www.malwarebytes.com 4/15/2026, 10:47:15 AM · via preferred

Fake VPN and Gaming Mods Used to Spread NWHStealer Infostealer


Malwarebytes reports that a Windows infostealer, tracked as NWHStealer, is being spread through a variety of campaigns using fake VPN downloads, hardware utilities and gaming mods. According to Malwarebytes, the stealer can exfiltrate browser data, saved passwords and cryptocurrency wallet information, enabling account takeovers or further attacks. The campaigns use self-injection or injection into other processes such as RegAsm, with loaders wrapped in MSI or Node.js files to disguise the payload.

Lures include VPN installers, hardware utilities (for example OhmGraphite, Pachtop, HardwareVisualizer, Sidebar Diagnostics), mining software, and games or mods like Xeno. They are hosted across fake Proton VPN websites, GitHub, GitLab, MediaFire and SourceForge, and are also spread via links in gaming- and security-related YouTube videos. In one described scenario, the free web hosting provider onworks[.]net distributed a malicious ZIP that loads the stealer, while other campaigns deliver the malware through DLL hijacking.

The final payload runs in memory or injects into processes like RegAsm.exe, enumerating cryptocurrency wallets and extracting data from multiple browsers before exfiltrating it to a C2 server.
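The behaviour described above (RegAsm.exe touching browser credential stores or wallet data and then talking to the network) can be hunted for by correlating endpoint events per process. The following is an added example, not code from Malwarebytes or the article; the event field names, the marker list and the sample events are constructed assumptions.

```python
import ntpath

HOST_PROCESS = "regasm.exe"
# Assumed markers for browser credential stores and wallet data; extend per environment.
SENSITIVE_MARKERS = ("login data", "logins.json", "wallet")

REGASM = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
PROFILE = r"C:\Users\alice\AppData"

# Constructed sample events (not real telemetry); field names are hypothetical.
EVENTS = [
    {"pid": 4312, "image": REGASM, "type": "file_read",
     "target": PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 4312, "image": REGASM, "type": "file_read",
     "target": PROFILE + r"\Roaming\ExampleWallet\wallet.dat"},
    {"pid": 4312, "image": REGASM, "type": "net_connect", "target": "203.0.113.10:443"},
    # Ordinary assembly registration: reads a DLL, no network activity.
    {"pid": 5120, "image": REGASM, "type": "file_read", "target": r"C:\Build\Plugin.dll"},
    # Network only, no credential or wallet access.
    {"pid": 6000, "image": REGASM, "type": "net_connect", "target": "198.51.100.7:443"},
    # The browser reading its own store is expected and ignored.
    {"pid": 900, "image": CHROME, "type": "file_read",
     "target": PROFILE + r"\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 900, "image": CHROME, "type": "net_connect", "target": "192.0.2.25:443"},
]

def suspicious_regasm(events):
    """Map each RegAsm.exe PID that read sensitive files AND connected out to those files."""
    touched, connected = {}, set()
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != HOST_PROCESS:
            continue
        if ev["type"] == "file_read":
            if any(m in ev["target"].lower() for m in SENSITIVE_MARKERS):
                touched.setdefault(ev["pid"], []).append(ev["target"])
        elif ev["type"] == "net_connect":
            connected.add(ev["pid"])
    return {pid: paths for pid, paths in touched.items() if pid in connected}

if __name__ == "__main__":
    for pid, paths in suspicious_regasm(EVENTS).items():
        print(f"RegAsm.exe pid={pid} read {len(paths)} sensitive file(s) and opened a connection")
```

Requiring both conditions keeps ordinary assembly registration and the browser's own file access out of the results.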


Article by CyberSIXT
