Threat Actors Impersonate Malwarebytes to Steal User Login Credentials
The campaign uses fake ZIP files named to mimic authentic Malwarebytes software downloads. All malicious files share a unique identifier (behash: 4acaac53c8340a8c236c91e68244e6cb), making them easy for security teams to track and identify.
The attack chain follows a simple but effective method called DLL sideloading. This technique tricks Windows into running harmful software by placing it next to a legitimate program file.
When users download what appears to be Malwarebytes software, they receive a ZIP archive containing both a real Windows program and a hidden malicious file named CoreMessaging.dll.
Once users extract and run the legitimate executable, Windows automatically loads the malicious DLL, starting the infection process without the user’s knowledge.
Inside each ZIP file, attackers also include a text file, sometimes named gitconfig.com.txt or Agreement_About.txt, containing a GitHub URL.
While this text file plays no direct role in the attack, it serves as a valuable tracking tool for security researchers investigating the campaign’s infrastructure and identifying related malicious samples.
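The archive layout described above (a real executable, a DLL named CoreMessaging.dll beside it, and a text file carrying a GitHub URL) can be triaged automatically. The following script is an added example written for this page, not code from the article, from Malwarebytes or from VirusTotal: it walks a ZIP in memory, hashes every member for hunting, pulls any GitHub URL out of the text file, and flags the case where an EXE and a sideload-prone DLL name sit in the same archive directory. The sample archive it builds is constructed here, with placeholder file contents and a placeholder GitHub URL.

```python
import hashlib
import io
import re
import zipfile
from pathlib import PurePosixPath

# DLL name quoted in the article; an analyst would extend this set with other
# sideload-prone names as needed.
SIDELOAD_DLL_NAMES = {"coremessaging.dll"}
# The tracking text file was seen as gitconfig.com.txt or Agreement_About.txt;
# any .txt member is inspected so renamed variants are not missed.
GITHUB_URL_RE = re.compile(rb"https?://github\.com/[^\s\"'<>]+")


def triage_archive(zip_bytes):
    """Inspect a ZIP held in memory and report the sideloading layout.

    Returns a dict with a SHA256 per member, GitHub URLs found in text members,
    and a 'suspicious' flag set when an .exe and a known sideload DLL name share
    the same directory inside the archive.
    """
    report = {"members": {}, "github_urls": [], "suspicious": False, "reason": []}
    dirs_with_exe, dirs_with_dll = set(), set()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = PurePosixPath(info.filename)
            name = path.name.lower()
            data = zf.read(info)
            report["members"][info.filename] = hashlib.sha256(data).hexdigest()
            parent = str(path.parent)
            if name.endswith(".exe"):
                dirs_with_exe.add(parent)
            elif name in SIDELOAD_DLL_NAMES:
                dirs_with_dll.add(parent)
            elif name.endswith(".txt"):
                report["github_urls"] += [m.decode() for m in GITHUB_URL_RE.findall(data)]
    shared = dirs_with_exe & dirs_with_dll
    if shared:
        report["suspicious"] = True
        report["reason"].append(f"EXE co-located with sideload DLL name in: {sorted(shared)}")
    return report


def build_sample_archive():
    """Constructed archive mimicking the described layout; not a real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Malwarebytes/Setup.exe", b"MZ" + b"\0" * 62)          # placeholder EXE bytes
        zf.writestr("Malwarebytes/CoreMessaging.dll", b"MZ" + b"\0" * 62)  # placeholder DLL bytes
        zf.writestr("Malwarebytes/gitconfig.com.txt",
                    b"https://github.com/PLACEHOLDER-ACCOUNT/PLACEHOLDER-REPO\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_archive(build_sample_archive())
    print("suspicious:", result["suspicious"], result["reason"])
    print("github urls:", result["github_urls"])
    for member, digest in result["members"].items():
        print(digest, member)
```

The member hashes are ordinary SHA256 values for matching against a hash list; they are not the VirusTotal behash quoted in the article, which is a behaviour-based identifier.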
The real danger lies in the secondary-stage payloads dropped after the malicious DLL executes. Researchers discovered that these payloads are infostealers, specialized malware designed to steal sensitive user information.
The infostealers specifically target user login credentials and passwords, cryptocurrency wallet browser extension identifiers, and personal financial information.
The final payload uses another distinct identifier (behash: 5ddb604194329c1f182d7ba74f6f5946), allowing analysts to track all affected systems and variants across the internet.
The malicious DLL files contain unusual metadata signatures (“Peastaking plenipotence ductileness chilopodous codicillary” and “© 2026 Eosinophil LLC”) that appear nowhere in legitimate software.
Additionally, these DLLs export strange alphanumeric function names (15Mmm95ml1RbfjH1VUyelYFCf and 2dlSKEtPzvo1mHDN4FYgv) that developers don’t typically use, making them reliable indicators for detection.
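The two export names above are a file-level indicator that can be checked without a YARA engine. The script below is an added example for this page (not VirusTotal's or Malwarebytes' code): a small pure-Python PE export-table reader plus a check that mirrors the rule logic of "MZ signature, PE signature, DLL flag, both exports present". To stay self-contained it also builds a constructed PE32+ DLL image carrying an arbitrary export list, so the check can be exercised offline; the layout constants are the documented PE header offsets, the builder is mine and is not a real sample.

```python
import struct

# Export names quoted in the article as detection indicators.
CAMPAIGN_EXPORTS = ("15Mmm95ml1RbfjH1VUyelYFCf", "2dlSKEtPzvo1mHDN4FYgv")
IMAGE_FILE_DLL = 0x2000  # Characteristics flag that pe.is_dll() tests


def _rva_to_offset(sections, rva):
    """Translate a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def pe_export_names(data):
    """Return (is_dll, [exported names]) for a PE image; raise ValueError if not PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, characteristics = struct.unpack_from("<HH", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    dir_off = opt + (112 if magic == 0x20B else 96)  # data directories: PE32+ vs PE32
    export_rva, = struct.unpack_from("<I", data, dir_off)  # entry 0 = export table
    sections = []
    for i in range(n_sections):
        s = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    if export_rva == 0:
        return is_dll, []
    exp = _rva_to_offset(sections, export_rva)
    n_names, = struct.unpack_from("<I", data, exp + 24)          # NumberOfNames
    names_rva, = struct.unpack_from("<I", data, exp + 32)        # AddressOfNames
    names_tbl = _rva_to_offset(sections, names_rva)
    names = []
    for i in range(n_names):
        name_rva, = struct.unpack_from("<I", data, names_tbl + 4 * i)
        start = _rva_to_offset(sections, name_rva)
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return is_dll, names


def matches_campaign_rule(data):
    """Plain-Python equivalent of the YARA condition quoted on this page."""
    try:
        is_dll, names = pe_export_names(data)
    except (ValueError, struct.error, IndexError):
        return False
    return is_dll and all(e in names for e in CAMPAIGN_EXPORTS)


def build_minimal_dll(export_names, is_dll=True):
    """Constructed PE32+ image with a single export section, for offline testing only."""
    sec_rva, raw_ptr = 0x1000, 0x200
    names_tbl_rva = sec_rva + 40                # name pointer table follows the 40-byte export directory
    strings, name_rvas = b"", []
    for n in export_names:
        name_rvas.append(names_tbl_rva + 4 * len(export_names) + len(strings))
        strings += n.encode("ascii") + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(export_names),
                             len(export_names), 0, names_tbl_rva, 0)
    payload = export_dir + b"".join(struct.pack("<I", r) for r in name_rvas) + strings
    payload = payload.ljust((len(payload) + 0x1FF) & ~0x1FF, b"\0")  # 512-byte file alignment
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    chars = 0x2022 if is_dll else 0x0022                              # toggle IMAGE_FILE_DLL
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, chars)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                             # PE32+ magic
    struct.pack_into("<II", opt, 112, sec_rva, len(payload))          # export data directory
    sec = (b".edata".ljust(8, b"\0")
           + struct.pack("<IIII", len(payload), sec_rva, len(payload), raw_ptr) + b"\0" * 16)
    headers = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return headers.ljust(raw_ptr, b"\0") + payload


if __name__ == "__main__":
    sample = build_minimal_dll(list(CAMPAIGN_EXPORTS))
    print(pe_export_names(sample), matches_campaign_rule(sample))
```

For real files, `pe_export_names` is the part to keep: point it at a DLL pulled from a suspect archive and compare the returned names against the indicators. A production tool would use a full PE parser, but the header walk above is enough to reproduce the rule's logic and shows exactly which structures the indicator lives in.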
Users should verify software downloads directly from official company websites and enable browser warnings for unknown file sources.
Organizations should deploy endpoint detection and response (EDR) tools to monitor for suspicious DLL loading and immediately block any files matching the identified IoCs.
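Monitoring for suspicious DLL loading can be expressed as a simple rule over image-load telemetry. The script below is an added example for this page, not code from the article or from any EDR vendor; it assumes Sysmon-style Event ID 7 records (Image and ImageLoaded fields), which is my choice of telemetry since the article only names EDR in general. The pipe-separated log lines are a constructed stand-in for real event records. The rule fires when a DLL with a sideload-prone name (CoreMessaging.dll, from the article) is loaded from outside the Windows system directories and from the same directory as the process that loaded it, which is the pattern DLL sideloading produces.

```python
import ntpath

# DLL name from the article; extend with other sideload-prone names as needed.
SIDELOAD_DLL_NAMES = {"coremessaging.dll"}
# Directories where a system DLL of this name is expected to live.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")


def parse_event_line(line):
    """Turn 'Key: value|Key: value' into a dict (constructed log format, not real Sysmon)."""
    fields = (part.split(":", 1) for part in line.split("|"))
    return {k.strip(): v.strip() for k, v in fields}


def is_suspicious_image_load(event):
    """True when an image-load event fits the sideloading pattern.

    Conditions: Event ID 7, a sideload-prone DLL name, loaded from outside the
    system directories, and from the same directory as the loading process.
    """
    if event.get("EventID") != "7":
        return False
    image = event.get("Image", "")
    loaded = event.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() not in SIDELOAD_DLL_NAMES:
        return False
    dll_dir = ntpath.dirname(loaded).lower()
    if dll_dir.startswith(SYSTEM_DIRS):
        return False
    return dll_dir == ntpath.dirname(image).lower()


def scan(lines):
    """Return the parsed events that trip the rule."""
    return [ev for ev in map(parse_event_line, lines) if is_suspicious_image_load(ev)]


# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    r"EventID: 7|Image: C:\Windows\explorer.exe|ImageLoaded: C:\Windows\System32\CoreMessaging.dll",
    r"EventID: 7|Image: C:\Users\alice\Downloads\Malwarebytes\Setup.exe"
    r"|ImageLoaded: C:\Users\alice\Downloads\Malwarebytes\CoreMessaging.dll",
    r"EventID: 7|Image: C:\Program Files\Vendor\app.exe|ImageLoaded: C:\Program Files\Vendor\helper.dll",
    r"EventID: 1|Image: C:\Users\alice\Downloads\Malwarebytes\Setup.exe|CommandLine: Setup.exe",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("suspicious sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

The first sample line is the benign case (the genuine system DLL loaded from System32) and must not fire; the second is the user-profile load that matches. In a real deployment the same three conditions map directly onto a SIEM or EDR query over image-load events.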
Security teams can access a complete list of malicious file hashes and hunting queries through VirusTotal public collection for rapid investigation and threat hunting.
import "pe"

rule win_dll_sideload_eosinophil_infostealer_jan26
{
    meta:
        author = "VirusTotal"
        description = "Detects malicious DLLs (CoreMessaging.dll) from an infostealer campaign impersonating Malwarebytes via DLL sideloading"
        reference = "https://blog.virustotal.com/2026/01/malicious-infostealer-january-26.html"
        date = "2026-01-16"
        behash = "4acaac53c8340a8c236c91e68244e6cb"
        target_entity = "file"
    condition:
        (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and pe.is_dll()) and
        pe.exports("15Mmm95ml1RbfjH1VUyelYFCf") and pe.exports("2dlSKEtPzvo1mHDN4FYgv")
}

Malicious File Hashes (SHA256)
The post Threat Actors Impersonate Malwarebytes to Steal User Login Credentials appeared first on Cyber Security News.