A new malware campaign has emerged that tricks people into downloading fake Malwarebytes software, putting their login credentials and cryptocurrency wallets at serious risk.
Security researchers discovered this operation actively spreading between January 11 and January 15, 2026, using specially crafted ZIP files that impersonate legitimate Malwarebytes installers.
The fake files are named malwarebytes-windows-github-io-X.X.X.zip, making them appear authentic to unsuspecting users who believe they are downloading genuine antivirus protection.
The campaign’s primary goal centers on delivering an information-stealing malware that harvests sensitive user data.
Content of the TXT file (Source – VirusTotal)
These malicious ZIP archives contain a dangerous combination of files designed to bypass security defenses and establish persistence on infected systems.
When users extract and run what appears to be the legitimate Malwarebytes executable, they unknowingly trigger a chain of malicious events that ultimately compromises their digital security and personal information.
VirusTotal analysts identified the malware after examining the infection patterns and file structures, noting that all suspicious ZIP archives share a consistent identifier known as a behash value of “4acaac53c8340a8c236c91e68244e6cb.”
This technical marker became crucial in tracking the campaign’s scope and identifying additional variants used in the operation.
The researchers documented how the malware operates through a sophisticated layering technique that makes detection and analysis more challenging.
DLL Sideloading: The Attack Mechanism
The attack relies on a deceptive technique called DLL sideloading, which exploits how Windows loads legitimate software libraries. The malicious payload is hidden inside a file named CoreMessaging.dll.
The identified DLLs (Source – VirusTotal)
When the legitimate Malwarebytes executable runs, the operating system loads this malicious DLL instead of the genuine library file.
Threat actors place both the fake DLL and legitimate EXE in the same folder, tricking Windows into executing the malware without raising suspicion.
The malicious DLLs feature distinctive metadata including signature strings like “© 2026 Eosinophil LLC” and unusual exported functions containing alphanumeric sequences such as “15Mmm95ml1RbfjH1VUyelYFCf” and “2dlSKEtPzvo1mHDN4FYgv.”
These characteristics allow security researchers to hunt for related samples and track the broader campaign.
Once the malicious DLL executes, it drops secondary-stage infostealers that specifically target cryptocurrency wallet information and stored browser credentials, enabling attackers to commit identity theft and cryptocurrency theft.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Threat Actors Impersonate as MalwareBytes to Attack Users and Steal Logins appeared first on Cyber Security News.
