NWHStealer Malware Spreads via Fake Proton VPN Sites and Gaming Mods

Jennifer Sherman
April 16, 2026

Key Takeaways

  • A new information stealer, NWHStealer, is actively compromising Windows systems through deceptive distribution methods.
  • The malware spreads via fake VPN websites (including Proton VPN impersonations), gaming mods, and hardware utility tools.
  • NWHStealer targets browser data, saved passwords, and cryptocurrency wallet information, sending encrypted stolen data to command-and-control servers.
  • The infection chain uses DLL hijacking and process hollowing to load the stealer, a CMSTP-based UAC bypass to elevate privileges, and Windows Defender exclusions plus a logon-triggered scheduled task for persistence.
  • Users should download software only from official sources and exercise extreme caution with third-party downloads or links from untrusted sites.

NWHStealer Emerges, Exploiting Trust to Compromise Windows Systems

NWHStealer, a recently identified information-stealing malware, is actively compromising Windows systems through a sophisticated campaign that leverages fake VPN websites, gaming modifications, and hardware utility tools as lures. This threat distinguishes itself by embedding malicious payloads within files that users actively seek out and download, making detection significantly more challenging than typical email-based phishing attacks.

The attackers employ a broad spectrum of distribution channels. NWHStealer is disseminated through fraudulent websites impersonating legitimate services, code-hosting platforms such as GitHub and GitLab, file-sharing sites like MediaFire and SourceForge, and even malicious links embedded in gaming and security-related YouTube videos.

The malware often masquerades as legitimate and desirable software, including VPN installers, hardware diagnostic utilities like OhmGraphite, Pachtop, and Sidebar Diagnostics, as well as popular gaming cheats and mods such as Xeno. This extensive reach across seemingly trustworthy platforms renders the campaign particularly hazardous.

Analysts at Malwarebytes have identified and tracked multiple active campaigns distributing NWHStealer. Their research indicates that the stealer can be loaded either through self-injection or by injecting itself into a legitimate Windows process, such as RegAsm.exe, the .NET Assembly Registration Tool.

Malwarebytes researchers observed that initial loaders often include additional wrappers, such as MSI packages and Node.js, before the final payload is delivered. According to a report authored by Malware Research Engineer Gabriele Orini, once NWHStealer successfully infiltrates a victim’s system, it is capable of exfiltrating browser data, saved passwords, and cryptocurrency wallet information. This stolen data can then be used by attackers for account takeover, fund depletion, or to facilitate subsequent attacks.

Immediate Risks and Technical Modus Operandi

Victims face severe immediate consequences. NWHStealer enumerates over 25 folders and registry keys associated with cryptocurrency wallets and targets popular browsers, including Edge, Chrome, Opera, Brave, Chromium, and Firefox, to extract saved credentials and session data. The stolen information is encrypted with AES-CBC before being transmitted to the attacker’s command-and-control (C2) server, so network inspection cannot rely on seeing the plaintext; detection has to key on the destination and traffic pattern instead. To ensure operational resilience, if the primary C2 server becomes unavailable, the malware retrieves a new C2 domain via a Telegram-based dead drop mechanism.

A notable distribution vector identified in this campaign involves a free web hosting provider, onworks[.]net, which is ranked among the top 100,000 websites globally. This platform was found to host malicious ZIP archives within its download section. Files with deceptive names such as HardwareVisualizer_1.3.1.zip and Sidebar Diagnostics-3.6.5.zip appear innocuous but contain embedded malicious code that initiates the infection chain once the user runs the extracted executable.

Inside the Infection Mechanism

NWHStealer employs a multi-layered infection mechanism designed to evade detection at each stage. In one observed scenario, the malicious code is directly embedded within a seemingly legitimate executable, such as HardwareVisualizer.exe. When launched, this loader first checks for analysis tools and terminates if any are found, then decrypts its strings with a custom routine, resolves the Windows API functions it needs at run time via LoadLibraryA and GetProcAddress (keeping them out of the import table), and finally decrypts and loads the next payload with AES-CBC through the BCrypt APIs. The loader also incorporates junk code to complicate manual analysis and confuse automated detection tools.

In another documented case, fake Proton VPN websites distribute a malicious ZIP archive that leverages DLL hijacking to execute the stealer. The archive pairs a file posing as a WinRAR executable with a malicious library named WindowsCodecs.dll; because the executable looks for that DLL in its own directory before the system copy, the planted library is loaded instead. This DLL decrypts two embedded resources, one of which is a second-stage DLL called runpeNew.dll. The second stage performs process hollowing, injecting the final NWHStealer payload into a legitimate Windows process, such as RegAsm.exe, using low-level APIs like NtAllocateVirtualMemory and NtProtectVirtualMemory.
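The side-loading layout above can be spotted before anything is executed: an archive that ships an executable next to a DLL whose name collides with one Windows normally supplies is the setup for DLL hijacking. The following check is an added example, not code from the article or from Malwarebytes. It inspects a ZIP in memory and reports every exe/DLL pair that shares a directory where the DLL name is on a short, illustrative list of commonly planted system DLL names; the archive contents, the WinRAR.exe file name and the directory names are constructed for the demo (only WindowsCodecs.dll comes from the text).

```python
"""Static check for DLL side-loading setups in a downloaded archive.

Added example, not the article's or Malwarebytes' code. It looks for an
executable shipped next to a DLL whose name collides with a DLL that
Windows normally supplies (WindowsCodecs.dll in the case described), so
the executable loads the planted copy from its own directory first.
"""
import io
import zipfile
from dataclasses import dataclass
from pathlib import PurePosixPath

# Windows-supplied DLL names commonly planted beside an executable for
# side-loading. Illustrative list (assumption), not an exhaustive catalogue.
SYSTEM_DLL_NAMES = {
    "windowscodecs.dll", "version.dll", "dbghelp.dll", "cryptbase.dll",
    "userenv.dll", "wtsapi32.dll", "profapi.dll", "msimg32.dll",
}


@dataclass(frozen=True)
class Finding:
    executable: str   # archive path of the exe that would load the DLL
    planted_dll: str  # archive path of the colliding DLL


def _is_pe(data: bytes) -> bool:
    """Cheap PE check: a DOS 'MZ' header (full PE parsing is out of scope)."""
    return data[:2] == b"MZ"


def find_sideload_pairs(zip_bytes: bytes) -> list[Finding]:
    """Return every (exe, system-named DLL) pair that shares a directory."""
    findings: list[Finding] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.namelist() if not m.endswith("/")]
        by_dir: dict[str, list[str]] = {}
        for m in members:
            by_dir.setdefault(str(PurePosixPath(m).parent), []).append(m)
        for files in by_dir.values():
            exes = [f for f in files
                    if f.lower().endswith(".exe") and _is_pe(zf.read(f))]
            dlls = [f for f in files
                    if PurePosixPath(f).name.lower() in SYSTEM_DLL_NAMES
                    and _is_pe(zf.read(f))]
            findings.extend(Finding(e, d) for e in exes for d in dlls)
    return findings


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {archive_path: bytes} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in members.items():
            zf.writestr(path, data)
    return buf.getvalue()


# Constructed stand-in for the fake Proton VPN archive layout the text
# describes; every name except WindowsCodecs.dll is an assumption.
FAKE_VPN_ARCHIVE = build_archive({
    "ProtonVPN_Setup/WinRAR.exe": b"MZ" + b"\x00" * 62,
    "ProtonVPN_Setup/WindowsCodecs.dll": b"MZ" + b"\x00" * 62,
    "ProtonVPN_Setup/README.txt": b"Run WinRAR.exe to extract the installer",
})

# Control: an exe shipping its own private DLL is a normal layout.
CLEAN_ARCHIVE = build_archive({
    "tool/tool.exe": b"MZ" + b"\x00" * 62,
    "tool/toolcore.dll": b"MZ" + b"\x00" * 62,
})

if __name__ == "__main__":
    for f in find_sideload_pairs(FAKE_VPN_ARCHIVE):
        print(f"SIDELOAD CANDIDATE: {f.executable} would load {f.planted_dll}")
```

A hit is not proof of malice on its own (some installers legitimately carry redistributable DLLs), but an archive that claims to be a VPN installer and contains WinRAR plus WindowsCodecs.dll is exactly the pattern to quarantine and inspect rather than run.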

Once running, the malicious DLL uses PowerShell to create hidden directories within LOCALAPPDATA, adds those directories to the Windows Defender exclusion list, and forces a Group Policy update so the change takes effect immediately. Scheduled tasks are then registered to run the payload at user logon with elevated privileges, giving the malware persistent access. To bypass User Account Control (UAC), the stealer employs a known CMSTP technique: it writes a randomly named .inf file to the temporary folder and launches it through cmstp.exe, a Microsoft-signed binary that auto-elevates, so no consent prompt is shown.
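Every step in that persistence and elevation chain leaves a process-creation record, which makes it a good fit for endpoint detection rules. The code below is an added example (not from the article or Malwarebytes): four rules run over constructed process-creation events in a simplified Sysmon-Event-1 style (image, parent, command line). The event field names, the sample command lines, the user name, the directory names and the .inf file name are all assumptions for the demo; the behaviours the rules look for are the ones the text describes.

```python
"""Detection rules for the NWHStealer persistence / UAC-bypass chain over
process-creation telemetry.

Added example, not the article's or Malwarebytes' code. Events are a
constructed, simplified Sysmon-Event-1-style record with three fields:
image, parent and cmdline (field names are an assumption).
"""
import re
from typing import Callable

Event = dict[str, str]

LOCALAPPDATA = re.compile(r"\\AppData\\Local\\", re.I)
# Parents under Windows or Program Files are treated as expected for RegAsm.exe
# (build tools, installers); anything else is worth a look.
TRUSTED_PARENT_DIRS = re.compile(
    r"^[A-Z]:\\(?:Windows|Program Files(?: \(x86\))?)\\", re.I)


def _image_is(e: Event, name: str) -> bool:
    return e["image"].lower().endswith("\\" + name.lower())


def rule_defender_exclusion(e: Event) -> bool:
    """PowerShell adding a Defender exclusion for a path under LOCALAPPDATA."""
    return (_image_is(e, "powershell.exe")
            and re.search(r"Add-MpPreference\b.*-ExclusionPath", e["cmdline"], re.I) is not None
            and LOCALAPPDATA.search(e["cmdline"]) is not None)


def rule_logon_task_elevated(e: Event) -> bool:
    """Logon-triggered task at highest run level pointing into LOCALAPPDATA."""
    c = e["cmdline"]
    via_schtasks = (_image_is(e, "schtasks.exe")
                    and re.search(r"/sc\s+onlogon", c, re.I)
                    and re.search(r"/rl\s+highest", c, re.I))
    via_ps = (_image_is(e, "powershell.exe")
              and re.search(r"Register-ScheduledTask", c, re.I)
              and re.search(r"-AtLogOn", c, re.I)
              and re.search(r"-RunLevel\s+Highest", c, re.I))
    return bool((via_schtasks or via_ps) and LOCALAPPDATA.search(c))


def rule_cmstp_inf_from_temp(e: Event) -> bool:
    """cmstp.exe handed an .inf profile that lives in a temp directory."""
    return (_image_is(e, "cmstp.exe")
            and re.search(r'\\(?:Temp|Tmp)\\[^\s"]*\.inf\b', e["cmdline"], re.I) is not None)


def rule_regasm_untrusted_parent(e: Event) -> bool:
    """RegAsm.exe started by a parent outside Windows / Program Files."""
    return _image_is(e, "RegAsm.exe") and TRUSTED_PARENT_DIRS.match(e["parent"]) is None


RULES: dict[str, Callable[[Event], bool]] = {
    "defender_exclusion_localappdata": rule_defender_exclusion,
    "logon_task_highest_localappdata": rule_logon_task_elevated,
    "cmstp_inf_from_temp": rule_cmstp_inf_from_temp,
    "regasm_untrusted_parent": rule_regasm_untrusted_parent,
}


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule an event trips."""
    return [(i, name) for i, e in enumerate(events)
            for name, rule in RULES.items() if rule(e)]


# Constructed sample telemetry (not real logs). Events 0 and 5 are benign controls.
SAMPLE_EVENTS: list[Event] = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe Get-MpPreference"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\alice\Downloads\HardwareVisualizer\HardwareVisualizer.exe",
     "cmdline": r'powershell -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Nvdx"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"schtasks /create /tn Updater /sc onlogon /rl highest /tr C:\Users\alice\AppData\Local\Nvdx\svc.exe"},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Users\alice\Downloads\HardwareVisualizer\HardwareVisualizer.exe",
     "cmdline": r"cmstp.exe /au C:\Users\alice\AppData\Local\Temp\ra3k9f.inf"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Users\alice\Downloads\HardwareVisualizer\HardwareVisualizer.exe",
     "cmdline": r"RegAsm.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"RegAsm.exe /codebase MyLib.dll"},
]

if __name__ == "__main__":
    for idx, rule_name in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name} <- {SAMPLE_EVENTS[idx]['cmdline']}")
```

The RegAsm rule is the noisiest of the four on developer workstations, which is why it keys on the parent rather than on RegAsm.exe alone; the Defender-exclusion and cmstp rules are rare enough in normal operation that a single hit justifies pulling the host.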

What You Should Do

  • Download software only from the official vendor website. Avoid third-party download mirrors and unofficial repositories.
  • Treat files obtained from code-hosting platforms (e.g., GitHub, GitLab) or file-sharing sites (e.g., MediaFire, SourceForge) with suspicion unless the publisher’s identity has been verified independently.
  • Before executing any downloaded file, check its digital signature and publisher details; an unsigned binary claiming to be a well-known product should not be run.
  • Never download tools via links in YouTube video descriptions or comments, which this campaign uses as a distribution channel.
  • Before running software from a compressed archive, inspect every executable and DLL it contains; an installer that ships a system DLL name such as WindowsCodecs.dll next to an unrelated executable is a DLL-hijacking setup, not a normal layout.
  • On managed endpoints, alert on new Windows Defender exclusions, logon-triggered scheduled tasks that point into LOCALAPPDATA, and cmstp.exe launched with an .inf file from a temporary directory, since these are the persistence and elevation steps described above.
