Albiriox now targets over 400 financial apps and lets criminals operate your phone almost exactly as if it were in their hands.

Albiriox is a new family of Android banking malware that gives attackers live remote control over infected phones, letting them quietly drain bank and crypto accounts during real sessions.

Researchers have analyzed a new Android malware family called Albiriox which is showing signs of developing rapidly and already has strong capabilities. Albiriox is sold as Malware-as-a-Service (MaaS), meaning entry-level cybercriminals can simply rent access and launch their own fraud campaigns. It was first observed in September 2025 when attackers started a limited recruitment phase.

Albiriox is an Android Remote Access Trojan (RAT) and banking Trojan built for on-device fraud, where criminals perform transactions directly on the victim’s phone instead of just stealing passwords. It has a structured architecture with loaders, command modules, and control panels tailored to financial apps and cryptocurrency services worldwide.

In one early campaign, Albiriox targeted Austria. But unlike older mobile malware that focused on a single bank or country, Albiriox already targets hundreds of banking, fintech, payment, and crypto apps across multiple regions. Its internal application-monitoring database included more than 400 applications.

Since it’s a MaaS service, attackers can distribute Albiriox in any way they like. The usual methods are through fake apps and social engineering, often via smishing or links that impersonate legitimate brands or app stores. In at least one campaign, victims were lured with a bogus retailer app that mimicked a Google Play download page to trick them into installing a malicious dropper.

The first app victims see is usually just a loader that downloads and installs the main Albiriox payload after gaining extra permissions. To stay under the radar, the malware uses obfuscation and crypting services to make detection harder for security products.

**What makes Albiriox stand out?**

Albiriox combines several advanced capabilities that work together to give attackers almost the same control over your phone as if they were holding it in their hands:

*   **Live remote control**: The malware streams the device screen to the attacker, who can tap, swipe, type, and navigate in real time.
*   **On‑device fraud tools:** Criminals can open your banking or crypto apps, start transfers, and approve them using your own device and session.
*   **Accessibility abuse:** It misuses Android Accessibility Services to automate clicks, read on‑screen content, and bypass some security prompts.
*   **Overlay attacks** (under active development): It can show fake login or verification screens on top of real apps to harvest credentials and codes, with templates that are being refined.
*   **Black****‑****screen masking:** The malware can show a black or fake screen while the attacker operates in the background, hiding fraud from the user.

The live remote control is hidden by this masking, so victims don’t notice anything going on.

Because the fraud happens on the victim’s own device and session, criminals can often bypass multi-factor authentication and device-fingerprinting checks.

**How to stay safe**

If you notice strange behavior on your device or spot apps with generic names that include “utility,” “security,” “retailer,” or “investment” that you don’t remember installing from the official Play Store, run a full system scan with a trusted Android anti-malware solution.

But prevention is better:

*   Only install apps from official app stores whenever possible and avoid installing apps promoted in links in SMS, email, or messaging apps.
*   Before installing finance‑related or retailer apps, verify the developer name, number of downloads, and user reviews rather than trusting a single promotional link.
*   Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
*   Scrutinize permissions. Does an app really need the permissions it’s requesting to do the job you want it to do? Especially if it asks for accessibility, SMS, or camera access.
*   Keep Android, Google Play services, and all banking or crypto apps up to date so you get the latest security fixes.
*   Enable multi-factor authentication on banking and crypto services, and prefer app‑based or hardware‑based codes over SMS where possible. And if possible, set up account alerts for new payees, large transfers, or logins from new devices.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 New Android malware lets criminals control your phone and drain your bank account 

Scams are sneakier, more direct, and harder to spot than ever, so we're proud to work with GASA to help keep people safer online.

We are excited to share that Malwarebytes has officially joined the Global Anti-Scam Alliance (GASA) as a supporting member. Working with GASA helps us stay aligned with others who are focused on reducing scams and keeping people safer online.  

Modern-day scams aren’t the clumsy, obvious tricks they once were. They are sneakier, more direct, and harder to spot.  

Earlier this year, when we surveyed more than 1,300 people across the world about their online habits for shopping, clicking, swiping, and sending messages, we discovered a mobile landscape littered with scams: 

*   Nearly half of mobile users encounter scam attempts every day.  
*   Just 15% feel confident they can recognize one.  
*   More than a third have fallen victim, with 75% of victims saying they walked away with emotional harm and a shaken sense of trust. 

One thing is certain—scams are no longer rare; they’re a daily reality for most people, and they are taking a toll. 

As Mark Beare, general manager of consumer business for Malwarebytes, said:

> “Scams and consumer fraud aren’t fringe issues. They’ve become a global crisis, draining hundreds of billions of dollars each year and inflicting devastating emotional harm. We’re committed to tackling this complex problem through new technology like our AI-powered scam detector, Scam Guard, investigative research, industry collaboration, and perhaps most importantly, human support.”

This is exactly why we built Scam Guard, our free mobile scam detector: to give people real-time guidance, actionable tips, and simple scam reporting tools that make staying safe feel doable, not daunting. With Scam Guard, users can identify suspicious messages and links, instantly take action, and help others stay informed by reporting new scams as they appear.

Beare added: 

> “Today’s scams are sophisticated, leveraging deep-fake technology, AI-manipulated images, and highly targeted lures from the troves of data we’ve all lost in countless breaches. We’re proud to join GASA to further amplify our efforts and stop scammers in their tracks.”

At Malwarebytes, protecting people is at the heart of what we do. By partnering with the Global Anti-Scam Alliance, we’re extending that protection to more communities around the world.  

Stay protected and try Malwarebytes Scam Guard today! 

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Malwarebytes joins Global Anti-Scam Alliance (GASA) as supporting member  

A list of topics we covered in the week of November 24 to November 30 of 2025

November 28, 2025 - This blog explains why vulnerability scoring matters, how CVSS works, and what’s new in version 4.0.

November 27, 2025 - A ransomware attack against the CodeRED emergency alert platform has triggered warnings across the US.

November 27, 2025 - Scammers are stepping up their game for the holidays, impersonating brands to trick people into handing over their accounts.

November 26, 2025 - Scammers are using fake jobs and a phony video update to infect Mac users with a multi-stage stealer designed for long-term access and data theft.

November 25, 2025 - ClickFix just got more convincing, hiding malware in PNG images and faking Windows updates to make users run dangerous commands.

 A week in security (November 24 &#8211; November 30) 

This blog explains why vulnerability scoring matters, how CVSS works, and what’s new in version 4.0.

The Common Vulnerability Scoring System (CVSS) provides software developers, testers, and security and IT professionals with a standardized way to assess vulnerabilities. You can use CVSS to assess the threat level of each vulnerability and then prioritize mitigation accordingly.

This article explains how the CVSS works, reviews its components, and describes why using a standardized process helps organizations assess vulnerabilities consistently.

A software vulnerability is any weakness in the codebase that can be exploited. Vulnerabilities can result from a variety of coding mistakes, including faulty logic, inadequate validation mechanisms, or lack of protection against buffer overflows. Attackers can exploit these weaknesses to gain unauthorized access, execute arbitrary code, or disrupt system operations.

**Why use a standardized scoring system?**

With thousands of vulnerabilities disclosed each year, organizations need a way to prioritize which ones to address first. A standardized scoring system like CVSS helps teams:

*   Compare vulnerabilities objectively
*   Prioritize patching and mitigation efforts
*   Communicate risk to stakeholders

CVSS is maintained by the Forum of Incident Response and Security Teams (FIRST) and is widely used by organizations and vulnerability databases, including the National Vulnerability Database (NVD).

**CVSS v3.x metric groups**

CVSS v3.x included three main metric groups:

1.  **Base metrics:** Intrinsic characteristics of a vulnerability that are constant over time and across user environments.
2.  **Temporal metrics:** Characteristics that change over time, but not among user environments.
3.  **Environmental metrics:** Characteristics that are relevant and unique to a particular user’s environment.

**What’s new in CVSS v4.0?**

The CVSS v4.0 update, released in late 2023, brings several significant changes and improvements over previous versions (v3.0/v3.1). Here’s what’s new and what’s changed:

1. **Expanded metric groups**

*   **Base metrics** now include more granular distinctions, such as the new Attack Requirements (AT) metric and improved definitions for Privileges Required and User Interaction.
*   **Threat metrics** are a new, optional metric group for capturing real-world exploitation and threat intelligence, helping to prioritize vulnerabilities based on active exploitation.
*   **Supplemental metrics**, provide additional context—such as safety, automation, and recovery—to tailor scoring for specific industries or use cases.

2. **Refined scoring and terminology**

*   **Attack Vector (AV)** introduced a clearer distinction between network, adjacent, local, and physical vectors, with improved definitions.
*   **Attack Requirements (AT)** is introduced to capture conditions that must exist for successful exploitation, but are outside the attacker’s control.
*   **Privileges Required (PR) and User Interaction (UI)** have been clarified and expanded to reflect modern attack scenarios.
*   The scope is now called “vulnerable system,” providing more precise language about what is affected.

3. **Greater flexibility and customization**

*   **Modular scoring** allows organizations to use the base, threat, and supplemental metrics independently or together.
*   **Industry-specific extensions** let sectors like healthcare, automotive, or critical infrastructure apply more tailored scoring.

4. **Improved guidance and usability**

*   **Clearer documentation:** The new specification now includes better examples and more detailed guidance to reduce ambiguity in scoring.
*   **Backwards compatibility:** CVSS v4.0 scores are not directly comparable to v3.x scores, but the new system was designed to coexist during the transition period.

**How the CVSS scoring process works (v4.0)**

1.  **Assess the base metrics**
    *   Evaluate the exploitability and impact of the vulnerability using the updated metric definitions.
2.  **Incorporate threat metrics** (optional)
    *   If there’s intelligence about active exploitation, adjust the score accordingly to reflect real-world risk.
3.  **Add environmental and supplemental metrics**
    *   Tailor the score to your organization’s environment and industry-specific requirements.
4.  **Calculate the final score**
    *   The CVSS calculator (now updated for v4.0) combines the selected metrics to produce a score between 0.0 (no risk) and 10.0 (critical risk).

**Example of a CVSS v4.0 score**

Suppose a newly discovered vulnerability allows remote code execution over the network with no privileges required and no user interaction. Under CVSS v4.0, you would:

*   Assign the appropriate base metrics (e.g., Network, Low complexity, No privileges, No user interaction).
*   If there is evidence of active exploitation, use the threat metric to increase the urgency.
*   Add any environmental or supplemental metrics relevant to your organization.

The resulting score helps you prioritize remediation efforts based on both the technical details and the real-world threat landscape.

**Why the update matters**

The improvements in CVSS v4.0 reflect the changing nature of software vulnerabilities and the need for more nuanced, actionable risk assessments. By incorporating real-world threat intelligence and industry-specific context, organizations can make better-informed decisions about vulnerability management.

**Key takeaways:**

*   CVSS v4.0 provides more accurate, flexible, and actionable vulnerability scoring.
*   New metric groups allow for customization and real-world prioritization.
*   Organizations should transition to CVSS v4.0 for a more comprehensive approach to vulnerability risk management.

For more information and to access the latest CVSS v4.0 calculator and documentation, visit the FIRST CVSS v4.0 page**.**

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 How CVSS v4.0 works: characterizing and scoring vulnerabilities 

A ransomware attack against the CodeRED emergency alert platform has triggered warnings across the US.

A nationwide cyberattack against the OnSolve CodeRED emergency notifications system has prompted cities and counties across the US to warn residents and advise them to change their passwords.

CodeRED is used by local governments to deliver fast, targeted alerts during severe weather, evacuations, missing persons, and other urgent events. Both the data breach and the service outage have serious implications for communities.

The OnSolve CodeRED system is a cloud-based platform used by city, county, and state agencies to send emergency alerts via voice calls, SMS, email, mobile app notifications, and national alerting systems. Because of the incident, some regions temporarily lost access to the system and had to rely on social media or other methods to reach the public.

To avoid confusion: CodeRED is not the same as the Emergency Alert System (EAS), which is the federal government-managed emergency notifications system. The CodeRED emergency notification system is a voluntary program where residents can sign up to receive notifications and emergency alerts affecting the city they live in.

**What’s happened?**

Among the many affected municipalities, the City of Cambridge’s Emergency Communications, Police, and Fire Departments issued an alert urging users to change their passwords, especially if they reused the same password elsewhere. Similar advisories have been published by towns and counties in multiple states as the scale of the attack became clear.

The City of University Park, Texas, also warned residents:

> “As a precaution, we want to make residents aware of a recent cybersecurity incident involving the City’s third-party emergency alert system, CodeRED. We were notified that a cybercriminal group targeted the system, which caused disruption and may have compromised some user data. This incident did not affect any City systems or services and remains isolated to the CodeRED software.”

The cause is reportedly a ransomware attack claimed by the INC Ransom group. The group posted screenshots that appear to show stolen customer data, including email addresses and associated clear-text passwords.

The INC Ransom group also published part of the alleged ransom negotiation, suggesting that Crisis24 (the provider behind CodeRED) initially offered $100,000, later increasing the offer to $150,000, which INC rejected.

The incident forced Crisis24 to shut down its legacy environment and rebuild the system in a new, isolated infrastructure. Some regions, such as Douglas County, Colorado, have terminated their CodeRED contracts following the outage.

****Why this matters****

Cyberattacks happen, and data breaches are not always preventable. But storing your subscriber database—including passwords in clear text—seems rather careless. Providers should assume people reuse passwords, especially for accounts they don’t view as very sensitive.

Not that ransomware groups care, of course, but systems like CodeRED genuinely saves lives. When that system goes down or cannot be trusted, communities may miss evacuation orders, severe weather warnings, or active-shooter alerts when minutes matter.

Users are now being told to change their passwords, sometimes across multiple websites. But has everyone been notified? And even if they have, will they actually take action?

**Protecting yourself after a data breach**

If you think you have been the victim of a data breach, here are steps you can take to protect yourself:

*   **Check the vendor’s advice.** Every breach is different, so check with the vendor to find out what’s happened and follow any specific advice it offers.
*   **Change your password.** You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
*   **Enable two-factor authentication (2FA****).** If you can, use a FIDO2-compliant hardware key, laptop, or phone as your second factor. Some forms of 2FA can be phished just as easily as a password, but 2FA that relies on a FIDO2 device can’t be phished.
*   **Watch out for impersonators.** The thieves may contact you posing as the breached platform. Check the official website to see if it’s contacting victims and verify the identity of anyone who contacts you using a different communication channel.
*   **Take your time.** Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
*   **Consider not storing your card details**. It’s definitely more convenient to let sites remember your card details, but we highly recommend not storing that information on websites.
*   **Set up identity monitoring**, which alerts you if your personal information is found being traded illegally online and helps you recover after.

**We don’t just report on threats—we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

 Millions at risk after nationwide CodeRED alert system outage and data breach 

Scammers are stepping up their game for the holidays, impersonating brands to trick people into handing over their accounts.

The FBI has issued a public service announcement warning about a surge in account takeover (ATO) fraud, and the timing lines up with a major alert Amazon has just sent to its 300 million customers about brand impersonation scams.

**How ATO fraud works**

Account takeover fraud is just what it says: Scammers figure out a way to hijack your account and use it for their own gain. It affects everything from email and social media to retailer, travel, and banking accounts. Criminals use plenty of tactics, including malware on your computer or phone, or “credential stuffing,” where they try compromised passwords across lots of sites.

The FBI’s new alert focuses on attackers who impersonate customer support or tech support from your bank. Amazon’s warning describes almost identical techniques, but aimed at Amazon shoppers instead of banking customers.

Attackers send texts, emails and make phone calls designed to fool you into giving away your username and password, and even your multi-factor authentication (MFA) codes. Once they’re in the account, scammers quickly reset passwords or other access controls, locking you out of your own account.

****Fake websites, fake alerts, and fake customer support****

The FBI highlights another technique used for similar purposes: website-based phishing. The scammer will direct you to a fake site that looks just like your bank’s login page. The moment you enter your details, the criminals steal them and use them on the real banking site.

Amazon says the same thing is happening to its customers. In a warning email sent November 24, it listed the attacks it is seeing most often:

*   Fake delivery notices or account-issue messages
*   Third-party ads offering unbelievable deals
*   Messages via unofficial channels requesting login or payment information
*   Links to look-alike websites
*   Unsolicited “Amazon support” phone calls

One of the FBI’s examples mirrors this almost exactly: Attackers claim there has been fraudulent activity on your account and urge you to click a link to “fix” it, but it sends you straight to a phishing site.

**How do the scammers get you to these sites?**

Search engine optimization (SEO) poisoning is one common technique, the FBI says. Scammers buy ads with search engines that direct users to their malicious sites. Many mimic household names with tiny variations that are easy to miss when you’re in a hurry.

Amazon’s warning is backed up by research from FortiGuard Labs, which found that 19,000+ new domains set up to imitate major retail brands. 2,900 of those were proven to be malicious.

This wave of impersonation attacks isn’t limited to search ads and look-alike domains. Researchers have also uncovered a system called Matrix Push C2 that abuses browser push notifications to deliver fake alerts designed to look like they’re from trusted brands such as Netflix, PayPal, and Cloudflare. Once clicked, those alerts lead victims to phishing pages or malware, giving attackers yet another path to steal login details or take over accounts.

**A growing epidemic**

This type of fraud is on the rise. According to TransUnion, digital account takeover climbed 21% from H1 2024 to H1 2025, and 141% since H1 2021. It’s big business; the FBI has received over 5,100 complaints since January, and says that losses have hit $262 million.

This is a popular time for scammers to ramp up ATO fraud. Amazon’s alert comes at one of the busiest online shopping periods of the year—Black Friday and the run-up to the holidays.

And while MFA is important, it doesn’t always save you. Proofpoint found that 65% of compromised accounts had MFA enabled. But if you give up your secrets to a scammer, they have the keys to the kingdom.

Passwordless options such as passkeys promise better security because then there’s no MFA code to give up (you just use biometric access or click on a browser prompt to log in). However, those are still relatively uncommon compared to passwords, and when they do exist, people don’t often use them.

**How to protect yourself**

Cybercriminals prey on the vulnerable and the distracted. Brand impersonation works because attackers lean hard on urgency. They claim your account has been breached, or a large transaction has gone through, or a delivery can’t be completed.

Scammers are experts at using fear to get past your emotional defenses. In one inventive twist highlighted by the FBI, scammers told victims their details were used for firearms purchases, then transferred them to a fake “law enforcement” accomplice. Once fear kicks in, people act fast.

Whether the scammer is posing as Amazon, your bank, or a courier service, the same rules apply:

*   **Bookmark your bank and retailer login pages.** Don’t search for them, as results can be spoofed.
*   **Use official apps.** Download your bank or Amazon app directly from an official link, not through a search engine.
*   **Be stingy with personal info.** Pet names, schools, and birthdays can help criminals with “security questions.”
*   **Be skeptical of caller ID.** It can be spoofed. Hang up, then call back using a verified number.
*   **Use passkeys if offered.** They cut out SMS codes entirely and help prevent phishing.
*   **Never share one-time codes.** No legitimate company will ask.

Amazon also reminds users:

*   It will **never** ask for payment information over the phone.
*   It will **never** send emails asking customers to verify login details.
*   All account changes, tracking, and refunds should go through the Amazon app or website only.

If you do think you’ve been hit by an ATO scam, contact your bank immediately to try and recall or reverse any fraudulent transactions. It might still not be too late, but every second counts. Also, file a complaint with the FBI’s IC3 online crime unit.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Holiday shoppers targeted as Amazon and FBI warn of surge in account takeover attacks 

Scammers are using fake jobs and a phony video update to infect Mac users with a multi-stage stealer designed for long-term access and data theft.

Researchers have discovered a new attack targeting Mac users. It lures them to a fake job website, then tricks them into downloading malware via a bogus software update.

The attackers pose as recruiters and contact people via LinkedIn, encouraging them to apply for a role. As part of the application process, victims are required to record a video introduction and upload it to a special website.

On that website, visitors are tricked into installing a so-called update for FFmpeg media file-processing software which is, in reality, a backdoor. This method, known as the Contagious Interview campaign, points to the Democratic People’s Republic of Korea (DPRK).

Contagious Interview is an illicit job-platform campaign that targets job seekers with social engineering tactics. The actors impersonate well-known brands and actively recruit software developers, artificial intelligence researchers, cryptocurrency professionals, and candidates for both technical and non-technical roles.

The malicious website first asks the victim to complete a “job assessment.” When the applicant tries to record a video, the site claims that access to the camera or microphone is blocked. To “fix” it, the site prompts the user to download an “update” for FFmpeg.

Much like in ClickFix attacks, victims are given a curl command to run in their Terminal. That command downloads a script which ultimately installs a backdoor onto their system. A “decoy” application then appears with a window styled to look like Chrome, telling the user Chrome needs camera access. Next, a window prompts for the user’s password, which, once entered, is sent to the attackers via Dropbox.

Images courtesy of Jamf

The end-goal of the attackers is Flexible Ferret, a multi-stage macOS malware chain active since early 2025. Here’s what it does and why it’s dangerous for affected Macs and users:

After stealing the password, the malware immediately establishes persistence by creating a LaunchAgent. This ensures it reloads every time the user logs in, giving attackers long-term, covert access to the infected Mac.

FlexibleFerret’s core payload is a Go-based backdoor. It enables attackers to:

*   Collect detailed information about the victim’s device and environment
*   Upload and download files
*   Execute shell commands (providing full system control)
*   Extract Chrome browser profile data
*   Automate additional credential and data theft

Basically, this means the infected Mac becomes part of a remote-controlled botnet with direct access for cybercriminals.

**How to stay safe**

While this campaign targets Mac users, that doesn’t mean Windows users are safe. The same lure is used, but the attacker is known to use the information stealer InvisibleFerret against Windows users.

The best way to stay safe is to be able to recognize attacks like these, but there are some other things you can do.

*   Always keep your operating system, software, and security tools updated regularly with the latest patches to close vulnerabilities.
*   Do not follow instructions to execute code on your machine that you don’t fully understand. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
*   Use a real-time anti-malware solution with a web protection component.
*   Be extremely cautious with unsolicited communications, especially those inviting you to meetings or requesting software installs or updates; verify the sender and context independently.
*   Avoid clicking on links or downloading attachments from unknown or unexpected sources. Verify their authenticity first.
*   Compare the URL in the browser’s address bar to what you’re expecting.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Fake LinkedIn jobs trick Mac users into downloading Flexible Ferret malware 

ClickFix just got more convincing, hiding malware in PNG images and faking Windows updates to make users run dangerous commands.

Several researchers have flagged a new development in the ongoing ClickFix campaign: Attackers are now mimicking a Windows update screen to trick people into running malware.

ClickFix campaigns use convincing lures, historically “Human Verification” screens, and now a fake “Windows Update” splash page that exactly mimics the real Windows update interface. Both require the user to paste a command from the clipboard, making the attack depend heavily on user interaction.

As shown by Joe Security, ClickFix now displays its deceptive instructions on a page designed to look exactly like a Windows update.

In full-screen mode, visitors running Windows see instructions telling them to copy and paste a malicious command into the Run box.

> “Working on updates. Please do not turn off your computer.  
> Part 3 of 3: Check security  
> 95% complete
> 
> Attention!  
> To complete the update, install  
> the critical Security Update
> 
> \[… followed by the steps to open the Run box, paste “something” from your clipboard, and press OK to run it\]

The “something” the attackers want you to run is an mshta command that downloads and runs a malware dropper. Usually, the final payload is the Rhadamanthys infostealer.

**Technical details**

If the user follows the displayed instructions this launches a chain of infection steps:

*   **Stage 1:** mshta.exe downloads a script (usually JScript). URLs consistently use hex-encoding for the second octet and often rotate URI paths to evade signature-based blocklists
*   **Stage 2:** The script runs PowerShell code, which is obfuscated with junk code to confuse analysis.
*   **Stage 3:** PowerShell decrypts and loads a .NET assembly acting as a loader.
*   **Stage 4:** The loader extracts the next stage (malicious shellcode) hidden within a resource image using custom steganography. In essence, we use the name steganography for every technique that conceals secret messages in something that doesn’t immediately cause suspicion. In this case, the malware is embedded in specific pixel color data within PNG files, making detection difficult.
*   **Stage 5:** The shellcode is injected into a trusted Windows process (like explorer.exe), using classic in-memory techniques like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
*   **Final payload:** Recent attacks delivered info-stealing malware like LummaC2 (with configuration extractors provided by Huntress) and the Rhadamanthys information stealer.

**Details about the steganography used by ClickFix:**

Malicious payloads are encoded directly into PNG pixel color channels (especially the red channel). A custom steganographic algorithm is used to extract the shellcode from the raw PNG file.

*   The attackers secretly insert parts of the malware into the image’s pixels, especially by carefully changing the color values in the red channel (which controls how red each pixel is).
*   To anyone viewing the picture, it still looks totally normal. No clues that it’s something more than just an image.
*   But when the malware script runs, it knows exactly where to “look” inside the image to find those hidden bits.
*   The script extracts and decrypts this pixel data, stitches the pieces together, and reconstructs the malware directly in your computer’s memory.
*   Since the malware is never stored as an obvious file on disk and is hidden inside an innocent-looking picture, it’s much harder for anti-malware or security programs to catch.

**How to stay safe**

With ClickFix running rampant—and it doesn’t look like it’s going away anytime soon—it’s important to be aware, careful, and protected.

*   **Slow down.** Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
*   **Avoid running commands or scripts from untrusted sources.** Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
*   **Limit the use of copy-paste for commands.** Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
*   **Secure your devices.** Use an up-to-date real-time anti-malware solution with a web protection component.
*   **Educate yourself on evolving attack techniques.** Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

**Pro tip:** Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 New ClickFix wave infects users with hidden malware in images and fake Windows updates 

A weak spot in WhatsApp’s API allowed researchers to scrape data linked to 3.5 billion registered accounts, including profile photos and “about” text.

Messaging giant WhatsApp has around three billion users in more than 180 countries. Researchers say they were able to identify around 3.5 billion registered WhatsApp accounts thanks to a flaw in the software. That higher number is possible because WhatsApp’s API returns all accounts registered to phone numbers, including inactive, recycled, or abandoned ones, not just active users.

If you’re going to message a WhatsApp user, first you need to be sure that they have an account with the service. WhatsApp lets apps do that by sending a person’s phone number to an application programming interface (API). The API checks whether each number is registered with WhatsApp and returns basic public information.

WhatsApp’s API will tell any program that asks it if a phone number has a WhatsApp account registered to it, because that’s how it identifies its users. But this is only supposed to process small numbers of requests at a time.

In theory, WhatsApp should limit how many of these lookups you can do in a short period, to stop abuse. In practice, researchers at the University of Vienna and security lab SBA Research found that those “intended limits” were easy to blow past.

They generated billions of phone numbers matching valid formats in 245 countries and fired them at WhatsApp’s servers. The contact discovery API replied quickly enough for them to query more than 100 million numbers per hour and confirm over 3.5 billion active accounts.

The team sent around 7,000 queries per second from a single source IP address. That volume of traffic should raise the eyebrows of any decent IT administrator, yet WhatsApp didn’t block the IP or the test accounts, and the researchers say they experienced no effective rate-limiting:

> “To our surprise, neither our IP address nor our accounts have been blocked by WhatsApp. Moreover, we did not experience any prohibitive rate-limiting.”

**Data-palooza at WhatsApp**

The data exposed goes beyond identification of active phone numbers. By checking the numbers against other publicly accessible WhatsApp endpoints, the researchers were able to collect:

*   profile pictures (publicly visible ones)
*   “about” profile text
*   metadata tied to accounts

Profile photos were available for a large portion of users–roughly two-thirds are in the US region–based on a sample. That raises obvious privacy concerns, especially when combined with modern AI tools. The researchers warned:

> “In the hands of a malicious actor, this data could be used to construct a facial recognition–based lookup service — effectively a ‘reverse phone book’ — where individuals and their related phone numbers and available metadata can be queried based on their face.”

The “about” text, which defaults to “Hey there! I’m using WhatsApp,” can also reveal more than intended. Some users include political views, sexual identity or orientation, religious affiliation, or other details considered highly sensitive under GDPR. Others post links to OnlyFans accounts, or work email addresses at sensitive organisations including the military. That’s information intended for contacts, not the entire internet.

Although ethics rules prevented the team from examining individual people, they did perform higher-level analysis… and found some striking things. In particular, they found millions of active registered WhatsApp accounts in countries where the service is banned. Their dataset contained:

*   nearly 60 million accounts in Iran before the ban was lifted last Christmas Eve, rising to 67 million afterward
*   2.3 million accounts in China
*   1.6 million in Myanmar
*   and even a handful (five) in North Korea

This isn’t Meta’s first time accidentally serving up data on a silver platter. In 2021, 533 million Facebook accounts were publicly leaked after someone scraped them from Facebook’s own contact import feature.

This new project shows how long-lasting the effects of those leaks can be. The researchers at the University of Vienna and SBA Research found that 58% of the phone numbers leaked in the Facebook scrape were still active WhatsApp accounts this year. Unlike passwords, phone numbers rarely change, which makes scraped datasets useful to attackers for a long time.

The researchers argue that with billions of users, WhatsApp now functions much like public communication infrastructure but without anything close to the transparency of regulated telecom networks or open internet standards. They wrote,

> “Due to its current position, WhatsApp inherits a responsibility akin to that of a public telecommunication infrastructure or Internet standard (e.g., email). However, in contrast to core Internet protocols which are governed by openly published RFCs and maintained through collaborative standards — this platform does not offer the same level of transparency or verifiability to facilitate third-party scrutiny.”

So what did Meta do? It began implementing stricter rate limits last month, after the researchers disclosed the issues through Meta’s bug bounty program in April.

In a statement to SBA Research, WhatsApp VP Nitin Gupta said the company was “already working on industry-leading anti-scraping systems.” He added that the scraped data was already publicly available elsewhere, and that message content remained safe thanks to end-to-end encryption.

We were fortunate that this dataset ended up in the hands of researchers—but the obvious question is what would have happened if it hadn’t? Or whether they were truly the first to notice? The paper itself highlights that concern, warning:

> “The fact that we could obtain this data unhindered allows for the possibility that others may have already done so as well.”

For people living under restrictive regimes, data like this could be genuinely dangerous if misused. And while WhatsApp says it has “no evidence of malicious actors abusing this vector,” absence of evidence is not evidence of absence, especially for scraping activity, which is notoriously hard to detect after the fact.

**What can you do to protect yourself?**

If someone has already scraped your data, you can’t undo it. But you can reduce what’s visible going forward:

*   Avoid putting sensitive details in your WhatsApp “about” section, or in any social network profile.
*   Set your profile photo and “about” information to be visible only to your contacts.
*   Assume your phone number acts as a long-term identifier. Keep public information linked to it minimal.

**We don’t just report on data privacy—we help you remove your personal information**

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

 WhatsApp closes loophole that let researchers collect data on 3.5B accounts 

New research shows that "modded Amazon Fire TV Sticks" and piracy apps often lead to scams, stolen data, and financial loss.

Ahead of the holiday season, people who have bought cheap Amazon Fire TV Sticks or similar devices online should be aware that some of them could let cybercriminals access personal data, bank accounts, and even steal money.

BeStreamWise, a UK initiative established to counter illegal streaming, says the rise of illicit streaming devices preloaded with software that bypasses licensing and offers “free” films, sports, and TV comes with a risk.

Dodgy stick streaming typically involves preloaded or modified devices, frequently Amazon Fire TV Sticks, sold with unauthorized apps that connect to pirated content streams. These apps unlock premium subscription content like films, sports, and TV shows without proper licensing.

The main risks of using dodgy streaming sticks include:

*   **Legal risks**: Mostly for sellers, but in some cases for users too
*   **Exposure to inappropriate content**: Unregulated apps lack parental controls and may expose younger viewers to explicit ads or unsuitable content.
*   **Growing countermeasures:** Companies like Amazon are actively blocking unauthorized apps and updating firmware to prevent illegal streaming. Your access can disappear overnight because it depends on illegal channels.
*   **Malware:** These sticks, and the unofficial apps that run on them, often contain malware—commonly in the form of spyware.

BeStreamWise warns specifically about “modded Amazon Fire TV Sticks.” Reporting around the campaign notes that around two in five illegal streamers have fallen prey to fraud, likely linked to compromised hardware or the risky apps and websites that come with illegal streaming.

According to BeStreamWise, citing Dynata research:

> “1 in 3 (32%) people who illegally stream in the UK say they, or someone they know, have been a victim of fraud, scams, or identity theft as a result.”

Victims lost an average of almost £1,700 (about $2,230) each. You could pay for a lot of legitimate streaming services with that. But it’s not just money that’s at stake. In January, The Sun warned all Fire TV Stick owners about an app that was allegedly “stealing identities,” showing how easily unsafe apps can end up on modified devices.

And if it’s not the USB device that steals your data or money, then it might be the website you use to access illegal streams. FACT highlights research from Webroot showing that:

> “Of 50 illegal streaming sites analysed, every single one contained some form of malicious content – from sophisticated scams to extreme and explicit content.”

So, from all this we can conclude that illegal streaming is not the victimless crime that many assume it is. It creates victims on all sides: media networks lose revenue and illegal users can lose far more than they bargained for.

**How to stay safe**

The obvious advice here is to stay away from illegal streaming and be careful about the USB devices you plug into your computer or TV. When you think about it, you’re buying something from someone breaking the law, and hoping they’ll treat your data honestly.

There are a few additional precautions you can take though:

*   Disable auto-run or autoplay features on your computer before inserting a USB stick. This stops programs on the USB from launching automatically.
*   Mount the USB device in read-only mode if your operating system supports it (especially on Linux). This prevents any unwanted actions.
*   Use an up-to-date anti-malware solution to scan the  external drive with a Custom scan. 

If you have already used a USB device or visited a website that you don’t trust:

*   Update your anti-malware solution.
*   Disconnect from the internet to prevent any further data being sent.
*   Run a full system scan for malware.
*   Monitor your accounts for unusual activity.
*   Change passwords and/or enable multifactor authentication (MFA/2FA) on the important ones.

**We don’t just report on threats—we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Source

Malwarebytes