
Hackers Use CypherLoc Kit for Fake Microsoft Browser-Locking Push


Jennifer sherman
May 25, 2026

A newly identified scareware kit, dubbed CypherLoc, is actively locking victims’ web browsers and coercing them into calling fake Microsoft support lines. This browser-locking push, which aims to trick users into contacting fraudulent “Microsoft support” for technical assistance scams, is detailed in a recent security analysis. The comprehensive report on CypherLoc’s operations and tactics can be

The kit has been linked to roughly 2.8 million attacks since the start of 2026, making it one of the more aggressive browser-based threats observed this year.

Unlike traditional malware that requires a file to be downloaded and installed, CypherLoc runs entirely inside the web browser. It begins with a phishing email that nudges the victim toward a malicious web page through an embedded link or an attachment.

Once the page opens, it appears completely harmless at first. Over time, it quietly transforms into a full-screen scareware environment designed to terrify the user and keep them trapped on the page.

Barracuda Research, the threat intelligence arm of Barracuda, said in a report shared with Cyber Security News that the kit combines advanced evasion techniques, aggressive browser controls, and psychological manipulation to push victims into calling fraudulent technical support phone numbers.

Researchers at the firm have been tracking this kit closely since attacks began spiking earlier this year. What makes CypherLoc stand out is how well it hides from security scanners.

CypherLoc Execution Flow (Source - Barracuda)

Its payload is encrypted and buried inside the web page code, and it will only activate if very specific conditions are met. If those conditions are missing, the page quietly redirects to a blank screen, hiding the threat from automated analysis tools and sandboxes.

The kit also fights back when someone tries to investigate it. Opening the browser’s developer tools triggers a flood of activity, including asset reloads and repeated layout recalculations, that overwhelms analysis tools and pushes the browser toward instability and system error dialogs.

Browser-Locking CypherLoc Kit

Once CypherLoc decrypts and activates, it takes full control of the browser. It switches to full-screen mode, disables right-click menus, hides the cursor, and covers the entire screen with overlays.

Every time the user tries to regain control, the page immediately relocks, creating a strong sense of entrapment. The kit adds audio pressure on top of the visual chaos. Warning sounds play automatically whenever the user clicks anywhere or the page reloads.

This extra noise makes the browser feel unstable, deepening the illusion that something is seriously wrong with the device.

Encrypted JavaScript Loader (Source - Barracuda)

To make things feel personal, CypherLoc retrieves and displays the victim’s real public IP address on the landing page, a psychological tactic designed to make the warning feel targeted and urgent.

Fake login forms also appear, asking victims to enter usernames and passwords. These forms never process any input.

Their purpose is psychological: they make the threat look legitimate, keep the victim on the page longer, and escalate panic when entering credentials fails.

A fraudulent phone number, presented as the only fix, stays prominently on screen throughout. When victims call, operators posing as Microsoft support staff continue the scam through a live conversation.

How CypherLoc Evades Detection

The technical engine behind CypherLoc is what sets it apart from older, cruder scareware. The payload is encrypted using AES and only unlocks when a specific value is present in the URL fragment.

The page also runs a series of cryptographic integrity checks before executing anything. If any check fails, the payload refuses to run and the user sees nothing suspicious.

Spoofed Login Form (Source - Barracuda)

After a successful decryption, the original page erases itself and replaces its content with a brand-new scareware page inside the browser. This sudden swap resets any live inspection scripts and makes the page feel dangerous rather than deliberately crafted.

Security teams should maintain robust anti-phishing, browser, and endpoint protections capable of detecting suspicious script behavior. User education is equally important, since legitimate security alerts never lock browsers, display phone numbers, or demand immediate action through pop-ups.
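The fragment gate and the lock controls described above can be triaged separately in captured page source. The following is an added example, not code from Barracuda's report or from the kit; the indicator ids, regexes, thresholds, sample strings and the `example.test` URLs are assumptions, including the assumption that decryption goes through the browser's WebCrypto API.

```javascript
// Added example: static triage of captured page source for the behaviours described above.
// Indicator ids, regexes and thresholds are assumptions, not Barracuda signatures.
const INDICATORS = [
  // "gate": payload stays inert unless the URL fragment supplies a value
  { id: "reads-url-fragment", group: "gate", re: /\blocation\.hash\b/ },
  { id: "aes-decrypt", group: "gate", re: /\bsubtle\.decrypt\s*\(|\bAES-(?:GCM|CBC|CTR)\b/ },
  // "lock": controls that keep the user trapped on the page
  { id: "forces-fullscreen", group: "lock", re: /\brequestFullscreen\s*\(/ },
  { id: "blocks-contextmenu", group: "lock", re: /\boncontextmenu\b|["']contextmenu["']/ },
  { id: "hides-cursor", group: "lock", re: /cursor\s*:\s*none/ },
  { id: "autoplays-audio", group: "lock", re: /<audio\b[^>]*\bautoplay\b|\.play\s*\(/i },
];

function triagePage(url, source) {
  const hits = INDICATORS.filter((i) => i.re.test(source));
  const count = (g) => hits.filter((h) => h.group === g).length;
  // Browsers never send the fragment to the server, so a URL taken from proxy
  // logs lacks it; only the link as delivered (e.g. in the email) carries it.
  const fragment = new URL(url).hash.slice(1);
  const fragmentKeyLike = /^[A-Za-z0-9_=-]{22,}$/.test(fragment) && /\d/.test(fragment);
  let verdict = "no-match";
  // Require three lock controls: a video player alone hits fullscreen + play (two).
  if (count("lock") >= 3) verdict = "browser-lock";
  else if (count("gate") === 2)
    verdict = fragmentKeyLike ? "gated-loader:replay-full-url" : "gated-loader:fragment-missing";
  return { verdict, hits: hits.map((h) => h.id) };
}

// Constructed, non-functional samples (not taken from the kit).
const DELIVERED = "var v = location.hash.slice(1);\ncrypto.subtle.decrypt(alg, key, blob);";
const RENDERED = [
  "document.documentElement.requestFullscreen();",
  'addEventListener("contextmenu", (e) => e.preventDefault());',
  '<style>body{cursor:none}</style><audio autoplay src="a.mp3"></audio>',
].join("\n");
const PLAYER = "video.requestFullscreen(); video.play();";

const EMAIL_LINK = "https://example.test/doc.html#Zk3qP9xT2mL7vB1cR8sW4yHn";
const PROXY_LOG_URL = "https://example.test/doc.html";

console.log(triagePage(EMAIL_LINK, DELIVERED).verdict);    // page as delivered
console.log(triagePage(PROXY_LOG_URL, DELIVERED).verdict); // same page, fragment lost
console.log(triagePage(EMAIL_LINK, RENDERED).verdict);     // DOM after the swap
console.log(triagePage(EMAIL_LINK, PLAYER).verdict);       // benign video page
```

A `gated-loader:fragment-missing` verdict means the URL handed to the sandbox will only reproduce the blank redirect; the full link has to be recovered from the original message before detonation.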

As attackers move away from traditional malware and toward browser-based manipulation, organizations need defenses focused on protecting people, not just devices. CypherLoc is a sharp reminder that fear itself can be a cybercriminal’s most effective tool.
