From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere
Essential information
- Published
- 15/04/2026 18:13
- Modified
- 20/04/2026 11:22
- Source / Author
- AlienVault
- Confidence
- 100/100
- Report type(s)
- threat-report
- Labels / Tags
- browser data theft, cryptocurrency theft, fake websites, infostealer, nwhstealer
- Tags
- 2026-04-15, 2026-04-17, browser data theft, cryptocurrency theft, cryptocurrency wallet theft, dll hijacking, fake vpn, fake websites, infostealer, nwhstealer, process injection, uac bypass
- Related entities
- 6 indicators, 6 observables, 27 techniques (mitre), 1 malware, 3 others
Description
Multiple campaigns are distributing NWHStealer through diverse lures, including fake VPN downloads, hardware utilities, and gaming modifications. The infostealer collects browser data, saved passwords, and cryptocurrency wallet information. Distribution relies on fake websites impersonating legitimate services such as Proton VPN, on code hosting platforms such as GitHub and GitLab, on file hosting services including MediaFire and SourceForge, and on links placed in YouTube videos.

Two primary infection chains are analyzed. The first uses a free web hosting provider to distribute malicious ZIP files containing self-injecting loaders. The second uses fake websites to deliver a DLL hijacking chain in which the hijacked DLL injects the stealer into the RegAsm.exe process, a signed .NET framework binary, so that the malicious code runs under a trusted image name.

The stealer targets over 25 cryptocurrency wallets and multiple browsers. Collected data is AES-CBC encrypted before exfiltration to command-and-control servers, and persistence is maintained through scheduled tasks combined with UAC bypass techniques.
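The behaviours summarised above (a DLL loaded from a user-writable directory, code injected into RegAsm.exe, RegAsm.exe opening a network connection, and a scheduled task whose action lives under a user profile) all leave traces in Sysmon telemetry. The hunt below is an added example written for this page, not code from the AlienVault report or the campaign analysis it summarises. The event records are constructed inline with Sysmon field names (Image, ParentImage, ImageLoaded, SourceImage, TargetImage, CommandLine); the file names, directories and the 203.0.113.10 address are placeholders, not indicators from the report.

```python
"""Hunt Sysmon-style events for the NWHStealer tradecraft described above.

Added example, not the report's own code. Events are constructed; every path,
file name and IP address below is a placeholder, not an indicator.
"""
from __future__ import annotations

# Directories where legitimately installed Windows / .NET binaries live.
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
)
# Path fragments that mark user-writable locations (downloads, profiles, temp).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")


def _n(path: str) -> str:
    """Normalise a Windows path for case-insensitive comparison."""
    return path.lower()


def in_system_dir(path: str) -> bool:
    return _n(path).startswith(SYSTEM_DIRS)


def in_user_writable(path: str) -> bool:
    p = _n(path)
    return any(marker in p for marker in USER_WRITABLE)


def is_regasm(image: str) -> bool:
    return _n(image).endswith("\\regasm.exe")


def hunt(events: list[dict]) -> list[tuple[str, str]]:
    """Return (finding_kind, detail) pairs for events matching the TTPs."""
    findings: list[tuple[str, str]] = []
    for e in events:
        eid = e["EventID"]
        if eid == 1:  # process creation
            # RegAsm.exe is normally spawned by installers or build tools,
            # not by a binary sitting in a download or profile directory.
            if is_regasm(e["Image"]) and in_user_writable(e.get("ParentImage", "")):
                findings.append(("regasm_unusual_parent", e["ParentImage"]))
            cmd = e.get("CommandLine", "")
            # Persistence: schtasks /create whose action points into user space.
            if (_n(e["Image"]).endswith("\\schtasks.exe")
                    and "/create" in _n(cmd) and in_user_writable(cmd)):
                findings.append(("schtask_user_writable_action", cmd))
        elif eid == 3 and is_regasm(e["Image"]):  # network connection
            # RegAsm.exe has no business talking to the network: C2 / exfil.
            findings.append(("regasm_network",
                             f"{e['DestinationIp']}:{e['DestinationPort']}"))
        elif eid == 7:  # image (DLL) loaded
            # Sideload / search-order hijack candidate: unsigned DLL loaded
            # from a user-writable directory.
            if in_user_writable(e["ImageLoaded"]) and _n(e.get("Signed", "false")) != "true":
                findings.append(("unsigned_dll_from_user_writable", e["ImageLoaded"]))
        elif eid in (8, 10):  # CreateRemoteThread / ProcessAccess
            # Injection into RegAsm.exe from a process in user space.
            if is_regasm(e["TargetImage"]) and in_user_writable(e["SourceImage"]):
                findings.append(("regasm_injection_source", e["SourceImage"]))
    return findings


REGASM = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
DROPPER = "C:\\Users\\victim\\Downloads\\fake_vpn_setup\\setup.exe"  # constructed

# Constructed sample telemetry: one benign event followed by the infection chain.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 7, "Image": DROPPER,
     "ImageLoaded": "C:\\Users\\victim\\Downloads\\fake_vpn_setup\\version.dll", "Signed": "false"},
    {"EventID": 1, "Image": REGASM, "ParentImage": DROPPER, "CommandLine": "RegAsm.exe"},
    {"EventID": 10, "SourceImage": DROPPER, "TargetImage": REGASM},
    {"EventID": 3, "Image": REGASM, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": REGASM,
     "CommandLine": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\victim\\AppData\\Roaming\\upd.exe"},
]


if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_EVENTS):
        print(f"{kind:32s} {detail}")
```

Run against real Sysmon exports (for example `Get-WinEvent` output converted to dicts), the five finding kinds line up with the chain in the description: sideloaded DLL, RegAsm.exe spawned from a download directory, cross-process access into RegAsm.exe, RegAsm.exe network traffic, and a scheduled task pointing into the user profile. Each rule alone is noisy in some environments (developers legitimately run RegAsm.exe on DLLs under their profile), so treat a single hit as a hunt lead and two or more kinds from the same host within a short window as the alert condition.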