New Windows malware called NWHStealer is spreading through fake Proton VPN websites, gaming cheats and hardware tools. Browser passwords and crypto wallets are all at risk. Read the article to learn how this campaign works.
NWHStealer Spread via Fake VPN Sites and Gaming Mods
In April 2026, security researchers at Malwarebytes discovered a new and very dangerous malware called NWHStealer. It is an information stealer, i.e. a program that installs itself on your computer and silently steals your personal data. Browser passwords, saved cookies, cryptocurrency wallets: all of it is in this malware's sights.
What makes this campaign different from others is that these people do not send ordinary phishing emails. Their strategy is to hide the malware inside files that people look for and happily download themselves. When someone searches for a file and installs it himself, there is no suspicion.
Gabriele Orini, Malware Research Engineer at Malwarebytes, documented this campaign. His investigation revealed that NWHStealer is present in many places: fake websites pretending to be Proton VPN, files uploaded to GitHub and GitLab, file-sharing services like MediaFire and SourceForge, and links in the video descriptions of gaming and security related YouTube channels.
The malware disguises itself as a variety of things: a VPN installer, hardware diagnostic tools like OhmGraphite, HardwareVisualizer and Sidebar Diagnostics, and gaming cheats and mods like Xeno. This means that the file you download believing it to be trustworthy may have been planted by an attacker.
Malware Delivery Through Free Hosting Platforms
The most surprising finding of the investigation was that a free web hosting service called onworks[.]net, which is among the top 100,000 websites globally and lets users run virtual machines in the browser, was hosting malicious ZIP files in its download section.
The names of these files looked completely normal, like HardwareVisualizer_1.3.1.zip, Sidebar Diagnostics-3.6.5.zip and Pachtop_1.2.2.zip. As soon as someone downloaded one of these archives and ran the executable inside, the infection started.
This executable contained a loader that checked the environment and, if any analysis tool was found, immediately exited. The next stage then decrypted the AES-CBC-encrypted payload and loaded it. Junk code was also stuffed into the loader to confuse automated security tools.
Fake VPN Sites and DLL Hijacking
The second technique was a little more technical and multi-layered. Attackers created fake websites imitating Proton VPN and posted links to them on hijacked YouTube channels, along with AI-generated videos demonstrating the installation process, to make everything appear legitimate. These websites served a malicious ZIP file.
This ZIP file contained what appeared to be a WinRAR executable, but a malicious WindowsCodecs.dll library was bundled alongside it. When the WinRAR executable was run, this DLL was automatically loaded; this is called DLL hijacking. The DLL decrypted two things: a second-stage DLL named runpeNew.dll and the actual payload.
The second-stage DLL used process hollowing to inject the malware into the legitimate Windows process RegAsm.exe, meaning the malware ran under the name of a genuine Windows tool.
NWHStealer Behavior on Infected Systems
When NWHStealer runs on a system, it does many things one after another. First it enumerates more than 25 folders and registry keys associated with cryptocurrency wallets, including Bitcoin, Ethereum and wallets for other currencies.
Then it collects data from browsers: Microsoft Edge, Google Chrome, Opera, Brave, Chromium and 360 Browser are all targeted. Just checking folders is not enough for it: it injects a DLL directly into the browser processes msedge.exe, firefox.exe and chrome.exe and decrypts the data from inside them.
The data it collects is encrypted with AES-CBC and sent to the C2 server. If the primary server goes offline, the malware obtains a new C2 address from a Telegram channel, a technique known as a dead drop.
How Windows Defender Was Bypassed
One of the notable features of NWHStealer is that it also protects itself from Windows Defender. When injected into a browser process, it runs a PowerShell command that creates hidden directories in LOCALAPPDATA and then adds those directories to Windows Defender's exclusion list, meaning Defender will never scan them.
It forces a Group Policy update so that the changes are locked in and applied the next time the computer starts. To do this, it creates scheduled tasks that run with elevated privileges at user logon.
It also uses an old technique called the CMSTP bypass to get around User Account Control, which normally asks for administrator confirmation. It creates a randomly named .inf file in the temp folder and elevates privileges via cmstp.exe without any visible prompt.
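As an added example (not from the Malwarebytes write-up), the PowerShell audit below checks a host for the three artefacts just described: Defender exclusions pointing into AppData\Local, scheduled tasks that run elevated at logon, and recently written .inf files in the temp folder. It assumes an elevated session; the cmdlets used ship with Windows.

```powershell
# Added audit script, not part of the original article. Run from an elevated
# PowerShell session on the host being checked. Findings are collected in $findings.
$findings = @()

# 1. Defender exclusions that point into a user's AppData\Local (the campaign adds
#    hidden LOCALAPPDATA directories to the exclusion list).
$exclusions = @((Get-MpPreference).ExclusionPath)
foreach ($path in $exclusions) {
    if ($path -like '*\AppData\Local\*') {
        $hidden = $false
        if (Test-Path -LiteralPath $path) {
            $attrs  = (Get-Item -LiteralPath $path -Force).Attributes
            $hidden = [bool]($attrs -band [IO.FileAttributes]::Hidden)
        }
        $findings += [pscustomobject]@{ Check = 'DefenderExclusion'; Item = $path; Detail = "Hidden=$hidden" }
    }
}

# 2. Scheduled tasks with a logon trigger that run with highest privileges, outside
#    the \Microsoft\ task folder (which holds the built-in Windows tasks).
$tasks = Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }
foreach ($task in $tasks) {
    $logon = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }
    if ($logon -and $task.Principal.RunLevel -eq 'Highest') {
        $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings += [pscustomobject]@{ Check = 'ElevatedLogonTask'; Item = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd }
    }
}

# 3. .inf files written to the temp folder in the last 7 days (the CMSTP bypass drops one there).
$infFiles = Get-ChildItem -LiteralPath $env:TEMP -Filter *.inf -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
foreach ($inf in $infFiles) {
    $findings += [pscustomobject]@{ Check = 'TempInfFile'; Item = $inf.FullName; Detail = "Written $($inf.LastWriteTime)" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No artefacts matching the NWHStealer persistence pattern were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Any exclusion or elevated logon task you did not create yourself deserves a closer look; legitimate software rarely needs either inside a hidden AppData\Local folder.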
YouTube, GitHub and Crypto Wallets Under Target
A particular target of this malware is cryptocurrency wallets. More than 25 different wallet types are enumerated, including backup files of hardware wallets, software wallets and browser extensions like MetaMask. If someone holds Bitcoin or any digital currency and their wallet was on the infected computer, all of it could potentially be lost.
This is dangerous because cryptocurrency transactions are not reversible: once the money is gone, it cannot be recovered. Researchers observed that the stolen information is immediately encrypted and sent to the server, which means the chance of recovery is very low.
An important lesson of this campaign is that trusted platforms should not always be trusted. The hijacked YouTube channels appear completely normal, with a healthy subscriber count, old videos, and new videos that look professionally made by AI.
Anyone can create an account on GitHub and upload malicious files, and not every starred or popular-looking project is safe. SourceForge, also a trusted name, was weaponized in this campaign too. Therefore, before downloading a file, always compare it with the official website, check the file's digital signature, and verify the publisher.
How to Stay Safe
Malwarebytes has provided some important and practical advice. First of all, always download software from the official website: if you want Proton VPN, go to protonvpn.com, not any other site. Be very careful on GitHub, SourceForge and other file-sharing sites unless you have confirmed the name and verified identity of the publisher. Don't click on links in YouTube video descriptions; this is a very common trap.
Check the file signature and version of any executable before running it. A practical tip: install the Malwarebytes Browser Guard browser extension, which blocks malicious URLs. For cryptocurrency wallets, use a hardware wallet, which is physically separate and has no online exposure.
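An added example, not the article's or Malwarebytes' code, for the signature check recommended here and the DLL hijacking described under the Proton VPN lure: it lists the Authenticode status of every EXE and DLL in an extracted download and flags DLLs that sit beside a validly signed executable but are unsigned or signed by a different publisher. $ArchiveDir is an assumed path.

```powershell
# Added example, not from the original article. Point $ArchiveDir at the folder where
# a downloaded ZIP was extracted (the default below is an assumed path).
param([string]$ArchiveDir = "$env:USERPROFILE\Downloads\extracted")

# Authenticode status of every executable and library in the extracted tree.
$report = Get-ChildItem -LiteralPath $ArchiveDir -Recurse -File |
    Where-Object { $_.Extension -in '.exe', '.dll' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File      = $_.FullName
            Name      = $_.Name
            Directory = $_.DirectoryName
            IsDll     = ($_.Extension -eq '.dll')
            Status    = [string]$sig.Status        # Valid, NotSigned, HashMismatch, ...
            Publisher = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
        }
    }

# Side-loading pattern: a DLL next to a validly signed EXE that is itself unsigned or
# signed by someone other than the EXE's publisher. The WinRAR lure above planted
# WindowsCodecs.dll this way, so that name is called out explicitly.
$suspicious = foreach ($group in ($report | Group-Object Directory)) {
    $signedExes = @($group.Group | Where-Object { -not $_.IsDll -and $_.Status -eq 'Valid' })
    if ($signedExes.Count -eq 0) { continue }
    $publishers = @($signedExes | ForEach-Object { $_.Publisher })
    $group.Group | Where-Object {
        $_.IsDll -and ($_.Status -ne 'Valid' -or $_.Publisher -notin $publishers)
    } | ForEach-Object {
        [pscustomobject]@{
            Dll       = $_.File
            Status    = $_.Status
            Publisher = $_.Publisher
            KnownLure = ($_.Name -ieq 'WindowsCodecs.dll')
            BesideExe = ($signedExes | ForEach-Object { $_.Name }) -join ', '
        }
    }
}

Write-Output "Signature status of files under $ArchiveDir"
$report | Format-Table Name, Status, Publisher -AutoSize
if ($suspicious) {
    Write-Output 'DLLs matching the side-loading pattern (treat the download as untrusted):'
    $suspicious | Format-Table -AutoSize -Wrap
} else {
    Write-Output 'No DLL beside a signed executable was unsigned or signed by another publisher.'
}
```

A Status of Valid only says the file carries an intact signature; still confirm that Publisher is the vendor you expected before running anything.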
Critical Risks and Impact
The NWHStealer campaign is more dangerous than other malware campaigns because it goes after people who know how to use technology. Downloading VPNs, getting tools from GitHub and installing hardware diagnostic software are things normally done by tech-savvy people.
But these same people fell prey to this campaign. Analysts at Malwarebytes confirmed that the campaign is still active, with new distribution channels and new lures constantly being added. And because the C2 backup is on Telegram, the infrastructure is difficult to shut down. This is a wake-up call that no platform in the digital world is 100% safe and a moment's negligence can lead to trouble.