
The campaign uses fake ZIP files named to mimic authentic Malwarebytes software downloads. All malicious files share a unique identifier (behash: 4acaac53c8340a8c236c91e68244e6cb), making them easy for security teams to track and identify.
How the Attack Works

The attack chain follows a simple but effective method called DLL sideloading. This technique tricks Windows into running harmful software by placing it next to a legitimate program file.
When users download what appears to be Malwarebytes software, they receive a ZIP archive containing both a real Windows program and a hidden malicious file named CoreMessaging.dll.
Once users extract and run the legitimate executable, Windows automatically loads the malicious DLL, starting the infection process without the user’s knowledge.

Inside each ZIP file, attackers also include a text file, sometimes named gitconfig.com.txt or Agreement_About.txt, containing a GitHub URL.
While this text file plays no direct role in the attack, it serves as a valuable tracking tool for security researchers investigating the campaign’s infrastructure and identifying related malicious samples.
The real danger lies in the secondary-stage payloads dropped after the malicious DLL executes. Researchers discovered that these payloads are infostealers, specialized malware designed to steal sensitive user information.
The infostealers specifically target:
- User login credentials and passwords
- Cryptocurrency wallet browser extension identifiers
- Personal financial information
The final payload uses another distinct identifier (behash: 5ddb604194329c1f182d7ba74f6f5946), allowing analysts to track all affected systems and variants across the internet.

The malicious DLL files contain unusual metadata signatures (“Peastaking plenipotence ductileness chilopodous codicillary” and “© 2026 Eosinophil LLC”) that appear nowhere in legitimate software.
Additionally, these DLLs export strange alphanumeric function names (15Mmm95ml1RbfjH1VUyelYFCf and 2dlSKEtPzvo1mHDN4FYgv) that developers don’t typically use, making them reliable indicators for detection.
Users should verify software downloads directly from official company websites and enable browser warnings for unknown file sources.
Organizations should deploy endpoint detection and response (EDR) tools to monitor for suspicious DLL loading and immediately block any files matching the identified IoCs.
Security teams can access a complete list of malicious file hashes and hunting queries through a VirusTotal public collection for rapid investigation and threat hunting.
Indicators of Compromise

import "pe"

rule win_dll_sideload_eosinophil_infostealer_jan26
{
    meta:
        author = "VirusTotal"
        description = "Detects malicious DLLs (CoreMessaging.dll) from an infostealer campaign impersonating Malwarebytes via DLL sideloading"
        reference = "https://blog.virustotal.com/2026/01/malicious-infostealer-january-26.html"
        date = "2026-01-16"
        behash = "4acaac53c8340a8c236c91e68244e6cb"
        target_entity = "file"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and pe.is_dll()) and
        pe.exports("15Mmm95ml1RbfjH1VUyelYFCf") and pe.exports("2dlSKEtPzvo1mHDN4FYgv")
}

Malicious File Hashes (SHA256)
- 6773af31bd7891852c3d8170085dd4bf2d68ea24a165e4b604d777bd083caeaa
- 4294d6e8f1a63b88c473fce71b665bbc713e3ee88d95f286e058f1a37d4162be
- 5591156d120934f19f2bb92d9f9b1b32cb022134befef9b63c2191460be36899
- 42d53bf0ed5880616aa995cad357d27e102fb66b2fca89b17f92709b38706706
- 5aa6f4a57fb86759bbcc9fc6c61b5f74c0ca74604a22084f9e0310840aa73664
- 84021dcfad522a75bf00a07e6b5cb4e17063bd715a877ed01ba5d1631cd3ad71
- ca8467ae9527ed908e9478c3f0891c52c0266577ca59e4c80a029c256c1d4fce
- 9619331ef9ff6b2d40e77a67ec86fc81b050eeb96c4b5f735eb9472c54da6735
- a2842c7cfaadfba90b29e0b9873a592dd5dbea0ef78883d240baf3ee2d5670c5
- 4705fd47bf0617b60baef8401c47d21afb3796666092ce40fbb7fe51782ae280
- 580d37fc9d9cc95dc615d41fa2272f8e86c9b4da2988a336a8b3a3f90f4363c2
- d47fd17d1d82ea61d850ccc2af3bee54adce6975d762fb4dee8f4006692c5ef7
- 606baa263e87d32a64a9b191fc7e96ca066708b2f003bde35391908d3311a463
- fd855aa20467708d004d4aab5203dd5ecdf4db2b3cb2ed7e83c27368368f02bb
- a0687834ce9cb8a40b2bb30b18322298aff74147771896787609afad9016f4ea
- 4235732440506e626fd4d0fffad85700a8fcf3e83ba5c5bc8e19ada508a6498e
- cd1fe2762acf3fb0784b17e23e1751ca9e81a6c0518c6be4729e2bc369040ca5
- f798c24a688d7858efd6efeaa8641822ad269feeb3a74962c2f7c523cf8563ff
- 0698a2c6401059a3979d931b84d2d4b011d38566f20558ee7950a8bf475a6959
- 1b3bee041f2fffcb9c216522afa67791d4c658f257705e0feccc7573489ec06f
- 231c05f4db4027c131259d1acf940e87e15261bb8cb443c7521294512154379b
- ec2e30d8e5cacecdf26c713e3ee3a45ebc512059a64ba4062b20ca8bec2eb9e7
- 58bd2e6932270921028ab54e5ff4b0dbd1bf67424d4a5d83883c429cadeef662
- 57ed35e6d2f2d0c9bbc3f17ce2c94946cc857809f4ab5c53d7cb04a4e48c8b14
- cfcf3d248100228905ad1e8c5849bf44757dd490a0b323a10938449946eabeee
- f02be238d14f8e248ad9516a896da7f49933adc7b36db7f52a7e12d1c2ddc6af
- f60802c7bec15da6d84d03aad3457e76c5760e4556db7c2212f08e3301dc0d92
- 02dc9217f870790b96e1069acd381ae58c2335b15af32310f38198b5ee10b158
- f9549e382faf0033b12298b4fd7cd10e86c680fe93f7af99291b75fd3d0c9842
- 92f4d95938789a69e0343b98240109934c0502f73d8b6c04e8ee856f606015c8
- 66fba00b3496d61ca43ec3eae02527eb5222892186c8223b9802060a932a5a7a
- e5dd464a2c90a8c965db655906d0dc84a9ac84701a13267d3d0c89a3c97e1e9b
- 35211074b59417dd5a205618fed3402d4ac9ca419374ff2d7349e70a3a462a15
- 6863b4906e0bd4961369b8784b968b443f745869dbe19c6d97e2287837849385
- a83c478f075a3623da5684c52993293d38ecaa17f4a1ddca10f95335865ef1e2
- 43e2936e4a97d9bc43b423841b137fde1dd5b2f291abf20d3ba57b8f198d9fab
- f001ae3318ba29a3b663d72b5375d10da5207163c6b2746cfae9e46a37d975cf
- c67403d3b6e7750222f20fa97daa3c05a9a8cce39db16455e196cd81d087b54d
- 5ee9d4636b01fd3a35bd8e3dce86a8c114d8b0aa6b68b1d26ace7ef0f85b438a
- e84b0dadb0b6be9b00a063ed82c8ddba06a2bd13f07d510d14e6fd73cd613fba
The post Threat Actors Impersonate Malwarebytes to Steal User Login Credentials appeared first on Cyber Security News.
