NWHStealer Campaign Spreads Through Fake Proton VPN Sites and Tools

A malware campaign documented by Malwarebytes is using fake Proton VPN download pages, counterfeit utility software, cheat tools, and gaming mods to infect Windows systems with NWHStealer, an information-stealing program built to siphon passwords, browser data, and cryptocurrency wallet details. The activity matters because it blends familiar internet distribution channels with stealthy Windows techniques that make malicious files look routine and harder to catch.

How the campaign reaches victims

The operation does not depend on a single lure. Malwarebytes found malicious ZIP archives hosted on open and low-friction platforms, including onworks[.]net, as well as files promoted through GitHub, SourceForge, and YouTube videos. Some of those videos were reportedly AI-generated, a sign of how cheaply attackers can now produce convincing promotional material at scale.

That mix of channels reflects a broader shift in cybercrime. Rather than building custom infrastructure alone, attackers increasingly hide in plain sight on widely used services and piggyback on software categories that already attract users looking for free downloads: VPN clients, hardware monitors, mining tools, tweaks, and unofficial add-ons. The social engineering is simple but effective. People often lower their guard when the file appears to solve a practical problem or promises a familiar brand.

Why NWHStealer is difficult to detect

NWHStealer is designed for data theft, but its delivery chain shows a level of operational care that goes beyond a basic credential grabber. Malwarebytes says some samples execute directly in memory or inject into legitimate Windows processes such as RegAsm.exe. Others arrive through DLL hijacking, pairing a legitimate executable with a malicious library so the attack begins under the cover of trusted software. In fake Proton VPN cases, the executable was often a repackaged WinRAR binary used to load the hidden payload.

Once active, the malware checks its environment, decrypts its components with AES-CBC through Windows cryptographic APIs, and in some cases uses process hollowing to run malicious code inside another process. It then moves into live browser processes to extract decrypted information that would otherwise remain protected at rest. That is a common and effective tactic because modern browsers encrypt stored credentials, but they must also decrypt them for normal use.

What data is at risk

The malware targets browser-stored credentials, autofill records, and cryptocurrency wallets. Malwarebytes says it seeks data from Chrome, Edge, Firefox, Opera, Brave, and other browsers, while also scanning more than 25 wallet-related directories and registry locations. For many victims, browser autofill can be as valuable to criminals as passwords, since it may expose email addresses, payment details, and other personal identifiers that support account takeover or fraud.

The focus on crypto wallets is also telling. Infostealers have become a persistent threat because they monetize stolen data in several ways at once: direct theft from wallets, resale of credentials, and reuse of browser session data in follow-on intrusions. A single infection can create risks that continue long after the initial compromise, especially if a victim reuses passwords or stores recovery information on the same machine.

Persistence, privilege escalation, and what users should do

NWHStealer reportedly tries to stay on infected systems by creating scheduled tasks, adding Windows Defender exclusions, and dropping payloads disguised as normal Windows processes such as svchost.exe or RuntimeBroker.exe. It can also abuse cmstp.exe, a legitimate Windows utility, to bypass User Account Control by generating a temporary INF file and approving the elevation flow through Windows APIs. If its main command server is down, it can fetch backup infrastructure from a Telegram-based dead drop, giving the operation resilience.
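The behaviours described above (system process names launched from user-writable folders, cmstp.exe handed an INF file from a temp directory, scheduled tasks pointing into AppData, Windows Defender exclusion changes, and RegAsm.exe spawned by an installer from a download folder) are all visible in ordinary process-creation and registry telemetry. The following is an added example, not code from Malwarebytes or from the article, of how a defender might turn those observations into a small triage rule set. The key=value log format and the six sample events are constructed for the example, and the rules are heuristics that assume standard Windows install paths; a real deployment would run them over Sysmon or EDR exports instead.

```python
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-like events (not real telemetry). Event 0 is a benign
# control; events 1-5 each show one of the indicators discussed in the article.
SAMPLE_EVENTS = [
    r'EventType=ProcessCreate Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs" ParentImage=C:\Windows\System32\services.exe',
    r'EventType=ProcessCreate Image=C:\Users\alice\AppData\Roaming\svchost.exe CommandLine="svchost.exe" ParentImage=C:\Users\alice\Downloads\ProtonVPN_Setup.exe',
    r'EventType=ProcessCreate Image=C:\Windows\System32\cmstp.exe CommandLine="cmstp.exe C:\Users\alice\AppData\Local\Temp\net.inf" ParentImage=C:\Users\alice\AppData\Roaming\svchost.exe',
    r'EventType=RegistryValueSet Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject="HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\alice\AppData\Roaming"',
    r'EventType=ProcessCreate Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks.exe /create /tn WindowsUpdateCheck /tr C:\Users\alice\AppData\Roaming\svchost.exe /sc onlogon" ParentImage=C:\Users\alice\AppData\Roaming\svchost.exe',
    r'EventType=ProcessCreate Image=C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe CommandLine="RegAsm.exe" ParentImage=C:\Users\alice\AppData\Local\Temp\HWMonitor_Setup.exe',
]

# key=value pairs; quoted values may contain spaces (paths, command lines).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Heuristic assumptions: where legitimate system binaries live, which
# locations are user-writable, and where Defender stores exclusion entries.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
MASQUERADE_NAMES = {"svchost.exe", "runtimebroker.exe"}
DEFENDER_EXCLUSIONS = "\\software\\microsoft\\windows defender\\exclusions\\"


def parse_event(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def in_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def analyze(event):
    """Return a list of human-readable findings for a single parsed event."""
    findings = []
    etype = event.get("EventType", "")
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    cmd = event.get("CommandLine", "").lower()
    parent = event.get("ParentImage", "")

    if etype == "ProcessCreate":
        # Payloads dropped under a system process name but outside System32.
        if name in MASQUERADE_NAMES and not image.lower().startswith(SYSTEM_DIRS):
            findings.append(f"system process name outside System32: {image}")
        # cmstp.exe processing an INF file from a temp/user-writable location.
        if name == "cmstp.exe":
            inf = re.search(r"(\S+\.inf)", cmd)
            if inf and in_user_writable(inf.group(1)):
                findings.append(f"cmstp.exe given INF from user-writable path: {inf.group(1)}")
        # Scheduled task whose action lives in a user-writable directory.
        if name == "schtasks.exe" and "/create" in cmd and in_user_writable(cmd):
            findings.append("scheduled task created with action in user-writable path")
        # RegAsm.exe (a known injection host) started by a binary in temp/downloads.
        if name == "regasm.exe" and in_user_writable(parent):
            findings.append(f"RegAsm.exe launched by user-writable parent: {parent}")
    elif etype == "RegistryValueSet":
        target = event.get("TargetObject", "").lower()
        if DEFENDER_EXCLUSIONS in target:
            findings.append(f"Windows Defender exclusion modified: {event.get('TargetObject')}")
    return findings


def scan(lines):
    """Run every rule over every line; returns (line_index, finding) pairs."""
    hits = []
    for index, line in enumerate(lines):
        for finding in analyze(parse_event(line)):
            hits.append((index, finding))
    return hits


if __name__ == "__main__":
    for index, finding in scan(SAMPLE_EVENTS):
        print(f"event {index}: {finding}")
```

Each rule is deliberately narrow so that the benign control event (svchost.exe from System32, started by services.exe) produces nothing, while each of the five suspicious events produces exactly one finding. In practice these would be tuned against the environment's own baseline, since software installers and administrative scripts can legitimately touch scheduled tasks or Defender settings; the value of the rules is in surfacing such changes for review, not in blocking them outright.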

The most practical defense is still the least glamorous: download software only from official vendor sites, not from links in video descriptions, reposted archives, or cloned pages that imitate real brands. Users should inspect publisher details and digital signatures before running installers, and treat ZIP-based “setup” files for well-known applications with particular suspicion. For organizations, the campaign is another reminder that browser data, local wallet files, and user trust remain prime targets, and that modern malware often looks less like a noisy virus than a convincing piece of everyday software.