EXECUTIVE SUMMARY
Attackers are using a wide range of lures, including fake VPN downloads, hardware utilities, and gaming mods, to spread a Windows infostealer known as NWHStealer. The threat is distributed through multiple channels, including fake websites, code hosting platforms, and file hosting services, with the goal of stealing sensitive information such as browser data, saved passwords, and cryptocurrency wallet information. The attackers deliver the malware in several ways, including self-injection and injection into other processes such as RegAsm, and take steps to evade detection, such as using custom decryption functions and implementing a dead drop via Telegram.
Once installed, the stealer collects and exfiltrates data from multiple browsers, including Edge, Chrome, and Firefox, and injects a DLL into browser processes to extract and decrypt browser data. The attacker also uses a known CMSTP UAC bypass technique to execute PowerShell commands and to create scheduled tasks that run the payload at user logon with elevated privileges. Data sent to the command-and-control server is encrypted with AES-CBC, and if the primary server is unavailable, the stealer retrieves a new C2 domain via a Telegram-based dead drop.
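The process-creation patterns described above (cmstp.exe launching PowerShell, a logon-triggered scheduled task at the highest run level, and RegAsm.exe started by an unexpected parent) can be turned into simple detection heuristics. The following is an added example, not code from the original report; the events are constructed Sysmon-style records, and the DEV_PARENTS allow-list is an assumption to be tuned per environment.

```python
# Constructed Sysmon-style process-creation events (EventID 1 field names); not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Users\u\AppData\Local\Temp\stage.ps1"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"schtasks.exe /Create /SC ONLOGON /RL HIGHEST /TN Updater /TR C:\Users\u\AppData\Roaming\upd.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\u\Downloads\vpn_setup.exe",
     "CommandLine": "RegAsm.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile"},
]

# Parents from which RegAsm.exe is expected to run (assumed allow-list; tune per environment).
DEV_PARENTS = {"devenv.exe", "msbuild.exe", "installutil.exe"}

def leaf(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """Return the heuristic names an event matches; an empty list means no match."""
    image, parent = leaf(event["Image"]), leaf(event["ParentImage"])
    cmd = event["CommandLine"].lower()
    hits = []
    # CMSTP UAC bypass: cmstp.exe as the parent of a PowerShell host has no normal admin use.
    if parent == "cmstp.exe" and image in ("powershell.exe", "pwsh.exe"):
        hits.append("cmstp_spawns_powershell")
    # Persistence: logon-triggered task at the highest run level pointing into a user-writable path.
    if (image == "schtasks.exe" and "/create" in cmd and "/sc onlogon" in cmd
            and "/rl highest" in cmd and ("\\users\\" in cmd or "\\appdata\\" in cmd)):
        hits.append("logon_task_highest_privileges")
    # Injection host: RegAsm.exe is a .NET SDK tool; a parent outside the dev tooling is unusual.
    if image == "regasm.exe" and parent not in DEV_PARENTS:
        hits.append("regasm_unexpected_parent")
    return hits

def scan(events):
    """Map the index of each matching event to its hits, skipping benign events."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits, SAMPLE_EVENTS[idx]["CommandLine"])
```

Tasks registered through the Task Scheduler API rather than schtasks.exe do not produce a matching command line, so pair the second heuristic with Security event 4698 (task created) in practice.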
This threat is significant because stolen credentials and wallet data can lead to account takeovers, financial loss, and further compromise. Organisations should take defensive actions such as patching vulnerabilities, monitoring for suspicious activity, maintaining up-to-date backups, and implementing robust endpoint protection. Additionally, users should be cautious when downloading software, should only download from official websites, and should be wary of links in YouTube descriptions and on file-sharing platforms.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1078 | Valid Accounts | — |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1204 | User Execution | — |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Persistence | T1053 | Scheduled Task/Job | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1112 | Modify Registry | — |
| Collection | T1005 | Data from Local System | — |
| Command and Control | T1071 | Application Layer Protocol | — |
| Command and Control | T1090 | Proxy | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Impact | T1490 | Inhibit System Recovery | — |
REFERENCES:
The following reports contain further technical details:
https://www.malwarebytes.com/blog/threat-intel/2026/04/from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere