Reading view

Germany Doxes “UNKN,” Head of RU Ransomware Gangs REvil, GandCrab

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.

Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage.

Daniil Maksimovich SHCHUKIN, a.k.a. UNKN, and Anatoly Sergeevitsch Karvchuk, alleged leaders of the GandCrab and REvil ransomware groups.

Germany’s BKA said Shchukin acted as the head of one of the largest worldwide operating ransomware groups GandCrab and REvil, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities. The government said the digital wallet tied to Shchukin contained more than $317,000 in ill-gotten cryptocurrency.

The GandCrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations. The GandCrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process. The malware’s curators shipped five major revisions to the GandCrab code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.

On May 31, 2019, the GandCrab team announced the group was shutting down after extorting more than $2 billion from victims. “We are a living proof that you can do evil and get off scot-free,” GandCrab’s farewell address famously quipped. “We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”

The REvil ransomware affiliate program materialized around the same as GandCrab’s demise, fronted by a user named UNKNOWN who announced on a Russian cybercrime forum that he’d deposited $1 million in the forum’s escrow to show he meant business. By this time, many cybersecurity experts had concluded REvil was little more than a reorganization of GandCrab.

UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein UNKNOWN described a rags-to-riches tale unencumbered by ethics and morals.

“As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN told Recorded Future. “I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”

As described in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil reinvested significant earnings into improving their success and mirroring practices of legitimate businesses. The authors wrote:

“Just as a real-world manufacturer might hire other companies to handle logistics or web design, ransomware developers increasingly outsourced tasks beyond their purview, focusing instead on improving the quality of their ransomware. The higher quality ransomware—which, in many cases, the Hunting Team could not break—resulted in more and higher pay-outs from victims. The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated.”

“Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted or pivoted from other criminal work to meet developers’ demand for customized support. Partnering with gangs like GandCrab, ‘cryptor’ providers ensured ransomware could not be detected by standard anti-malware scanners. ‘Initial access brokerages’ specialized in stealing credentials and finding vulnerabilities in target networks, selling that access to ransomware operators and affiliates. Bitcoin “tumblers” offered discounts to gangs that used them as a preferred vendor for laundering ransom payments. Some contractors were open to working with any gang, while others entered exclusive partnerships.”

REvil would evolve into a feared “big-game-hunting” machine capable of extracting hefty extortion payments from victims, largely going after organizations with more than $100 million in annual revenues and fat new cyber insurance policies that were known to pay out.

Over the July 4, 2021 weekend in the United States, REvil hacked into and extorted Kaseya, a company that handled IT operations for more than 1,500 businesses, nonprofits and government agencies. The FBI would later announce they’d infiltrated the ransomware group’s servers prior to the Kaseya hack but couldn’t tip their hand at the time. REvil never recovered from that core compromise, or from the FBI’s release of a free decryption key for REvil victims who couldn’t or didn’t pay.

Shchukin is from Krasnodar, Russia and is thought to reside there, the BKA said.

“Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA advised. “Travel behaviour cannot be ruled out.”

There is little that connects Shchukin to UNKNOWN’s various accounts on the Russian crime forums. But a review of the Russian crime forums indexed by the cyber intelligence firm Intel 471 shows there is plenty connecting Shchukin to a hacker identity called “Ger0in” who operated large botnets and sold “installs” — allowing other cybercriminals to rapidly deploy malware of their choice to thousands of PCs in one go. However, Ger0in was only active between 2010 and 2011, well before UNKNOWN’s appearance as the REvil front man.

A review of the mugshots released by the BKA at the image comparison site Pimeyes found a match on this birthday celebration from 2023, which features a young man named Daniel wearing the same fancy watch as in the BKA photos.

Images from Daniil Shchukin’s birthday party celebration in Krasnodar in 2023.

Update, April 6, 12:06 p.m. ET: A reader forwarded this English-dubbed audio recording from a ccc.de (37C3) conference talk in Germany from 2023 that previously outed Shchukin as the REvil leader (Shchuckin is mentioned at around 24:25).

  •  

Meta Pauses Work With Mercor After Data Breach Puts AI Industry Secrets at Risk

Major AI labs are investigating a security incident that impacted Mercor, a leading data vendor. The incident could have exposed key data about how they train AI models.

  •  

Oklahoma Tax Breach and FBI Impersonation Scam: This Week in Scams

Suspects wanted by the FBI

A tax system breach in Oklahoma is putting highly sensitive personal information at risk. And unfortunately, this is exactly the kind of situation scammers love to exploit. 

Hackers reportedly accessed W-2 and 1099 files through Oklahoma’s online tax portal, according to state officials, exposing the kind of information that can open the door to tax fraud, identity theft, and highly targeted phishing attempts. 

Before the follow-up scams start rolling in, this is the kind of moment where layered protection matters. McAfee+ Advanced includes identity monitoring and data cleansup that can help alert you if your personal information starts circulating where it shouldn’t, and Scam Detector can flag suspicious messages if scammers try to use this breach as a hook. 

What Happened in Oklahoma 

According to a statement by the Oklahoma Tax Commission and reported by KOCO News 5, a local ABC affiliate, suspicious activity inside the state’s Oklahoma Taxpayer Access Point system was identified in December 2025. The agency says impacted individuals have been notified directly by mail, and complimentary credit monitoring and fraud assistance are being offered. 

When W-2s, 1099s, Social Security numbers, and tax-related records are exposed, scammers can use that information to: 

  • File fraudulent tax returns  
  • Try to open new accounts  
  • Build phishing emails or texts that feel unusually real  

Either way, the goal is the same: use real information to make the next scam more believable. 

Red Flags of a Scam After a Breach Like This 

The breach itself is real. But what often follows is a second wave of scams pretending to help. 

Watch For: 

  • Emails or texts about your “tax account” that create urgency  
  • Messages asking you to verify personal information  
  • Fake alerts about refunds, filings, or suspicious activity  
  • Links telling you to log in and “secure” your account  

That’s where people can get hit twice: once by the breach, and again by the scam that follows it. 

What To Do If You’re Impacted 

First, don’t panic. Then: 

  • Take advantage of any free credit monitoring or fraud assistance being offered  
  • Monitor your bank accounts, tax records, and credit reports closely  
  • Consider placing a fraud alert or credit freeze if needed  
  • Be extra careful with any message referencing taxes, refunds, or account access 
  • Go directly to official sites instead of clicking links in emails or texts  

And that, my friends, is scam number one in this week’s This Week in Scams. 

Let’s get into what else is on our radar. 

The FBI Impersonation Scam Showing Up Across the U.S. 

Scammers pretending to be federal agents are making the rounds across the country, and this one is built to make people panic fast. 

Field offices, including Chicago and Houston, are warning the public about fraudsters posing as FBI agents in calls, texts, and emails. In some cases, the scammers claim you’re connected to an investigation. In others, they say you’re a victim of fraud and need to act immediately to protect yourself. 

Sometimes they do not stop there. They may also pretend to be bank employees working alongside the FBI, all to make the story feel more convincing and get access to your money or personal information. 

Suspects wanted by the FBI
The FBI has shared images of these suspects pretending to be agents. If you are contacted by these officials, report it to the FBI.

Why This Scam Works

This scam plays on the same pressure tactics we’ve seen over and over again: authority, urgency, and confusion. 

If someone claims to be a federal agent, many people freeze up and assume they need to cooperate immediately. That’s exactly what scammers are counting on. 

The FBI has been clear about this: federal law enforcement will not ask you for money or sensitive personal information over the phone, by text, or by email. 

The Red Flags in This Message

  • Unsolicited outreach from someone claiming to be federal law enforcement  
  • Pressure to act immediately  
  • Requests for money, gift cards, prepaid cards, or personal information  
  • Instructions to keep the conversation secret  
  • Stories involving a bank “working with” the FBI  

If it feels dramatic, high-pressure, and just a little off, trust that instinct. 

What To Do if You Get One Of These Messages

  • Do not respond  
  • Do not send money or share personal information  
  • Contact the agency directly using publicly listed contact information  
  • Save the message for your records  
  • Report it to the FBI: 1-800-CALL-FBI (225-5324), or online at tips.fbi.gov.

This is also exactly the kind of message McAfee’s Scam Detector is built to flag before you get pulled in. 

How McAfee Helps You Stay Ahead of Scams and Breaches 

McAfee+ Advanced gives you multiple layers working together so you are not left figuring it out after the damage is done: 

  • Identity Monitoring alerts you if your personal info shows up where it should not, so you can act fast
  • Personal Data Cleanup helps remove your information from data broker sites, making you harder to target in the first place
  • Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage
  • Safe Browsing helps block risky sites if you do click
  • Device Security helps detect malicious apps or downloads
  • Secure VPN keeps your data private, especially on public Wi-Fi  

This kind of layered protection is critical in cases like ghost student scams, where the first sign of fraud often comes after financial damage has already happened. 

Safety tips to carry into next week 

  • Be extra cautious after any real breach makes headlines  
  • Do not trust unsolicited messages just because they reference real institutions  
  • Never send money to someone claiming to be law enforcement  
  • Go directly to official websites instead of clicking links  
  • Use tools that flag suspicious messages in real time so you do not have to guess 

The reality is, scams are getting better at looking official. 

You should not have to be an expert to spot them. That’s why McAfee is here to help. We’re Safer Together.

We’ll be back next week with more scams making headlines. 

The post Oklahoma Tax Breach and FBI Impersonation Scam: This Week in Scams appeared first on McAfee Blog.

  •  

McAfee’s “Keep It Real” Campaign Named Shorty Awards Finalist

We’re proud to share that McAfee’s “Keep It Real” campaign has been named a finalist in the 2026 Shorty Awards Social Good Campaign category. 

This category recognizes work that doesn’t just perform, it matters: campaigns that raise awareness, inspire action, and make a real-world impact. 

That’s exactly what “Keep It Real” set out to do. 

Because behind every scam statistic is a person who thought they were making the right call. And too often, what follows isn’t just financial loss. It’s embarrassment, silence, and stigma. 

We wanted to change that. 

The campaign launched alongside McAfee Scam Detector to address a growing reality: scams powered by AI are becoming harder to recognize and easier to fall for. 

“Keep It Real” paired real survivor stories with AI-driven protection to show how scams actually happen and how people can stop them in the moment. 

The goal was simple: 

  • Normalize the experience  
  • Remove shame around being scammed 
  • Help more people recognize scams faster  

Because when people feel safe talking about scams, they’re more likely to spot them and stop them. 

What Are the Shorty Awards? 

The Shorty Awards honor the best work in social media, digital campaigns, and online storytelling across brands, creators, and organizations. 

Now in their 18th year, the awards recognize campaigns that combine creativity, impact, and real-world relevance. Finalists are selected alongside leading global brands and judged on both industry evaluation and public voting. 

How McAfee’s Scam Detector Fits In 

McAfee’s Scam Detector is designed to help people identify scams across everyday digital moments. 

It uses AI to fight AI by flagging suspicious: 

  • Text messages and emails  
  • QR codes and links  
  • Social media messages  
  • AI-generated and deepfake content  

By combining automatic detection with clear guidance, Scam Detector helps people better understand what they’re seeing and decide what to trust. 

Real Stories Behind the Campaign 

A core part of “Keep It Real” was giving space to people who experienced scams to share what happened, in their own words. 

These stories helped show that scams can happen to anyone and played a key role in breaking the stigma around being targeted. 

 

This recognition reflects the work across McAfee teams who built and brought this campaign to life, including product, engineering, research, creative, and communications. 

It also reflects the individuals who chose to share their real scam stories to help others recognize scams, stay safer, and end the shame and stigma around being scammed. 

Support the Campaign 

The Shorty Awards include a public voting component. 

If you’d like to support the campaign, you can vote here:
https://shortyawards.com/18th/keep-it-real-mcafees-ai-scam-media-relations-campaign 

Voting is open through April 8, and you can vote once per day. 

Examples of real messages sent in response to our campaign.

The post McAfee’s “Keep It Real” Campaign Named Shorty Awards Finalist appeared first on McAfee Blog.

  •  

Operation NoVoice: Android Malware Found in 50+ Apps Can Hijack Devices

McAfee’s mobile research team has uncovered a large-scale Android malware campaign we’re tracking as Operation NoVoice.

The campaign was distributed through more than 50 apps previously available on Google Play, disguised as everyday tools like cleaners, games, and photo utilities. Together, the apps were downloaded more than 2.3 million times, though it’s unclear how many devices may have been impacted.

If the attack succeeds, the malware can gain deep control of a device, allowing attackers to inject malicious code into apps as they are opened and access sensitive data.

However, the most serious impact depends on the device. 

On older or unpatched Android devices, the malware can install a highly persistent form of infection that may survive a standard factory reset. Newer Android devices with up-to-date security protections are not vulnerable to the root exploit observed in this campaign, though they may still be exposed to other types of malicious activity from these apps.

In other words, on vulnerable devices, the malware can behave like a kind of digital “zombie,” continuing to operate in the background even after a reset.

Want the full technical breakdown? Dive into the McAfee Labs research here. 

We break down what you need to know below: 

How “Operation NoVoice” Works 

Operation NoVoice is what security experts call a rootkit malware attack. 

rootkit is a type of malware designed to gain deep, privileged control of a device while hiding its presence from the user and the operating system’s normal security tools. 

Breaking the term down: 

  • “Root” refers to the highest level of access on a system (administrator-level control). 
  • “Kit” refers to a collection of tools used by an attacker to maintain that control. 

Put simply, a rootkit allows attackers to operate underneath the normal apps and security protections on a phone, giving them powerful control while staying difficult to detect.

In the case of Operation NoVoice, the attack unfolds in several steps. 

1) A normal-looking app starts the attack

The campaign began with apps that appeared harmless on the Google Play Store. These apps advertised themselves as tools like phone cleaners, puzzle games, or gallery utilities. 

When a user downloaded and opened one of these apps, it appeared to work normally. There are no obvious signs to the user that anything is wrong. 

2) The malware quietly checks the device

Behind the scenes, the app contacts a remote server controlled by the attackers. 

The server collects information about the device, things like its hardware, operating system version, and security patch level. Based on that information, the attackers send back custom exploit code designed for that specific device.

3) The attack gains deep system access

If the exploit succeeds, the malware gains root-level access to the device.

At that point, the attackers can install additional malicious components and modify parts of the Android operating system itself. 

4) Every app on the phone can be affected

Once the rootkit is installed, it modifies a core Android system library that every app relies on. 

This allows attacker-controlled code to run inside any app the user opens. 

That means the attackers could potentially access data from messaging apps, financial apps, or social media apps without the user noticing. 

5) The malware can remain even after a reset

Operation NoVoice also includes persistence mechanisms designed to keep the malware active. 

In some cases, the infection could survive a standard factory reset, because the malicious components modify parts of the system software that resets typically do not replace.

Fully removing the infection may require reinstalling the device’s firmware, something most users cannot easily do themselves.

*To be clear, these apps have been removed from Google Play and are no longer available for download. 

Why The Name “Operation NoVoice” 

The name Operation NoVoice comes from a hidden component inside the malware itself. 

Researchers discovered a resource labeled “novioce” embedded in one of the attack’s later stages. The file contains a silent audio track that plays at zero volume. 

This may seem strange, but it serves a purpose. 

By continuously playing silent audio in the background, the malware can keep a foreground service running without drawing attention. This allows the malicious code to remain active while appearing harmless to the operating system. 

The researchers believe the name “novioce” is likely a misspelling of “no voice,” referring to the silent audio trick used to keep the malware running. 

How To Stay Safe from Malware Disguised as Apps 

Operation NoVoice highlights an important reality: even apps that appear legitimate can sometimes hide malicious behavior. 

Fortunately, there are several steps users can take to reduce their risk. 

Be cautious with unfamiliar apps 

Even if an app appears on the Google Play Store, it’s still important to review: 

  • the developer’s name 
  • the number of downloads 
  • recent user reviews (check for negative reviews) 

Apps with very few reviews, vague descriptions, or suspicious developer accounts can sometimes be part of malware campaigns. And exercise even greater caution with apps promoted through advertisements or that create a a sense of urgency.  

Keep your phone updated 

Many attacks rely on exploiting known vulnerabilities in older versions of Android. 

Installing system updates and security patches helps reduce the chance that these exploits will work.

Remove apps you don’t recognize 

If you notice apps on your device that you don’t remember installing, review them carefully and remove anything suspicious. 

Keeping your phone’s app list clean reduces the potential attack surface. 

Use mobile security protection 

Mobile security software can help detect suspicious behavior and block known malware. 

For example, McAfee Mobile Security detects this threat as Android/NoVoice and can warn users if a malicious app is identified.  

McAfee offers more than traditional antivirus, combining multiple layers of digital protection in one app  

What Operation NoVoice Tells Us About the Future of Mobile Threats 

Operation NoVoice highlights how mobile malware is evolving. Instead of obvious malicious apps, attackers are increasingly hiding their operations inside ordinary-looking tools distributed through legitimate app stores.

What makes this campaign particularly concerning isn’t just the number of downloads or the technical complexity. It’s the way the malware combines several advanced techniques, device-specific exploits, modular plugins, and deep system persistence, into a single attack chain.

That approach allows attackers to quietly turn an everyday app download into long-term control of a device.

That’s why keeping devices updated, reviewing apps carefully, and using mobile security protection are becoming increasingly important. As Operation NoVoice shows, today’s malware isn’t just trying to get onto devices; it’s trying to stay there. 

The post Operation NoVoice: Android Malware Found in 50+ Apps Can Hijack Devices appeared first on McAfee Blog.

  •  

Operation NoVoice: Rootkit Tells No Tales

Authored By: Ahmad Zubair Zahid 

McAfee’s mobile research team identified and investigated an Android rootkit campaign tracked as Operation Novoice. The malware described in this blog relies on vulnerabilities Android made patches available for in 2016 – 2021. All Android devices with a security patch level of 2021-05-01 or higher are not susceptible to the exploits that we were able to obtain from the command-and-control server. However patched devices that downloaded these apps could have been exposed to unknown potential payloads outside of what we discovered. The attack begins with apps that were previously available on Google Play that appear to be simple tools such as cleaners, games, or gallery utilities. When a user downloaded and opened one of these apps, it appeared to behave as advertised, giving no obvious signs of malicious activity.  

In the background, however, the app contacts a remote server, profiles the device, and downloads root exploits tailored to that device’s specific hardware and software. If the exploits succeed, the malware gains full control of the device. From that moment onward, every app that the user opens are injected with attacker‑controlled code.  

This allows the operators to access any app data and exfiltrate it to their servers. One of the targeted apps is WhatsApp. We recovered a payload designed to execute when WhatsApp launches, gather all necessary data to clone the session, and send it to the attacker’s infrastructure.   

On older, unsupported devices (Android 7 and lower) that no longer receive Android security updates as of September 2021, this rootkit is highly persistent; a standard factory reset will not remove it, and only reflashing the device with a clean firmware will fully restore the device.   

In total, we identified more than 50 of these malicious apps on Google Play, with at least 2.3 million downloads.  

McAfee identified the malicious apps, conducted the technical analysis, and reported its findings to Google through responsible disclosure channels. Following McAfee’s report, Google removed the identified apps from Google Play and banned the associated developer accounts. McAfee is a member of the App Defense Alliance, which supports collaboration across the mobile ecosystem to improve user protection. McAfee Mobile Security detects this malware as a High-Risk Threat. For more information, and to get fully protected, visit McAfee Mobile Security 

Background And Key Findings

Android malware has been moving toward modular frameworks that update themselves remotely and adapt to each device. Campaigns like Triada and Keenadu have shown that replacing system libraries gives attackers persistence to survive factory resets. BADBOX has shown that backdoors pre-installed through the supply chain can reach millions of devices. Recent research has confirmed links between several of these families, suggesting shared tooling rather than isolated efforts. 

NoVoice fits both trends but does not rely on supply chain access. It reaches devices through Google Play and achieves the same level of persistence through exploitation. McAfee’s investigation revealed the following key findings: 

  • All carrier apps were distributed through Google Play. No sideloading required, no user interaction beyond opening the app. 
  • C2 infrastructure remains active at the time of publication. 
  • The C2 server profiles each device and delivers root exploits matched to its hardware and software version. 
  • The rootkit overwrites a core system library, causing every app on the device to run attacker code at launch. 
  • The infection survives factory reset and can only be removed by reflashing the firmware. 
  • The chain is fully plugin-based. Operators can push any payload to any app on the device at runtime. 
  • The only task we recovered clones WhatsApp sessions, but the framework is designed to accept any objective.

Naming  

The name comes from R.raw.novioce, a silent audio resource embedded in one of the later-stage payloads. It plays at zero volume to keep a foreground service alive, abusing Android’s media playback exemption. We believe it is a deliberate misspelling of “no voice.” 

Distribution Method 

All carrier apps were distributed through Google Play and request no unusual permissions. Their manifests include the same SDKs any legitimate app would (Firebase, Google Analytics, Facebook SDK, AndroidX). The malicious components are registered under tampered com.facebook.utils, blending in with the real Facebook SDK classes the apps already include.  

An example of one of the apps with hidden malware.
Figure 1One of the carrier apps on Google Play 

The initial payload is embedded in the app’s asset directory as a polyglot image. This means the file displays and renders a normal image, but a deeper inspection reveals that the encrypted malicious payload is appended after the PNG IEND marker. Since that marker signals to image viewers that the image data ends there, the appended payload remains hidden during normal viewing.

Geographical Prevalence 

The geographical prevalence map shows the highest infection rates in Nigeria, Ethiopia, Algeria, India, and Kenya, regions where budget devices and older Android versions that no longer receive security updates are common. 

Figure 2: Affected Users Around the World
Figure 2: Affected users around the world

Malware Analysis

The following breakdown walks through each stage of the chain in order, from the moment a user opens the app to the moment stolen data leaves the device. No single file contains the full chain. Each stage decrypts and loads the next, most are delivered from the server at runtime. 

Figure 3. The NoVoice Rootkit Payloads
Figure 3. The NoVoice rootkit payloads

Stage 1: The Delivery

The moment the app opens, code injected into the legitimate Facebook SDK initialization path runs automatically. No user interaction is needed. It first checks whether the device has already been processed and, in most samples, whether it is running Android 12L or below. A subset of the carrier apps skips the version check entirely. If either check fails, it stops and logs a message disguised as a Facebook SDK error: “FacebookSdk: Failed in initStore.” 

If the device was already processed, the code cleans up files assumed to be left behind by previous runs, including paths that do not belong to any standard Android component. None of these are visible to the user. 

If the checks pass, the app reads a polyglot image from its own assets’ directory, extracts the encrypted payload (enc.apk) hidden after the image data, decrypts it to produce h.apk, and loads it into memory. It then deletes all intermediate files, temporary directories. 

Figure 4: Normal Looking Image with Malicious Payload
Figure 4: Normal looking image with malicious payload
Figure 5: The malicious payload begins after the IEND marker, starting with the magic value CAFEBABE.
Figure 5: The malicious payload begins after the IEND marker, starting with the magic value CAFEBABE

Stage 2: The Gatekeeper 

The decrypted payload (h.apk) loads a native library (libkwc.so) that controls the rest of this stage. It first verifies it is running inside the intended carrier app by checking the package name and signing certificate against hardcoded values. It also checks whether the app is running in a debug environment. 

libkwc.so contains two encrypted embedded payloads. The first (sec.jar) is a gate designed to detect analysis environments. It runs 15 checks, including emulator detection, root indicators, debuggers, VPN and proxy connections, Xposed hooks, and GPS geofencing. If any check fails, the chain stops silently. The geofence compares the device’s location against bounding boxes for Beijing and Shenzhen hardcoded in the native library and excludes devices confirmed to be inside them. If the app does not have location permission, it cannot determine the device’s position and defaults to letting the chain continue. Two brands get special treatment: on Gionee devices, all checks except the geofence are skipped; on Meizu devices, the chain follows a separate code path entirely. Gionee devices have a documented history of shipping with pre-installed malware through supply chain compromise. 

Only if all checks in sec.jar pass does libkwc.so decrypt and load the second payload (hex.jar), which begins contacting the C2 server. If the gate fails, it deletes the working directory and stops. 

Figure 6: 15 validation checks before proceeding to the next stage
Figure 6: 15 validation checks before proceeding to the next stage

Stage 3: The Plugin 

Once the gate passes, hex.jar sets up a plugin framework built on an internal codebase the authors refer to as “kuwo” in their package names. It checks in with a C2 server every 60 seconds. Updates are delivered the same way as the initial payload: as image files with encrypted data hidden after the image content. The server returns download URLs in a response field named warningIcon, disguising plugin downloads as icon fetches. A log-deletion routine runs alongside the framework to remove forensic traces from the device. 

The first plugin delivered (rt) acts as an orchestrator. It manages sub-plugins and handles C2 communication. It checks in with the server, sending over 30 device identifiers including hardware model, kernel version, installed packages, and whether the device has already been rooted. The campaign’s name comes from this plugin: it embeds a silent audio resource named R.raw. novioce. 

The checkin tells the server two things: who this device is and whether it has already been rooted. If it has not, rt_plugin downloads security.jar, moving the chain into root exploitation. 

Figure 7: MediaPlayer initialized to load the embedded no voice audio
Figure 7: MediaPlayer initialized to load the embedded NoVoice audio

Stage 4: The Exploit 

security.jar first checks whether the device is already rooted. If it has been, it stops. For unrooted devices, it sends the device’s chipset, kernel version, security patch date, and other identifiers to the C2. The server responds with a list of exploit binaries matched to that specific device. 

Before running any exploit, the rootkit installer (CsKaitno.d) is decrypted from an embedded resource and written to disk. The rootkit is already in place before any exploit runs. 

The exploits are downloaded one at a time from the C2’s CDN, each encrypted and verified before execution. We recovered 22 exploits in total. Our deep analysis of one revealed a three-stage kernel attack: an IPv6 use-after-free for kernel read, a Mali GPU driver vulnerability for kernel read/write, and finally credential patching and SELinux disablement. 

The expected end result is the same across all exploits: a root shell with SELinux disabled. From that shell, the exploit loads CsKaitno.d. This is where exploitation ends and persistence begins. 

Figure 8: SELinux enforcement disabled as part of the exploit chain.
Figure 8: SELinux enforcement disabled as part of the exploit chain

Stage 5: The Rootkit 

CsKaitno.d carries four encrypted payloads: library hooks for ARM32 and ARM64 (asbymol and bdlomsd), a bytecode patcher (jkpatch), and a persistence daemon (watch_dog). It first removes files associated with possible competing rootkits, then decrypts and writes its own payloads to disk. 

The installer backs up the original libandroid_runtime.so and replaces it with a hook binary matched to the device’s architecture. It also replaces libmedia_jni.so. The replacements are not copies of the original libraries. They are wrappers that intercept the system’s own functions. When any hooked function runs, it redirects to attacker code. 

Figure 9: Rootkit copying and preparing modified system libraries before remounting the filesystem as writable.
Figure 9: Rootkit copying and preparing modified system libraries before remounting the filesystem as writable

After replacing the libraries, jkpatch modifies pre-compiled framework bytecode on disk. This is a second layer of persistence: even if someone restores the original library, the framework’s own compiled code still contains the injected redirections

Stage 6: The Watchdog 

To survive reboots, the installer replaces the system crash handler with a rootkit launcher, installs recovery scripts, and stores a fallback copy of the exploitation stage on the system partition. If any component is removed, the rootkit can reinstall itself. 

It then deploys a watchdog daemon (watch_dog) that checks the installation every 60 seconds. If anything is missing, it reinstalls it. If that fails repeatedly, it forces a reboot, bringing the device back up with the rootkit intact. 

After cleaning up all staging files, the installer marks the device as compromised. On the next boot, the system’s process launcher (zygote) loads the replaced library, and every app it starts inherits the attacker’s code. 

Figure 10: Watchdog payload decrypted, written to disk, permissioned, and launched with a 60‑second restart interval.
Figure 10: Watchdog payload decrypted, written to disk, permissioned, and launched with a 60‑second restart interval

Stage 7: The Injection 

On the next boot, every app on the device loads the replaced system library. The injected code decides what to do based on which app it is running inside. Two payloads activate depending on the app. The malware authors named them BufferA and BufferB in their own code. Both are embedded as fragments inside the replaced libandroid_runtime.so from Stage 5, assembled in memory at runtime, and deleted from disk immediately after loading, leaving no files behind. BufferA runs inside the system’s package installer and can silently install or uninstall apps. BufferB runs inside any app with internet access. 

BufferB is the campaign’s primary post-exploitation tool. It operates two independent C2 channels with separate encryption keys and beacon intervals. Both channels send device fingerprints to the C2 and receive task instructions in return. 

If all primary domains fail and three or more days pass without contact, a fallback routine activates between 1 and 4 AM, reaching out to api[.]googlserves[.]com for a fresh domain list. Because BufferB runs inside any app with internet access, it can be active in dozens of apps simultaneously on a single device. 

Figure 11: Injection logic selecting BufferA for the package installer and BufferB for all other apps.
Figure 11: Injection logic selecting BufferA for the package installer and BufferB for all other apps

Stage 8: The Theft 

The only task payload we recovered is PtfLibc, delivered to BufferB from Alibaba Cloud OSS. Its target is WhatsApp. 

PtfLibc copies WhatsApp’s encryption database, extracts the device’s Signal protocol identity keys and registration ID, and pulls the most recent signed prekey. It also reads 12 keys from WhatsApp’s local storage, including the phone number, push name, country code, and Google Drive backup account. For the client keypair, it tries multiple decryption methods depending on how the device stores the key. 

It sends the stolen data to api[.]googlserves[.]com through multiple layers of encryption and deletes the temporary database copy when done. 

With these keys and session data, an attacker can clone the victim’s WhatsApp session onto another device. 

Figure 12: Code accessing and copying WhatsApp’s encrypted Signal protocol databases for exfiltration.
Figure 12: Code accessing and copying WhatsApp’s encrypted Signal protocol databases for exfiltration

Infrastructure 

The campaign spreads its C2 communication across multiple domains, each serving a different function. 

fcm[.]androidlogs[.]com handles initial device enrollment. Once the plugin framework activates, stat[.]upload-logs[.]com takes over as the primary C2 for plugin delivery, device checkin, exploit distribution, and result reporting. config[.]updatesdk[.]com serves as its fallback. Exploit binaries are hosted separately on download[.]androidlogs[.]com, with an S3-accelerated endpoint (logserves[.]s3-accelerate[.]amazonaws[.]com) as the primary CDN. This endpoint returned 403 errors during our analysis. 

Task payloads for BufferB are hosted on Alibaba Cloud OSS (prod-log-oss-01[.]oss-ap-southeast-1[.]aliyuncs[.]com). PtfLibc beacons to api[.]googlserves[.]com, a domain designed to look like Google service traffic at a glance. 

The domain separation is deliberate. Taking down one domain does not affect the others. The C2 can update BufferB’s domain lists at runtime, and a fallback routine fetches fresh domains from hardcoded backup endpoints if all configured domains go silent for three or more days. 

Recommendations 

Because the rootkit writes to the system partition, a factory reset does not remove it. A reset wipes user data but leaves system files intact. Compromised devices require a full firmware reflash to return to a clean state. Blocking the C2 domains and beacon patterns listed in this report at the network level can disrupt the chain at multiple stages. 

Attribution  

Several indicators link NoVoice to the Android.Triada family. The property (os.config.ppgl.status) NoVoice sets to mark a device as compromised is a known indicator of compromise for Android.Triada.231, a variant that uses the same property to track installation state. Both NoVoice and Triada.231 persist by replacing libandroid_runtime.so and hooking system functions so that every app runs attacker code at launch. Whether NoVoice is a direct evolution of Triada.231, a fork of its codebase, or a separate group reusing proven techniques, the shared approach suggests access to a common toolchain. 

Conclusion 

What makes NoVoice dangerous is not any single technique. It is the engineering effort behind the full chain: a self-healing pipeline that goes from a Play Store install to code execution inside every app on the device, survives factory reset, and monitors its own installation. The operators built a delivery system, an infrastructure. 

We recovered one task. The framework is designed to accept any number of them, for any app, at any time. The C2 infrastructure remains active. We do not know what other objectives have been deployed before, during, or after our analysis. The WhatsApp session theft we observed may be the least of it. 

The rootkit’s persistence model, overwriting a system library inherited by every process, patching pre-compiled framework bytecode, and monitoring its own installation with a watchdog, makes remediation difficult. 

This research underscores McAfee’s ongoing role in identifying advanced mobile threats and working with platform partners to protect users before largescale harm occurs. 

References 

https://www.kaspersky.com/blog/triada-trojan/11481/ 

https://www.kaspersky.com/about/press-releases/kaspersky-discovers-keenadu-a-multifaceted-android-malware-that-can-come-preinstalled-on-new-devices 

https://www.humansecurity.com/learn/blog/badbox-peachpit-and-the-fraudulent-device-in-your-delivery-box/ 

Indicators of Compromise 

Command and Control Servers 

api.googlserves[.]com 

api.uplogconfig[.]com 

avatar.ttaeae[.]com 

awslog.oss-accelerate.aliyuncs[.]com 

check.updateconfig[.]com 

config.googleslb[.]com 

config.updatesdk[.]com 

dnskn.googlesapi[.]com 

download.androidlogs[.]com 

fcm.androidlogs[.]com 

log.logupload[.]com 

logserves.s3-accelerate.amazonaws[.]com 

prod-log-oss-01.oss-ap-southeast-1.aliyuncs[.]com 

sao.ttbebe[.]com 

stat.upload-logs[.]com 

upload.crash-report[.]com 

nzxsxn.98kk89[.]com 

98kk89[.]com 

Carrier App Samples 

03e62ac5080496c67676c0ef5f0bc50fc42fc31cf953538eda7d6ec6951979d8,com.filnishww.fluttbuber.storagecleaner, 

066a096a3716e02a6a40f0d7e6c1063baecbebc9cbcc91e7f55b2f82c0dad413,com.wififinder.wificonnect, 

0751decd391fa76d02329b0726c308206e58fc867f50283aa688d9fe0c70e835,com.wuniversal.lassistant, 

07a9d41c1c775def78a017cf1f6e65266382e76de0f05400b3296e2230979664,com.dynamicpuzzle.cvbfhf, 

0f28c49b24070a36dec09dd9d4b768e1ef6583b4891eca2e935a304ce704fcce,com.wgoddessg.sgallery, 

106edd06b6961c3d38edfefd2869ee05285f11b68befe145b124794d0e79e766,com.crazycodes.blendphoto, 

183e9174e51786be77d1341bcf7f05514f581823532028119c5844a8a5111848,com.colorbrickelim.inationl, 

1e0376330ff9e97f798870da8433c81e39f3591c82497ca1f6b5f00878d0221a,com.crazycodes.photomotion, 

1e7fe0ae7546162f23ff4f6e570f51b38562bf4f0ffd9305533b43d19574be38,com.swiftc.tcleans, 

1e8b048c8d32662f340787893d9ca824b039c14fb91bcc16e185a8bb872e0b80,com.mybatice.googcomlayou.phonecleaner, 

224e2395d3df96cf19e0b7be9731452da5b568026d81bd0981e48893f6a66859,com.glamorousg.sgoddesslys, 

2c2c965f3d091693bc6906fc2ed8d03ffccb84e0665841f2d073c2f0a09261bc,com.myapps.gooble.mobile1.maxclean, 

30504104f232a990f8226ff746b1718aafb727ce111d5a538962cc5e06c4259a,com.mybatice.smartersleep.junkfiles, 

3937b0bec287662fd82fca4693c8b3619b8c61eca7fe6efa7540c1ae291f8759,com.crazycodes.beautycam, 

4830a985f064974e6b5d19ae95d645d01fb57edd975a4fce5a1453c2ada70d4e,com.khanbro.gamestation, 

4f7825647bab001298f768302d0eeb6e0d639d401dc8b5bf60a4b9841a93c980,com.wBoothCash_18748294, 

4fbf1906fe02745cbf0350563440e9a05d19cd4a27c4fb6b67436392a18a0cd4,com.steppay.yrewards, 

54224288aa9fa3d4281fb91ad7b202fbc3e5708b173e319b6b450ad15bcdab43,com.scleanm.nmastery, 

594521e642fee75d474d8d0be839ebe9341f30196b19555882499145bf00746b,com.qwalkingr.grewards, 

721d92d30fbb90fe643507055baa4cce937c8659f1520be1bbce7f9669af6f84,com.modes2048.gamepro, 

7d90ee0be5eb63fbaa6839efdd6217b482576b1bab553731cac0b55f2fa1e6fa,com.jkesogeop.classicsudo, 

7f00991e63154a79ea220b713fcfb2ef8b8db923a75366a61e9bc30d9c355274,com.glamorousg.sgoddesslys, 

8cd77df7cf2242105b12297071ad1d11e91264f9de311d1b082666da19134476,com.wtoolboxp.xpro, 

974a5d005d3cfe4c63bd7a46ca72c6716c6c6de397d2e3e19b1730def31f7825,com.systmapp.mobile1.cleanmanager, 

98819230a6c3f5092517ada9652e9156e338acc27d29e4647b3cb69cddb668cb,com.crazycodes.airvpn, 

98db4904c3299b8ac383dd177c3cde87af25c088df1988f484427aab3b5c4e0d,com.wlifetoolp.lpro, 

9b9f55c4a68385e4a739c7d11159c9b4ab006660142331e8bdc477b5eba62aad,com.ulifea.eassistants, 

a02694b5de7a8a6ef3024d53e54a54a676f992bfa1e070f07827ab9b5dd1365c,com.priceper.km, 

a1e77c148f190b6bfdd40ce657722e902a31cedecab669dd6f78f38b6b18ddf7,crazycodes.notes.app, 

a430123efe9611f322fbc3c459fc5ec13abbb0def88ba3ec56a05a361a51a9ac,com.gbversion.gbplus.gblatestversion, 

ab6365bf7e6c7fba6867b44a80e8bf653c7b66ff91204ee3e2981b6532fea7ee,com.snowfindthesame.samethesnowswe, 

b4438ac1694e3a08a994750a7ac76399c48d5d3446e90ebebbea1f8694bf3dd5,com.guidely.earningapp, 

b8087e3535d395210b80637be35da6ae8e10450b6fb87de62a284d5d7397cd17,com.shcoob.groobe.timebuke, 

bf47dc1577c8b862c4e849a7ce52e143239f2f7274421befa902baf4bd1c4a19,com.wlifet.etoolbox, 

c332166f720e4d2f6f9b59993559df05281e7d2fbd56f90a7f2399a0ac620295,com.ebitans.tenstarbd, 

c509a98d0823add0c1440a7b043586eb5a8069fbb776ca36252f5b7653c92cb7,com.whabitn.tnotes, 

c517b26dfc8ffd5de7f49966ff3391475f80299ebc6ad9988bf166029cf76c91,com.filnishww.fluttbuber.storagecleaner, 

cf945c433aa80120be10566b9f1ae88e043f96872996f599b75bb57c74248e56,com.mfunt.ttetris, 

d72d96c6f299fe961dd98655e0468e45ed3ac03df0cfa499e27d4c399e304500,com.wififinder.wificonnect, 

db1168f2cb3b25ef65e06eb4e788ddda237a428fbce0725de1e9d70b36e96833,com.whomea.eassistan, 

ddc4da4c63c8bc7df53c3c7fe350b56ad31f313c7d95b472dc45a9fcf85273f0,com.mi2048nig.game, 

df00753933359d7369668eddeb0dc2565f075c78e4b46f3cabd2e8ff31eda42e,com.sportscash.xyz, 

e32c8a869585c107ccd1586b5edebc1d8eaa18017c2dd39b6267eec4db7f7410,com.biopops.mathly, 

e5b8d25ef612f0240ce28fbffd550fd4e0b9abdbf325e3ff85718e8312b70c2b,com.wdailyn.anova, 

e5f3aa5ef6b5b5fa94a921b55f52aa2c1011486b7370f1585deb6d571325ebcb,com.khan.pregnancyexercise, 

ec79443aa53864e4d322b8fa8fd4aad0ef878221f01e7d32512694ba24992aee,com.merge2048joy.joy, 

f654c5f926ebfcded4c0d07590972536280454e2501dc8a525390402fa945ff1,com.kgoddessv.svibe, 

f7c664ea66c43a82801ed7da23369af1e285857c1a4bf200147b716715f09d3f,com.chall2048enge.game, 

fc3b06c36feb38ed62f3034e428e814d6e1ac06ec1569ea22428374b8d15d848,com.jekunotesimple.notesimple, 

fd62c2bfa2277eff8787926f9976aa4a11235a18a9a543ced71a509c6ebf2bf2,com.game.ludoplay, 

The post Operation NoVoice: Rootkit Tells No Tales appeared first on McAfee Blog.

  •  

Got a “Court Notice” Text? Ignore It. Plus, the Crunchyroll Breach: This Week in Scams

A text that looks like it came straight from a courthouse is making the rounds across the U.S. And yes, I got it too. 

First things first, that’s a scam. And to be clear: DON’T SCAN THAT QR CODE. 

It’s the same playbook as last year’s toll road scams, just dressed up with a little more authority and a lot more pressure. 

Before doing anything, our team ran it through McAfee’s Scam Detector. It immediately flagged the message as suspicious, and that’s exactly the kind of moment this tool is built for. When something feels just real enough to second guess, it gives you a clear signal before you click, scan, or spiral. 

This shows how Scam Detector immediately flagged the text message and court image as suspicious.  
A screenshot showing Scam Detector in action.

How the scam works 

The text claims you’ve missed a payment, violated a law, or have some kind of outstanding “case.” It then pushes you to scan a QR code or click a link to resolve it quickly. 

From there, one of two things usually happens: 

  1. You’re taken to a fake payment page designed to steal your money, or 
  2. You’re prompted to download something that gives scammers access to your device or data  

Either way, the goal is the same: get you to act fast before you have time to question it. 

Here's the fake text our author received
Here’s the scam text I got in California. You’ll notice it looks exactly like the others across the country. 

The red flags in this message 

  • Urgent, threatening language about fines, penalties, or legal action  
  • Vague accusations with no real details about what you supposedly did  
  • Official-looking formatting like case numbers, clerk signatures, and judge names  
  • Copy-paste consistency across states: McAfee employees in New York and California received nearly identical messages with the same names  

There are reports of this scam popping up nationwide, but the rule is simple: law enforcement does not text you to demand payment or resolve legal issues. 

What to do if you scanned the QR code 

First, don’t panic. Then: 

  • Do not pay anything or enter personal information  
  • Do not delete apps you were told to install (this can make it harder to detect what happened)  
  • Run a device scan using a trusted security tool like McAfee’s free antivirus  
  • Keep an eye on your financial accounts and logins for unusual activity  

And that, my friends, is scam number one in this week’s This Week in Scams (new format, we’re experimenting a little).  

Let’s get into what else is on our radar. 

What to Know About an Alleged Crunchyroll Breach 

Anime streaming platform Crunchyroll is investigating claims of a data breach involving customer support ticket data, potentially impacting millions of users. 

According to TechCrunch, access appears to involve a third-party vendor system, a reminder that even strong security setups still rely on people and partners, which can introduce risk in everyday moments. 

Even if you’ve never entered your credit card into a support form, these tickets can still include: 

  • Email addresses  
  • Usernames  
  • Screenshots or account details  
  • Conversations that reveal habits, subscriptions, or personal context  

That’s more than enough for scammers to build highly believable follow-ups. 

Why this matters right now 

When breaches like this surface, scammers don’t wait. They use the moment to send emails and messages that feel timely, relevant, and legitimate. 

For example, scammers might send messages pretending to be Crunchyroll and suggesting you “click this link to secure your account” after the breach. In reality, that “security check” exposes your information.

This is where tools like Scam Detector come back into play, flagging suspicious links and messages even when they reference real companies or real events. 

What to do if you have a Crunchyroll account 

  • Change your password, especially if you’ve reused it elsewhere  
  • Turn on two-factor authentication  
  • Be cautious of emails referencing the breach or asking you to “secure your account”  
  • Avoid clicking links and go directly to the official site instead  

How McAfee Helps You Stay Ahead of Scams and Breaches

McAfee+ Advanced gives you multiple layers working together so you’re not left figuring it out in the moment: 

  • Scam Detector flags suspicious texts, emails, links, and even deepfake videos before you engage  
  • Safe Browsing helps block risky sites if you do click or scan  
  • Device Security helps detect and remove malicious apps or downloads  
  • Identity Monitoring alerts you if your personal info shows up where it shouldn’t, so you can act fast  
  • Personal Data Cleanup helps remove your information from data broker sites, making you a harder target in the first place  
  • Secure VPN keeps your data private, especially on public Wi-Fi  

Plus our instant QR code scam checks will flag suspicious QR codes before you scan them.

QR Scan Example

Safety tips to carry into next week 

  • Slow down when a message creates urgency. That’s the hook  
  • Don’t scan QR codes or click links from unexpected texts  
  • Go directly to official websites instead of using links sent to you  
  • Use tools that flag scams in real time so you don’t have to guess  

The reality is, these scams are designed to look normal. You shouldn’t have to be an expert to spot them. That’s why McAfee’s here to help. 

We’ll be back next week with more scams making headlines. 

The post Got a “Court Notice” Text? Ignore It. Plus, the Crunchyroll Breach: This Week in Scams appeared first on McAfee Blog.

  •  

‘CanisterWorm’ Springs Wiper Attack Targeting Iran

A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran’s time zone or have Farsi set as the default language.

Experts say the wiper campaign against Iran materialized this past weekend and came from a relatively new cybercrime group known as TeamPCP. In December 2025, the group began compromising corporate cloud environments using a self-propagating worm that went after exposed Docker APIs, Kubernetes clusters, Redis servers, and the React2Shell vulnerability. TeamPCP then attempted to move laterally through victim networks, siphoning authentication credentials and extorting victims over Telegram.

A snippet of the malicious CanisterWorm that seeks out and destroys data on systems that match Iran’s timezone or have Farsi as the default language. Image: Aikido.dev.

In a profile of TeamPCP published in January, the security firm Flare said the group weaponizes exposed control planes rather than exploiting endpoints, predominantly targeting cloud infrastructure over end-user devices, with Azure (61%) and AWS (36%) accounting for 97% of compromised servers.

“TeamPCP’s strength does not come from novel exploits or original malware, but from the large-scale automation and integration of well-known attack techniques,” Flare’s Assaf Morag wrote. “The group industrializes existing vulnerabilities, misconfigurations, and recycled tooling into a cloud-native exploitation platform that turns exposed infrastructure into a self-propagating criminal ecosystem.”

On March 19, TeamPCP executed a supply chain attack against the vulnerability scanner Trivy from Aqua Security, injecting credential-stealing malware into official releases on GitHub actions. Aqua Security said it has since removed the harmful files, but the security firm Wiz notes the attackers were able to publish malicious versions that snarfed SSH keys, cloud credentials, Kubernetes tokens and cryptocurrency wallets from users.

Over the weekend, the same technical infrastructure TeamPCP used in the Trivy attack was leveraged to deploy a new malicious payload which executes a wiper attack if the user’s timezone and locale are determined to correspond to Iran, said Charlie Eriksen, a security researcher at Aikido. In a blog post published on Sunday, Eriksen said if the wiper component detects that the victim is in Iran and has access to a Kubernetes cluster, it will destroy data on every node in that cluster.

“If it doesn’t it will just wipe the local machine,” Eriksen told KrebsOnSecurity.

Image: Aikido.dev.

Aikido refers to TeamPCP’s infrastructure as “CanisterWorm” because the group orchestrates their campaigns using an Internet Computer Protocol (ICP) canister — a system of tamperproof, blockchain-based “smart contracts” that combine both code and data. ICP canisters can serve Web content directly to visitors, and their distributed architecture makes them resistant to takedown attempts. These canisters will remain reachable so long as their operators continue to pay virtual currency fees to keep them online.

Eriksen said the people behind TeamPCP are bragging about their exploits in a group on Telegram and claim to have used the worm to steal vast amounts of sensitive data from major companies, including a large multinational pharmaceutical firm.

“When they compromised Aqua a second time, they took a lot of GitHub accounts and started spamming these with junk messages,” Eriksen said. “It was almost like they were just showing off how much access they had. Clearly, they have an entire stash of these credentials, and what we’ve seen so far is probably a small sample of what they have.”

Security experts say the spammed GitHub messages could be a way for TeamPCP to ensure that any code packages tainted with their malware will remain prominent in GitHub searches. In a newsletter published today titled GitHub is Starting to Have a Real Malware Problem, Risky Business reporter Catalin Cimpanu writes that attackers often are seen pushing meaningless commits to their repos or using online services that sell GitHub stars and “likes” to keep malicious packages at the top of the GitHub search page.

This weekend’s outbreak is the second major supply chain attack involving Trivy in as many months. At the end of February, Trivy was hit as part of an automated threat called HackerBot-Claw, which mass exploited misconfigured workflows in GitHub Actions to steal authentication tokens.

Eriksen said it appears TeamPCP used access gained in the first attack on Aqua Security to perpetrate this weekend’s mischief. But he said there is no reliable way to tell whether TeamPCP’s wiper actually succeeded in trashing any data from victim systems, and that the malicious payload was only active for a short time over the weekend.

“They’ve been taking [the malicious code] up and down, rapidly changing it adding new features,” Eriksen said, noting that when the malicious canister wasn’t serving up malware downloads it was pointing visitors to a Rick Roll video on YouTube.

“It’s a little all over the place, and there’s a chance this whole Iran thing is just their way of getting attention,” Eriksen said. “I feel like these people are really playing this Chaotic Evil role here.”

Cimpanu observed that supply chain attacks have increased in frequency of late as threat actors begin to grasp just how efficient they can be, and his post documents an alarming number of these incidents since 2024.

“While security firms appear to be doing a good job spotting this, we’re also gonna need GitHub’s security team to step up,” Cimpanu wrote. “Unfortunately, on a platform designed to copy (fork) a project and create new versions of it (clones), spotting malicious additions to clones of legitimate repos might be quite the engineering problem to fix.”

Update, 2:40 p.m. ET: Wiz is reporting that TeamPCP also pushed credential stealing malware to the KICS vulnerability scanner from Checkmarx, and that the scanner’s GitHub Action was compromised between 12:58 and 16:50 UTC today (March 23rd).

  •  

This Week in Scams: Why That “Booking Confirmation” Message Might Be Fake

Today marks the start of Spring in the Northern Hemisphere, and with warmer weather setting in summer trips are vacation planning are starting to take shape.   

But before you respond to that message about your hotel booking or payment confirmation, it’s worth asking: is it actually legit? 

This week in scams, we’re breaking down a travel phishing scheme making the rounds through realistic booking messages, as well as new McAfee research on betting scams and AI-driven malware. 

We’ll walk through what happened, what to watch for, and how McAfee’s tools can help you stay safe. 

Scammers Who Know Your Exact Travel Reservation Details 

A new phishing campaign targeting travelers is exploiting hotel booking platforms like Booking.com, and it’s convincing enough to fool even cautious users. 

According to reporting from ITBrew and Cybernews, attackers are running a multi-stage scam: 

How The Booking Scam Works 

Scam Stage  How It Works  What You’ll Notice  How to Protect Yourself  Where McAfee Helps 
Stage 1: Hotel account gets compromised  Attackers phish or hack hotel staff to access booking platforms and guest reservation data.  You won’t see this part — it happens behind the scenes.  Use strong, unique passwords and enable multi-factor authentication on your own accounts to reduce risk of similar breaches.  Identity Monitoring can alert you if your personal information appears in suspicious places or data leaks. 
Stage 2: You receive a realistic message  Scammers use stolen booking data to send messages via WhatsApp, email, or even booking platforms.  The message includes your real name, hotel, and travel dates, making it feel legitimate.  Be cautious of unexpected outreach, even if the details are correct. Don’t assume accuracy means authenticity.  Scam detection tools can help flag suspicious messages and identify potential phishing attempts. 
Stage 3: Urgency is introduced  The message claims there’s an issue with your reservation and pushes you to act quickly.  Phrases like “confirm within 12 hours” or “risk cancellation” create pressure.  Pause before acting. Legitimate companies rarely require urgent payment changes without prior notice.  Scam detection can help identify high-risk messages designed to pressure you into quick decisions. 
Stage 4: You’re sent to a fake payment page  A link leads to a convincing lookalike site designed to steal your payment details.  The page looks real but may have subtle URL differences or unusual formatting.  Always navigate directly to the official website or app instead of clicking links in messages.  Safe Browsing tools can help block risky or known malicious websites before you enter sensitive information. 

March Madness Brackets, Bets, and Bad Actors 

March Madness brings brackets, bets, and a flood of bad actors. 

New McAfee research found that 1 in 3 Americans (32%) say they’ve experienced a betting or gambling scam, and nearly a quarter (24%) say they’ve lost money to one. On average, victims reported losing $547. 

That’s not surprising when you look at the environment around the tournament. More than half of Americans are watching, more than half are participating in some form of betting, and 82% say they’ve seen betting promotions in the past year. 

Some of the most common setups this season include: 

  • “Guaranteed win” or “can’t lose” betting tips that require payment upfront 
  • Fake sportsbook promotions offering bonus bets or free credits 
  • Messages claiming you have winnings, but need to pay a fee to unlock them 
  • Impersonation scams posing as sportsbook support or betting platforms 
  • Invitations to private “VIP betting groups” on WhatsApp or Telegram 

The takeaway:
If a betting offer promises guaranteed results, demands the use of bizarre apps and sites, asks for money upfront, or pushes you to act quickly, it’s not an edge. It’s a scam. 

“AI-Written” Malware Is Hiding in Everyday Downloads 

Not all scams start with a message. Some start with a search. 

McAfee Labs uncovered a large-scale malware campaign hiding inside hundreds of fake downloads, including game mods, AI tools, drivers, and trading utilities. 

In January alone, researchers identified: 

  • 443 malicious ZIP files disguised as legitimate software 
  • 1,700+ file names used to make those downloads look credible 
  • 48 variants of a malicious DLL file used to infect devices 

These weren’t hosted on obscure corners of the internet either. The files were distributed through platforms people recognize, including Discord, SourceForge, and file-sharing sites. 

Here’s how the attack typically works: 

  • You search for a tool. 
  • You download what looks like the right file. 
  • It opens normally at first. 

Then, behind the scenes, malware loads quietly and begins pulling in additional code. In some cases, victims are shown fake error messages while the real infection happens in the background. 

From there, attackers can: 

  • Turn your device into a cryptocurrency mining machine 
  • Install additional malware like infostealers or remote access tools 
  • Slow down your system while running hidden processes 

What makes this campaign stand out is that some of the code appears to have been generated with help from AI tools. 

That doesn’t mean AI is running the attack on its own. But it does suggest attackers are using AI to: 

  • Generate code faster 
  • Create more variations of malware 
  • Scale campaigns more efficiently 

In other words, the barrier to building malware is getting lower. 

The takeaway:
If a download is unofficial, hard to find, or feels like a shortcut, it’s worth slowing down. The file may look right, but that doesn’t mean it’s safe. 

How McAfee+ Advanced Works in These Scam Moments 

Whether it’s a message about your booking, a betting offer that looks legitimate, or a download that appears to be exactly what you were searching for, these scams all rely on the same thing: they blend into everyday moments. 

That’s where having backup like McAfee+ Advanced comes in. It includes: 

  • McAfee’s Scam Detector, which helps flag suspicious links in texts and messages like the ones used in these booking and betting scams, so you can spot something risky before you engage
  • Web protection and real-time device security, helping protect against risky links, malicious sites, and evolving threats if you do click, including fake betting platforms or malware hidden in downloads
  • Personal Data Cleanup, which helps remove your information from sites that sell it, making it harder for scammers to access the personal details that make messages and scams feel legitimate
  • Secure VPN, which helps keep your personal info safe and private anywhere you use public Wi-Fi, like hotels, airports, and cafés while traveling
  • Identity Monitoring and alerts, with 24/7 scans of the dark web to help ensure your personal and financial information isn’t being exposed or reused
  • Credit and transaction monitoring, so you can get alerts about suspicious financial activity if your information is ever compromised 
  • Identity restoration support and up to $2 million in identity theft coverage, giving you access to US-based experts and added peace of mind if something does go wrong 

Stay skeptical, verify before you click, and we’ll see you next week with more. 

The post This Week in Scams: Why That “Booking Confirmation” Message Might Be Fake appeared first on McAfee Blog.

  •  

Feds Disrupt IoT Botnets Behind Huge DDoS Attacks

The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

Image: Shutterstock, @Elzicon.

The Justice Department said the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure involved in DDoS attacks against Internet addresses owned by the DoD.

The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported tens of thousands of dollars in losses and remediation expenses.

The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks. Kimwolf issued more than 25,000 attack commands, the government said, while Mossad was blamed for roughy 1,000 digital sieges.

The DOJ said the law enforcement action was designed to prevent further infection to victim devices and to limit or eliminate the ability of the botnets to launch future attacks. The case is being investigated by the DCIS with help from the FBI’s field office in Anchorage, Alaska, and the DOJ’s statement credits nearly two dozen technology companies with assisting in the operation.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, an Aisuru variant which introduced a novel spreading mechanism that allowed the botnet to infect devices hidden behind the protection of the user’s internal network.

On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf’s spread somewhat, but since then several other IoT botnets have emerged that effectively copy Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. According to the DOJ, the JackSkid botnet also sought out systems on internal networks just like Kimwolf.

The DOJ said its disruption of the four botnets coincided with “law enforcement actions” conducted in Canada and Germany targeting individuals who allegedly operated those botnets, although no further details were available on the suspected operators.

In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Multiple sources familiar with the investigation told KrebsOnSecurity the other prime suspect is a 15-year-old living in Germany.

  •  

New Research: Hackers Are Using AI-Written Code to Spread Malware

McAfee Labs has uncovered a widespread malware campaign hiding inside fake downloads for things like game mods, AI tools, drivers, and trading utilities. 

In January 2026, researchers observed 443 malicious ZIP files impersonating software people might actively search for online. Across those files, McAfee identified 48 malicious WinUpdateHelper.dll variants used to infect devices. The campaign was spread through a mix of file-hosting and content delivery services, including Discord, SourceForge, FOSSHub, and mydofiles[.]com. 

What makes this campaign especially notable is that some parts of it appear to have been built with help from large language models (LLMs). McAfee researchers found signs that certain scripts likely used AI-generated code, which may have helped the attackers create and scale the campaign faster. 

That does not mean AI created the whole operation on its own. But it does suggest AI may be helping cybercriminals lower the effort needed to build malware and launch attacks. 

Want the full research? Dive in here. 

We break down the top takeaways below. 

What McAfee Found 

Finding  What it means 
443 malicious ZIP files  Attackers created many different fake downloads to reach more victims 
48 malicious DLL variants  The campaign used multiple versions of the malware, not just one file 
1,700+ file names observed  The same threat was repackaged under many different names to look convincing 
17 distinct kill chains  Researchers found multiple attack flows, but they followed a similar overall pattern 
Hosted on familiar platforms  The malware was distributed through services users may recognize, including Discord and SourceForge 
AI-assisted code suspected  Some scripts contained explanatory comments and patterns that strongly suggest LLM assistance 
Cryptomining and additional malware observed  Infected devices could be used to mine cryptocurrency or receive more malicious payloads 

What Is “AI-Written Malware”? 

In this case, “AI-written malware” does not mean an AI system independently invented and launched the attack. 

Instead, McAfee Labs found evidence that the attackers very likely used AI tools to help generate some of the code used in the campaign, especially in certain PowerShell scripts. 

Put simply: 

Term  Plain-English meaning 
Large language model (LLM)  An AI system that can generate text and code based on prompts 
AI-assisted malware  Malware where attackers appear to have used AI tools to help write or structure parts of the code 
Vibe coding  A style of coding where someone describes what they want and an AI does much of the writing 

This matters because it can make malware development faster, easier, and more scalable for attackers. 

Figure 1: Attack Vector
Figure 1: Attack Vector

 

How The Fake Download Attack Works 

The attack begins when someone searches for software online and downloads what looks like the tool they wanted. 

That tool might appear to be a game mod, AI voice changer, emulator, trading utility, VPN, or driver. But behind the scenes, the ZIP archive includes malicious components that start the infection. 

Step  What happens 
1. A user downloads a fake file  The ZIP archive is disguised as something useful or desirable, such as a mod menu, AI tool, or driver 
2. The file appears normal at first  In some cases, the package includes a legitimate executable so it feels more convincing 
3. A malicious DLL is loaded  A hidden malicious file, often WinUpdateHelper.dll, starts the real attack 
4. The user is distracted  The malware may display a fake “missing dependency” message and redirect the user to install unrelated software 
5. A PowerShell script is pulled from a remote server  While the user is distracted, the malware contacts a command-and-control server and runs additional code 
6. More malware is installed  Depending on the sample, the device may receive coin miners, infostealers, or remote access tools 
7. The infected device is abused for profit  In many cases, attackers use the victim’s system resources to mine cryptocurrency in the background 

What Kinds of Files Were Used as Bait 

McAfee found that the attackers cast a very wide net. The malicious ZIP files impersonated many types of software, including: 

Bait category  Examples 
Gaming tools  game mods, cheats, executors, Roblox-related tools 
AI-themed tools  AI image generators, AI voice changers, AI-branded downloads 
System utilities  graphics drivers, USB drivers, emulators, VPNs 
Trading or finance tools  stock-market utilities and related downloads 
Fake security or malware tools  fake stealers, decryptors, and other risky-looking utilities 

That broad range is part of what made the campaign effective. It was designed to catch people already looking for shortcuts, unofficial tools, or hard-to-find software. 

Why McAfee Researchers Believe AI Was Used 

One of the strongest clues came from the comments inside some of the attack scripts. 

McAfee researchers found explanatory comments that looked more like AI-generated instructions than the kind of shorthand attackers usually leave for themselves. In one example, a comment referred to downloading a file from “your GitHub URL,” which suggests the code may have come from a generated template and was not fully cleaned up before use. 

These details do not prove every part of the campaign was AI-made. But they do support McAfee’s assessment that certain components were likely generated with help from large language models. 

What Happens on an Infected Device 

In many cases, the malware was used to turn victims’ computers into quiet crypto-mining machines. 

McAfee observed mining activity involving several cryptocurrencies, including: 

  • Ravencoin 
  • Zephyr 
  • Monero 
  • Bitcoin Gold 
  • Ergo 
  • Clore 

Some samples also downloaded additional payloads such as SalatStealer or Mesh Agent. 

For victims, that can mean: 

Possible effect  What it may look like 
Slower performance  apps lag, games stutter, system feels unusually sluggish 
High CPU or GPU usage  fans run constantly, laptop gets hot, battery drains faster 
Background malware activity  unknown processes, suspicious downloads, unexpected behavior 
Potential data theft  if an infostealer or remote access tool is installed 

McAfee was also able to trace several Bitcoin wallets tied to the campaign. At the time of the report, those wallets held about $4,536 in Bitcoin, while total funds received were approximately $11,497.70. Researchers note the real total could be higher because some of the currencies involved are harder to trace. 

Who Was Targeted Most 

This campaign was observed most heavily in: 

  • United States 
  • United Kingdom 
  • India 
  • Brazil 
  • France 
  • Canada 
  • Australia 

That does not mean users elsewhere were unaffected. These were simply the countries where researchers saw the highest prevalence. 

Figure 2: Geographical Prevalence 
Figure 2: Geographical Prevalence 

  Red Flags To Watch For 

Even though the campaign used advanced techniques, the warning signs for users were often familiar. 

Red flag  Why it matters 
You found the file through a random link  Unofficial forums, Discord links, and file-hosting pages are common malware delivery paths 
The download is a ZIP for something sketchy or unofficial  Cheats, cracks, mod tools, and unofficial utilities carry higher risk 
You get a “missing dependency” message  Attackers may use this to push a second download while the real infection happens in the background 
The file name looks right, but the source feels wrong  Familiar names can be faked easily 
Your PC suddenly slows down or overheats  Hidden cryptominers often abuse system resources 
You notice new, unrelated software installed  The campaign sometimes used unwanted software installs as a distraction 

How To Stay Safe From Malware Hidden in Fake Downloads 

This campaign is a reminder that not every convincing file is a safe one. A few habits can reduce your risk significantly. 

Safety step  Why it helps 
Download software only from official sources  This lowers the chance of accidentally installing a trojanized file 
Avoid cheats, cracks, and unofficial mods  These categories are common bait for malware campaigns 
Be skeptical of dependency prompts  Unexpected requests to install helper files or missing components can be part of the attack 
Keep your security software updated  Current protection can help detect known threats and suspicious behavior 
Pay attention to system performance  A suddenly hot, loud, or slow PC may be a sign something is running in the background 
Review what you download before opening it  Even a familiar file name does not guarantee a file is legitimate 

McAfee helps protect against malware threats like these with multiple layers of security, including malware detection and safer browsing protections designed to help stop risky downloads before they can do damage. 

What To Do If You Think You Opened One of These Files 

If you think you downloaded and ran a suspicious file like one described in this campaign: 

Action  Why it matters 
Disconnect from the internet  This can help interrupt communication with attacker-controlled servers 
Run a full security scan  A trusted scan can help identify malicious files and behavior 
Delete suspicious downloads  Remove the file and avoid reopening it 
Check for unfamiliar software or startup items  The infection may have installed additional components 
Change important passwords from a clean device  This is especially important if data-stealing malware may have been involved 
Monitor accounts for unusual activity  Keep an eye on email, banking, and other sensitive accounts 

If your computer continues acting strangely after a scan, it may be worth getting professional help. 

What This Means for the Future of Malware 

This campaign highlights how cybercrime is evolving. 

The core risk is not just fake downloads. It is the fact that attackers are using AI tools to help generate code, create variations, and speed up parts of the malware development process. 

That can make campaigns like this easier to scale and harder to ignore. 

For everyday users, the takeaway is simple: if a file seems unofficial, rushed, or too good to be true, pause before opening it. A fake download may look like a shortcut, but it can quietly turn your device into a target.  

Frequently Asked Questions 

FAQs 
Q: What is AI-written malware?

A: AI-written malware generally refers to malicious code, or parts of a malware campaign, that appear to have been created with help from AI coding tools or large language models. 

Q: Did AI create this entire malware campaign? 

A: McAfee Labs did not say that. The research suggests that certain components, especially some scripts, were likely generated with help from large language models. 

Q: What was this malware disguised as? 

A: The malicious files impersonated game mods, AI tools, drivers, trading utilities, VPNs, emulators, and other software downloads. 

Q: What can happen if you open one of these fake files? 

A: Depending on the sample, the malware may install coin miners, steal data, establish persistence, or download additional malicious tools. 

Q: Can malware really use my computer to mine cryptocurrency? 

A: Yes. McAfee observed samples in this campaign that used victims’ CPU and GPU resources to mine cryptocurrency in the background. 

Q: What is the safest way to avoid this kind of malware? 

A: Download software only from official or trusted sources, avoid unofficial tools and cheats, be cautious of fake dependency prompts, and keep your security protection up to date. 

Want to learn more? Dive into the full research here. 

The post New Research: Hackers Are Using AI-Written Code to Spread Malware appeared first on McAfee Blog.

  •  

AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign

Authored by Aayush Tyagi  

Background 

The term ‘Vibe coding,’ first coined back in February of 2025 by OpenAI researchers, has exploded across digital platforms. With hundreds of articles and YouTube Videos discussing the dangers of Vibe coding and warning the internet about the rise of “Vibe Coders”, while others labelled it as the fundamental shift in software development and the future of coding.  

Vibe Coding is an approach where the AI does heavy lifting, rather than the user. Instead of manually writing code or implementing algorithms, users describe their intent through text-based prompt, and the LLMs respond with fully functional code and explanation. Unsurprisingly, the internet is now flooded with guides on the best LLMs and prompts to generate “perfect” code. 

Given the ease of generating fully functional code, McAfee Labs has also seen a rise in vibe-coded malware. In these campaigns, certain components of the kill chain contain AI-generated code, significantly reducing the effort and knowledge required to execute new malware campaigns. This shift not only makes malware campaigns more scalable but also lowers the barrier to entry for new malware authors. 

Executive summary 

In January 2026, McAfee Labs observed 443 malicious zip files impersonating a wide range of software, including AI image generators and voice-changing tools, stock-market trading utilities, game mods and modding tools, game hacks, graphics card and USB drivers, ransomware decryptors, VPNs, emulators, and even infostealer, cookie-stealer, and backdoor malware, to infect users.  

Across the 440+ zip files, we observed 48 unique malicious WinUpdateHelper.dll variants, responsible for the infections. McAfee has been detecting variants of this threat since December 2024, although the vibe coding observed in certain components appears to be a recent addition. These files are distributed through various legitimate content delivery network (CDN) services and file-hosting websites, such as Discord, SourceForge, FOSSHub, and MediaFire, to name a few. Another website that was actively delivering this malware was mydofiles[.]com. 

Here, the attackers implement volume-driven malware distribution techniques to infect as many users as possible.  

Figure 1: Attack Vector
Figure 1: Attack Vector

This attack begins when users surf the internet looking for tools and software that promise to simplify their tasks. Instead, they encounter trojanized zip files.  

We discovered over 100 URLs actively spreading this malware, of which approximately 61 were hosted on Discord, 17 on SourceForge, and 15 on mydofiles[.]com. 

On running the executable, it loads a malicious WinUpdateHelper.dll file, which redirects the user to file-hosting websites, under the disguise that they are missing crucial dependencies and tricks them into installing unrelated software, which is a distraction. Meanwhile, the DLL has already requested and executed a malicious PowerShell script from a command-and-control (C2) server.  

This script infects the user’s system and downloads additional mining software, and abuses the system’s resources, or it downloads additional payloads such as SalatStealer or Mesh Agent, depending on the WinUpdateHelper.dll sample which infected the user.  

In this PowerShell script, the presence of explanatory comments and structured sections strongly indicates the use of LLM models to generate this code. 

Read more about this in the Using AI to generate malware? section below.  

So far, we’ve observed the mining of RavencoinZephyr, Monero, Bitcoin Gold, Ergo, and Clore cryptocurrencies.    

Due to the presence of hardcoded Bitcoin wallet credentials within these malware samples, we were able to trace on-chain transactions and identify wallets containing over $4,500 USD that are part of this campaign.  

Since most of the mining activity targets privacy-focused cryptocurrencies such as Zephyr, Ravencoin and Monero, the real financial impact is likely to be nearly double the amount identified through Bitcoin tracing alone.  

Geographical Prevalence 

Figure 2: Geographical Prevalence  
Figure 2: Geographical Prevalence  

This malware campaign has specifically targeted users in the following counties, ranked by prevalence: The United States of America, followed by United Kingdom, India, Brazil, France, Canada, Australia. 

Bottom Line

The availability of LLMs capable of generating code instantly, combined with the widespread accessibility of technical knowledge, has created a low-effort, high-reward environment, making malware deployment increasingly accessible. 

At McAfee Labs, we have been doing hard work so that you don’t need to worry. But it always helps to be informed and educated on the latest threat that steps into the threat landscape. 
We will continue monitoring these campaigns to ensure our customers remain informed and protected across platforms. 

Technical Analysis  

Impersonated Applications

Here we see malware distribution at a large scale and by analyzing the filenames of these ZIP archives, we can infer to the users that are being targeted. These are some of the names we’ve witnessed in the wild. 

Figure 3: Malware Impersonating gaming software
Figure 3: Malware Impersonating gaming software

The attackers are actively impersonating video game cheats and game mods for popular titles, and well-known script executors for Roblox, such as Delta Executor and Solara as seen above.  

Figure 4: Malware Impersonating tools, malware and drivers 
Figure 4: Malware Impersonating tools, malware and drivers

Names such as Panther-Stealer and Zerotrace-Stealer indicate that even users looking for malware on the internet are not safe either, reinforcing the notion that there is truly no honor among thieves. 

The campaign also leverages drivers and AI-themed tools as part of its lure portfolio among other tools. Interestingly, we see the name ‘DeepSeek.zip’, where attackers are exploiting a prominent LLM model, DeepSeek. McAfee had encountered these types of attacks in early 2025 and covered them extensively.  

Read the previous blog here: Look Before You Leap: Imposter DeepSeek Software Seek Gullible Users  

Stage 1 Payload – Misleading Installation  

Once the user downloads the ZIP archive from Discord or any other website. They get the following set of files.

Figure 5: Files within the zip archive. 
Figure 5: Files within the zip archive.

Here, the executable named ‘gta-5-online-mod-menu.exe’ (Highlighted in Blue) is a legitimate and clean file. Whereas the file named ‘WinUpdateHelper.dll’ (Highlighted in Red) is malicious.  

Figure 6: Command Prompt misinforming the user 
Figure 6: Command Prompt misinforming the user

On executing ‘gta-5-online-mod-menu.exe’, the malicious DLL is loaded. The user is informed that they are missing dependencies, and they’re redirected to the following URL via default browser.  

hxxps://igk[.]filexspace.com/getfile/XKQLPSK?title=DependencyCore&tracker=gta-5-online-mod-menu 

Here, within the URL, a tracker variable is used to identify which malware has infected the user. In this instance, it was ‘gta-5-online-mod-menu’.  

Figure 7: Website prompting users to download dependencycore.zip 
Figure 7: Website prompting users to download dependencycore.zip

Dependecycore.zip is a setup file. On execution, it installs unrelated 3rd party software on the victim’s system. 

Figure 8: Files dropped by Dependecycore.zip in temp folder 
Figure 8: Files dropped by Dependecycore.zip in temp folder

In this instance, iTop Easy Desktop was installed. 

This unwanted installation is meant to subvert users’ attention. As, the WinUpdateHelper.dll has already connected to the C2 server and infected the system.   

Stage 1 Payload – Malicious Functionality  

Once the redirection code is executed, the malware executes the malicious code.  

Figure 9: Malicious code within WinUpdateHelper.dll 
Figure 9: Malicious code within WinUpdateHelper.dll

In the above code snippet, which is present in the WinUpdateHelper.dll, we can see that a new service has been created under the name “Microsoft Console Host” to make it appear to be benign (Highlighted in Red). The parameters passed to this service ensure that it executes at system boot. This is done to maintain persistence in the system.

The service executes a PowerShell command that dynamically generates the C2 domain using the UNIX time stamp.  

Using the following code, 
$([Math]::Floor([DateTimeOffset]::UtcNow.ToUnixTimeSeconds() / 5000000) * 5000000).xyz 

It generates a domain name that changes once every 5,000,000 seconds or 58 days. 

The latest C2 domain we’ve discovered that is up and running is 
1770000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper

During our analysis we observed the following domain 
1765000000[.]xyz/script?id=fA9zQk2L0M&tag=WinUpdateHelper, which is present in the following images.  

Here the id=fA9zQk2L0M is randomly generated, to uniquely identify the user and tag=WinUpdateHelper is used to identify the malware campaign.  

The malware connects to the above-mentioned C2 server to download a PowerShell script and execute it in memory. This fileless execution ensures improved evasion against signature-based detections. 

Stage 2 Payload – PowerShell Script  

Figure 10: PowerShell downloaded from the C2 server 
Figure 10: PowerShell downloaded from the C2 server

It is funny to note here, that the first comment of this script says “# I am forever sorry” which indicates that the attacks do carry some guilt regarding their actions, but not enough to stop the campaign. We found similar comments, such as “# sorry lol”, across multiple PowerShell scripts we discovered.  

The first set of commands (Highlighted in Green) are used to delete windows services and scheduled tasks. This is done to remove older or conflicting persistence mechanisms and to avoid duplicate miners from running on the same system. 

The second set of commands (Highlighted in Red) are registry modifications, that adds “C:\ProgramData” to Windows Defender exclusion paths. That is, ProgramData Folder won’t be scanned by Windows Defender anymore. This exclusion allows malware to drop additional payloads to disk, without the risk of them being detected and removed.  

The third set of commands (Highlighted in Blue) does exactly that. It downloads the next level payload from the URL “hxxps://1765000000[.]xyz/download/xbhgjahddaa” and stored it at this path “C:\ProgramData\fontdrvhost.exe”.

Again the name ‘fontdrvhost.exe’ imitates a legitimate Windows binary, to masquerade its true intent. After the download, the file is decoded using a simple arithmetic decryption routine. This provides protection against static signature detection and network detection. 

The payload is an XMRIG miner sample. In the next command, the miner is initialized and executed. Here, we see the miner connecting to “solo-zeph.2miners.com:4444” and start CPU based Zephyr coin mining using the following wallet address: ‘ZEPHsCY4zbcHGgz2U8PvkEjkWjopuPurPNv8nnSFnM5MN8hBas8kBN4hoNKmc7uMRfUQh4Fc9AHyGxL6NFARnc217m2vYgbKxf’. 

Figure 11: PowerShell downloaded from the C2 server continued  
Figure 11: PowerShell downloaded from the C2 server continued

In the second half of the script, we see another miner being set up and executed using the same technique (Highlighted in Red). This time the file is stored as “RuntimeBroker.exe” in the ProgramData folder. The miner is connecting to “solo-rvn.2miners.com:7070” to mine Ravencoin and it is using the system’s GPU instead of the CPU for mining (Highlighted in Blue).  

This is the wallet address used for mining in this instance ‘bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r’.  

Hence, we see a dual coin-mining deployment infrastructure utilizing both CPU and GPU resources to optimize mining efficiency. 

Bitcoin? Interesting…  

What is interesting here is that attackers have used a bitcoin wallet address for mining Ravencoin, which indicates they are using multi-coin pools for mining. The attackers are using the victims’ machine to mine Ravencoin and automatically convert the mining rewards to Bitcoin before the payout.  

This is done for a variety of reasons, such as, bitcoin offers higher liquidity and has broader acceptance, but most importantly, Ravencoin is computationally easier and economically viable to mine on victim’s system. Bitcoin requires specialized ASIC hardware for profitable mining and attempting to mine Bitcoin directly on infected systems would generate negligible returns. We’ve seen the same behaviour in multiple samples. 

This is a smoking gun. Unlike Zephyr coin or Monero, Bitcoin’s blockchain is fully traceable. Every Satoshi, the smallest unit of Bitcoin, can be traced across the blockchain from the moment it was mined to its current holder. From there, it becomes easy to determine how much cryptocurrency the threat actor is receiving. More on this later.  

Anti-Analysis Techniques 

The attackers have meticulously designed the campaign and have implemented various anti-analysis techniques to thwart researchers.  

The PowerShell script we’ve seen above is responsible for downloading and initializing the coin miner samples. It is only accessible via PowerShell. If we try to access the server via Curl, we get the following response.  

Figure 12: 301 Response from the server 
Figure 12: 301 Response from the server

 This indicates that the server is actively monitoring the User-Agent of incoming requests and deploys the payload only when the request originates from PowerShell. 

 Similarly, the URLs embedded within the PowerShell script that download the next payload are unique to each victim and remain active for 60 seconds. After that, they return a 404 Not Found error.  

Figure 13: URLs within the PowerShell 
Figure 13: URLs within the PowerShell

These techniques are meant to confuse and disorient researchers, making the analysis difficult.  

Using AI to generate malware?  

While working on this malware campaign, we came across over 440 unique zip files. These same zip files were distributed with over 1700 different names, targeting various software. 

Across these 440 zip files, we noticed 48 unique variants of WinUpdateHelper.dll. These 48 files can be clustered together into 17 distinct kill chains, each featuring their own C2 infrastructure, misleading installation setups, second-stage PowerShell scripts and final payloads, yet the cryptocurrency wallet credentials remain similar. 

In the above technical analysis, we’ve only covered 1 kill chain. Yet, across these 17 kill chains, we’ve noticed the flow remain the same.  

Figure 14: PowerShell Script with LLM-Generated Comments 
Figure 14: PowerShell Script with LLM-Generated Comments

Across multiple second stage payloads, we encounter multiple comments such as the following, embedded within the code:

# === Create and execute run.bat in C:\ProgramData ===

:: This batch file:

:: – Creates the hidden folder C:\ProgramData\cvtres if it doesn”t exist (using CMD attrib for hidden + system)

:: – Downloads cvtres.exe from your GitHub URL

:: – Saves it to C:\ProgramData\cvtres\cvtres.exe

:: – Executes it immediately

:: – Runs completely hidden/minimized (no window visible)

The presence of such explanatory-style comments indicates that large language models were likely used during the development of these scripts. Especially, the comment “Downloads cvtres.exe from your GitHub URL”, where ‘Your GitHub URL’ refers to the threat actor’s GitHub repository that is hosting the malware, which indicates potential vibe coding.  

Tracking Bitcoin Across the Blockchain 

During analysis of this malware campaign, we came across few instances where the final payload was Infostealer malware. In most cases it was coin miner samples. 
In these cases, we encountered wallet credentials and mining pool URLs for several alternative cryptocurrencies such as RavencoinZephyr, Monero, which aren’t traceable.  

Fortunately, we came across 7 bitcoin wallets that are part of this malware campaign and are actively receiving mined cryptocurrency. 

bc1q9a59scnfwkdlm6wlcu5w76zm2uesjrqdy4fr8r     bc1q7cpwxjatrtpa29u85tayvggs67f6fxwyggm8kd 

bc1qyy0cv8snz7zqummg0yucdfzpxv2a5syu7xzsdq    bc1qxhp6mn0h7k9r89w8amalqjn38t4j5yaa7t89rp 

bc1qxnkkpnuhydckmpx8fmkp73e38dfed93uhfh68l    bc1qrtztxnqnjk9q4d5hupnla245c7620ncj3tzp7h 

bc1q97yd574m9znar99fa0u799rvm55tnjzkw9l33w 

As of writing this blog, these wallets contain Bitcoin valued at approximately $4,536.20 USD. 

Figure 15: Wallet Snapshot displaying the total value  
Figure 15: Wallet Snapshot displaying the total value  

These wallets have seen regular withdrawals, with total funds received amounting to approximately $11,497.7 USD. 

McAfee Coverage

McAfee has extensive coverage for this Coinminer Malware Campaign. We’re proactively covering new samples observed in the wild. 

Trojan:Win/Phishing.AP 

Trojan:Script/Coinminer.AT 

Trojan:Win/Dropper.AT 

Indicator of Compromise(s)

File Type  SHA256/URLs  File Name 
SHA256  94de957259c8e23f635989dd793cd

fd058883834672b2c8ac0a3e80784fce819 

WinUpdateHelper.dll 
  db8afdafbe39637fec3572829dd0a

1a2f00c9b50f947f1eb544ede75e499dca7 

WinUpdateHelper.dll 
  f15098661d99a436c460f8a6f839

a6903aebd2d8f1445c3bccfc9bf64868f3b0 

WinUpdateHelper.dll 
  3abf66e0a886ec0454d0382369dd6

d23c036c0dd5d413093c16c43c72b8ccb0b 

WinUpdateHelper.dll 
  767b63d11cee8cfb401a9b72d7bcc

a23b949149f2a9d7456e6e16553afcef169 

WinUpdateHelper.dll 
  12850f78fc497e845e9bf9f10314c4ecc

6a659dcd90e79ef5bd357004021ba78 

WinUpdateHelper.dll 
  0a8a58d18adc86977b7386416c6be8db

850a3384949b6750a6c6b2136138684a 

WinUpdateHelper.dll 
  1a60852904ff9c710cd754fa187ce58cb18c69

e35ea4962a8639953abe380f64 

WinUpdateHelper.dll 
  4ab63b5ccd60dfd66c7510d1b3bc1f45f0

c31c2d4c16b63b523d05ccac3fcb9d 

WinUpdateHelper.dll 
  1390e61a45dd81fa245a3078a3b305

e3c7cdeb5fa1e63d9daca22096b699f9e8 

WinUpdateHelper.dll 
  a0c3de95e5bf84cb616fe1ee1791e96ff57

53778b36201610e6730d025a6cb12 

WinUpdateHelper.dll 
  ea65298d8d8ce4b868511a1026f8657abcc

6b2e333854f4fc1bd498463b24084 

WinUpdateHelper.dll 
  6ea34fd213674f31a83c0eee2fb521303d2

a7c23e324bbdfa1a8edd7b6b6b6f1 

WinUpdateHelper.dll 
  7bec5e37777e6a2ca50e765b07e8cb

65e88f4822ab19d98c32f1c69444228e5c 

WinUpdateHelper.dll 
  64c96f0251363aaf35c3709c134aab52b9

81508b0ce9445e42774d151e43686b 

WinUpdateHelper.dll 
  393f6c6b307aecfe46acc603da812cc17f

0ebf24b66632660a2e533dfa4f463f 

WinUpdateHelper.dll 
  94077065d049e821803986316408b

82edad43fcd5a154f6807b4382eece705c3 

WinUpdateHelper.dll 
  a206ff592aea155d2bb42231afc3f060

494ffa8f3de8f25aaf8881639c500b44 

WinUpdateHelper.dll 
  cb2eebf27def80261eef6b80d898e06

f443294371463accd45ca24ce132fad98 

WinUpdateHelper.dll 
  3fea0a031ffd78c8d08f6499c2bbc

6a9edac5dc88b9ba224921f8f142e5a9adb 

WinUpdateHelper.dll 
  4fe5d461aaa752b94d016ca4e742e

02d30d3d4848a32787ce3564b5393017d77 

WinUpdateHelper.dll 
  04399f9f3ef87d8dd15556628532a84

d63d628eaae0ed81166d6efbee428cdba 

WinUpdateHelper.dll 
  dd37cd62fa18af798018a706f20a91a537f

0993f0254a0c84d64097c6480afb2 

WinUpdateHelper.dll 
  1d85ffe28d065780c9327078941cb76

2915c69c69012303e45eee44c092f8046 

WinUpdateHelper.dll 
  86e14dd0ab29ee0eab21874811b7e4

50d609feb606f77206627b62cccbd58afa 

WinUpdateHelper.dll 
  17704d58fb9c4e68c54a56fa97cd32599

792d00da53691b8bdb58e49296b7feb 

WinUpdateHelper.dll 
  491019e31af8f1489aea8d4c0f9816

813698def0301a2abb88e5248b37753d2b 

WinUpdateHelper.dll 
  c0ab89c3d9c7b9a04df5169eb175d517

3c6de08a4ef3674cd6d7f9a925d63151 

WinUpdateHelper.dll 
  df0ca0f15926964040bb43978f97faccc0

0bae5f6a00d8bd7d105d8c7d32efb1 

WinUpdateHelper.dll 
  e40f2628b2981226b1afe16c1cf3796b94

82b2ac070adac999707fc09909327c 

WinUpdateHelper.dll 
  f6093084196acded1179d3a1466908beb

966dceaba03e1dfeb02a2628fdb0423 

WinUpdateHelper.dll 
  fcc512630ee95d3f4c31e3aabc75ad2e29

dfacb4d4bcce7a12abe9a516979dbd 

WinUpdateHelper.dll 
  fe02d8d7a6b8f66624b238665d63094

a2bcd19c44a3f9c449788cadbb1b741a6 

WinUpdateHelper.dll 
  1967f6f42710b43506a0784a28ca8785a

f91b84dfa8629ec5be92be8eec564c6 

WinUpdateHelper.dll 
  5280b0ecb6c7246db84a9b194f5c85cc3

03c028475900b558306fdd4e51f4fc3 

WinUpdateHelper.dll 
  ce06d83adb53c8b9d240202193ca4c04d

0163994dad707aed0f0e67fdd2a42fe 

WinUpdateHelper.dll 
  13976bdc28d3b3ae88ed92fcf49ff9e083b

0ce5fd53e60680df00cd92bdfb33b 

WinUpdateHelper.dll 
  4135754b26dfac10cd19dcf6e03677b53

7244cf69fdce9c4138589e59449b443 

WinUpdateHelper.dll 
  7d69eca36c0f69b3007cdbf908f15545

e95611acf4bad8b9e30e54687a6d33bb 

WinUpdateHelper.dll 
  085dc279b422d761729374b01eae1e2

2375ef9538a6c4bc7cc35e8a812450f93 

WinUpdateHelper.dll 
  99ff2045d1377db7342420160eb254b7

b09cc4ce41a97b6bf0ec4d3f65d9ede6 

WinUpdateHelper.dll 
  396f397099a459f3adeba057788aa3d3488

2eea7d1665c828449f205a86dc80f 

WinUpdateHelper.dll 
  908d35e6afd90da2e7c71cf82c8a61b5534

10ca920e67dba1bae35c2b6b19bad 

WinUpdateHelper.dll 
  7029d68969814f1473e4e4a22abd4be8

5678a03bbe4c0f6194f3b7e421872ab3 

WinUpdateHelper.dll 
  d3ba17aa83748c539c75cee7eedb03a4

83f2e86af10b69da3f0c8e549f014ac3 

WinUpdateHelper.dll 
  d758820962ead89d5eaf7e45930a5eb

6ab11d5508988087faf84d8d7524408f1 

WinUpdateHelper.dll 
  e863f45099f3dc057a5aee5990fabfb4

e8ea8849cd5bc895092ff0a305a3f85d 

WinUpdateHelper.dll 
  0db26e9a1213d09521fc0dbfe15f807c9

960f62bc1cf4071001f58f210c53e9c 

WinUpdateHelper.dll 
  94de957259c8e23f635989dd793cdfd

058883834672b2c8ac0a3e80784fce819 

WinUpdateHelper.dll 
     
C2 URLs   hxxp://85[.]235[.]75[.]242/script[.]ps11   
  hxxp://41[.]216[.]188[.]184/downloads/loader[.]ps1    
  hxxp://46[.]151[.]182[.]238:6969/script    
  hxxps://mydofiles[.]com/script[.]ps1   
  hxxp://45[.]141[.]119[.]191/jjj[.]txt    
  hxxps://getthishasg[.]live/cz8wl3k[.]php?

cnv_id=cee43wfhqb7b81&payout=1  

 
  hxxps://gocrazy[.]gg/script?id=fA9z

Qk2L0M`&tag=schtasks 

 
  hxxps://dystoria[.]cc/mon   
  hxxp://85[.]235[.]75[.]242/script[.]ps1   
  hxxps://github[.]com/dextamoggan4-sudo/

shineex/releases/download/python/script[.]ps1 

 
  hxxp://45[.]141[.]119[.]191/gg[.]txt   
  hxxps://codeberg[.]org/Yesdev123/

load/raw/branch/main/testfile[.]txt 

 
  hxxp://45[.]141[.]119[.]191/jjjj[.]tt   
  hxxps://kenovn[.]net/script   
  hxxps://1765000000[.]xyz/script?

id=fA9zQk2L0M&tag=WinUpdateHelper 

 
  hxxp://46[.]151[.]182[.]238:6969/scrpt   
  hxxp://46[.]151[.]182[.]238:6969/script   
  hxxps://cutt[.]ly/ke0WRr70   
  hxxps://cutt[.]ly/pe0WRidw   
  hxxps://1770000000[.]xyz/script?id

=fA9zQk2L0M&tag=WinUpdateHelper 

 
  hxxp://150[.]241[.]64[.]28/panfish    
Final Payload URLs  hxxps://github[.]com/gaescmo-ai/justin/

releases/download/son/xmrig[.]exe 

 
  hxxps://github[.]com/gaescmo-ai/justin/

releases/download/son/ethminer[.]exe 

 
  hxxp://41[.]216[.]188[.]184/downloads

/windows-service[.]zip  

 
  hxxp://46[.]151[.]182[.]238:6969/exe/rat[.]exe   
  hxxp://46[.]151[.]182[.]238:6969/exe/miner[.]exe   
  hxxp://46[.]151[.]182[.]238:6969/exe/titledetector[.]exe   
  hxxps://github[.]com/jimbrock44/filezilla2025/

raw/refs/heads/main/sc[.]msi 

 
  hxxps://github[.]com/softwarelouv/software/

raw/refs/heads/main/scvhosts[.]exe 

 
  hxxps://github[.]com/softwarelouv/software/

raw/refs/heads/main/cvtres[.]exe 

 
  hxxp://109[.]120[.]177[.]217:8082/download   
  hxxp://45[.]141[.]119[.]191/fontdrvhost[.]exe   
  hxxps://codeberg[.]org/Yesdev123/load/raw/

branch/main/source[.]exe 

 
  hxxps://1765000000[.]xyz/download/xbhgjahddaa   
  hxxps://1765000000[.]xyz/download/ebhgjahddaa   
  hxxp://46[.]151[.]182[.]238:6969/autoexec   
  hxxp://62[.]113[.]112[.]203/adm[.]exe   
  hxxps://evilmods[.]com/api/nothingtoseehere[.]exe   
  hxxps://evilmods[.]com/api/nothingbeme[.]exe   
  hxxps://evilmods[.]com/DependencyCore2   
  hxxps://evilmods[.]com/DependencyCore   
     
Unwanted Installers  CD1B15644BF0D7CBF270E8F21CEAE5E6  Dependecycore.zip 
  7d18257b55588bccb52159d261f9cd7f  Dependecycore.zip 
  A518FB6B9D2689737CE668675EEDE98F  iTop Easy Desktop 
  E3BB21152BA90990E3CCBC1A05842F8B  Opera Installer 
  A6BC4C6A58AC533D3DB5F96D24DDE0EF  Docs Helper Setup 
  FA24733F5A6A6F44D0E65D7D98B84AA6  Windows Manager 
  CDB67B1C54903F223F7DCCA14AEA67DF  eld4.exe 
     
Final Payloads  e07a76cc4258c6b4b3f85451ea2174d5  xmrig.exe 
  d32395a3a340e033e11bd89acddaa9cd  ethminer.exe 
  14f1de874c78221e7b6889af7463de69  WindowsService.exe 
  47c8731b2526613e1e3bc61a88680cd0  rat.exe 
  fbac126407b5735583dac5ea7cf519b3  SalatStealer 
  4dc93730ebe04a9b508a9f9dae74ae09  miner.exe  
  90e10b510144719613b1017abe227b87  titledetector.exe 
  8dadf8a4b77a340fcbb402789f9a07db  agent 
  4c8e8e2fdc23bb7b24e6b410eb69fb4a  scvhosts.exe 
  79ea41812bd3310e11fc95403504f048  sc.msi 
  1b1bd2783d4e8d1c2d444ffa8689677b  cvtres.exe 
  16b70d148b66c20c709b7eed70100a96  source.exe 
  e2af5595c9a0b7feaa9291b405d4c991  XMRIG _Miner 
  b133229ed0be8788c84a975656a7339c  CoinMiner 
  754b581c7e3593446f0a06852031564a  MeshAgent 
  a7400236ffab02ae5af5c9a0f61e7300  NiceHash Miner 
  d7d34c0559b3f6ba70be089e4cc6172c   lolMiner 
     
PowerShell Scripts  02a4d24d0cdaa6f9a3ecf4b71e3f2eec   
  2a153877acc9270406d676403e999490   
  77f491c1c50e224d0c61ed608445d8a9   
  c60a3307d21840d1e15ee78b07d3eb04   
  d17b85de54d0c438c092c1e889b8c63f   
  e35c04a7c31f8641757374404edea395   
  fa8b5b5a302c0e353f4983973cf4b37e   
  d2ad87a1fd1e8812c5ba4b259de4f885   
Wallet Address  46NgyMUVMf6Xzsao9XR

C6BTjJpjUJFfA12F8BPmD

86Y7biz4gZdjCWsSXMUZo

mtuUs8crujryAvhRFMyvhzb

s6naMKucHFi 

Monero (XMR) wallet address 
  RJe6FfyoWDq6M4i3b17LxvjdT2fSNTLTYA  Ravencoin (RVN) wallet address 
  ZEPHsCY4zbcHGgz2U8

PvkEjkWjopuPurPNv8nnSFn

M5MN8hBas8kBN4hooNKmc7uMRfU

Qh4Fc9AHyGxL6NFARnc217m2vYgbKxf 

Zephyr (ZEPH) wallet address 
  bc1qyy0cv8snz7zqummg0yucd

fzpxv2a5syu7xzsdq 

Bitcoin (BTC) address 
  bc1q7cpwxjatrtpa29u85tayvggs

67f6fxwyggm8kd 

Bitcoin (BTC) address 
  bc1qxhp6mn0h7k9r89w8amalqj

n38t4j5yaa7t89rp 

Bitcoin (BTC) address 
  bc1qxnkkpnuhydckmpx8fmkp73e3

8dfed93uhfh68l 

Bitcoin (BTC) address 
  bc1qrtztxnqnjk9q4d5hupnla245c762

0ncj3tzp7h 

Bitcoin (BTC) address 
  bc1q9a59scnfwkdlm6wlcu5w76zm2

uesjrqdy4fr8r 

Bitcoin (BTC) address 
  bc1q97yd574m9znar99fa0u799rvm

55tnjzkw9l33w 

Bitcoin (BTC) address 
URL Distributing Malware  http://www[.]mydofiles[.]com/

MultiClicker[.]zip 

 
  http://www[.]mydofiles[.]com/

ProCheatsInstaller[.]zip 

 
  http://www[.]mydofiles[.]com/

RobloxCheatEngine[.]zip 

 
  http://www[.]mydofiles[.]com/

ST-Bot[.]zip 

 
  https://sourceforge[.]net/projects/

delta-executor-for-pc/files/latest/download 

 
  https://ixpeering[.]dl[.]sourceforge[.]net/project/

delta-executor-for-pc/DeltaExecutor[.]zip?viasf=1 

 
  https://sourceforge[.]net/projects/

delta-executor-for-pc/files/DeltaExecutor[.]zip/download 

 
  https://cdn[.]discordapp[.]com/

attachments/1436383055471185961/

1454995091423887442/Keyser[.]zip?

ex=6953c606&is=69527486&hm=

e3ba56d122cc6b6228d787d29c6b5db31

709fd16be119fa8d3a09d92cb0291e4& 

 
  https://cdn[.]discordapp[.]com/attachments/

1436746541669945409/1454995359754358875/

Matcha[.]zip?ex=6953c646&is=695274c6&hm=

1bae58927d0bcd6a1971b604644035ad938c1d535

61f7d4e951fdf5454d52f8d& 

 
  https://cdn[.]discordapp[.]com/

attachments/1437009916224209018/

1454995174328500318/CheatLoverz[.]zip?

ex=69531d5a&is=6951cbda&hm=

f1ac26bebf4394c43cbf21ed531f5dfdf7

d31f30853b126611c1a39b970b81bc& 

 
  https://cdn[.]discordapp[.]com/attachments/

1438966596222849134/1454995223171170386/

Complex[.]zip?ex=69531d65&is=6951cbe5&hm=

b66d9539c0d487fc63125982db773e42eee01dfc

4bc5a28dc1a7a773134a7bc6& 

 
  https://cdn[.]discordapp[.]com/attachments/

1438966596222849134/1454995223171170386/

Complex[.]zip?ex=6953c625&is=695274a5&hm=

0d6ba0e247e275a9824a838969ee06452e188310

c434c5d852141bfad3eedff2& 

 
  https://cdndownloads[.]com/

download?clickid=277af8wcia4d4b 

 
  https://cdndownloads[.]com/

download?clickid=53ba0myoj8p617 

 
  https://download[.]fosshub[.]com/Protected/

expiretime=1735860643;badurl=aHR0cHM6L

y93d3cuZm9zc2h1Yi5jb20vQnVsay1DcmFwLVV

uaW5zdGFsbGVyLmh0bWw=/db8e43d66065d

d656635ff00c50d96369d2fc4dddad18f52c5d00

05f868649b8/5b964d315dc7e865ea596350/67

3508bbeeeeed04938b399f/BCUninstaller_5

[.]8[.]2_setup[.]exe 

 
  https://download[.]fosshub[.]com/

Protected/expiretime=1738877220;

badurl=aHR0cHM6Ly93d3cuZm9z

c2h1Yi5jb20vQnVsay1DcmFwLVVu

aW5zdGFsbGVyLmh0bWw=/bd26

b0ced684ddb98f194568d7f05c819

71932a5bfb323ed73296940dd8ec74d/

5b964d315dc7e865ea596350/673508bb

eeeeed04938b399f/BCUninstaller_5[.]8[.]

2_setup[.]exe 

 
     
Malicious ZIPs  001cdd8e978b8233a958cfb81b202

72a5d3a9c53ce2eb9dda28f0755f95f3e14 

bluetoothCore.zip  
  00226d16b97c2a2201ca806491f5a6df

3650a70c19e82b791740aaef7cf93e72 

octet-stream  
  00d70985e5e73cba934ffc7b886cea5df

2d9f04c72b80f1e653ae709910666da 

FreeFireForPC.zip  
  0165aa283b6dd66db66d5865907e75

3acc68b894fc8086bffe106ac3d550d0df 

AIVoiceChanger.zip  
  020b6449605713404d9ea6bd332df47

f815663f239b39c368208158b1411efb2 

r6s-multi.zip  
  04d3477a22a0693c3278c5a86f9c882

89a7ccc2565cb61f8a78c9b269666baff 

EZFN.zip  
  054d2da6e959466490cb0c3cdc2acb9

602e47ac56b977a3d365b4d1728eb2dd5 

download  
  057121dd0ecbb242f7a26ec277249614

7ae2ec2ee03abd6e79a2bfb5a6ac60e9 

demonCore.zip  
  063d5400db74f7e064141e3cb9bdc6e

71fec88956560de94c280cf59bbc65c78 

Nihon-Executor.zip  
  3be99fb0b3bcaa125583bd1763537216

34c090233dd018e56cd3fa8ac89c3aee 

Panther-Stealer.zip  
  07aa31bd8b220f79acd6b26accfb84ab

6b67f1e6b1baa57ad2f48c5db6771ec5 

DeltaExecutor.zip  
  1097bc1ed1dd2e46f65fe16f18f431a1539

cf73f97599aec2b81d1ad07f2e485 

gta-5-online-mod-menu.zip  
  112c08db627e759a499ab96e7964425f7

21fda8b56029e15ab27c762bf1d91cc 

DeltaExecutor.zip  
  113c38d3c1b6d6a87bc99dcfda4020245

47ecdbdc1d7577a4c0cb3a88569582a 

Fortnite-External.zip  
  116760f2d7d0b138a2d62683bc08d4620

87dbd278e491177ae9c978e1fddb1a0 

roblox-multi.zip  
  11b129c8373b6621343dbfe837e21c016f6

fe1f9bdbb2a40283c15cc046fd0ba 

Matcha.rar  
  1217e31084df1dbe3fb37cd2b0c65bc70ec2

0278ab11471f0adafe845ed482d9 

roblox-counter-blox-multi.zip  
  12e5890426baa26062077ec41d407ddfcd

8df88480cce6308c0b4064530e767f 

AIAutoClicker.zip  
  1366f9bf45a11fed9ec6a2f40a571f273661523

3567c3d91bb1b09916bf5068c 

demonCore.zip  
  140c985db532c9085b2de4adcc885a67199dac2

c36a465afd7a2655b4f797b17 

TheExecutor.zip  
  14df8e6e7aadab0866e1a7b17adb247014343f5e31

43249e78a6846051b1e620 

AIVoiceChanger.zip  
  152914827e68584725b0890a46d62e45122789

d1341e50f134b586aa7e139d3c 

TemuForPC.zip  
  179e55bb20de0def4f9a5272397a11b7

cb5b4c55a24539da22720f64738a95eb 

AutoClicker.zip  
  17e0302f15475a90e807550ea4abe57f

e75a3630fbcc6d9b8feec4c645b7c31b 

Roblox-Injector.zip  
  17eff164be5859f8ed5b4c4d9969f9384

523f4ac9a8bd1b6e73ee2ea7d1761e2 

1vqckj.zip  
  188148aae3bdf973ba88b387db68feae

da58daf3a70477766ac34f3b125651a9 

Roblox-MMap-Injector.zip  
  19c6d61936af8a650eebe50b7a21260

cbc365cb09e27b9104a095eda3dbc85a9 

release-delta-executor.zip  
  1aa12327f111d30f0a973070e2a941322b0

7710b9c90c02b0c5c0eda26c902cc 

DeltaExecutor.zip  
  1baea27d6148bf630d85c28b24d5aa91

14ad32800d10f2977acecd7845275ecf 

Osiris.zip  
  1cdd70b8b8aac60584f17b9396c5f8086

105c92e630fcb81649d395c461c71f9 

TLifeForPC.zip  
  1db8d6d66ab97ed3e1415a02b356a05d8

ec846d69e5fa533f443b8d5d29949ef 

ProExt.zip  
  206265f971c6b6bea2b74ceef0ec1417e79

54d2cb83261ffa1b63f82964e5792 

Lo4f-Malware.zip  
  347601eae5851ef7a6cf5a6b7f93ae6078

969bafd191f6a8812a20fa6bf43996 

pubg-cheat.zip  
  35aa1d44c71bdac70faa11b51fc29c13348e

99cf981faa7119861df3ab7e50ba 

Complex.zip  
  36b339f53a8bf65b030bedf5ad3bfde04eb

dad3b150ec75ebb77f4a4b3c0cdd7 

HWIDSpoofer.zip  
  37aead580cea7b82a1e76cb642a9269b9a

d1dcdb60f36660e59ee5f8e00cc7b8 

AIVoiceChanger.zip  
  42b0ba7953a014a56a27c07cb8c97c0109

a1b38b78f34f230ea356f9403007ee 

sony-playstation-vita-emulator.zip  
  3a02d75900ba42443c40667182711584b

83844911fdf212747b1e087269d3632 

FortniteDev.zip  
  3dafa158ccb63f989aaab41541ea9c02d2cf1a

2b5f50c5a7b98abc1bcadd73f1 

r6-multi.zip  

The post AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign appeared first on McAfee Blog.

  •  
❌