A recently discovered malware campaign is making waves in the cybersecurity landscape, utilizing counterfeit Proton VPN websites alongside gaming modifications and utility tools to propagate a Windows infostealer known as NWHStealer.
Malwarebytes has meticulously documented this alarming activity, revealing that cybercriminals are employing a variety of deceptive tactics. These include fraudulent websites, open-source platforms like GitHub and SourceForge, and even AI-generated YouTube videos, all designed to mislead unsuspecting users into downloading malicious software.
NWHStealer is engineered to extract sensitive information, such as browser-stored credentials, autofill data, and cryptocurrency wallet details. Its stealthy design allows it to operate directly in memory or inject itself into legitimate processes like RegAsm.exe, complicating detection efforts. The malware targets over 25 wallet-related directories and registry keys, siphoning data from popular browsers including Chrome, Edge, Firefox, Opera, and Brave.
Infection Vectors
Malwarebytes has pinpointed two primary infection vectors. The first involves a free web hosting platform, onworks[.]net, which has been found harboring malicious ZIP archives masquerading as legitimate utilities such as HardwareVisualizer, Sidebar Diagnostics, and OhmGraphite. These archives contain executables embedded with obfuscated loader code that conducts environment checks, decrypts payloads using AES-CBC via Windows BCrypt APIs, and ultimately deploys the infostealer.
The second method of distribution revolves around counterfeit Proton VPN websites that deliver trojanized installers through ZIP files. These samples frequently utilize DLL hijacking, where a legitimate executable—often a repackaged WinRAR binary—is paired with a malicious DLL. Upon execution, the DLL decrypts an embedded payload and initiates process hollowing using low-level Windows APIs.
The infection chain progresses by injecting code into active browser processes to extract decrypted data, which is then exfiltrated to a command-and-control (C2) server using AES-CBC encryption. To ensure persistence, the malware creates scheduled tasks, adds exclusions to Windows Defender, and deploys payloads disguised as legitimate system processes such as svchost.exe or RuntimeBroker.exe. In cases where the primary C2 server is unreachable, NWHStealer can access fallback infrastructure via a Telegram-based dead drop.
Additionally, the malware exploits the Windows cmstp.exe utility to circumvent User Account Control (UAC), generating a temporary .inf file and programmatically approving the elevation prompt using Windows APIs. This enables it to execute PowerShell commands with elevated privileges without the user’s knowledge.
While the allure of Proton VPN remains prominent, Malwarebytes has also noted that similar payloads are being distributed through mining software, cheat tools like Xeno, and various hardware utilities.
To mitigate exposure to these threats, users are advised to refrain from downloading software from unofficial sources or links found in YouTube descriptions, even if they appear credible. It is essential to verify file signatures, check publisher information, and adhere to official vendor websites as critical protective measures.