From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

Published 15/04/2026 18:13 · Modified 20/04/2026 11:22

Essential information

Published
15/04/2026 18:13
Modified
20/04/2026 11:22
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
browser data theft, cryptocurrency theft, fake websites, infostealer, nwhstealer
Tags
2026-04-15, 2026-04-17, browser data theft, cryptocurrency theft, cryptocurrency wallet theft, dll hijacking, fake vpn, fake websites, infostealer, nwhstealer, process injection, uac bypass
Related entities
6 indicators, 6 observables, 27 techniques (mitre), 1 malware, 3 others

Description

Multiple campaigns are distributing the stealer through diverse platforms, including downloads, hardware utilities, and gaming modifications. The stealer collects browser data, saved passwords, and cryptocurrency wallet information. Distribution occurs via fake websites impersonating legitimate services like Proton VPN, code hosting platforms such as GitHub and GitLab, file hosting services including MediaFire and SourceForge, and links from YouTube videos. Two primary infection methods are analyzed: one using a free web hosting provider to distribute malicious ZIP files with self-injection loaders, and another employing DLL hijacking with process injection techniques that inject into the RegAsm process. The stealer targets over 25 cryptocurrency wallets and multiple browsers, exfiltrates data to command-and-control servers using AES-CBC encryption, and maintains persistence through scheduled tasks and UAC bypass techniques.

External references