SECURITY researchers have sounded the alarm over CypherLoc, a browser-based scareware campaign that locks users’ browsers and pushes them towards fraudulent tech support. Since the start of 2026, Barracuda researchers said they have observed around 2.8 million attacks using the scareware.
The campaign typically begins with a phishing email that directs the victim to a malicious web page via a link in the email or an attachment, with the full scareware environment only triggering when the page meets several conditions. The code decrypts only under the right conditions, and if the hidden fragment is missing or the page is opened in a scanner, sandbox or test environment, the malicious payload refuses to run and redirects to a blank screen to hinder detection.
The sequence then displays full-screen overlays, plays warning sounds, reveals the user’s IP address, and presents a login popup to escalate panic, while a fraudulent support phone number remains visible as the purported fix. According to Barracuda, the end goal remains unclear, though credential theft is one option.