube channels with malicious Proton VPN links.\\n  * ![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_5c-NWHStealer-GO.png?w=677)YouTube channels with malicious Proton VPN links.\\n  * ![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_5b-NWHStealer-GO.png?w=1024)YouTube channels with malicious Proton VPN links.\\n  * ![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_5a-NWHStealer-GO.png?w=1024)YouTube channels with malicious Proton VPN links.\\n  * ![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_5f-NWHStealer-GO.png?w=1024)YouTube channels with malicious Proton VPN links.\\n\\n\\n\\n![Fake website distributes the stealer via DLL hijacking](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_6-NWHStealer-GO.png?w=1024)_Fake website distributes the stealer via DLL hijacking_ ![Folders containing the malicious DLL](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_7-NWHStealer-GO.png?w=1024)_Folders containing the malicious DLL_\\n\\nIn other infection chains, this DLL appears under different names, such as:\\n\\n  * `iviewers.dll`\\n  * `TextShaping.dll`\\n  * `CrashRpt1403.dll`\\n\\n\\n\\nThis DLL decrypts two embedded resources. 
The decryption method varies between samples: Some use custom AES implementations, while others rely on the OpenSSL library.\\n\\nOne of the decrypted resources is a second-stage DLL, `runpeNew.dll`, which is loaded and executed via the `GetGet` method.\\n\\nThe second-stage DLL starts a process (such as `RegAsm`) and performs process hollowing using low-level APIs, including:\\n\\n  * `NtProtectVirtualMemory`\\n  * `NtCreateUserProcess`\\n  * `NtUnmapViewOfSection`\\n  * `NtAllocateVirtualMemory`\\n  * `NtResumeThread`\\n\\n\\n\\n## The final payload: NWHStealer\\n\\nAt the end of these infection chains, the attacker deploys NWHStealer. The stealer runs directly in memory or injects itself into other processes such as `RegAsm.exe`.\\n\\nIt enumerates more than 25 folders and registry keys associated with cryptocurrency wallets.\\n\\n![](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_10-NWHStealer-GO_9bfd92.png)\\n\\n![Enumeration phase of wallets](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_8b-NWHStealer-GO.png)_Enumeration phase of wallets_\\n\\nThe stealer also collects and exfiltrates data from multiple browsers, including Edge, Chrome, Opera, 360 Browser, K-Melon, Brave, Chromium, and Chromodo.\\n\\n![Enumeration of browser folders.](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_9-NWHStealer-GO.png)_Enumeration of browser folders_ ![Enumeration of browser extensions. ](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_8a-NWHStealer-GO.png?w=1024)_Enumeration of browser extensions_\\n\\nAdditionally, it injects a DLL into browser processes such as `msedge.exe`, `firefox.exe`, or `chrome.exe`. 
This DLL extracts and decrypts browser data before sending it to the command-and-control (C2) server.\\n\\n![The injected DLL in Microsoft Edge](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_11-NWHStealer-GO_c799af.png?w=1024)_The injected DLL in Microsoft Edge_\\n\\nThe injected DLL also executes a PowerShell command that:\\n\\n  * Creates hidden directories in `LOCALAPPDATA`\\n  * Adds those directories to Windows Defender exclusions\\n  * Forces a Group Policy update\\n  * Encrypts a `getPayload` request and sends it to the C2\\n  * Receives and executes additional payloads disguised as system processes (e.g., `svchost.exe`, `RuntimeBroker.exe`)\\n  * Creates scheduled tasks to run the payload at user logon with elevated privileges\\n\\n\\n\\nData sent to the C2 is encrypted using AES-CBC. If the primary server is unavailable, the malware can retrieve a new C2 domain via a Telegram-based dead drop.\\n\\n![Dead drop resolver via Telegram](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_11-NWHStealer-GO.png?w=1024)_Dead drop resolver via Telegram_ ![JSON containing various information about the compromised system](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/04\/img_13-NWHStealer-GO.png?w=1024)_JSON containing various information about the compromised system_\\n\\nThe stealer also uses a known CMSTP User Account Control (UAC) bypass technique to execute PowerShell commands:\\n\\n  * Generates a random `.inf` file in the temp folder\\n  * Uses `cmstp.exe` to elevate privileges\\n  * Automatically confirms the prompt using Windows APIs\\n\\n\\n\\n## How to stay safe\\n\\nInstead of relying on phishing emails or obvious scams, the attackers behind this campaign are hiding malware inside tools people actively search for and trust. 
By spreading through platforms like GitHub, SourceForge, and YouTube, they increase the chances that users will let their guard down.\\n\\nOnce installed, the impact can be serious. Stolen browser data, saved passwords, and cryptocurrency wallet information can lead to account takeovers, financial loss, and further compromise.\\n\\nHere are our tips for avoiding being caught out:\\n\\n  * Download software only from official websites\\n  * Be cautious with downloads from GitHub, SourceForge, or file-sharing platforms unless you trust the source\\n  * Check file signatures and publisher details before running anything\\n  * Avoid downloading tools from links in YouTube descriptions\\n  * **Pro tip:** Install Malwarebytes Browser Guard on your browser to block malicious URLs.\\n\\n\\n\\n## Indicators of Compromise (IOCs)\\n\\nCheck the signature and version of software in suspicious archives.\\n\\n**Hashes**\\n\\n`e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3`\\n\\n`2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3`\\n\\n**Domains**\\n\\n`vpn-proton-setup[.]com` (fake website)\\n\\n`get-proton-vpn[.]com` (fake website)\\n\\n`newworld-helloworld[.]icu` (C2 domain)\\n\\n`https:\/\/t[.]me\/gerj_threuh` (Telegram dead drop)\\n\\n**URLs**\\n\\n`https:\/\/www.onworks[.]net\/software\/windows\/app-hardware-visualizer`\\n\\n`https:\/\/sourceforge[.]net\/projects\/sidebar-diagnostics\/files\/Sidebar%20Diagnostics-3.6.5.zip`\\n\\n`https:\/\/github[.]com\/PieceHydromancer\/Lossless-Scaling-v3.22-Windows-Edition\/releases\/download\/Fps\/Lossless.Scaling.v3.22.zip`\\n\\nThis is only a partial list of malicious URLs. 
Download the Malwarebytes Browser Guard plugin for full protection and to block the remaining malicious URLs.&#8221;,&#8221;published&#8221;:&#8221;2026-04-15T10:37:33&#8243;,&#8221;modified&#8221;:&#8221;2026-04-15T10:37:33&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:FECB63B5F4B7DBCDAEDD1A4A62D0AF21&#8243;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;htt
ps:\/\/www.malwarebytes.com\/blog\/threat-intel\/2026\/04\/from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-47186","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"]}