Modeling scammers are reinventing old tricks for the social media age—targeting not just the young, but older adults too.

The BBC reported on modeling scams targeting older models. Modeling scams aren’t new, but it’s worth looking at how they spread today, how to spot them, and—most importantly—how to avoid falling victim to them.

The classic pitch goes like this: Someone walks up to you in the street and says, “You look so good, you should be a model.” Very flattering and something many would have a hard time ignoring.

As you might expect, some of these unsolicited contacts are up to no good.

But in our current social-media-driven society, the same approach happens online—via direct messages and ads recruiting “nonstandard” models, including people way past their twenties.

For years, modeling scammers have targeted young people wanting to become rich and famous. Now, they’ve widened the net. You’ll see phrases like “silver hair models,” “mature models over 50,” or “experienced life models” to target older adults: an even more attractive target.

Scammers assume that older adults have more savings and less debt. They may also exploit social isolation and unfamiliarity with technology and online risks. This makes seniors appealing targets, especially for scams promising lucrative opportunities such as modeling contracts or paid photoshoots.

Scammers often pressure their targets to pay up front for portfolios, photoshoots and “registration fees,” steering them to specific providers and payment methods. Some insist that victims use PayPal’s Friends and Family option, which carries no extra fee but removes buyer protection and any possibility of a refund if disputes arise—meaning you cannot get your money back through PayPal.

Not every scam is about money. Some run fake casting calls or set up fabricated agency websites to collect personal information for future scams, or to obtain explicit photographs that they later sell or circulate on the dark web.

**How to avoid becoming a modeling scam victim**

*   **Research the company.** Search the school or agency name with terms like “scam,” “review,” or “complaint.” If possible, check recognized industry databases or legitimate talent listings. Inspect profiles for red flags like stolen photos or brand-new accounts with few followers.
*   **Never pay an agency up front.** Legitimate agencies earn a commission when you book work, not from “registration” or mandatory photo packages.
*   **Don’t let them dictate how to pay.** Avoid payment methods that reduce protection, like PayPal Friends and Family. If someone is specific on how you pay, that’s a warning sign.
*   **Avoid agencies that force you to use their staff for your photoshoots or auditions.** If an agency says you have to use its photographer or makeup artist, don’t work with them. An agency should let you hire your own makeup artist and photographer.
*   **Ask if the company or school is licensed or bonded, if your state requires it.** Check this information with your local consumer protection agency or your state attorney general—and make sure the license is current.
*   **Get references.** Ask for names and contact details of models or actors who’ve recently gotten work through the agency. Scam agencies sometimes display photos of successful models they never represented, or claim connections with well-known companies that never hired their talent. Verify these claims by contacting the people or companies directly.
*   **Get everything in writing.** Capture all promises and terms in a contract and keep copies of important documents.
*   **Watch for vague promises and guaranteed high earnings.** If someone promises “instant fame,” “guaranteed work,” or extremely high pay, it’s likely a scam. Legitimate modeling work is competitive and rarely guarantees jobs.
*   **Don’t send suggestive or personal photos or share private information****.** Professional agencies will not ask for explicit photos or ask for sensitive details like your address or financial information before you’re actually signed and onboarded.
*   **Trust your instincts—and get a second opinion.** If something feels off because of high-pressure tactics, pushy behavior, or you’re uncomfortable step back and rethink or ask a friend’s advice. Scammers often rush or pressure for quick commitments.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Modeling scams see mature models as attractive new prospects 

Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets.
The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web

Malware / Threat Intelligence

Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called **Nezha** into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets.

The activity, observed by cybersecurity company Huntress in August 2025, is characterized by the use of an unusual technique called log poisoning (aka log injection) to plant a web shell on a web server.

"This allowed the threat actor to control the web server using ANTSWORD, before ultimately deploying Nezha, an operation and monitoring tool that allows commands to be run on a web server," researchers Jai Minton, James Northey, and Alden Schmidt said in a report shared with The Hacker News.

In all, the intrusion is said to have likely compromised more than 100 victim machines, with a majority of the infections reported in Taiwan, Japan, South Korea, and Hong Kong.

The attack chain pieced together by Huntress shows that the attackers, described as a "technically proficient adversary," leveraged a publicly exposed and vulnerable phpMyAdmin panel to obtain initial access, and then set the language to simplified Chinese.

The threat actors have been subsequently found to access the server SQL query interface and run various SQL commands in quick succession in order to drop a PHP web shell in a directory accessible over the internet after ensuring that the queries are logged to disk by enabling general query logging.

"They then issued a query containing their one-liner PHP web shell, causing it to be recorded in the log file," Huntress explained. "Crucially, they set the log file's name with a .php extension, allowing it to be executed directly by sending POST requests to the server."

The access afforded by the ANTSWORD web shell is then used to run the "whoami" command to determine the privileges of the web server and deliver the open-source Nezha agent, which can be used to remotely commandeer an infected host by connecting to an external server ("c.mid\[.\]al").

An interesting aspect of the attack is that the threat actor behind the operation has been running their Nezha dashboard in Russian, with over 100 victims listed across the world. A smaller concentration of victims is scattered across Singapore, Malaysia, India, the U.K., the U.S., Colombia, Laos, Thailand, Australia, Indonesia, France, Canada, Argentina, Sri Lanka, the Philippines, Ireland, Kenya, and Macao, among others.

The Nezha agent enables the next stage of the attack chain, facilitating the execution of an interactive PowerShell script to create Microsoft Defender Antivirus exclusions and launch Gh0st RAT, a malware widely used by Chinese hacking groups. The malware is executed by means of a loader that, in turn, runs a dropper responsible for configuring and starting the main payload.

"This activity highlights how attackers are increasingly abusing new and emerging publicly available tooling as it becomes available to achieve their goals," the researchers said.

"Due to this, it's a stark reminder that while publicly available tooling can be used for legitimate purposes, it's also commonly abused by threat actors due to the low research cost, ability to provide plausible deniability compared to bespoke malware, and likelihood of being undetected by security products."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Chinese Hackers Weaponize Open-Source Nezha Tool in New Attack Wave

SQL injection vulnerability based on the melis-cms module of the Melis platform from Melis Technology. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'idPage' parameter in the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-mrmx-jfw8-qhgv: Melis Platform CMS SQL Injection

File upload leading to remote code execution (RCE) in the “melis-cms-slider” module of Melis Technology's Melis Platform. This vulnerability allows an attacker to upload a malicious file via a POST request to '/melis/MelisCmsSlider/MelisCmsSliderDetails/saveDetailsForm' using the 'mcsdetail_img' parameter.

GHSA-chw4-gjvw-3gxc: Melis Platform CMS Unauthenticated File Upload Leading to RCE

Vulnerability in the melis-core module of Melis Technology's Melis Platform, which, if exploited, allows an unauthenticated attacker to create an administrator account via a request to '/melis/MelisCore/ToolUser/addNewUser'.

GHSA-p3vc-g9f9-mgw4: Melis Platform CMS Unauthenticated Admin Account Creation

Researchers have found a method they called Mic-E-Mouse, which turns your computer mouse into a spy that can listen in on your conversations.

The short answer is: probably not, but theoretically it’s possible.

Researchers at the University of California found a method they called Mic-E-Mouse, which turns your computer mouse into a spy that can listen in on your conversations.

The method uses high-performance optical sensors in optical mice, combined with artificial intelligence, to filter out background noise and:

> “achieve intelligible reconstruction of user speech.”

These sensors are highly sensitive (sometimes up to 20,000 dots per inch) and can detect the tiniest vibrations. And the attack doesn’t require expensive gear—the researchers used a $35 mouse to test their method and achieved 61% accuracy.

This is a classic side-channel attack—a way of stealing secrets not by breaking into software, but by observing physical clues that devices give off during normal use.

For example, let’s suppose you wanted to figure out someone’s bank password. A direct attack might involve trying to guess or steal the password. A side-channel attack, on the other hand, would be more like watching how they type, listening to the rhythm of their keyboard, or even detecting their body language as they log in.

What’s concerning about side-channel attacks is that they often don’t leave obvious clues.

Because the computer keeps working normally, there are usually no traces in logs, security alerts, or signs that anything’s wrong. Traditional defenses like antivirus software or firewalls can’t always detect them because these attacks rely on physical behavior—how a computer uses power, emits signals, or makes noise—which can’t easily be isolated or blocked without changing how the hardware itself works.

But it is possible to counter such an attack, since Mic-E-Mouse requires the target computer to run special software that security tools may detect as malicious. At some point, the software must send the collected data to the attacker, increasing the chance it will be intercepted. To avoid detection, attackers are unlikely to reconstruct speech on the victim’s computer; instead they may transfer the raw mouse-movement files directly to a computer or server they control somewhere on the internet.

Attack flow for Mic-E-Mouse—image courtesy of researchers at the University of California

For most users, this vulnerability isn’t cause for alarm. It’s noteworthy mainly because it transforms a trusted peripheral into a potential listening device without any visible signs or behavioral changes. But as high-DPI mice are now common in offices and gaming setups, this attack vector could be exploited by cybercriminals or spies to capture personal information, trade secrets, or private conversations. So, if you’re working in environments such as corporate offices, government sites, or home offices used for confidential tasks, the risk is higher.

**What can I do about Mic-E-Mouse?**

The researchers have notified 26 affected mouse manufacturers, which are now developing fixes to protect sensor data.

Until then, if you’re worried about this type of attack being deployed against you:

*   Use a mouse mat or desk cover to reduce the mouse’s ability to collect data via vibrations.
*   Work in a noisier environment (we recommend music).
*   Keep your mouse firmware and drivers up to date—manufacturers may release security patches.
*   Use up-to-date real-time anti-malware, preferably with a web protection component to block malicious software and outgoing traffic to known malicious servers.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Is your computer mouse eavesdropping on you? 

Every year, weak passwords lead to millions in losses — and many of those breaches could have been stopped.
Attackers don’t need advanced tools; they just need one careless login.
For IT teams, that means endless resets, compliance struggles, and sleepless nights worrying about the next credential leak.
This Halloween, The Hacker News and Specops Software invite you to a live webinar: “

Password Security / Cyber Attacks

Every year, weak passwords lead to millions in losses — and many of those breaches could have been stopped.

Attackers don't need advanced tools; they just need one careless login.

For IT teams, that means endless resets, compliance struggles, and sleepless nights worrying about the next credential leak.

This Halloween, The Hacker News and Specops Software invite you to a live webinar: "Cybersecurity Nightmares: Tales from the Password Graveyard" — a chilling reality check every IT leader needs.

You'll explore real-world password breaches, why traditional password policies fail, and how new tools can help you stop attacks before they happen.

**💀 What You'll Learn**

*   Real breach stories and the lessons behind them.
*   Why complexity alone doesn't protect your users.
*   How Specops blocks breached passwords in real time.
*   A live demo of creating stronger, compliant, user-friendly policies.
*   A simple three-step plan for IT leaders to eliminate password risks fast.

**👉 Register now to join the live demo and get your action plan.**

**🕸️ Make Passwords Secure — and Simple**

Poor password management doesn't just create risk — it wastes time and hurts productivity. Specops helps IT teams strengthen security without adding friction for users.

Join this session to learn how to:

*   Cut helpdesk resets.
*   Meet compliance requirements.
*   Stop credential-based attacks for good.

**🎃 Sign up today and end your password nightmares once and for all.**

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Step Into the Password Graveyard… If You Dare (and Join the Live Session)

As the go-to cybersecurity expert for your friends and family, you’ll want to be ready for those “I clicked a suspicious link — now what?” messages. Share this quick guide to help them know exactly what to do next.

Wednesday, October 8, 2025 06:00

October is Cybersecurity Awareness Month, and as the tech-savvy friend or family member, people probably come to you for advice. One of the most common questions is: “I clicked a suspicious link. What do I do now?” 

Don’t worry — panic won’t help, but a calm, step-by-step response will. Share this guide with your loved ones so everyone knows exactly how to respond and stay safe. 

If you clicked the link on a work device, immediately contact IT support and follow their instructions. Companies often have specific policies and tools to investigate and remediate security incidents. Quick reporting helps protect both you and your organization. 

If it’s a personal device, **here’s what to do next.**

**Scenario 1: You only clicked the link, and did not enter any information **

Clicking a malicious link can trigger automatic downloads, attempt to exploit browser vulnerabilities, or install malware without your knowledge. 

*   Exit the browser immediately. 
*   Make sure no files downloaded to your device; if so, delete them without opening. 
*   Monitor your device for unusual behavior, which can be a sign of malware. 
    *   _**Examples:** Higher-than normal battery drainage, apps crashing, unknown apps/profiles, and persistent pop-ups_ 
*   Stay alert for suspicious emails, texts, or calls.

Together, these steps help you catch and remove any threats before they cause harm, and keep you aware of follow-up attacks.

**Scenario 2: You entered your username and password **

Entering credentials on a phishing site can give attackers access to your account, leading to unauthorized activity, identity theft or further phishing. 

*   Change your password **immediately** for that account, and force a logout of all devices logged in. This locks out any unauthorized users who may have gained access. 
*   If you have multifactor authentication (MFA) enabled, watch for any push notifications that you did not initiate. Do not approve them. This could mean someone is actively trying to log in with your stolen credentials. 
*   Enable two-factor authentication (2FA) if available. 
*   Create new, unique passwords for any other accounts that used the same credentials. Attackers often try your compromised password on multiple sites (aka called credential stuffing). 
    *   _**Tip:** Instead of storing your credentials in your browser, use a password manager such as 1Password._ 
*   Watch for suspicious account activity.

By following these steps, you limit the attacker’s access and protect your other accounts from being compromised. 

**Scenario 3: You entered credit card or banking information **

Financial data can be quickly exploited for fraudulent transactions, identity theft, or even sold on the dark web. 

*   Contact your bank or card issuer right away. 
*   If possible, freeze your card and get a replacement. 
*   Monitor your statements and report any unauthorized charges. 
*   Enable fraud alerts if your bank offers them.

These actions help you contain the risk, minimize financial losses, and alert your bank to potential fraud on your account.

**Scenario 4: You downloaded or opened a file **

Downloaded files from suspicious links can contain malware, ransomware, spyware or other harmful software that may steal your data or harm your device. 

*   Disconnect your device from the internet until you have completed all of these steps. Isolating your device can prevent malware from communicating with attackers or spreading to other devices. 
*   Run a full antivirus and malware scan if on a desktop or laptop. 
*   Check to ensure no new apps were installed if on a phone. 
*   Delete any suspicious files. 
*   In a worst-case scenario, if you have conducted periodic backups it might be best to restore your device to a clean version, from before the file was downloaded.

**Remember to: **

*   Always verify links before you click on them.  
    *   _Tip: Hover over the link to make sure it leads to an official website. If you’re not sure, it’s safer to type in the URL manually._ 
*   Enable multifactor authentication for your accounts whenever it’s available. 
*   Keep your software and antivirus updated. 
*   Report all phishing attempts to your email provider and IT/security team. 

Phishing attacks are getting more sophisticated, but a little knowledge goes a long way. Share this guide with your friends and family so they’ll know what to do if they ever click a suspicious link.

Happy Cybersecurity Awareness Month from Cisco Talos!

What to do when you click on a suspicious link

One click, total mess. A convincing itch-style page can drop a stealthy stager instead of a game. Here’s how to spot it and what to do if you clicked.

You get a message from a Discord friend. Or maybe an unknown indie developer reaches out to you. “Can you test my game?” they ask. 

The webpage they send over a link to looks legit: screenshots, dev blurb, itch.io-style layout, and the download button is right there, waiting to be clicked.  

The problem is these lookalike pages don’t give you the real game. Instead they drop a stealthy loader that quietly prepares your PC for follow-up malware. 

One lure we’ve seen impersonates the popular 2D platformer Archimoulin (the real game can be found here: nicolasduboc.itch.io/archimoulin). 

This scam nails two things gamers trust: friends and downloads. 

1.  **A trusted delivery channel.** The lure often arrives in a DM from someone in your friends list—usually because the attacker used a compromised account. People are far more likely to click links from friends. 

2.  **Familiar hosting and UI.** The impersonators use Blogspot subdomains or cloud links and fake itch-style pages so the site looks legitimate. Sometimes downloads are served via Dropbox or similar service people trust. 

3.  **A convincing** **sign-****in page.** Some variants present a fake Discord sign-in page first to harvest credentials. This hands the attacker control of your account, which they can use to spread the link to your contacts. 

Reddit threads from victims show this pattern again and again: an innocuous “test my game” DM, a convincing page, then account takeover and mass-messaging to the victim’s friends. 

**What actually happens when you click? **

Here’s what the user sees, and what the stealth loader is really doing: 

*   Double-click the downloaded Setup Game.exe and… nothing obvious happens. No installer UI, no progress bar. (That’s deliberate – the attacker wants the install to happen without alarming you.) 

*   The executable spawns PowerShell with a long, encoded command. (Attackers hide commands in encoded strings so the malicious script isn’t obvious at first glance.) 

*   The command decodes another script and runs it directly in memory. (Running in memory means the malware doesn’t leave a neat file on disk for antivirus to find, so it’s harder to detect.) 

*   That inner script hides the PowerShell window using a tiny .NET trick, so there’s no black console popping up to make you suspicious. (With no visible window there’s nothing to make you stop and ask what’s running.) 

*   The code tries to relaunch itself with admin rights (runAs) and compiles a small helper on the fly using csc.exe. (You’ll see temp folders and RES*.tmp files while it runs.) 

*   It unpacks a Node.js runtime and native modules into your user cache (C:\Users\<you>\.cache\pkg\...). (The malware is giving itself a toolkit, making it more flexible in what it can do next.) 

*   The installer even runs taskkill to force-close major browsers (Chrome, Brave, Firefox, Edge, and Opera). (That stops you from immediately googling what’s happening and then stopping the install.) 

*   In our sandbox run it didn’t phone home right away; instead it performed checks (net session, registry queries, BIOS/network checks) to confirm it’s on a “real” machine, then waits for the right moment to download the main payload. (Malware often avoids sandboxes, looking for signs it’s on a real user’s computer before unleashing the main payload.) 

**Bottom line:** The Setup Game.exe is a stager/loader – quiet on purpose, ready to pull down follow-up malware (backdoors, keyloggers, coinminers, or worse) when conditions match what the attacker wants.  

**What to watch out for **

*   **Unexpected DM with a download link:** If you get a message offering an indie game you didn’t expect, verify it with the sender on another channel first. 

*   **N****o installer UI** **but strange behavior after running:** If there’s no installer window or progress bar, but your browsers crash or you see temporary compile folders appear, that’s a red flag. 

*   **Unexpected folders appear:** Look for new folders you didn’t create, like C:\Users\<you>\.cache\pkg\… or %TEMP%\xlfvhkx3\… especially if you haven’t installed developer tools. 

*   **PowerShell showing** -EncodedCommand**:** Check running processes logs for signs a hidden script is running. 

**What to do if you already ran it **

Act quickly and use a different, clean device for the first steps. 

*   From another device, change your passwords (Discord, email, Steam) and enable 2FA. 

*   Log out all sessions and revoke authorised apps/tokens. 

*   Disconnect the infected PC and run a full Malwarebytes scan. 

*   Remove obvious new files/folders (e.g., C:\Users\<you>\.cache\pkg\…, %TEMP%\xlfvhkx3\…). 

*   Tell your friends not to click links from your account and report the pages to the host (Blogger/Dropbox) and your platform (Discord/Steam). 

*   If you see signs of deeper compromise, back up essentials and do a clean reinstall or get professional help. 

**Final note—indie communities are built on trust **

Archimoulin is an indie game; the fake pages are not. Scammers are exploiting the goodwill between players and creators. That’s the worst bit of all: it weaponizes the community itself. 

A quick sanity check—to pause, verify the URL, and ask the sender via another app—is all it takes to avoid the hassle of cleaning up a compromised PC (or losing your account and friends). Share this with your clan: one click is all it takes for an attacker to turn a fun, indie moment into a mess. 

**Indicators of compromise (IOCs) **

cakewind\[.\]blogspot.com 

carnagev1\[.\]blogspot.com 

kelarigame\[.\]blogspot.com 

klorigame\[.\]blogspot.com 

meraliagame\[.\]blogspot.com 

ravielchy\[.\]blogspot.com 

ravielchygame\[.\]blogspot.com 

tamunagame\[.\]blogspot.com 

veriliagame\[.\]blogspot.com 

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 “Can you test my game?” Fake itch.io pages spread hidden malware to gamers 

Researchers warn of Shuyal Stealer, malware that gathers browser logins, system details, and Discord tokens, then erases evidence via Telegram.

Cybersecurity researchers at Point Wild’s Lat61 Threat Intelligence Team have found a new infostealer called Shuyal Stealer, a malware strain designed to steal login credentials from not one or two, but 17 different web browsers.

****How Shuyal Stealer Profiles and Exploits Systems****

Shuyal Stealer is also capable of profiling targeted machines in depth, collecting information about disks, input devices and display setups by using Windows Management Instrumentation commands. That kind of device mapping gives attackers a clear picture of a victim’s system, which can be used for targeted **identity theft** or other follow-on attacks.

The malware also captures contextual data that many infostealers ignore. It takes screenshots, records clipboard contents and extracts **Discord** authentication tokens. These capabilities let attackers have real context into what the victim is doing on their device, which can turn a straightforward password stealing into a complete account takeover and know more about the victim’s online activities than other malware would.

****Data Exfiltration and Persistence Methods****

According to the Lat61 **blog post** shared with HackRead.com, the malware compresses the collected files with PowerShell and sends them through a hardcoded **Telegram bot**. Researchers found a specific bot token and chat ID used to deliver the archive directly to the attacker’s account. After the transfer completes, Shuyal deletes the archive and clears traces to complicate forensic work.

Shuyal quietly copies its executable into the Windows Startup folder using the CopyFileA API. It also shuts down Task Manager processes and modifies the registry to disable Task Manager entirely, preventing users from spotting or stopping it.

Infection chain flow (Via Point Wild)

****Browser Targeting and Data Theft****

When analysing how it steals data, Point Wild’s researchers noted Shuyal’s efficiency. It specifically looks for the “Login Data” file found in browser directories, running a SQL query to extract URLs, usernames, and encrypted passwords.

Each stolen session or token is saved locally and then zipped for exfiltration. Files such as tokens.txt, clipboard.txt and ss.png document different parts of the victim’s digital life, from saved passwords to copied text and active windows. The malware keeps a history.txt log of which browsers and apps it scanned. Here is the list of targeted browsers:

1.  Tor
2.  Edge
3.  Epic
4.  Brave
5.  Opera
6.  Vivaldi
7.  Coc Coc
8.  Maxthon
9.  Chromium
10.  Waterfox
11.  Comodo
12.  Slimjet
13.  Yandex
14.  Falkon
15.  Chrome
16.  Opera GX
17.  360 Browser

****Self-Deletion, Expert Insight and Mitigation****

After exfiltration finishes, Shuyal runs a self-deletion routine. It launches a batch script named util.bat that removes the archive and related files, making incident response and attribution harder.

**Dr Zulfikar Ramzan**, CTO of Point Wild and head of the Lat61 Threat Intelligence Team, summarised the threat as a powerful infostealer that targets many browsers, disables Task Manager and quietly sends harvested data over Telegram, then removes its traces.

“Shuyal is an infostealer extraordinaire, built for breadth and stealth. It raids credentials from browsers, kills the Windows Task Manager, and quietly exfiltrates data over Telegram. It’s a smash-and-grab, then vanishes,” he said.

Unlike other infostealers, Shuyal Stealer is both a privacy and security risk because it takes credentials plus contextual data that help attackers turn stolen secrets into account takeovers. Its combination of system profiling, wide browser coverage and clean-up process places it among the more capable infostealers active today.

If you suspect an infection, Point Wild advises rebooting into Safe Mode with Networking and scanning with a **reliable antivirus**. The malware is detected as Trojan.W64.100925.Shuyal.YR.

Tag

#web