A new and sophisticated malware campaign masquerading as legitimate software installers has been uncovered. In a recent analysis, Security Engineer Joseliyo Sánchez details an active operation observed between January 11 and January 15, 2026, where threat actors are impersonating the popular anti-malware software Malwarebytes to distribute information-stealing payloads.
The campaign was identified through a “Flash Hunting Findings” initiative, tracking a specific set of malicious ZIP archives. These files, often named using the pattern malwarebytes-windows-github-io-X.X.X.zip, rely on social engineering to trick users into executing them.
“The primary samples identified are ZIP files that mostly reference the MalwareBytes company and software… A notable feature for identification is that all of them share the same behash.”
The investigation highlights a specific behavioral hash (behash) — 4acaac53c8340a8c236c91e68244e6cb — which serves as a fingerprint for the campaign’s initial stage.
Rather than using a malicious executable directly, the attackers employ a “DLL Sideloading” technique. This method involves bundling a legitimate, trusted executable with a malicious Dynamic Link Library (DLL) file named CoreMessaging.dll.
“The campaign relies on a trusted executable to trick the operating system into loading a malicious payload, leading to the execution of secondary-stage infostealers.”
When a victim runs the legitimate executable found in the ZIP, the operating system inadvertently loads the malicious DLL located in the same folder.
“When an analyst or user runs the legitimate EXE, the operating system is tricked into loading the malicious CoreMessaging.dll.”
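A defender-side check for the archive layout described above, written as an added example (not tooling from Sánchez's analysis): it flags any folder in a ZIP where a PE executable sits next to a DLL whose name shadows a Windows system library (CoreMessaging.dll here), and reports whether that DLL carries the metadata strings quoted later in the write-up. The sample archive is constructed inline and is not a real campaign file.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Added heuristic (not the original post's tooling): a DLL shipped next to an
# EXE in the same archive folder, named like a Windows system DLL, is a
# sideloading candidate. CoreMessaging.dll is the name reported in the campaign.
SHADOWED_DLL_NAMES = {"coremessaging.dll"}
# Metadata strings quoted in the write-up; PE version resources are UTF-16LE,
# so both encodings are searched.
MARKERS = ["Peastaking plenipotence", "Eosinophil LLC"]

def is_pe(data: bytes) -> bool:
    return data[:2] == b"MZ"

def find_markers(data: bytes) -> list:
    return [m for m in MARKERS
            if m.encode("ascii") in data or m.encode("utf-16-le") in data]

def find_sideload_candidates(zip_bytes: bytes) -> list:
    """One finding per (EXE, shadowed DLL) pair that share an archive folder."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_dir = {}
        for info in zf.infolist():
            if not info.is_dir():
                p = PurePosixPath(info.filename)
                by_dir.setdefault(str(p.parent), []).append((p.name, info))
        for folder, files in by_dir.items():
            exes = [n for n, i in files
                    if n.lower().endswith(".exe") and is_pe(zf.read(i))]
            for name, info in files:
                if exes and name.lower() in SHADOWED_DLL_NAMES:
                    data = zf.read(info)
                    findings.append({"folder": folder, "exe": exes[0], "dll": name,
                                     "dll_is_pe": is_pe(data),
                                     "markers": find_markers(data)})
    return findings

def build_sample_zip() -> bytes:
    """Constructed archive mimicking the described layout; not a real sample."""
    dll = (b"MZ" + b"\x00" * 32
           + "Peastaking plenipotence ductileness".encode("utf-16-le")
           + b"\x00" * 8 + "\u00a9 2026 Eosinophil LLC".encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("malwarebytes-windows-github-io-1.0.0/Setup.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("malwarebytes-windows-github-io-1.0.0/CoreMessaging.dll", dll)
        zf.writestr("malwarebytes-windows-github-io-1.0.0/Agreement_About.txt", b"...")
    return buf.getvalue()
```

Run `find_sideload_candidates(build_sample_zip())` to see one finding; extend SHADOWED_DLL_NAMES with other commonly shadowed system DLLs to widen the triage net.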
Sánchez’s analysis uncovered unique metadata within the malicious DLLs that allowed for broader infrastructure mapping. The files contained bizarre signature strings, such as “Peastaking plenipotence ductileness chilopodous codicillary” and a copyright string for a likely fictitious entity: “© 2026 Eosinophil LLC”.
Furthermore, a seemingly innocuous text file found in the archives, often named gitconfig.com.txt or Agreement_About.txt, provided a pivot point for researchers. By analyzing execution parents on VirusTotal, the investigation linked this campaign to other fake installers for software like Logitech G Hub, OpenIV, and Asus Armoury Crate.

The endgame of this campaign is the deployment of secondary-stage payloads designed to strip the victim’s machine of sensitive data. Sandbox analysis flagged these payloads as STEALER (BrowserStealerGeneric).
The malware specifically targets cryptocurrency assets and multifactor authentication (MFA) tools.
“This malicious component is identified by various YARA rules, including those specifically designed to detect signatures associated with stealing cryptocurrency wallet browser extension IDs among others.”
This report underscores the importance of verifying software sources, even when the executable appears to be signed and trusted.