cryptocurrency wallet Archives

Tech Optimizer

June 9, 2026

Fake ChatGPT download site infects Windows and Mac users with malware

A counterfeit website, openew[.]app, is impersonating OpenAI's official ChatGPT download page and distributing malware. Windows users who download from this site receive a credential-stealing malware loader, while macOS users are infected with Odyssey Stealer, a variant associated with cryptocurrency theft. The fake site mimics the legitimate ChatGPT interface and uses HTTPS to appear trustworthy. The Windows malware, Chat_GPT.exe, creates a back channel to an attacker-controlled server, while the macOS malware captures sensitive data and attempts to replace legitimate cryptocurrency wallet applications with compromised versions. Users who download from official sources remain safe, but those who click on ads or unfamiliar links risk compromising their online accounts and sensitive information. Malwarebytes offers protection against this malware. Indicators of compromise include specific file hashes and network indicators associated with the malicious site.

AppWizard

June 9, 2026

This New Computer Virus Is Disguising Itself As A Popular Video Game

Old-school gaming consoles are seeing a resurgence, but hackers are exploiting this trend with a malware campaign called "WeedHack," which emerged in January. This malware operates on a "Malware-as-a-Service" model, allowing users to purchase it to infect victims. WeedHack functions as a remote access infostealer, compromising computers to manipulate screens, access webcams, and steal sensitive data. It propagates by enticing users with unofficial "Minecraft" mods and clients, often using videos and download links as bait. Additionally, it employs "SEO poisoning" to promote fake websites as legitimate sources for these mods on platforms like Discord and Reddit. WeedHack disguises itself as a JAR file, similar to the official "Minecraft" client, and once executed, it installs its payload from Ethereum server domains. It can insert itself into antivirus exclusion lists, evading detection, and McAfee's tests show that Windows Defender is ineffective against it. The malware collects extensive information, including Wi-Fi networks and browser cookies, and grants hackers complete control over infected computers. The WeedHack virus serves as both malware and a training ground for aspiring hackers, structured into two tiers: a free version with core capabilities and a paid subscription for advanced features. A community has formed around WeedHack, offering tutorials, a Discord server, and a website for feature requests and custom payload creation. This community aspect lowers the barrier for newcomers, particularly targeting a younger audience that may not understand online safety.

AppWizard

June 5, 2026

“2,000 to 3,000 new hits every single day”: Dangerous malware “WeedHack” hides in Minecraft mods, gives attackers webcam access, Steam and Discord passwords, and more

Minecraft's modding community is facing a threat from a malware called WeedHack, identified by McAfee researchers. This malware is part of a Malware-as-a-Service campaign that has been active since January and is notably affordable compared to other hacking tools. WeedHack targets systems that mod Minecraft and can compromise Discord accounts, browsers, and cryptocurrency wallets. To reduce risks, users are advised to download mods only from reputable sources like CurseForge and Modrinth, and to invest in strong security software, such as McAfee, which offers features to protect against such threats.

AppWizard

June 3, 2026

Fake ‘Minecraft’ Mods Bring Malware to as Many as 116,000 Players

The "Minecraft" community is facing a cybersecurity threat from a malware operation called WeedHack, which disguises itself as fake mods to lure players into downloading it. This operation, run by a teenager, has affected over 116,000 players and uses social engineering tactics to distribute malicious mods, cheats, and clients. WeedHack spreads through trusted channels, including YouTube, and employs search engine optimization poisoning to mislead users. The malware operates by disseminating malicious Java Archive files that appear legitimate, compromising devices to extract sensitive information such as session IDs, browser cookies, and cryptocurrency wallet data. It can also steal credentials for applications like Discord, Steam, and Telegram, and includes remote control features for surveillance and keylogging. Approximately 2,000 new infections occur daily, primarily affecting users in the United States, Germany, India, the United Kingdom, and Italy. The low cost of access to this malware has led to its use by teenagers for online bullying and harassment.

Winsage

May 20, 2026

MSHTA abuse helps malware hide in Windows processes

Bitdefender's research highlights the use of Microsoft's MSHTA utility in malware attacks, noting its default activation in Windows systems. Cybercriminals exploit MSHTA to execute malicious scripts under the guise of legitimate processes, linking it to various malware families like LummaStealer and PurpleFox. The study reports a rise in MSHTA-related detections, indicating a shift towards "living-off-the-land" tactics that utilize legitimate tools to evade security alerts. Social engineering is identified as a common entry point for attacks, employing deceptive methods such as fake software downloads and phishing links. MSHTA can retrieve and execute additional payloads through multi-stage chains, complicating detection efforts. The attacks target sensitive information, including credentials and financial data, and the continued presence of MSHTA poses risks as it allows threat actors to conceal malicious actions. To mitigate these threats, organizations are advised to restrict or disable legacy scripting tools and exercise caution with untrusted downloads. The report emphasizes the challenge of detecting unusual behaviors associated with legitimate utilities in the context of cyber threats.

AppWizard

May 19, 2026

Steam Game Sparks Controversy for Planting Malware on Users’ PCs

'Beyond the Dark' is an indie game released for free on Steam on December 29, 2024, which was identified as an 'asset flip' by tech YouTuber Eric Parker. The game was found to contain malware hidden in a DLL file that targets users' cryptocurrency wallet information and Roblox account credentials. This incident follows a similar case in September 2025 involving a game called 'Blockbusters,' which also distributed malware. Following the exposé, Valve removed 'Beyond the Dark' from its platform within a day.

AppWizard

May 19, 2026

“I thought it was a Steam game”… Malicious code found planted on users’ PCs

'Beyond the Dark' is an indie game released for free on Steam on December 29, 2024, which was misrepresented as a turn-based strategy game despite displaying characteristics of a first-person horror game. Tech YouTuber Eric Parker identified it as an 'asset flip' and revealed that it distributed malware designed to steal cryptocurrency wallet information and Roblox account credentials. The malware was embedded in a DLL file activated upon the game's execution. Following Parker's findings, Valve removed the game from its platform within a day. The gaming community has seen similar incidents, such as the 'Blockbusters' game in September 2025, which was involved in a malware scheme that stole cryptocurrency. Security experts advise caution when installing free games that appear hastily produced.

AppWizard

April 17, 2026

New RecruitRat, SaferRat, Astrinox, Massiv Android Malware Found Targeting 800 Apps

Cybersecurity researchers from Zimperium zLabs have identified four families of Android malware—RecruitRat, SaferRat, Astrinox, and Massiv—targeting banking and cryptocurrency applications. These malware families can extract sensitive information from over 800 applications. They primarily use phishing and smishing to lure users into downloading malicious software. Phishing involves creating fake websites resembling legitimate login pages, while smishing uses urgent text messages with links to download harmful payloads. RecruitRat targets job seekers with fake employment websites, and SaferRat promises free access to premium video services. Astrinox mimics a business tool and has been linked to a fraudulent Apple App Store page, while Massiv's distribution methods remain unclear. Once installed, these malware applications initiate Overlay attacks, displaying counterfeit screens to capture user credentials. They also use a "blindfold" technique to obscure their activities by overlaying static images on the user's screen. The malware can intercept security codes, capture one-time passwords, and employ keylogging techniques. RecruitRat has a library of over 700 counterfeit login pages that activate with targeted apps. Researchers recommend avoiding links in urgent messages and downloading apps only from official sources.

Winsage

April 16, 2026

Fake Proton VPN sites are pushing NWHStealer malware to Windows users

A malware campaign is utilizing counterfeit Proton VPN websites and other deceptive tactics to distribute a Windows infostealer known as NWHStealer. This malware extracts sensitive information, including browser credentials and cryptocurrency wallet details, and operates stealthily by injecting itself into legitimate processes. Two primary infection vectors have been identified: malicious ZIP archives on a free web hosting platform and trojanized installers from fake Proton VPN sites. The malware employs DLL hijacking and can exfiltrate data to a command-and-control server while ensuring persistence through scheduled tasks and disguising payloads as legitimate system processes. It also exploits the Windows cmstp.exe utility to bypass User Account Control. Users are advised to avoid downloading software from unofficial sources and to verify file signatures and publisher information.

Tech Optimizer

April 6, 2026

36 Malicious npm Packages Exploited Redis, PostgreSQL to Deploy Persistent Implants

Cybersecurity researchers have discovered 36 malicious packages in the npm registry that impersonate Strapi CMS plugins. These packages exploit Redis and PostgreSQL, deploy reverse shells, harvest credentials, and establish persistent implants. Each package consists of three files—package.json, index.js, and postinstall.js—without descriptions or repositories, and all use version 3.6.8 to mimic legitimate Strapi plugins. The malicious packages follow a naming convention starting with "strapi-plugin-" and were uploaded by four accounts within 13 hours. The identified packages include names like strapi-plugin-cron, strapi-plugin-database, and strapi-plugin-server. The malicious code is embedded in the postinstall script, executing automatically upon installation with the same privileges as the user. The payloads evolve from exploiting Redis for remote code execution to attempting direct PostgreSQL database exploitation and deploying persistent implants for remote access. The campaign appears to target cryptocurrency platforms, as indicated by the focus on credential theft and digital assets. Users of these packages are advised to assume compromise and rotate credentials. This incident reflects a broader trend of supply chain attacks in the open-source ecosystem, with recent examples including credential exfiltration payloads in GitHub repositories and compromised GitHub Actions workflows. Group-IB reported that software supply chain attacks are increasingly reshaping the cyber threat landscape, targeting trusted vendors and open-source software to gain access to downstream organizations.