A cybersecurity campaign is actively targeting users by impersonating Malwarebytes, a widely used security product, with the intent of stealing login credentials and cryptocurrency. The operation, identified by security researchers, was observed spreading between January 11 and January 15, 2026. Threat actors are distributing specially crafted ZIP files that mimic legitimate Malwarebytes installers, posing a significant risk to individuals who are trying to improve their digital security.
The fake installers are named to suggest authenticity, for example “malwarebytes-windows-github-io-X.X.X.zip,” so that users believe they are downloading genuine antivirus protection. The primary objective of the campaign is to deploy an information-stealing malware that harvests critical user data, including financial information and online account credentials.
DLL Sideloading: The Attack Mechanism Used to Impersonate Malwarebytes
Security researchers analyzing the infection patterns and file structures identified the malware through a consistent identifier, a behash value of “4acaac53c8340a8c236c91e68244e6cb,” shared by all of the suspicious ZIP archives. This marker has been instrumental in mapping the campaign’s reach and in uncovering additional variants used in the operation. The malware is delivered in stages, which makes detection and analysis notably harder for security teams.
At the core of the attack is a technique known as DLL sideloading, which abuses the way Windows locates the libraries an executable imports. In this campaign the malicious payload is concealed in a file named CoreMessaging.dll. When a user runs what they believe is the legitimate Malwarebytes executable, the operating system loads this malicious DLL in place of the genuine library of the same name.
The attackers achieve this by placing the fake DLL and the legitimate executable in the same folder. Because Windows looks in the application’s own directory first, the malicious DLL is found and loaded before the genuine copy, without raising immediate suspicion. The malicious DLLs carry distinctive metadata, including the copyright string “© 2026 Eosinophil LLC” and unusual exported functions whose names are alphanumeric sequences such as “15Mmm95ml1RbfjH1VUyelYFCf” and “2dlSKEtPzvo1mHDN4FYgv.” These characteristics allow researchers to identify related samples and track the broader scope of the campaign.
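The two observations above (a known system DLL name dropped beside an executable, and fixed metadata strings inside that DLL) translate directly into a triage check. The following Python script is an added example, not code from the article or from the researchers it cites: it opens a ZIP archive in memory, flags any DLL named CoreMessaging.dll that shares a directory with an .exe, and searches that DLL’s bytes for the copyright notice and the export names quoted in the report. The sample archive is constructed inside the script; the executable name Setup.exe and the DLL contents are placeholders, not the campaign’s real files. One detail a practitioner would want to get right: PE version-info strings such as LegalCopyright are stored as UTF-16LE, so the copyright marker is encoded that way before searching, while export names in the export directory are NUL-terminated ASCII.

```python
import io
import zipfile
from posixpath import dirname
from typing import List, Tuple

# Indicators quoted in the report: the sideloaded DLL's file name, the
# copyright string in its version info, and two of its export names.
SIDELOAD_DLL_NAMES = {"coremessaging.dll"}
COPYRIGHT_MARKER = "© 2026 Eosinophil LLC"
KNOWN_EXPORTS = ("15Mmm95ml1RbfjH1VUyelYFCf", "2dlSKEtPzvo1mHDN4FYgv")


def scan_zip(data: bytes) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for one ZIP archive held in memory.

    Categories:
      sideload-candidate  a watched DLL name sits in the same directory as an .exe
      copyright-marker    the DLL's bytes contain the reported copyright string
      known-export        the DLL's bytes contain one of the reported export names
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        # Map each archive directory to the executables it holds.
        exes_by_dir = {}
        for name in names:
            if name.lower().endswith(".exe"):
                exes_by_dir.setdefault(dirname(name), []).append(name)
        for name in names:
            base = name.rsplit("/", 1)[-1].lower()
            if base not in SIDELOAD_DLL_NAMES:
                continue
            neighbours = exes_by_dir.get(dirname(name), [])
            if neighbours:
                findings.append(("sideload-candidate",
                                 f"{name} beside {', '.join(neighbours)}"))
            blob = zf.read(name)
            # VERSIONINFO strings (LegalCopyright etc.) are UTF-16LE inside a PE,
            # so an ASCII/UTF-8 search would miss the copyright notice.
            if COPYRIGHT_MARKER.encode("utf-16-le") in blob:
                findings.append(("copyright-marker", name))
            # Export names in the PE export directory are NUL-terminated ASCII.
            for export in KNOWN_EXPORTS:
                if export.encode("ascii") + b"\x00" in blob:
                    findings.append(("known-export", f"{name}:{export}"))
    return findings


def build_sample_zip(malicious: bool) -> bytes:
    """CONSTRUCTED sample archive for demonstration; no real binaries are used.

    'Setup.exe' is a placeholder name; the report does not name the executable.
    The DLL body only embeds the reported strings so the checks have something
    to match on.
    """
    folder = "malwarebytes-windows-github-io-X.X.X"  # naming pattern from the report
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"{folder}/Setup.exe", b"MZ" + b"\x00" * 64)
        if malicious:
            dll = (b"MZ" + b"\x00" * 32
                   + COPYRIGHT_MARKER.encode("utf-16-le") + b"\x00\x00"
                   + KNOWN_EXPORTS[0].encode("ascii") + b"\x00")
            zf.writestr(f"{folder}/CoreMessaging.dll", dll)
        else:
            zf.writestr(f"{folder}/helper.dll", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for category, detail in scan_zip(build_sample_zip(malicious=True)):
        print(f"[{category}] {detail}")
```

The co-location check is the one that generalises: any DLL whose name matches a library normally resolved from the system directory, found next to an executable inside a downloaded archive, deserves a closer look even when the string indicators change between variants. For real samples the byte searches would be replaced by proper parsing of the version resource and export table (for example with the pefile library), since string matching on raw bytes cannot tell a resource string from incidental data.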
Once the malicious DLL is loaded, it deploys second-stage infostealers. These tools are engineered to target cryptocurrency wallet data and saved browser credentials. Exfiltrating this data lets attackers carry out identity theft and illicit cryptocurrency transactions, causing substantial financial losses for victims.
The distribution mechanism of these fake Malwarebytes installers remains under active investigation. However, the sophistication of the social engineering tactics employed, combined with the technical methods used to bypass security measures, highlights the evolving nature of cyber threats. Users are strongly advised to exercise extreme caution when downloading software, particularly from unofficial sources, and to always verify the authenticity of installers before execution. Maintaining up-to-date antivirus software and practicing good cybersecurity hygiene are crucial defenses against such targeted attacks.