infostealers Archives

Tech Optimizer

January 7, 2026

Fake error popups are spreading malware fast

A new cybercrime tool called ErrTraffic has emerged, simplifying malware dissemination through deceptive fake error messages that prompt users to address non-existent issues. The attacks begin on compromised websites, where users encounter distorted text and pop-ups suggesting a browser update or font installation. Clicking the provided button copies a command to the clipboard, instructing users to paste it into PowerShell, which triggers the malware infection. ErrTraffic automates this process, requiring minimal investment for attackers to access a control panel and scripted payload delivery. It operates via JavaScript injection, adapting to the user's operating system and browser to display tailored messages. This method effectively bypasses traditional malware defenses, achieving high conversion rates, with nearly 60% of users following through with the instructions. Infected devices may deploy infostealers or banking trojans, with the system designed to evade law enforcement by excluding certain regions. To mitigate risks, users should avoid copying commands from websites, trust built-in update notifications, use robust antivirus software, and regularly remove personal information from data broker sites.

Winsage

December 4, 2025

This Windows Update Pop-Up Is a Scam

Hackers have exploited Windows update screens to deliver malware disguised as a "critical security update," a tactic known as the ClickFix attack. This attack uses social engineering techniques, including fake error messages and CAPTCHA forms, to trick users into executing harmful commands. The scam appears as a pop-up mimicking the standard Windows blue screen but originates from a malicious domain. Users are prompted to paste and execute harmful commands, leading to malware installation. Researchers from Huntress have detailed this attack, noting that malicious code can be embedded within PNG images. Although recent law enforcement actions have reduced the presence of malware payloads on these domains, the threat remains. Users should be cautious of any update screens that do not show a progress indicator or require manual command input, as these are signs of a ClickFix attack. Microsoft releases security updates on the second Tuesday of each month, and users are advised to enable automatic updates and consider disabling the Windows Run box for added security.

Tech Optimizer

December 2, 2025

The best budget antivirus just got cheaper – save 50% for Cyber Monday

Malwarebytes is offering a 50% discount on all its antivirus plans for Cyber Monday, allowing users to protect three devices for a year against various threats. The plans include Standard, Plus, and Ultimate, featuring safe web browsing, scam and ad blockers, security assessments, and data breach notifications. Independent tests confirm its effectiveness in threat detection. The software has quick scanning capabilities with minimal system impact and a user-friendly interface. Upper-tier plans include additional features like an unlimited VPN, firewall, and identity threat protection.

Winsage

November 25, 2025

Attackers are Using Fake Windows Updates in ClickFix Scams

Threat actors have adapted the ClickFix attack model, using a fraudulent Windows Update screen to disguise malicious code. This screen mimics the legitimate Windows Update interface and prompts users to execute harmful commands. The execution of these commands leads to the installation of LummaC2 and Rhadamanthys info-stealing malware. A report from ESET noted a 500% increase in ClickFix attacks, which now account for nearly 8% of all blocked attacks in early 2025. Huntress researchers tracked ClickFix lures that used steganography to deliver LummaC2 and Rhadamanthys malware, concealing malicious software within image files. The attacks involve a full-screen display that instructs users not to turn off their computers, ultimately prompting them to paste a malicious command. The execution process includes using mshta.exe and PowerShell to load and inject malicious assemblies. European law enforcement recently dismantled infrastructure used by threat actors, but Rhadamanthys is no longer distributed through the fraudulent Windows Update campaign. The use of steganography helps these payloads evade detection while relying on victims to manually execute commands.

Tech Optimizer

November 20, 2025

Windows Has Another Hidden Malware Scanner Tool – How and When to Use It

Microsoft Defender is the primary security tool for Windows systems, while the Malicious Software Removal Tool (MSRT) serves as an additional defense against malware. MSRT is updated monthly through Windows updates and operates in Quiet Mode, targeting common malware infections such as trojans, rootkits, and worms. It enhances its capabilities with each update by adding new malware families and removing outdated ones. MSRT not only eliminates infections but also aims to reverse any damage caused by malware. MSRT is beneficial in several scenarios: it can be used alongside third-party antivirus programs to enhance security, it can undo changes made by malware, and it remains effective even when other security tools are compromised. By default, MSRT runs monthly but can also be initiated on demand by typing "mrt" in the Run dialog. Users can choose from Quick, Full, or Customized scans, and the tool automatically addresses any detected infections. After scanning, a report detailing the findings is available for review.

Tech Optimizer

October 20, 2025

TikTok Videos Spread ClickFix Malware, Stealing User Credentials

Cybercriminals are increasingly using TikTok to spread malware through seemingly harmless videos that promise free software activations for applications like Windows, Spotify, or Netflix. These videos employ a technique called ClickFix, which tricks users into executing harmful PowerShell commands that install infostealers, compromising sensitive information such as login credentials and financial data. The malware can self-compile on the victim's device, making it harder to detect. Reports indicate a shift in these tactics from platforms like YouTube and Meta to TikTok, with over 30,000 websites compromised in related DNS malware campaigns. Artificial intelligence is also being used to create deceptive videos that resemble legitimate content, complicating the identification of malicious material. Android users face similar threats from apps impersonating popular services, such as WhatsApp or TikTok. Experts recommend enabling two-factor authentication, using reputable antivirus software, avoiding unverified commands, and adjusting privacy settings on TikTok to mitigate these risks.

AppWizard

October 16, 2025

Minecraft mods: When ‘hacking’ your game becomes a security risk

Minecraft and Roblox are popular platforms for creativity and community engagement among younger audiences, but they also attract cybercriminals who exploit players by disguising malware as mods, cheats, or automation tools. A mod, short for "modification," is a user-created software extension that alters gameplay in Minecraft, but these mods can be maliciously exploited. Recent threats include over 500 GitHub repositories distributing an infostealer disguised as Minecraft mods and attacks using popular modding platforms like Bukkit and CurseForge to spread malware. Attackers often present malware as essential mods, which can lead to harmful background processes once installed. Common types of malware masquerading as mods include Trojans, infostealers, ransomware, and cryptominers. To reduce risks, players should download mods from trusted platforms, verify developers' reputations, be cautious of unusual file types, and use security software to check downloads. If a suspicious mod is installed, players should delete it, run a full antimalware scan, reinstall Minecraft from the official website, change passwords, and consult cybersecurity professionals if needed. To stay safe while using mods, players should use non-administrator accounts, keep systems updated, maintain regular backups, and implement robust security measures.

Tech Optimizer

September 5, 2025

TAG-150 Hackers Deploy Custom Malware Families to Target Organizations

A new cyber threat actor, TAG-150, has emerged since March 2025, utilizing a sophisticated multi-tiered infrastructure and custom malware, including CastleLoader, CastleBot, and CastleRAT. TAG-150's infrastructure consists of four tiers, including command-and-control servers and intermediary layers to obscure operations. The CastleRAT trojan, available in Python and C variants, features advanced capabilities such as stealth evasion, system information collection, and remote surveillance functions. TAG-150 employs phishing techniques and fraudulent domains to compromise victims, achieving a 28.7% infection rate among those who interact with their schemes. The group utilizes privacy-focused services and frequently relocates its infrastructure to evade detection. Experts recommend proactive measures to counteract TAG-150's activities, including blocking identified infrastructure and monitoring for data exfiltration. Indicators of compromise include specific IP addresses associated with CastleLoader.

Winsage

September 2, 2025

Threat Actors Exploit Windows Search in AnyDesk ClickFix Attack to Spread MetaStealer

Cybercriminals have developed a sophisticated variant of the ClickFix scam, utilizing human-verification social engineering and the Windows search protocol to deploy MetaStealer, an infostealer that steals credentials and sensitive data. The attack begins when a target searches for the legitimate AnyDesk tool and is redirected to a phishing page featuring a deceptive human-verification prompt. This page uses a search-ms URI scheme to connect to an attacker-controlled SMB share, presenting a malicious Windows shortcut disguised as a PDF. Executing this shortcut downloads the legitimate AnyDesk installer and retrieves a malicious "PDF" from an external server. The MSI package contains a dropper (ls26.exe) that operates similarly to known MetaStealer samples, scanning for browser credentials and exfiltrating data. The attack circumvents user suspicion by mimicking a legitimate application installation. Organizations are advised to implement strict application whitelisting, monitor Windows protocol handlers, educate users about suspicious prompts, and deploy detection rules to mitigate these threats.

Tech Optimizer

July 30, 2025

New Malware Targets Crypto Users with Fake Ads, Steals Keys

A new strain of malware is targeting cryptocurrency enthusiasts through deceptive online advertisements that mimic legitimate promotions for crypto wallets and trading platforms. This malware, described as a multi-stage infostealer, begins with an ad redirect that prompts users to download a fake update or extension. Once installed, it monitors clipboard activity to copy and alter cryptocurrency addresses, redirecting funds to attackers' wallets. The malware can evade detection by many antivirus solutions and is often hosted on platforms like GitHub disguised as open-source tools. Victims may not realize they have been compromised until their funds are stolen. Experts recommend using ad blockers, verifying URLs, utilizing hardware wallets, keeping software updated, and employing multi-factor authentication as protective measures. Regular system scans with advanced tools like Malwarebytes and training for employees on malvertising risks are also advised for enterprises.