A newly identified Windows malware strain, NWHStealer, is being distributed through files users deliberately seek out, not through bulk phishing or spam. That makes the campaign harder to spot: the lure is often a fake VPN installer, a hardware utility, or a gaming mod hosted on sites and services people may already recognize.
Malwarebytes researchers say the stealer has appeared across impersonation sites, code-hosting platforms, file-sharing services, YouTube-linked downloads, and malicious archives hosted through a free web service. Once installed, it is built to steal browser data, saved credentials, and cryptocurrency wallet information while maintaining contact with its operators even if primary infrastructure is disrupted.
A quieter delivery model makes the campaign more dangerous
Information stealers are not new, but this campaign reflects a shift in how they are delivered. Rather than trying to trick people into opening a suspicious attachment, the attackers package malware inside software categories that users actively want: VPN clients, diagnostics tools, cheats, and mods. That lowers suspicion at the point of download and gives the malicious file a more plausible reason to request execution.
The breadth of distribution is a major concern. Malwarebytes tracked samples tied to fake websites, GitHub and GitLab repositories, MediaFire and SourceForge links, and YouTube videos that point viewers to weaponized downloads. A malicious archive hosted on onworks[.]net, a widely visited free hosting provider, shows how ordinary web infrastructure can become part of the delivery chain without looking overtly malicious to a casual user.
How NWHStealer gets in and stays in
The infection chain is layered to frustrate analysis. In one case, malicious code was embedded in a legitimate-looking executable that checks for analysis tools, decrypts hidden strings, resolves Windows API functions dynamically at runtime (so the import table reveals little), and then decrypts the next-stage payload with AES-CBC via the Windows cryptographic APIs before loading it. Malware authors often pad such loaders with junk code to slow reverse engineering and blunt automated inspection.
In another case, fake Proton VPN sites delivered a ZIP archive that relied on DLL hijacking. A file presented as a WinRAR executable loaded a malicious WindowsCodecs.dll placed beside it in the archive; because the loader checks the executable's own directory before the system directories, the attacker's copy wins over the legitimate Windows DLL of the same name. That DLL unpacked another stage and injected the final payload into a legitimate Windows process such as RegAsm.exe. Running inside a signed Microsoft binary helps the malware blend into normal system activity and makes the resulting alerts harder for users and defenders to interpret.
Persistence is handled aggressively. Researchers observed PowerShell commands creating hidden folders in LOCALAPPDATA, adding those paths to Microsoft Defender exclusions, forcing Group Policy updates, and creating scheduled tasks that relaunch the malware at logon with the highest available privileges. A CMSTP-based UAC bypass adds another layer, letting the malware obtain elevated execution without the consent prompt a user would otherwise see.
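The artifacts in that paragraph are all things a defender can enumerate directly on a host. The PowerShell function below is an added hunting example, not code from the Malwarebytes write-up: it lists Defender path exclusions that point into user-writable profile locations, scheduled tasks that fire at logon with the highest run level and execute something under the user profile, and hidden folders created directly under LOCALAPPDATA. The function name and the path patterns are my own choices for illustration, not published NWHStealer indicators.

```powershell
# Added hunting example, not part of the original write-up. Requires the
# Defender and ScheduledTasks modules that ship with Windows 10/11 and an
# elevated PowerShell session. The function name and path patterns are
# assumptions chosen for illustration, not published NWHStealer indicators.
function Find-UserProfilePersistence {
    [CmdletBinding()]
    param()

    $profileRoots = @($env:LOCALAPPDATA, $env:APPDATA, $env:TEMP) | Where-Object { $_ }

    # 1. Defender path exclusions that point into a user-writable profile location.
    #    Legitimate software rarely needs these; a stealer adds them so the
    #    binaries it drops are never scanned.
    $exclusions = @((Get-MpPreference).ExclusionPath) | Where-Object {
        $path = $_
        $path -and ($profileRoots | Where-Object { $path -like "$_*" })
    }

    # 2. Scheduled tasks that (a) fire at logon, (b) run with the highest
    #    available privileges and (c) execute something under the user profile.
    $tasks = Get-ScheduledTask | ForEach-Object {
        $task = $_
        $logonTrigger = $task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
        $profileActions = $task.Actions | Where-Object {
            ($_.Execute + ' ' + $_.Arguments) -match '\\AppData\\(Local|Roaming)\\'
        }
        if ($logonTrigger -and $profileActions -and $task.Principal.RunLevel -eq 'Highest') {
            [pscustomobject]@{
                Task    = $task.TaskPath + $task.TaskName
                Execute = ($profileActions.Execute -join '; ')
                Args    = ($profileActions.Arguments -join '; ')
            }
        }
    }

    # 3. Hidden directories created directly under LOCALAPPDATA, with any
    #    executables or DLLs they contain and when they appeared.
    $hidden = Get-ChildItem -Path $env:LOCALAPPDATA -Directory -Hidden -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir  = $_
            $bins = Get-ChildItem -Path $dir.FullName -Recurse -File -Force -Include *.exe, *.dll -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Folder   = $dir.FullName
                Created  = $dir.CreationTime
                Binaries = @($bins.FullName)
            }
        }

    [pscustomobject]@{
        SuspiciousExclusions = @($exclusions)
        SuspiciousLogonTasks = @($tasks)
        HiddenProfileFolders = @($hidden)
    }
}

$findings = Find-UserProfilePersistence
$findings.SuspiciousExclusions
$findings.SuspiciousLogonTasks | Format-Table -AutoSize
$findings.HiddenProfileFolders | Format-List
```

Any hit in the first two categories deserves immediate triage; hidden profile folders are noisier on their own (some legitimate software creates them), so correlate them with a task or exclusion that references the same path before escalating.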
The theft target is broad, and the fallback channel is notable
NWHStealer goes after both account access and financial assets. It targets browsers including Edge, Chrome, Opera, Brave, Chromium, and Firefox for saved passwords and session data, and it enumerates more than 25 folders and registry keys linked to cryptocurrency wallets. Stolen data is encrypted before exfiltration, which is standard practice for modern stealers trying to hide the contents of outbound traffic.
One operational detail stands out: if its main command-and-control server becomes unavailable, the malware can fetch a fresh domain through a Telegram-based dead drop. That gives the operators resilience. Even when defenders block one server, the malware may still receive new instructions or infrastructure details through a separate channel that is simple, public-facing, and easy for attackers to update.
What users and organizations should change now
The practical lesson is less about one malware family than about a wider trust problem on the internet. A familiar file name, a polished download page, or a link posted beside a popular video is no longer a meaningful sign of safety. Software should be downloaded only from official vendor sites, and executable files should be checked for a valid Authenticode signature whose signer matches the expected vendor before they are run.
Avoid third-party mirrors for utilities, VPN tools, and system diagnostics.
Treat code-hosting and file-sharing links as untrusted unless the publisher is clearly verified.
Be wary of software links in video descriptions and comments, especially for mods and cheats.
Inspect compressed archives before extraction and verify the files inside, not just the archive name.
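The checks above are mechanical enough to script. The PowerShell function below is an added example and not code from the article: given the directory an archive was extracted into, it requires every executable, DLL and MSI inside to carry a valid Authenticode signature from the expected vendor, optionally compares named files against vendor-published SHA-256 hashes, and flags any DLL whose name collides with a Windows system DLL, which is the sideloading pattern used in the WinRAR/WindowsCodecs.dll case. The vendor subject pattern, the hash table and the download path in the usage line are placeholders you must replace; the expected subject should be read from a known-good installation, not guessed.

```powershell
# Added example, not part of the original article. Verifies an extracted
# download before anything in it is run. The expected signer pattern, the
# hash table and the path in the usage lines are placeholders (assumptions).
function Test-DownloadedSoftware {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExtractedPath,
        [Parameter(Mandatory)] [string] $ExpectedSubjectPattern,   # wildcard, e.g. 'CN=Example Vendor*'
        [hashtable] $ExpectedSha256 = @{}                          # file name -> vendor-published SHA-256
    )

    $system32 = Join-Path $env:SystemRoot 'System32'
    $findings = New-Object System.Collections.Generic.List[object]

    Get-ChildItem -Path $ExtractedPath -Recurse -File -Force -Include *.exe, *.dll, *.msi | ForEach-Object {
        $file    = $_
        $sig     = Get-AuthenticodeSignature -FilePath $file.FullName
        $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        $problems = @()
        if ($sig.Status -ne 'Valid') {
            $problems += "signature status $($sig.Status)"
        } elseif ($subject -notlike $ExpectedSubjectPattern) {
            $problems += "signer '$subject' does not match the expected vendor"
        }

        # A DLL carrying the name of a Windows system DLL, sitting beside an
        # executable, is exactly what a search-order (DLL hijacking) load picks
        # up first. Legitimate installers do not ship these next to their EXE.
        if ($file.Extension -ieq '.dll' -and (Test-Path (Join-Path $system32 $file.Name))) {
            $problems += "shadows system DLL $($file.Name)"
        }

        # Compare against a hash the vendor publishes on its own site, if known.
        if ($ExpectedSha256.ContainsKey($file.Name)) {
            $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
            if ($hash -ne $ExpectedSha256[$file.Name].ToUpper()) {
                $problems += "SHA256 $hash does not match the vendor-published hash"
            }
        }

        $findings.Add([pscustomobject]@{
            File     = $file.FullName
            Signer   = $subject
            Problems = $problems
            Safe     = ($problems.Count -eq 0)
        })
    }

    [pscustomobject]@{
        AllTrusted = -not ($findings | Where-Object { -not $_.Safe })
        Files      = $findings
    }
}

# Usage with placeholder values (substitute the real vendor's certificate
# subject and published hashes before relying on the result):
$report = Test-DownloadedSoftware -ExtractedPath "$env:USERPROFILE\Downloads\vpn-setup" `
                                  -ExpectedSubjectPattern 'CN=Example Vendor*'
$report.Files | Where-Object { -not $_.Safe } | Format-List File, Signer, Problems
if (-not $report.AllTrusted) { Write-Warning 'Do not run anything from this archive.' }
```

A signed-but-wrong-signer result is as disqualifying as an unsigned file: the WinRAR lookalike in the Proton VPN case may well have been a genuine signed binary, and it is the unsigned DLL beside it that does the damage, which is why the check runs over every file in the archive rather than only the one the user intends to double-click.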
For organizations, this campaign is a reminder that user-initiated downloads remain a persistent entry point that email security never sees. Detection has to extend beyond email and web filtering to include behavioral monitoring for process injection, suspicious scheduled tasks, unexpected Defender exclusions, and unusual use of tools such as RegAsm.exe, PowerShell, and cmstp.exe. NWHStealer’s success depends on looking ordinary long enough to get a foothold.
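Those behaviors translate into process-creation rules. The function below is an added detection example, not from the article or from Malwarebytes: it runs four heuristics over records shaped like Sysmon Event ID 1 (Image, CommandLine, ParentImage) and returns one alert per matching rule. The sample events are constructed for this example, and the thresholds (which directories count as user-writable, the cmstp and RegAsm parent checks) are my own assumptions rather than published indicators.

```powershell
# Added detection example, not part of the original article. Rules are
# heuristics chosen for illustration; the sample events below are constructed,
# not real telemetry.
function Get-StealerTradecraftAlerts {
    param([Parameter(Mandatory)] [object[]] $Events)

    # Directories an unprivileged user can write to (assumption for this example).
    $userWritable = '\\(Users|ProgramData|Temp)\\'

    $rules = @(
        @{ Name = 'Defender exclusion added from PowerShell'
           Test = { param($e) $e.Image -match '(powershell|pwsh)(\.exe)?$' -and
                              $e.CommandLine -match '(Add|Set)-MpPreference\s.*-Exclusion(Path|Process|Extension)' } }
        @{ Name = 'Elevated logon task pointing at a user-writable path'
           Test = { param($e) (($e.CommandLine -match 'schtasks(\.exe)?\s+/create' -and
                                $e.CommandLine -match '/sc\s+onlogon' -and
                                $e.CommandLine -match '/rl\s+highest') -or
                               $e.CommandLine -match 'Register-ScheduledTask.*-RunLevel\s+Highest') -and
                              $e.CommandLine -match $userWritable } }
        @{ Name = 'cmstp.exe run with an INF profile outside System32'
           Test = { param($e) $e.Image -match 'cmstp\.exe$' -and
                              $e.CommandLine -match '\.inf' -and
                              $e.CommandLine -notmatch 'System32\\' } }
        @{ Name = 'RegAsm.exe spawned from a user-writable location'
           Test = { param($e) $e.Image -match 'RegAsm\.exe$' -and
                              $e.ParentImage -match $userWritable } }
    )

    foreach ($e in $Events) {
        foreach ($r in $rules) {
            if (& $r.Test $e) {
                [pscustomobject]@{
                    Rule        = $r.Name
                    Image       = $e.Image
                    ParentImage = $e.ParentImage
                    CommandLine = $e.CommandLine
                }
            }
        }
    }
}

# Constructed sample records: three that should alert and two benign ones.
$sampleEvents = @(
    [pscustomobject]@{ Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Users\alice\AppData\Local\Temp\vpn_setup.exe'
                       CommandLine = 'powershell -w hidden -c "Add-MpPreference -ExclusionPath $env:LOCALAPPDATA\.cache; gpupdate /force"' }
    [pscustomobject]@{ Image       = 'C:\Windows\System32\schtasks.exe'
                       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'schtasks /create /tn Updater /sc onlogon /rl highest /tr "C:\Users\alice\AppData\Local\.cache\svc.exe"' }
    [pscustomobject]@{ Image       = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
                       ParentImage = 'C:\Users\alice\Downloads\WinRAR\WinRAR.exe'
                       CommandLine = 'RegAsm.exe' }
    [pscustomobject]@{ Image       = 'C:\Windows\System32\cmstp.exe'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       CommandLine = 'cmstp.exe /s C:\Windows\System32\corpvpn.inf' }
    [pscustomobject]@{ Image       = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe'
                       ParentImage = 'C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe'
                       CommandLine = 'RegAsm.exe /codebase MyLib.dll' }
)

Get-StealerTradecraftAlerts -Events $sampleEvents | Format-Table Rule, Image -AutoSize
```

Against the constructed records the first three alert and the last two stay quiet. The RegAsm rule keys on the parent rather than on the target's own arguments because an injected host process often launches with an empty or innocuous command line; the parent living under Users or Temp is the signal. Tune the user-writable pattern to your environment before deploying any of these as alerts.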