NWHStealer Malware Spreads via Fake Proton VPN Sites and Gaming Mods
Key Takeaways
- A new information stealer, NWHStealer, is actively compromising Windows systems through deceptive distribution methods.
- The malware spreads via fake VPN websites (including Proton VPN impersonations), gaming mods, and hardware utility tools.
- NWHStealer targets browser data, saved passwords, and cryptocurrency wallet information, sending encrypted stolen data to command-and-control servers.
- Attackers employ sophisticated techniques like DLL hijacking, process hollowing, UAC bypass, and scheduled tasks for persistence.
- Users should download software only from official sources and exercise extreme caution with third-party downloads or links from untrusted sites.
NWHStealer Emerges, Exploiting Trust to Compromise Windows Systems
NWHStealer, a recently identified information-stealing malware, is actively compromising Windows systems through a sophisticated campaign that leverages fake VPN websites, gaming modifications, and hardware utility tools as lures. This threat distinguishes itself by embedding malicious payloads within files that users actively seek out and download, making detection significantly more challenging than typical email-based phishing attacks.
The attackers employ a broad spectrum of distribution channels. NWHStealer is disseminated through fraudulent websites impersonating legitimate services, code-hosting platforms such as GitHub and GitLab, file-sharing sites like MediaFire and SourceForge, and even malicious links embedded in gaming and security-related YouTube videos.
The malware often masquerades as legitimate and desirable software, including VPN installers, hardware diagnostic utilities like OhmGraphite, Pachtop, and Sidebar Diagnostics, as well as popular gaming cheats and mods such as Xeno. This extensive reach across seemingly trustworthy platforms renders the campaign particularly hazardous.
Analysts at Malwarebytes have identified and tracked multiple active campaigns distributing NWHStealer. Their research indicates that the stealer can be loaded either through self-injection or by injecting itself into legitimate Windows processes, such as Microsoft’s Assembly Registration Tool, RegAsm.
Malwarebytes researchers observed that initial loaders often include additional wrappers, such as MSI packages and Node.js, before the final payload is delivered. According to a report authored by Malware Research Engineer Gabriele Orini, once NWHStealer successfully infiltrates a victim’s system, it is capable of exfiltrating browser data, saved passwords, and cryptocurrency wallet information. This stolen data can then be used by attackers for account takeover, fund depletion, or to facilitate subsequent attacks.
Immediate Risks and Technical Modus Operandi
Victims face severe immediate consequences. NWHStealer enumerates over 25 folders and registry keys associated with cryptocurrency wallets and targets popular browsers, including Edge, Chrome, Opera, Brave, Chromium, and Firefox, to extract saved credentials and session data. The stolen information is encrypted using AES-CBC before being transmitted to the attacker’s command-and-control (C2) server. To ensure operational resilience, if the primary C2 server becomes unavailable, the malware retrieves a new C2 domain via a Telegram-based dead drop mechanism.
A notable distribution vector identified in this campaign involves a free web hosting provider, onworks[.]net, which is ranked among the top 100,000 websites globally. This platform was found to host malicious ZIP archives within its download section. Files deceptively named like HardwareVisualizer_1.3.1.zip and Sidebar Diagnostics-3.6.5.zip appear innocuous but contain embedded malicious code that initiates the infection chain upon execution by the user.
Inside the Infection Mechanism
NWHStealer employs a multi-layered infection mechanism designed to evade detection at various stages. In one observed scenario, the malicious code is directly embedded within a seemingly legitimate executable, such as HardwareVisualizer.exe. When launched, this loader executes a series of operations: it first checks for analysis tools and terminates if any are found, then utilizes a custom decryption function for string processing, resolves Windows API functions via LoadLibraryA and GetProcAddress, and finally decrypts and loads the subsequent payload using AES-CBC through BCrypt APIs. The loader also incorporates junk code to complicate analysis and confuse automated detection tools.
In another documented case, fake Proton VPN websites distribute a malicious ZIP archive that leverages DLL hijacking to execute the stealer. Here, a file masquerading as a WinRAR executable contains a malicious library named WindowsCodecs.dll. This DLL decrypts two embedded resources, one of which is a second-stage DLL called runpeNew.dll. This second-stage DLL performs process hollowing, injecting the final NWHStealer payload into a running Windows process, such as RegAsm.exe, using low-level APIs like NtProtectVirtualMemory and NtAllocateVirtualMemory.
Once injected into the system, the malicious DLL uses PowerShell to create hidden directories within LOCALAPPDATA, adds these directories to Windows Defender exclusions, and forces a Group Policy update to solidify its changes. Additionally, scheduled tasks are established to ensure the payload runs at user logon with elevated privileges, providing the malware with persistent access. To bypass User Account Control (UAC), the stealer employs a known CMSTP UAC bypass technique, generating a random .inf file in the temporary folder and using cmstp.exe to elevate privileges without triggering a visible prompt.
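The behaviours described in this section leave a recognisable trail in process-creation telemetry. The script below is an added example (not code from the article, Malwarebytes, or the malware) that runs a handful of detection rules over constructed Sysmon-style process events: a PowerShell Defender exclusion under LOCALAPPDATA, a logon scheduled task at highest run level pointing into a user-writable path, cmstp.exe handed an .inf from a temp folder, and RegAsm.exe started by something outside the .NET build toolchain. The event dictionaries, the paths and the "RegAsm is normally only launched by build tooling" baseline are assumptions for the example and should be tuned to your own environment.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
# Each one mirrors a behaviour the article attributes to NWHStealer; the paths and file
# names are made up for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\alice\Downloads\HardwareVisualizer.exe",
     "CommandLine": r'powershell -w hidden Add-MpPreference -ExclusionPath "C:\Users\alice\AppData\Local\svc_cache"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks /create /tn "Updater" /sc onlogon /rl highest /tr "C:\Users\alice\AppData\Local\svc_cache\run.exe"'},
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"cmstp.exe C:\Users\alice\AppData\Local\Temp\k9f3x.inf"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Users\alice\Downloads\WinRAR.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
]

# Parents from which RegAsm.exe is expected in this (assumed) environment: developer tooling only.
EXPECTED_REGASM_PARENTS = re.compile(r"\\(microsoft visual studio|msbuild|microsoft\.net)\\")


def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every detection rule the event matches."""
    findings: List[str] = []
    image = _basename(event["Image"])
    parent_full = event["ParentImage"].lower()
    cmd = event["CommandLine"].lower()

    # Rule 1: Defender exclusion added for a directory under AppData\Local.
    if (image in ("powershell.exe", "pwsh.exe")
            and "add-mppreference" in cmd and "exclusionpath" in cmd
            and re.search(r"\\appdata\\local\\", cmd)):
        findings.append("defender-exclusion-localappdata")

    # Rule 2: logon scheduled task at highest run level whose target lives in a user-writable path.
    if (image == "schtasks.exe" and "/create" in cmd and "onlogon" in cmd
            and "/rl highest" in cmd
            and re.search(r"\\(appdata|users\\[^\\]+\\downloads)\\", cmd)):
        findings.append("elevated-logon-task-user-path")

    # Rule 3: cmstp.exe given an .inf file that sits in a temp directory.
    if image == "cmstp.exe" and re.search(r"\\temp\\[^\s\"]+\.inf", cmd):
        findings.append("cmstp-inf-from-temp")

    # Rule 4: RegAsm.exe (the hollowing host named in the article) with an unexpected parent.
    if image == "regasm.exe" and not EXPECTED_REGASM_PARENTS.search(parent_full):
        findings.append("regasm-unusual-parent")

    return findings


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index every event that matched at least one rule."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}  <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Rule 4 is the noisiest of the four: any build server that legitimately runs RegAsm.exe needs its parent processes added to the expected list before the rule is useful.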
What You Should Do
- Always download software exclusively from official vendor websites. Avoid third-party download mirrors or unofficial repositories.
- Exercise extreme caution with files obtained from code-hosting platforms (e.g., GitHub, GitLab) or file-sharing sites (e.g., MediaFire, SourceForge) unless the publisher’s legitimacy is unequivocally verified.
- Before executing any downloaded file, meticulously check its digital signature and publisher details to confirm authenticity.
- Never download tools or software via links provided in YouTube video descriptions or comments, as these are frequently used for malware distribution.
- Prior to extracting or running software from compressed archives, verify the integrity, signature, and version information of all contained executables.
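A practical way to apply the last recommendation, and to catch the DLL-hijacking layout described earlier (a DLL named like a Windows system library packed beside a look-alike WinRAR.exe), is to inventory an archive before anything in it is run. The following is an added example, not code from the article or from any tool it mentions: it hashes every executable-looking member of a ZIP, checks for the MZ header, and flags a DLL that sits in the same folder as an EXE or that carries a system DLL name. The archive is constructed in memory with placeholder bytes, and the SYSTEM_DLL_NAMES set is an assumption seeded only with the name the article gives.

```python
import hashlib
import io
import posixpath
import zipfile
from typing import Dict, List

# DLL names that Windows itself provides. The article's sample ships WindowsCodecs.dll next to a
# fake WinRAR.exe so the executable loads the bundled copy. This set is an assumption for the
# example; extend it from a baseline of your own System32 directory.
SYSTEM_DLL_NAMES = {"windowscodecs.dll"}

PE_EXTENSIONS = (".exe", ".dll", ".msi")


def build_sample_archive() -> bytes:
    """Constructed ZIP mirroring the layout described in the article.
    The member contents are placeholder bytes, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ProtonVPN_Setup/WinRAR.exe", b"MZ placeholder, not a real program")
        zf.writestr("ProtonVPN_Setup/WindowsCodecs.dll", b"MZ placeholder, not a real library")
        zf.writestr("ProtonVPN_Setup/README.txt", b"constructed sample archive")
    return buf.getvalue()


def inspect_archive(data: bytes) -> Dict[str, List]:
    """Hash every PE-like member and flag the bundled-DLL-beside-EXE layout."""
    entries: List[Dict] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.lower().endswith(PE_EXTENSIONS):
                continue
            payload = zf.read(info)
            entries.append({
                "name": info.filename,
                "dir": posixpath.dirname(info.filename),
                "size": info.file_size,
                "sha256": hashlib.sha256(payload).hexdigest(),
                "has_mz_header": payload[:2] == b"MZ",
            })

    # Folders that contain at least one .exe; a DLL in such a folder is a sideloading candidate.
    dirs_with_exe = {e["dir"] for e in entries if e["name"].lower().endswith(".exe")}
    findings: List[str] = []
    for e in entries:
        base = posixpath.basename(e["name"]).lower()
        if not e["has_mz_header"]:
            findings.append(f"not-a-pe-file: {e['name']}")
        if base.endswith(".dll") and e["dir"] in dirs_with_exe:
            findings.append(f"dll-beside-exe: {e['name']}")
        if base in SYSTEM_DLL_NAMES:
            findings.append(f"system-dll-name: {e['name']}")
    return {"entries": entries, "findings": findings}


if __name__ == "__main__":
    result = inspect_archive(build_sample_archive())
    for e in result["entries"]:
        print(f"{e['sha256'][:16]}...  {e['size']:>8}  {e['name']}")
    for f in result["findings"]:
        print("FINDING:", f)
```

The SHA-256 values the script prints are what you would compare against the vendor's published hashes or submit to a reputation service; signature and version checks still need Windows tooling such as Get-AuthenticodeSignature on the extracted files.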
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.