What Happens When a Nuclear Site Is Hit?
We’re proud to share that McAfee’s “Keep It Real” campaign has been named a finalist in the 2026 Shorty Awards Social Good Campaign category.
This category recognizes work that doesn’t just perform, it matters: campaigns that raise awareness, inspire action, and make a real-world impact.
That’s exactly what “Keep It Real” set out to do.
Because behind every scam statistic is a person who thought they were making the right call. And too often, what follows isn’t just financial loss. It’s embarrassment, silence, and stigma.
We wanted to change that.
The campaign launched alongside McAfee Scam Detector to address a growing reality: scams powered by AI are becoming harder to recognize and easier to fall for.
“Keep It Real” paired real survivor stories with AI-driven protection to show how scams actually happen and how people can stop them in the moment.
The goal was simple:
Because when people feel safe talking about scams, they’re more likely to spot them and stop them.
The Shorty Awards honor the best work in social media, digital campaigns, and online storytelling across brands, creators, and organizations.
Now in their 18th year, the awards recognize campaigns that combine creativity, impact, and real-world relevance. Finalists are selected alongside leading global brands and judged on both industry evaluation and public voting.
McAfee’s Scam Detector is designed to help people identify scams across everyday digital moments.
It uses AI to fight AI by flagging suspicious:
By combining automatic detection with clear guidance, Scam Detector helps people better understand what they’re seeing and decide what to trust.
A core part of “Keep It Real” was giving space to people who experienced scams to share what happened, in their own words.
These stories helped show that scams can happen to anyone and played a key role in breaking the stigma around being targeted.
This recognition reflects the work across McAfee teams who built and brought this campaign to life, including product, engineering, research, creative, and communications.
It also reflects the individuals who chose to share their real scam stories to help others recognize scams, stay safer, and end the shame and stigma around being scammed.
The Shorty Awards include a public voting component.
If you’d like to support the campaign, you can vote here:
https://shortyawards.com/18th/keep-it-real-mcafees-ai-scam-media-relations-campaign
Voting is open through April 8, and you can vote once per day.
![]()
The post McAfee’s “Keep It Real” Campaign Named Shorty Awards Finalist appeared first on McAfee Blog.
McAfee’s mobile research team has uncovered a large-scale Android malware campaign we’re tracking as Operation NoVoice.
The campaign was distributed through more than 50 apps previously available on Google Play, disguised as everyday tools like cleaners, games, and photo utilities. Together, the apps were downloaded more than 2.3 million times, though it’s unclear how many devices may have been impacted.
If the attack succeeds, the malware can gain deep control of a device, allowing attackers to inject malicious code into apps as they are opened and access sensitive data.
However, the most serious impact depends on the device.
On older or unpatched Android devices, the malware can install a highly persistent form of infection that may survive a standard factory reset. Newer Android devices with up-to-date security protections are not vulnerable to the root exploit observed in this campaign, though they may still be exposed to other types of malicious activity from these apps.
In other words, on vulnerable devices, the malware can behave like a kind of digital “zombie,” continuing to operate in the background even after a reset.
Want the full technical breakdown? Dive into the McAfee Labs research here.
We break down what you need to know below:
Operation NoVoice is what security experts call a rootkit malware attack.
A rootkit is a type of malware designed to gain deep, privileged control of a device while hiding its presence from the user and the operating system’s normal security tools.
Breaking the term down:
Put simply, a rootkit allows attackers to operate underneath the normal apps and security protections on a phone, giving them powerful control while staying difficult to detect.
In the case of Operation NoVoice, the attack unfolds in several steps.
The campaign began with apps that appeared harmless on the Google Play Store. These apps advertised themselves as tools like phone cleaners, puzzle games, or gallery utilities.
When a user downloaded and opened one of these apps, it appeared to work normally. There are no obvious signs to the user that anything is wrong.
Behind the scenes, the app contacts a remote server controlled by the attackers.
The server collects information about the device, things like its hardware, operating system version, and security patch level. Based on that information, the attackers send back custom exploit code designed for that specific device.
If the exploit succeeds, the malware gains root-level access to the device.
At that point, the attackers can install additional malicious components and modify parts of the Android operating system itself.
Once the rootkit is installed, it modifies a core Android system library that every app relies on.
This allows attacker-controlled code to run inside any app the user opens.
That means the attackers could potentially access data from messaging apps, financial apps, or social media apps without the user noticing.
Operation NoVoice also includes persistence mechanisms designed to keep the malware active.
In some cases, the infection could survive a standard factory reset, because the malicious components modify parts of the system software that resets typically do not replace.
Fully removing the infection may require reinstalling the device’s firmware, something most users cannot easily do themselves.
*To be clear, these apps have been removed from Google Play and are no longer available for download.
The name Operation NoVoice comes from a hidden component inside the malware itself.
Researchers discovered a resource labeled “novioce” embedded in one of the attack’s later stages. The file contains a silent audio track that plays at zero volume.
This may seem strange, but it serves a purpose.
By continuously playing silent audio in the background, the malware can keep a foreground service running without drawing attention. This allows the malicious code to remain active while appearing harmless to the operating system.
The researchers believe the name “novioce” is likely a misspelling of “no voice,” referring to the silent audio trick used to keep the malware running.
Operation NoVoice highlights an important reality: even apps that appear legitimate can sometimes hide malicious behavior.
Fortunately, there are several steps users can take to reduce their risk.
Be cautious with unfamiliar apps
Even if an app appears on the Google Play Store, it’s still important to review:
Apps with very few reviews, vague descriptions, or suspicious developer accounts can sometimes be part of malware campaigns. And exercise even greater caution with apps promoted through advertisements or that create a a sense of urgency.
Many attacks rely on exploiting known vulnerabilities in older versions of Android.
Installing system updates and security patches helps reduce the chance that these exploits will work.
If you notice apps on your device that you don’t remember installing, review them carefully and remove anything suspicious.
Keeping your phone’s app list clean reduces the potential attack surface.
Mobile security software can help detect suspicious behavior and block known malware.
For example, McAfee Mobile Security detects this threat as Android/NoVoice and can warn users if a malicious app is identified.
McAfee offers more than traditional antivirus, combining multiple layers of digital protection in one app
Operation NoVoice highlights how mobile malware is evolving. Instead of obvious malicious apps, attackers are increasingly hiding their operations inside ordinary-looking tools distributed through legitimate app stores.
What makes this campaign particularly concerning isn’t just the number of downloads or the technical complexity. It’s the way the malware combines several advanced techniques, device-specific exploits, modular plugins, and deep system persistence, into a single attack chain.
That approach allows attackers to quietly turn an everyday app download into long-term control of a device.
That’s why keeping devices updated, reviewing apps carefully, and using mobile security protection are becoming increasingly important. As Operation NoVoice shows, today’s malware isn’t just trying to get onto devices; it’s trying to stay there.
The post Operation NoVoice: Android Malware Found in 50+ Apps Can Hijack Devices appeared first on McAfee Blog.
Authored By: Ahmad Zubair Zahid
McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The malware described in this blog relies on vulnerabilities Android made patches available for in 2016 – 2021. All Android devices with a security patch level of 2021-05-01 or higher are not susceptible to the exploits that we were able to obtain from the command-and-control server. However patched devices that downloaded these apps could have been exposed to unknown potential payloads outside of what we discovered. The attack begins with apps that were previously available on Google Play that appear to be simple tools such as cleaners, games, or gallery utilities. When a user downloaded and opened one of these apps, it appeared to behave as advertised, giving no obvious signs of malicious activity.
In the background, however, the app contacts a remote server, profiles the device, and downloads root exploits tailored to that device’s specific hardware and software. If the exploits succeed, the malware gains full control of the device. From that moment onward, every app that the user opens are injected with attacker‑controlled code.
This allows the operators to access any app data and exfiltrate it to their servers. One of the targeted apps is WhatsApp. We recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker’s infrastructure.
On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September 2021, this rootkit is highly persistent; a standard factory reset will not remove it, and only reflashing the device with a clean firmware will fully restore the device.
In total, we identified more than 50 of these malicious apps on Google Play, with at least 2.3 million downloads.
McAfee identified the malicious apps, conducted the technical analysis, and reported its findings to Google through responsible disclosure channels. Following McAfee’s report, Google removed the identified apps from Google Play and banned the associated developer accounts. McAfee is a member of the App Defense Alliance, which supports collaboration across the mobile ecosystem to improve user protection. McAfee Mobile Security detects this malware as a High-Risk Threat. For more information, and to get fully protected, visit McAfee Mobile Security.
Android malware has been moving toward modular frameworks that update themselves remotely and adapt to each device. Campaigns like Triada and Keenadu have shown that replacing system libraries gives attackers persistence to survive factory resets. BADBOX has shown that backdoors pre-installed through the supply chain can reach millions of devices. Recent research has confirmed links between several of these families, suggesting shared tooling rather than isolated efforts.
NoVoice fits both trends but does not rely on supply chain access. It reaches devices through Google Play and achieves the same level of persistence through exploitation. McAfee’s investigation revealed the following key findings:
The name comes from R.raw.novioce, a silent audio resource embedded in one of the later-stage payloads. It plays at zero volume to keep a foreground service alive, abusing Android’s media playback exemption. We believe it is a deliberate misspelling of “no voice.”
All carrier apps were distributed through Google Play and request no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under tampered com.facebook.utils, blending in with the real Facebook SDK classes the apps already include.

The initial payload is embedded in the app’s asset directory as a polyglot image. This means the file displays and renders a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the PNG IEND marker. Since that marker signals to image viewers that the image data ends there, the appended payload remains hidden during normal viewing.
The geographical prevalence map shows the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya, regions where budget devices and older Android versions that no longer receive security updates are common.

The following breakdown walks through each stage of the chain in order, from the moment a user opens the app to the moment stolen data leaves the device. No single file contains the full chain. Each stage decrypts and loads the next, most are delivered from the server at runtime.

The moment the app opens, code injected into the legitimate Facebook SDK initialization path runs automatically. No user interaction is needed. It first checks whether the device has already been processed and, in most samples, whether it is running Android 12L or below. A subset of the carrier apps skips the version check entirely. If either check fails, it stops and logs a message disguised as a Facebook SDK error: “FacebookSdk: Failed in initStore.”
If the device was already processed, the code cleans up files assumed to be left behind by previous runs, including paths that do not belong to any standard Android component. None of these are visible to the user.
If the checks pass, the app reads a polyglot image from its own assets’ directory, extracts the encrypted payload (enc.apk) hidden after the image data, decrypts it to produce h.apk, and loads it into memory. It then deletes all intermediate files, temporary directories.


The decrypted payload (h.apk) loads a native library (libkwc.so) that controls the rest of this stage. It first verifies it is running inside the intended carrier app by checking the package name and signing certificate against hardcoded values. It also checks whether the app is running in a debug environment.
libkwc.so contains two encrypted embedded payloads. The first (sec.jar) is a gate designed to detect analysis environments. It runs 15 checks, including emulator detection, root indicators, debuggers, VPN and proxy connections, Xposed hooks, and GPS geofencing. If any check fails, the chain stops silently. The geofence compares the device’s location against bounding boxes for Beijing and Shenzhen hardcoded in the native library and excludes devices confirmed to be inside them. If the app does not have location permission, it cannot determine the device’s position and defaults to letting the chain continue. Two brands get special treatment: on Gionee devices, all checks except the geofence are skipped; on Meizu devices, the chain follows a separate code path entirely. Gionee devices have a documented history of shipping with pre-installed malware through supply chain compromise.
Only if all checks in sec.jar pass does libkwc.so decrypt and load the second payload (hex.jar), which begins contacting the C2 server. If the gate fails, it deletes the working directory and stops.

Once the gate passes, hex.jar sets up a plugin framework built on an internal codebase the authors refer to as “kuwo” in their package names. It checks in with a C2 server every 60 seconds. Updates are delivered the same way as the initial payload: as image files with encrypted data hidden after the image content. The server returns download URLs in a response field named warningIcon, disguising plugin downloads as icon fetches. A log-deletion routine runs alongside the framework to remove forensic traces from the device.
The first plugin delivered (rt) acts as an orchestrator. It manages sub-plugins and handles C2 communication. It checks in with the server, sending over 30 device identifiers including hardware model, kernel version, installed packages, and whether the device has already been rooted. The campaign’s name comes from this plugin: it embeds a silent audio resource named R.raw. novioce.
The checkin tells the server two things: who this device is and whether it has already been rooted. If it has not, rt_plugin downloads security.jar, moving the chain into root exploitation.

security.jar first checks whether the device is already rooted. If it has been, it stops. For unrooted devices, it sends the device’s chipset, kernel version, security patch date, and other identifiers to the C2. The server responds with a list of exploit binaries matched to that specific device.
Before running any exploit, the rootkit installer (CsKaitno.d) is decrypted from an embedded resource and written to disk. The rootkit is already in place before any exploit runs.
The exploits are downloaded one at a time from the C2’s CDN, each encrypted and verified before execution. We recovered 22 exploits in total. Our deep analysis of one revealed a three-stage kernel attack: an IPv6 use-after-free for kernel read, a Mali GPU driver vulnerability for kernel read/write, and finally credential patching and SELinux disablement.
The expected end result is the same across all exploits: a root shell with SELinux disabled. From that shell, the exploit loads CsKaitno.d. This is where exploitation ends and persistence begins.

CsKaitno.d carries four encrypted payloads: library hooks for ARM32 and ARM64 (asbymol and bdlomsd), a bytecode patcher (jkpatch), and a persistence daemon (watch_dog). It first removes files associated with possible competing rootkits, then decrypts and writes its own payloads to disk.
The installer backs up the original libandroid_runtime.so and replaces it with a hook binary matched to the device’s architecture. It also replaces libmedia_jni.so. The replacements are not copies of the original libraries. They are wrappers that intercept the system’s own functions. When any hooked function runs, it redirects to attacker code.

After replacing the libraries, jkpatch modifies pre-compiled framework bytecode on disk. This is a second layer of persistence: even if someone restores the original library, the framework’s own compiled code still contains the injected redirections
To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any component is removed, the rootkit can reinstall itself.
It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the rootkit intact.
After cleaning up all staging files, the installer marks the device as compromised. On the next boot, the system’s process launcher (zygote) loads the replaced library, and every app it starts inherits the attacker’s code.

On the next boot, every app on the device loads the replaced system library. The injected code decides what to do based on which app it is running inside. Two payloads activate depending on the app. The malware authors named them BufferA and BufferB in their own code. Both are embedded as fragments inside the replaced libandroid_runtime.so from Stage 5, assembled in memory at runtime, and deleted from disk immediately after loading, leaving no files behind. BufferA runs inside the system’s package installer and can silently install or uninstall apps. BufferB runs inside any app with internet access.
BufferB is the campaign’s primary post-exploitation tool. It operates two independent C2 channels with separate encryption keys and beacon intervals. Both channels send device fingerprints to the C2 and receive task instructions in return.
If all primary domains fail and three or more days pass without contact, a fallback routine activates between 1 and 4 AM, reaching out to api[.]googlserves[.]com for a fresh domain list. Because BufferB runs inside any app with internet access, it can be active in dozens of apps simultaneously on a single device.

The only task payload we recovered is PtfLibc, delivered to BufferB from Alibaba Cloud OSS. Its target is WhatsApp.
PtfLibc copies WhatsApp’s encryption database, extracts the device’s Signal protocol identity keys and registration ID, and pulls the most recent signed prekey. It also reads 12 keys from WhatsApp’s local storage, including the phone number, push name, country code, and Google Drive backup account. For the client keypair, it tries multiple decryption methods depending on how the device stores the key.
It sends the stolen data to api[.]googlserves[.]com through multiple layers of encryption and deletes the temporary database copy when done.
With these keys and session data, an attacker can clone the victim’s WhatsApp session onto another device.

The campaign spreads its C2 communication across multiple domains, each serving a different function.
fcm[.]androidlogs[.]com handles initial device enrollment. Once the plugin framework activates, stat[.]upload-logs[.]com takes over as the primary C2 for plugin delivery, device checkin, exploit distribution, and result reporting. config[.]updatesdk[.]com serves as its fallback. Exploit binaries are hosted separately on download[.]androidlogs[.]com, with an S3-accelerated endpoint (logserves[.]s3-accelerate[.]amazonaws[.]com) as the primary CDN. This endpoint returned 403 errors during our analysis.
Task payloads for BufferB are hosted on Alibaba Cloud OSS (prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com). PtfLibc beacons to api[.]googlserves[.]com, a domain designed to look like Google service traffic at a glance.
The domain separation is deliberate. Taking down one domain does not affect the others. The C2 can update BufferB’s domain lists at runtime, and a fallback routine fetches fresh domains from hardcoded backup endpoints if all configured domains go silent for three or more days.
Because the rootkit writes to the system partition, a factory reset does not remove it. A reset wipes user data but leaves system files intact. Compromised devices require a full firmware reflash to return to a clean state. Blocking the C2 domains and beacon patterns listed in this report at the network level can disrupt the chain at multiple stages.
Several indicators link NoVoice to the Android.Triada family. The property (os.config.ppgl.status) NoVoice sets to mark a device as compromised is a known indicator of compromise for Android.Triada.231, a variant that uses the same property to track installation state. Both NoVoice and Triada.231 persist by replacing libandroid_runtime.so and hooking system functions so that every app runs attacker code at launch. Whether NoVoice is a direct evolution of Triada.231, a fork of its codebase, or a separate group reusing proven techniques, the shared approach suggests access to a common toolchain.
What makes NoVoice dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store install to code execution inside every app on the device, survives factory reset, and monitors its own installation. The operators built a delivery system, an infrastructure.
We recovered one task. The framework is designed to accept any number of them, for any app, at any time. The C2 infrastructure remains active. We do not know what other objectives have been deployed before, during, or after our analysis. The WhatsApp session theft we observed may be the least of it.
The rootkit’s persistence model, overwriting a system library inherited by every process, patching pre-compiled framework bytecode, and monitoring its own installation with a watchdog, makes remediation difficult.
This research underscores McAfee’s ongoing role in identifying advanced mobile threats and working with platform partners to protect users before large‑scale harm occurs.
https://www.kaspersky.com/blog/triada-trojan/11481/
api.googlserves[.]com
api.uplogconfig[.]com
avatar.ttaeae[.]com
awslog.oss-accelerate.aliyuncs[.]com
check.updateconfig[.]com
config.googleslb[.]com
config.updatesdk[.]com
dnskn.googlesapi[.]com
download.androidlogs[.]com
fcm.androidlogs[.]com
log.logupload[.]com
logserves.s3-accelerate.amazonaws[.]com
prod-log-oss-01.oss-ap-southeast-1.aliyuncs[.]com
sao.ttbebe[.]com
stat.upload-logs[.]com
upload.crash-report[.]com
nzxsxn.98kk89[.]com
98kk89[.]com
Carrier App Samples
03e62ac5080496c67676c0ef5f0bc50fc42fc31cf953538eda7d6ec6951979d8,com.filnishww.fluttbuber.storagecleaner,
066a096a3716e02a6a40f0d7e6c1063baecbebc9cbcc91e7f55b2f82c0dad413,com.wififinder.wificonnect,
0751decd391fa76d02329b0726c308206e58fc867f50283aa688d9fe0c70e835,com.wuniversal.lassistant,
07a9d41c1c775def78a017cf1f6e65266382e76de0f05400b3296e2230979664,com.dynamicpuzzle.cvbfhf,
0f28c49b24070a36dec09dd9d4b768e1ef6583b4891eca2e935a304ce704fcce,com.wgoddessg.sgallery,
106edd06b6961c3d38edfefd2869ee05285f11b68befe145b124794d0e79e766,com.crazycodes.blendphoto,
183e9174e51786be77d1341bcf7f05514f581823532028119c5844a8a5111848,com.colorbrickelim.inationl,
1e0376330ff9e97f798870da8433c81e39f3591c82497ca1f6b5f00878d0221a,com.crazycodes.photomotion,
1e7fe0ae7546162f23ff4f6e570f51b38562bf4f0ffd9305533b43d19574be38,com.swiftc.tcleans,
1e8b048c8d32662f340787893d9ca824b039c14fb91bcc16e185a8bb872e0b80,com.mybatice.googcomlayou.phonecleaner,
224e2395d3df96cf19e0b7be9731452da5b568026d81bd0981e48893f6a66859,com.glamorousg.sgoddesslys,
2c2c965f3d091693bc6906fc2ed8d03ffccb84e0665841f2d073c2f0a09261bc,com.myapps.gooble.mobile1.maxclean,
30504104f232a990f8226ff746b1718aafb727ce111d5a538962cc5e06c4259a,com.mybatice.smartersleep.junkfiles,
3937b0bec287662fd82fca4693c8b3619b8c61eca7fe6efa7540c1ae291f8759,com.crazycodes.beautycam,
4830a985f064974e6b5d19ae95d645d01fb57edd975a4fce5a1453c2ada70d4e,com.khanbro.gamestation,
4f7825647bab001298f768302d0eeb6e0d639d401dc8b5bf60a4b9841a93c980,com.wBoothCash_18748294,
4fbf1906fe02745cbf0350563440e9a05d19cd4a27c4fb6b67436392a18a0cd4,com.steppay.yrewards,
54224288aa9fa3d4281fb91ad7b202fbc3e5708b173e319b6b450ad15bcdab43,com.scleanm.nmastery,
594521e642fee75d474d8d0be839ebe9341f30196b19555882499145bf00746b,com.qwalkingr.grewards,
721d92d30fbb90fe643507055baa4cce937c8659f1520be1bbce7f9669af6f84,com.modes2048.gamepro,
7d90ee0be5eb63fbaa6839efdd6217b482576b1bab553731cac0b55f2fa1e6fa,com.jkesogeop.classicsudo,
7f00991e63154a79ea220b713fcfb2ef8b8db923a75366a61e9bc30d9c355274,com.glamorousg.sgoddesslys,
8cd77df7cf2242105b12297071ad1d11e91264f9de311d1b082666da19134476,com.wtoolboxp.xpro,
974a5d005d3cfe4c63bd7a46ca72c6716c6c6de397d2e3e19b1730def31f7825,com.systmapp.mobile1.cleanmanager,
98819230a6c3f5092517ada9652e9156e338acc27d29e4647b3cb69cddb668cb,com.crazycodes.airvpn,
98db4904c3299b8ac383dd177c3cde87af25c088df1988f484427aab3b5c4e0d,com.wlifetoolp.lpro,
9b9f55c4a68385e4a739c7d11159c9b4ab006660142331e8bdc477b5eba62aad,com.ulifea.eassistants,
a02694b5de7a8a6ef3024d53e54a54a676f992bfa1e070f07827ab9b5dd1365c,com.priceper.km,
a1e77c148f190b6bfdd40ce657722e902a31cedecab669dd6f78f38b6b18ddf7,crazycodes.notes.app,
a430123efe9611f322fbc3c459fc5ec13abbb0def88ba3ec56a05a361a51a9ac,com.gbversion.gbplus.gblatestversion,
ab6365bf7e6c7fba6867b44a80e8bf653c7b66ff91204ee3e2981b6532fea7ee,com.snowfindthesame.samethesnowswe,
b4438ac1694e3a08a994750a7ac76399c48d5d3446e90ebebbea1f8694bf3dd5,com.guidely.earningapp,
b8087e3535d395210b80637be35da6ae8e10450b6fb87de62a284d5d7397cd17,com.shcoob.groobe.timebuke,
bf47dc1577c8b862c4e849a7ce52e143239f2f7274421befa902baf4bd1c4a19,com.wlifet.etoolbox,
c332166f720e4d2f6f9b59993559df05281e7d2fbd56f90a7f2399a0ac620295,com.ebitans.tenstarbd,
c509a98d0823add0c1440a7b043586eb5a8069fbb776ca36252f5b7653c92cb7,com.whabitn.tnotes,
c517b26dfc8ffd5de7f49966ff3391475f80299ebc6ad9988bf166029cf76c91,com.filnishww.fluttbuber.storagecleaner,
cf945c433aa80120be10566b9f1ae88e043f96872996f599b75bb57c74248e56,com.mfunt.ttetris,
d72d96c6f299fe961dd98655e0468e45ed3ac03df0cfa499e27d4c399e304500,com.wififinder.wificonnect,
db1168f2cb3b25ef65e06eb4e788ddda237a428fbce0725de1e9d70b36e96833,com.whomea.eassistan,
ddc4da4c63c8bc7df53c3c7fe350b56ad31f313c7d95b472dc45a9fcf85273f0,com.mi2048nig.game,
df00753933359d7369668eddeb0dc2565f075c78e4b46f3cabd2e8ff31eda42e,com.sportscash.xyz,
e32c8a869585c107ccd1586b5edebc1d8eaa18017c2dd39b6267eec4db7f7410,com.biopops.mathly,
e5b8d25ef612f0240ce28fbffd550fd4e0b9abdbf325e3ff85718e8312b70c2b,com.wdailyn.anova,
e5f3aa5ef6b5b5fa94a921b55f52aa2c1011486b7370f1585deb6d571325ebcb,com.khan.pregnancyexercise,
ec79443aa53864e4d322b8fa8fd4aad0ef878221f01e7d32512694ba24992aee,com.merge2048joy.joy,
f654c5f926ebfcded4c0d07590972536280454e2501dc8a525390402fa945ff1,com.kgoddessv.svibe,
f7c664ea66c43a82801ed7da23369af1e285857c1a4bf200147b716715f09d3f,com.chall2048enge.game,
fc3b06c36feb38ed62f3034e428e814d6e1ac06ec1569ea22428374b8d15d848,com.jekunotesimple.notesimple,
fd62c2bfa2277eff8787926f9976aa4a11235a18a9a543ced71a509c6ebf2bf2,com.game.ludoplay,
The post Operation NoVoice: Rootkit Tells No Tales appeared first on McAfee Blog.
A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too.
First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE.
It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure.
Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral.

The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly.
From there, one of two things usually happens:
Either way, the goal is the same: get you to act fast before you have time to question it.

The red flags in this message
There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues.
First, don’t panic. Then:
And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).
Let’s get into what else is on our radar.
Anime streaming platform Crunchyroll is investigating claims of a data breach involving customer support ticket data, potentially impacting millions of users.
According to TechCrunch, access appears to involve a third-party vendor system, a reminder that even strong security setups still rely on people and partners, which can introduce risk in everyday moments.
Even if you’ve never entered your credit card into a support form, these tickets can still include:
That’s more than enough for scammers to build highly believable follow-ups.
When breaches like this surface, scammers don’t wait. They use the moment to send emails and messages that feel timely, relevant, and legitimate.
For example, scammers might send messages pretending to be Crunchyroll and suggesting you “click this link to secure your account” after the breach. In reality, that “security check” exposes your information.
This is where tools like Scam Detector come back into play, flagging suspicious links and messages even when they reference real companies or real events.
McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment:
Plus our instant QR code scam checks will flag suspicious QR codes before you scan them.
![]()
The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help.
We’ll be back next week with more scams making headlines.
The post Got a “Court Notice” Text? Ignore It. Plus, the Crunchyroll Breach: This Week in Scams appeared first on McAfee Blog.
A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language.
Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP. In December 2025, the group began compromising corporate cloud environments using a self-propagating worm that went after exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.
A snippet of the malicious CanisterWorm that seeks out and destroys data on systems that match Iran’s timezone or have Farsi as the default language. Image: Aikido.dev.
In a profile of TeamPCP published in January, the security firm Flare said the group weaponizes exposed control planes rather than exploiting endpoints, predominantly targeting cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.
“TeamPCP’s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,” Flare’s Assaf Morag wrote. “The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.”
On March 19, TeamPCP executed a supply chain attack against the vulnerability scanner Trivy from Aqua Security, injecting credential-stealing malware into official releases on GitHub actions. Aqua Security said it has since removed the harmful files, but the security firm Wiz notes the attackers were able to publish malicious versions that snarfed SSH keys, cloud credentials, Kubernetes tokens and cryptocurrency wallets from users.
Over the weekend, the same technical infrastructure TeamPCP used in the Trivy attack was leveraged to deploy a new malicious payload which executes a wiper attack if the user’s timezone and locale are determined to correspond to Iran, said Charlie Eriksen, a security researcher at Aikido. In a blog post published on Sunday, Eriksen said if the wiper component detects that the victim is in Iran and has access to a Kubernetes cluster, it will destroy data on every node in that cluster.
“If it doesn’t it will just wipe the local machine,” Eriksen told KrebsOnSecurity.
Image: Aikido.dev.
Aikido refers to TeamPCP’s infrastructure as “CanisterWorm” because the group orchestrates their campaigns using an Internet Computer Protocol (ICP) canister — a system of tamperproof, blockchain-based “smart contracts” that combine both code and data. ICP canisters can serve Web content directly to visitors, and their distributed architecture makes them resistant to takedown attempts. These canisters will remain reachable so long as their operators continue to pay virtual currency fees to keep them online.
Eriksen said the people behind TeamPCP are bragging about their exploits in a group on Telegram and claim to have used the worm to steal vast amounts of sensitive data from major companies, including a large multinational pharmaceutical firm.
“When they compromised Aqua a second time, they took a lot of GitHub accounts and started spamming these with junk messages,” Eriksen said. “It was almost like they were just showing off how much access they had. Clearly, they have an entire stash of these credentials, and what we’ve seen so far is probably a small sample of what they have.”
Security experts say the spammed GitHub messages could be a way for TeamPCP to ensure that any code packages tainted with their malware will remain prominent in GitHub searches. In a newsletter published today titled GitHub is Starting to Have a Real Malware Problem, Risky Business reporter Catalin Cimpanu writes that attackers often are seen pushing meaningless commits to their repos or using online services that sell GitHub stars and “likes” to keep malicious packages at the top of the GitHub search page.
This weekend’s outbreak is the second major supply chain attack involving Trivy in as many months. At the end of February, Trivy was hit as part of an automated threat called HackerBot-Claw, which mass exploited misconfigured workflows in GitHub Actions to steal authentication tokens.
Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend’s mischief. But he said there is no reliable way to tell whether TeamPCP’s wiper actually succeeded in trashing any data from victim systems, and that the malicious payload was only active for a short time over the weekend.
“They’ve been taking [the malicious code] up and down, rapidly changing it adding new features,” Eriksen said, noting that when the malicious canister wasn’t serving up malware downloads it was pointing visitors to a Rick Roll video on YouTube.
“It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen said. “I feel like these people are really playing this Chaotic Evil role here.”
Cimpanu observed that supply chain attacks have increased in frequency of late as threat actors begin to grasp just how efficient they can be, and his post documents an alarming number of these incidents since 2024.
“While security firms appear to be doing a good job spotting this, we’re also gonna need GitHub’s security team to step up,” Cimpanu wrote. “Unfortunately, on a platform designed to copy (fork) a project and create new versions of it (clones), spotting malicious additions to clones of legitimate repos might be quite the engineering problem to fix.”
Update, 2:40 p.m. ET: Wiz is reporting that TeamPCP also pushed credential stealing malware to the KICS vulnerability scanner from Checkmarx, and that the scanner’s GitHub Action was compromised between 12:58 and 16:50 UTC today (March 23rd).
Today marks the start of Spring in the Northern Hemisphere, and with warmer weather setting in summer trips are vacation planning are starting to take shape.
But before you respond to that message about your hotel booking or payment confirmation, it’s worth asking: is it actually legit?
This week in scams, we’re breaking down a travel phishing scheme making the rounds through realistic booking messages, as well as new McAfee research on betting scams and AI-driven malware.
We’ll walk through what happened, what to watch for, and how McAfee’s tools can help you stay safe.
A new phishing campaign targeting travelers is exploiting hotel booking platforms like Booking.com, and it’s convincing enough to fool even cautious users.
According to reporting from ITBrew and Cybernews, attackers are running a multi-stage scam:
| Scam Stage | How It Works | What You’ll Notice | How to Protect Yourself | Where McAfee Helps |
| Stage 1: Hotel account gets compromised | Attackers phish or hack hotel staff to access booking platforms and guest reservation data. | You won’t see this part — it happens behind the scenes. | Use strong, unique passwords and enable multi-factor authentication on your own accounts to reduce risk of similar breaches. | Identity Monitoring can alert you if your personal information appears in suspicious places or data leaks. |
| Stage 2: You receive a realistic message | Scammers use stolen booking data to send messages via WhatsApp, email, or even booking platforms. | The message includes your real name, hotel, and travel dates, making it feel legitimate. | Be cautious of unexpected outreach, even if the details are correct. Don’t assume accuracy means authenticity. | Scam detection tools can help flag suspicious messages and identify potential phishing attempts. |
| Stage 3: Urgency is introduced | The message claims there’s an issue with your reservation and pushes you to act quickly. | Phrases like “confirm within 12 hours” or “risk cancellation” create pressure. | Pause before acting. Legitimate companies rarely require urgent payment changes without prior notice. | Scam detection can help identify high-risk messages designed to pressure you into quick decisions. |
| Stage 4: You’re sent to a fake payment page | A link leads to a convincing lookalike site designed to steal your payment details. | The page looks real but may have subtle URL differences or unusual formatting. | Always navigate directly to the official website or app instead of clicking links in messages. | Safe Browsing tools can help block risky or known malicious websites before you enter sensitive information. |
March Madness brings brackets, bets, and a flood of bad actors.
New McAfee research found that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and nearly a quarter (24%) say they’ve lost money to one. On average, victims reported losing $547.
That’s not surprising when you look at the environment around the tournament. More than half of Americans are watching, more than half are participating in some form of betting, and 82% say they’ve seen betting promotions in the past year.
Some of the most common setups this season include:
The takeaway:
If a betting offer promises guaranteed results, demands the use of bizarre apps and sites, asks for money upfront, or pushes you to act quickly, it’s not an edge. It’s a scam.
Not all scams start with a message. Some start with a search.
McAfee Labs uncovered a large-scale malware campaign hiding inside hundreds of fake downloads, including game mods, AI tools, drivers, and trading utilities.
In January alone, researchers identified:
These weren’t hosted on obscure corners of the internet either. The files were distributed through platforms people recognize, including Discord, SourceForge, and file-sharing sites.
Here’s how the attack typically works:
Then, behind the scenes, malware loads quietly and begins pulling in additional code. In some cases, victims are shown fake error messages while the real infection happens in the background.
From there, attackers can:
What makes this campaign stand out is that some of the code appears to have been generated with help from AI tools.
That doesn’t mean AI is running the attack on its own. But it does suggest attackers are using AI to:
In other words, the barrier to building malware is getting lower.
The takeaway:
If a download is unofficial, hard to find, or feels like a shortcut, it’s worth slowing down. The file may look right, but that doesn’t mean it’s safe.
Whether it’s a message about your booking, a betting offer that looks legitimate, or a download that appears to be exactly what you were searching for, these scams all rely on the same thing: they blend into everyday moments.
That’s where having backup like McAfee+ Advanced comes in. It includes:
Stay skeptical, verify before you click, and we’ll see you next week with more.
The post This Week in Scams: Why That “Booking Confirmation” Message Might Be Fake appeared first on McAfee Blog.
The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.
Image: Shutterstock, @Elzicon.
The Justice Department said the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure involved in DDoS attacks against Internet addresses owned by the DoD.
The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported tens of thousands of dollars in losses and remediation expenses.
The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks. Kimwolf issued more than 25,000 attack commands, the government said, while Mossad was blamed for roughy 1,000 digital sieges.
The DOJ said the law enforcement action was designed to prevent further infection to victim devices and to limit or eliminate the ability of the botnets to launch future attacks. The case is being investigated by the DCIS with help from the FBI’s field office in Anchorage, Alaska, and the DOJ’s statement credits nearly two dozen technology companies with assisting in the operation.
“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.
Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, an Aisuru variant which introduced a novel spreading mechanism that allowed the botnet to infect devices hidden behind the protection of the user’s internal network.
On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf’s spread somewhat, but since then several other IoT botnets have emerged that effectively copy Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. According to the DOJ, the JackSkid botnet also sought out systems on internal networks just like Kimwolf.
The DOJ said its disruption of the four botnets coincided with “law enforcement actions” conducted in Canada and Germany targeting individuals who allegedly operated those botnets, although no further details were available on the suspected operators.
In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Multiple sources familiar with the investigation told KrebsOnSecurity the other prime suspect is a 15-year-old living in Germany.
McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities.
In January 2026, researchers observed 443 malicious ZIP files impersonating software people might actively search for online. Across those files, McAfee identified 48 malicious WinUpdateHelper.dll variants used to infect devices. The campaign was spread through a mix of file-hosting and content delivery services, including Discord, SourceForge, FOSSHub, and mydofiles[.]com.
What makes this campaign especially notable is that some parts of it appear to have been built with help from large language models (LLMs). McAfee researchers found signs that certain scripts likely used AI-generated code, which may have helped the attackers create and scale the campaign faster.
That does not mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks.
Want the full research? Dive in here.
We break down the top takeaways below.
| Finding | What it means |
| 443 malicious ZIP files | Attackers created many different fake downloads to reach more victims |
| 48 malicious DLL variants | The campaign used multiple versions of the malware, not just one file |
| 1,700+ file names observed | The same threat was repackaged under many different names to look convincing |
| 17 distinct kill chains | Researchers found multiple attack flows, but they followed a similar overall pattern |
| Hosted on familiar platforms | The malware was distributed through services users may recognize, including Discord and SourceForge |
| AI-assisted code suspected | Some scripts contained explanatory comments and patterns that strongly suggest LLM assistance |
| Cryptomining and additional malware observed | Infected devices could be used to mine cryptocurrency or receive more malicious payloads |
In this case, “AI-written malware” does not mean an AI system independently invented and launched the attack.
Instead, McAfee Labs found evidence that the attackers very likely used AI tools to help generate some of the code used in the campaign, especially in certain PowerShell scripts.
Put simply:
| Term | Plain-English meaning |
| Large language model (LLM) | An AI system that can generate text and code based on prompts |
| AI-assisted malware | Malware where attackers appear to have used AI tools to help write or structure parts of the code |
| Vibe coding | A style of coding where someone describes what they want and an AI does much of the writing |
This matters because it can make malware development faster, easier, and more scalable for attackers.

The attack begins when someone searches for software online and downloads what looks like the tool they wanted.
That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection.
| Step | What happens |
| 1. A user downloads a fake file | The ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver |
| 2. The file appears normal at first | In some cases, the package includes a legitimate executable so it feels more convincing |
| 3. A malicious DLL is loaded | A hidden malicious file, often WinUpdateHelper.dll, starts the real attack |
| 4. The user is distracted | The malware may display a fake “missing dependency” message and redirect the user to install unrelated software |
| 5. A PowerShell script is pulled from a remote server | While the user is distracted, the malware contacts a command-and-control server and runs additional code |
| 6. More malware is installed | Depending on the sample, the device may receive coin miners, infostealers, or remote access tools |
| 7. The infected device is abused for profit | In many cases, attackers use the victim’s system resources to mine cryptocurrency in the background |
McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including:
| Bait category | Examples |
| Gaming tools | game mods, cheats, executors, Roblox-related tools |
| AI-themed tools | AI image generators, AI voice changers, AI-branded downloads |
| System utilities | graphics drivers, USB drivers, emulators, VPNs |
| Trading or finance tools | stock-market utilities and related downloads |
| Fake security or malware tools | fake stealers, decryptors, and other risky-looking utilities |
That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software.
One of the strongest clues came from the comments inside some of the attack scripts.
McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from “your GitHub URL,” which suggests the code may have come from a generated template and was not fully cleaned up before use.
These details do not prove every part of the campaign was AI-made. But they do support McAfee’s assessment that certain components were likely generated with help from large language models.
In many cases, the malware was used to turn victims’ computers into quiet crypto-mining machines.
McAfee observed mining activity involving several cryptocurrencies, including:
Some samples also downloaded additional payloads such as SalatStealer or Mesh Agent.
For victims, that can mean:
| Possible effect | What it may look like |
| Slower performance | apps lag, games stutter, system feels unusually sluggish |
| High CPU or GPU usage | fans run constantly, laptop gets hot, battery drains faster |
| Background malware activity | unknown processes, suspicious downloads, unexpected behavior |
| Potential data theft | if an infostealer or remote access tool is installed |
McAfee was also able to trace several Bitcoin wallets tied to the campaign. At the time of the report, those wallets held about $4,536 in Bitcoin, while total funds received were approximately $11,497.70. Researchers note the real total could be higher because some of the currencies involved are harder to trace.
This campaign was observed most heavily in:
That does not mean users elsewhere were unaffected. These were simply the countries where researchers saw the highest prevalence.

Even though the campaign used advanced techniques, the warning signs for users were often familiar.
| Red flag | Why it matters |
| You found the file through a random link | Unofficial forums, Discord links, and file-hosting pages are common malware delivery paths |
| The download is a ZIP for something sketchy or unofficial | Cheats, cracks, mod tools, and unofficial utilities carry higher risk |
| You get a “missing dependency” message | Attackers may use this to push a second download while the real infection happens in the background |
| The file name looks right, but the source feels wrong | Familiar names can be faked easily |
| Your PC suddenly slows down or overheats | Hidden cryptominers often abuse system resources |
| You notice new, unrelated software installed | The campaign sometimes used unwanted software installs as a distraction |
This campaign is a reminder that not every convincing file is a safe one. A few habits can reduce your risk significantly.
| Safety step | Why it helps |
| Download software only from official sources | This lowers the chance of accidentally installing a trojanized file |
| Avoid cheats, cracks, and unofficial mods | These categories are common bait for malware campaigns |
| Be skeptical of dependency prompts | Unexpected requests to install helper files or missing components can be part of the attack |
| Keep your security software updated | Current protection can help detect known threats and suspicious behavior |
| Pay attention to system performance | A suddenly hot, loud, or slow PC may be a sign something is running in the background |
| Review what you download before opening it | Even a familiar file name does not guarantee a file is legitimate |
McAfee helps protect against malware threats like these with multiple layers of security, including malware detection and safer browsing protections designed to help stop risky downloads before they can do damage.
If you think you downloaded and ran a suspicious file like one described in this campaign:
| Action | Why it matters |
| Disconnect from the internet | This can help interrupt communication with attacker-controlled servers |
| Run a full security scan | A trusted scan can help identify malicious files and behavior |
| Delete suspicious downloads | Remove the file and avoid reopening it |
| Check for unfamiliar software or startup items | The infection may have installed additional components |
| Change important passwords from a clean device | This is especially important if data-stealing malware may have been involved |
| Monitor accounts for unusual activity | Keep an eye on email, banking, and other sensitive accounts |
If your computer continues acting strangely after a scan, it may be worth getting professional help.
This campaign highlights how cybercrime is evolving.
The core risk is not just fake downloads. It is the fact that attackers are using AI tools to help generate code, create variations, and speed up parts of the malware development process.
That can make campaigns like this easier to scale and harder to ignore.
For everyday users, the takeaway is simple: if a file seems unofficial, rushed, or too good to be true, pause before opening it. A fake download may look like a shortcut, but it can quietly turn your device into a target.
| FAQs |
| Q: What is AI-written malware?
A: AI-written malware generally refers to malicious code, or parts of a malware campaign, that appear to have been created with help from AI coding tools or large language models. |
| Q: Did AI create this entire malware campaign?
A: McAfee Labs did not say that. The research suggests that certain components, especially some scripts, were likely generated with help from large language models. |
| Q: What was this malware disguised as?
A: The malicious files impersonated game mods, AI tools, drivers, trading utilities, VPNs, emulators, and other software downloads. |
| Q: What can happen if you open one of these fake files?
A: Depending on the sample, the malware may install coin miners, steal data, establish persistence, or download additional malicious tools. |
| Q: Can malware really use my computer to mine cryptocurrency?
A: Yes. McAfee observed samples in this campaign that used victims’ CPU and GPU resources to mine cryptocurrency in the background. |
| Q: What is the safest way to avoid this kind of malware?
A: Download software only from official or trusted sources, avoid unofficial tools and cheats, be cautious of fake dependency prompts, and keep your security protection up to date. |
Want to learn more? Dive into the full research here.
The post New Research: Hackers Are Using AI-Written Code to Spread Malware appeared first on McAfee Blog.
Authored by Aayush Tyagi
The term ‘Vibe coding,’ first coined back in February of 2025 by OpenAI researchers, has exploded across digital platforms. With hundreds of articles and YouTube Videos discussing the dangers of Vibe coding and warning the internet about the rise of “Vibe Coders”, while others labelled it as the fundamental shift in software development and the future of coding.
Vibe Coding is an approach where the AI does heavy lifting, rather than the user. Instead of manually writing code or implementing algorithms, users describe their intent through text-based prompt, and the LLMs respond with fully functional code and explanation. Unsurprisingly, the internet is now flooded with guides on the best LLMs and prompts to generate “perfect” code.
Given the ease of generating fully functional code, McAfee Labs has also seen a rise in vibe-coded malware. In these campaigns, certain components of the kill chain contain AI-generated code, significantly reducing the effort and knowledge required to execute new malware campaigns. This shift not only makes malware campaigns more scalable but also lowers the barrier to entry for new malware authors.
In January 2026, McAfee Labs observed 443 malicious zip files impersonating a wide range of software, including AI image generators and voice-changing tools, stock-market trading utilities, game mods and modding tools, game hacks, graphics card and USB drivers, ransomware decryptors, VPNs, emulators, and even infostealer, cookie-stealer, and backdoor malware, to infect users.
Across the 440+ zip files, we observed 48 unique malicious WinUpdateHelper.dll variants, responsible for the infections. McAfee has been detecting variants of this threat since December 2024, although the vibe coding observed in certain components appears to be a recent addition. These files are distributed through various legitimate content delivery network (CDN) services and file-hosting websites, such as Discord, SourceForge, FOSSHub, and MediaFire, to name a few. Another website that was actively delivering this malware was mydofiles[.]com.
Here, the attackers implement volume-driven malware distribution techniques to infect as many users as possible.

This attack begins when users surf the internet looking for tools and software that promise to simplify their tasks. Instead, they encounter trojanized zip files.
We discovered over 100 URLs actively spreading this malware, of which approximately 61 were hosted on Discord, 17 on SourceForge, and 15 on mydofiles[.]com.
On running the executable, it loads a malicious WinUpdateHelper.dll file, which redirects the user to file-hosting websites, under the disguise that they are missing crucial dependencies and tricks them into installing unrelated software, which is a distraction. Meanwhile, the DLL has already requested and executed a malicious PowerShell script from a command-and-control (C2) server.
This script infects the user’s system and downloads additional mining software, and abuses the system’s resources, or it downloads additional payloads such as SalatStealer or Mesh Agent, depending on the WinUpdateHelper.dll sample which infected the user.
In this PowerShell script, the presence of explanatory comments and structured sections strongly indicates the use of LLM models to generate this code.
Read more about this in the Using AI to generate malware? section below.
So far, we’ve observed the mining of Ravencoin, Zephyr, Monero, Bitcoin Gold, Ergo, and Clore cryptocurrencies.
Due to the presence of hardcoded Bitcoin wallet credentials within these malware samples, we were able to trace on-chain transactions and identify wallets containing over $4,500 USD that are part of this campaign.
Since most of the mining activity targets privacy-focused cryptocurrencies such as Zephyr, Ravencoin and Monero, the real financial impact is likely to be nearly double the amount identified through Bitcoin tracing alone.

This malware campaign has specifically targeted users in the following counties, ranked by prevalence: The United States of America, followed by United Kingdom, India, Brazil, France, Canada, Australia.
The availability of LLMs capable of generating code instantly, combined with the widespread accessibility of technical knowledge, has created a low-effort, high-reward environment, making malware deployment increasingly accessible.
At McAfee Labs, we have been doing hard work so that you don’t need to worry. But it always helps to be informed and educated on the latest threat that steps into the threat landscape.
We will continue monitoring these campaigns to ensure our customers remain informed and protected across platforms.
Here we see malware distribution at a large scale and by analyzing the filenames of these ZIP archives, we can infer to the users that are being targeted. These are some of the names we’ve witnessed in the wild.

The attackers are actively impersonating video game cheats and game mods for popular titles, and well-known script executors for Roblox, such as Delta Executor and Solara as seen above.

Names such as Panther-Stealer and Zerotrace-Stealer indicate that even users looking for malware on the internet are not safe either, reinforcing the notion that there is truly no honor among thieves.
The campaign also leverages drivers and AI-themed tools as part of its lure portfolio among other tools. Interestingly, we see the name ‘DeepSeek.zip’, where attackers are exploiting a prominent LLM model, DeepSeek. McAfee had encountered these types of attacks in early 2025 and covered them extensively.
Read the previous blog here: Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users
Once the user downloads the ZIP archive from Discord or any other website. They get the following set of files.

Here, the executable named ‘gta-5-online-mod-menu.exe’ (Highlighted in Blue) is a legitimate and clean file. Whereas the file named ‘WinUpdateHelper.dll’ (Highlighted in Red) is malicious.

On executing ‘gta-5-online-mod-menu.exe’, the malicious DLL is loaded. The user is informed that they are missing dependencies, and they’re redirected to the following URL via default browser.
hxxps://igk[.]filexspace.com/getfile/XKQLPSK?title=DependencyCore&tracker=gta-5-online-mod-menu
Here, within the URL, a tracker variable is used to identify which malware has infected the user. In this instance, it was ‘gta-5-online-mod-menu’.

Dependecycore.zip is a setup file. On execution, it installs unrelated 3rd party software on the victim’s system.

In this instance, iTop Easy Desktop was installed.
This unwanted installation is meant to subvert users’ attention. As, the WinUpdateHelper.dll has already connected to the C2 server and infected the system.
Once the redirection code is executed, the malware executes the malicious code.

In the above code snippet, which is present in the WinUpdateHelper.dll, we can see that a new service has been created under the name “Microsoft Console Host” to make it appear to be benign (Highlighted in Red). The parameters passed to this service ensure that it executes at system boot. This is done to maintain persistence in the system.
The service executes a PowerShell command that dynamically generates the C2 domain using the UNIX time stamp.
Using the following code,
$([Math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() / 5000000) * 5000000).xyz
It generates a domain name that changes once every 5,000,000 seconds or 58 days.
The latest C2 domain we’ve discovered that is up and running is
1770000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper
During our analysis we observed the following domain
1765000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper, which is present in the following images.
Here the id=fA9zQk2L0M is randomly generated, to uniquely identify the user and tag=WinUpdateHelper is used to identify the malware campaign.
The malware connects to the above-mentioned C2 server to download a PowerShell script and execute it in memory. This fileless execution ensures improved evasion against signature-based detections.

It is funny to note here, that the first comment of this script says “# I am forever sorry” which indicates that the attacks do carry some guilt regarding their actions, but not enough to stop the campaign. We found similar comments, such as “# sorry lol”, across multiple PowerShell scripts we discovered.
The first set of commands (Highlighted in Green) are used to delete windows services and scheduled tasks. This is done to remove older or conflicting persistence mechanisms and to avoid duplicate miners from running on the same system.
The second set of commands (Highlighted in Red) are registry modifications, that adds “C:\ProgramData” to Windows Defender exclusion paths. That is, ProgramData Folder won’t be scanned by Windows Defender anymore. This exclusion allows malware to drop additional payloads to disk, without the risk of them being detected and removed.
The third set of commands (Highlighted in Blue) does exactly that. It downloads the next level payload from the URL “hxxps://1765000000[.]xyz/download/xbhgjahddaa” and stored it at this path “C:\ProgramData\fontdrvhost.exe”.
Again the name ‘fontdrvhost.exe’ imitates a legitimate Windows binary, to masquerade its true intent. After the download, the file is decoded using a simple arithmetic decryption routine. This provides protection against static signature detection and network detection.
The payload is an XMRIG miner sample. In the next command, the miner is initialized and executed. Here, we see the miner connecting to “solo-zeph.2miners.com:4444” and start CPU based Zephyr coin mining using the following wallet address: ‘ZEPHsCY4zbcHGgz2U8PvkEjkWjopuPurPNv8nnSFnM5MN8hBas8kBN4hoNKmc7uMRfUQh4Fc9AHyGxL6NFARnc217m2vYgbKxf’.

In the second half of the script, we see another miner being set up and executed using the same technique (Highlighted in Red). This time the file is stored as “RuntimeBroker.exe” in the ProgramData folder. The miner is connecting to “solo-rvn.2miners.com:7070” to mine Ravencoin and it is using the system’s GPU instead of the CPU for mining (Highlighted in Blue).
This is the wallet address used for mining in this instance ‘bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r’.
Hence, we see a dual coin-mining deployment infrastructure utilizing both CPU and GPU resources to optimize mining efficiency.
What is interesting here is that attackers have used a bitcoin wallet address for mining Ravencoin, which indicates they are using multi-coin pools for mining. The attackers are using the victims’ machine to mine Ravencoin and automatically convert the mining rewards to Bitcoin before the payout.
This is done for a variety of reasons, such as, bitcoin offers higher liquidity and has broader acceptance, but most importantly, Ravencoin is computationally easier and economically viable to mine on victim’s system. Bitcoin requires specialized ASIC hardware for profitable mining and attempting to mine Bitcoin directly on infected systems would generate negligible returns. We’ve seen the same behaviour in multiple samples.
This is a smoking gun. Unlike Zephyr coin or Monero, Bitcoin’s blockchain is fully traceable. Every Satoshi, the smallest unit of Bitcoin, can be traced across the blockchain from the moment it was mined to its current holder. From there, it becomes easy to determine how much cryptocurrency the threat actor is receiving. More on this later.
The attackers have meticulously designed the campaign and have implemented various anti-analysis techniques to thwart researchers.
The PowerShell script we’ve seen above is responsible for downloading and initializing the coin miner samples. It is only accessible via PowerShell. If we try to access the server via Curl, we get the following response.

This indicates that the server is actively monitoring the User-Agent of incoming requests and deploys the payload only when the request originates from PowerShell.
Similarly, the URLs embedded within the PowerShell script that download the next payload are unique to each victim and remain active for 60 seconds. After that, they return a 404 Not Found error.

These techniques are meant to confuse and disorient researchers, making the analysis difficult.
While working on this malware campaign, we came across over 440 unique zip files. These same zip files were distributed with over 1700 different names, targeting various software.
Across these 440 zip files, we noticed 48 unique variants of WinUpdateHelper.dll. These 48 files can be clustered together into 17 distinct kill chains, each featuring their own C2 infrastructure, misleading installation setups, second-stage PowerShell scripts and final payloads, yet the cryptocurrency wallet credentials remain similar.
In the above technical analysis, we’ve only covered 1 kill chain. Yet, across these 17 kill chains, we’ve noticed the flow remain the same.

Across multiple second stage payloads, we encounter multiple comments such as the following, embedded within the code:
# === Create and execute run.bat in C:\ProgramData ===
:: This batch file:
:: – Creates the hidden folder C:\ProgramData\cvtres if it doesn”t exist (using CMD attrib for hidden + system)
:: – Downloads cvtres.exe from your GitHub URL
:: – Saves it to C:\ProgramData\cvtres\cvtres.exe
:: – Executes it immediately
:: – Runs completely hidden/minimized (no window visible)
The presence of such explanatory-style comments indicates that large language models were likely used during the development of these scripts. Especially, the comment “Downloads cvtres.exe from your GitHub URL”, where ‘Your GitHub URL’ refers to the threat actor’s GitHub repository that is hosting the malware, which indicates potential vibe coding.
During analysis of this malware campaign, we came across few instances where the final payload was Infostealer malware. In most cases it was coin miner samples.
In these cases, we encountered wallet credentials and mining pool URLs for several alternative cryptocurrencies such as Ravencoin, Zephyr, Monero, which aren’t traceable.
Fortunately, we came across 7 bitcoin wallets that are part of this malware campaign and are actively receiving mined cryptocurrency.
bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r bc1q7cpwxjatrtpa29u85tayvggs67f6fxwyggm8kd
bc1qyy0cv8snz7zqummg0yucdfzpxv2a5syu7xzsdq bc1qxhp6mn0h7k9r89w8amalqjn38t4j5yaa7t89rp
bc1qxnkkpnuhydckmpx8fmkp73e38dfed93uhfh68l bc1qrtztxnqnjk9q4d5hupnla245c7620ncj3tzp7h
bc1q97yd574m9znar99fa0u799rvm55tnjzkw9l33w
As of writing this blog, these wallets contain Bitcoin valued at approximately $4,536.20 USD.

These wallets have seen regular withdrawals, with total funds received amounting to approximately $11,497.7 USD.
McAfee has extensive coverage for this Coinminer Malware Campaign. We’re proactively covering new samples observed in the wild.
Trojan:Win/Phishing.AP
Trojan:Script/Coinminer.AT
Trojan:Win/Dropper.AT
| File Type | SHA256/URLs | File Name |
| SHA256 | 94de957259c8e23f635989dd793cd
fd058883834672b2c8ac0a3e80784fce819 |
WinUpdateHelper.dll |
| db8afdafbe39637fec3572829dd0a
1a2f00c9b50f947f1eb544ede75e499dca7 |
WinUpdateHelper.dll | |
| f15098661d99a436c460f8a6f839
a6903aebd2d8f1445c3bccfc9bf64868f3b0 |
WinUpdateHelper.dll | |
| 3abf66e0a886ec0454d0382369dd6
d23c036c0dd5d413093c16c43c72b8ccb0b |
WinUpdateHelper.dll | |
| 767b63d11cee8cfb401a9b72d7bcc
a23b949149f2a9d7456e6e16553afcef169 |
WinUpdateHelper.dll | |
| 12850f78fc497e845e9bf9f10314c4ecc
6a659dcd90e79ef5bd357004021ba78 |
WinUpdateHelper.dll | |
| 0a8a58d18adc86977b7386416c6be8db
850a3384949b6750a6c6b2136138684a |
WinUpdateHelper.dll | |
| 1a60852904ff9c710cd754fa187ce58cb18c69
e35ea4962a8639953abe380f64 |
WinUpdateHelper.dll | |
| 4ab63b5ccd60dfd66c7510d1b3bc1f45f0
c31c2d4c16b63b523d05ccac3fcb9d |
WinUpdateHelper.dll | |
| 1390e61a45dd81fa245a3078a3b305
e3c7cdeb5fa1e63d9daca22096b699f9e8 |
WinUpdateHelper.dll | |
| a0c3de95e5bf84cb616fe1ee1791e96ff57
53778b36201610e6730d025a6cb12 |
WinUpdateHelper.dll | |
| ea65298d8d8ce4b868511a1026f8657abcc
6b2e333854f4fc1bd498463b24084 |
WinUpdateHelper.dll | |
| 6ea34fd213674f31a83c0eee2fb521303d2
a7c23e324bbdfa1a8edd7b6b6b6f1 |
WinUpdateHelper.dll | |
| 7bec5e37777e6a2ca50e765b07e8cb
65e88f4822ab19d98c32f1c69444228e5c |
WinUpdateHelper.dll | |
| 64c96f0251363aaf35c3709c134aab52b9
81508b0ce9445e42774d151e43686b |
WinUpdateHelper.dll | |
| 393f6c6b307aecfe46acc603da812cc17f
0ebf24b66632660a2e533dfa4f463f |
WinUpdateHelper.dll | |
| 94077065d049e821803986316408b
82edad43fcd5a154f6807b4382eece705c3 |
WinUpdateHelper.dll | |
| a206ff592aea155d2bb42231afc3f060
494ffa8f3de8f25aaf8881639c500b44 |
WinUpdateHelper.dll | |
| cb2eebf27def80261eef6b80d898e06
f443294371463accd45ca24ce132fad98 |
WinUpdateHelper.dll | |
| 3fea0a031ffd78c8d08f6499c2bbc
6a9edac5dc88b9ba224921f8f142e5a9adb |
WinUpdateHelper.dll | |
| 4fe5d461aaa752b94d016ca4e742e
02d30d3d4848a32787ce3564b5393017d77 |
WinUpdateHelper.dll | |
| 04399f9f3ef87d8dd15556628532a84
d63d628eaae0ed81166d6efbee428cdba |
WinUpdateHelper.dll | |
| dd37cd62fa18af798018a706f20a91a537f
0993f0254a0c84d64097c6480afb2 |
WinUpdateHelper.dll | |
| 1d85ffe28d065780c9327078941cb76
2915c69c69012303e45eee44c092f8046 |
WinUpdateHelper.dll | |
| 86e14dd0ab29ee0eab21874811b7e4
50d609feb606f77206627b62cccbd58afa |
WinUpdateHelper.dll | |
| 17704d58fb9c4e68c54a56fa97cd32599
792d00da53691b8bdb58e49296b7feb |
WinUpdateHelper.dll | |
| 491019e31af8f1489aea8d4c0f9816
813698def0301a2abb88e5248b37753d2b |
WinUpdateHelper.dll | |
| c0ab89c3d9c7b9a04df5169eb175d517
3c6de08a4ef3674cd6d7f9a925d63151 |
WinUpdateHelper.dll | |
| df0ca0f15926964040bb43978f97faccc0
0bae5f6a00d8bd7d105d8c7d32efb1 |
WinUpdateHelper.dll | |
| e40f2628b2981226b1afe16c1cf3796b94
82b2ac070adac999707fc09909327c |
WinUpdateHelper.dll | |
| f6093084196acded1179d3a1466908beb
966dceaba03e1dfeb02a2628fdb0423 |
WinUpdateHelper.dll | |
| fcc512630ee95d3f4c31e3aabc75ad2e29
dfacb4d4bcce7a12abe9a516979dbd |
WinUpdateHelper.dll | |
| fe02d8d7a6b8f66624b238665d63094
a2bcd19c44a3f9c449788cadbb1b741a6 |
WinUpdateHelper.dll | |
| 1967f6f42710b43506a0784a28ca8785a
f91b84dfa8629ec5be92be8eec564c6 |
WinUpdateHelper.dll | |
| 5280b0ecb6c7246db84a9b194f5c85cc3
03c028475900b558306fdd4e51f4fc3 |
WinUpdateHelper.dll | |
| ce06d83adb53c8b9d240202193ca4c04d
0163994dad707aed0f0e67fdd2a42fe |
WinUpdateHelper.dll | |
| 13976bdc28d3b3ae88ed92fcf49ff9e083b
0ce5fd53e60680df00cd92bdfb33b |
WinUpdateHelper.dll | |
| 4135754b26dfac10cd19dcf6e03677b53
7244cf69fdce9c4138589e59449b443 |
WinUpdateHelper.dll | |
| 7d69eca36c0f69b3007cdbf908f15545
e95611acf4bad8b9e30e54687a6d33bb |
WinUpdateHelper.dll | |
| 085dc279b422d761729374b01eae1e2
2375ef9538a6c4bc7cc35e8a812450f93 |
WinUpdateHelper.dll | |
| 99ff2045d1377db7342420160eb254b7
b09cc4ce41a97b6bf0ec4d3f65d9ede6 |
WinUpdateHelper.dll | |
| 396f397099a459f3adeba057788aa3d3488
2eea7d1665c828449f205a86dc80f |
WinUpdateHelper.dll | |
| 908d35e6afd90da2e7c71cf82c8a61b5534
10ca920e67dba1bae35c2b6b19bad |
WinUpdateHelper.dll | |
| 7029d68969814f1473e4e4a22abd4be8
5678a03bbe4c0f6194f3b7e421872ab3 |
WinUpdateHelper.dll | |
| d3ba17aa83748c539c75cee7eedb03a4
83f2e86af10b69da3f0c8e549f014ac3 |
WinUpdateHelper.dll | |
| d758820962ead89d5eaf7e45930a5eb
6ab11d5508988087faf84d8d7524408f1 |
WinUpdateHelper.dll | |
| e863f45099f3dc057a5aee5990fabfb4
e8ea8849cd5bc895092ff0a305a3f85d |
WinUpdateHelper.dll | |
| 0db26e9a1213d09521fc0dbfe15f807c9
960f62bc1cf4071001f58f210c53e9c |
WinUpdateHelper.dll | |
| 94de957259c8e23f635989dd793cdfd
058883834672b2c8ac0a3e80784fce819 |
WinUpdateHelper.dll | |
| C2 URLs | hxxp://85[.]235[.]75[.]242/script[.]ps11 | |
| hxxp://41[.]216[.]188[.]184/downloads/loader[.]ps1 | ||
| hxxp://46[.]151[.]182[.]238:6969/script | ||
| hxxps://mydofiles[.]com/script[.]ps1 | ||
| hxxp://45[.]141[.]119[.]191/jjj[.]txt | ||
| hxxps://getthishasg[.]live/cz8wl3k[.]php?
cnv_id=cee43wfhqb7b81&payout=1 |
||
| hxxps://gocrazy[.]gg/script?id=fA9z
Qk2L0M`&tag=schtasks |
||
| hxxps://dystoria[.]cc/mon | ||
| hxxp://85[.]235[.]75[.]242/script[.]ps1 | ||
| hxxps://github[.]com/dextamoggan4-sudo/
shineex/releases/download/python/script[.]ps1 |
||
| hxxp://45[.]141[.]119[.]191/gg[.]txt | ||
| hxxps://codeberg[.]org/Yesdev123/
load/raw/branch/main/testfile[.]txt |
||
| hxxp://45[.]141[.]119[.]191/jjjj[.]tt | ||
| hxxps://kenovn[.]net/script | ||
| hxxps://1765000000[.]xyz/script?
id=fA9zQk2L0M&tag=WinUpdateHelper |
||
| hxxp://46[.]151[.]182[.]238:6969/scrpt | ||
| hxxp://46[.]151[.]182[.]238:6969/script | ||
| hxxps://cutt[.]ly/ke0WRr70 | ||
| hxxps://cutt[.]ly/pe0WRidw | ||
| hxxps://1770000000[.]xyz/script?id
=fA9zQk2L0M&tag=WinUpdateHelper |
||
| hxxp://150[.]241[.]64[.]28/panfish | ||
| Final Payload URLs | hxxps://github[.]com/gaescmo-ai/justin/
releases/download/son/xmrig[.]exe |
|
| hxxps://github[.]com/gaescmo-ai/justin/
releases/download/son/ethminer[.]exe |
||
| hxxp://41[.]216[.]188[.]184/downloads
/windows-service[.]zip |
||
| hxxp://46[.]151[.]182[.]238:6969/exe/rat[.]exe | ||
| hxxp://46[.]151[.]182[.]238:6969/exe/miner[.]exe | ||
| hxxp://46[.]151[.]182[.]238:6969/exe/titledetector[.]exe | ||
| hxxps://github[.]com/jimbrock44/filezilla2025/
raw/refs/heads/main/sc[.]msi |
||
| hxxps://github[.]com/softwarelouv/software/
raw/refs/heads/main/scvhosts[.]exe |
||
| hxxps://github[.]com/softwarelouv/software/
raw/refs/heads/main/cvtres[.]exe |
||
| hxxp://109[.]120[.]177[.]217:8082/download | ||
| hxxp://45[.]141[.]119[.]191/fontdrvhost[.]exe | ||
| hxxps://codeberg[.]org/Yesdev123/load/raw/
branch/main/source[.]exe |
||
| hxxps://1765000000[.]xyz/download/xbhgjahddaa | ||
| hxxps://1765000000[.]xyz/download/ebhgjahddaa | ||
| hxxp://46[.]151[.]182[.]238:6969/autoexec | ||
| hxxp://62[.]113[.]112[.]203/adm[.]exe | ||
| hxxps://evilmods[.]com/api/nothingtoseehere[.]exe | ||
| hxxps://evilmods[.]com/api/nothingbeme[.]exe | ||
| hxxps://evilmods[.]com/DependencyCore2 | ||
| hxxps://evilmods[.]com/DependencyCore | ||
| Unwanted Installers | CD1B15644BF0D7CBF270E8F21CEAE5E6 | Dependecycore.zip |
| 7d18257b55588bccb52159d261f9cd7f | Dependecycore.zip | |
| A518FB6B9D2689737CE668675EEDE98F | iTop Easy Desktop | |
| E3BB21152BA90990E3CCBC1A05842F8B | Opera Installer | |
| A6BC4C6A58AC533D3DB5F96D24DDE0EF | Docs Helper Setup | |
| FA24733F5A6A6F44D0E65D7D98B84AA6 | Windows Manager | |
| CDB67B1C54903F223F7DCCA14AEA67DF | eld4.exe | |
| Final Payloads | e07a76cc4258c6b4b3f85451ea2174d5 | xmrig.exe |
| d32395a3a340e033e11bd89acddaa9cd | ethminer.exe | |
| 14f1de874c78221e7b6889af7463de69 | WindowsService.exe | |
| 47c8731b2526613e1e3bc61a88680cd0 | rat.exe | |
| fbac126407b5735583dac5ea7cf519b3 | SalatStealer | |
| 4dc93730ebe04a9b508a9f9dae74ae09 | miner.exe | |
| 90e10b510144719613b1017abe227b87 | titledetector.exe | |
| 8dadf8a4b77a340fcbb402789f9a07db | agent | |
| 4c8e8e2fdc23bb7b24e6b410eb69fb4a | scvhosts.exe | |
| 79ea41812bd3310e11fc95403504f048 | sc.msi | |
| 1b1bd2783d4e8d1c2d444ffa8689677b | cvtres.exe | |
| 16b70d148b66c20c709b7eed70100a96 | source.exe | |
| e2af5595c9a0b7feaa9291b405d4c991 | XMRIG _Miner | |
| b133229ed0be8788c84a975656a7339c | CoinMiner | |
| 754b581c7e3593446f0a06852031564a | MeshAgent | |
| a7400236ffab02ae5af5c9a0f61e7300 | NiceHash Miner | |
| d7d34c0559b3f6ba70be089e4cc6172c | lolMiner | |
| PowerShell Scripts | 02a4d24d0cdaa6f9a3ecf4b71e3f2eec | |
| 2a153877acc9270406d676403e999490 | ||
| 77f491c1c50e224d0c61ed608445d8a9 | ||
| c60a3307d21840d1e15ee78b07d3eb04 | ||
| d17b85de54d0c438c092c1e889b8c63f | ||
| e35c04a7c31f8641757374404edea395 | ||
| fa8b5b5a302c0e353f4983973cf4b37e | ||
| d2ad87a1fd1e8812c5ba4b259de4f885 | ||
| Wallet Address | 46NgyMUVMf6Xzsao9XR
C6BTjJpjUJFfA12F8BPmD 86Y7biz4gZdjCWsSXMUZo mtuUs8crujryAvhRFMyvhzb s6naMKucHFi |
Monero (XMR) wallet address |
| RJe6FfyoWDq6M4i3b17LxvjdT2fSNTLTYA | Ravencoin (RVN) wallet address | |
| ZEPHsCY4zbcHGgz2U8
PvkEjkWjopuPurPNv8nnSFn M5MN8hBas8kBN4hooNKmc7uMRfU Qh4Fc9AHyGxL6NFARnc217m2vYgbKxf |
Zephyr (ZEPH) wallet address | |
| bc1qyy0cv8snz7zqummg0yucd
fzpxv2a5syu7xzsdq |
Bitcoin (BTC) address | |
| bc1q7cpwxjatrtpa29u85tayvggs
67f6fxwyggm8kd |
Bitcoin (BTC) address | |
| bc1qxhp6mn0h7k9r89w8amalqj
n38t4j5yaa7t89rp |
Bitcoin (BTC) address | |
| bc1qxnkkpnuhydckmpx8fmkp73e3
8dfed93uhfh68l |
Bitcoin (BTC) address | |
| bc1qrtztxnqnjk9q4d5hupnla245c762
0ncj3tzp7h |
Bitcoin (BTC) address | |
| bc1q9a59scnfwkdlm6wlcu5w76zm2
uesjrqdy4fr8r |
Bitcoin (BTC) address | |
| bc1q97yd574m9znar99fa0u799rvm
55tnjzkw9l33w |
Bitcoin (BTC) address | |
| URL Distributing Malware | http://www[.]mydofiles[.]com/
MultiClicker[.]zip |
|
| http://www[.]mydofiles[.]com/
ProCheatsInstaller[.]zip |
||
| http://www[.]mydofiles[.]com/
RobloxCheatEngine[.]zip |
||
| http://www[.]mydofiles[.]com/
ST-Bot[.]zip |
||
| https://sourceforge[.]net/projects/
delta-executor-for-pc/files/latest/download |
||
| https://ixpeering[.]dl[.]sourceforge[.]net/project/
delta-executor-for-pc/DeltaExecutor[.]zip?viasf=1 |
||
| https://sourceforge[.]net/projects/
delta-executor-for-pc/files/DeltaExecutor[.]zip/download |
||
| https://cdn[.]discordapp[.]com/
attachments/1436383055471185961/ 1454995091423887442/Keyser[.]zip? ex=6953c606&is=69527486&hm= e3ba56d122cc6b6228d787d29c6b5db31 709fd16be119fa8d3a09d92cb0291e4& |
||
| https://cdn[.]discordapp[.]com/attachments/
1436746541669945409/1454995359754358875/ Matcha[.]zip?ex=6953c646&is=695274c6&hm= 1bae58927d0bcd6a1971b604644035ad938c1d535 61f7d4e951fdf5454d52f8d& |
||
| https://cdn[.]discordapp[.]com/
attachments/1437009916224209018/ 1454995174328500318/CheatLoverz[.]zip? ex=69531d5a&is=6951cbda&hm= f1ac26bebf4394c43cbf21ed531f5dfdf7 d31f30853b126611c1a39b970b81bc& |
||
| https://cdn[.]discordapp[.]com/attachments/
1438966596222849134/1454995223171170386/ Complex[.]zip?ex=69531d65&is=6951cbe5&hm= b66d9539c0d487fc63125982db773e42eee01dfc 4bc5a28dc1a7a773134a7bc6& |
||
| https://cdn[.]discordapp[.]com/attachments/
1438966596222849134/1454995223171170386/ Complex[.]zip?ex=6953c625&is=695274a5&hm= 0d6ba0e247e275a9824a838969ee06452e188310 c434c5d852141bfad3eedff2& |
||
| https://cdndownloads[.]com/
download?clickid=277af8wcia4d4b |
||
| https://cdndownloads[.]com/
download?clickid=53ba0myoj8p617 |
||
| https://download[.]fosshub[.]com/Protected/
expiretime=1735860643;badurl=aHR0cHM6L y93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVV uaW5zdGFsbGVyLmh0bWw=/db8e43d66065d d656635ff00c50d96369d2fc4dddad18f52c5d00 05f868649b8/5b964d315dc7e865ea596350/67 3508bbeeeeed04938b399f/BCUninstaller_5 [.]8[.]2_setup[.]exe |
||
| https://download[.]fosshub[.]com/
Protected/expiretime=1738877220; badurl=aHR0cHM6Ly93d3cuZm9z c2h1Yi5jb20vQnVsay1DcmFwLVVu aW5zdGFsbGVyLmh0bWw=/bd26 b0ced684ddb98f194568d7f05c819 71932a5bfb323ed73296940dd8ec74d/ 5b964d315dc7e865ea596350/673508bb eeeeed04938b399f/BCUninstaller_5[.]8[.] 2_setup[.]exe |
||
| Malicious ZIPs | 001cdd8e978b8233a958cfb81b202
72a5d3a9c53ce2eb9dda28f0755f95f3e14 |
bluetoothCore.zip |
| 00226d16b97c2a2201ca806491f5a6df
3650a70c19e82b791740aaef7cf93e72 |
octet-stream | |
| 00d70985e5e73cba934ffc7b886cea5df
2d9f04c72b80f1e653ae709910666da |
FreeFireForPC.zip | |
| 0165aa283b6dd66db66d5865907e75
3acc68b894fc8086bffe106ac3d550d0df |
AIVoiceChanger.zip | |
| 020b6449605713404d9ea6bd332df47
f815663f239b39c368208158b1411efb2 |
r6s-multi.zip | |
| 04d3477a22a0693c3278c5a86f9c882
89a7ccc2565cb61f8a78c9b269666baff |
EZFN.zip | |
| 054d2da6e959466490cb0c3cdc2acb9
602e47ac56b977a3d365b4d1728eb2dd5 |
download | |
| 057121dd0ecbb242f7a26ec277249614
7ae2ec2ee03abd6e79a2bfb5a6ac60e9 |
demonCore.zip | |
| 063d5400db74f7e064141e3cb9bdc6e
71fec88956560de94c280cf59bbc65c78 |
Nihon-Executor.zip | |
| 3be99fb0b3bcaa125583bd1763537216
34c090233dd018e56cd3fa8ac89c3aee |
Panther-Stealer.zip | |
| 07aa31bd8b220f79acd6b26accfb84ab
6b67f1e6b1baa57ad2f48c5db6771ec5 |
DeltaExecutor.zip | |
| 1097bc1ed1dd2e46f65fe16f18f431a1539
cf73f97599aec2b81d1ad07f2e485 |
gta-5-online-mod-menu.zip | |
| 112c08db627e759a499ab96e7964425f7
21fda8b56029e15ab27c762bf1d91cc |
DeltaExecutor.zip | |
| 113c38d3c1b6d6a87bc99dcfda4020245
47ecdbdc1d7577a4c0cb3a88569582a |
Fortnite-External.zip | |
| 116760f2d7d0b138a2d62683bc08d4620
87dbd278e491177ae9c978e1fddb1a0 |
roblox-multi.zip | |
| 11b129c8373b6621343dbfe837e21c016f6
fe1f9bdbb2a40283c15cc046fd0ba |
Matcha.rar | |
| 1217e31084df1dbe3fb37cd2b0c65bc70ec2
0278ab11471f0adafe845ed482d9 |
roblox-counter-blox-multi.zip | |
| 12e5890426baa26062077ec41d407ddfcd
8df88480cce6308c0b4064530e767f |
AIAutoClicker.zip | |
| 1366f9bf45a11fed9ec6a2f40a571f273661523
3567c3d91bb1b09916bf5068c |
demonCore.zip | |
| 140c985db532c9085b2de4adcc885a67199dac2
c36a465afd7a2655b4f797b17 |
TheExecutor.zip | |
| 14df8e6e7aadab0866e1a7b17adb247014343f5e31
43249e78a6846051b1e620 |
AIVoiceChanger.zip | |
| 152914827e68584725b0890a46d62e45122789
d1341e50f134b586aa7e139d3c |
TemuForPC.zip | |
| 179e55bb20de0def4f9a5272397a11b7
cb5b4c55a24539da22720f64738a95eb |
AutoClicker.zip | |
| 17e0302f15475a90e807550ea4abe57f
e75a3630fbcc6d9b8feec4c645b7c31b |
Roblox-Injector.zip | |
| 17eff164be5859f8ed5b4c4d9969f9384
523f4ac9a8bd1b6e73ee2ea7d1761e2 |
1vqckj.zip | |
| 188148aae3bdf973ba88b387db68feae
da58daf3a70477766ac34f3b125651a9 |
Roblox-MMap-Injector.zip | |
| 19c6d61936af8a650eebe50b7a21260
cbc365cb09e27b9104a095eda3dbc85a9 |
release-delta-executor.zip | |
| 1aa12327f111d30f0a973070e2a941322b0
7710b9c90c02b0c5c0eda26c902cc |
DeltaExecutor.zip | |
| 1baea27d6148bf630d85c28b24d5aa91
14ad32800d10f2977acecd7845275ecf |
Osiris.zip | |
| 1cdd70b8b8aac60584f17b9396c5f8086
105c92e630fcb81649d395c461c71f9 |
TLifeForPC.zip | |
| 1db8d6d66ab97ed3e1415a02b356a05d8
ec846d69e5fa533f443b8d5d29949ef |
ProExt.zip | |
| 206265f971c6b6bea2b74ceef0ec1417e79
54d2cb83261ffa1b63f82964e5792 |
Lo4f-Malware.zip | |
| 347601eae5851ef7a6cf5a6b7f93ae6078
969bafd191f6a8812a20fa6bf43996 |
pubg-cheat.zip | |
| 35aa1d44c71bdac70faa11b51fc29c13348e
99cf981faa7119861df3ab7e50ba |
Complex.zip | |
| 36b339f53a8bf65b030bedf5ad3bfde04eb
dad3b150ec75ebb77f4a4b3c0cdd7 |
HWIDSpoofer.zip | |
| 37aead580cea7b82a1e76cb642a9269b9a
d1dcdb60f36660e59ee5f8e00cc7b8 |
AIVoiceChanger.zip | |
| 42b0ba7953a014a56a27c07cb8c97c0109
a1b38b78f34f230ea356f9403007ee |
sony-playstation-vita-emulator.zip | |
| 3a02d75900ba42443c40667182711584b
83844911fdf212747b1e087269d3632 |
FortniteDev.zip | |
| 3dafa158ccb63f989aaab41541ea9c02d2cf1a
2b5f50c5a7b98abc1bcadd73f1 |
r6-multi.zip |
The post AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign appeared first on McAfee Blog.
Whether you’re a hardcore basketball fan or the office colleague who gets roped into filling out a bracket every year, March Madness is the season for brackets, office pools, and last-minute picks.
More than half of Americans (57%) plan to watch the NCAA basketball tournament, and 55% say they participate in some kind of betting or bracket activity during March Madness, from office pools to licensed sportsbook wagers.
But where there’s excitement and money, scammers aren’t far behind.
New research from McAfee finds that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and 24% say they’ve lost money to one, with victims losing an average of $547.
Big events like March Madness create the perfect storm: massive attention, constant betting promotions, and fans searching online for predictions, tips, and an edge.
Scammers know it, and they’re exploiting the moment.

Sports betting promotions are everywhere during major events like March Madness.
According to McAfee research, 82% of Americans say they’ve seen sports betting promotions or offers in the past year, often on social media, streaming broadcasts, and sports websites.
That flood of promotions makes it easier for scams to blend in with legitimate content.
Many scams start the same way legitimate offers do, through messages, ads, or links promising bonuses or tips. But once someone clicks or responds, the situation can escalate quickly.
For example:
In many cases, victims are then asked to send money to unlock winnings, activate accounts, or access premium betting picks.
The payout rarely exists.
Betting scams come in several forms, but many follow familiar patterns.
Here are some of the most common tactics reported in McAfee’s research:
| Scam Type | Definition | How It Works | Red Flags |
| Guaranteed Win Scam | A betting scam where someone promises a “guaranteed win,” “sure bet,” or “can’t lose” outcome in exchange for money, clicks, or sign-ups. According to McAfee Findings, about 1 in 6 Americans say they’ve received these kinds of messages, which are designed to lure fans looking for an edge. | Scammers send private messages, emails, or social posts claiming they have insider knowledge or a lock on a game. The goal is usually to get the victim to pay for picks, join a private group, or click a malicious link. | Claims that a bet is guaranteed, pressure to act fast, requests for payment to access picks, and promises that sound risk-free. |
| Fake Free Bet Promotion Scam | A scam that pretends to offer bonus bets, deposit matches, or free credits through a fake sportsbook promotion. | The victim sees what looks like a real sportsbook offer, often through social media, email, or text. Clicking may lead to a fake site that steals login details, payment information, or deposits. | Unfamiliar brand names, unofficial links, urgent sign-up language, and promotions that seem unusually generous. |
| Winnings Release Fee Scam | A scam where a victim is told they have winnings waiting, but must first pay a fee, deposit, or processing charge to collect them. | The scammer claims the user has won money, then invents a reason payment is required before the funds can be released. Once the fee is sent, the payout never arrives. | Requests to pay before receiving winnings, vague “processing” or “verification” fees, and pressure to send money immediately. |
| Fake Betting App or Website Scam | A scam involving a fraudulent app or website designed to look like a real sportsbook or betting platform. | Victims are directed to a fake platform where they may create an account, enter personal information, or deposit money. The site may appear legitimate, but withdrawals are blocked or impossible. | Slightly misspelled URLs, strange app download paths, poor website quality, and platforms that make deposits easy but withdrawals difficult. |
| Sportsbook Impersonation Scam | A scam in which someone pretends to represent a legitimate betting platform or sportsbook support team. | The scammer contacts the victim claiming there is an issue with an account, a bonus, or winnings. They then ask for login credentials, payment details, or personal information. | Requests for passwords, bank details, or identity information; unexpected outreach; and messages pushing you to resolve an “account issue” through a link. |
| Fake Insider Tip Scam | A scam that uses claims of insider information, fixed games, or special access to make a betting offer sound exclusive and trustworthy. | Scammers position themselves as experts, insiders, or connected sources who can help the victim beat the odds. The real goal is usually payment, account access, or enrollment in a scam betting channel. | Claims of fixed outcomes, “insider” knowledge, exclusive access, and offers that rely on secrecy or urgency. |
| Celebrity or Influencer Endorsement Scam | A betting scam that uses fake or misleading celebrity, athlete, or influencer endorsements to make an offer seem legitimate. | Scammers create ads, videos, or posts that appear to feature a public figure recommending a betting platform, app, or tip service. In some cases, AI-generated content makes these endorsements look more convincing. | Endorsements that seem off-brand, videos or graphics that look unnatural, unfamiliar accounts, and promotions tied to fake urgency or suspicious links. |
| Private Betting Group Scam | A scam that tries to move betting conversations into private channels like WhatsApp, Telegram, or Signal. | After initial contact on social media or another public platform, the scammer encourages the victim to join a private group for “exclusive picks,” “VIP bets,” or “premium insights.” These groups are often used to pressure victims into sending money or clicking malicious links. | Pressure to move off-platform quickly, promises of VIP access, requests for payment to join, and little proof that the group is legitimate. |
McAfee’s research found that Americans under 45 are significantly more likely to encounter betting scams, with 44% saying they’ve experienced one compared with 19% of those over 45.
Men also report higher exposure, with 40% saying they’ve experienced a betting scam, compared with 25% of women.
Men and younger adults are also more likely to participate in brackets, fantasy sports, or sportsbook betting, the same spaces where scams often appear.

Artificial intelligence is beginning to change how scams look and sound.
About 1 in 5 Americans say they’ve encountered betting scams that appeared more realistic because of AI, and 27% believe they’ve seen AI-generated betting content such as fake promotions, images, or videos.
Among those who encountered AI-driven scams:
As these tools improve, scam messages are becoming smoother, more convincing, and harder to distinguish from legitimate promotions.
| Safety Check | What To Do |
| Be skeptical of “guaranteed wins” | No bet is risk-free. Ignore messages promising sure bets, insider picks, or guaranteed outcomes. |
| Use only licensed sportsbooks | Stick to official betting apps and well-known sportsbooks. Avoid unfamiliar websites or apps. |
| Don’t click betting links from unknown messages | If you receive a betting offer via email, text, or social media, go directly to the official site instead of clicking the link. |
| Never pay fees to unlock winnings | If someone says you must send money to claim winnings or activate a betting account, it’s almost certainly a scam. |
| Be cautious of private betting groups | Invitations to “VIP betting groups” on apps like Telegram or WhatsApp are often used to promote scam picks or collect payments. |
| Protect your accounts | Use strong passwords and turn on two-factor authentication wherever possible. Try our free strong password generator. |
| Use scam detection tools | Tools like McAfee’s Scam Detector can flag suspicious links, websites, and messages before you engage. |
March Madness is meant to be fun, filling out brackets, debating picks with friends, and cheering for the next big upset. Betting can be part of that excitement, but it’s worth remembering that scammers are watching the tournament too.
A simple rule of thumb can go a long way: if a betting offer promises guaranteed wins, asks for money upfront, or pushes you to act quickly, take a step back and verify it first.
The safest plays are the ones where you slow down, stick to trusted platforms, and keep your personal information protected.

Sports betting can be fun, but for some people it can become difficult to manage. If you or someone you know is struggling with gambling, help is available through the National Problem Gambling Helpline (1-800-MY-RESET), operated by the National Council on Problem Gambling.
The post 1 in 3 Has Experienced a Betting Scam. What March Madness Fans Should Know appeared first on McAfee Blog.
McAfee Total Protection has been recognized with three major honors in the AV-TEST Best Awards 2025, receiving awards for Best Performance, Best Advanced Protection, and Best Usability.
Among consumer security products, McAfee was the only solution to receive both the Best Performance and Best Advanced Protection awards, highlighting its ability to deliver strong security while keeping everyday devices running smoothly.
The awards are issued by AV-TEST, an independent cybersecurity research institute that evaluates security products through thousands of lab tests each year.
Together, these recognitions reinforce what matters most for people using security software every day: protection that works quietly in the background without slowing down your system or interrupting your workflow.
Pretty big! The AV-TEST Awards recognize security products that deliver consistently strong results across independent testing throughout the year.
To qualify, products must demonstrate exceptional performance across multiple categories, including protection against modern threats, system performance impact, and usability.
In the 2025 test cycle, McAfee Total Protection earned recognition in three key areas.
Security software needs to protect your system without slowing it down.
In AV-TEST’s Windows performance testing, researchers measure how much a security solution impacts system resources during everyday tasks such as launching applications, installing programs, browsing the web, and copying files.
McAfee Total Protection earned the Best Performance Award for maintaining strong protection while keeping system impact minimal.
For users, that means protection that runs efficiently in the background so your PC stays responsive while you work, stream, or game.
Modern cyberattacks rarely rely on a single tactic. Today’s threats often combine multiple techniques, including ransomware, infostealers, and other advanced attack methods.
To evaluate how well security products handle these complex threats, AV-TEST runs Advanced Threat Protection (ATP) tests, which simulate real-world attacks using the latest techniques.
In the 2025 testing cycle, McAfee Total Protection delivered consistently strong results across these real-world attack scenarios, earning the Best Advanced Protection Award for consumer users.
These results demonstrate how multiple protection layers inside the product work together to detect and stop threats, even if an attack attempts to bypass initial defenses.
Strong security should also be easy to live with.
In AV-TEST’s usability tests, researchers evaluate how accurately a product distinguishes between legitimate files and malicious ones, while monitoring for false alarms.
McAfee Total Protection earned the Best Usability Award for its accurate threat detection and low rate of false positives.
That means fewer unnecessary alerts and interruptions, while still maintaining strong protection against real threats.
According to AV-TEST’s testing team, McAfee stood out across multiple categories in the 2025 evaluation.
“The team of the AV-TEST Institute is delighted to present McAfee with three of the highly coveted trophies. The manufacturer received recognition for its consistently efficient use of system resources, clear distinction between benign and malicious files, and strong results in Advanced Threat Protection testing.”
— Marcel Wabersky, Lead Mobile & Network Testing, AV-TEST
Independent testing plays an important role in helping consumers evaluate cybersecurity tools.
The AV-TEST Institute is an independent IT security research organization based in Germany and operating for more than 20 years. The institute runs one of the world’s largest testing laboratories dedicated to cybersecurity products.
From its headquarters in Magdeburg, Germany, AV-TEST researchers analyze new malware, study emerging attack techniques, and conduct large-scale comparative testing of security software used by both consumers and businesses.
These tests are designed to be standardized, transparent, and repeatable, allowing security products to be evaluated under the same conditions across multiple vendors.
The AV-TEST Best Awards recognize products that deliver consistently strong results across a full year of testing. Because the awards are based on sustained performance rather than a single test cycle, they are widely used as an indicator of long-term security reliability.
For McAfee users, these awards reinforce the goal behind McAfee Total Protection: delivering powerful protection that stays fast, accurate, and easy to use.
| FAQ |
| Q: What are the AV-TEST Best Awards?
A: The AV-TEST Best Awards are annual honors given by the independent cybersecurity testing institute AV-TEST. The awards recognize security products that deliver consistently strong results across a full year of testing in areas such as protection, performance, and usability. |
| Q: What awards did McAfee win in the AV-TEST Awards 2025?
A: McAfee Total Protection received three AV-TEST Best Awards for 2025: Best Performance, Best Advanced Protection, and Best Usability. McAfee was also the only consumer security product to receive both the Best Performance and Best Advanced Protection awards in the 2025 evaluation. |
| Q: What does the AV-TEST Best Performance award mean?
A: The AV-TEST Best Performance award recognizes security software that provides strong protection while using minimal system resources. AV-TEST measures how security products affect everyday activities such as launching programs, installing applications, browsing the web, and copying files. |
| Q: What is Advanced Threat Protection (ATP) testing?
A: Advanced Threat Protection (ATP) testing simulates real-world cyberattacks using techniques such as ransomware and infostealer malware. AV-TEST runs these scenarios to evaluate how well security products detect and stop attacks at multiple stages of an infection attempt. |
| Q: What does the AV-TEST Best Usability award measure?
A: The AV-TEST Best Usability award evaluates how accurately security software distinguishes between safe files and malicious threats. Products that score well demonstrate strong detection capabilities while minimizing false alarms and unnecessary alerts. |
| Q: Why do independent cybersecurity tests matter?
A: Independent cybersecurity testing organizations like AV-TEST evaluate security products using standardized and transparent testing methods. These tests help consumers compare protection tools based on measurable results rather than marketing claims. |
The post McAfee Wins 3 Major AV-TEST Awards for 2025 Security Performance appeared first on McAfee Blog.
This week in scams, the Pokémon Trainer pursuit to “catch ’em all” is being hijacked by criminals posting fake trading card listings online; duping buyers, including young collectors, out of hundreds of dollars.
Meanwhile, threatening email extortion scams claiming your personal data has been stolen are flooding inboxes around the world. And a viral “wedding photo” of Tom Holland and Zendaya shows how AI-generated images can blur the line between real and fake online.
Here’s what to know.
The booming market for collectible Pokémon cards has become a new target for scammers.
According to reporting from The Straits Times, Singapore police recently arrested a 25-year-old man suspected of running a series of e-commerce scams involving Pokémon trading cards. Victims reportedly lost more than $135,000 after paying for limited-edition cards that never arrived.
Authorities say the suspect allegedly advertised pre-orders for rare cards on the online marketplace Carousell. After receiving payment through bank transfers or digital payment apps, the seller either became unreachable or claimed there were delivery problems.
Police say at least 35 reports tied to the suspect have been filed since October 2025, and more broadly there have been over 600 reported Pokémon card e-commerce scams totaling more than $1.1 million in losses during that same period.
Collectibles create the perfect storm for online scams. Limited releases, hype, and rising resale values make buyers feel pressure to act quickly before items “sell out.” Scammers take advantage of that urgency.
If you’re buying trading cards or other collectibles online:
When demand spikes for a product, whether it’s sneakers, concert tickets, or Pokémon cards, scams usually follow.
Another scam spreading widely right now arrives in a much more intimidating format: a threatening email claiming hackers have stolen your personal data.
According to reporting from Fox News, many people are receiving messages that claim the sender has access to their passwords, files, or financial information. The message then demands payment in Bitcoin to prevent the data from being sold on the dark web.
At first glance, these emails can feel frightening. They often use dramatic language like:
But in most cases, there’s one major problem with the claim.
There’s no proof.
Security experts note that these messages usually include no screenshots, no passwords, and no evidence of a real breach. Instead, scammers send the same message to thousands of email addresses at once, hoping a small percentage of recipients will panic and pay.
Often, the scammers obtained your email address from old data breach lists circulating online, which makes the message feel more believable.
If you receive a threatening extortion email:
Reporting the message helps email providers improve spam filters and prevent similar scams from reaching others.
The biggest tactic here is fear. Once you slow down and evaluate the message, the scam usually falls apart.
A viral image circulating on social media this week claimed to show Tom Holland and Zendaya’s wedding, sparking massive speculation online.
But many viewers quickly suspected the image wasn’t real.
According to reporting on Yahoo Entertainment, the photo appeared to originate from a fan account on X (formerly Twitter) that claimed the image had been “confirmed” by major outlets like Vogue and Cosmopolitan. However, no such confirmation existed, and soon the official label was added marking the content as AI-generated.

Celebrity rumors already spread quickly online. Add generative AI to the mix, and fabricated images can travel even faster.
While a fake celebrity wedding photo may seem harmless, the same technology can easily be used in more serious ways.
AI-generated visuals are already being used to create:
The line between real and synthetic content is getting harder to spot.
If a viral image seems surprising or dramatic:
When something looks shocking online, that’s often exactly why it spreads. McAfee’s built-in Scam Detector can help you spot AI-generated audio and video.
A few simple habits can help reduce your risk across all three of these scenarios:
Scams today don’t always look like scams. They often look like exciting deals, urgent warnings, or AI depictions of people you trust.
The best defense is slowing down before clicking, paying, or sharing.
From collectible card fraud to email extortion campaigns and AI-generated viral content, the tactics scammers use may change, but the strategy is the same: manipulate emotion and urgency.
Stay skeptical, verify before you trust, and we’ll be back next week with another breakdown of the scams making headlines, and what they mean for your security.
The post This Week in Scams: Pokémon Card Cons, Email Extortion, and a Viral AI Wedding Photo appeared first on McAfee Blog.
A hacktivist group with links to Iran’s intelligence agencies is claiming responsibility for a data-wiping attack against Stryker, a global medical technology company based in Michigan. News reports out of Ireland, Stryker’s largest hub outside of the United States, said the company sent home more than 5,000 workers there today. Meanwhile, a voicemail message at Stryker’s main U.S. headquarters says the company is currently experiencing a building emergency.
Based in Kalamazoo, Michigan, Stryker [NYSE:SYK] is a medical and surgical equipment maker that reported $25 billion in global sales last year. In a lengthy statement posted to Telegram, a hacktivist group known as Handala (a.k.a. Handala Hack Team) claimed that Stryker’s offices in 79 countries have been forced to shut down after the group erased data from more than 200,000 systems, servers and mobile devices.
A manifesto posted by the Iran-backed hacktivist group Handala, claiming a mass data-wiping attack against medical technology maker Stryker.
“All the acquired data is now in the hands of the free people of the world, ready to be used for the true advancement of humanity and the exposure of injustice and corruption,” a portion of the Handala statement reads.
The group said the wiper attack was in retaliation for a Feb. 28 missile strike that hit an Iranian school and killed at least 175 people, most of them children. The New York Times reports today that an ongoing military investigation has determined the United States is responsible for the deadly Tomahawk missile strike.
Handala was one of several hacker groups recently profiled by Palo Alto Networks, which links it to Iran’s Ministry of Intelligence and Security (MOIS). Palo Alto says Handala surfaced in late 2023 and is assessed as one of several online personas maintained by Void Manticore, a MOIS-affiliated actor.
Stryker’s website says the company has 56,000 employees in 61 countries. A phone call placed Wednesday morning to the media line at Stryker’s Michigan headquarters sent this author to a voicemail message that stated, “We are currently experiencing a building emergency. Please try your call again later.”
A report Wednesday morning from the Irish Examiner said Stryker staff are now communicating via WhatsApp for any updates on when they can return to work. The story quoted an unnamed employee saying anything connected to the network is down, and that “anyone with Microsoft Outlook on their personal phones had their devices wiped.”
“Multiple sources have said that systems in the Cork headquarters have been ‘shut down’ and that Stryker devices held by employees have been wiped out,” the Examiner reported. “The login pages coming up on these devices have been defaced with the Handala logo.”
Wiper attacks usually involve malicious software designed to overwrite any existing data on infected devices. But a trusted source with knowledge of the attack who spoke on condition of anonymity told KrebsOnSecurity the perpetrators in this case appear to have used a Microsoft service called Microsoft Intune to issue a ‘remote wipe’ command against all connected devices.
Intune is a cloud-based solution built for IT teams to enforce security and data compliance policies, and it provides a single, web-based administrative console to monitor and control devices regardless of location. The Intune connection is supported by this Reddit discussion on the Stryker outage, where several users who claimed to be Stryker employees said they were told to uninstall Intune urgently.
Palo Alto says Handala’s hack-and-leak activity is primarily focused on Israel, with occasional targeting outside that scope when it serves a specific agenda. The security firm said Handala also has taken credit for recent attacks against fuel systems in Jordan and an Israeli energy exploration company.
“Recent observed activities are opportunistic and ‘quick and dirty,’ with a noticeable focus on supply-chain footholds (e.g., IT/service providers) to reach downstream victims, followed by ‘proof’ posts to amplify credibility and intimidate targets,” Palo Alto researchers wrote.
The Handala manifesto posted to Telegram referred to Stryker as a “Zionist-rooted corporation,” which may be a reference to the company’s 2019 acquisition of the Israeli company OrthoSpace.
Stryker is a major supplier of medical devices, and the ongoing attack is already affecting healthcare providers. One healthcare professional at a major university medical system in the United States told KrebsOnSecurity they are currently unable to order surgical supplies that they normally source through Stryker.
“This is a real-world supply chain attack,” the expert said, who asked to remain anonymous because they were not authorized to speak to the press. “Pretty much every hospital in the U.S. that performs surgeries uses their supplies.”
John Riggi, national advisor for the American Hospital Association (AHA), said the AHA is not aware of any supply-chain disruptions as of yet.
“We are aware of reports of the cyber attack against Stryker and are actively exchanging information with the hospital field and the federal government to understand the nature of the threat and assess any impact to hospital operations,” Riggi said in an email. “As of this time, we are not aware of any direct impacts or disruptions to U.S. hospitals as a result of this attack. That may change as hospitals evaluate services, technology and supply chain related to Stryker and if the duration of the attack extends.”
According to a March 11 memo from the state of Maryland’s Institute for Emergency Medical Services Systems, Stryker indicated that some of their computer systems have been impacted by a “global network disruption.” The memo indicates that in response to the attack, a number of hospitals have opted to disconnect from Stryker’s various online services, including LifeNet, which allows paramedics to transmit EKGs to emergency physicians so that heart attack patients can expedite their treatment when they arrive at the hospital.
“As a precaution, some hospitals have temporarily suspended their connection to Stryker systems, including LIFENET, while others have maintained the connection,” wrote Timothy Chizmar, the state’s EMS medical director. “The Maryland Medical Protocols for EMS requires ECG transmission for patients with acute coronary syndrome (or STEMI). However, if you are unable to transmit a 12 Lead ECG to a receiving hospital, you should initiate radio consultation and describe the findings on the ECG.”
This is a developing story. Updates will be noted with a timestamp.
Update, 2:54 p.m. ET: Added comment from Riggi and perspectives on this attack’s potential to turn into a supply-chain problem for the healthcare system.
Update, Mar. 12, 7:59 a.m. ET: Added information about the outage affecting Stryker’s online services.
Tax season is a headache for many people, and when a shortcut promises to make filing easier, it’s hard to resist. This year, one of the newest trends is using AI chatbots like ChatGPT to help prepare tax returns.
According to new McAfee research, 30% of people say they plan to use an AI tool, such as ChatGPT, to help with their taxes, with younger adults leading the trend.
At first glance, it makes sense. AI tools can explain confusing tax rules, summarize IRS forms, and answer questions instantly.
But there’s an important line that should never be crossed: Do not enter your personal tax information into AI chatbots.
That includes Social Security numbers, income records, home addresses, bank details, or anything else tied to your identity.
Here’s why:
Think about it this way: when you type something into an AI chatbot, you’re sending that information over the internet to a system that processes and stores data.
In practical terms, entering sensitive information into an AI tool is similar to typing it directly into a search engine or submitting it to an online form.
Once it leaves your device, you lose direct control over where it travels and how it may be stored.
Even companies with strong security protections are transparent about this risk.
OpenAI’s privacy documentation explains that they use encryption and strict access controls to protect user data. However, they also note that no internet transmission or digital storage system can be guaranteed completely secure.
This is true across the internet, not just for AI tools.
Security incidents can happen anywhere online, including companies with robust security programs.
For example, in late 2025, OpenAI disclosed a security incident involving a third-party analytics provider called Mixpanel. The breach occurred within the vendor’s systems, not OpenAI’s infrastructure, but some limited user profile data associated with the platform was exposed.
According to OpenAI’s disclosure, the data involved information such as:
Importantly, chat content, passwords, payment information, and government IDs were not exposed in that incident.
But the event highlights a broader cybersecurity reality:
Even when a company takes strong security precautions, third-party services, vendors, and other parts of the digital ecosystem can still introduce risk.
That’s why cybersecurity experts recommend limiting what personal information you share online whenever possible.
Tax information is one of the most valuable targets for cybercriminals.
If scammers obtain the details commonly found in tax filings, they may be able to:
Tax returns typically include multiple pieces of highly sensitive data, including:
Instead of relying on AI chatbots for filing, stick with trusted tax preparation options designed to securely handle sensitive data:
These systems are specifically built with compliance, encryption, and identity verification in mind.
AI tools can be incredibly useful for learning and research. But they are not secure tax filing platforms.
If you wouldn’t feel comfortable posting your Social Security number publicly online, you shouldn’t paste it into a chatbot either. When it comes to taxes, the safest rule is simple: Use AI for advice, not for your personal data.
The post Using an AI like ChatGPT to File Your Taxes? Stop and Read This First appeared first on McAfee Blog.
We’re back with another roundup of must-know scams and cybersecurity news making headlines this week, including a scam that features the name of the Jim Carrey movie, The Truman Show.
Let’s break it down.
So, why the name of this scam?
In the 1998 film The Truman Show, the main character unknowingly lives inside a staged reality TV world where everything around him is carefully controlled. In the “Truman Show” scam, criminals try to place victims into a similarly staged investment environment, complete with fake group chats, fake investors, and fake profits designed to build trust. It doesn’t actually have anything to do with the movie.
The “Truman Show” scam is an AI-powered investment scam where criminals create an entire fake online community to convince victims an investment opportunity is real.
According to reports, scammers invite people into group chats on platforms like Telegram or WhatsApp that appear full of investors sharing tips and celebrating profits. In reality, many of the participants, moderators, and conversations may be run by AI bots designed to simulate a lively trading community.
Security researchers say the moderator and the other “investors” in the group may actually be AI-driven bots, programmed to simulate real conversations and enthusiasm around the investment strategy.
The scam often includes:
The app itself may appear legitimate. But in reality, it often redirects users to a malicious website where scammers collect personal and financial information.
Once victims deposit money, the criminals can quickly drain accounts or block withdrawals.
McAfee’s State of the Scamiverse research shows just how convincing scams have become. One in three Americans (33%) say they feel less confident spotting scams than they did a year ago, as criminals increasingly use polished branding, realistic conversations, and AI-generated content to make fraudulent opportunities look legitimate.
Why this works: people naturally trust social proof. When it looks like dozens of other investors are making money, people lower their skepticism.
Another scam to be aware of this week includes spoofed letters impersonating local government offices.
According to reporting from WGME in Maine, residents in multiple towns recently received official-looking notices requesting payment for supposed municipal fees tied to development applications.
The letters appeared convincing. They used formal language, official seals, and department names. But there was a problem.
One of the notices claimed it came from a “Board of Commissioners,” even though the town in question does not have one.
Officials say the letters instructed recipients to send payments by wire transfer, a method legitimate government offices almost never use for these kinds of transactions.
McAfee’s experts say these scams are effective because they rely on volume. Fraudsters send thousands of letters hoping a small percentage of recipients will respond before verifying the request. And remember, these types of scams occur all the time and across the globe. While today’s reports are in Maine, it’s important to be vigilant wherever you live.
Red flags to watch for:
The safest move is simple: verify the request independently. Contact the government office directly using phone numbers listed on its official website, not the ones in the letter.
Meanwhile, a well-known data analytics company is dealing with a breach after hackers published stolen files online.
According to BleepingComputer, LexisNexis Legal & Professional confirmed that attackers accessed some of its servers and obtained limited customer and business information. The confirmation came after a hacking group leaked roughly 2GB of stolen data on underground forums.
LexisNexis says the compromised systems contained mostly older or “legacy” data from before 2020, including:
The company says highly sensitive financial information, Social Security numbers, and active passwords were not part of the exposed data.
However, attackers claim they accessed millions of database records and hundreds of thousands of cloud user profiles tied to the company’s systems.
LexisNexis says it has contained the intrusion and is working with cybersecurity experts and law enforcement.
Why breaches like this matter: even when the stolen data appears limited, it can still be used in targeted phishing attacks.
For example, scammers might use real names, email addresses, or business roles to send convincing messages that appear legitimate.
Breaches often trigger waves of follow-up scams weeks or months later. (We know we cover this one a lot, but it’s key to remember!)
A few simple habits can make these schemes much easier to spot.
We’ll be back next week with another roundup of the scams and cybersecurity news making headlines and what they mean for your digital safety.
The post This Week in Scams: The AI “Truman Show” Scam Draining Bank Accounts appeared first on McAfee Blog.
John C. isn’t the person you picture getting scammed.
He’s 36. He’s tech-savvy. He’s a mechanical engineer leading a team at a national energy lab in Denver. And he told us his story for one reason: “Scammers will target anyone.”
It began with a phone call from someone claiming to be the IRS. They said John had underpaid his taxes and needed to resolve it quickly. The caller sounded polished and convincing, so convincing that John didn’t stop to question it.
“I thought maybe they sent back too much money [in my refund], and they needed it back,” he said. “I was just so busy and overwhelmed that I never really stopped to think about the situation.”
A follow-up email arrived with IRS logos, clean formatting, and a big payment button. John was trying to move fast between classes as he finished up his PhD, and he wanted to correct the situation as quickly as possible.
“I was like, let me just hurry up and do this, get it over with.”
He clicked. He paid. But later, when he checked his statement, he saw the charge didn’t look like an IRS payment at all. In fact, it was an international charge. The whole thing was a scam.
John said the scammer on the phone had appealed to his emotions and been incredibly convincing.
“It was absolutely masterful,” John said. “I would give him an Oscar for it.
And new McAfee research shows John isn’t alone, with nearly 1 in 4 (23%) US adults surveyed revealing they’ve lost money to a tax scam.

Here’s what our January 2026 survey of 3,008 U.S. adults found:
In addition to our consumer survey findings, McAfee Labs analyzed malicious URLs, apps, texts, and emails in the months leading up to filing season.
The major takeaway: tax scams don’t wait for April.
Scam activity began climbing as early as November and has again continued building steadily into 2026.
Between September 1, 2025, and February 19, 2026, McAfee Labs identified 1,468 malicious or suspicious tax-themed unique domains, an average of 43 new fake tax websites every day.
In early November 2025 alone, the average number of new tax-themed malicious domains nearly doubled in just over a week. After a brief dip in late December, activity resumed climbing into February, a pattern we expect to intensify as the April filing deadline approaches.

Scammers are rapidly creating lookalike IRS domains that mimic official government URLs.
They use small changes, extra letters, added words, subtle misspellings, to trick taxpayers into believing they’re on a legitimate IRS site.
Examples include domains that insert additional text around “irs.gov” or add misleading subdomains designed to pass a quick glance.
These fake portals are used to:
In some cases, these sites don’t just steal, they overcharge.
McAfee Labs observed scam services offering to file for an EIN (Employer Identification Number), something the IRS provides for free, and charging as much as $319 for it.
![]()
Example of a scam website we found charging for an EIN.
The official IRS website explicitly warns: you never have to pay a fee to obtain an EIN.
Other scam sites misuse legitimate policy terms, like the “Fresh Start Initiative,” to harvest personal data and enroll victims in aggressive robocall and marketing campaigns.
Tax scams don’t always steal outright. Sometimes they monetize confusion.

Most tax scams aren’t one single message. They’re a sequence, designed to make you panic, click, and comply.
Below is the common playbook, plus the red flags that show up repeatedly.
*Note: Scammers may swap the details like AI voice, fake IRS videos, cloned websites, or impersonating tax software, but the pattern stays familiar.
| Step | What happens | Red flags you’ll see at this step | Red flags that are true every time | What to do instead |
| 1) The hook | You get a call, text, or email claiming there’s a tax issue (refund problem, underpayment, verification needed). | Message arrives out of nowhere, often during busy hours; “final notice” language; spoofed caller ID. | Unexpected contact + urgency. | Don’t engage. Pause. Go directly to IRS.gov or your tax provider’s official site (type it in). |
| 2) The authority move | They lean hard on being “the IRS” or “state tax authority,” sometimes with personal details. | They sound polished; may use AI voice cloning; may cite a “case number.” Fake or meaningless case numbers are very common. | They want you to trust the title, not verify the source. | Ask for written notice and time. Real tax issues can be verified through official channels. |
| 3) The link | They send a link to a “secure portal” or “refund page.” | Lookalike website, subtle misspellings, weird domain, shortened link, email button that says “Pay Now.” | They’re trying to pull you off official channels. | Never click the link. Navigate to the real site yourself. If unsure, delete it. |
| 4) The data grab | The site (or “agent”) asks for SSN, banking info, login credentials, or details from a prior return. | Requests that are broader than needed; “verify identity” prompts; form fields that feel too invasive. | They want sensitive info fast. | Stop. Don’t type anything. If you already did, assume it’s compromised and act quickly (see next section). |
| 5) The payment push | They demand payment to “avoid penalties,” “release your refund,” or “resolve a mistake.” | Gift cards, crypto, wire transfers, payment apps; pressure to pay today; threats. | Urgency + unusual payment method. | The IRS does not demand immediate payment via text/social, and doesn’t require gift cards or crypto. Verify independently. |
| 6) The escalation | If you hesitate, they intensify: threats, “law enforcement,” or AI video/audio that “proves” it’s real. | Deepfake IRS video, intimidating language, “you’ll be arrested,” “your license will be revoked.” | Fear is the product. | Hang up. Save evidence. Talk to a trusted person. Contact official support through verified numbers. |
| 7) The aftermath | You realize it was a scam—often after noticing a strange charge or login activity. | Charges from odd merchants; new accounts; IRS account alerts; failed tax filing due to “duplicate return.” | Shame keeps people quiet—scammers count on that. | Report it and protect your identity right away. You’re not alone, and it’s not your fault. |
Key point: A message can look “official” and still be fake. AI is making scam language smoother and scams more believable. The safest habit is simple: slow down, and verify using official sources you navigate to yourself.
First: take a breath. Scams are designed to trick you, especially when you’re overwhelmed, rushed, or just trying to fix a problem quickly.
John said it plainly: “Don’t be embarrassed. It does happen. It’s common… they will target anyone.”
And he’s right. The most important thing is what you do next.
Take screenshots and save:
If a scammer gets into your email, they can reset passwords for everything else.
Do this today:
Important: If you clicked a suspicious link, downloaded a file, or gave someone remote access to your computer, make sure you use a different, trusted device (like your phone or another computer) to change passwords. Why? If a scammer installed malware or has access to your computer, they may be able to see all of your brand-new passwords as you’re making them.
Tip: A password manager like McAfee’s can help you create strong, unique passwords quickly, without having to memorize them all.
Tax scams often turn into identity theft. Watch for:
If you suspect tax-related identity theft:
McAfee’s Identity Monitoring can help restore your sense of security and privacy online.
Reporting helps you and helps stop the next person from getting hit.
Common reporting options include:
Scammers don’t just use what you give them. They also use what they can look up.
Removing your personal details from risky data broker sites can reduce how easily scammers can target you again. Tools like Personal Data Cleanup can help you identify where your information is exposed and guide removal.
Tax season scams often come in waves, especially if scammers think your info is “good.”
Helpful layers include:
Tax season creates the perfect storm: time pressure, sensitive data, and a lot of official-looking communication.
Our research shows most people are worried, and for good reason. Scammers are getting more convincing, and AI is raising the bar on what “real” looks and sounds like.
“Tell your friends, tell your family,” John said. “Everyone I know at some point has heard this story, and it might just prevent someone from losing… thousands of dollars.”
If you remember just three things this season, make them these:
The post Tax Scams Hit Nearly 1 in 4 Adults. Spot the Red Flags appeared first on McAfee Blog.