Memorial Day weekend officially kicks off summer, and for millions of Americans, that means road trips, flights, cookouts, and a little online shopping for the deals.
Unfortunately, scammers know this. They count on the fact that you’re distracted, you’re moving fast, and you’re probably connected to a network you don’t own.
Here are five scams surging this holiday weekend, what they look like, and how to stay ahead of them.
1. Fake Travel Alerts from “Your Bank” or Hotel
You’re packing your bag when a text arrives: “Unusual activity detected on your account. Verify now to avoid suspension.”
It looks like it’s from your bank, or maybe your hotel loyalty program. There’s a link. There’s urgency. And that’s exactly the point.
These are brand impersonation scams, and they’re a dominant tactic year-round, but they spike around travel holidays when people are actively monitoring reservations and accounts.
Example of a fraudulent AMEX message.
According to McAfee research, trusted brands like banks, airlines, and hotels are among the most commonly impersonated, and email scams impersonating retail and financial brands have surged up to 85% as major holidays approach.
The message will typically ask you to click a link and “confirm your details” to secure your account or honor a reservation. That link leads to a convincing-looking fake site designed to capture your login credentials, payment info, or both.
How to Avoid Travel Alert Scams:
Don’t click links in unsolicited texts or emails.
Go directly to the company’s app or website by typing the URL yourself.
Remember: pressure is a tactic, not customer service.
McAfee’s Scam Detector can flag suspicious messages before you interact with them, whether they come via text, email, or social media.
2. Fake Memorial Day Weekend “Deals”
Memorial Day is one of the biggest shopping weekends of the year. Scammers treat it like an open invitation.
Fraudulent retailers flood social feeds with too-good-to-be-true deals on everything from patio furniture to electronics, often impersonating legitimate brands with copycat websites and paid ads.
According to McAfee’s holiday shopping research, 91% of shoppers see ads from unfamiliar retailers, 37% say they might buy from a brand they don’t recognize, and a full 40% of consumers have abandoned a purchase out of fear that the deal wasn’t real.
The most impersonated brands in McAfee’s research span luxury labels (Coach, Dior, Gucci) to mainstream favorites (Apple, Samsung, Nintendo, Disney), exactly the kind of items that show up in “blowout sale” ads. Fake storefronts have grown significantly, with technology URL scams rising nearly 50%.
Once shoppers enter their payment details on a fraudulent site, that information goes directly to criminals. The average scam loss during the holiday shopping period runs around $840 per victim.
How to Avoid Shopping Scams:
Type retailer URLs directly into your browser instead of clicking through ads or social posts.
Look for HTTPS and double-check the domain carefully before entering any payment info.
If a deal looks unbelievably good, verify it on the retailer’s official app before buying.
McAfee’s Web Protection blocks malicious and suspicious sites before they load, including fake checkout pages.
3. QR Code Scams at Gas Stations and Travel Stops
If you’re road-tripping this weekend, you may scan a QR code somewhere. It could be at the gas pump, a rest stop, a parking meter, or a roadside attraction. Scammers know this too.
Criminals increasingly place fake QR codes over legitimate ones on gas station pumps, parking kiosks, and public signs. When you scan, you’re redirected to a convincing-looking payment or login page that captures your financial information. This is known as “quishing” or phishing via QR code.
McAfee research shows just how widespread this risk has become: 68% of people scanned a QR code in the past three months, and 18% ended up on a suspicious or unsafe page after scanning. Among those who did, more than half took a risky action like entering personal information, installing an app, or connecting a digital wallet.
How to Avoid Sketchy QR Codes:
Before scanning any QR code in public, look closely at the sticker or sign.
If it looks like it’s been placed over something else, skip it.
If you do scan, check the URL before proceeding.
McAfee’s Scam Detector now includes instant QR code safety checks that assess risk before you tap, so you’re not flying blind at the gas pump.
This shows how McAfee blocks unsafe QR codes.
4. Public Wi-Fi Traps at Airports, Hotels, and Coffee Shops
Whether you’re waiting at the airport or grabbing coffee before hitting the highway, free Wi-Fi can feel like a gift. But not every “free Wi-Fi” network is what it appears to be.
Hackers set up what are called “evil twin” networks, hotspots with names designed to look exactly like the legitimate network at the airport, hotel, or café you’re in.
The moment you connect, they can use tools called packet sniffers to capture the data you send and receive: passwords, banking credentials, credit card numbers, email logins.
According to McAfee’s travel research, 63% of travelers connect to public Wi-Fi, and 49% use airport Wi-Fi, making these among the riskiest behaviors travelers engage in without realizing it.
Some of these fake networks go further, presenting a phony login screen that captures your username and password for popular services like Google or Apple before you even realize you’ve been compromised.
How to Avoid Malicious Wi-Fi :
Always confirm the exact Wi-Fi network name with staff before connecting.
Turn off auto-join for Wi-Fi on your devices.
And most importantly: use a VPN.
A VPN creates an encrypted tunnel for your internet traffic, so even if a hacker intercepts it, they’ll only see scrambled data. McAfee’s VPN is included in McAfee+ plans and automatically connects when you join public Wi-Fi, exactly the protection you want when you’re traveling and connecting everywhere.
5. Toll Road and Parking Text Scams (Expect a Surge After the Weekend)
You may have seen these already: a text that says you owe an unpaid toll or parking fee, with a link to pay before penalties kick in. These scams have been circulating for a while, and there’s a good chance Memorial Day weekend is about to make them worse.
Scammers track news cycles and know that millions of Americans will be driving this weekend, many of them through toll roads and unfamiliar areas.
That means they can blast out fake “unpaid toll” texts after the holiday and a significant percentage of recipients will think: “Actually, I did drive somewhere new this weekend.” That uncertainty is exactly what they’re counting on.
Fake court notices threatening parking and toll violations have been making the rounds this spring.
These texts typically impersonate EZPass, SunPass, or state transportation departments and create urgency around a small fee to avoid larger fines. The link leads to a fake payment page designed to steal your credit card details.
How to Avoid Toll Scams:
Don’t click links in unsolicited toll or parking texts.
If you think the charge might be legitimate, go directly to your state’s official toll authority website and look up your account there.
Real toll agencies will not threaten immediate penalties over text with a payment link.
If you receive one of these texts after this weekend, treat it as suspicious by default.
Have a Safe Memorial Day Weekend
Scammers don’t take holidays. If anything, long weekends are peak season. The good news: a little awareness goes a long way. Slow down before you click, verify before you scan, and protect your connection before you log on.
McAfee+ Advanced comes with layered protection across all the moments where scams are most likely to strike, from the gas station to the hotel lobby to your inbox.
You’re comparing airfare on your phone, watching prices climb by the hour, when a deal pops up that feels just good enough to grab. The timer’s ticking. The price looks right. You don’t want to miss it.
You’re comparing airfare on your phone, watching prices climb by the hour, when a deal pops up that feels just good enough to grab. The timer’s ticking. The price looks right. You don’t want to miss it.
That moment, when you’re rushing to lock something in, is exactly where scams thrive.
New McAfee research shows that more than 1 in 3 Americans have encountered a travel-related cyberthreat, and 41% of those impacted lost money, often exceeding $500.
This shows a screenshot of a fake Booking.com website detected by McAfee that was attempting to trick users into running malicious script/code
At the same time, rising travel costs and time pressure are pushing people to make faster, riskier decisions. Those arethe exact conditions scammers rely on.
That’s where protection has toshow up earlier.
McAfee’s Scam Detector lets you check suspicious links, messages, and booking sites before you click, so you can pause and verify instead of giving scammers the edge.
Travel Scams, Red Flags, and How McAfee Protects You
Travel Scam Type
Key Red Flags
How McAfee Helps
Fake travel deals
Prices far below market, pressure to “book now,” sites you’ve never heard of
Scam Detector flags suspicious links and explains why they’re risky, so you can avoid fake deals before you book
Fake booking confirmations
Unexpected messages about bookings you didn’t make, mismatched sender details
Scam Detector analyzes messages before you engage, helping you avoid fake confirmations
Fake airline/hotel websites
Slight URL changes, poor design, being pushed to pay immediately or off-platform
Safe Browsing helps block risky sites before you enter payment details, reducing the chance of fraud
Payment requests outside platforms
Asked to pay via wire transfer, crypto, or direct payment instead of official platforms
Scam Detector flags suspicious payment requests, helping you avoid sending money to scammers
QR code scams
QR codes posted in public with no clear source or context
Scam Detector checks QR links before they open, so you don’t land on malicious sites
Customer service impersonation
Calls or messages asking for login credentials or payment info
Scam Detector detects deepfake AI audio impersonation attempts, helping you avoid sharing sensitive information
AI-generated listings
Photos that look overly polished, details that don’t quite match up
Scam Detector identifies suspicious content patterns, helping you spot listings that aren’t real
Public Wi-Fi attacks
Open networks with no password or security prompts
VPN helps protect your data on public networks, keeping your personal information private
The Findings From Our 2026 Travel Research
McAfee Labs found that many travel scams work because they look familiar and spread fast.
TripAdvisor was the most commonly impersonated travel app, cloned at roughly three times the rate of other major platforms like Kayak, Expedia, and Booking.com.
In some cases, thousands of scam detections traced back to just a handful of fake apps, showing how quickly a convincing scam can take off when travelers are racing to book.
Top 5 Ways Rising Travel Costs Are Driving Risky Decisions
Our 2026 travel survey shows how rising prices and last‑minute pressure are changing traveler behavior, often in ways scammers exploit.
1. Booking faster than usual 90% feel pressure to act quickly
2. Choosing cheaper deals without verifying 32% would book before confirming legitimacy
3. Ignoring red flags 33% admit they’ve done it
4. Trusting messages that look legitimate 41% trust airline/hotel messages without verifying
5. Clicking links without checking the source 20% click first, verify later (or not at all)
The Travel Scams People Are Most Likely to Fall For
According to our consumer survey findings, those who reported falling for a travel scam said these were the methods scammers used to trick them:
1. Fake travel deals or promotions (15%)
2. Scam booking confirmations or updates (15%)
3. Manipulated accommodation listings or photos (15%)
4. Payment requests outside official platforms (11%)
5. Fake vacation rental listings (10%)
6. Fake airline or hotel websites (9%)
7. Customer service impersonation (9%)
8 Ways Travelers Put Themselves at Risk Without Realizing It
These common traveler behaviors are popular avenues for criminals to steal your information, data, and money.
1. Connecting to public Wi-Fi (63%)
2. Scanning QR codes without verifying (62%)
3. Using airport Wi-Fi (49%)
4. Trusting travel-related messages (41%)
5. Logging into financial apps on public Wi-Fi (22%)
6. Sharing travel plans in real time (22%)
7. Clicking travel links without verifying (20%)
8. Using shared/public computers (15%)
How McAfee Protects You Before, During, and After Your Trip
As prices rise and decisions happen in real time, it’s easy to prioritize convenience over caution. But that’s exactly the moment when small checks matter most.
Stage of Travel
What’s Happening
How McAfee Helps
Before You Book
Comparing deals, clicking promotions, booking flights and hotels under time pressure
Scam Detector checks links, messages, and booking sites before you click, helping you avoid fake deals and scam listings
During Your Trip
Connecting to public Wi-Fi, scanning QR codes, receiving travel updates and alerts
VPN helps secure your connection on public Wi-Fi, while Scam Detector flags suspicious messages and unsafe links in real time
After Your Trip
Accounts remain active, travel data stored across platforms, potential exposure from breaches
Identity Monitoring alerts you if your personal information appears online, helping you act quickly before damage spreads
With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done.
Spend more time on your vacation, and less time worrying about scammers who want your vacation fund.
McAfee Total Protection just took first place in the latest AV-Comparatives PC Performance Test, the gold standard for measuring how much (or how little) security software slows down your computer.
With an overall impact score of 3.3 out of a possible 100, McAfee outperformed all 19 other security products tested and earned the highest possible rating: 3 Stars ADVANCED+.
The industry average? 12.8. McAfee came in nearly 4x lower than that. The lower the impact score, the less the software gets in your way
What Is the AV-Comparatives PC Performance Test?
AV-Comparatives is an independent cybersecurity testing lab that has been rigorously evaluating security software since 1999. Unlike a review written by a single journalist or a score based on a company’s own claims, AV-Comparatives tests are:
Independent: delivers unbiased, data‑driven evaluations of security products
Standardized: every product is tested under the same conditions
Widely trusted: regularly cited in product roundups, expert reviews, and buying guides that shape how consumers choose security software
The PC Performance Test specifically measures how much a security product impacts your computer’s everyday speed. Testing is conducted on a real Windows 11 machine (Intel Core i3, 8GB RAM, SSD) with all default settings enabled and an active internet connection. That’s the same setup millions of everyday users have at home.
The lower the impact score, the less the software gets in your way.
What McAfee’s Score Actually Means
McAfee Total Protection scored 3.3, the lowest impact score of all 20 products tested, and well below the industry average of 12.8.
Here’s a simple way to think about it: if the average security product takes a measurable toll on your machine while it works in the background, McAfee barely registers. You get full, always-on protection without the sluggishness that frustrates so many users.
This result earned McAfee the ADVANCED+ rating, the highest tier AV-Comparatives awards, reserved for products that deliver top-tier performance with minimal system impact.
Why “Lightweight” Protection Matters More Than You Think
There’s a common misconception that stronger protection means a heavier, slower product. McAfee’s results prove otherwise.
When your security software is slow, you notice it:
Apps take longer to open
Downloads feel sluggish
Your machine lags during everyday tasks
You’re tempted to disable protection to get your speed back, leaving yourself exposed
A lightweight product means protection that works quietly in the background, without making you choose between safety and performance. That’s the promise behind McAfee’s result, and it’s now independently verified.
AV-Comparatives Test Results
First Place, But Not for the First Time
This isn’t a one-off result. McAfee has earned the ADVANCED+ rating consistently across multiple rounds of AV-Comparatives testing, demonstrating that this level of performance isn’t luck. It’s the result of deliberate, sustained engineering.
Independent, repeatable results like these are what separate marketing claims from proven performance.
With McAfee, you get award-winning protection and award-winning performance, so your devices stay secure without slowing you down.
Which McAfee Plans Include This Protection?
The same AI-powered threat protection validated in this test is built into every major McAfee plan:
McAfee+ Premium
McAfee+ Advanced
McAfee+ Ultimate
McAfee Total Protection
McAfee LiveSafe
Whether you’re protecting one device or an entire household, you’re getting the same industry-leading, independently verified performance under the hood.
A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too.
First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE.
It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure.
Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral.
The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly.
From there, one of two things usually happens:
You’re taken to a fake payment page designed to steal your money, or
You’re prompted to download something that gives scammers access to your device or data
Either way, the goal is the same: get you to act fast before you have time to question it.
Here’s the scam text I got in California. You’ll notice it looks exactly like the others across the country.
The red flags in this message
Urgent, threatening language about fines, penalties, or legal action
Vague accusations with no real details about what you supposedly did
Official-looking formatting like case numbers, clerk signatures, and judge names
Copy-paste consistency across states: McAfee employees in New York and California received nearly identical messages with the same names
There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues.
What to do if you scanned the QR code
First, don’t panic. Then:
Do not pay anything or enter personal information
Do not delete apps you were told to install (this can make it harder to detect what happened)
Run a device scan using a trusted security tool like McAfee’s free antivirus
Keep an eye on your financial accounts and logins for unusual activity
And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).
Let’s get into what else is on our radar.
Deepfake Celebrity Ads Are Targeting Seniors on Social Media. Here’s What a New Study Found.
If you saw our story last year about Al Roker speaking out after scammers used an AI-generated version of him to promote a fake hypertension cure, or the shocking case of a French woman who lost nearly $900,000 to fraudsters posing as Brad Pitt, you already know just how convincing celebrity deepfake scams have become.
Now, new reporting suggests these scams are reaching older adults at enormous scale.
According to a new study from the Center for Countering Digital Hate, just 30 of the most active scam advertisers on Facebook generated an estimated 215 million ad impressions over the past year. Nearly 73% of those impressions were shown to adults over 65.
The fake ads used AI-generated versions of well-known figures including Donald Trump, Joe Biden, Oprah Winfrey, Steve Harvey, and Brad Pitt to promote fake government benefits, miracle health products, and bogus financial offers.
These are some of the AI-generated and photoshopped images used by scammers last year to convince a woman she was dating Brad Pitt.
What McAfee’s Data Says About Celebrity Deepfake Scams
72% of Americans have seen a fake celebrity or influencer endorsement online
39% have clicked on one of these ads or posts
1 in 10 lost money or personal information
Average losses reached $525 per victim
The celebrities most commonly exploited in the U.S. included Taylor Swift, Scarlett Johansson, Jenna Ortega, and Sydney Sweeney, while Brad Pitt also ranked prominently on the global list.
When a familiar face appears in your social feed, whether it is Al Roker recommending a health product or Brad Pitt asking for help, your guard naturally drops.
And AI is making these fakes harder to detect.
McAfee’s 2026 State of the Scamiverse found that Americans now encounter an average of three deepfakes every day, yet more than one in three say they are not confident they can identify one.
In other words, scammers are weaponizing the faces people know best to make fraud feel familiar.
How to Spot a Deepfake on Social Media
Celebrity deepfakes are designed to look convincing, but there are still clues that something is off. If you see a video of Oprah Winfrey, Al Roker, or Brad Pitt promoting a miracle cure, government benefit, or investment opportunity, pause before you click.
Here are some of the biggest red flags to watch for:
Red Flag
What to Look For
Too-good-to-be-true offers
The video promises free grocery money, secret Medicare benefits, guaranteed investment returns, or miracle health cures.
Out-of-character endorsements
A celebrity appears to promote a random supplement, financial opportunity, or government program that seems unrelated to their normal work.
Robotic or unnatural voice
The speech sounds overly smooth, lacks natural pauses, or has strange pacing and tone.
Lip-sync issues
The celebrity’s mouth movements do not perfectly match the words being spoken.
Unnatural facial expressions
Blinking, smiling, and head movements appear stiff, overly polished, or slightly off.
Urgent language
The ad pressures you to “Act now,” “Claim your benefits today,” or “Limited spots available.”
Suspicious links
Clicking leads to a website you do not recognize or that does not match the company or organization being referenced.
No confirmation elsewhere
Trusted news outlets and the celebrity’s verified accounts do not mention the same announcement or offer.
When in doubt, go directly to the celebrity’s verified social account or search trusted news sources to confirm the information. And if something feels off, trust your instincts. In the age of AI, seeing is no longer believing.
How McAfee Helps You Stay Ahead of These Scams
McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment:
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click or scan
Device Security helps detect and remove malicious apps or downloads
Identity Monitoring alerts you if your personal info shows up where it shouldn’t, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you a harder target in the first place
Secure VPN keeps your data private, especially on public Wi-Fi
Safety tips to carry into next week
Slow down when a message creates urgency. That’s the hook
Don’t scan QR codes or click links from unexpected texts
Go directly to official websites instead of using links sent to you
Use tools that flag scams in real time so you don’t have to guess
Don’t trust celebrity endorsements posted to social media unless they come directly from a celebrity’s official page
The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help.
We’ll be back next week with more scams making headlines.
McAfee Labs has recently uncovered a large scale CountLoader campaign that uses multiple layers of obfuscation and staged payload delivery to evade detection and maintain persistence in infected systems. The infection process relies on several layers of loaders, including PowerShell scripts, obfuscated JavaScript executed through mshta.exe, and in memory shellcode injection, each stage decrypting and launching the next. The attackers employ a custom encrypted communication protocol to interact with their C2 servers. By registering a backup domain used by the malware, we were able to sinkhole the traffic and observe thousands of infected machines connecting to the C2 infrastructure. Final payload deployed in this campaign is a cryptocurrency clipper, which monitors clipboard activity and replaces copied wallet addresses with attacker controlled ones to redirect cryptocurrency transactions.
Sinkholing
Sinkholing is a defensive technique in which researchers take control of malicious domains or infrastructure used by malware. Instead of allowing infected systems to communicate with attacker controlled C2 servers, the traffic is redirected to a researcher controlled server. This approach enables researchers to monitor infected hosts, collect telemetry, measure the scale and spread of a campaign.
Key Findings
McAfee researchers identified a large-scale CountLoader campaign using multi-stage payload delivery and heavy obfuscation techniques.
Researchers successfully sinkholed malware communication using a backup C2 domain, enabling visibility into the campaign’s infrastructure and infected hosts.
The sinkhole received approximately 5,000 connections per minute from infected systems.
Telemetry collected during the investigation revealed around 86,000 unique infected machines.
The malware also spreads through USB drives, with approximately 9,000 infections attributed to removable media.
The final payload deployed in this campaign is cryptocurrency clipper malware that hijacks clipboard data to redirect cryptocurrency transactions.
C2 Sinkholing and Geographical Prevalence
As the malware contacts the C2 servers in the reverse order and only hell1-kitty[.]cc was used by attackers, we were able to register hell10-kitty[.]cc and were able to gain insights into the campaign.
Figure 1: Sinkholing malware communication
On average, around 5,000 infected clients contacted our server every minute.
In total, we observed approximately 86,000 unique infections.
Telemetry collected revealed that this CountLoader campaign has a broad global footprint. The highest number of infections were observed in India, followed by Indonesia, the United States, and several countries across Southeast Asia.
Figure 2: Global distribution of CountLoader infections.
Conclusion
CountLoader is a multistage malware loader that uses obfuscated JavaScript and trusted Windows utilities to deliver additional payloads. It ensures persistence via scheduled tasks and uses multiple fallback C2 domains to maintain reliability. Malware employs in-memory execution and security bypass techniques to evade detection.
In recent campaigns, it has been observed deploying cryptocurrency clipper malware to silently hijack transactions.
McAfee Researchers identified a flaw in its communication mechanism and were able to exploit it to gain insights into the campaign.
Technical Analysis
The following diagram illustrates the complete infection chain used in this CountLoader campaign, from the initial execution to the deployment of the final payload.
Figure 3: Infection Chain
The infection begins when an EXE file is executed. This file launches a PowerShell command, which downloads and executes an obfuscated JavaScript loader known as CountLoader. The loader is executed using mshta.exe, a legitimate Windows utility often abused by malware to run scripts.
Once executed, it performs several tasks:
Establishes persistence by creating a scheduled task that runs every 30 minutes.
Contacts multiple C2 servers, trying them in reverse order until a connection is successful.
Attempts to spread via USB drives by replacing files with malicious LNK shortcuts that execute the malware when opened.
Wait for the C2 server to issue commands to download and execute payloads.
The payload execution chain consists of several stages:
Launcher: A secondary JavaScript component creates another scheduled task that runs every 60 minutes, ensuring long term persistence.
PowerShell Packer: The launcher executes an obfuscated PowerShell script that acts as a packer. This script decrypts and launches the next stage.
Injector: The next PowerShell stage disables security mechanisms such as AMSI and injects shellcode into a legitimate process.
Shellcode Execution: The injected shellcode unpacks the final payload directly in memory.
Final Payload: The final payload is executed under the process systeminfo.exe. In this campaign, the deployed payload was identified as a cryptocurrency clipper malware, which monitors clipboard activity and replaces copied cryptocurrency wallet addresses with attacker controlled addresses.
Stage 1–Exe
The infection chain begins with the execution of a malicious EXE file, it immediatelyruns aPowerShellone-liner as shown in the below image.
Stage 2 – PowerShell
The PowerShell script fetched from the URL decodes a Base64-encoded string and executes the resulting content. It also employs an unusual obfuscation technique, where the variable names are crafted to resemble the highlighted pattern, making the script harder to read and analyze.
Multiple such variables are used to create a complete base64 string which is then decoded and executed through Invoke-Expression.
Stage 3 – CountLoader
The file is a HTA file with JavaScript that uses string obfuscation technique to evade detection.
It starts by hiding the mshta window to ensure that the malicious activity runs silently in the background without alerting the user.
The script then attempts to delete its own file in case it was executed locally. If the script determines that it is not being executed from a URL, it terminates immediately.
Then the script tries to contact C2 servers, iterating through the list in reverse order.
Figure 4: C2 communication protocol.
A handshake process is performed to verify connectivity with the server. The client sends an encrypted “checkStatus” message, and the server responds with an encrypted “success” message if the connection is valid
All communications between the client and the server are encrypted, with slightly different encryption schemes used for each direction:
Client to Server: text → (key+(base64encode(utf16le(xor(text, key)))))
Server to Client: text → (key+(base64encode(xor(text, key))))
The key is a randomly generated six digit number created for each message.
If the handshake is successful, the corresponding domain is selected as the active C2 server, which is used for all subsequent communications.
To maintain persistence on the infected system, the malware creates a scheduled task if one does not already exist.
The scheduled task command line is slightly different if it detects CrowdStrike or Reason AV installed on the system, likely as an attempt to evade detection from these AVs.
After establishing persistence, the malware gets a JWT token from the C2 server, which is used to authenticate further requests.
The get_jwt_token function sends system information about the infected host to the server.
This includes details related to cryptocurrency usage, such as installed wallets and browser extensions, allowing the attackers to determine whether the victim is likely involved with cryptocurrency.
Finally, the malware gets commands from the C2 server, which is then executed on the compromised system.
Each command contains a taskType value that determines the action to be performed on the infected system.
The table below shows the command codes and their actions.
Code
Command
1
execute exe file
2
execute python file
3
execute dll file
4
uninstall itself
5
send domain info to C2
6
execute msi file
9
spread by infecting usb files
10
execute HTA file
11
execute powershell file
We observed two commands from the above list being sent to the malwareas highlighted below:
Spreading via USB drives (taskType – 9)
When instructed by the C2 server to spread via USB drives, the malware replaces certain file types on all connected external drives with LNK shortcut files. These shortcuts are crafted so that when a user opens them, the malware executes while simultaneously opening the original file to avoid suspicion.
Targeted file types are exe , pdf , doc and docx.
The build ID of the malware is appended with “_usb”.
Deploying payload using powershell (taskType – 11)
The CountLoader is capable of running many types of executable files, In this campaign, it deploys a separate execution chain that ultimately leads to a clipper malware.
CountLoader launches the next stage using the following command line:
Payload Launcher
The Payload Launcher is very similar to CountLoader in terms of both functionality and obfuscation techniques.
However, unlike CountLoader, which retrieves tasks from the C2 server, the launcher contains hard-coded task information.
For persistence, it creates a scheduled task which executes “mshata.exe {domain}/{name}“ every 60 minutes.
In the task configuration:
“url” specifies the url of the payload.
“taskType” is set to 11, indicating that the payload should be executed as a PowerShell script.
Powershell Packer
The PowerShell script executed by the launcher acts as a simple packer. It is obfuscated using the same obfuscation technique mentioned earlier. Its primary function is to decrypt and execute another PowerShell script.
Injector
The next stage is another PowerShell script responsible for injecting shellcode into a running process.
After disabling AMSI, the script executes code that performs shellcode injection,
And injects in one of theselegitimateprocesses:
Shellcode
The injected shellcode unpacks and loads the final payload directly into memory,
Final Payload
The payload observed in this campaign is a clipper malware. This type of malware changes cryptocurrency address in clipboard to that of attacker’s when user copies any address.
It starts by fetching the C2 server address, which it gets by a technique called EtherHiding, where the C2 server address is fetched from Ethereum blockchain.
Once the C2 server address is obtained, the malware begins reporting system activity to the server.
It then continuously monitors the clipboard contents.
McAfee Coverage
McAfee provides extensive coverage against CountLoader:
If you have ever checked your child’s grades online, submitted a college paper through a school portal, downloaded homework assignments, or received messages from a teacher through a classroom app, there is a good chance you have used Canvas, a nationwide learning management system that was just in a massive data breach.
This is exactly the moment McAfee+ Advanced was built for. With our built-in Scam Detector to flag risky links, QR codes, and deepfakes; Identity Monitoring that alerts you when your data appears where it shouldn’t; and Personal Data Cleanup that removes your information from the dark web and data brokers, McAfee+ Advanced is an all-in-one solution for protection after a data breach.
Now let’s get into what you need to know about this breach:
Who Is Behind the Canvas Breach?
The ransomware group ShinyHunters is claiming responsibility for the attack. The group alleges it stole roughly 275 million records tied to nearly 9,000 schools and educational institutions worldwide.
How Did the Canvas Cyberattack Happen?
Instructure, the company behind Canvas, confirmed a cyber incident affecting its cloud-hosted environment. The attackers later posted claims about the breach on their leak site, where ransomware groups pressure organizations into paying by threatening to release stolen data publicly.
What Information Was Stolen in the Canvas Breach?
The stolen data reportedly includes:
Student names
Teacher and staff names
Email addresses
Student IDs
Course and enrollment information
School-related records
ShinyHunters claims the breach exposed roughly 275 million records and more than 231 million unique email addresses.
How Could the Canvas Data Breach Impact Families and Students?
Even if financial information was not exposed, this kind of data can still be extremely valuable to scammers. Criminals can use real school names, real classes, teacher names, and student information to create highly convincing phishing emails, fake school alerts, scholarship scams, tuition scams, or password reset messages.
A scam message referencing your child’s actual school or assignment is much harder to spot as fake.
This is what a Canvas message might look like when forwarded to your email inbox. Hackers claim to have millions of these types of messages.
This is a real message from Canvas from a community college professor after yours truly took an anthropology class for fun during the pandemic. It’s full of links to apply for programs and reach out to professors. It has exact details about courses I’ve taken.
While this correspondence is real, it’s exactly the type of messaging that scammers could fake and replicate, replacing real links with fake “paid” opportunities to pursue degrees.
Now think of the millions of messages and specific scenarios scammers have access to, to create dubious and convincing scams. That’s why protecting yourself after a breach is key.
What To Do Right Now
Here are some actions you can take immediately ot protect yourself after this breach:
Change you or your child’s Canvas password immediately, and update any other accounts where they reuse that password
Turn on multi-factor authentication(2FA) on parent and student accounts wherever the school permits it — Instructure’s own post-incident guidance specifically called out enforcing MFA as a recommended precaution
Ask your school what identity protection is being offered if sensitive data was involved
Consider placing a credit freeze on your or your child’s file to block new accounts from being opened in their name
Avoid clicking links in any messages that reference the breach, go directly to the official site instead
And that, my friends, is issue number one in this week’s This Week in Scams. Let’s get into what else is on our radar in cybersecurity and scam news.
Fake Amazon Recall Texts Are Targeting Shoppers
Your phone buzzes. It’s a text from an unknown number, but the message looks official.
“Dear Amazon Customer, we are writing to inform you that an item from your March 2026 order has been identified for recall.” There’s an order number. A link at the top of the message. A note about quality standards and a refund waiting for you.
It looks real. It has the Amazon logo, the branded formatting, even a reference to the “Amazon Customer Safety Team.” The only thing it doesn’t have? Any connection to Amazon at all.
A photo of a scam recall text I received this week. Luckily Scam Detector flags the link as risky if you try to click.
This is a fake Amazon recall scam, and it is making the rounds right now. The goal is to get you to click that link, which takes you to a site designed to harvest your login credentials, payment information, or both.
If you get a text like this, do not click the link. Go directly to amazon.com in your browser, log in, and check your orders and messages from there. Amazon does not initiate recall or refund processes through unsolicited texts with outside links.
What Is a Fake Amazon Recall Scam And How Does It Work?
A fake Amazon recall scam is a text message or email in which criminals impersonate Amazon to convince you that one of your recent orders has been flagged for a product recall. The message directs you to an external link leading to a phishing site designed to steal your Amazon credentials, credit card details, or personal information.
Red Flags To Watch For
The text comes from an unknown number, not a short code or verified sender
The link goes to a domain that is not amazon.com
The message asks you to complete a refund through an external link
Small typos or awkward phrasing appear in what looks like official communication
The greeting says “Dear Amazon Customer” rather than your actual name
What To Do If You Get One
Do not click the link
Go to amazon.com directly and check your orders and account notifications
Where McAfee Steps In (So You Don’t Have to Guess)
Scams today are layered. A fake email leads to stolen credentials. A breach leads to targeted phishing. And those follow-ups are getting harder to spot.
With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to figure out what’s real and what’s fake online. That’s nearly three full workweeks lost to second-guessing messages, alerts, and links.
And when scams do succeed, they move quickly. The typical scam unfolds in about 38 minutes, leaving little room for hesitation.
That creates a gap: People want to check before they act, but the tools haven’t always met them in that moment.
ChatGPT + McAfee is designed to close that gap, bringing scam detection directly to a platform people are already using to ask questions and make decisions.
And it’s available to anyone. You don’t have to be a McAfee subscriber.
This isn’t just detection. It’s guidance in the exact moment you’re deciding what to do.
Instead of guessing, you can paste a message or drop in a screenshot and get a clear explanation of what’s risky, and what to do next, powered by McAfee’s threat intelligence.
What You Can Do with ChatGPT + McAfee
With this integration, checking something suspicious becomes as simple as asking a question.
Paste a message. Drop in a link. Upload a screenshot.
McAfee analyzes it and explains what’s going on clearly and in context.
Here’s how it works:
Feature
What it does
How it protects you
Link safety check
Paste a suspicious URL and get a reputational analysis based on McAfee threat intelligence
Scam links are often designed to look legitimate. A quick check helps avoid phishing and malware
Message analysis
Submit texts, emails, or social messages for evaluation
Many scams now rely on urgency and tone. Analysis helps surface subtle red flags
Screenshot uploads
Upload screenshots of messages, emails, or posts for review
Scams don’t always come as clean text. This makes it easier to check what you’re actually seeing
Clear explanations
Get a breakdown of why something is flagged as risky or safe
Not just a warning—an explanation that helps you recognize patterns next time
Guided next steps
Receive recommendations on what to do next
Helps prevent escalation, especially in moments of uncertainty
It’s a quick, accessible way to get answers in the moment. But it’s just one part of a broader system designed to protect you more comprehensively.
Behind the scenes, ChatGPT + McAfee is powered by the same intelligence that fuels McAfee’s broader scam protection ecosystem.
When you submit something for review:
Links are checked against known threat signals
Messages are analyzed for scam patterns and language cues
Results are translated into clear, human-readable explanations
The goal isn’t just to flag risk. It’s to help you understand it.
A New Way to Stay Ahead of Scams
Scams aren’t slowing down. If anything, they’re becoming more convincing, more personalized, and harder to detect.
That’s where ChatGPT + McAfee comes in. But this is only one part of a much bigger system designed to protect you before, during, and after a scam attempt.
With McAfee+ Advanced, multiple layers work together so you’re not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
You’re scrolling through Facebook or TikTok and see it.
A flash sale from a brand you recognize. A limited-time investment opportunity. A job posting that promises quick money.
The ad has comments. The account looks polished. Maybe someone you follow even liked it.
So you click.
From there, things move fast. You’re pushed to act quickly, enter your information, or send payment before the “deal” disappears. And just like that, the money is gone or your account is compromised.
This isn’t an edge case anymore. According to new FTC data, nearly 30% of people who reported losing money to a scam in 2025 said it started on social media, with total losses hitting $2.1 billion.
That’s why McAfee+ Advanced includes comprehensive protection designed to help you spot and stop scams at every step, including McAfee’s Scam Detector, which flags suspicious links and messages and explains why they may be risky, along with identity and privacy tools that help protect your information if a scam slips through.
How Social Media Ad Scams Work
A social media ad scam is when scammers use paid ads, fake profiles, or hijacked accounts on platforms like Facebook, Instagram, or TikTok to promote fake products, services, or investment opportunities in order to steal money or personal information.
Step
What happens
What to do
How McAfee helps
1
You see an ad, post, or DM promoting a deal, job, or investment
Don’t engage immediately, even if it looks legitimate
Scam Detector flags suspicious links and messages before you interact
2
The ad links to a website or moves you into DMs
Avoid clicking unfamiliar links or continuing off-platform
Safe Browsing helps block risky or newly created websites
3
You’re pressured to act quickly or “secure your spot”
Slow down and verify the company independently
Scam Detector explains urgency tactics and why they’re risky
4
You’re asked to pay, share login info, or download something
Never send money or credentials based on a social media interaction
Identity Monitoring helps protect your personal data if exposed
5
The product never arrives, the investment disappears, or your account is compromised
Report the scam and secure your accounts immediately
Personal Data Cleanup and monitoring help reduce ongoing exposure
Red Flags To Watch For
Deals that feel unusually cheap or urgent
Ads linking to unfamiliar or slightly misspelled websites
Requests to move conversations off-platform quickly
Payment requests via apps, crypto, or wire transfer
Accounts with limited history or inconsistent engagement
And that is the first part of This Week in Scams! This Friday we’re taking a different format to talk about this new FTC data and all that it reveals.
Let’s keep digging in:
FTC Report: Social Media Scams Are Now The Most Costly Fraud Channel
New data from the FTC shows just how dominant social media has become in the scam landscape.
Social media scams drove $2.1 billion in reported losses in 2025
Losses have increased eightfold since 2020
Investment scams alone accounted for $1.1 billion of those losses
Where Scams Are Happening And What’s Changing
Category
What to know
Most common scams
Shopping scams lead, with over 40% of victims reporting purchases from social media ads that never arrived
Most costly scams
Investment scams drive the biggest losses, often starting with ads or group chats showing fake success
What’s changing
Scammers are using platform tools like ads, targeting, and profile data to reach people more precisely than ever
A new scam making the rounds takes a familiar delivery trick and upgrades it with hyper‑realistic messaging and a QR code that looks safe to scan.
But don’t be fooled.
It’s the same delivery scam playbook scammers have relied on for years, just repackaged with better design and more convincing details.
You get a message with a notice that looks something like this, a real message received by our team and tested against McAfee’s Scam Detector.
This is an example of the scam message we received, impersonating the USPS.
That added layer of realism is what makes this version more dangerous. But it doesn’t hold up under scrutiny. McAfee’s Scam Detector flagged both the suspicious language and the QR code in this message before any interaction.
If you receive something like this, pause. Do not scan the code.
You can also protect yourself with McAfee’s Scam Detector, which flags suspicious links and messages, including delivery scams and QR‑based attacks, and explains why they may be risky.
What is the USPS QR Code Scam and How Does it Work?
The USPS QR code scam is a phishing attempt where scammers impersonate postal services and use QR codes instead of clickable links to direct victims to malicious websites.
Once scanned, the QR code can lead to a fake USPS page that asks for payment, login credentials, or personal information.
How the scam works
Step
What happens
The red flags
What to do
How McAfee helps
1
You receive a text about a delivery issue or missed package
Requests for small “redelivery” or “processing” fees are not normal
Exit immediately and do not submit anything
Scam Detector explains why the page is risky, and Identity Monitoring supports you when if your info gets out.
What To Do If You Get This Message
Do not scan the QR code
Go directly to the official USPS website to check tracking
Delete the message
Report it as spam
Monitor your accounts if you interacted with it
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
A Major Health Data Breach Exposes 500,000 Records
A massive health data incident is raising new concerns about how sensitive information is handled and shared.
According to reporting from the Associated Press, data tied to 500,000 participants in a major U.K. health research project was found listed for sale online. The dataset included biological and health-related information, though it did not contain direct identifiers like names or contact details.
Access to the data had been granted to research institutions, but that access has since been revoked. Authorities say no purchases were made, and the listing has been removed.
Still, the situation highlights a growing reality: once data is accessed or shared, control over it becomes harder to guarantee.
What This Breach Says About Data Privacy
Scams are no longer isolated events. They are layered.
A data breach does not just stay a breach. It becomes fuel for future scams. Exposed information can be used to make phishing messages more convincing, personalize attacks, and build trust with targets.
That is why detection alone is not enough anymore. Protection has to account for both incoming threats and what happens when data is already out there.
How McAfee Protects You In A World of Scams and Data Breaches
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Your data might be safe today. But that doesn’t mean it’s safe forever.
A growing number of sophisticated actors are collecting encrypted data now, with the goal of decrypting it later, when more powerful technology becomes available.
This strategy is known as Harvest Now, Decrypt Later (HNDL). And it’s not a future problem. It’s already happening, according to research from our McAfee VPN team.
For everyday people, that means private messages, financial records, and sensitive documents could be exposed years from now if protections don’t evolve today.
That’s why security teams, including McAfee’s VPN engineers, are already working on ways to strengthen encryption for both today and what comes next.
What “Harvest Now, Decrypt Later” Means
At its core, HNDL is simple: Attackers collect encrypted data now, store it, and wait until they have the tools to unlock it later.
Even though today’s encryption is incredibly strong, the strategy doesn’t rely on breaking it today. It relies on patience.
A Simple Way to Think About It
You put valuable belongings and documents in a safe at home that’s locked and secured. This works at preventing crimes of opportunity. But let’s say there’s a thief who steals the entire safe, knowing they have tools they can use later to access what’s inside. They wait, and once the tools are available, they break into your safe and access everything inside.
That’s one way to think of HNDL. The safe is the encryption. The quantum computing is the tool they can use later.
But in real life, you’d probably notice if your safe is gone. In the case of HNDL, if you’re not monitoring your data, you may not even notice encrypted information has been stolen to be decrypted.
Key Terms Explained
Term
What it means
Encryption
Scrambling data so others can’t read it
Quantum computing
A new type of computing that can break some encryption
HNDL
A strategy to collect encrypted data now and decrypt it later
Why This Matters Right Now
This isn’t about whether your data is valuable today. It’s about whether it might be valuable later.
Data with a long shelf life is especially at risk, including:
Financial records
Medical information
Private messages
Legal or identity documents
Even something that feels low-stakes today could become sensitive in the future.
And because the collection phase is already happening, the risk isn’t hypothetical. It’s already in motion.
How This Affects VPNs (and what doesn’t change)
VPNs remain one of the most effective ways to protect your data today. That hasn’t changed.
But HNDL introduces a new layer of complexity.
What’s still strong: The encryption that protects your data in transit remains highly resilient.
Where the risk is: The “handshake” process (how a secure connection is established) is more vulnerable to future quantum attacks.
In simple terms: Your data is well protected today, but parts of how that protection is set up may need to evolve for the future.
What Quantum Computing Changes
Traditional computers process information in a linear way.
Quantum computers work differently. They can solve certain types of problems much faster, including the kinds of mathematical challenges that protect today’s encryption.
That’s why attackers are willing to wait.
Once quantum computing reaches a certain level, it could unlock data that was previously considered secure.
What McAfee’s VPN Team is Working On
McAfee’s VPN team is already preparing for this shift.
Evaluating quantum-safe encryption approaches
Exploring hybrid models that protect both now and long-term
Building toward a more resilient VPN experience
This work builds on a broader privacy-by-design approach, where systems are designed to minimize risk from the start, not react after the fact.
Because with HNDL, waiting isn’t an option.
What You Can Do Now
You don’t need to wait for quantum computing to take steps today.
Use a trusted VPN to encrypt your connection
Be mindful of long-term sensitive data you share online
Avoid unsecured public Wi-Fi when possible
Keep your apps and devices updated
These steps help protect your data now while the industry builds toward future-ready security.
How McAfee Helps Protect You
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
Frequently Asked Questions (FAQs)
FAQ
Q: Is my data safe right now?
A: In most cases, yes—today’s encryption is extremely strong and is designed to protect your data from current threats. If you’re using trusted security tools like a VPN, safe browsing protections, and device security, your data is actively protected while it’s in transit and in use. However, no system is risk-free. Data exposed through phishing, weak passwords, breaches, or unsecured networks may still be vulnerable. And with “Harvest Now, Decrypt Later,” even properly encrypted data could be collected today and targeted for decryption in the future.
Q: What is quantum-safe encryption?
A: Quantum-safe (or post-quantum) encryption refers to new types of cryptography designed to remain secure even against future quantum computers. Today’s encryption relies on math problems that are extremely difficult for classical computers to solve, but quantum computers could eventually solve some of them much faster. Quantum-safe approaches use different mathematical foundations that are believed to resist those capabilities. In practice, many companies are moving toward hybrid encryption, combining today’s proven methods with newer quantum-resistant techniques to protect data both now and long-term.
Q: Should I still use a VPN?
A: Yes. A VPN remains one of the most effective ways to protect your data today, especially on public or unsecured networks. It encrypts your internet traffic and helps prevent interception by hackers, internet providers, or other third parties. While VPN protocols are evolving to address future quantum risks, they still provide strong, essential protection against today’s threats.
Q: When will this become a real threat?
A: The risk unfolds in two phases. The collection phase is already happening today, where sophisticated actors gather encrypted data and store it. The decryption phase depends on when quantum computing advances far enough to break certain types of encryption, which could take years but is actively progressing. This means data with a long lifespan, such as financial records, personal communications, and sensitive documents, is most at risk because it only needs to remain valuable until those capabilities exist.
You open your inbox and see it: Your cloud storage is full.
There’s a warning about photos being deleted, your account being suspended, or a renewal failing. There’s a button to “fix it now.” Or a warning to “act today.”
It looks routine. Maybe even urgent enough to click.
That’s exactly the point.
An example of a cloud storage scam detected by McAfee.
Cloud storage scams are making headlines again, building on patterns we flagged earlier this year in our State of the Scamiverse research.
These emails have circulated steadily since 2025, often impersonating trusted brands like Apple, Microsoft, and Google. Many are timed to moments when people are already thinking about storage, backups, or subscriptions.
The safest move is simple: pause and don’t click. If there’s a real issue, go directly to your account through the official app or website.
You can also protect yourself with McAfee’s Scam Detector, which flags suspicious links and messages, including cloud storage scams, and explains why they may be risky.
What Is A Cloud Storage Scam And How Does It Work?
Cloud storage scams are phishing attacks designed to trick you into believing there’s an issue with your account so you’ll click a malicious link.
They often look like this, and include 3 key red flags:
Messages that create urgency like “act now or lose your data”
Generic greetings instead of your name
Links that don’t match the official domain
How the scam works (step-by-step)
Step
What happens
What to do
How McAfee helps
1. You receive a message
Email or text claims your storage is full or your account has an issue
Don’t click links directly from the message
Scam Detector flags suspicious messages before you interact
2. Urgency is introduced
Warning that files or photos will be deleted if you don’t act
Investment-related fraud topped the charts, with over $8.5 billion lost to investment cybercrime in 2025. And that’s just losses that were reported. Not everyone reports when they were scammed. (Image Courtesy FBI)
This is where layered protection matters. It’s not just about catching one bad link. It’s about recognizing patterns across messages, platforms, and moments when something feels slightly off.
How McAfee Protects You From Scams and Cyber Threats
McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Emails claiming to be from Social Security are making the rounds right now.
They look official. They sound official. And they’re designed to get you to click before you think twice.
The Social Security Administration’s Office of Inspector General is warning about a spike in messages that claim your Social Security statement is ready to download. The goal is simple. Get you to click a link or open an attachment.
From there, things can go sideways fast.
Before interacting with anything like this, it’s worth pausing and running it through a tool like McAfee’s Scam Detector. This is exactly the kind of message it’s built to flag. Something that looks legitimate, but feels just slightly off.
How The Scam Works
The email mimics official government communication, using logos, formatting, and language that feels familiar. It might say your statement is ready, your account needs attention, or you need to review a document.
Once you click:
You may be sent to a fake website designed to capture your personal information
You may download malware without realizing it
Or you may be prompted to enter sensitive financial details
Either way, the goal is the same: get access to your identity.
The Red Flags In These Emails
Messages claiming your social security statement is ready to download
Links or attachments labeled as official documents
Urgency pushing you to act quickly
Sender addresses that do not end in “.Gov”
The biggest tell: Social Security does not send emails like this asking you to download statements or provide sensitive information.
What To Do If You Get One
Do not click links or download attachments
Delete the email immediately
Access your account by going directly to the official SSA website
Report the message to the SSA Office of Inspector General
If you already clicked:
Stop communication immediately
Contact your financial institutions
Monitor your accounts closely
Report the incident to the FTC or the FBI’s IC3
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
A Healthcare Data Breach That Could Lead to Follow-Up Scams
Healthcare data breaches don’t always make headlines the same way big tech breaches do, but they can be just as serious.
According to reporting from Fox News, CareCloud, a company that supports electronic health records for tens of thousands of providers, recently confirmed a security incident involving unauthorized access to one of its systems.
The access lasted several hours. And while it’s still unclear whether any data was taken, that uncertainty is exactly what makes situations like this risky.
Because even if you’ve never heard of the company, your doctor might use it.
Why This Matters
Healthcare data is incredibly valuable. It can include:
Names and social security numbers
Insurance details
Medical history
Billing information
Unlike a credit card, you can’t just cancel your medical history.
And when that kind of data is exposed or even potentially exposed, scammers often follow up with messages that feel highly specific and personal.
What To Watch For Next
After incidents like this, scammers often move quickly:
Emails or texts pretending to be your provider
Messages about billing issues or medical records
Requests to “verify” your information
Links to log in or update your account
These scams work because they’re timed perfectly and feel relevant.
This is another moment where Scam Detector can help flag suspicious links or messages before you engage, even when they reference real healthcare providers.
How To Protect Yourself
Review medical bills and insurance statements for unfamiliar activity
Enable two-factor authentication on patient portals
Use strong, unique passwords
Avoid clicking links in unexpected healthcare-related messages
Consider identity monitoring to catch misuse early
Where McAfee Steps In (So You Don’t Have to Guess)
Scams today are layered.
A fake email leads to stolen credentials. A breach leads to targeted phishing. And those follow-ups are getting harder to spot.
McAfee+ Advancedgives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
We’re excited to share that McAfee’s Scam Detector has been named a finalist in the 2026 Webby Awards.
Recognized in the AI Experiences & Applications – Consumer Application category and named a Webby Honoree for Best Use of AI & Machine Learning, Scam Detector is being acknowledged for its effectiveness as an AI-driven consumer tool.
This recognition of Scam Detector validates something key in research findings. According to McAfee’s 2026 State of the Scamiverse report, Americans now spend 114 hours a year trying to decide what’s real and what’s fake online.
Scam Detector was built with this era of uncertainty in mind, designed to help people cut through confusion and identify scams as they appear. The Webby recognition reinforces to us that McAfee’s Scam Detector is doing exactly that.
What Are the Webby Awards?
The Webby Awards are presented by the International Academy of Digital Arts & Sciences and recognize excellence across the internet, including apps, software, AI, and digital experiences.
Each year, thousands of entries are evaluated, with finalists representing the top work in their category globally.
In addition to judged awards, the Webby Awards include a People’s Voice Award, which is decided by public vote.
How McAfee’s Scam Detector Uses AI to Stop Scams
Scam Detector is designed to help people identify scams where they’re most likely to happen, always ready to help you spot what’s real and what’s not when you least expect it.
It uses AI to analyze and flag suspicious:
Text messages and emails
Links and websites
QR codes
Social media messages
AI-generated and deepfake content
Beyond detection, Scam Detector explains why something was flagged as risky. That transparency helps show how decisions are made, so people can quickly understand the risk and feel more confident trusting what’s flagged.
As scams become more personalized and harder to detect, this combination of automatic detection and clear guidance is critical to preventing financial loss and identity theft.
Vote for McAfee’s Scam Detector
Scam Detector is eligible for the Webby People’s Voice Award, which is decided by public vote.
Voting is open through Thursday, April 16 at 11:59 pm PDT.
Winners will be announced on April 21, 2026.
And a big thank you to the McAfee teams who brought Scam Detector to life and who continuously improve how Scam Detector identifies new threats and adapts to the evolving world of AI-driven scams.
A tax system breach in Oklahoma is putting highly sensitive personal information at risk. And unfortunately, this is exactly the kind of situation scammers love to exploit.
Hackers reportedly accessed W-2 and 1099 files through Oklahoma’s online tax portal, according to state officials, exposing the kind of information that can open the door to tax fraud, identity theft, and highly targeted phishing attempts.
Before the follow-up scams start rolling in, this is the kind of moment where layered protection matters. McAfee+ Advanced includes identity monitoring and data cleansup that can help alert you if your personal information starts circulating where it shouldn’t, and Scam Detector can flag suspicious messages if scammers try to use this breach as a hook.
What Happened in Oklahoma
According to a statement by the Oklahoma Tax Commission and reported by KOCO News 5, a local ABC affiliate, suspicious activity inside the state’s Oklahoma Taxpayer Access Point system was identified in December 2025. The agency says impacted individuals have been notified directly by mail, and complimentary credit monitoring and fraud assistance are being offered.
When W-2s, 1099s, Social Security numbers, and tax-related records are exposed, scammers can use that information to:
File fraudulent tax returns
Try to open new accounts
Build phishing emails or texts that feel unusually real
Either way, the goal is the same: use real information to make the next scam more believable.
Red Flags of a Scam After a Breach Like This
The breach itself is real. But what often follows is a second wave of scams pretending to help.
Watch For:
Emails or texts about your “tax account” that create urgency
Messages asking you to verify personal information
Fake alerts about refunds, filings, or suspicious activity
Links telling you to log in and “secure” your account
That’s where people can get hit twice: once by the breach, and again by the scam that follows it.
What To Do If You’re Impacted
First, don’t panic. Then:
Take advantage of any free credit monitoring or fraud assistance being offered
Monitor your bank accounts, tax records, and credit reports closely
Consider placing a fraud alert or credit freeze if needed
Be extra careful with any message referencing taxes, refunds, or account access
Go directly to official sites instead of clicking links in emails or texts
And that, my friends, is scam number one in this week’s This Week in Scams.
Let’s get into what else is on our radar.
The FBI Impersonation Scam Showing Up Across the U.S.
Scammers pretending to be federal agents are making the rounds across the country, and this one is built to make people panic fast.
Field offices, including Chicago and Houston, are warning the public about fraudsters posing as FBI agents in calls, texts, and emails. In some cases, the scammers claim you’re connected to an investigation. In others, they say you’re a victim of fraud and need to act immediately to protect yourself.
Sometimes they do not stop there. They may also pretend to be bank employees working alongside the FBI, all to make the story feel more convincing and get access to your money or personal information.
The FBI has shared images of these suspects pretending to be agents. If you are contacted by these officials, report it to the FBI.
Why This Scam Works
This scam plays on the same pressure tactics we’ve seen over and over again: authority, urgency, and confusion.
If someone claims to be a federal agent, many people freeze up and assume they need to cooperate immediately. That’s exactly what scammers are counting on.
The FBI has been clear about this: federal law enforcement will not ask you for money or sensitive personal information over the phone, by text, or by email.
The Red Flags in This Message
Unsolicited outreach from someone claiming to be federal law enforcement
Pressure to act immediately
Requests for money, gift cards, prepaid cards, or personal information
Instructions to keep the conversation secret
Stories involving a bank “working with” the FBI
If it feels dramatic, high-pressure, and just a little off, trust that instinct.
What To Do if You Get One Of These Messages
Do not respond
Do not send money or share personal information
Contact the agency directly using publicly listed contact information
Save the message for your records
Report it to the FBI: 1-800-CALL-FBI (225-5324), or online at tips.fbi.gov.
This is also exactly the kind of message McAfee’s Scam Detector is built to flag before you get pulled in.
How McAfee Helps You Stay Ahead of Scams and Breaches
McAfee+ Advancedgives you multiple layers working together so you are not left figuring it out after the damage is done:
Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click
Secure VPN keeps your data private, especially on public Wi-Fi
This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened.
Safety tips to carry into next week
Be extra cautious after any real breach makes headlines
Do not trust unsolicited messages just because they reference real institutions
Never send money to someone claiming to be law enforcement
Go directly to official websites instead of clicking links
Use tools that flag suspicious messages in real time so you do not have to guess
The reality is, scams are getting better at looking official.
You should not have to be an expert to spot them. That’s why McAfee is here to help. We’re Safer Together.
We’ll be back next week with more scams making headlines.
This category recognizes work that doesn’t just perform, it matters: campaigns that raise awareness, inspire action, and make a real-world impact.
That’s exactly what “Keep It Real” set out to do.
Because behind every scam statistic is a person who thought they were making the right call. And too often, what follows isn’t just financial loss. It’s embarrassment, silence, and stigma.
We wanted to change that.
The campaign launched alongside McAfee Scam Detector to address a growing reality: scams powered by AI are becoming harder to recognize and easier to fall for.
“Keep It Real” paired real survivor stories with AI-driven protection to show how scams actually happen and how people can stop them in the moment.
The goal was simple:
Normalize the experience
Remove shame around being scammed
Help more people recognize scams faster
Because when people feel safe talking about scams, they’re more likely to spot them and stop them.
What Are the Shorty Awards?
The Shorty Awards honor the best work in social media, digital campaigns, and online storytelling across brands, creators, and organizations.
Now in their 18th year, the awards recognize campaigns that combine creativity, impact, and real-world relevance. Finalists are selected alongside leading global brands and judged on both industry evaluation and public voting.
How McAfee’s Scam Detector Fits In
McAfee’s Scam Detector is designed to help people identify scams across everyday digital moments.
It uses AI to fight AI by flagging suspicious:
Text messages and emails
QR codes and links
Social media messages
AI-generated and deepfake content
By combining automatic detection with clear guidance, Scam Detector helps people better understand what they’re seeing and decide what to trust.
Real Stories Behind the Campaign
A core part of “Keep It Real” was giving space to people who experienced scams to share what happened, in their own words.
These stories helped show that scams can happen to anyone and played a key role in breaking the stigma around being targeted.
This recognition reflects the work across McAfee teams who built and brought this campaign to life, including product, engineering, research, creative, and communications.
It also reflects the individuals who chose to share their real scam stories to help others recognize scams, stay safer, and end the shame and stigma around being scammed.
Support the Campaign
The Shorty Awards include a public voting component.
McAfee’s mobile research team has uncovered a large-scale Android malware campaign we’re tracking as Operation NoVoice.
The campaign was distributed through more than 50 apps previously available on Google Play, disguised as everyday tools like cleaners, games, and photo utilities. Together, the apps were downloaded more than 2.3 million times, though it’s unclear how many devices may have been impacted.
If the attack succeeds, the malware can gain deep control of a device, allowing attackers to inject malicious code into apps as they are opened and access sensitive data.
However, the most serious impact depends on the device.
On older or unpatched Android devices, the malware can install a highly persistent form of infection that may survive a standard factory reset. Newer Android devices with up-to-date security protections are not vulnerable to the root exploit observed in this campaign, though they may still be exposed to other types of malicious activity from these apps.
In other words, on vulnerable devices, the malware can behave like a kind of digital “zombie,” continuing to operate in the background even after a reset.
Operation NoVoice is what security experts call a rootkit malware attack.
A rootkit is a type of malware designed to gain deep, privileged control of a device while hiding its presence from the user and the operating system’s normal security tools.
Breaking the term down:
“Root” refers to the highest level of access on a system (administrator-level control).
“Kit” refers to a collection of tools used by an attacker to maintain that control.
Put simply, a rootkit allows attackers to operate underneath the normal apps and security protections on a phone, giving them powerful control while staying difficult to detect.
In the case of Operation NoVoice, the attack unfolds in several steps.
1) A normal-looking app starts the attack
The campaign began with apps that appeared harmless on the Google Play Store. These apps advertised themselves as tools like phone cleaners, puzzle games, or gallery utilities.
When a user downloaded and opened one of these apps, it appeared to work normally. There are no obvious signs to the user that anything is wrong.
2) The malware quietly checks the device
Behind the scenes, the app contacts a remote server controlled by the attackers.
The server collects information about the device, things like its hardware, operating system version, and security patch level. Based on that information, the attackers send back custom exploit code designed for that specific device.
3) The attack gains deep system access
If the exploit succeeds, the malware gains root-level access to the device.
At that point, the attackers can install additional malicious components and modify parts of the Android operating system itself.
4) Every app on the phone can be affected
Once the rootkit is installed, it modifies a core Android system library that every app relies on.
This allows attacker-controlled code to run inside any app the user opens.
That means the attackers could potentially access data from messaging apps, financial apps, or social media apps without the user noticing.
5) The malware can remain even after a reset
Operation NoVoice also includes persistence mechanisms designed to keep the malware active.
In some cases, the infection could survive a standard factory reset, because the malicious components modify parts of the system software that resets typically do not replace.
Fully removing the infection may require reinstalling the device’s firmware, something most users cannot easily do themselves.
*To be clear, these apps have been removed from Google Play and are no longer available for download.
Why The Name “Operation NoVoice”
The name Operation NoVoice comes from a hidden component inside the malware itself.
Researchers discovered a resource labeled “novioce” embedded in one of the attack’s later stages. The file contains a silent audio track that plays at zero volume.
This may seem strange, but it serves a purpose.
By continuously playing silent audio in the background, the malware can keep a foreground service running without drawing attention. This allows the malicious code to remain active while appearing harmless to the operating system.
The researchers believe the name “novioce” is likely a misspelling of “no voice,” referring to the silent audio trick used to keep the malware running.
How To Stay Safe from Malware Disguised as Apps
Operation NoVoice highlights an important reality: even apps that appear legitimate can sometimes hide malicious behavior.
Fortunately, there are several steps users can take to reduce their risk.
Be cautious with unfamiliar apps
Even if an app appears on the Google Play Store, it’s still important to review:
the developer’s name
the number of downloads
recent user reviews (check for negative reviews)
Apps with very few reviews, vague descriptions, or suspicious developer accounts can sometimes be part of malware campaigns. And exercise even greater caution with apps promoted through advertisements or that create a a sense of urgency.
Keep your phone updated
Many attacks rely on exploiting known vulnerabilities in older versions of Android.
Installing system updates and security patches helps reduce the chance that these exploits will work.
Remove apps you don’t recognize
If you notice apps on your device that you don’t remember installing, review them carefully and remove anything suspicious.
Keeping your phone’s app list clean reduces the potential attack surface.
Use mobile security protection
Mobile security software can help detect suspicious behavior and block known malware.
What Operation NoVoice Tells Us About the Future of Mobile Threats
Operation NoVoice highlights how mobile malware is evolving. Instead of obvious malicious apps, attackers are increasingly hiding their operations inside ordinary-looking tools distributed through legitimate app stores.
What makes this campaign particularly concerning isn’t just the number of downloads or the technical complexity. It’s the way the malware combines several advanced techniques, device-specific exploits, modular plugins, and deep system persistence, into a single attack chain.
That approach allows attackers to quietly turn an everyday app download into long-term control of a device.
That’s why keeping devices updated, reviewing apps carefully, and using mobile security protection are becoming increasingly important. As Operation NoVoice shows, today’s malware isn’t just trying to get onto devices; it’s trying to stay there.
McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The malware described in this blog relies on vulnerabilities Android made patches available for in 2016 – 2021. All Android devices with a security patch level of 2021-05-01 or higher are not susceptible to the exploits that we were able to obtain from the command-and-control server. However patched devices that downloaded these apps could have been exposed to unknown potential payloads outside of what we discovered. The attack begins with apps that were previously available on Google Play that appear to be simple tools such as cleaners, games, or gallery utilities. When a user downloaded and opened one of these apps, it appeared to behave as advertised, giving no obvious signs of malicious activity.
In the background, however, the app contacts a remote server, profiles the device, and downloads root exploits tailored to that device’s specific hardware and software. If the exploits succeed, the malware gains full control of the device. From that moment onward, every app that the user opens are injected with attacker‑controlled code.
This allows the operators to access any app data and exfiltrate it to their servers. One of the targeted apps is WhatsApp. We recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker’s infrastructure.
On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September 2021, this rootkit is highly persistent; a standard factory reset will not remove it, and only reflashing the device with a clean firmware will fully restore the device.
In total, we identified more than 50 of these malicious apps on Google Play, with at least 2.3 million downloads.
McAfee identified the malicious apps, conducted the technical analysis, and reported its findings to Google through responsible disclosure channels. Following McAfee’s report, Google removed the identified apps from Google Play and banned the associated developer accounts. McAfee is a member of the App Defense Alliance, which supports collaboration across the mobile ecosystem to improve user protection. McAfee Mobile Security detects this malware as a High-Risk Threat. For more information, and to get fully protected, visit McAfee Mobile Security.
Background And Key Findings
Android malware has been moving toward modular frameworks that update themselves remotely and adapt to each device. Campaigns like Triada and Keenadu have shown that replacing system libraries gives attackers persistence to survive factory resets. BADBOX has shown that backdoors pre-installed through the supply chain can reach millions of devices. Recent research has confirmed links between several of these families, suggesting shared tooling rather than isolated efforts.
NoVoice fits both trends but does not rely on supply chain access. It reaches devices through Google Play and achieves the same level of persistence through exploitation. McAfee’s investigation revealed the following key findings:
All carrier apps were distributed through Google Play. No sideloading required, no user interaction beyond opening the app.
C2 infrastructure remains active at the time of publication.
The C2 server profiles each device and delivers root exploits matched to its hardware and software version.
The rootkit overwrites a core system library, causing every app on the device to run attacker code at launch.
The infection survives factory reset and can only be removed by reflashing the firmware.
The chain is fully plugin-based. Operators can push any payload to any app on the device at runtime.
The only task we recovered clones WhatsApp sessions, but the framework is designed to accept any objective.
Naming
The name comes from R.raw.novioce, a silent audio resource embedded in one of the later-stage payloads. It plays at zero volume to keep a foreground service alive, abusing Android’s media playback exemption. We believe it is a deliberate misspelling of “no voice.”
Distribution Method
All carrier apps were distributed through Google Play and request no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under tampered com.facebook.utils, blending in with the real Facebook SDK classes the apps already include.
Figure 1: One of the carrier apps on Google Play
The initial payload is embedded in the app’s asset directory as a polyglot image. This means the file displays and renders a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the PNG IEND marker. Since that marker signals to image viewers that the image data ends there, the appended payload remains hidden during normal viewing.
Geographical Prevalence
The geographical prevalence map shows the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya, regions where budget devices and older Android versions that no longer receive security updates are common.
Figure 2: Affected users around the world
Malware Analysis
The following breakdown walks through each stage of the chain in order, from the moment a user opens the app to the moment stolen data leaves the device. No single file contains the full chain. Each stage decrypts and loads the next, most are delivered from the server at runtime.
Figure 3. The NoVoice rootkit payloads
Stage 1: The Delivery
The moment the app opens, code injected into the legitimate Facebook SDK initialization path runs automatically. No user interaction is needed. It first checks whether the device has already been processed and, in most samples, whether it is running Android 12L or below. A subset of the carrier apps skips the version check entirely. If either check fails, it stops and logs a message disguised as a Facebook SDK error: “FacebookSdk: Failed in initStore.”
If the device was already processed, the code cleans up files assumed to be left behind by previous runs, including paths that do not belong to any standard Android component. None of these are visible to the user.
If the checks pass, the app reads a polyglot image from its own assets’ directory, extracts the encrypted payload (enc.apk) hidden after the image data, decrypts it to produce h.apk, and loads it into memory. It then deletes all intermediate files, temporary directories.
Figure 4: Normal looking image with malicious payloadFigure 5: The malicious payload begins after the IEND marker, starting with the magic value CAFEBABE
Stage 2: The Gatekeeper
The decrypted payload (h.apk) loads a native library (libkwc.so) that controls the rest of this stage. It first verifies it is running inside the intended carrier app by checking the package name and signing certificate against hardcoded values. It also checks whether the app is running in a debug environment.
libkwc.so contains two encrypted embedded payloads. The first (sec.jar) is a gate designed to detect analysis environments. It runs 15 checks, including emulator detection, root indicators, debuggers, VPN and proxy connections, Xposed hooks, and GPS geofencing. If any check fails, the chain stops silently. The geofence compares the device’s location against bounding boxes for Beijing and Shenzhen hardcoded in the native library and excludes devices confirmed to be inside them. If the app does not have location permission, it cannot determine the device’s position and defaults to letting the chain continue. Two brands get special treatment: on Gionee devices, all checks except the geofence are skipped; on Meizu devices, the chain follows a separate code path entirely. Gionee devices have a documented history of shipping with pre-installed malware through supply chain compromise.
Only if all checks in sec.jar pass does libkwc.so decrypt and load the second payload (hex.jar), which begins contacting the C2 server. If the gate fails, it deletes the working directory and stops.
Figure 6: 15 validation checks before proceeding to the next stage
Stage 3: The Plugin
Once the gate passes, hex.jar sets up a plugin framework built on an internal codebase the authors refer to as “kuwo” in their package names. It checks in with a C2 server every 60 seconds. Updates are delivered the same way as the initial payload: as image files with encrypted data hidden after the image content. The server returns download URLs in a response field named warningIcon, disguising plugin downloads as icon fetches. A log-deletion routine runs alongside the framework to remove forensic traces from the device.
The first plugin delivered (rt) acts as an orchestrator. It manages sub-plugins and handles C2 communication. It checks in with the server, sending over 30 device identifiers including hardware model, kernel version, installed packages, and whether the device has already been rooted. The campaign’s name comes from this plugin: it embeds a silent audio resource named R.raw. novioce.
The checkin tells the server two things: who this device is and whether it has already been rooted. If it has not, rt_plugin downloads security.jar, moving the chain into root exploitation.
Figure 7: MediaPlayer initialized to load the embedded NoVoice audio
Stage 4: The Exploit
security.jar first checks whether the device is already rooted. If it has been, it stops. For unrooted devices, it sends the device’s chipset, kernel version, security patch date, and other identifiers to the C2. The server responds with a list of exploit binaries matched to that specific device.
Before running any exploit, the rootkit installer (CsKaitno.d) is decrypted from an embedded resource and written to disk. The rootkit is already in place before any exploit runs.
The exploits are downloaded one at a time from the C2’s CDN, each encrypted and verified before execution. We recovered 22 exploits in total. Our deep analysis of one revealed a three-stage kernel attack: an IPv6 use-after-free for kernel read, a Mali GPU driver vulnerability for kernel read/write, and finally credential patching and SELinux disablement.
The expected end result is the same across all exploits: a root shell with SELinux disabled. From that shell, the exploit loads CsKaitno.d. This is where exploitation ends and persistence begins.
Figure 8: SELinux enforcement disabled as part of the exploit chain
Stage 5: The Rootkit
CsKaitno.d carries four encrypted payloads: library hooks for ARM32 and ARM64 (asbymol and bdlomsd), a bytecode patcher (jkpatch), and a persistence daemon (watch_dog). It first removes files associated with possible competing rootkits, then decrypts and writes its own payloads to disk.
The installer backs up the original libandroid_runtime.so and replaces it with a hook binary matched to the device’s architecture. It also replaces libmedia_jni.so. The replacements are not copies of the original libraries. They are wrappers that intercept the system’s own functions. When any hooked function runs, it redirects to attacker code.
Figure 9: Rootkit copying and preparing modified system libraries before remounting the filesystem as writable
After replacing the libraries, jkpatch modifies pre-compiled framework bytecode on disk. This is a second layer of persistence: even if someone restores the original library, the framework’s own compiled code still contains the injected redirections
Stage 6: The Watchdog
To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any component is removed, the rootkit can reinstall itself.
It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the rootkit intact.
After cleaning up all staging files, the installer marks the device as compromised. On the next boot, the system’s process launcher (zygote) loads the replaced library, and every app it starts inherits the attacker’s code.
Figure 10: Watchdog payload decrypted, written to disk, permissioned, and launched with a 60‑second restart interval
Stage 7: The Injection
On the next boot, every app on the device loads the replaced system library. The injected code decides what to do based on which app it is running inside. Two payloads activate depending on the app. The malware authors named them BufferA and BufferB in their own code. Both are embedded as fragments inside the replaced libandroid_runtime.so from Stage 5, assembled in memory at runtime, and deleted from disk immediately after loading, leaving no files behind. BufferA runs inside the system’s package installer and can silently install or uninstall apps. BufferB runs inside any app with internet access.
BufferB is the campaign’s primary post-exploitation tool. It operates two independent C2 channels with separate encryption keys and beacon intervals. Both channels send device fingerprints to the C2 and receive task instructions in return.
If all primary domains fail and three or more days pass without contact, a fallback routine activates between 1 and 4 AM, reaching out to api[.]googlserves[.]com for a fresh domain list. Because BufferB runs inside any app with internet access, it can be active in dozens of apps simultaneously on a single device.
Figure 11: Injection logic selecting BufferA for the package installer and BufferB for all other apps
Stage 8: The Theft
The only task payload we recovered is PtfLibc, delivered to BufferB from Alibaba Cloud OSS. Its target is WhatsApp.
PtfLibc copies WhatsApp’s encryption database, extracts the device’s Signal protocol identity keys and registration ID, and pulls the most recent signed prekey. It also reads 12 keys from WhatsApp’s local storage, including the phone number, push name, country code, and Google Drive backup account. For the client keypair, it tries multiple decryption methods depending on how the device stores the key.
It sends the stolen data to api[.]googlserves[.]com through multiple layers of encryption and deletes the temporary database copy when done.
With these keys and session data, an attacker can clone the victim’s WhatsApp session onto another device.
Figure 12: Code accessing and copying WhatsApp’s encrypted Signal protocol databases for exfiltration
Infrastructure
The campaign spreads its C2 communication across multiple domains, each serving a different function.
fcm[.]androidlogs[.]com handles initial device enrollment. Once the plugin framework activates, stat[.]upload-logs[.]com takes over as the primary C2 for plugin delivery, device checkin, exploit distribution, and result reporting. config[.]updatesdk[.]com serves as its fallback. Exploit binaries are hosted separately on download[.]androidlogs[.]com, with an S3-accelerated endpoint (logserves[.]s3-accelerate[.]amazonaws[.]com) as the primary CDN. This endpoint returned 403 errors during our analysis.
Task payloads for BufferB are hosted on Alibaba Cloud OSS (prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com). PtfLibc beacons to api[.]googlserves[.]com, a domain designed to look like Google service traffic at a glance.
The domain separation is deliberate. Taking down one domain does not affect the others. The C2 can update BufferB’s domain lists at runtime, and a fallback routine fetches fresh domains from hardcoded backup endpoints if all configured domains go silent for three or more days.
Recommendations
Because the rootkit writes to the system partition, a factory reset does not remove it. A reset wipes user data but leaves system files intact. Compromised devices require a full firmware reflash to return to a clean state. Blocking the C2 domains and beacon patterns listed in this report at the network level can disrupt the chain at multiple stages.
Attribution
Several indicators link NoVoice to the Android.Triada family. The property (os.config.ppgl.status)NoVoice sets to mark a device as compromised is a known indicator of compromise for Android.Triada.231, a variant that uses the same property to track installation state. Both NoVoice and Triada.231 persist by replacing libandroid_runtime.so and hooking system functions so that every app runs attacker code at launch. Whether NoVoice is a direct evolution of Triada.231, a fork of its codebase, or a separate group reusing proven techniques, the shared approach suggests access to a common toolchain.
Conclusion
What makes NoVoice dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store install to code execution inside every app on the device, survives factory reset, and monitors its own installation. The operators built a delivery system, an infrastructure.
We recovered one task. The framework is designed to accept any number of them, for any app, at any time. The C2 infrastructure remains active. We do not know what other objectives have been deployed before, during, or after our analysis. The WhatsApp session theft we observed may be the least of it.
The rootkit’s persistence model, overwriting a system library inherited by every process, patching pre-compiled framework bytecode, and monitoring its own installation with a watchdog, makes remediation difficult.
This research underscores McAfee’s ongoing role in identifying advanced mobile threats and working with platform partners to protect users before large‑scale harm occurs.
A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too.
First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE.
It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure.
Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral.
A screenshot showing Scam Detector in action.
How the scam works
The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly.
From there, one of two things usually happens:
You’re taken to a fake payment page designed to steal your money, or
You’re prompted to download something that gives scammers access to your device or data
Either way, the goal is the same: get you to act fast before you have time to question it.
Here’s the scam text I got in California. You’ll notice it looks exactly like the others across the country.
The red flags in this message
Urgent, threatening language about fines, penalties, or legal action
Vague accusations with no real details about what you supposedly did
Official-looking formatting like case numbers, clerk signatures, and judge names
Copy-paste consistency across states: McAfee employees in New York and California received nearly identical messages with the same names
There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues.
What to do if you scanned the QR code
First, don’t panic. Then:
Do not pay anything or enter personal information
Do not delete apps you were told to install (this can make it harder to detect what happened)
Run a device scan using a trusted security tool like McAfee’s free antivirus
Keep an eye on your financial accounts and logins for unusual activity
And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).
Let’s get into what else is on our radar.
What to Know About an Alleged Crunchyroll Breach
Anime streaming platform Crunchyroll is investigating claims of a data breach involving customer support ticket data, potentially impacting millions of users.
According to TechCrunch, access appears to involve a third-party vendor system, a reminder that even strong security setups still rely on people and partners, which can introduce risk in everyday moments.
Even if you’ve never entered your credit card into a support form, these tickets can still include:
Email addresses
Usernames
Screenshots or account details
Conversations that reveal habits, subscriptions, or personal context
That’s more than enough for scammers to build highly believable follow-ups.
Why this matters right now
When breaches like this surface, scammers don’t wait. They use the moment to send emails and messages that feel timely, relevant, and legitimate.
For example, scammers might send messages pretending to be Crunchyroll and suggesting you “click this link to secure your account” after the breach. In reality, that “security check” exposes your information.
This is where tools like Scam Detector come back into play, flagging suspicious links and messages even when they reference real companies or real events.
What to do if you have a Crunchyroll account
Change your password, especially if you’ve reused it elsewhere
Turn on two-factor authentication
Be cautious of emails referencing the breach or asking you to “secure your account”
Avoid clicking links and go directly to the official site instead
How McAfee Helps You Stay Ahead of Scams and Breaches
McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment:
Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
Safe Browsing helps block risky sites if you do click or scan
Device Security helps detect and remove malicious apps or downloads
Identity Monitoring alerts you if your personal info shows up where it shouldn’t, so you can act fast
Personal Data Cleanup helps remove your information from data broker sites, making you a harder target in the first place
Secure VPN keeps your data private, especially on public Wi-Fi
Plus our instant QR code scam checks will flag suspicious QR codes before you scan them.
Safety tips to carry into next week
Slow down when a message creates urgency. That’s the hook
Don’t scan QR codes or click links from unexpected texts
Go directly to official websites instead of using links sent to you
Use tools that flag scams in real time so you don’t have to guess
The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help.
We’ll be back next week with more scams making headlines.
Today marks the start of Spring in the Northern Hemisphere, and with warmer weather setting in summer trips are vacation planning are starting to take shape.
But before you respond to that message about your hotel booking or payment confirmation, it’s worth asking: is it actually legit?
This week in scams, we’re breaking down a travel phishing scheme making the rounds through realistic booking messages, as well as new McAfee research on betting scams and AI-driven malware.
Scammers Who Know Your Exact Travel Reservation Details
A new phishing campaign targeting travelers is exploiting hotel booking platforms like Booking.com, and it’s convincing enough to fool even cautious users.
According to reporting from ITBrew and Cybernews, attackers are running a multi-stage scam:
How The Booking Scam Works
Scam Stage
How It Works
What You’ll Notice
How to Protect Yourself
Where McAfee Helps
Stage 1: Hotel account gets compromised
Attackers phish or hack hotel staff to access booking platforms and guest reservation data.
You won’t see this part — it happens behind the scenes.
Use strong, unique passwords and enable multi-factor authentication on your own accounts to reduce risk of similar breaches.
Identity Monitoring can alert you if your personal information appears in suspicious places or data leaks.
Stage 2: You receive a realistic message
Scammers use stolen booking data to send messages via WhatsApp, email, or even booking platforms.
The message includes your real name, hotel, and travel dates, making it feel legitimate.
Be cautious of unexpected outreach, even if the details are correct. Don’t assume accuracy means authenticity.
Scam detection tools can help flag suspicious messages and identify potential phishing attempts.
Stage 3: Urgency is introduced
The message claims there’s an issue with your reservation and pushes you to act quickly.
Phrases like “confirm within 12 hours” or “risk cancellation” create pressure.
Pause before acting. Legitimate companies rarely require urgent payment changes without prior notice.
Scam detection can help identify high-risk messages designed to pressure you into quick decisions.
Stage 4: You’re sent to a fake payment page
A link leads to a convincing lookalike site designed to steal your payment details.
The page looks real but may have subtle URL differences or unusual formatting.
Always navigate directly to the official website or app instead of clicking links in messages.
Safe Browsing tools can help block risky or known malicious websites before you enter sensitive information.
March Madness Brackets, Bets, and Bad Actors
March Madness brings brackets, bets, and a flood of bad actors.
New McAfee research found that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and nearly a quarter (24%) say they’ve lost money to one. On average, victims reported losing $547.
That’s not surprising when you look at the environment around the tournament. More than half of Americans are watching, more than half are participating in some form of betting, and 82% say they’ve seen betting promotions in the past year.
Some of the most common setups this season include:
“Guaranteed win” or “can’t lose” betting tips that require payment upfront
Fake sportsbook promotions offering bonus bets or free credits
Messages claiming you have winnings, but need to pay a fee to unlock them
Impersonation scams posing as sportsbook support or betting platforms
Invitations to private “VIP betting groups” on WhatsApp or Telegram
The takeaway: If a betting offer promises guaranteed results, demands the use of bizarre apps and sites, asks for money upfront, or pushes you to act quickly, it’s not an edge. It’s a scam.
“AI-Written” Malware Is Hiding in Everyday Downloads
Not all scams start with a message. Some start with a search.
443 malicious ZIP files disguised as legitimate software
1,700+ file names used to make those downloads look credible
48 variants of a malicious DLL file used to infect devices
These weren’t hosted on obscure corners of the internet either. The files were distributed through platforms people recognize, including Discord, SourceForge, and file-sharing sites.
Here’s how the attack typically works:
You search for a tool.
You download what looks like the right file.
It opens normally at first.
Then, behind the scenes, malware loads quietly and begins pulling in additional code. In some cases, victims are shown fake error messages while the real infection happens in the background.
From there, attackers can:
Turn your device into a cryptocurrency mining machine
Install additional malware like infostealers or remote access tools
Slow down your system while running hidden processes
What makes this campaign stand out is that some of the code appears to have been generated with help from AI tools.
That doesn’t mean AI is running the attack on its own. But it does suggest attackers are using AI to:
Generate code faster
Create more variations of malware
Scale campaigns more efficiently
In other words, the barrier to building malware is getting lower.
The takeaway: If a download is unofficial, hard to find, or feels like a shortcut, it’s worth slowing down. The file may look right, but that doesn’t mean it’s safe.
How McAfee+ Advanced Works in These Scam Moments
Whether it’s a message about your booking, a betting offer that looks legitimate, or a download that appears to be exactly what you were searching for, these scams all rely on the same thing: they blend into everyday moments.
That’s where having backup like McAfee+ Advanced comes in. It includes:
McAfee’s Scam Detector, which helps flag suspicious links in texts and messages like the ones used in these booking and betting scams, so you can spot something risky before you engage
Web protection and real-time device security, helping protect against risky links, malicious sites, and evolving threats if you do click, including fake betting platforms or malware hidden in downloads
Personal Data Cleanup, which helps remove your information from sites that sell it, making it harder for scammers to access the personal details that make messages and scams feel legitimate
Secure VPN, which helps keep your personal info safe and private anywhere you use public Wi-Fi, like hotels, airports, and cafés while traveling
Identity Monitoring and alerts, with 24/7 scans of the dark web to help ensure your personal and financial information isn’t being exposed or reused
Credit and transaction monitoring, so you can get alerts about suspicious financial activity if your information is ever compromised
Identity restoration support and up to $2 million in identity theft coverage, giving you access to US-based experts and added peace of mind if something does go wrong
Stay skeptical, verify before you click, and we’ll see you next week with more.
McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities.
What makes this campaign especially notable is that some parts of it appear to have been built with help from large language models (LLMs). McAfee researchers found signs that certain scripts likely used AI-generated code, which may have helped the attackers create and scale the campaign faster.
That does not mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks.
Attackers created many different fake downloads to reach more victims
48 malicious DLL variants
The campaign used multiple versions of the malware, not just one file
1,700+ file names observed
The same threat was repackaged under many different names to look convincing
17 distinct kill chains
Researchers found multiple attack flows, but they followed a similar overall pattern
Hosted on familiar platforms
The malware was distributed through services users may recognize, including Discord and SourceForge
AI-assisted code suspected
Some scripts contained explanatory comments and patterns that strongly suggest LLM assistance
Cryptomining and additional malware observed
Infected devices could be used to mine cryptocurrency or receive more malicious payloads
What Is “AI-Written Malware”?
In this case, “AI-written malware” does not meanan AI system independently invented and launched the attack.
Instead, McAfee Labs found evidence that the attackers very likely used AI tools to help generate some of the code used in the campaign, especially in certain PowerShell scripts.
Put simply:
Term
Plain-English meaning
Large language model (LLM)
An AI system that can generate text and code based on prompts
AI-assisted malware
Malware where attackers appear to have used AI tools to help write or structure parts of the code
Vibe coding
A style of coding where someone describes what they want and an AI does much of the writing
This matters because it can make malware development faster, easier, and more scalable for attackers.
Figure 1: Attack Vector
How The Fake Download Attack Works
The attack begins when someone searches for software online and downloads what looks like the tool they wanted.
That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection.
Step
What happens
1. A user downloads a fake file
The ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver
2. The file appears normal at first
In some cases, the package includes a legitimate executable so it feels more convincing
3. A malicious DLL is loaded
A hidden malicious file, often WinUpdateHelper.dll, starts the real attack
4. The user is distracted
The malware may display a fake “missing dependency” message and redirect the user to install unrelated software
5. A PowerShell script is pulled from a remote server
While the user is distracted, the malware contacts a command-and-control server and runs additional code
6. More malware is installed
Depending on the sample, the device may receive coin miners, infostealers, or remote access tools
7. The infected device is abused for profit
In many cases, attackers use the victim’s system resources to mine cryptocurrency in the background
What Kinds of Files Were Used as Bait
McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including:
Bait category
Examples
Gaming tools
game mods, cheats, executors, Roblox-related tools
AI-themed tools
AI image generators, AI voice changers, AI-branded downloads
System utilities
graphics drivers, USB drivers, emulators, VPNs
Trading or finance tools
stock-market utilities and related downloads
Fake security or malware tools
fake stealers, decryptors, and other risky-looking utilities
That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software.
Why McAfee Researchers Believe AI Was Used
One of the strongest clues came from the comments inside some of the attack scripts.
McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from “your GitHub URL,” which suggests the code may have come from a generated template and was not fully cleaned up before use.
These details do not prove every part of the campaign was AI-made. But they do support McAfee’s assessment that certain components were likely generated with help from large language models.
What Happens on an Infected Device
In many cases, the malware was used to turn victims’ computers into quiet crypto-mining machines.
McAfee observed mining activity involving several cryptocurrencies, including:
Ravencoin
Zephyr
Monero
Bitcoin Gold
Ergo
Clore
Some samples also downloaded additional payloads such as SalatStealer or Mesh Agent.
For victims, that can mean:
Possible effect
What it may look like
Slower performance
apps lag, games stutter, system feels unusually sluggish
High CPU or GPU usage
fans run constantly, laptop gets hot, battery drains faster
if an infostealer or remote access tool is installed
McAfee was also able to trace several Bitcoin wallets tied to the campaign. At the time of the report, those wallets held about $4,536 in Bitcoin, while total funds received were approximately $11,497.70. Researchers note the real total could be higher because some of the currencies involved are harder to trace.
Who Was Targeted Most
This campaign was observed most heavily in:
United States
United Kingdom
India
Brazil
France
Canada
Australia
That does not mean users elsewhere were unaffected. These were simply the countries where researchers saw the highest prevalence.
Figure 2: Geographical Prevalence
Red Flags To Watch For
Even though the campaign used advanced techniques, the warning signs for users were often familiar.
Red flag
Why it matters
You found the file through a random link
Unofficial forums, Discord links, and file-hosting pages are common malware delivery paths
The download is a ZIP for something sketchy or unofficial
Cheats, cracks, mod tools, and unofficial utilities carry higher risk
You get a “missing dependency” message
Attackers may use this to push a second download while the real infection happens in the background
The file name looks right, but the source feels wrong
Familiar names can be faked easily
Your PC suddenly slows down or overheats
Hidden cryptominers often abuse system resources
You notice new, unrelated software installed
The campaign sometimes used unwanted software installs as a distraction
How To Stay Safe From Malware Hidden in Fake Downloads
This campaign is a reminder that not every convincing file is a safe one. A few habits can reduce your risk significantly.
Safety step
Why it helps
Download software only from official sources
This lowers the chance of accidentally installing a trojanized file
Avoid cheats, cracks, and unofficial mods
These categories are common bait for malware campaigns
Be skeptical of dependency prompts
Unexpected requests to install helper files or missing components can be part of the attack
Keep your security software updated
Current protection can help detect known threats and suspicious behavior
Pay attention to system performance
A suddenly hot, loud, or slow PC may be a sign something is running in the background
Review what you download before opening it
Even a familiar file name does not guarantee a file is legitimate
McAfee helps protect against malware threats like these with multiple layers of security, including malware detection and safer browsing protections designed to help stop risky downloads before they can do damage.
What To Do If You Think You Opened One of These Files
If you think you downloaded and ran a suspicious file like one described in this campaign:
Action
Why it matters
Disconnect from the internet
This can help interrupt communication with attacker-controlled servers
Run a full security scan
A trusted scan can help identify malicious files and behavior
Delete suspicious downloads
Remove the file and avoid reopening it
Check for unfamiliar software or startup items
The infection may have installed additional components
Change important passwords from a clean device
This is especially important if data-stealing malware may have been involved
Monitor accounts for unusual activity
Keep an eye on email, banking, and other sensitive accounts
If your computer continues acting strangely after a scan, it may be worth getting professional help.
What This Means for the Future of Malware
This campaign highlights how cybercrime is evolving.
The core risk is not just fake downloads. It is the fact that attackers are using AI tools to help generate code, create variations, and speed up parts of the malware development process.
That can make campaigns like this easier to scale and harder to ignore.
For everyday users, the takeaway is simple: if a file seems unofficial, rushed, or too good to be true, pause before opening it. A fake download may look like a shortcut, but it can quietly turn your device into a target.
Frequently Asked Questions
FAQs
Q: What is AI-written malware?
A: AI-written malware generally refers to malicious code, or parts of a malware campaign, that appear to have been created with help from AI coding tools or large language models.
Q: Did AI create this entire malware campaign?
A: McAfee Labs did not say that. The research suggests that certain components, especially some scripts, were likely generated with help from large language models.
Q: What was this malware disguised as?
A: The malicious files impersonated game mods, AI tools, drivers, trading utilities, VPNs, emulators, and other software downloads.
Q: What can happen if you open one of these fake files?
A: Depending on the sample, the malware may install coin miners, steal data, establish persistence, or download additional malicious tools.
Q: Can malware really use my computer to mine cryptocurrency?
A: Yes. McAfee observed samples in this campaign that used victims’ CPU and GPU resources to mine cryptocurrency in the background.
Q: What is the safest way to avoid this kind of malware?
A: Download software only from official or trusted sources, avoid unofficial tools and cheats, be cautious of fake dependency prompts, and keep your security protection up to date.
Login
