Trusted Software, Trojan Threat: Fake VPNs and Game Mods Fuel NWHStealer Malware Surge
Cybercriminals are hijacking the reputation of popular tools and gaming mods to spread a stealthy Windows infostealer in a rapidly escalating campaign.
It begins with a simple search for a VPN or a game mod - everyday actions for millions of users. But lurking behind realistic-looking websites and YouTube tutorials is a new breed of cyberattack: the NWHStealer operation, which weaponizes trust in well-known software to compromise Windows systems on a massive scale.
Fast Facts
- Attackers are spreading NWHStealer via fake ProtonVPN installers, gaming mods, and system utilities.
- Malicious files are hosted on lookalike domains, GitHub, SourceForge, and even free VM web hosting platforms.
- YouTube channels with AI-generated tutorials direct unsuspecting users to download infected installers.
- NWHStealer targets browser credentials, cryptocurrency wallets, and disables security defenses.
- The malware uses advanced techniques like DLL hijacking, process injection, and encrypted C2 communications.
How the NWHStealer Campaign Works
Unlike basic phishing scams, this campaign leverages the credibility of beloved brands. Cybercriminals set up convincing doppelganger websites for ProtonVPN and other tools, mimicking their appearance down to the installer files. These sites, along with links in gaming or tech YouTube videos, lure victims into downloading ZIP archives that appear legitimate but conceal a sophisticated threat.
Researchers uncovered that attackers are also abusing platforms like onworks[.]net - a legitimate service offering browser-based virtual machines - to host infected archives. These files, often named after real utilities such as OhmGraphite or Sidebar Diagnostics, contain executables packed with custom loaders and anti-analysis tricks.
Once launched, the malware injects itself into trusted Windows processes like RegAsm.exe, making detection difficult. Some variants hijack DLLs in tools like WinRAR, while others use MSI-based loaders or process hollowing. The goal: slip past security software and load NWHStealer directly into system memory.
In the case of fake ProtonVPN sites, the archives bundle malicious DLLs alongside legitimate binaries that load them. YouTube videos - often AI-voiced and AI-produced - demonstrate the “installation,” encouraging viewers to follow suit. Victims have no idea they’re running code that will quietly harvest their browser data, passwords, and cryptocurrency wallet contents.
NWHStealer’s reach is broad: it attacks Chrome, Edge, Brave, Opera, and other Chromium-based browsers. It injects code to decrypt and extract sensitive data, which is then encrypted again before being sent to a command-and-control server. If the main server is unreachable, the malware fetches new instructions via Telegram. To ensure persistence, it disables Windows Defender, hides folders, and schedules tasks - sometimes even using known Windows privilege escalation tricks.
Trust, But Verify
This wave of attacks is a sobering reminder: even familiar download sources can be weaponized. Users are urged to download only from official vendor sites, double-check digital signatures, and steer clear of “free” or “modded” software found via YouTube or file-sharing platforms. With NWHStealer’s techniques growing more advanced, vigilance is the only defense against malware that wears a trusted mask.
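As an added example (not part of the original article), the following PowerShell script acts on the "double-check digital signatures" advice for the sideloading pattern described above: it inspects every EXE and DLL in an extracted download, reports each file's Authenticode status and signer, and flags folders where a validly signed executable sits next to DLLs that are unsigned or fail verification. The $ArchiveDir path is an assumed placeholder.

```powershell
# Added example: triage an extracted download for the "signed EXE beside
# unsigned DLLs" pattern. $ArchiveDir is an assumed path; point it at the
# folder you extracted the archive into.
param(
    [string]$ArchiveDir = "$env:USERPROFILE\Downloads\extracted-installer"
)

# Collect every PE file (executables and libraries) under the archive folder.
$peFiles = Get-ChildItem -Path $ArchiveDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' }

$report = foreach ($file in $peFiles) {
    # Get-AuthenticodeSignature validates the embedded signature and its
    # certificate chain; Status is 'Valid' only when both check out.
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    [pscustomobject]@{
        Path   = $file.FullName
        Type   = $file.Extension.TrimStart('.').ToUpper()
        Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
    }
}

# Per-file overview: compare the Signer column against the vendor's
# published signing certificate, not just against "Valid".
$report | Format-Table -AutoSize

# Sideloading heuristic: a folder containing a validly signed EXE plus at
# least one DLL that is not validly signed matches the fake-installer
# pattern and deserves a closer look before anything is run.
$report | Group-Object { Split-Path $_.Path -Parent } | ForEach-Object {
    $signedExe  = $_.Group | Where-Object { $_.Type -eq 'EXE' -and $_.Status -eq 'Valid' }
    $suspectDll = $_.Group | Where-Object { $_.Type -eq 'DLL' -and $_.Status -ne 'Valid' }
    if ($signedExe -and $suspectDll) {
        Write-Warning "Signed executable with unsigned or invalid DLLs in $($_.Name):"
        $suspectDll | ForEach-Object { Write-Warning "  $($_.Path) [$($_.Status)]" }
    }
}
```

A valid signature on the EXE says nothing about the DLLs it will load from the same folder, which is why the heuristic groups files by directory rather than judging each file alone.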
WIKICROOK
- DLL Hijacking: DLL hijacking is a technique in which an application is tricked into loading an attacker-supplied DLL in place of the one it expects, allowing the attacker’s code to run under that application’s identity.
- Process Injection: Process injection is when malware hides within legitimate software processes, making it harder for security tools to detect and remove the threat.
- Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
- Process Hollowing: Process hollowing is a technique where malware starts a legitimate program, replaces its code in memory with malicious code, and lets it run under the legitimate program’s name, helping it evade detection while executing malicious actions.
- Privilege Escalation: Privilege escalation occurs when an attacker gains higher-level access, moving from a regular user account to administrator privileges on a system or network.