Authored By: Ahmad Zubair Zahid 

McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The malware described in this blog relies on vulnerabilities Android made patches available for in 2016 – 2021. All Android devices with a security patch level of 2021-05-01 or higher are not susceptible to the exploits that we were able to obtain from the command-and-control server. However patched devices that downloaded these apps could have been exposed to unknown potential payloads outside of what we discovered. The attack begins with apps that were previously available on Google Play that appear to be simple tools such as cleaners, games, or gallery utilities. When a user downloaded and opened one of these apps, it appeared to behave as advertised, giving no obvious signs of malicious activity.  

In the background, however, the app contacts a remote server, profiles the device, and downloads root exploits tailored to that device’s specific hardware and software. If the exploits succeed, the malware gains full control of the device. From that moment onward, every app that the user opens are injected with attacker‑controlled code.  

This allows the operators to access any app data and exfiltrate it to their servers. One of the targeted apps is WhatsApp. We recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker’s infrastructure.   

On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September 2021, this rootkit is highly persistent; a standard factory reset will not remove it, and only reflashing the device with a clean firmware will fully restore the device.   

In total, we identified more than 50 of these malicious apps on Google Play, with at least 2.3 million downloads.  

McAfee identified the malicious apps, conducted the technical analysis, and reported its findings to Google through responsible disclosure channels. Following McAfee’s report, Google removed the identified apps from Google Play and banned the associated developer accounts. McAfee is a member of the App Defense Alliance, which supports collaboration across the mobile ecosystem to improve user protection. McAfee Mobile Security detects this malware as a High-Risk Threat. For more information, and to get fully protected, visit McAfee Mobile Security.  

Background And Key Findings

Android malware has been moving toward modular frameworks that update themselves remotely and adapt to each device. Campaigns like Triada and Keenadu have shown that replacing system libraries gives attackers persistence to survive factory resets. BADBOX has shown that backdoors pre-installed through the supply chain can reach millions of devices. Recent research has confirmed links between several of these families, suggesting shared tooling rather than isolated efforts. 

NoVoice fits both trends but does not rely on supply chain access. It reaches devices through Google Play and achieves the same level of persistence through exploitation. McAfee’s investigation revealed the following key findings: 

• All carrier apps were distributed through Google Play. No sideloading required, no user interaction beyond opening the app. 
• C2 infrastructure remains active at the time of publication. 
• The C2 server profiles each device and delivers root exploits matched to its hardware and software version. 
• The rootkit overwrites a core system library, causing every app on the device to run attacker code at launch. 
• The infection survives factory reset and can only be removed by reflashing the firmware. 
• The chain is fully plugin-based. Operators can push any payload to any app on the device at runtime. 
• The only task we recovered clones WhatsApp sessions, but the framework is designed to accept any objective.

Naming  

The name comes from R.raw.novioce, a silent audio resource embedded in one of the later-stage payloads. It plays at zero volume to keep a foreground service alive, abusing Android’s media playback exemption. We believe it is a deliberate misspelling of “no voice.” 

Distribution Method 

All carrier apps were distributed through Google Play and request no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under tampered com.facebook.utils, blending in with the real Facebook SDK classes the apps already include.  

The initial payload is embedded in the app’s asset directory as a polyglot image. This means the file displays and renders a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the PNG IEND marker. Since that marker signals to image viewers that the image data ends there, the appended payload remains hidden during normal viewing.

Geographical Prevalence 

The geographical prevalence map shows the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya, regions where budget devices and older Android versions that no longer receive security updates are common. 

Malware Analysis

The following breakdown walks through each stage of the chain in order, from the moment a user opens the app to the moment stolen data leaves the device. No single file contains the full chain. Each stage decrypts and loads the next, most are delivered from the server at runtime. 

Stage 1: The Delivery

The moment the app opens, code injected into the legitimate Facebook SDK initialization path runs automatically. No user interaction is needed. It first checks whether the device has already been processed and, in most samples, whether it is running Android 12L or below. A subset of the carrier apps skips the version check entirely. If either check fails, it stops and logs a message disguised as a Facebook SDK error: “FacebookSdk: Failed in initStore.” 

If the device was already processed, the code cleans up files assumed to be left behind by previous runs, including paths that do not belong to any standard Android component. None of these are visible to the user. 

If the checks pass, the app reads a polyglot image from its own assets’ directory, extracts the encrypted payload (enc.apk) hidden after the image data, decrypts it to produce h.apk, and loads it into memory. It then deletes all intermediate files, temporary directories. 

Stage 2: The Gatekeeper 

The decrypted payload (h.apk) loads a native library (libkwc.so) that controls the rest of this stage. It first verifies it is running inside the intended carrier app by checking the package name and signing certificate against hardcoded values. It also checks whether the app is running in a debug environment. 

libkwc.so contains two encrypted embedded payloads. The first (sec.jar) is a gate designed to detect analysis environments. It runs 15 checks, including emulator detection, root indicators, debuggers, VPN and proxy connections, Xposed hooks, and GPS geofencing. If any check fails, the chain stops silently. The geofence compares the device’s location against bounding boxes for Beijing and Shenzhen hardcoded in the native library and excludes devices confirmed to be inside them. If the app does not have location permission, it cannot determine the device’s position and defaults to letting the chain continue. Two brands get special treatment: on Gionee devices, all checks except the geofence are skipped; on Meizu devices, the chain follows a separate code path entirely. Gionee devices have a documented history of shipping with pre-installed malware through supply chain compromise. 

Only if all checks in sec.jar pass does libkwc.so decrypt and load the second payload (hex.jar), which begins contacting the C2 server. If the gate fails, it deletes the working directory and stops. 

Stage 3: The Plugin 

Once the gate passes, hex.jar sets up a plugin framework built on an internal codebase the authors refer to as “kuwo” in their package names. It checks in with a C2 server every 60 seconds. Updates are delivered the same way as the initial payload: as image files with encrypted data hidden after the image content. The server returns download URLs in a response field named warningIcon, disguising plugin downloads as icon fetches. A log-deletion routine runs alongside the framework to remove forensic traces from the device. 

The first plugin delivered (rt) acts as an orchestrator. It manages sub-plugins and handles C2 communication. It checks in with the server, sending over 30 device identifiers including hardware model, kernel version, installed packages, and whether the device has already been rooted. The campaign’s name comes from this plugin: it embeds a silent audio resource named R.raw. novioce. 

The checkin tells the server two things: who this device is and whether it has already been rooted. If it has not, rt_plugin downloads security.jar, moving the chain into root exploitation. 

Stage 4: The Exploit 

security.jar first checks whether the device is already rooted. If it has been, it stops. For unrooted devices, it sends the device’s chipset, kernel version, security patch date, and other identifiers to the C2. The server responds with a list of exploit binaries matched to that specific device. 

Before running any exploit, the rootkit installer (CsKaitno.d) is decrypted from an embedded resource and written to disk. The rootkit is already in place before any exploit runs. 

The exploits are downloaded one at a time from the C2’s CDN, each encrypted and verified before execution. We recovered 22 exploits in total. Our deep analysis of one revealed a three-stage kernel attack: an IPv6 use-after-free for kernel read, a Mali GPU driver vulnerability for kernel read/write, and finally credential patching and SELinux disablement. 

The expected end result is the same across all exploits: a root shell with SELinux disabled. From that shell, the exploit loads CsKaitno.d. This is where exploitation ends and persistence begins. 

Stage 5: The Rootkit 

CsKaitno.d carries four encrypted payloads: library hooks for ARM32 and ARM64 (asbymol and bdlomsd), a bytecode patcher (jkpatch), and a persistence daemon (watch_dog). It first removes files associated with possible competing rootkits, then decrypts and writes its own payloads to disk. 

The installer backs up the original libandroid_runtime.so and replaces it with a hook binary matched to the device’s architecture. It also replaces libmedia_jni.so. The replacements are not copies of the original libraries. They are wrappers that intercept the system’s own functions. When any hooked function runs, it redirects to attacker code. 

After replacing the libraries, jkpatch modifies pre-compiled framework bytecode on disk. This is a second layer of persistence: even if someone restores the original library, the framework’s own compiled code still contains the injected redirections

Stage 6: The Watchdog 

To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any component is removed, the rootkit can reinstall itself. 

It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the rootkit intact. 

After cleaning up all staging files, the installer marks the device as compromised. On the next boot, the system’s process launcher (zygote) loads the replaced library, and every app it starts inherits the attacker’s code. 

Stage 7: The Injection 

On the next boot, every app on the device loads the replaced system library. The injected code decides what to do based on which app it is running inside. Two payloads activate depending on the app. The malware authors named them BufferA and BufferB in their own code. Both are embedded as fragments inside the replaced libandroid_runtime.so from Stage 5, assembled in memory at runtime, and deleted from disk immediately after loading, leaving no files behind. BufferA runs inside the system’s package installer and can silently install or uninstall apps. BufferB runs inside any app with internet access. 

BufferB is the campaign’s primary post-exploitation tool. It operates two independent C2 channels with separate encryption keys and beacon intervals. Both channels send device fingerprints to the C2 and receive task instructions in return. 

If all primary domains fail and three or more days pass without contact, a fallback routine activates between 1 and 4 AM, reaching out to api[.]googlserves[.]com for a fresh domain list. Because BufferB runs inside any app with internet access, it can be active in dozens of apps simultaneously on a single device. 

Stage 8: The Theft 

The only task payload we recovered is PtfLibc, delivered to BufferB from Alibaba Cloud OSS. Its target is WhatsApp. 

PtfLibc copies WhatsApp’s encryption database, extracts the device’s Signal protocol identity keys and registration ID, and pulls the most recent signed prekey. It also reads 12 keys from WhatsApp’s local storage, including the phone number, push name, country code, and Google Drive backup account. For the client keypair, it tries multiple decryption methods depending on how the device stores the key. 

It sends the stolen data to api[.]googlserves[.]com through multiple layers of encryption and deletes the temporary database copy when done. 

With these keys and session data, an attacker can clone the victim’s WhatsApp session onto another device. 

Infrastructure 

The campaign spreads its C2 communication across multiple domains, each serving a different function. 

fcm[.]androidlogs[.]com handles initial device enrollment. Once the plugin framework activates, stat[.]upload-logs[.]com takes over as the primary C2 for plugin delivery, device checkin, exploit distribution, and result reporting. config[.]updatesdk[.]com serves as its fallback. Exploit binaries are hosted separately on download[.]androidlogs[.]com, with an S3-accelerated endpoint (logserves[.]s3-accelerate[.]amazonaws[.]com) as the primary CDN. This endpoint returned 403 errors during our analysis. 

Task payloads for BufferB are hosted on Alibaba Cloud OSS (prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com). PtfLibc beacons to api[.]googlserves[.]com, a domain designed to look like Google service traffic at a glance. 

The domain separation is deliberate. Taking down one domain does not affect the others. The C2 can update BufferB’s domain lists at runtime, and a fallback routine fetches fresh domains from hardcoded backup endpoints if all configured domains go silent for three or more days. 

Recommendations 

Because the rootkit writes to the system partition, a factory reset does not remove it. A reset wipes user data but leaves system files intact. Compromised devices require a full firmware reflash to return to a clean state. Blocking the C2 domains and beacon patterns listed in this report at the network level can disrupt the chain at multiple stages. 

Attribution  

Several indicators link NoVoice to the Android.Triada family. The property (os.config.ppgl.status) NoVoice sets to mark a device as compromised is a known indicator of compromise for Android.Triada.231, a variant that uses the same property to track installation state. Both NoVoice and Triada.231 persist by replacing libandroid_runtime.so and hooking system functions so that every app runs attacker code at launch. Whether NoVoice is a direct evolution of Triada.231, a fork of its codebase, or a separate group reusing proven techniques, the shared approach suggests access to a common toolchain. 

Conclusion 

What makes NoVoice dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store install to code execution inside every app on the device, survives factory reset, and monitors its own installation. The operators built a delivery system, an infrastructure. 

We recovered one task. The framework is designed to accept any number of them, for any app, at any time. The C2 infrastructure remains active. We do not know what other objectives have been deployed before, during, or after our analysis. The WhatsApp session theft we observed may be the least of it. 

The rootkit’s persistence model, overwriting a system library inherited by every process, patching pre-compiled framework bytecode, and monitoring its own installation with a watchdog, makes remediation difficult. 

This research underscores McAfee’s ongoing role in identifying advanced mobile threats and working with platform partners to protect users before large‑scale harm occurs. 

References 

https://www.kaspersky.com/blog/triada-trojan/11481/ 

https://www.kaspersky.com/about/press-releases/kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices 

https://www.humansecurity.com/learn/blog/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box/ 

Indicators of Compromise 

Command and Control Servers 

api.googlserves[.]com 

api.uplogconfig[.]com 

avatar.ttaeae[.]com 

awslog.oss-accelerate.aliyuncs[.]com 

check.updateconfig[.]com 

config.googleslb[.]com 

config.updatesdk[.]com 

dnskn.googlesapi[.]com 

download.androidlogs[.]com 

fcm.androidlogs[.]com 

log.logupload[.]com 

logserves.s3-accelerate.amazonaws[.]com 

prod-log-oss-01.oss-ap-southeast-1.aliyuncs[.]com 

sao.ttbebe[.]com 

stat.upload-logs[.]com 

upload.crash-report[.]com 

nzxsxn.98kk89[.]com 

98kk89[.]com 

Carrier App Samples 

03e62ac5080496c67676c0ef5f0bc50fc42fc31cf953538eda7d6ec6951979d8,com.filnishww.fluttbuber.storagecleaner, 

066a096a3716e02a6a40f0d7e6c1063baecbebc9cbcc91e7f55b2f82c0dad413,com.wififinder.wificonnect, 

0751decd391fa76d02329b0726c308206e58fc867f50283aa688d9fe0c70e835,com.wuniversal.lassistant, 

07a9d41c1c775def78a017cf1f6e65266382e76de0f05400b3296e2230979664,com.dynamicpuzzle.cvbfhf, 

0f28c49b24070a36dec09dd9d4b768e1ef6583b4891eca2e935a304ce704fcce,com.wgoddessg.sgallery, 

106edd06b6961c3d38edfefd2869ee05285f11b68befe145b124794d0e79e766,com.crazycodes.blendphoto, 

183e9174e51786be77d1341bcf7f05514f581823532028119c5844a8a5111848,com.colorbrickelim.inationl, 

1e0376330ff9e97f798870da8433c81e39f3591c82497ca1f6b5f00878d0221a,com.crazycodes.photomotion, 

1e7fe0ae7546162f23ff4f6e570f51b38562bf4f0ffd9305533b43d19574be38,com.swiftc.tcleans, 

1e8b048c8d32662f340787893d9ca824b039c14fb91bcc16e185a8bb872e0b80,com.mybatice.googcomlayou.phonecleaner, 

224e2395d3df96cf19e0b7be9731452da5b568026d81bd0981e48893f6a66859,com.glamorousg.sgoddesslys, 

2c2c965f3d091693bc6906fc2ed8d03ffccb84e0665841f2d073c2f0a09261bc,com.myapps.gooble.mobile1.maxclean, 

30504104f232a990f8226ff746b1718aafb727ce111d5a538962cc5e06c4259a,com.mybatice.smartersleep.junkfiles, 

3937b0bec287662fd82fca4693c8b3619b8c61eca7fe6efa7540c1ae291f8759,com.crazycodes.beautycam, 

4830a985f064974e6b5d19ae95d645d01fb57edd975a4fce5a1453c2ada70d4e,com.khanbro.gamestation, 

4f7825647bab001298f768302d0eeb6e0d639d401dc8b5bf60a4b9841a93c980,com.wBoothCash_18748294, 

4fbf1906fe02745cbf0350563440e9a05d19cd4a27c4fb6b67436392a18a0cd4,com.steppay.yrewards, 

54224288aa9fa3d4281fb91ad7b202fbc3e5708b173e319b6b450ad15bcdab43,com.scleanm.nmastery, 

594521e642fee75d474d8d0be839ebe9341f30196b19555882499145bf00746b,com.qwalkingr.grewards, 

721d92d30fbb90fe643507055baa4cce937c8659f1520be1bbce7f9669af6f84,com.modes2048.gamepro, 

7d90ee0be5eb63fbaa6839efdd6217b482576b1bab553731cac0b55f2fa1e6fa,com.jkesogeop.classicsudo, 

7f00991e63154a79ea220b713fcfb2ef8b8db923a75366a61e9bc30d9c355274,com.glamorousg.sgoddesslys, 

8cd77df7cf2242105b12297071ad1d11e91264f9de311d1b082666da19134476,com.wtoolboxp.xpro, 

974a5d005d3cfe4c63bd7a46ca72c6716c6c6de397d2e3e19b1730def31f7825,com.systmapp.mobile1.cleanmanager, 

98819230a6c3f5092517ada9652e9156e338acc27d29e4647b3cb69cddb668cb,com.crazycodes.airvpn, 

98db4904c3299b8ac383dd177c3cde87af25c088df1988f484427aab3b5c4e0d,com.wlifetoolp.lpro, 

9b9f55c4a68385e4a739c7d11159c9b4ab006660142331e8bdc477b5eba62aad,com.ulifea.eassistants, 

a02694b5de7a8a6ef3024d53e54a54a676f992bfa1e070f07827ab9b5dd1365c,com.priceper.km, 

a1e77c148f190b6bfdd40ce657722e902a31cedecab669dd6f78f38b6b18ddf7,crazycodes.notes.app, 

a430123efe9611f322fbc3c459fc5ec13abbb0def88ba3ec56a05a361a51a9ac,com.gbversion.gbplus.gblatestversion, 

ab6365bf7e6c7fba6867b44a80e8bf653c7b66ff91204ee3e2981b6532fea7ee,com.snowfindthesame.samethesnowswe, 

b4438ac1694e3a08a994750a7ac76399c48d5d3446e90ebebbea1f8694bf3dd5,com.guidely.earningapp, 

b8087e3535d395210b80637be35da6ae8e10450b6fb87de62a284d5d7397cd17,com.shcoob.groobe.timebuke, 

bf47dc1577c8b862c4e849a7ce52e143239f2f7274421befa902baf4bd1c4a19,com.wlifet.etoolbox, 

c332166f720e4d2f6f9b59993559df05281e7d2fbd56f90a7f2399a0ac620295,com.ebitans.tenstarbd, 

c509a98d0823add0c1440a7b043586eb5a8069fbb776ca36252f5b7653c92cb7,com.whabitn.tnotes, 

c517b26dfc8ffd5de7f49966ff3391475f80299ebc6ad9988bf166029cf76c91,com.filnishww.fluttbuber.storagecleaner, 

cf945c433aa80120be10566b9f1ae88e043f96872996f599b75bb57c74248e56,com.mfunt.ttetris, 

d72d96c6f299fe961dd98655e0468e45ed3ac03df0cfa499e27d4c399e304500,com.wififinder.wificonnect, 

db1168f2cb3b25ef65e06eb4e788ddda237a428fbce0725de1e9d70b36e96833,com.whomea.eassistan, 

ddc4da4c63c8bc7df53c3c7fe350b56ad31f313c7d95b472dc45a9fcf85273f0,com.mi2048nig.game, 

df00753933359d7369668eddeb0dc2565f075c78e4b46f3cabd2e8ff31eda42e,com.sportscash.xyz, 

e32c8a869585c107ccd1586b5edebc1d8eaa18017c2dd39b6267eec4db7f7410,com.biopops.mathly, 

e5b8d25ef612f0240ce28fbffd550fd4e0b9abdbf325e3ff85718e8312b70c2b,com.wdailyn.anova, 

e5f3aa5ef6b5b5fa94a921b55f52aa2c1011486b7370f1585deb6d571325ebcb,com.khan.pregnancyexercise, 

ec79443aa53864e4d322b8fa8fd4aad0ef878221f01e7d32512694ba24992aee,com.merge2048joy.joy, 

f654c5f926ebfcded4c0d07590972536280454e2501dc8a525390402fa945ff1,com.kgoddessv.svibe, 

f7c664ea66c43a82801ed7da23369af1e285857c1a4bf200147b716715f09d3f,com.chall2048enge.game, 

fc3b06c36feb38ed62f3034e428e814d6e1ac06ec1569ea22428374b8d15d848,com.jekunotesimple.notesimple, 

fd62c2bfa2277eff8787926f9976aa4a11235a18a9a543ced71a509c6ebf2bf2,com.game.ludoplay, 

The post Operation NoVoice: Rootkit Tells No Tales appeared first on McAfee Blog.

A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too. 

First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE. 

It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure. 

Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral. 

How the scam works 

The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly. 

From there, one of two things usually happens: 

1. You’re taken to a fake payment page designed to steal your money, or 
2. You’re prompted to download something that gives scammers access to your device or data  

Either way, the goal is the same: get you to act fast before you have time to question it. 

The red flags in this message 

• Urgent, threatening language about fines, penalties, or legal action  
• Vague accusations with no real details about what you supposedly did  
• Official-looking formatting like case numbers, clerk signatures, and judge names  
• Copy-paste consistency across states: McAfee employees in New York and California received nearly identical messages with the same names  

There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues. 

What to do if you scanned the QR code 

First, don’t panic. Then: 

• Do not pay anything or enter personal information  
• Do not delete apps you were told to install (this can make it harder to detect what happened)  
• Run a device scan using a trusted security tool like McAfee’s free antivirus  
• Keep an eye on your financial accounts and logins for unusual activity  

And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).  

Let’s get into what else is on our radar. 

What to Know About an Alleged Crunchyroll Breach 

Anime streaming platform Crunchyroll is investigating claims of a data breach involving customer support ticket data, potentially impacting millions of users. 

According to TechCrunch, access appears to involve a third-party vendor system, a reminder that even strong security setups still rely on people and partners, which can introduce risk in everyday moments. 

Even if you’ve never entered your credit card into a support form, these tickets can still include: 

• Email addresses  
• Usernames  
• Screenshots or account details  
• Conversations that reveal habits, subscriptions, or personal context  

That’s more than enough for scammers to build highly believable follow-ups. 

Why this matters right now 

When breaches like this surface, scammers don’t wait. They use the moment to send emails and messages that feel timely, relevant, and legitimate. 

For example, scammers might send messages pretending to be Crunchyroll and suggesting you “click this link to secure your account” after the breach. In reality, that “security check” exposes your information.

This is where tools like Scam Detector come back into play, flagging suspicious links and messages even when they reference real companies or real events. 

What to do if you have a Crunchyroll account 

• Change your password, especially if you’ve reused it elsewhere  
• Turn on two-factor authentication  
• Be cautious of emails referencing the breach or asking you to “secure your account”  
• Avoid clicking links and go directly to the official site instead  

How McAfee Helps You Stay Ahead of Scams and Breaches

McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment: 

• Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage  
• Safe Browsing helps block risky sites if you do click or scan  
• Device Security helps detect and remove malicious apps or downloads  
• Identity Monitoring alerts you if your personal info shows up where it shouldn’t, so you can act fast  
• Personal Data Cleanup helps remove your information from data broker sites, making you a harder target in the first place  
• Secure VPN keeps your data private, especially on public Wi-Fi  

Plus our instant QR code scam checks will flag suspicious QR codes before you scan them.

Safety tips to carry into next week 

• Slow down when a message creates urgency. That’s the hook  
• Don’t scan QR codes or click links from unexpected texts  
• Go directly to official websites instead of using links sent to you  
• Use tools that flag scams in real time so you don’t have to guess  

The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help. 

We’ll be back next week with more scams making headlines. 

The post Got a “Court Notice” Text? Ignore It. Plus, the Crunchyroll Breach: This Week in Scams appeared first on McAfee Blog.

Tax season is prime time for scammers. And in 2026, the scams are more convincing, more targeted, and increasingly powered by AI. 

In this guide, we break down this year’s biggest tax scams from the IRS Dirty Dozen and show how tools like McAfee’s Scam Detector help flag malicious links, scan suspicious QR codes, and analyze risky messages across text, email, and social media to help you stay ahead of fraud. 

The need for that kind of protection is clear. New McAfee research shows: 

• 82% of Americans are concerned about tax fraud  
• 67% are seeing the same or more scam messages than last year  
• 40% say scams are more sophisticated  
• Only 29% feel very confident they can spot a deepfake scam  
• Nearly 1 in 4 Americans say they’ve lost money to a tax scam  

Tax scams are not just increasing. They are getting harder to recognize in the moment. 

What is the IRS Dirty Dozen? 

The IRS Dirty Dozen is the agency’s annual list of the most common and dangerous tax scams targeting individuals and businesses. 

The 2026 list highlights a clear shift toward: 

• AI-driven impersonation  
• QR code and link-based phishing  
• Social media misinformation  
• Refund and credit manipulation schemes  

These scams are designed to create urgency, confusion, and quick decisions. That combination is what makes them effective. 

The IRS Dirty Dozen for 2026 and how to spot each scam 

Below is a full breakdown of all 12 scams identified by the IRS, along with what to look for and how protection tools can help. 

#	Scam Type	How It Works	Red Flags	How McAfee Helps
1	IRS impersonation (email, text, DM)	Messages claim to be from the IRS asking you to verify info or claim a refund	Urgent tone, links, QR codes, unexpected outreach	Scam Detector flags suspicious messages and links across text, email, and social. Safe browsing blocks fake IRS sites if you click
2	AI voice scams and robocalls	AI-generated calls mimic IRS agents or officials	Threats, payment pressure, spoofed caller ID	Scam Detector helps validate follow-up messages or links tied to the call. Identity monitoring helps detect if your info is being used in impersonation attempts
3	Fake charities	Scammers pose as charities to collect donations or data	Emotional appeals, vague organization details	Scam Detector flags suspicious donation links. Safe browsing blocks fraudulent charity sites. Personal Data Cleanup reduces exposure to targeting lists
4	Social media tax misinformation	Viral posts push fake deductions or “tax hacks”	Promises of large refunds or loopholes	Scam Detector’s screenshot analysis lets you check social posts and DMs before acting, helping identify misleading or risky claims
5	IRS account takeover scams	Criminals use stolen data to access IRS accounts	Alerts about account changes you didn’t initiate	Identity monitoring and alerts notify you if your data is exposed. Device security helps prevent malware used to steal credentials
6	Abusive capital gains schemes (Form 2439)	Fake or inflated claims tied to investment credits	Complicated filings tied to unfamiliar organizations	Scam Detector flags suspicious messages and links. Safe browsing blocks fraudulent filing sites tied to these schemes
7	Fake self-employment tax credit	Misleading claims about eligibility for large credits	“You qualify” messaging without verification	Safe browsing blocks scam sites attempting to capture personal or tax info
8	Ghost tax preparers	Preparers refuse to sign returns or provide credentials	No PTIN, vague business identity	Scam Detector helps assess suspicious messages or outreach. Identity monitoring adds protection if your data is shared with a bad actor
9	Non-cash donation schemes	Inflated valuations used to reduce tax liability	Unrealistic deductions, aggressive promoters	Scam Detector flags suspicious offers and links. Safe browsing blocks sites attempting to collect sensitive financial data
10	Overstated withholding scams	False income or withholding reported to inflate refunds	Encouragement to “boost” refund numbers	Scam Detector flags misleading content. Device security helps protect against malware tied to fake filing tools
11	Spear phishing targeting tax pros	Emails designed to steal client or business data	Unexpected document requests, attachments	Scam Detector detects phishing attempts. Safe browsing blocks malicious links. Device security helps prevent malware installs
12	Offer in Compromise scams	Companies overpromise tax debt relief and charge high fees	High-pressure sales tactics, guaranteed outcomes	Scam Detector flags suspicious outreach. Personal Data Cleanup reduces targeting. Identity monitoring helps catch misuse of your data

How McAfee helps protect you from tax scams 

Tax scams rarely rely on just one tactic. A message leads to a link. A link leads to a fake site. A fake site leads to stolen data or payment. 

That is why protection needs to work across the full chain, not just one moment. 

McAfee goes beyond traditional antivirus by combining multiple layers of digital protection into one app, helping you stay safer before, during, and after a scam attempt. 

Here is how each layer helps: 

• Scam Detector helps flag suspicious messages, links, and AI-driven scams across text, email, and social media. It can also scan QR codes and analyze screenshots of messages that feel off.  

• Safe browsing tools help block risky websites, including fake IRS portals and lookalike domains designed to steal personal and financial information.  

• Secure VPN helps keep your connection private, especially on public Wi-Fi where sensitive activity like filing taxes or accessing financial accounts can be exposed.  

• Identity monitoring and alerts notify you if your personal information, like your Social Security number or email, appears in places it should not, helping you act quickly if identity theft is attempted.  

• Personal Data Cleanup helps reduce your exposure by removing your information from high-risk data broker sites that scammers use to target you.  

• Device and account security helps protect the devices and accounts you rely on every day, adding another layer of defense against malware, phishing, and unauthorized access.  

Together, these protections help you do more than react to scams. They help you spot them earlier, avoid risky situations, and recover faster if something goes wrong.

The post How to Protect Yourself Against Tax Scams in 2026 appeared first on McAfee Blog.

Today marks the start of Spring in the Northern Hemisphere, and with warmer weather setting in summer trips are vacation planning are starting to take shape.   

But before you respond to that message about your hotel booking or payment confirmation, it’s worth asking: is it actually legit? 

This week in scams, we’re breaking down a travel phishing scheme making the rounds through realistic booking messages, as well as new McAfee research on betting scams and AI-driven malware. 

We’ll walk through what happened, what to watch for, and how McAfee’s tools can help you stay safe. 

Scammers Who Know Your Exact Travel Reservation Details 

A new phishing campaign targeting travelers is exploiting hotel booking platforms like Booking.com, and it’s convincing enough to fool even cautious users. 

According to reporting from ITBrew and Cybernews, attackers are running a multi-stage scam: 

How The Booking Scam Works 

Scam Stage	How It Works	What You’ll Notice	How to Protect Yourself	Where McAfee Helps
Stage 1: Hotel account gets compromised	Attackers phish or hack hotel staff to access booking platforms and guest reservation data.	You won’t see this part — it happens behind the scenes.	Use strong, unique passwords and enable multi-factor authentication on your own accounts to reduce risk of similar breaches.	Identity Monitoring can alert you if your personal information appears in suspicious places or data leaks.
Stage 2: You receive a realistic message	Scammers use stolen booking data to send messages via WhatsApp, email, or even booking platforms.	The message includes your real name, hotel, and travel dates, making it feel legitimate.	Be cautious of unexpected outreach, even if the details are correct. Don’t assume accuracy means authenticity.	Scam detection tools can help flag suspicious messages and identify potential phishing attempts.
Stage 3: Urgency is introduced	The message claims there’s an issue with your reservation and pushes you to act quickly.	Phrases like “confirm within 12 hours” or “risk cancellation” create pressure.	Pause before acting. Legitimate companies rarely require urgent payment changes without prior notice.	Scam detection can help identify high-risk messages designed to pressure you into quick decisions.
Stage 4: You’re sent to a fake payment page	A link leads to a convincing lookalike site designed to steal your payment details.	The page looks real but may have subtle URL differences or unusual formatting.	Always navigate directly to the official website or app instead of clicking links in messages.	Safe Browsing tools can help block risky or known malicious websites before you enter sensitive information.

March Madness Brackets, Bets, and Bad Actors 

March Madness brings brackets, bets, and a flood of bad actors. 

New McAfee research found that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and nearly a quarter (24%) say they’ve lost money to one. On average, victims reported losing $547. 

That’s not surprising when you look at the environment around the tournament. More than half of Americans are watching, more than half are participating in some form of betting, and 82% say they’ve seen betting promotions in the past year. 

Some of the most common setups this season include: 

• “Guaranteed win” or “can’t lose” betting tips that require payment upfront 
• Fake sportsbook promotions offering bonus bets or free credits 
• Messages claiming you have winnings, but need to pay a fee to unlock them 
• Impersonation scams posing as sportsbook support or betting platforms 
• Invitations to private “VIP betting groups” on WhatsApp or Telegram 

The takeaway:
If a betting offer promises guaranteed results, demands the use of bizarre apps and sites, asks for money upfront, or pushes you to act quickly, it’s not an edge. It’s a scam. 

“AI-Written” Malware Is Hiding in Everyday Downloads 

Not all scams start with a message. Some start with a search. 

McAfee Labs uncovered a large-scale malware campaign hiding inside hundreds of fake downloads, including game mods, AI tools, drivers, and trading utilities. 

In January alone, researchers identified: 

• 443 malicious ZIP files disguised as legitimate software 
• 1,700+ file names used to make those downloads look credible 
• 48 variants of a malicious DLL file used to infect devices 

These weren’t hosted on obscure corners of the internet either. The files were distributed through platforms people recognize, including Discord, SourceForge, and file-sharing sites. 

Here’s how the attack typically works: 

• You search for a tool. 
• You download what looks like the right file. 
• It opens normally at first. 

Then, behind the scenes, malware loads quietly and begins pulling in additional code. In some cases, victims are shown fake error messages while the real infection happens in the background. 

From there, attackers can: 

• Turn your device into a cryptocurrency mining machine 
• Install additional malware like infostealers or remote access tools 
• Slow down your system while running hidden processes 

What makes this campaign stand out is that some of the code appears to have been generated with help from AI tools. 

That doesn’t mean AI is running the attack on its own. But it does suggest attackers are using AI to: 

• Generate code faster 
• Create more variations of malware 
• Scale campaigns more efficiently 

In other words, the barrier to building malware is getting lower. 

The takeaway:
If a download is unofficial, hard to find, or feels like a shortcut, it’s worth slowing down. The file may look right, but that doesn’t mean it’s safe. 

How McAfee+ Advanced Works in These Scam Moments 

Whether it’s a message about your booking, a betting offer that looks legitimate, or a download that appears to be exactly what you were searching for, these scams all rely on the same thing: they blend into everyday moments. 

That’s where having backup like McAfee+ Advanced comes in. It includes: 

• McAfee’s Scam Detector, which helps flag suspicious links in texts and messages like the ones used in these booking and betting scams, so you can spot something risky before you engage

• Web protection and real-time device security, helping protect against risky links, malicious sites, and evolving threats if you do click, including fake betting platforms or malware hidden in downloads

• Personal Data Cleanup, which helps remove your information from sites that sell it, making it harder for scammers to access the personal details that make messages and scams feel legitimate

• Secure VPN, which helps keep your personal info safe and private anywhere you use public Wi-Fi, like hotels, airports, and cafés while traveling

• Identity Monitoring and alerts, with 24/7 scans of the dark web to help ensure your personal and financial information isn’t being exposed or reused

• Credit and transaction monitoring, so you can get alerts about suspicious financial activity if your information is ever compromised 

• Identity restoration support and up to $2 million in identity theft coverage, giving you access to US-based experts and added peace of mind if something does go wrong 

Stay skeptical, verify before you click, and we’ll see you next week with more. 

The post This Week in Scams: Why That “Booking Confirmation” Message Might Be Fake appeared first on McAfee Blog.

Filing your taxes may not feel risky. You download a W-2. Upload a PDF. Email a document. Move on. 

But tax season is one of the most active times of year for scammers, and the moment you start collecting and sharing tax documents is often when people are most exposed. 

W-2s, 1099s, prior-year returns, and identity documents contain nearly everything criminals need to commit tax fraud or identity theft. And increasingly, scammers don’t need to break into systems to get them. They rely on rushed filers, familiar workflows, and convincing messages that blend into tax season noise. 

The good news: securing your tax documents doesn’t require expensive tools or technical expertise. With a few deliberate steps, you can dramatically reduce your risk before anything leaves your device. 

Why Scammers Want Your Tax Documents

Tax documents are valuable because they’re complete.A single W-2 includes your full name, Social Security number, employer information, and income data. Combined with other files, like a prior return or ID scan, that’s enough to: 

• File a fraudulent tax return 
• Open new credit accounts 
• Access financial services 
• Sell your identity on criminal marketplaces 

That’s why tax-related phishing and document theft spike every filing season. Many scams don’t look like scams at all. They look like routine requests, delivery notices, or “quick questions” from someone you already trust. 

How to Safely Handle and Share Tax Documents 

Tax forms contain some of the most sensitive personal information you have. Taking a few precautions when storing and sharing them can reduce the risk of identity theft and tax fraud. 

Store Your Tax Documents Securely 

Before sending anything to an accountant or tax service, make sure your files are organized and stored safely. 

Use a single secure folder
Create one folder, on your device or in a trusted private cloud service account, specifically for tax documents. Avoid scattering files across downloads, email attachments, and screenshots. 

Rename files clearly
Use descriptive names such as “2025_W2_EmployerName.pdf” so you can easily identify documents without opening multiple files or re-downloading forms. 

Avoid public Wi-Fi
If you’re downloading tax documents, do it on a secure home network whenever possible. Public Wi-Fi can increase the risk of interception. If you must connect in public, using a trusted VPN adds another layer of protection. 

Watch for Tax-Season Phishing Scams 

Many tax scams don’t target software, they target people. 

Common examples include: 

• Emails pretending to be from the IRS asking you to “verify” information 
• Messages that appear to come from your employer requesting a copy of your  W2 
• Fake tax portals asking you to re-upload documents 
• Urgent messages claiming there is a problem with your return 

These scams often arrive when you’re already expecting tax-related communication, which makes them easier to trust. 

Important: The IRS does not initiate contact by email, text message, or social media to request personal or financial information. 

Use Secure Ways to Share Tax Documents 

Email attachments are convenient, but they can also expose sensitive information. 

Safer options include: 

• A secure client portal provided by your accountant or tax preparer 
• Encrypted file-sharing services 
• Password-protected documents sent through a secure channel 

If you must email a document, avoid sending the password in the same message. 

Verify Requests Before Sending Documents 

Even if a request looks legitimate, pause before sharing sensitive files. 

Ask yourself: 

• Did I expect this request? 
• Is the sender using their normal contact method? 
• Does the message create urgency or pressure? 

If something seems unusual, verify the request through a separate channel, such as calling the person directly or starting a new email thread. 

Secure the Devices You Use to File 

Protecting tax documents also means protecting the device where they’re stored. 

Before filing your taxes: 

• Install the latest software updates on your computer and phone 
• Enable automatic updates when possible 
• Use security tools that can flag malicious links, fake websites, and suspicious messages, like McAfee’s WebAdvisor (free download here)

Tax scams increasingly arrive through text messages and social media, not just email, so protection needs to cover the places scammers actually reach you. 

File Early and Watch for Warning Signs 

Filing early reduces the opportunity for scammers to file a fraudulent tax return in your name. 

After filing: 

• Watch for IRS notices you didn’t expect 
• Monitor financial accounts for unfamiliar activity 
• Be cautious of follow-up messages claiming problems with your return 

If something feels off, investigate before responding. 

Step-by-Step: How to Encrypt Tax Documents Before Sending Them 

Step	What to Do	Why It Matters
1. Put all tax files into one folder	Gather your W-2s, 1099s, receipts, PDFs, and spreadsheets in one folder.	Keeps you organized and prevents accidentally leaving something unprotected.
2. Convert photos into PDFs (if needed)	If documents are photos, save them as a PDF using your phone scanner app or printer settings.	PDFs are easier to encrypt and share securely than image files.
3. Combine files into one ZIP folder	On your computer, select all files → right click → Compress / Zip.	Creates a single package you can protect with a password.
4. Add a password to the ZIP file	Choose the “Encrypt” or “Password Protect” option when creating the ZIP file.	Password protection helps prevent unauthorized access if the file is intercepted.
5. Use a strong password	Use at least 12 characters with a mix of letters, numbers, and symbols.	Weak passwords can be cracked quickly.
6. Rename the file to something generic	Use a name like “Documents_2025.zip” instead of “Taxes_W2_SSN.zip.”	Avoids exposing sensitive info in the file name itself.
7. Send the encrypted file through a secure method	Upload via your tax preparer’s secure portal or share through a secure cloud link.	Email attachments can be risky if the wrong person gains access.
8. Send the password separately	Text or call the password—don’t include it in the same email as the file.	If someone intercepts the email, they won’t have both pieces.
9. Confirm the recipient received it securely	Ask them to confirm download and access.	Prevents re-sending sensitive documents multiple times.
10. Delete extra copies once filing is done	Remove unneeded copies from desktop, downloads folder, and email attachments.	Reduces the chance of future exposure if your device is compromised.

What to Do If You Think Your Tax Information Was Exposed 

If you believe your tax documents were shared with the wrong party or compromised: 

1. Stop further communication immediately 
2. Contact your accountant or tax service 
3. Notify the IRS if sensitive information was exposed 
4. Monitor credit and financial accounts closely 
5. Run a security scan on your device, check out our free trial 

Acting quickly can limit damage and help prevent long-term fallout. 

Final Thoughts

Securing your tax documents doesn’t require perfection, just intention. 

By slowing down, using safer sharing methods, and staying alert to tax-season scams, you can protect yourself before problems start. In a season where everyone feels rushed, a few extra minutes can save months of cleanup later. 

McAfee helps protect your identity, devices, and personal information so tax season doesn’t become scam season. 

Frequently Asked Questions 

Q: Is it safe to email tax documents to my accountant?  A: Email is not the safest option. Secure portals or encrypted file-sharing tools are preferred for sensitive documents like W-2s and tax returns.

Q: How do W-2 phishing scams work?  A: Scammers impersonate employers or tax authorities to trick people into sending W-2s or personal information, often using urgent or official-looking messag

Q: Can scammers file taxes using my W-2?  A: Yes. With enough personal information, criminals can file fraudulent returns or commit identity theft.

Q: How can I tell if a tax message is fake? A: Be cautious of unsolicited requests, urgent language, unfamiliar links, or requests for documents outside normal filing workflows.

Q: What’s the safest way to share tax documents online?  A: Use secure portals, encrypted file-sharing, and verified communication channels. Avoid public Wi-Fi and unprotected email attachments.

 

The post How to Secure Tax Documents Before Sending to Your Accountant appeared first on McAfee Blog.

McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities. 

In January 2026, researchers observed 443 malicious ZIP files impersonating software people might actively search for online. Across those files, McAfee identified 48 malicious WinUpdateHelper.dll variants used to infect devices. The campaign was spread through a mix of file-hosting and content delivery services, including Discord, SourceForge, FOSSHub, and mydofiles[.]com. 

What makes this campaign especially notable is that some parts of it appear to have been built with help from large language models (LLMs). McAfee researchers found signs that certain scripts likely used AI-generated code, which may have helped the attackers create and scale the campaign faster. 

That does not mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks. 

Want the full research? Dive in here. 

We break down the top takeaways below. 

What McAfee Found 

Finding	What it means
443 malicious ZIP files	Attackers created many different fake downloads to reach more victims
48 malicious DLL variants	The campaign used multiple versions of the malware, not just one file
1,700+ file names observed	The same threat was repackaged under many different names to look convincing
17 distinct kill chains	Researchers found multiple attack flows, but they followed a similar overall pattern
Hosted on familiar platforms	The malware was distributed through services users may recognize, including Discord and SourceForge
AI-assisted code suspected	Some scripts contained explanatory comments and patterns that strongly suggest LLM assistance
Cryptomining and additional malware observed	Infected devices could be used to mine cryptocurrency or receive more malicious payloads

What Is “AI-Written Malware”? 

In this case, “AI-written malware” does not mean an AI system independently invented and launched the attack. 

Instead, McAfee Labs found evidence that the attackers very likely used AI tools to help generate some of the code used in the campaign, especially in certain PowerShell scripts. 

Put simply: 

Term	Plain-English meaning
Large language model (LLM)	An AI system that can generate text and code based on prompts
AI-assisted malware	Malware where attackers appear to have used AI tools to help write or structure parts of the code
Vibe coding	A style of coding where someone describes what they want and an AI does much of the writing

This matters because it can make malware development faster, easier, and more scalable for attackers. 

 

How The Fake Download Attack Works 

The attack begins when someone searches for software online and downloads what looks like the tool they wanted. 

That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection. 

Step	What happens
1. A user downloads a fake file	The ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver
2. The file appears normal at first	In some cases, the package includes a legitimate executable so it feels more convincing
3. A malicious DLL is loaded	A hidden malicious file, often WinUpdateHelper.dll, starts the real attack
4. The user is distracted	The malware may display a fake “missing dependency” message and redirect the user to install unrelated software
5. A PowerShell script is pulled from a remote server	While the user is distracted, the malware contacts a command-and-control server and runs additional code
6. More malware is installed	Depending on the sample, the device may receive coin miners, infostealers, or remote access tools
7. The infected device is abused for profit	In many cases, attackers use the victim’s system resources to mine cryptocurrency in the background

What Kinds of Files Were Used as Bait 

McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including: 

Bait category	Examples
Gaming tools	game mods, cheats, executors, Roblox-related tools
AI-themed tools	AI image generators, AI voice changers, AI-branded downloads
System utilities	graphics drivers, USB drivers, emulators, VPNs
Trading or finance tools	stock-market utilities and related downloads
Fake security or malware tools	fake stealers, decryptors, and other risky-looking utilities

That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software. 

Why McAfee Researchers Believe AI Was Used 

One of the strongest clues came from the comments inside some of the attack scripts. 

McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from “your GitHub URL,” which suggests the code may have come from a generated template and was not fully cleaned up before use. 

These details do not prove every part of the campaign was AI-made. But they do support McAfee’s assessment that certain components were likely generated with help from large language models. 

What Happens on an Infected Device 

In many cases, the malware was used to turn victims’ computers into quiet crypto-mining machines. 

McAfee observed mining activity involving several cryptocurrencies, including: 

• Ravencoin 
• Zephyr 
• Monero 
• Bitcoin Gold 
• Ergo 
• Clore 

Some samples also downloaded additional payloads such as SalatStealer or Mesh Agent. 

For victims, that can mean: 

Possible effect	What it may look like
Slower performance	apps lag, games stutter, system feels unusually sluggish
High CPU or GPU usage	fans run constantly, laptop gets hot, battery drains faster
Background malware activity	unknown processes, suspicious downloads, unexpected behavior
Potential data theft	if an infostealer or remote access tool is installed

McAfee was also able to trace several Bitcoin wallets tied to the campaign. At the time of the report, those wallets held about $4,536 in Bitcoin, while total funds received were approximately $11,497.70. Researchers note the real total could be higher because some of the currencies involved are harder to trace. 

Who Was Targeted Most 

This campaign was observed most heavily in: 

• United States 
• United Kingdom 
• India 
• Brazil 
• France 
• Canada 
• Australia 

That does not mean users elsewhere were unaffected. These were simply the countries where researchers saw the highest prevalence. 

The post New Research: Hackers Are Using AI-Written Code to Spread Malware appeared first on McAfee Blog.

Authored by Aayush Tyagi  

Background 

The term ‘Vibe coding,’ first coined back in February of 2025 by OpenAI researchers, has exploded across digital platforms. With hundreds of articles and YouTube Videos discussing the dangers of Vibe coding and warning the internet about the rise of “Vibe Coders”, while others labelled it as the fundamental shift in software development and the future of coding.  

Vibe Coding is an approach where the AI does heavy lifting, rather than the user. Instead of manually writing code or implementing algorithms, users describe their intent through text-based prompt, and the LLMs respond with fully functional code and explanation. Unsurprisingly, the internet is now flooded with guides on the best LLMs and prompts to generate “perfect” code. 

Given the ease of generating fully functional code, McAfee Labs has also seen a rise in vibe-coded malware. In these campaigns, certain components of the kill chain contain AI-generated code, significantly reducing the effort and knowledge required to execute new malware campaigns. This shift not only makes malware campaigns more scalable but also lowers the barrier to entry for new malware authors. 

Executive summary 

In January 2026, McAfee Labs observed 443 malicious zip files impersonating a wide range of software, including AI image generators and voice-changing tools, stock-market trading utilities, game mods and modding tools, game hacks, graphics card and USB drivers, ransomware decryptors, VPNs, emulators, and even infostealer, cookie-stealer, and backdoor malware, to infect users.  

Across the 440+ zip files, we observed 48 unique malicious WinUpdateHelper.dll variants, responsible for the infections. McAfee has been detecting variants of this threat since December 2024, although the vibe coding observed in certain components appears to be a recent addition. These files are distributed through various legitimate content delivery network (CDN) services and file-hosting websites, such as Discord, SourceForge, FOSSHub, and MediaFire, to name a few. Another website that was actively delivering this malware was mydofiles[.]com. 

Here, the attackers implement volume-driven malware distribution techniques to infect as many users as possible.  

This attack begins when users surf the internet looking for tools and software that promise to simplify their tasks. Instead, they encounter trojanized zip files.  

We discovered over 100 URLs actively spreading this malware, of which approximately 61 were hosted on Discord, 17 on SourceForge, and 15 on mydofiles[.]com. 

On running the executable, it loads a malicious WinUpdateHelper.dll file, which redirects the user to file-hosting websites, under the disguise that they are missing crucial dependencies and tricks them into installing unrelated software, which is a distraction. Meanwhile, the DLL has already requested and executed a malicious PowerShell script from a command-and-control (C2) server.  

This script infects the user’s system and downloads additional mining software, and abuses the system’s resources, or it downloads additional payloads such as SalatStealer or Mesh Agent, depending on the WinUpdateHelper.dll sample which infected the user.  

In this PowerShell script, the presence of explanatory comments and structured sections strongly indicates the use of LLM models to generate this code. 

Read more about this in the Using AI to generate malware? section below.  

So far, we’ve observed the mining of Ravencoin, Zephyr, Monero, Bitcoin Gold, Ergo, and Clore cryptocurrencies.    

Due to the presence of hardcoded Bitcoin wallet credentials within these malware samples, we were able to trace on-chain transactions and identify wallets containing over $4,500 USD that are part of this campaign.  

Since most of the mining activity targets privacy-focused cryptocurrencies such as Zephyr, Ravencoin and Monero, the real financial impact is likely to be nearly double the amount identified through Bitcoin tracing alone.  

Geographical Prevalence 

This malware campaign has specifically targeted users in the following counties, ranked by prevalence: The United States of America, followed by United Kingdom, India, Brazil, France, Canada, Australia. 

Bottom Line

The availability of LLMs capable of generating code instantly, combined with the widespread accessibility of technical knowledge, has created a low-effort, high-reward environment, making malware deployment increasingly accessible. 

At McAfee Labs, we have been doing hard work so that you don’t need to worry. But it always helps to be informed and educated on the latest threat that steps into the threat landscape. 
We will continue monitoring these campaigns to ensure our customers remain informed and protected across platforms. 

Technical Analysis  

Impersonated Applications

Here we see malware distribution at a large scale and by analyzing the filenames of these ZIP archives, we can infer to the users that are being targeted. These are some of the names we’ve witnessed in the wild. 

The attackers are actively impersonating video game cheats and game mods for popular titles, and well-known script executors for Roblox, such as Delta Executor and Solara as seen above.  

Names such as Panther-Stealer and Zerotrace-Stealer indicate that even users looking for malware on the internet are not safe either, reinforcing the notion that there is truly no honor among thieves. 

The campaign also leverages drivers and AI-themed tools as part of its lure portfolio among other tools. Interestingly, we see the name ‘DeepSeek.zip’, where attackers are exploiting a prominent LLM model, DeepSeek. McAfee had encountered these types of attacks in early 2025 and covered them extensively.  

Read the previous blog here: Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users  

Stage 1 Payload – Misleading Installation  

Once the user downloads the ZIP archive from Discord or any other website. They get the following set of files.

Here, the executable named ‘gta-5-online-mod-menu.exe’ (Highlighted in Blue) is a legitimate and clean file. Whereas the file named ‘WinUpdateHelper.dll’ (Highlighted in Red) is malicious.  

On executing ‘gta-5-online-mod-menu.exe’, the malicious DLL is loaded. The user is informed that they are missing dependencies, and they’re redirected to the following URL via default browser.  

hxxps://igk[.]filexspace.com/getfile/XKQLPSK?title=DependencyCore&tracker=gta-5-online-mod-menu 

Here, within the URL, a tracker variable is used to identify which malware has infected the user. In this instance, it was ‘gta-5-online-mod-menu’.  

Dependecycore.zip is a setup file. On execution, it installs unrelated 3rd party software on the victim’s system. 

In this instance, iTop Easy Desktop was installed. 

This unwanted installation is meant to subvert users’ attention. As, the WinUpdateHelper.dll has already connected to the C2 server and infected the system.   

Stage 1 Payload – Malicious Functionality  

Once the redirection code is executed, the malware executes the malicious code.  

In the above code snippet, which is present in the WinUpdateHelper.dll, we can see that a new service has been created under the name “Microsoft Console Host” to make it appear to be benign (Highlighted in Red). The parameters passed to this service ensure that it executes at system boot. This is done to maintain persistence in the system.

The service executes a PowerShell command that dynamically generates the C2 domain using the UNIX time stamp.  

Using the following code, 
$([Math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() / 5000000) * 5000000).xyz 

It generates a domain name that changes once every 5,000,000 seconds or 58 days. 

The latest C2 domain we’ve discovered that is up and running is 
1770000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper

During our analysis we observed the following domain 
1765000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper, which is present in the following images.  

Here the id=fA9zQk2L0M is randomly generated, to uniquely identify the user and tag=WinUpdateHelper is used to identify the malware campaign.  

The malware connects to the above-mentioned C2 server to download a PowerShell script and execute it in memory. This fileless execution ensures improved evasion against signature-based detections. 

Stage 2 Payload – PowerShell Script  

It is funny to note here, that the first comment of this script says “# I am forever sorry” which indicates that the attacks do carry some guilt regarding their actions, but not enough to stop the campaign. We found similar comments, such as “# sorry lol”, across multiple PowerShell scripts we discovered.  

The first set of commands (Highlighted in Green) are used to delete windows services and scheduled tasks. This is done to remove older or conflicting persistence mechanisms and to avoid duplicate miners from running on the same system. 

The second set of commands (Highlighted in Red) are registry modifications, that adds “C:\ProgramData” to Windows Defender exclusion paths. That is, ProgramData Folder won’t be scanned by Windows Defender anymore. This exclusion allows malware to drop additional payloads to disk, without the risk of them being detected and removed.  

The third set of commands (Highlighted in Blue) does exactly that. It downloads the next level payload from the URL “hxxps://1765000000[.]xyz/download/xbhgjahddaa” and stored it at this path “C:\ProgramData\fontdrvhost.exe”.

Again the name ‘fontdrvhost.exe’ imitates a legitimate Windows binary, to masquerade its true intent. After the download, the file is decoded using a simple arithmetic decryption routine. This provides protection against static signature detection and network detection. 

The payload is an XMRIG miner sample. In the next command, the miner is initialized and executed. Here, we see the miner connecting to “solo-zeph.2miners.com:4444” and start CPU based Zephyr coin mining using the following wallet address: ‘ZEPHsCY4zbcHGgz2U8PvkEjkWjopuPurPNv8nnSFnM5MN8hBas8kBN4hoNKmc7uMRfUQh4Fc9AHyGxL6NFARnc217m2vYgbKxf’. 

In the second half of the script, we see another miner being set up and executed using the same technique (Highlighted in Red). This time the file is stored as “RuntimeBroker.exe” in the ProgramData folder. The miner is connecting to “solo-rvn.2miners.com:7070” to mine Ravencoin and it is using the system’s GPU instead of the CPU for mining (Highlighted in Blue).  

This is the wallet address used for mining in this instance ‘bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r’.  

Hence, we see a dual coin-mining deployment infrastructure utilizing both CPU and GPU resources to optimize mining efficiency. 

Bitcoin? Interesting…  

What is interesting here is that attackers have used a bitcoin wallet address for mining Ravencoin, which indicates they are using multi-coin pools for mining. The attackers are using the victims’ machine to mine Ravencoin and automatically convert the mining rewards to Bitcoin before the payout.  

This is done for a variety of reasons, such as, bitcoin offers higher liquidity and has broader acceptance, but most importantly, Ravencoin is computationally easier and economically viable to mine on victim’s system. Bitcoin requires specialized ASIC hardware for profitable mining and attempting to mine Bitcoin directly on infected systems would generate negligible returns. We’ve seen the same behaviour in multiple samples. 

This is a smoking gun. Unlike Zephyr coin or Monero, Bitcoin’s blockchain is fully traceable. Every Satoshi, the smallest unit of Bitcoin, can be traced across the blockchain from the moment it was mined to its current holder. From there, it becomes easy to determine how much cryptocurrency the threat actor is receiving. More on this later.  

Anti-Analysis Techniques 

The attackers have meticulously designed the campaign and have implemented various anti-analysis techniques to thwart researchers.  

The PowerShell script we’ve seen above is responsible for downloading and initializing the coin miner samples. It is only accessible via PowerShell. If we try to access the server via Curl, we get the following response.  

 This indicates that the server is actively monitoring the User-Agent of incoming requests and deploys the payload only when the request originates from PowerShell. 

 Similarly, the URLs embedded within the PowerShell script that download the next payload are unique to each victim and remain active for 60 seconds. After that, they return a 404 Not Found error.  

These techniques are meant to confuse and disorient researchers, making the analysis difficult.  

Using AI to generate malware?  

While working on this malware campaign, we came across over 440 unique zip files. These same zip files were distributed with over 1700 different names, targeting various software. 

Across these 440 zip files, we noticed 48 unique variants of WinUpdateHelper.dll. These 48 files can be clustered together into 17 distinct kill chains, each featuring their own C2 infrastructure, misleading installation setups, second-stage PowerShell scripts and final payloads, yet the cryptocurrency wallet credentials remain similar. 

In the above technical analysis, we’ve only covered 1 kill chain. Yet, across these 17 kill chains, we’ve noticed the flow remain the same.  

Across multiple second stage payloads, we encounter multiple comments such as the following, embedded within the code:

# === Create and execute run.bat in C:\ProgramData ===

:: This batch file:

:: – Creates the hidden folder C:\ProgramData\cvtres if it doesn”t exist (using CMD attrib for hidden + system)

:: – Downloads cvtres.exe from your GitHub URL

:: – Saves it to C:\ProgramData\cvtres\cvtres.exe

:: – Executes it immediately

:: – Runs completely hidden/minimized (no window visible)

The presence of such explanatory-style comments indicates that large language models were likely used during the development of these scripts. Especially, the comment “Downloads cvtres.exe from your GitHub URL”, where ‘Your GitHub URL’ refers to the threat actor’s GitHub repository that is hosting the malware, which indicates potential vibe coding.  

Tracking Bitcoin Across the Blockchain 

During analysis of this malware campaign, we came across few instances where the final payload was Infostealer malware. In most cases it was coin miner samples. 
In these cases, we encountered wallet credentials and mining pool URLs for several alternative cryptocurrencies such as Ravencoin, Zephyr, Monero, which aren’t traceable.  

Fortunately, we came across 7 bitcoin wallets that are part of this malware campaign and are actively receiving mined cryptocurrency. 

bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r     bc1q7cpwxjatrtpa29u85tayvggs67f6fxwyggm8kd 

bc1qyy0cv8snz7zqummg0yucdfzpxv2a5syu7xzsdq    bc1qxhp6mn0h7k9r89w8amalqjn38t4j5yaa7t89rp 

bc1qxnkkpnuhydckmpx8fmkp73e38dfed93uhfh68l    bc1qrtztxnqnjk9q4d5hupnla245c7620ncj3tzp7h 

bc1q97yd574m9znar99fa0u799rvm55tnjzkw9l33w 

As of writing this blog, these wallets contain Bitcoin valued at approximately $4,536.20 USD. 

These wallets have seen regular withdrawals, with total funds received amounting to approximately $11,497.7 USD. 

McAfee Coverage 

McAfee has extensive coverage for this Coinminer Malware Campaign. We’re proactively covering new samples observed in the wild. 

Trojan:Win/Phishing.AP 

Trojan:Script/Coinminer.AT 

Trojan:Win/Dropper.AT 

Indicator of Compromise(s)

File Type	SHA256/URLs	File Name
SHA256	94de957259c8e23f635989dd793cd fd058883834672b2c8ac0a3e80784fce819	WinUpdateHelper.dll
	db8afdafbe39637fec3572829dd0a 1a2f00c9b50f947f1eb544ede75e499dca7	WinUpdateHelper.dll
	f15098661d99a436c460f8a6f839 a6903aebd2d8f1445c3bccfc9bf64868f3b0	WinUpdateHelper.dll
	3abf66e0a886ec0454d0382369dd6 d23c036c0dd5d413093c16c43c72b8ccb0b	WinUpdateHelper.dll
	767b63d11cee8cfb401a9b72d7bcc a23b949149f2a9d7456e6e16553afcef169	WinUpdateHelper.dll
	12850f78fc497e845e9bf9f10314c4ecc 6a659dcd90e79ef5bd357004021ba78	WinUpdateHelper.dll
	0a8a58d18adc86977b7386416c6be8db 850a3384949b6750a6c6b2136138684a	WinUpdateHelper.dll
	1a60852904ff9c710cd754fa187ce58cb18c69 e35ea4962a8639953abe380f64	WinUpdateHelper.dll
	4ab63b5ccd60dfd66c7510d1b3bc1f45f0 c31c2d4c16b63b523d05ccac3fcb9d	WinUpdateHelper.dll
	1390e61a45dd81fa245a3078a3b305 e3c7cdeb5fa1e63d9daca22096b699f9e8	WinUpdateHelper.dll
	a0c3de95e5bf84cb616fe1ee1791e96ff57 53778b36201610e6730d025a6cb12	WinUpdateHelper.dll
	ea65298d8d8ce4b868511a1026f8657abcc 6b2e333854f4fc1bd498463b24084	WinUpdateHelper.dll
	6ea34fd213674f31a83c0eee2fb521303d2 a7c23e324bbdfa1a8edd7b6b6b6f1	WinUpdateHelper.dll
	7bec5e37777e6a2ca50e765b07e8cb 65e88f4822ab19d98c32f1c69444228e5c	WinUpdateHelper.dll
	64c96f0251363aaf35c3709c134aab52b9 81508b0ce9445e42774d151e43686b	WinUpdateHelper.dll
	393f6c6b307aecfe46acc603da812cc17f 0ebf24b66632660a2e533dfa4f463f	WinUpdateHelper.dll
	94077065d049e821803986316408b 82edad43fcd5a154f6807b4382eece705c3	WinUpdateHelper.dll
	a206ff592aea155d2bb42231afc3f060 494ffa8f3de8f25aaf8881639c500b44	WinUpdateHelper.dll
	cb2eebf27def80261eef6b80d898e06 f443294371463accd45ca24ce132fad98	WinUpdateHelper.dll
	3fea0a031ffd78c8d08f6499c2bbc 6a9edac5dc88b9ba224921f8f142e5a9adb	WinUpdateHelper.dll
	4fe5d461aaa752b94d016ca4e742e 02d30d3d4848a32787ce3564b5393017d77	WinUpdateHelper.dll
	04399f9f3ef87d8dd15556628532a84 d63d628eaae0ed81166d6efbee428cdba	WinUpdateHelper.dll
	dd37cd62fa18af798018a706f20a91a537f 0993f0254a0c84d64097c6480afb2	WinUpdateHelper.dll
	1d85ffe28d065780c9327078941cb76 2915c69c69012303e45eee44c092f8046	WinUpdateHelper.dll
	86e14dd0ab29ee0eab21874811b7e4 50d609feb606f77206627b62cccbd58afa	WinUpdateHelper.dll
	17704d58fb9c4e68c54a56fa97cd32599 792d00da53691b8bdb58e49296b7feb	WinUpdateHelper.dll
	491019e31af8f1489aea8d4c0f9816 813698def0301a2abb88e5248b37753d2b	WinUpdateHelper.dll
	c0ab89c3d9c7b9a04df5169eb175d517 3c6de08a4ef3674cd6d7f9a925d63151	WinUpdateHelper.dll
	df0ca0f15926964040bb43978f97faccc0 0bae5f6a00d8bd7d105d8c7d32efb1	WinUpdateHelper.dll
	e40f2628b2981226b1afe16c1cf3796b94 82b2ac070adac999707fc09909327c	WinUpdateHelper.dll
	f6093084196acded1179d3a1466908beb 966dceaba03e1dfeb02a2628fdb0423	WinUpdateHelper.dll
	fcc512630ee95d3f4c31e3aabc75ad2e29 dfacb4d4bcce7a12abe9a516979dbd	WinUpdateHelper.dll
	fe02d8d7a6b8f66624b238665d63094 a2bcd19c44a3f9c449788cadbb1b741a6	WinUpdateHelper.dll
	1967f6f42710b43506a0784a28ca8785a f91b84dfa8629ec5be92be8eec564c6	WinUpdateHelper.dll
	5280b0ecb6c7246db84a9b194f5c85cc3 03c028475900b558306fdd4e51f4fc3	WinUpdateHelper.dll
	ce06d83adb53c8b9d240202193ca4c04d 0163994dad707aed0f0e67fdd2a42fe	WinUpdateHelper.dll
	13976bdc28d3b3ae88ed92fcf49ff9e083b 0ce5fd53e60680df00cd92bdfb33b	WinUpdateHelper.dll
	4135754b26dfac10cd19dcf6e03677b53 7244cf69fdce9c4138589e59449b443	WinUpdateHelper.dll
	7d69eca36c0f69b3007cdbf908f15545 e95611acf4bad8b9e30e54687a6d33bb	WinUpdateHelper.dll
	085dc279b422d761729374b01eae1e2 2375ef9538a6c4bc7cc35e8a812450f93	WinUpdateHelper.dll
	99ff2045d1377db7342420160eb254b7 b09cc4ce41a97b6bf0ec4d3f65d9ede6	WinUpdateHelper.dll
	396f397099a459f3adeba057788aa3d3488 2eea7d1665c828449f205a86dc80f	WinUpdateHelper.dll
	908d35e6afd90da2e7c71cf82c8a61b5534 10ca920e67dba1bae35c2b6b19bad	WinUpdateHelper.dll
	7029d68969814f1473e4e4a22abd4be8 5678a03bbe4c0f6194f3b7e421872ab3	WinUpdateHelper.dll
	d3ba17aa83748c539c75cee7eedb03a4 83f2e86af10b69da3f0c8e549f014ac3	WinUpdateHelper.dll
	d758820962ead89d5eaf7e45930a5eb 6ab11d5508988087faf84d8d7524408f1	WinUpdateHelper.dll
	e863f45099f3dc057a5aee5990fabfb4 e8ea8849cd5bc895092ff0a305a3f85d	WinUpdateHelper.dll
	0db26e9a1213d09521fc0dbfe15f807c9 960f62bc1cf4071001f58f210c53e9c	WinUpdateHelper.dll
	94de957259c8e23f635989dd793cdfd 058883834672b2c8ac0a3e80784fce819	WinUpdateHelper.dll
C2 URLs	hxxp://85[.]235[.]75[.]242/script[.]ps11
	hxxp://41[.]216[.]188[.]184/downloads/loader[.]ps1
	hxxp://46[.]151[.]182[.]238:6969/script
	hxxps://mydofiles[.]com/script[.]ps1
	hxxp://45[.]141[.]119[.]191/jjj[.]txt
	hxxps://getthishasg[.]live/cz8wl3k[.]php? cnv_id=cee43wfhqb7b81&payout=1
	hxxps://gocrazy[.]gg/script?id=fA9z Qk2L0M`&tag=schtasks
	hxxps://dystoria[.]cc/mon
	hxxp://85[.]235[.]75[.]242/script[.]ps1
	hxxps://github[.]com/dextamoggan4-sudo/ shineex/releases/download/python/script[.]ps1
	hxxp://45[.]141[.]119[.]191/gg[.]txt
	hxxps://codeberg[.]org/Yesdev123/ load/raw/branch/main/testfile[.]txt
	hxxp://45[.]141[.]119[.]191/jjjj[.]tt
	hxxps://kenovn[.]net/script
	hxxps://1765000000[.]xyz/script? id=fA9zQk2L0M&tag=WinUpdateHelper
	hxxp://46[.]151[.]182[.]238:6969/scrpt
	hxxp://46[.]151[.]182[.]238:6969/script
	hxxps://cutt[.]ly/ke0WRr70
	hxxps://cutt[.]ly/pe0WRidw
	hxxps://1770000000[.]xyz/script?id =fA9zQk2L0M&tag=WinUpdateHelper
	hxxp://150[.]241[.]64[.]28/panfish
Final Payload URLs	hxxps://github[.]com/gaescmo-ai/justin/ releases/download/son/xmrig[.]exe
	hxxps://github[.]com/gaescmo-ai/justin/ releases/download/son/ethminer[.]exe
	hxxp://41[.]216[.]188[.]184/downloads /windows-service[.]zip
	hxxp://46[.]151[.]182[.]238:6969/exe/rat[.]exe
	hxxp://46[.]151[.]182[.]238:6969/exe/miner[.]exe
	hxxp://46[.]151[.]182[.]238:6969/exe/titledetector[.]exe
	hxxps://github[.]com/jimbrock44/filezilla2025/ raw/refs/heads/main/sc[.]msi
	hxxps://github[.]com/softwarelouv/software/ raw/refs/heads/main/scvhosts[.]exe
	hxxps://github[.]com/softwarelouv/software/ raw/refs/heads/main/cvtres[.]exe
	hxxp://109[.]120[.]177[.]217:8082/download
	hxxp://45[.]141[.]119[.]191/fontdrvhost[.]exe
	hxxps://codeberg[.]org/Yesdev123/load/raw/ branch/main/source[.]exe
	hxxps://1765000000[.]xyz/download/xbhgjahddaa
	hxxps://1765000000[.]xyz/download/ebhgjahddaa
	hxxp://46[.]151[.]182[.]238:6969/autoexec
	hxxp://62[.]113[.]112[.]203/adm[.]exe
	hxxps://evilmods[.]com/api/nothingtoseehere[.]exe
	hxxps://evilmods[.]com/api/nothingbeme[.]exe
	hxxps://evilmods[.]com/DependencyCore2
	hxxps://evilmods[.]com/DependencyCore
Unwanted Installers	CD1B15644BF0D7CBF270E8F21CEAE5E6	Dependecycore.zip
	7d18257b55588bccb52159d261f9cd7f	Dependecycore.zip
	A518FB6B9D2689737CE668675EEDE98F	iTop Easy Desktop
	E3BB21152BA90990E3CCBC1A05842F8B	Opera Installer
	A6BC4C6A58AC533D3DB5F96D24DDE0EF	Docs Helper Setup
	FA24733F5A6A6F44D0E65D7D98B84AA6	Windows Manager
	CDB67B1C54903F223F7DCCA14AEA67DF	eld4.exe
Final Payloads	e07a76cc4258c6b4b3f85451ea2174d5	xmrig.exe
	d32395a3a340e033e11bd89acddaa9cd	ethminer.exe
	14f1de874c78221e7b6889af7463de69	WindowsService.exe
	47c8731b2526613e1e3bc61a88680cd0	rat.exe
	fbac126407b5735583dac5ea7cf519b3	SalatStealer
	4dc93730ebe04a9b508a9f9dae74ae09	miner.exe
	90e10b510144719613b1017abe227b87	titledetector.exe
	8dadf8a4b77a340fcbb402789f9a07db	agent
	4c8e8e2fdc23bb7b24e6b410eb69fb4a	scvhosts.exe
	79ea41812bd3310e11fc95403504f048	sc.msi
	1b1bd2783d4e8d1c2d444ffa8689677b	cvtres.exe
	16b70d148b66c20c709b7eed70100a96	source.exe
	e2af5595c9a0b7feaa9291b405d4c991	XMRIG _Miner
	b133229ed0be8788c84a975656a7339c	CoinMiner
	754b581c7e3593446f0a06852031564a	MeshAgent
	a7400236ffab02ae5af5c9a0f61e7300	NiceHash Miner
	d7d34c0559b3f6ba70be089e4cc6172c	lolMiner
PowerShell Scripts	02a4d24d0cdaa6f9a3ecf4b71e3f2eec
	2a153877acc9270406d676403e999490
	77f491c1c50e224d0c61ed608445d8a9
	c60a3307d21840d1e15ee78b07d3eb04
	d17b85de54d0c438c092c1e889b8c63f
	e35c04a7c31f8641757374404edea395
	fa8b5b5a302c0e353f4983973cf4b37e
	d2ad87a1fd1e8812c5ba4b259de4f885
Wallet Address	46NgyMUVMf6Xzsao9XR C6BTjJpjUJFfA12F8BPmD 86Y7biz4gZdjCWsSXMUZo mtuUs8crujryAvhRFMyvhzb s6naMKucHFi	Monero (XMR) wallet address
	RJe6FfyoWDq6M4i3b17LxvjdT2fSNTLTYA	Ravencoin (RVN) wallet address
	ZEPHsCY4zbcHGgz2U8 PvkEjkWjopuPurPNv8nnSFn M5MN8hBas8kBN4hooNKmc7uMRfU Qh4Fc9AHyGxL6NFARnc217m2vYgbKxf	Zephyr (ZEPH) wallet address
	bc1qyy0cv8snz7zqummg0yucd fzpxv2a5syu7xzsdq	Bitcoin (BTC) address
	bc1q7cpwxjatrtpa29u85tayvggs 67f6fxwyggm8kd	Bitcoin (BTC) address
	bc1qxhp6mn0h7k9r89w8amalqj n38t4j5yaa7t89rp	Bitcoin (BTC) address
	bc1qxnkkpnuhydckmpx8fmkp73e3 8dfed93uhfh68l	Bitcoin (BTC) address
	bc1qrtztxnqnjk9q4d5hupnla245c762 0ncj3tzp7h	Bitcoin (BTC) address
	bc1q9a59scnfwkdlm6wlcu5w76zm2 uesjrqdy4fr8r	Bitcoin (BTC) address
	bc1q97yd574m9znar99fa0u799rvm 55tnjzkw9l33w	Bitcoin (BTC) address
URL Distributing Malware	http://www[.]mydofiles[.]com/ MultiClicker[.]zip
	http://www[.]mydofiles[.]com/ ProCheatsInstaller[.]zip
	http://www[.]mydofiles[.]com/ RobloxCheatEngine[.]zip
	http://www[.]mydofiles[.]com/ ST-Bot[.]zip
	https://sourceforge[.]net/projects/ delta-executor-for-pc/files/latest/download
	https://ixpeering[.]dl[.]sourceforge[.]net/project/ delta-executor-for-pc/DeltaExecutor[.]zip?viasf=1
	https://sourceforge[.]net/projects/ delta-executor-for-pc/files/DeltaExecutor[.]zip/download
	https://cdn[.]discordapp[.]com/ attachments/1436383055471185961/ 1454995091423887442/Keyser[.]zip? ex=6953c606&is=69527486&hm= e3ba56d122cc6b6228d787d29c6b5db31 709fd16be119fa8d3a09d92cb0291e4&
	https://cdn[.]discordapp[.]com/attachments/ 1436746541669945409/1454995359754358875/ Matcha[.]zip?ex=6953c646&is=695274c6&hm= 1bae58927d0bcd6a1971b604644035ad938c1d535 61f7d4e951fdf5454d52f8d&
	https://cdn[.]discordapp[.]com/ attachments/1437009916224209018/ 1454995174328500318/CheatLoverz[.]zip? ex=69531d5a&is=6951cbda&hm= f1ac26bebf4394c43cbf21ed531f5dfdf7 d31f30853b126611c1a39b970b81bc&
	https://cdn[.]discordapp[.]com/attachments/ 1438966596222849134/1454995223171170386/ Complex[.]zip?ex=69531d65&is=6951cbe5&hm= b66d9539c0d487fc63125982db773e42eee01dfc 4bc5a28dc1a7a773134a7bc6&
	https://cdn[.]discordapp[.]com/attachments/ 1438966596222849134/1454995223171170386/ Complex[.]zip?ex=6953c625&is=695274a5&hm= 0d6ba0e247e275a9824a838969ee06452e188310 c434c5d852141bfad3eedff2&
	https://cdndownloads[.]com/ download?clickid=277af8wcia4d4b
	https://cdndownloads[.]com/ download?clickid=53ba0myoj8p617
	https://download[.]fosshub[.]com/Protected/ expiretime=1735860643;badurl=aHR0cHM6L y93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVV uaW5zdGFsbGVyLmh0bWw=/db8e43d66065d d656635ff00c50d96369d2fc4dddad18f52c5d00 05f868649b8/5b964d315dc7e865ea596350/67 3508bbeeeeed04938b399f/BCUninstaller_5 [.]8[.]2_setup[.]exe
	https://download[.]fosshub[.]com/ Protected/expiretime=1738877220; badurl=aHR0cHM6Ly93d3cuZm9z c2h1Yi5jb20vQnVsay1DcmFwLVVu aW5zdGFsbGVyLmh0bWw=/bd26 b0ced684ddb98f194568d7f05c819 71932a5bfb323ed73296940dd8ec74d/ 5b964d315dc7e865ea596350/673508bb eeeeed04938b399f/BCUninstaller_5[.]8[.] 2_setup[.]exe
Malicious ZIPs	001cdd8e978b8233a958cfb81b202 72a5d3a9c53ce2eb9dda28f0755f95f3e14	bluetoothCore.zip
	00226d16b97c2a2201ca806491f5a6df 3650a70c19e82b791740aaef7cf93e72	octet-stream
	00d70985e5e73cba934ffc7b886cea5df 2d9f04c72b80f1e653ae709910666da	FreeFireForPC.zip
	0165aa283b6dd66db66d5865907e75 3acc68b894fc8086bffe106ac3d550d0df	AIVoiceChanger.zip
	020b6449605713404d9ea6bd332df47 f815663f239b39c368208158b1411efb2	r6s-multi.zip
	04d3477a22a0693c3278c5a86f9c882 89a7ccc2565cb61f8a78c9b269666baff	EZFN.zip
	054d2da6e959466490cb0c3cdc2acb9 602e47ac56b977a3d365b4d1728eb2dd5	download
	057121dd0ecbb242f7a26ec277249614 7ae2ec2ee03abd6e79a2bfb5a6ac60e9	demonCore.zip
	063d5400db74f7e064141e3cb9bdc6e 71fec88956560de94c280cf59bbc65c78	Nihon-Executor.zip
	3be99fb0b3bcaa125583bd1763537216 34c090233dd018e56cd3fa8ac89c3aee	Panther-Stealer.zip
	07aa31bd8b220f79acd6b26accfb84ab 6b67f1e6b1baa57ad2f48c5db6771ec5	DeltaExecutor.zip
	1097bc1ed1dd2e46f65fe16f18f431a1539 cf73f97599aec2b81d1ad07f2e485	gta-5-online-mod-menu.zip
	112c08db627e759a499ab96e7964425f7 21fda8b56029e15ab27c762bf1d91cc	DeltaExecutor.zip
	113c38d3c1b6d6a87bc99dcfda4020245 47ecdbdc1d7577a4c0cb3a88569582a	Fortnite-External.zip
	116760f2d7d0b138a2d62683bc08d4620 87dbd278e491177ae9c978e1fddb1a0	roblox-multi.zip
	11b129c8373b6621343dbfe837e21c016f6 fe1f9bdbb2a40283c15cc046fd0ba	Matcha.rar
	1217e31084df1dbe3fb37cd2b0c65bc70ec2 0278ab11471f0adafe845ed482d9	roblox-counter-blox-multi.zip
	12e5890426baa26062077ec41d407ddfcd 8df88480cce6308c0b4064530e767f	AIAutoClicker.zip
	1366f9bf45a11fed9ec6a2f40a571f273661523 3567c3d91bb1b09916bf5068c	demonCore.zip
	140c985db532c9085b2de4adcc885a67199dac2 c36a465afd7a2655b4f797b17	TheExecutor.zip
	14df8e6e7aadab0866e1a7b17adb247014343f5e31 43249e78a6846051b1e620	AIVoiceChanger.zip
	152914827e68584725b0890a46d62e45122789 d1341e50f134b586aa7e139d3c	TemuForPC.zip
	179e55bb20de0def4f9a5272397a11b7 cb5b4c55a24539da22720f64738a95eb	AutoClicker.zip
	17e0302f15475a90e807550ea4abe57f e75a3630fbcc6d9b8feec4c645b7c31b	Roblox-Injector.zip
	17eff164be5859f8ed5b4c4d9969f9384 523f4ac9a8bd1b6e73ee2ea7d1761e2	1vqckj.zip
	188148aae3bdf973ba88b387db68feae da58daf3a70477766ac34f3b125651a9	Roblox-MMap-Injector.zip
	19c6d61936af8a650eebe50b7a21260 cbc365cb09e27b9104a095eda3dbc85a9	release-delta-executor.zip
	1aa12327f111d30f0a973070e2a941322b0 7710b9c90c02b0c5c0eda26c902cc	DeltaExecutor.zip
	1baea27d6148bf630d85c28b24d5aa91 14ad32800d10f2977acecd7845275ecf	Osiris.zip
	1cdd70b8b8aac60584f17b9396c5f8086 105c92e630fcb81649d395c461c71f9	TLifeForPC.zip
	1db8d6d66ab97ed3e1415a02b356a05d8 ec846d69e5fa533f443b8d5d29949ef	ProExt.zip
	206265f971c6b6bea2b74ceef0ec1417e79 54d2cb83261ffa1b63f82964e5792	Lo4f-Malware.zip
	347601eae5851ef7a6cf5a6b7f93ae6078 969bafd191f6a8812a20fa6bf43996	pubg-cheat.zip
	35aa1d44c71bdac70faa11b51fc29c13348e 99cf981faa7119861df3ab7e50ba	Complex.zip
	36b339f53a8bf65b030bedf5ad3bfde04eb dad3b150ec75ebb77f4a4b3c0cdd7	HWIDSpoofer.zip
	37aead580cea7b82a1e76cb642a9269b9a d1dcdb60f36660e59ee5f8e00cc7b8	AIVoiceChanger.zip
	42b0ba7953a014a56a27c07cb8c97c0109 a1b38b78f34f230ea356f9403007ee	sony-playstation-vita-emulator.zip
	3a02d75900ba42443c40667182711584b 83844911fdf212747b1e087269d3632	FortniteDev.zip
	3dafa158ccb63f989aaab41541ea9c02d2cf1a 2b5f50c5a7b98abc1bcadd73f1	r6-multi.zip

The post AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign appeared first on McAfee Blog.

Whether you’re a hardcore basketball fan or the office colleague who gets roped into filling out a bracket every year, March Madness is the season for brackets, office pools, and last-minute picks. 

More than half of Americans (57%) plan to watch the NCAA basketball tournament, and 55% say they participate in some kind of betting or bracket activity during March Madness, from office pools to licensed sportsbook wagers.  

But where there’s excitement and money, scammers aren’t far behind. 

New research from McAfee finds that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and 24% say they’ve lost money to one, with victims losing an average of $547. 

Big events like March Madness create the perfect storm: massive attention, constant betting promotions, and fans searching online for predictions, tips, and an edge. 

Scammers know it, and they’re exploiting the moment. 

Why March Madness is Prime Time for Betting Scams 

Sports betting promotions are everywhere during major events like March Madness. 

According to McAfee research, 82% of Americans say they’ve seen sports betting promotions or offers in the past year, often on social media, streaming broadcasts, and sports websites. 

That flood of promotions makes it easier for scams to blend in with legitimate content. 

Many scams start the same way legitimate offers do, through messages, ads, or links promising bonuses or tips. But once someone clicks or responds, the situation can escalate quickly. 

For example: 

• 42% of Americans say they’ve been asked to click a link sent via email tied to a betting offer 
• Others report links sent through social media messages or text messages directing them to betting sites, apps, or private betting groups 

In many cases, victims are then asked to send money to unlock winnings, activate accounts, or access premium betting picks. 

The payout rarely exists. 

The Most Common Betting Scams Fans Encounter 

Betting scams come in several forms, but many follow familiar patterns. 

Here are some of the most common tactics reported in McAfee’s research: 

Scam Type	Definition	How It Works	Red Flags
Guaranteed Win Scam	A betting scam where someone promises a “guaranteed win,” “sure bet,” or “can’t lose” outcome in exchange for money, clicks, or sign-ups. According to McAfee Findings, about 1 in 6 Americans say they’ve received these kinds of messages, which are designed to lure fans looking for an edge.	Scammers send private messages, emails, or social posts claiming they have insider knowledge or a lock on a game. The goal is usually to get the victim to pay for picks, join a private group, or click a malicious link.	Claims that a bet is guaranteed, pressure to act fast, requests for payment to access picks, and promises that sound risk-free.
Fake Free Bet Promotion Scam	A scam that pretends to offer bonus bets, deposit matches, or free credits through a fake sportsbook promotion.	The victim sees what looks like a real sportsbook offer, often through social media, email, or text. Clicking may lead to a fake site that steals login details, payment information, or deposits.	Unfamiliar brand names, unofficial links, urgent sign-up language, and promotions that seem unusually generous.
Winnings Release Fee Scam	A scam where a victim is told they have winnings waiting, but must first pay a fee, deposit, or processing charge to collect them.	The scammer claims the user has won money, then invents a reason payment is required before the funds can be released. Once the fee is sent, the payout never arrives.	Requests to pay before receiving winnings, vague “processing” or “verification” fees, and pressure to send money immediately.
Fake Betting App or Website Scam	A scam involving a fraudulent app or website designed to look like a real sportsbook or betting platform.	Victims are directed to a fake platform where they may create an account, enter personal information, or deposit money. The site may appear legitimate, but withdrawals are blocked or impossible.	Slightly misspelled URLs, strange app download paths, poor website quality, and platforms that make deposits easy but withdrawals difficult.
Sportsbook Impersonation Scam	A scam in which someone pretends to represent a legitimate betting platform or sportsbook support team.	The scammer contacts the victim claiming there is an issue with an account, a bonus, or winnings. They then ask for login credentials, payment details, or personal information.	Requests for passwords, bank details, or identity information; unexpected outreach; and messages pushing you to resolve an “account issue” through a link.
Fake Insider Tip Scam	A scam that uses claims of insider information, fixed games, or special access to make a betting offer sound exclusive and trustworthy.	Scammers position themselves as experts, insiders, or connected sources who can help the victim beat the odds. The real goal is usually payment, account access, or enrollment in a scam betting channel.	Claims of fixed outcomes, “insider” knowledge, exclusive access, and offers that rely on secrecy or urgency.
Celebrity or Influencer Endorsement Scam	A betting scam that uses fake or misleading celebrity, athlete, or influencer endorsements to make an offer seem legitimate.	Scammers create ads, videos, or posts that appear to feature a public figure recommending a betting platform, app, or tip service. In some cases, AI-generated content makes these endorsements look more convincing.	Endorsements that seem off-brand, videos or graphics that look unnatural, unfamiliar accounts, and promotions tied to fake urgency or suspicious links.
Private Betting Group Scam	A scam that tries to move betting conversations into private channels like WhatsApp, Telegram, or Signal.	After initial contact on social media or another public platform, the scammer encourages the victim to join a private group for “exclusive picks,” “VIP bets,” or “premium insights.” These groups are often used to pressure victims into sending money or clicking malicious links.	Pressure to move off-platform quickly, promises of VIP access, requests for payment to join, and little proof that the group is legitimate.

AI Is Making Betting Scams Harder to Spot 

Artificial intelligence is beginning to change how scams look and sound. 

About 1 in 5 Americans say they’ve encountered betting scams that appeared more realistic because of AI, and 27% believe they’ve seen AI-generated betting content such as fake promotions, images, or videos.  

Among those who encountered AI-driven scams: 

• 58% reported AI-generated images or graphics in betting ads 
• 57% saw AI-written messages that sounded natural or personalized 
• 45% encountered fake celebrity or influencer endorsements 
• 36% interacted with chatbots posing as betting experts or support agents  

As these tools improve, scam messages are becoming smoother, more convincing, and harder to distinguish from legitimate promotions. 

Safety Check	What To Do
Be skeptical of “guaranteed wins”	No bet is risk-free. Ignore messages promising sure bets, insider picks, or guaranteed outcomes.
Use only licensed sportsbooks	Stick to official betting apps and well-known sportsbooks. Avoid unfamiliar websites or apps.
Don’t click betting links from unknown messages	If you receive a betting offer via email, text, or social media, go directly to the official site instead of clicking the link.
Never pay fees to unlock winnings	If someone says you must send money to claim winnings or activate a betting account, it’s almost certainly a scam.
Be cautious of private betting groups	Invitations to “VIP betting groups” on apps like Telegram or WhatsApp are often used to promote scam picks or collect payments.
Protect your accounts	Use strong passwords and turn on two-factor authentication wherever possible. Try our free strong password generator.
Use scam detection tools	Tools like McAfee’s Scam Detector can flag suspicious links, websites, and messages before you engage.

March Madness is meant to be fun, filling out brackets, debating picks with friends, and cheering for the next big upset. Betting can be part of that excitement, but it’s worth remembering that scammers are watching the tournament too. 

A simple rule of thumb can go a long way: if a betting offer promises guaranteed wins, asks for money upfront, or pushes you to act quickly, take a step back and verify it first.  

The safest plays are the ones where you slow down, stick to trusted platforms, and keep your personal information protected. 

If You or Someone You Know Needs Help 

Sports betting can be fun, but for some people it can become difficult to manage. If you or someone you know is struggling with gambling, help is available through the National Problem Gambling Helpline (1-800-MY-RESET), operated by the National Council on Problem Gambling. 

The post 1 in 3 Has Experienced a Betting Scam. What March Madness Fans Should Know appeared first on McAfee Blog.

McAfee Total Protection has been recognized with three major honors in the AV-TEST Best Awards 2025, receiving awards for Best Performance, Best Advanced Protection, and Best Usability. 

Among consumer security products, McAfee was the only solution to receive both the Best Performance and Best Advanced Protection awards, highlighting its ability to deliver strong security while keeping everyday devices running smoothly. 

The awards are issued by AV-TEST, an independent cybersecurity research institute that evaluates security products through thousands of lab tests each year. 

Together, these recognitions reinforce what matters most for people using security software every day: protection that works quietly in the background without slowing down your system or interrupting your workflow. 

How Big is an AV-TEST Award? 

Pretty big! The AV-TEST Awards recognize security products that deliver consistently strong results across independent testing throughout the year. 

To qualify, products must demonstrate exceptional performance across multiple categories, including protection against modern threats, system performance impact, and usability. 

In the 2025 test cycle, McAfee Total Protection earned recognition in three key areas. 

Best Performance Award 

Security software needs to protect your system without slowing it down. 

In AV-TEST’s Windows performance testing, researchers measure how much a security solution impacts system resources during everyday tasks such as launching applications, installing programs, browsing the web, and copying files. 

McAfee Total Protection earned the Best Performance Award for maintaining strong protection while keeping system impact minimal. 

For users, that means protection that runs efficiently in the background so your PC stays responsive while you work, stream, or game. 

Best Advanced Protection Award 

Modern cyberattacks rarely rely on a single tactic. Today’s threats often combine multiple techniques, including ransomware, infostealers, and other advanced attack methods. 

To evaluate how well security products handle these complex threats, AV-TEST runs Advanced Threat Protection (ATP) tests, which simulate real-world attacks using the latest techniques. 

In the 2025 testing cycle, McAfee Total Protection delivered consistently strong results across these real-world attack scenarios, earning the Best Advanced Protection Award for consumer users. 

These results demonstrate how multiple protection layers inside the product work together to detect and stop threats, even if an attack attempts to bypass initial defenses. 

Best Usability Award 

Strong security should also be easy to live with. 

In AV-TEST’s usability tests, researchers evaluate how accurately a product distinguishes between legitimate files and malicious ones, while monitoring for false alarms. 

McAfee Total Protection earned the Best Usability Award for its accurate threat detection and low rate of false positives. 

That means fewer unnecessary alerts and interruptions, while still maintaining strong protection against real threats. 

Recognition from AV-TEST 

According to AV-TEST’s testing team, McAfee stood out across multiple categories in the 2025 evaluation. 

“The team of the AV-TEST Institute is delighted to present McAfee with three of the highly coveted trophies. The manufacturer received recognition for its consistently efficient use of system resources, clear distinction between benign and malicious files, and strong results in Advanced Threat Protection testing.”
— Marcel Wabersky, Lead Mobile & Network Testing, AV-TEST 

What is the AV-TEST Institute 

Independent testing plays an important role in helping consumers evaluate cybersecurity tools. 

The AV-TEST Institute is an independent IT security research organization based in Germany and operating for more than 20 years. The institute runs one of the world’s largest testing laboratories dedicated to cybersecurity products. 

From its headquarters in Magdeburg, Germany, AV-TEST researchers analyze new malware, study emerging attack techniques, and conduct large-scale comparative testing of security software used by both consumers and businesses. 

These tests are designed to be standardized, transparent, and repeatable, allowing security products to be evaluated under the same conditions across multiple vendors. 

The AV-TEST Best Awards recognize products that deliver consistently strong results across a full year of testing. Because the awards are based on sustained performance rather than a single test cycle, they are widely used as an indicator of long-term security reliability. 

For McAfee users, these awards reinforce the goal behind McAfee Total Protection: delivering powerful protection that stays fast, accurate, and easy to use. 

Frequently Asked Questions  

FAQ

Q: What are the AV-TEST Best Awards?   A: The AV-TEST Best Awards are annual honors given by the independent cybersecurity testing institute AV-TEST. The awards recognize security products that deliver consistently strong results across a full year of testing in areas such as protection, performance, and usability.

Q: What awards did McAfee win in the AV-TEST Awards 2025?   A: McAfee Total Protection received three AV-TEST Best Awards for 2025: Best Performance, Best Advanced Protection, and Best Usability. McAfee was also the only consumer security product to receive both the Best Performance and Best Advanced Protection awards in the 2025 evaluation.

Q: What does the AV-TEST Best Performance award mean?   A: The AV-TEST Best Performance award recognizes security software that provides strong protection while using minimal system resources. AV-TEST measures how security products affect everyday activities such as launching programs, installing applications, browsing the web, and copying files.

Q: What is Advanced Threat Protection (ATP) testing?   A: Advanced Threat Protection (ATP) testing simulates real-world cyberattacks using techniques such as ransomware and infostealer malware. AV-TEST runs these scenarios to evaluate how well security products detect and stop attacks at multiple stages of an infection attempt.

Q: What does the AV-TEST Best Usability award measure?   A: The AV-TEST Best Usability award evaluates how accurately security software distinguishes between safe files and malicious threats. Products that score well demonstrate strong detection capabilities while minimizing false alarms and unnecessary alerts.

Q: Why do independent cybersecurity tests matter?   A: Independent cybersecurity testing organizations like AV-TEST evaluate security products using standardized and transparent testing methods. These tests help consumers compare protection tools based on measurable results rather than marketing claims.

 

The post McAfee Wins 3 Major AV-TEST Awards for 2025 Security Performance appeared first on McAfee Blog.

This week in scams, the Pokémon Trainer pursuit to “catch ’em all” is being hijacked by criminals posting fake trading card listings online; duping buyers, including young collectors, out of hundreds of dollars. 

Meanwhile, threatening email extortion scams claiming your personal data has been stolen are flooding inboxes around the world. And a viral “wedding photo” of Tom Holland and Zendaya shows how AI-generated images can blur the line between real and fake online. 

Here’s what to know. 

Pokémon Card Scams Surge on Online Marketplaces 

The booming market for collectible Pokémon cards has become a new target for scammers. 

According to reporting from The Straits Times, Singapore police recently arrested a 25-year-old man suspected of running a series of e-commerce scams involving Pokémon trading cards. Victims reportedly lost more than $135,000 after paying for limited-edition cards that never arrived. 

Authorities say the suspect allegedly advertised pre-orders for rare cards on the online marketplace Carousell. After receiving payment through bank transfers or digital payment apps, the seller either became unreachable or claimed there were delivery problems. 

Police say at least 35 reports tied to the suspect have been filed since October 2025, and more broadly there have been over 600 reported Pokémon card e-commerce scams totaling more than $1.1 million in losses during that same period. 

Why this matters: 

Collectibles create the perfect storm for online scams. Limited releases, hype, and rising resale values make buyers feel pressure to act quickly before items “sell out.” Scammers take advantage of that urgency. 

How to Stay Safe When Buying Collectibles Online 

If you’re buying trading cards or other collectibles online: 

• Buy from authorized retailers or well-established marketplaces 
• Avoid sellers who require direct bank transfers or payment apps upfront 
• Use platforms with buyer protection or escrow payment systems 
• Be cautious of sellers who suddenly move the conversation to WhatsApp, Telegram, or other messaging apps 

When demand spikes for a product, whether it’s sneakers, concert tickets, or Pokémon cards, scams usually follow. 

The “Your Data Was Stolen” Email Extortion Scam 

Another scam spreading widely right now arrives in a much more intimidating format: a threatening email claiming hackers have stolen your personal data. 

According to reporting from Fox News, many people are receiving messages that claim the sender has access to their passwords, files, or financial information. The message then demands payment in Bitcoin to prevent the data from being sold on the dark web. 

At first glance, these emails can feel frightening. They often use dramatic language like: 

• “I have your complete personal information” 
• “Your files and devices are compromised” 
• “Pay within 48 hours or your data will be leaked” 

But in most cases, there’s one major problem with the claim. 

There’s no proof. 

Security experts note that these messages usually include no screenshots, no passwords, and no evidence of a real breach. Instead, scammers send the same message to thousands of email addresses at once, hoping a small percentage of recipients will panic and pay. 

Often, the scammers obtained your email address from old data breach lists circulating online, which makes the message feel more believable. 

What to Do If You Receive One of These Emails 

If you receive a threatening extortion email: 

• Do not reply
• Do not send money
• Mark the message as spam or phishing
• Delete it

Reporting the message helps email providers improve spam filters and prevent similar scams from reaching others. 

The biggest tactic here is fear. Once you slow down and evaluate the message, the scam usually falls apart. 

That Viral Tom Holland and Zendaya “Wedding Photo”? AI 

A viral image circulating on social media this week claimed to show Tom Holland and Zendaya’s wedding, sparking massive speculation online. 

But many viewers quickly suspected the image wasn’t real. 

According to reporting on Yahoo Entertainment, the photo appeared to originate from a fan account on X (formerly Twitter) that claimed the image had been “confirmed” by major outlets like Vogue and Cosmopolitan. However, no such confirmation existed, and soon the official label was added marking the content as AI-generated. 

Celebrity rumors already spread quickly online. Add generative AI to the mix, and fabricated images can travel even faster. 

While a fake celebrity wedding photo may seem harmless, the same technology can easily be used in more serious ways. 

AI-generated visuals are already being used to create: 

• Fake celebrity endorsements 
• Fabricated news events 
• Scam ads featuring public figures 
• Fraudulent investment promotions 

The line between real and synthetic content is getting harder to spot. 

How to Spot Potential AI Images 

If a viral image seems surprising or dramatic: 

• Check whether credible news outlets or verified accounts are reporting it 
• Look for visual inconsistencies in hands, text, or background details 
• Reverse image search the photo to see where it first appeared 
• Verify through official sources before sharing 

When something looks shocking online, that’s often exactly why it spreads. McAfee’s built-in Scam Detector can help you spot AI-generated audio and video. 

McAfee’s Safety Tips This Week 

A few simple habits can help reduce your risk across all three of these scenarios: 

• Be cautious when buying high-demand collectibles online 
• Never send money in response to threatening emails 
• Treat viral images and breaking celebrity news with healthy skepticism 
• Use strong, unique passwords and enable two-factor authentication 
• Verify surprising claims through trusted sources before reacting 

Scams today don’t always look like scams. They often look like exciting deals, urgent warnings, or AI depictions of people you trust. 

The best defense is slowing down before clicking, paying, or sharing. 

We’ll Be Back Next Week 

From collectible card fraud to email extortion campaigns and AI-generated viral content, the tactics scammers use may change, but the strategy is the same: manipulate emotion and urgency. 

Stay skeptical, verify before you trust, and we’ll be back next week with another breakdown of the scams making headlines, and what they mean for your security. 

The post This Week in Scams: Pokémon Card Cons, Email Extortion, and a Viral AI Wedding Photo appeared first on McAfee Blog.

Tax season is a headache for many people, and when a shortcut promises to make filing easier, it’s hard to resist. This year, one of the newest trends is using AI chatbots like ChatGPT to help prepare tax returns.

According to new McAfee research, 30% of people say they plan to use an AI tool, such as ChatGPT, to help with their taxes, with younger adults leading the trend. 

At first glance, it makes sense. AI tools can explain confusing tax rules, summarize IRS forms, and answer questions instantly. 

But there’s an important line that should never be crossed: Do not enter your personal tax information into AI chatbots. 

That includes Social Security numbers, income records, home addresses, bank details, or anything else tied to your identity. 

Here’s why: 

Typing Your Tax Info Into a Chatbot Is Like Posting It Online 

Think about it this way: when you type something into an AI chatbot, you’re sending that information over the internet to a system that processes and stores data. 

In practical terms, entering sensitive information into an AI tool is similar to typing it directly into a search engine or submitting it to an online form. 

Once it leaves your device, you lose direct control over where it travels and how it may be stored. 

Even companies with strong security protections are transparent about this risk. 

OpenAI’s privacy documentation explains that they use encryption and strict access controls to protect user data. However, they also note that no internet transmission or digital storage system can be guaranteed completely secure. 

This is true across the internet, not just for AI tools.  

Even Secure Systems Can Experience Breaches 

Security incidents can happen anywhere online, including companies with robust security programs. 

For example, in late 2025, OpenAI disclosed a security incident involving a third-party analytics provider called Mixpanel. The breach occurred within the vendor’s systems, not OpenAI’s infrastructure, but some limited user profile data associated with the platform was exposed. 

According to OpenAI’s disclosure, the data involved information such as: 

• Names associated with accounts 
• Email addresses 
• Approximate location data 
• Browser and device information 

Importantly, chat content, passwords, payment information, and government IDs were not exposed in that incident. 

But the event highlights a broader cybersecurity reality: 

Even when a company takes strong security precautions, third-party services, vendors, and other parts of the digital ecosystem can still introduce risk. 

That’s why cybersecurity experts recommend limiting what personal information you share online whenever possible. 

Why Tax Data Is Especially Dangerous to Share 

Tax information is one of the most valuable targets for cybercriminals. 

If scammers obtain the details commonly found in tax filings, they may be able to: 

• Commit tax refund fraud 
• Open financial accounts in your name 
• Conduct identity theft 
• Launch highly personalized phishing attacks 

Tax returns typically include multiple pieces of highly sensitive data, including: 

• Social Security numbers 
• Home addresses 
• Employer and income information 
• Banking details for refunds 
• Family member information 
• Entering these details into any tool outside of a secure tax platform significantly increases risk. 

Safer Ways to File Your Taxes 

Instead of relying on AI chatbots for filing, stick with trusted tax preparation options designed to securely handle sensitive data: 

• Official tax software platforms 
• Licensed tax professionals 
• IRS-approved free filing services 

These systems are specifically built with compliance, encryption, and identity verification in mind. 

AI tools can be incredibly useful for learning and research. But they are not secure tax filing platforms. 

If you wouldn’t feel comfortable posting your Social Security number publicly online, you shouldn’t paste it into a chatbot either. When it comes to taxes, the safest rule is simple: Use AI for advice, not for your personal data. 

The post Using an AI like ChatGPT to File Your Taxes? Stop and Read This First appeared first on McAfee Blog.

We’re back with another roundup of must-know scams and cybersecurity news making headlines this week, including a scam that features the name of the Jim Carrey movie, The Truman Show.

Let’s break it down. 

Why Reports Call it the “Truman Show” Scam 

So, why the name of this scam?

In the 1998 film The Truman Show, the main character unknowingly lives inside a staged reality TV world where everything around him is carefully controlled. In the “Truman Show” scam, criminals try to place victims into a similarly staged investment environment, complete with fake group chats, fake investors, and fake profits designed to build trust. It doesn’t actually have anything to do with the movie.

What is the “Truman Show” Scam?

The “Truman Show” scam is an AI-powered investment scam where criminals create an entire fake online community to convince victims an investment opportunity is real. 

According to reports, scammers invite people into group chats on platforms like Telegram or WhatsApp that appear full of investors sharing tips and celebrating profits. In reality, many of the participants, moderators, and conversations may be run by AI bots designed to simulate a lively trading community. 

Security researchers say the moderator and the other “investors” in the group may actually be AI-driven bots, programmed to simulate real conversations and enthusiasm around the investment strategy. 

The scam often includes: 

• A group chat on Telegram or WhatsApp 
• A downloadable trading app or website 
• Screenshots showing fake profits 
• Encouragement from “other members” to invest more 

The app itself may appear legitimate. But in reality, it often redirects users to a malicious website where scammers collect personal and financial information. 

Once victims deposit money, the criminals can quickly drain accounts or block withdrawals. 

McAfee’s State of the Scamiverse research shows just how convincing scams have become. One in three Americans (33%) say they feel less confident spotting scams than they did a year ago, as criminals increasingly use polished branding, realistic conversations, and AI-generated content to make fraudulent opportunities look legitimate. 

Why this works: people naturally trust social proof. When it looks like dozens of other investors are making money, people lower their skepticism.  

Fake Government Letters Are Targeting Residents Across Towns 

Another scam to be aware of this week includes spoofed letters impersonating local government offices.

According to reporting from WGME in Maine, residents in multiple towns recently received official-looking notices requesting payment for supposed municipal fees tied to development applications. 

The letters appeared convincing. They used formal language, official seals, and department names. But there was a problem. 

One of the notices claimed it came from a “Board of Commissioners,” even though the town in question does not have one. 

Officials say the letters instructed recipients to send payments by wire transfer, a method legitimate government offices almost never use for these kinds of transactions. 

McAfee’s experts say these scams are effective because they rely on volume. Fraudsters send thousands of letters hoping a small percentage of recipients will respond before verifying the request. And remember, these types of scams occur all the time and across the globe. While today’s reports are in Maine, it’s important to be vigilant wherever you live. 

Red flags to watch for: 

• Requests for wire transfers, gift cards, or crypto payments 
• Pressure to pay quickly to avoid penalties 
• Official-looking letters with subtle inconsistencies 
• Contact information that doesn’t match the official government website 

The safest move is simple: verify the request independently. Contact the government office directly using phone numbers listed on its official website, not the ones in the letter. 

LexisNexis Confirms Data Breach After Hackers Leak Files 

Meanwhile, a well-known data analytics company is dealing with a breach after hackers published stolen files online. 

According to BleepingComputer, LexisNexis Legal & Professional confirmed that attackers accessed some of its servers and obtained limited customer and business information. The confirmation came after a hacking group leaked roughly 2GB of stolen data on underground forums. 

LexisNexis says the compromised systems contained mostly older or “legacy” data from before 2020, including: 

• Customer names 
• User IDs 
• Business contact information 
• Product usage details 
• Support tickets and survey responses 

The company says highly sensitive financial information, Social Security numbers, and active passwords were not part of the exposed data. 

However, attackers claim they accessed millions of database records and hundreds of thousands of cloud user profiles tied to the company’s systems. 

LexisNexis says it has contained the intrusion and is working with cybersecurity experts and law enforcement. 

Why breaches like this matter: even when the stolen data appears limited, it can still be used in targeted phishing attacks. 

For example, scammers might use real names, email addresses, or business roles to send convincing messages that appear legitimate. 

Breaches often trigger waves of follow-up scams weeks or months later. (We know we cover this one a lot, but it’s key to remember!) 

McAfee’s Safety Tips This Week 

A few simple habits can make these schemes much easier to spot. 

• Be skeptical of investment groups online. Real trading communities rarely pressure you to deposit money quickly or download unfamiliar apps. 
• Verify government payment requests independently. If you receive a letter demanding payment, contact the agency directly using information from its official website. 
• Treat breach-related messages cautiously. After a breach makes headlines, phishing emails often follow pretending to offer “account verification” or “security updates.” 
• Avoid clicking unfamiliar links in emails or texts. Tools like McAfee’s free WebAdvisor can help flag risky websites and block known malicious pages before they load. 
• Pause before sending money or personal information. Many scams rely on urgency. Slowing down gives you time to verify what’s real.

We’ll be back next week with another roundup of the scams and cybersecurity news making headlines and what they mean for your digital safety. 

The post This Week in Scams: The AI “Truman Show” Scam Draining Bank Accounts appeared first on McAfee Blog.

John C. isn’t the person you picture getting scammed. 

He’s 36. He’s tech-savvy. He’s a mechanical engineer leading a team at a national energy lab in Denver. And he told us his story for one reason: “Scammers will target anyone.” 

It began with a phone call from someone claiming to be the IRS. They said John had underpaid his taxes and needed to resolve it quickly. The caller sounded polished and convincing, so convincing that John didn’t stop to question it. 

“I thought maybe they sent back too much money [in my refund], and they needed it back,” he said. “I was just so busy and overwhelmed that I never really stopped to think about the situation.” 

A follow-up email arrived with IRS logos, clean formatting, and a big payment button. John was trying to move fast between classes as he finished up his PhD, and he wanted to correct the situation as quickly as possible. 

“I was like, let me just hurry up and do this, get it over with.” 

He clicked. He paid. But later, when he checked his statement, he saw the charge didn’t look like an IRS payment at all. In fact, it was an international charge. The whole thing was a scam. 

John said the scammer on the phone had appealed to his emotions and been incredibly convincing.  

“It was absolutely masterful,” John said. “I would give him an Oscar for it. 

And new McAfee research shows John isn’t alone, with nearly 1 in 4 (23%) US adults surveyed revealing they’ve lost money to a tax scam.  

Key findings from McAfee’s 2026 Tax Season Survey 

Here’s what our January 2026 survey of 3,008 U.S. adults found: 

The big picture: lots of worry, not enough confidence 

• 82% of Americans say they’re concerned about tax fraud this season. 
• 67% say they’re seeing the same or more tax scam messages than last year. 
• 40% say tax scam messages are more sophisticated than last year. 
• 84% are concerned about AI making tax scams more realistic. 
• Only 29% say they’re very confident they could spot a deepfake tax scam. 

How often scams are reaching people 

• 34% say they’ve been contacted by someone claiming to be the IRS or another tax authority (phone, text, or email). 
• 38% say they’ve been asked to click a link or send payment related to a “tax issue.” 
• Common asks include SSNs (15%), birth dates (11%), addresses (10%), “you owe back taxes” pressure (9%), and banking details (8%). 

Who is getting hit hardest 

• Nearly 1 in 4 Americans (23%) say they’ve fallen for a tax scam. 
• Young adults report the highest exposure: 42% of 18–24-year-olds say they’ve fallen for at least one tax scam. 
• 11% of Americans report tax-related identity theft, rising to 17% among ages 25–34. 

The money is real 

• Among people who say they’ve fallen for a tax scam, the average loss is $1,020. 
• Separately, nearly 1 in 5 Americans say they’ve lost money to a tax scam. 

Tax filing is increasingly digital (and that changes the risk) 

• 55% say they file taxes online (software or IRS Free File). 
• 75% say they receive refunds or pay taxes electronically (direct deposit, cards, apps, EFTPS, etc.). 
• 30% say they plan to use an AI tool (like ChatGPT) to help prepare taxes, especially younger adults. This is highly dangerous, even with platform security protections. For example, if an AI tool were compromised in a data breach, user messages with personal tax information (like social security numbers, home address, and more) could be made public.  

Tax Scams Now Hit Year-Round, McAfee Labs Finds 

In addition to our consumer survey findings, McAfee Labs analyzed malicious URLs, apps, texts, and emails in the months leading up to filing season. 

The major takeaway: tax scams don’t wait for April. 

Scam activity began climbing as early as November and has again continued building steadily into 2026. 

Between September 1, 2025, and February 19, 2026, McAfee Labs identified 1,468 malicious or suspicious tax-themed unique domains, an average of 43 new fake tax websites every day. 

In early November 2025 alone, the average number of new tax-themed malicious domains nearly doubled in just over a week. After a brief dip in late December, activity resumed climbing into February, a pattern we expect to intensify as the April filing deadline approaches. 

 

Fake IRS Websites Are A Major Threat 

Scammers are rapidly creating lookalike IRS domains that mimic official government URLs.  

They use small changes, extra letters, added words, subtle misspellings, to trick taxpayers into believing they’re on a legitimate IRS site. 

Examples include domains that insert additional text around “irs.gov” or add misleading subdomains designed to pass a quick glance. 

These fake portals are used to: 

• Steal login credentials 
• Harvest Social Security numbers and tax IDs 
• Capture payment details 
• Charge bogus “processing fees” 

In some cases, these sites don’t just steal, they overcharge. 

McAfee Labs observed scam services offering to file for an EIN (Employer Identification Number), something the IRS provides for free, and charging as much as $319 for it. 

Example of a scam website we found charging for an EIN. 

The official IRS website explicitly warns: you never have to pay a fee to obtain an EIN. 

Other scam sites misuse legitimate policy terms, like the “Fresh Start Initiative,” to harvest personal data and enroll victims in aggressive robocall and marketing campaigns. 

Tax scams don’t always steal outright. Sometimes they monetize confusion. 

How a Typical Tax Scam Unfolds 

Most tax scams aren’t one single message. They’re a sequence, designed to make you panic, click, and comply. 

Below is the common playbook, plus the red flags that show up repeatedly. 

*Note: Scammers may swap the details like AI voice, fake IRS videos, cloned websites, or impersonating tax software, but the pattern stays familiar. 

Step	What happens	Red flags you’ll see at this step	Red flags that are true every time	What to do instead
1) The hook	You get a call, text, or email claiming there’s a tax issue (refund problem, underpayment, verification needed).	Message arrives out of nowhere, often during busy hours; “final notice” language; spoofed caller ID.	Unexpected contact + urgency.	Don’t engage. Pause. Go directly to IRS.gov or your tax provider’s official site (type it in).
2) The authority move	They lean hard on being “the IRS” or “state tax authority,” sometimes with personal details.	They sound polished; may use AI voice cloning; may cite a “case number.” Fake or meaningless case numbers are very common.	They want you to trust the title, not verify the source.	Ask for written notice and time. Real tax issues can be verified through official channels.
3) The link	They send a link to a “secure portal” or “refund page.”	Lookalike website, subtle misspellings, weird domain, shortened link, email button that says “Pay Now.”	They’re trying to pull you off official channels.	Never click the link. Navigate to the real site yourself. If unsure, delete it.
4) The data grab	The site (or “agent”) asks for SSN, banking info, login credentials, or details from a prior return.	Requests that are broader than needed; “verify identity” prompts; form fields that feel too invasive.	They want sensitive info fast.	Stop. Don’t type anything. If you already did, assume it’s compromised and act quickly (see next section).
5) The payment push	They demand payment to “avoid penalties,” “release your refund,” or “resolve a mistake.”	Gift cards, crypto, wire transfers, payment apps; pressure to pay today; threats.	Urgency + unusual payment method.	The IRS does not demand immediate payment via text/social, and doesn’t require gift cards or crypto. Verify independently.
6) The escalation	If you hesitate, they intensify: threats, “law enforcement,” or AI video/audio that “proves” it’s real.	Deepfake IRS video, intimidating language, “you’ll be arrested,” “your license will be revoked.”	Fear is the product.	Hang up. Save evidence. Talk to a trusted person. Contact official support through verified numbers.
7) The aftermath	You realize it was a scam—often after noticing a strange charge or login activity.	Charges from odd merchants; new accounts; IRS account alerts; failed tax filing due to “duplicate return.”	Shame keeps people quiet—scammers count on that.	Report it and protect your identity right away. You’re not alone, and it’s not your fault.

Key point: A message can look “official” and still be fake. AI is making scam language smoother and scams more believable. The safest habit is simple: slow down, and verify using official sources you navigate to yourself. 

What to do if you’ve been involved in a tax scam 

First: take a breath. Scams are designed to trick you, especially when you’re overwhelmed, rushed, or just trying to fix a problem quickly. 

John said it plainly: “Don’t be embarrassed. It does happen. It’s common… they will target anyone.” 

And he’s right. The most important thing is what you do next. 

1) Stop the bleeding: cut off contact 

• Stop replying 
• Don’t click anything else 
• Don’t send more information or money 

2) Capture proof (before it disappears) 

Take screenshots and save: 

• Phone numbers, email addresses, usernames 
• The message content 
• Links (don’t click them, just copy) 
• Payment receipts and transaction IDs 

3) Lock down your accounts (especially email) 

If a scammer gets into your email, they can reset passwords for everything else. 

Do this today: 

• Change your email password first, then banking/tax accounts 
• Turn on two-factor authentication (2FA) 
• If you reused passwords anywhere, change those too 

Important: If you clicked a suspicious link, downloaded a file, or gave someone remote access to your computer, make sure you use a different, trusted device (like your phone or another computer) to change passwords. Why? If a scammer installed malware or has access to your computer, they may be able to see all of your brand-new passwords as you’re making them. 

Tip: A password manager like McAfee’s can help you create strong, unique passwords quickly, without having to memorize them all. 

4) Check for identity theft signals 

Tax scams often turn into identity theft. Watch for: 

• IRS notices about a return you didn’t file 
• Trouble e-filing because a return was already submitted 
• Alerts about a new IRS online account you didn’t create 

If you suspect tax-related identity theft: 

• Consider filing an IRS identity theft report (commonly done with IRS Form 14039, Identity Theft Affidavit). 
• Create or log into your IRS account periodically to review account activity (John now does this every few months). 

McAfee’s Identity Monitoring can help restore your sense of security and privacy online.  

5) Report it (even if you feel weird about it) 

Reporting helps you and helps stop the next person from getting hit. 

Common reporting options include: 

• FTC report: Report scams and identity theft at the FTC’s reporting site. 
• IRS phishing email: If you received a scam email posing as the IRS, you can forward it to phishing@irs.gov. 
• Your bank or card provider: If you paid, contact them immediately. Even if recovery isn’t guaranteed, speed matters. 

6) Clean up your digital footprint 

Scammers don’t just use what you give them. They also use what they can look up. 

Removing your personal details from risky data broker sites can reduce how easily scammers can target you again. Tools like Personal Data Cleanup can help you identify where your information is exposed and guide removal. 

7) Add protection for the next attempt 

Tax season scams often come in waves, especially if scammers think your info is “good.” 

Helpful layers include: 

• Web protection to warn you about risky links and lookalike sites before you enter info – get our free WebAdvisor download here 
• Scam detection that can flag suspicious messages 
• Identity monitoring to alert you if key personal info shows up in risky places 
• Run a free antivirus scan to check your device for malware or unwanted programs (especially if you clicked a link or downloaded anything) 

The key takeaway 

Tax season creates the perfect storm: time pressure, sensitive data, and a lot of official-looking communication. 

Our research shows most people are worried, and for good reason. Scammers are getting more convincing, and AI is raising the bar on what “real” looks and sounds like. 

“Tell your friends, tell your family,” John said. “Everyone I know at some point has heard this story, and it might just prevent someone from losing… thousands of dollars.” 

If you remember just three things this season, make them these: 

1. Pause before you click. 
2. Verify through official channels you navigate to yourself. 
3. If something happens, act quickly, and don’t blame yourself. 

The post Tax Scams Hit Nearly 1 in 4 Adults. Spot the Red Flags appeared first on McAfee Blog.

This week in scams, we’re looking at three very different stories with the same underlying theme: trust is being exploited at scale. 

A massive government contractor data breach has quietly grown to affect more than 25 million people. Meanwhile, a viral AI-generated image of Mary-Kate and Ashley Olsen posing in a fake luxury campaign is spreading across social media, fooling some users and alarming others. 

And in a new threat report, OpenAI detailed how its own tools are being misused for dating scams, impersonation, and influence operations. 

Let’s break it down. 

The Conduent Data Breach Now Impacts 25+ Million People 

The fallout from a ransomware attack on Conduent, one of the largest government contractors in the U.S., continues to expand. 

According to reporting from TechCrunch, updated state-level breach notifications now indicate that more than 25 million people across the U.S. have had personal data exposed. 

Conduent provides services tied to state benefit programs, including food assistance, unemployment systems, and other government payment processing operations. The company has said its services reach over 100 million people. 

Data reportedly exposed in the breach includes: 

• Names 
• Dates of birth 
• Addresses 
• Social Security numbers 
• Health insurance and medical information 

TechCrunch noted that the majority of affected individuals appear to be in Oregon and Texas, based on state breach disclosures. Other states have also reported an impact. 

The attack has been described as one of the largest government-contractor-related data breaches in recent memory. 

Why this matters: When companies that process government benefits are hit, the exposed data often includes highly sensitive identity information. Social Security numbers combined with medical or insurance details can significantly increase the risk of identity theft and fraud. 

How to Protect Yourself After a Major Data Breach 

If you believe your data may have been exposed: 

• Monitor your credit reports for unfamiliar activity 
• Consider placing a free credit freeze 
• Be wary of phishing emails or texts referencing benefits or account verification 
• Never share personal information in response to unexpected outreach 

Breaches like this often lead to secondary scams months later. The breach itself is only phase one. Phishing campaigns usually follow. 

That Viral Olsen Twins “Louis Vuitton” Image? It’s AI. 

A supposed luxury campaign featuring Mary-Kate and Ashley Olsen began circulating widely on X and Facebook this week, racking up millions of views. 

The images show the twins styled in what appears to be a high-end fashion shoot, drawing numerous comments over their styling. But social media users quickly pointed out visual irregularities and inconsistencies commonly associated with AI-generated imagery. 

A screenshot of one of the AI images making thr rounds across social media.

While this doesn’t fall into our typical “scam” roundup, the normalization of AI-generated visuals that look close enough to real to confuse people are a growing issue that can lead to real confusion and distrust. 

We have entered a phase where: 

• Fake ads look legitimate 
• Public figures appear in campaigns they never participated in 
• Synthetic images spread faster than corrections 

Today it’s a fashion ad. Tomorrow it could be a fake political endorsement, financial announcement, or emergency alert. 

The takeaway: If you see a surprising campaign or announcement, verify it through official brand websites or verified accounts before assuming it’s real. 

OpenAI Details How ChatGPT Is Being Misused

In a newly released threat report, OpenAI outlined several ways its tools have been abused by bad actors. 

According to Reuters’ reporting: 

A cluster of accounts used ChatGPT to run a dating scam targeting Indonesian men, allegedly defrauding hundreds of victims per month. 

Some accounts used the tool to generate promotional copy and ads for a fake dating platform that pressured users into completing costly “tasks.”

Other accounts posed as law firms, impersonating real attorneys and U.S. law enforcement to target fraud victims.

OpenAI also banned accounts linked to activity believed to be part of influence operations, including efforts targeting Japanese political figures. 

OpenAI stated that the activity was detected and accounts were removed. 

Why this matters: AI tools themselves are not inherently scams. But they dramatically lower the cost and increase the scale of fraud operations. Writing persuasive emails, generating fake legal letters, building scam ads… these now require fewer technical skills than ever before. 

The technology doesn’t create the criminal intent. It just accelerates it. 

McAfee’s Safety Tips This Week 

1. Assume viral images could be AI-generated until verified 
2. Verify unexpected announcements through official websites 
3. Treat post-breach emails as suspicious by default 
4. Be skeptical of online “consultation” invites that promise payment 
5. Never send money to someone you’ve only met online 

We’ll Be Back Next Week 

From ransomware breaches to AI-generated impersonations, the pattern is clear: scammers are scaling trust manipulation with technology. 

Stay skeptical. Verify before you click. And we’ll be back next week with another breakdown of what’s making headlines, and what it actually means for your security. 

For more reading on AI deepfakes and breaches: 

Taylor Swift Tops List of Most Deepfaked Celebs

What to Do If You’re Caught Up in a Data Breach

Everything You Need to Know to Keep Your Passwords Secure

The post This Week in Scams: Conduent Data Breach and AI Olsen Twins appeared first on McAfee Blog.

X (formerly Twitter) hacks tend to hit fast. 

One minute you’re scrolling like normal. The next, your account is posting crypto promotions, sending spam DMs, or following hundreds of random accounts you’ve never heard of. Sometimes you don’t even notice until a friend asks why you’re suddenly “giving away” gift cards. 

If you use X for work, your personal brand, or your business, a takeover can do real damage quickly. And in many cases, the hacker isn’t just trying to cause chaos, they’re trying to use your account to scam your followers while you still look trustworthy. 

This guide walks you through exactly what to do if your X account has been hacked: how to spot the warning signs, how to regain access, and what to change immediately so it doesn’t happen again. 

If you’re still locked out after trying these steps, X also offers an official support form for hacked or compromised accounts. 

Signs Your X Account May Be Compromised 

X account takeovers don’t always start with a full lockout. Often, the first signs are strange activity you didn’t authorize. 

Watch for these red flags: 

Unexpected posts: Tweets you didn’t write, especially spam, crypto links, or promotions. 

Unusual DMs: Messages sent from your account that you don’t remember sending. 

Account behavior changes: Random follows, unfollows, blocks, or profile changes you didn’t approve. 

Security notifications: Alerts from X that your account may be compromised. 

Account info changed: Notifications that your email, phone number, or password was updated without your permission. 

Password suddenly stops working: You’re prompted to reset your password even though you didn’t request it. 

If any of these are happening, assume your account is compromised and start recovery steps immediately. 

What to Change Immediately If Your X Account Was Hacked 

If your X account was hacked, assume your login details may have been stolen. 

That means simply getting back into your account isn’t enough, you also need to update the passwords and settings attackers could still use. 

Here’s what to change right away: 

• Change your X password 
• Change the password for the email account connected to X 
• Turn on two-factor authentication (2FA) 
• Confirm your email address and phone number are correct 
• Revoke access for any suspicious third-party apps 
• Review X Pro / Teams access (if you use it) and remove unfamiliar users 
• Update any other accounts that share the same password 
• Delete unauthorized posts and DMs (once you regain control) 

If you suspect the hack started through malware or phishing, it’s also smart to update passwords for other sensitive accounts tied to your identity, like banking apps, payment apps, or your Apple/Google account. 

Using a password manager like McAfee’s can help you create strong, unique passwords for every account, and store them securely in one place. 

Step-by-Step: How to Recover a Hacked X Account 

X offers different recovery options depending on whether you can still log in. 

Step	What to Do	Why It Matters
1. Change your password immediately (if you can still log in)	Go into your X account settings and update your password to something strong and unique.	This is the fastest way to cut off unauthorized access.
2. Reset your password if you’re locked out	Use the “Forgot password” option on the login screen to start account recovery.	This can help you regain access even if the hacker changed your password.
3. Secure your email account	Change your email password and enable 2FA. Make sure only you can access it.	If your email is compromised, the hacker can keep resetting your X account.
4. Reverse suspicious email changes if possible	If you receive an email about an account email change, check for an option to undo it.	This may allow you to regain control before the hacker fully locks you out.
5. Revoke third-party app access	While logged in, review connected apps and remove anything you don’t recognize.	Some takeovers happen through malicious apps, not direct password guessing.
6. Revoke mobile app sessions if needed	If suspicious activity continues, revoke access for X mobile apps from your settings so they’re forced to re-authenticate.	X notes that password changes may not automatically log out mobile sessions.
7. Update your password anywhere it’s saved	If you use trusted apps or services that store your X password, update it there too.	Repeated failed login attempts can temporarily lock your account.
8. Turn on 2FA	Enable two-factor authentication as soon as you regain control.	This adds a strong layer of protection even if your password gets stolen again.
9. Contact X support if you still can’t regain access	Submit X’s hacked/compromised account request form. Include your username and the last date you had access.	If self-recovery fails, support may be able to help restore access.

If you’re still unable to log in after attempting recovery, visit X’s official hacked account support form for next steps. 

Watch for Phishing “X Support” Scams 

One of the most common ways X accounts get hacked is through phishing. 

Scammers impersonate: 

• X support 
• “verified account” teams 
• copyright warnings 
• fake sponsorship offers 
• fake security alerts claiming your account will be suspended 

They try to pressure you into clicking a link and logging in on a fake page designed to steal your password. 

If you receive a suspicious email or DM, don’t click. 

Instead, open X directly in the app or browser and check your account settings from there. 

Final Tips: Recovering From an X Hack 

A hacked X account can spread scams quickly, especially if the attacker uses your account to message followers directly. 

The most important steps are: 

• Act quickly 
• Change your password immediately 
• Secure the email account connected to X 
• Revoke suspicious third-party app access 
• Review X Pro / Teams access if applicable 
• Enable two-factor authentication (2FA) 
• Delete unauthorized posts once you regain control 
• Scan your device for malware 

McAfee offers a free antivirus scan that can help you detect malware or suspicious programs that may have compromised your account in the first place. 

And if you’re still locked out or something doesn’t look right, use X’s official support request form to report the account as hacked or compromised. 

Frequently Asked Questions 

Q: How do I know if my X account was hacked? A: Common signs include posts or DMs you didn’t send, unusual follows/unfollows, account changes you didn’t authorize, security alerts from X, or a password that suddenly stops working.

Q: If I change my password, will the hacker be logged out? A: Changing your password is critical, but some mobile sessions may remain active. X recommends revoking app access in your settings if suspicious activity continues.

Q: What should I do if my email address was changed? A: Check your inbox for an email from X about the change. In some cases, you may be able to reverse it using the security link. If you can’t, start account recovery immediately and submit a support request if needed.

Q: Should I remove third-party apps after a hack? A: Yes. X notes that malicious or untrusted third-party apps can compromise your account. Remove anything you don’t recognize or no longer use.

Q: What if I still can’t log in after resetting my password? A: Submit a hacked account support request through X’s official form. Be sure to include your username and the last date you had access.

Q: What’s the biggest mistake people make after their X account gets hacked? A: Only changing their password. If the attacker still has access through connected apps, a compromised email account, or saved sessions, they can regain control quickly.

 

The post X (Twitter) Account Hacked: What to Do Right Now appeared first on McAfee Blog.

Instagram hacks don’t always start with a dramatic “you’ve been locked out” moment. 

More often, it starts with something small: your followers asking why you just sent them a weird link. Your account suddenly following hundreds of random profiles. A post you didn’t write showing up in your feed. Or an email from Instagram saying your login details were changed. 

By the time you realize what’s happening, scammers may already be using your account to impersonate you, message your followers, or promote fake giveaways and crypto scams through your profile. 

This guide walks you through exactly what to do if your Instagram account has been hacked: how to spot the warning signs, how to regain access, and what to change immediately so it doesn’t happen again. 

And if you’re still having trouble at any stage, be sure to visit Instagram’s official recovery tools for additional support. 

Signs Your Instagram Account May Be Compromised 

Instagram account takeovers don’t always look obvious at first. In many cases, the first signs are subtle changes you didn’t make. 

Watch for these red flags: 

Password or email changes you didn’t request: You may receive an email saying your account information was updated. 

Suspicious login alerts: Notifications about a login attempt, new device, or verification code you didn’t request. 

Posts, Stories, or Reels you didn’t publish: Scammers often post crypto promotions, fake giveaways, or sketchy links. 

DMs you didn’t send: A common tactic is using your account to message your followers with phishing links. 

Your account starts following random accounts: Hackers may use compromised accounts to inflate scam pages or bot networks. 

Your profile info has been edited: Name, bio, profile photo, or website links changed without your permission. 

If any of these are happening, assume your account is compromised and start recovery steps immediately. 

What to Change Immediately If Your Instagram Account Was Hacked 

If your Instagram account was hacked, assume your login details may have been stolen. 

That means simply getting back into your account isn’t enough, you also need to update the passwords and settings attackers could still use. 

Here’s what to change right away: 

• Change your Instagram password 
• Change the password for the email account connected to Instagram 
• Turn on two-factor authentication (2FA) 
• Log out of all active sessions/devices 
• Remove suspicious third-party apps connected to your account 
• Confirm your phone number and email address are correct 
• Check Accounts Center and remove linked accounts you don’t recognize 
• Update any other accounts that share the same password 

If you suspect the hack started through malware or a phishing link, it’s also smart to update passwords for other sensitive accounts tied to your identity, like banking apps, payment apps, or your Apple/Google account. 

Using a password manager like McAfee’s can help you create strong, unique passwords for every account, and store them securely in one place. 

Step-by-Step: How to Recover a Hacked Instagram Account 

Instagram provides several recovery options depending on what information you still have access to (email, phone number, username, or trusted device). 

Step	What to Do	Why It Matters
1. Visit Instagram’s hacked account recovery page	Use Instagram’s official hacked account recovery flow in your browser or app.	This is often the fastest way to secure your account and start recovery.
2. Check your email for security messages from Instagram	Look for messages about password changes or email changes. If Instagram gives you a link to undo the change, use it immediately.	If a hacker changed your email address, this may be your quickest chance to reverse it.
3. Request a login link	Use “Forgot password?” to request a login link sent to your email or phone number.	This can restore access even if your password was changed.
4. Request a security code or additional support	If login links aren’t working, follow Instagram’s prompts to request further help. Use an email address only you can access.	If the attacker changed your contact info, you may need additional verification steps.
5. Complete identity verification if prompted	Instagram may ask you to verify your identity, including submitting a video selfie if your account contains photos of you.	This helps Instagram confirm you’re the real account owner.
6. Change your password immediately after regaining access	Reset your password to something strong and unique.	This cuts off access and helps prevent repeat takeovers.
7. Remove suspicious linked accounts and apps	Check Accounts Center and remove anything unfamiliar. Revoke access for any third-party apps you don’t trust.	Hackers may leave behind access routes to get back in later.
8. Turn on 2FA and login alerts	Enable two-factor authentication and set alerts for new logins.	This makes it much harder for attackers to regain access.

If you’re still unable to recover your account, visit Instagram’s official support and recovery tools for additional help. 

Watch for Phishing “Instagram Support” Scams 

One of the most common ways Instagram accounts get hacked is through phishing. 

Scammers impersonate: 

• Instagram support 
• verification teams 
• copyright violation notices 
• “your account will be deleted” warnings 
• fake giveaway collaborations 

Their goal is to pressure you into clicking a link and entering your password on a fake login page. 

If you receive a suspicious email or DM, don’t click. 

Instead, open Instagram directly in the app and check your security settings from there. 

If you think you entered your login info into a suspicious link, change your password immediately and secure your account right away. 

Final Tips: Recovering From an Instagram Hack 

A hacked Instagram account is stressful for a reason: it doesn’t just affect your profile. It affects your followers, your reputation, and your private messages. 

The most important steps are: 

• Act quickly 
• Check your email for Instagram security alerts 
• Use Instagram’s official hacked account recovery tools 
• Change your password immediately 
• Log out of all active sessions 
• Remove suspicious apps and linked accounts 
• Enable two-factor authentication (2FA) 
• Scan your device for malware 

McAfee offers a free antivirus scan that can help you detect malware or suspicious programs that may have compromised your account in the first place. 

And if you’re still locked out or something doesn’t look right, follow Instagram’s official recovery guidance and contact Instagram support directly. 

Frequently Asked Questions 

Q: How do I know if my Instagram account was hacked? A: Common signs include password or email changes you didn’t request, suspicious login alerts, DMs you didn’t send, posts you didn’t publish, or unexpected changes to your profile details.

Q: What if my Instagram email address was changed? A: Check your inbox for an email from Instagram about the change. In some cases, Instagram may provide a security link that lets you reverse it. If you can’t undo the change, start the hacked account recovery process as soon as possible.

Q: What if I can’t log in at all? A: Use Instagram’s official hacked account recovery tools. Depending on your situation, Instagram may offer login links, security codes, or identity verification options to help you regain access.

Q: Should I remove third-party apps after a hack? A: Yes. Some account takeovers happen because an unsafe app was given access. Remove anything you don’t recognize or no longer use.

Q: What’s the biggest mistake people make after getting hacked? A: Only changing their Instagram password. If the attacker still has access through your email account, linked accounts, or suspicious third-party apps, they can regain control quickly.

Q: Can Instagram ask me to verify my identity? A: Yes. In some cases, Instagram may ask you to confirm ownership through verification steps. This can include submitting additional information or completing a video selfie process.

 

The post My Instagram Has Been Hacked – What Do I Do Now? appeared first on McAfee Blog.