A new malware campaign has emerged that tricks people into downloading fake Malwarebytes software, putting their login credentials and cryptocurrency wallets at serious risk.
Security researchers observed the operation actively spreading between January 11 and January 15, 2026, using specially crafted ZIP files that impersonate official Malwarebytes installers.
The fake files are named malwarebytes-windows-github-io-X.X.X.zip, making them look authentic to unsuspecting users who believe they are downloading genuine antivirus protection.
The campaign's primary goal is to deliver information-stealing malware that harvests sensitive user data.
Content of the TXT file (Source – VirusTotal)
These malicious ZIP archives contain a dangerous combination of files designed to bypass security defenses and establish persistence on infected systems.
When users extract and run what appears to be the official Malwarebytes executable, they unknowingly trigger a chain of malicious events that ultimately compromises their security and personal information.
VirusTotal analysts identified the malware after analyzing the infection patterns and file structures, noting that all of the suspicious ZIP archives share a consistent identifier, a behash value (VirusTotal's hash of observed sandbox behaviour) of "4acaac53c8340a8c236c91e68244e6cb."
This technical marker became crucial in tracking the campaign's scope and identifying additional variants used in the operation.
The researchers documented how the malware operates through a layered technique that makes detection and analysis more difficult.
DLL Sideloading: The Attack Mechanism
The attack relies on a deceptive technique called DLL sideloading, which abuses how Windows locates and loads software libraries: the directory the executable was started from is searched before the system directories, so a DLL planted next to a legitimate program is picked up in place of the genuine copy. Here the malicious payload is hidden inside a file named CoreMessaging.dll.
The identified DLLs (Source – VirusTotal)
When the legitimate Malwarebytes executable runs, the operating system loads this malicious DLL instead of the genuine library.
Threat actors place both the fake DLL and the legitimate, signed EXE in the same folder, tricking Windows into executing the malware under the cover of a trusted program and without raising suspicion.
The malicious DLLs carry distinctive metadata, including the copyright string "© 2026 Eosinophil LLC" and unusual exported functions with random-looking alphanumeric names such as "15Mmm95ml1RbfjH1VUyelYFCf" and "2dlSKEtPzvo1mHDN4FYgv."
These characteristics allow security researchers to hunt for related samples and track the broader campaign.
Once the malicious DLL executes, it drops second-stage infostealers that specifically target cryptocurrency wallet data and saved browser credentials, enabling attackers to commit identity theft and steal cryptocurrency.
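The sideloading layout and the metadata indicators above can be turned into a simple offline triage check for a downloaded archive. The script below is an added example written for this page; it is not code from the article, from VirusTotal or from Malwarebytes. It flags an archive when (a) its filename matches the lure pattern, (b) a CoreMessaging.dll sits in the same directory as an .exe, the sideloading pairing the article describes, or (c) the raw bytes of a DLL or EXE contain the quoted copyright string (PE version resources store it as UTF-16LE) or one of the quoted export names. The sample archive it builds is constructed for the demonstration and is not a real malware sample; the directory name "Malwarebytes/" and the readme entry are assumptions.

```python
"""Offline triage of a suspected fake-Malwarebytes ZIP (added example, not the article's code)."""
from __future__ import annotations

import io
import os
import re
import zipfile
from pathlib import PurePosixPath

# Indicators quoted in the article.
ZIP_NAME_RE = re.compile(r"^malwarebytes-windows-github-io-\d+\.\d+\.\d+\.zip$", re.IGNORECASE)
SIDELOAD_DLL = "coremessaging.dll"
COPYRIGHT_STRING = "© 2026 Eosinophil LLC"
EXPORT_NAMES = ("15Mmm95ml1RbfjH1VUyelYFCf", "2dlSKEtPzvo1mHDN4FYgv")


def string_indicators(data: bytes) -> list[str]:
    """Return which quoted strings appear in a PE image's raw bytes."""
    hits: list[str] = []
    # StringFileInfo (LegalCopyright) is UTF-16LE in a real PE; also try 8-bit encodings.
    for enc in ("utf-16-le", "utf-8", "latin-1"):
        if COPYRIGHT_STRING.encode(enc) in data:
            hits.append("copyright")
            break
    # Export names live as NUL-terminated ASCII in the export name table.
    for name in EXPORT_NAMES:
        if name.encode("ascii") in data:
            hits.append(f"export:{name}")
    return hits


def triage_zip(zip_name: str, zip_bytes: bytes) -> dict:
    """Inspect an archive in memory and report lure name, sideload pairs and string hits."""
    findings: dict = {
        "name_match": bool(ZIP_NAME_RE.match(os.path.basename(zip_name))),
        "sideload_pairs": [],   # (directory, [exe names], dll name)
        "string_hits": {},      # member path -> indicators found
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]

        # Group members by directory: sideloading needs the DLL beside the EXE.
        by_dir: dict[str, list[str]] = {}
        for m in members:
            p = PurePosixPath(m.filename)
            by_dir.setdefault(str(p.parent), []).append(p.name)
        for directory, names in by_dir.items():
            lower = {n.lower(): n for n in names}
            exes = [n for n in names if n.lower().endswith(".exe")]
            if exes and SIDELOAD_DLL in lower:
                findings["sideload_pairs"].append((directory, exes, lower[SIDELOAD_DLL]))

        # Scan every PE-looking member for the quoted metadata strings.
        for m in members:
            if m.filename.lower().endswith((".dll", ".exe")):
                hits = string_indicators(zf.read(m))
                if hits:
                    findings["string_hits"][m.filename] = hits

    suspicious = bool(findings["sideload_pairs"] or findings["string_hits"])
    findings["verdict"] = "suspicious" if suspicious else "no indicators"
    return findings


def build_sample_zip(malicious: bool = True) -> bytes:
    """Constructed test archive (NOT a real sample) mimicking the described layout."""
    exe_stub = b"MZ" + b"\0" * 100  # stand-in for the legitimate signed installer
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Malwarebytes/Malwarebytes.exe", exe_stub)
        zf.writestr("Malwarebytes/readme.txt", b"run the installer")  # assumed lure text
        if malicious:
            fake_dll = (
                b"MZ" + b"\0" * 62
                + COPYRIGHT_STRING.encode("utf-16-le") + b"\0\0"
                + b"\0".join(n.encode("ascii") for n in EXPORT_NAMES) + b"\0"
            )
            zf.writestr("Malwarebytes/CoreMessaging.dll", fake_dll)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip("malwarebytes-windows-github-io-1.2.3.zip", build_sample_zip()))
    print(triage_zip("some-other-download.zip", build_sample_zip(malicious=False)))
```

The string check works on raw bytes, so a packed or encrypted payload will not match; treat a miss as inconclusive, not clean. The structural check (an unexpected CoreMessaging.dll next to an installer) is the more durable signal. On a Windows host, also confirm that the extracted EXE really is the signed Malwarebytes binary with Get-AuthenticodeSignature, and remember that a valid signature on the EXE says nothing about the DLL planted beside it.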
