A newly documented infostealer, NWHStealer, is targeting Windows users through a campaign that uses fake VPN websites, gaming mods, and hardware utility tools as bait. Unlike distribution methods that rely on spam emails or obvious phishing lures, this campaign hides the malware inside files that users actively search for and download themselves, so there is no unsolicited message to flag and the victim initiates the infection.
The NWHStealer campaign employs a wide array of distribution methods, including fake websites impersonating trusted services, code-hosting platforms like GitHub and GitLab, and file-sharing sites such as MediaFire and SourceForge. Additionally, malicious links are embedded in gaming and security-related YouTube videos. The malware masquerades as legitimate software, including VPN installers and hardware diagnostic tools, as well as popular gaming cheats and mods, which broadens its reach and increases the risk of infection.
Technically, NWHStealer is built to evade detection through a layered infection chain. The payload is either self-injected or injected into a legitimate Windows process such as RegAsm.exe, the .NET assembly registration tool. Additional wrappers, such as MSI packages and Node.js, serve as the initial loaders. Once on a system, the stealer collects browser data, saved passwords, and cryptocurrency wallet details, encrypts them, and sends them to the attacker's server. If the primary server is unavailable, it falls back to a Telegram-based dead drop to stay in contact with its operators.
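The RegAsm.exe injection and the MSI/Node.js loader chain described above leave a trace in process-creation telemetry. The following PowerShell is an added hunting heuristic written for this page, not code from the Malwarebytes report or from the malware itself: it scores process-creation events for RegAsm.exe launched with no arguments (a legitimate run always names an assembly), with msiexec.exe or node.exe as parent, or with a parent in a user-writable directory. The event records, the weights and the threshold are constructed for the demonstration; in practice feed it Sysmon Event ID 1 or Security 4688 data and tune the weights to your environment.

```powershell
# Added example: hunting heuristic for RegAsm.exe abuse, not the report's own tooling.
# Constructed process-creation events standing in for Sysmon Event ID 1 / 4688 records.
$events = @(
    [pscustomobject]@{ Time = '2026-04-10T09:01:12'
        Image       = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
        CommandLine = '"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'
        ParentImage = 'C:\Users\user\AppData\Local\Temp\node.exe' },
    [pscustomobject]@{ Time = '2026-04-10T09:02:30'
        Image       = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe'
        CommandLine = 'RegAsm.exe /codebase "C:\Program Files\Vendor\lib.dll"'
        ParentImage = 'C:\Windows\System32\msiexec.exe' },
    [pscustomobject]@{ Time = '2026-04-10T09:03:45'
        Image       = 'C:\Program Files\Vendor\app.exe'
        CommandLine = 'app.exe'
        ParentImage = 'C:\Windows\explorer.exe' }
)

function Test-SuspiciousRegAsm {
    param([pscustomobject]$Event, [int]$Threshold = 3)   # threshold is an assumed tuning value

    if ($Event.Image -notmatch '\\RegAsm\.exe$') { return $null }
    $score = 0; $reasons = @()

    # Strip the (optionally quoted) executable path; what remains is the argument list.
    # A real RegAsm invocation names an assembly (often with /codebase or /tlb).
    # A bare RegAsm.exe does nothing useful, so it is a classic hollowing/injection host.
    $argString = ($Event.CommandLine -replace '^"?[^"]*RegAsm\.exe"?\s*', '').Trim()
    if ($argString -eq '') { $score += 3; $reasons += 'no arguments' }

    # The report names MSI packages and Node.js as initial loaders, so these parents
    # raise the score; a parent living in Temp or Downloads is unusual for a .NET tool.
    $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLower()
    if ($parent -in @('msiexec.exe', 'node.exe')) { $score += 2; $reasons += "parent $parent" }
    if ($Event.ParentImage -match '\\(Temp|Downloads)\\') { $score += 2; $reasons += 'parent in user-writable path' }

    if ($score -lt $Threshold) { return $null }
    [pscustomobject]@{ Time = $Event.Time; Score = $score; Parent = $Event.ParentImage; Reasons = ($reasons -join '; ') }
}

$events | ForEach-Object { Test-SuspiciousRegAsm $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

With the constructed data only the first event crosses the threshold (no arguments, node.exe parent, parent in Temp). The second, an installer registering a COM assembly through msiexec.exe, scores 2 and is suppressed; that is deliberate, since msiexec spawning RegAsm with a real assembly path is common in legitimate software installs and should be a low-confidence signal on its own.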
The impact of NWHStealer is significant: it targets over 25 folders and registry keys associated with cryptocurrency wallets and with browsers including Edge, Chrome, Opera, Brave, Chromium, and Firefox. With the stolen credentials and wallet data, attackers can take over accounts, drain funds, or stage further attacks. The malware also uses DLL hijacking and process hollowing to persist on the host and to evade security controls.
To reduce the risk of infection, Malwarebytes researchers recommend downloading software only from official, verified websites and avoiding third-party download mirrors. Treat files from platforms like GitHub and SourceForge with caution unless the publisher is known and verified. Check the file's digital signature and publisher details before executing any downloaded software, and do not download tools from links in YouTube video descriptions or comments. Inspecting the contents and verifying the integrity of compressed archives before extracting them is equally important, since a "mod" or "utility" archive can carry an installer or script the user never expected.
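The checks recommended above (signature and publisher, file integrity, archive contents) can be scripted so they run every time before a download is executed. The PowerShell below is an added example written for this page, not a tool from Malwarebytes or from any vendor named here; the expected hash and publisher name are placeholders that must come from the vendor's official site, and the executable-extension and double-extension lists are assumed heuristics.

```powershell
# Added example: pre-execution checks for a downloaded installer or archive.
function Test-DownloadedFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSha256,      # hash published on the vendor's official download page, if any
        [string]$ExpectedPublisher    # text expected in the signer's certificate subject, e.g. the vendor name
    )
    $findings = @()

    # 1. Authenticode: the chain must validate to a trusted root AND the signer must be
    #    the vendor you expect. Unsigned is not proof of malice, but for a VPN client or
    #    hardware utility from a named vendor it is a red flag.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $findings += "signature status: $($sig.Status)"
    } elseif ($ExpectedPublisher -and $sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        $findings += "signed by '$($sig.SignerCertificate.Subject)', not by '$ExpectedPublisher'"
    }

    # 2. Integrity: compare against the hash the vendor publishes on its own site,
    #    never against one printed next to the download link in a video description or README.
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        if ($actual -ne $ExpectedSha256) { $findings += "SHA256 mismatch: got $actual" }
    }

    # 3. Archives: list the contents before extracting and flag executable content and
    #    double-extension names such as "readme.txt.exe" (assumed heuristic lists).
    if ($Path -match '\.zip$') {
        Add-Type -AssemblyName System.IO.Compression.FileSystem
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                if ($entry.Name -match '\.(exe|dll|msi|scr|js|vbs|ps1|bat|cmd|lnk)$') {
                    $findings += "archive contains executable content: $($entry.FullName)"
                }
                if ($entry.Name -match '\.[a-z0-9]{2,4}\.(exe|scr|js|vbs)$') {
                    $findings += "double extension: $($entry.FullName)"
                }
            }
        } finally { $zip.Dispose() }
    }

    [pscustomobject]@{ Path = $Path; Clean = ($findings.Count -eq 0); Findings = $findings }
}

# Usage with placeholder values (replace with the vendor's published hash and name):
# Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\vpn_setup.exe" -ExpectedPublisher '<VendorName>' -ExpectedSha256 '<hash from vendor site>'
# Test-DownloadedFile -Path "$env:USERPROFILE\Downloads\gpu_tool.zip"
```

A `Clean` result only means the file passed these three checks; it does not vouch for a signed binary from an unexpected publisher that happened to match the name filter, so treat the `Findings` list as the output worth reading rather than the boolean.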
Source: https://www.malwarebytes.com/blog/threat-intel/2026/04/from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere