
Impersonating a trusted security brand lowers user suspicion and accelerates credential and crypto‑asset theft; it also shows why software provenance, not a familiar product name, has to be what gates an install.
Brand impersonation has become a favored vector for cyber‑criminals because it exploits the inherent trust users place in reputable software. By naming malicious archives after Malwarebytes—a well‑known anti‑malware solution—attackers bypass initial skepticism, increasing download rates. This tactic mirrors broader trends where threat actors co‑opt legitimate brand identities to mask ransomware, phishing, and supply‑chain attacks, forcing organizations to reassess how they validate software provenance and educate end‑users about deceptive naming schemes.
Technically, the campaign leverages DLL sideloading: a malicious library is given the name of a DLL that a trusted, legitimately signed executable expects, and is dropped into that executable's directory, so the Windows loader's search order resolves it before the genuine copy in System32. The CoreMessaging.dll payload carries obscure metadata strings and randomised export names, deliberately designed to evade signature‑based detection. Consistent ZIP structures and a shared behash (VirusTotal's behaviour‑report hash, here 4acaac53c8340a8c236c91e68244e6cb) provide a reliable hunting anchor, while a secondary behash (5ddb604194329c1f182d7ba74f6f5946) tags the final infostealer stage. The inclusion of a minimal TXT file containing a GitHub URL acts as a pivot point: querying that file's execution parents on VirusTotal quickly surfaces the archives and loaders that dropped it, illustrating how low‑complexity artifacts can amplify threat‑intel visibility.
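The archive triage step described above, written out as an added example (not the campaign's artifacts or any vendor's tooling): it walks a ZIP, flags the EXE-plus-shadowed-system-DLL layout that marks a sideloading bundle, pulls URLs out of any small TXT file, and emits the VirusTotal pivots a hunter would run next (the `behash:` searches with the two hashes quoted on the page, and the `files/<sha256>/execution_parents` relationship of the TXT file). The sample archive, its file names and the GitHub URL inside it are constructed placeholders; the "PE" entries are stand-ins carrying only the MZ magic.

```python
"""Static triage of a lure archive for the sideloading-bundle pattern (added example)."""
import hashlib
import io
import re
import zipfile
from posixpath import basename, dirname

# Behaviour hashes quoted on the page (VirusTotal behash values).
LOADER_BEHASH = "4acaac53c8340a8c236c91e68244e6cb"
STEALER_BEHASH = "5ddb604194329c1f182d7ba74f6f5946"

# DLL names an application normally resolves from System32; a copy placed next to
# the EXE is the sideloading tell. CoreMessaging.dll is the name from the campaign.
SIDELOAD_DLL_NAMES = {"coremessaging.dll"}

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
SMALL_TXT_LIMIT = 512  # assumption: the pivot TXT file is tiny


def triage_zip(data: bytes) -> dict:
    """Inspect an archive for EXE + shadowed system DLL + URL-bearing TXT."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info.filename)
            entries.append({
                "name": info.filename,
                "dir": dirname(info.filename),
                "base": basename(info.filename).lower(),
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "is_pe": blob[:2] == b"MZ",
                "blob": blob,
            })

    # Directories that hold an executable; a watched DLL in one of them is suspicious.
    exe_dirs = {e["dir"] for e in entries if e["base"].endswith(".exe") and e["is_pe"]}
    sideload_dlls = [e["name"] for e in entries
                     if e["base"] in SIDELOAD_DLL_NAMES and e["is_pe"] and e["dir"] in exe_dirs]

    # Small TXT files with URLs are pivot material: hash them for relationship lookups.
    pivot_urls, pivot_hashes = [], []
    for e in entries:
        if e["base"].endswith(".txt") and e["size"] <= SMALL_TXT_LIMIT:
            urls = [u.decode("ascii", "replace") for u in URL_RE.findall(e["blob"])]
            if urls:
                pivot_urls.extend(urls)
                pivot_hashes.append(e["sha256"])

    vt_pivots = []
    if sideload_dlls:
        # VT Intelligence searches for siblings sharing the campaign's behaviour hashes.
        vt_pivots += [f"behash:{LOADER_BEHASH}", f"behash:{STEALER_BEHASH}"]
        # VT API v3 relationship: which files were observed writing/dropping the TXT.
        vt_pivots += [f"files/{h}/execution_parents" for h in pivot_hashes]

    return {
        "verdict": "sideload-bundle" if sideload_dlls else "no-sideload-pattern",
        "sideload_dlls": sideload_dlls,
        "pivot_urls": pivot_urls,
        "vt_pivots": vt_pivots,
        "hashes": {e["name"]: e["sha256"] for e in entries},
    }


def _fake_pe(tag: bytes) -> bytes:
    # Constructed stand-in for a PE file; only the MZ magic matters to this triage.
    return b"MZ" + b"\x90" * 62 + tag


def build_sample_zip() -> bytes:
    """Constructed lure archive mirroring the layout the page describes (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("MalwarebytesSetup/Malwarebytes.exe", _fake_pe(b"signed-host-exe"))
        zf.writestr("MalwarebytesSetup/CoreMessaging.dll", _fake_pe(b"payload"))
        # Placeholder URL, not the campaign's.
        zf.writestr("MalwarebytesSetup/readme.txt", b"https://github.com/example-org/example-repo\n")
    return buf.getvalue()


def build_clean_zip() -> bytes:
    """Constructed benign archive: an EXE with its own helper DLL and a plain TXT."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Tool/tool.exe", _fake_pe(b"exe"))
        zf.writestr("Tool/helper.dll", _fake_pe(b"dll"))
        zf.writestr("Tool/readme.txt", b"Run tool.exe to start.\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("lure", build_sample_zip()), ("clean", build_clean_zip())):
        r = triage_zip(data)
        print(label, r["verdict"], r["sideload_dlls"], r["pivot_urls"], r["vt_pivots"])
```

The `behash:` queries are VT Intelligence search syntax and the `execution_parents` path is a VT API v3 file relationship; wiring either to the live API (and the API key) is left to the SOC's own client.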
Defenders can mitigate this threat by enforcing strict verification of installer sources, employing hash‑based allowlisting, and deploying behavior‑focused detection rules. YARA rules keyed to the unusual export patterns, combined with EDR rules that alert when CoreMessaging.dll is loaded from anywhere other than the Windows system directories (the filename alone is a poor signature, since a legitimate CoreMessaging.dll ships with Windows), cut detection latency considerably. Moreover, integrating VirusTotal API pivots into SOC workflows enables rapid clustering of new samples. As brand‑based lures proliferate, the security community must prioritize brand‑aware threat intelligence and reinforce supply‑chain hygiene to protect credentials and crypto assets from similar impersonation campaigns.
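The EDR side of that advice, as an added example rather than any vendor's rule: detection logic run over constructed Sysmon Event ID 7 (image load) records. A watched DLL name loaded from outside the Windows system directories raises an alert, with extra weight when the DLL sits beside the host executable (the search-order sideload) and when it is unsigned. The process names, paths and signer strings in the sample events are constructed; the allowlisted system directories are an assumption that a real deployment would extend (for instance with WinSxS) after baselining.

```python
"""Sysmon image-load detection for a shadowed system DLL (added example)."""
import json
import ntpath

# Locations where the genuine DLL legitimately lives (assumption; extend after baselining).
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# DLL names worth watching; CoreMessaging.dll is the campaign's, others can be added.
WATCHED_DLLS = {"coremessaging.dll"}


def _norm(path: str) -> str:
    """Lower-case and backslash-normalise a Windows path for comparison."""
    return path.replace("/", "\\").lower()


def detect_sideload(ev: dict):
    """Return an alert dict for a suspicious image load, or None."""
    if ev.get("EventID") != 7:
        return None
    loaded = _norm(ev["ImageLoaded"])
    name = ntpath.basename(loaded)
    if name not in WATCHED_DLLS:
        return None
    loaded_dir = ntpath.dirname(loaded)
    if loaded_dir in SYSTEM_DLL_DIRS:
        return None  # resolved from the system directory: the expected case
    reasons = [f"{name} loaded from non-system path {loaded_dir}"]
    if loaded_dir == ntpath.dirname(_norm(ev["Image"])):
        reasons.append("DLL sits beside the host executable (search-order sideload)")
    if str(ev.get("Signed", "")).lower() != "true":
        reasons.append("DLL is unsigned")
    return {"process": ev["Image"], "dll": ev["ImageLoaded"], "reasons": reasons}


def scan_events(lines):
    """Parse JSON-serialised Sysmon events and collect alerts."""
    alerts = []
    for line in lines:
        alert = detect_sideload(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (raw strings so the JSON keeps its backslashes).
SAMPLE_EVENTS = [
    # Benign: the real DLL loaded from System32 by a system process.
    r'{"EventID":7,"Image":"C:\\Windows\\explorer.exe","ImageLoaded":"C:\\Windows\\System32\\CoreMessaging.dll","Signed":"true","Signature":"Microsoft Windows"}',
    # Benign: case variant of the WOW64 copy.
    r'{"EventID":7,"Image":"C:\\Program Files (x86)\\App\\app.exe","ImageLoaded":"c:\\windows\\syswow64\\CoreMessaging.DLL","Signed":"true","Signature":"Microsoft Windows"}',
    # Benign: an application loading its own, non-watched helper DLL.
    r'{"EventID":7,"Image":"C:\\Tools\\tool.exe","ImageLoaded":"C:\\Tools\\helper.dll","Signed":"false","Signature":""}',
    # Sideload: watched DLL beside an executable in Downloads, unsigned.
    r'{"EventID":7,"Image":"C:\\Users\\v\\Downloads\\MalwarebytesSetup\\Malwarebytes.exe","ImageLoaded":"C:\\Users\\v\\Downloads\\MalwarebytesSetup\\CoreMessaging.dll","Signed":"false","Signature":""}',
    # Unrelated event type is ignored.
    r'{"EventID":1,"Image":"C:\\Users\\v\\Downloads\\MalwarebytesSetup\\Malwarebytes.exe"}',
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a["process"], "->", a["dll"])
        for r in a["reasons"]:
            print("   ", r)
```

The path match is deliberately exact on the directory rather than a prefix test, so a DLL in a subfolder under System32 still fires; the `Signed` check is a supporting signal only, since attackers can and do sign sideloaded payloads.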