IT NEWS

Researchers have discovered a new attack targeting Mac users. It lures them to a fake job website, then tricks them into downloading malware via a bogus software update.

The attackers pose as recruiters and contact people via LinkedIn, encouraging them to apply for a role. As part of the application process, victims are required to record a video introduction and upload it to a special website.

On that website, visitors are tricked into installing a so-called update for FFmpeg media file-processing software which is, in reality, a backdoor. This method, known as the Contagious Interview campaign, points to the Democratic People’s Republic of Korea (DPRK).

Contagious Interview is an illicit job-platform campaign that targets job seekers with social engineering tactics. The actors impersonate well-known brands and actively recruit software developers, artificial intelligence researchers, cryptocurrency professionals, and candidates for both technical and non-technical roles.

The malicious website first asks the victim to complete a “job assessment.” When the applicant tries to record a video, the site claims that access to the camera or microphone is blocked. To “fix” it, the site prompts the user to download an “update” for FFmpeg.

Much like in ClickFix attacks, victims are given a curl command to run in their Terminal. That command downloads a script which ultimately installs a backdoor onto their system. A “decoy” application then appears with a window styled to look like Chrome, telling the user Chrome needs camera access. Next, a window prompts for the user’s password, which, once entered, is sent to the attackers via Dropbox.

The end-goal of the attackers is Flexible Ferret, a multi-stage macOS malware chain active since early 2025. Here’s what it does and why it’s dangerous for affected Macs and users:

After stealing the password, the malware immediately establishes persistence by creating a LaunchAgent. This ensures it reloads every time the user logs in, giving attackers long-term, covert access to the infected Mac.

FlexibleFerret’s core payload is a Go-based backdoor. It enables attackers to:

• Collect detailed information about the victim’s device and environment
• Upload and download files
• Execute shell commands (providing full system control)
• Extract Chrome browser profile data
• Automate additional credential and data theft

Basically, this means the infected Mac becomes part of a remote-controlled botnet with direct access for cybercriminals.

How to stay safe

While this campaign targets Mac users, that doesn’t mean Windows users are safe. The same lure is used, but the attacker is known to use the information stealer InvisibleFerret against Windows users.

The best way to stay safe is to be able to recognize attacks like these, but there are some other things you can do.

• Always keep your operating system, software, and security tools updated regularly with the latest patches to close vulnerabilities.
• Do not follow instructions to execute code on your machine that you don’t fully understand. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
• Use a real-time anti-malware solution with a web protection component.
• Be extremely cautious with unsolicited communications, especially those inviting you to meetings or requesting software installs or updates; verify the sender and context independently.
• Avoid clicking on links or downloading attachments from unknown or unexpected sources. Verify their authenticity first.
• Compare the URL in the browser’s address bar to what you’re expecting.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Several researchers have flagged a new development in the ongoing ClickFix campaign: Attackers are now mimicking a Windows update screen to trick people into running malware.

ClickFix campaigns use convincing lures, historically “Human Verification” screens, and now a fake “Windows Update” splash page that exactly mimics the real Windows update interface. Both require the user to paste a command from the clipboard, making the attack depend heavily on user interaction.

As shown by Joe Security, ClickFix now displays its deceptive instructions on a page designed to look exactly like a Windows update.

In full-screen mode, visitors running Windows see instructions telling them to copy and paste a malicious command into the Run box.

“Working on updates. Please do not turn off your computer.
Part 3 of 3: Check security
95% complete

Attention!
To complete the update, install
the critical Security Update

[… followed by the steps to open the Run box, paste “something” from your clipboard, and press OK to run it]

The “something” the attackers want you to run is an mshta command that downloads and runs a malware dropper. Usually, the final payload is the Rhadamanthys infostealer.

Technical details

If the user follows the displayed instructions this launches a chain of infection steps:

• Stage 1: mshta.exe downloads a script (usually JScript). URLs consistently use hex-encoding for the second octet and often rotate URI paths to evade signature-based blocklists
• Stage 2: The script runs PowerShell code, which is obfuscated with junk code to confuse analysis.
• Stage 3: PowerShell decrypts and loads a .NET assembly acting as a loader.
• Stage 4: The loader extracts the next stage (malicious shellcode) hidden within a resource image using custom steganography. In essence, we use the name steganography for every technique that conceals secret messages in something that doesn’t immediately cause suspicion. In this case, the malware is embedded in specific pixel color data within PNG files, making detection difficult.
• Stage 5: The shellcode is injected into a trusted Windows process (like explorer.exe), using classic in-memory techniques like VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.
• Final payload: Recent attacks delivered info-stealing malware like LummaC2 (with configuration extractors provided by Huntress) and the Rhadamanthys information stealer.

Details about the steganography used by ClickFix:

Malicious payloads are encoded directly into PNG pixel color channels (especially the red channel). A custom steganographic algorithm is used to extract the shellcode from the raw PNG file.

• The attackers secretly insert parts of the malware into the image’s pixels, especially by carefully changing the color values in the red channel (which controls how red each pixel is).
• To anyone viewing the picture, it still looks totally normal. No clues that it’s something more than just an image.
• But when the malware script runs, it knows exactly where to “look” inside the image to find those hidden bits.
• The script extracts and decrypts this pixel data, stitches the pieces together, and reconstructs the malware directly in your computer’s memory.
• Since the malware is never stored as an obvious file on disk and is hidden inside an innocent-looking picture, it’s much harder for anti-malware or security programs to catch.

How to stay safe

With ClickFix running rampant—and it doesn’t look like it’s going away anytime soon—it’s important to be aware, careful, and protected.

• Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
• Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
• Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
• Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.
• Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Messaging giant WhatsApp has around three billion users in more than 180 countries. Researchers say they were able to identify around 3.5 billion registered WhatsApp accounts thanks to a flaw in the software. That higher number is possible because WhatsApp’s API returns all accounts registered to phone numbers, including inactive, recycled, or abandoned ones, not just active users.

If you’re going to message a WhatsApp user, first you need to be sure that they have an account with the service. WhatsApp lets apps do that by sending a person’s phone number to an application programming interface (API). The API checks whether each number is registered with WhatsApp and returns basic public information.

WhatsApp’s API will tell any program that asks it if a phone number has a WhatsApp account registered to it, because that’s how it identifies its users. But this is only supposed to process small numbers of requests at a time.

In theory, WhatsApp should limit how many of these lookups you can do in a short period, to stop abuse. In practice, researchers at the University of Vienna and security lab SBA Research found that those “intended limits” were easy to blow past.

They generated billions of phone numbers matching valid formats in 245 countries and fired them at WhatsApp’s servers. The contact discovery API replied quickly enough for them to query more than 100 million numbers per hour and confirm over 3.5 billion active accounts.

The team sent around 7,000 queries per second from a single source IP address. That volume of traffic should raise the eyebrows of any decent IT administrator, yet WhatsApp didn’t block the IP or the test accounts, and the researchers say they experienced no effective rate-limiting:

“To our surprise, neither our IP address nor our accounts have been blocked by WhatsApp. Moreover, we did not experience any prohibitive rate-limiting.”

Data-palooza at WhatsApp

The data exposed goes beyond identification of active phone numbers. By checking the numbers against other publicly accessible WhatsApp endpoints, the researchers were able to collect:

• profile pictures (publicly visible ones)
• “about” profile text
• metadata tied to accounts

Profile photos were available for a large portion of users–roughly two-thirds are in the US region–based on a sample. That raises obvious privacy concerns, especially when combined with modern AI tools. The researchers warned:

“In the hands of a malicious actor, this data could be used to construct a facial recognition–based lookup service — effectively a ‘reverse phone book’ — where individuals and their related phone numbers and available metadata can be queried based on their face.”

The “about” text, which defaults to “Hey there! I’m using WhatsApp,” can also reveal more than intended. Some users include political views, sexual identity or orientation, religious affiliation, or other details considered highly sensitive under GDPR. Others post links to OnlyFans accounts, or work email addresses at sensitive organisations including the military. That’s information intended for contacts, not the entire internet.

Although ethics rules prevented the team from examining individual people, they did perform higher-level analysis… and found some striking things. In particular, they found millions of active registered WhatsApp accounts in countries where the service is banned. Their dataset contained:

• nearly 60 million accounts in Iran before the ban was lifted last Christmas Eve, rising to 67 million afterward
• 2.3 million accounts in China
• 1.6 million in Myanmar
• and even a handful (five) in North Korea

This isn’t Meta’s first time accidentally serving up data on a silver platter. In 2021, 533 million Facebook accounts were publicly leaked after someone scraped them from Facebook’s own contact import feature.

This new project shows how long-lasting the effects of those leaks can be. The researchers at the University of Vienna and SBA Research found that 58% of the phone numbers leaked in the Facebook scrape were still active WhatsApp accounts this year. Unlike passwords, phone numbers rarely change, which makes scraped datasets useful to attackers for a long time.

The researchers argue that with billions of users, WhatsApp now functions much like public communication infrastructure but without anything close to the transparency of regulated telecom networks or open internet standards. They wrote,

“Due to its current position, WhatsApp inherits a responsibility akin to that of a public telecommunication infrastructure or Internet standard (e.g., email). However, in contrast to core Internet protocols which are governed by openly published RFCs and maintained through collaborative standards — this platform does not offer the same level of transparency or verifiability to facilitate third-party scrutiny.”

So what did Meta do? It began implementing stricter rate limits last month, after the researchers disclosed the issues through Meta’s bug bounty program in April.

In a statement to SBA Research, WhatsApp VP Nitin Gupta said the company was “already working on industry-leading anti-scraping systems.” He added that the scraped data was already publicly available elsewhere, and that message content remained safe thanks to end-to-end encryption.

We were fortunate that this dataset ended up in the hands of researchers—but the obvious question is what would have happened if it hadn’t? Or whether they were truly the first to notice? The paper itself highlights that concern, warning:

“The fact that we could obtain this data unhindered allows for the possibility that others may have already done so as well.”

For people living under restrictive regimes, data like this could be genuinely dangerous if misused. And while WhatsApp says it has “no evidence of malicious actors abusing this vector,” absence of evidence is not evidence of absence, especially for scraping activity, which is notoriously hard to detect after the fact.

What can you do to protect yourself?

If someone has already scraped your data, you can’t undo it. But you can reduce what’s visible going forward:

• Avoid putting sensitive details in your WhatsApp “about” section, or in any social network profile.
• Set your profile photo and “about” information to be visible only to your contacts.
• Assume your phone number acts as a long-term identifier. Keep public information linked to it minimal.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

Ahead of the holiday season, people who have bought cheap Amazon Fire TV Sticks or similar devices online should be aware that some of them could let cybercriminals access personal data, bank accounts, and even steal money.

BeStreamWise, a UK initiative established to counter illegal streaming, says the rise of illicit streaming devices preloaded with software that bypasses licensing and offers “free” films, sports, and TV comes with a risk.

Dodgy stick streaming typically involves preloaded or modified devices, frequently Amazon Fire TV Sticks, sold with unauthorized apps that connect to pirated content streams. These apps unlock premium subscription content like films, sports, and TV shows without proper licensing.

The main risks of using dodgy streaming sticks include:

• Legal risks: Mostly for sellers, but in some cases for users too
• Exposure to inappropriate content: Unregulated apps lack parental controls and may expose younger viewers to explicit ads or unsuitable content.
• Growing countermeasures: Companies like Amazon are actively blocking unauthorized apps and updating firmware to prevent illegal streaming. Your access can disappear overnight because it depends on illegal channels.
• Malware: These sticks, and the unofficial apps that run on them, often contain malware—commonly in the form of spyware.

BeStreamWise warns specifically about “modded Amazon Fire TV Sticks.” Reporting around the campaign notes that around two in five illegal streamers have fallen prey to fraud, likely linked to compromised hardware or the risky apps and websites that come with illegal streaming.

According to BeStreamWise, citing Dynata research:

“1 in 3 (32%) people who illegally stream in the UK say they, or someone they know, have been a victim of fraud, scams, or identity theft as a result.”

Victims lost an average of almost £1,700 (about $2,230) each. You could pay for a lot of legitimate streaming services with that. But it’s not just money that’s at stake. In January, The Sun warned all Fire TV Stick owners about an app that was allegedly “stealing identities,” showing how easily unsafe apps can end up on modified devices.

And if it’s not the USB device that steals your data or money, then it might be the website you use to access illegal streams. FACT highlights research from Webroot showing that:

“Of 50 illegal streaming sites analysed, every single one contained some form of malicious content – from sophisticated scams to extreme and explicit content.”

So, from all this we can conclude that illegal streaming is not the victimless crime that many assume it is. It creates victims on all sides: media networks lose revenue and illegal users can lose far more than they bargained for.

How to stay safe

The obvious advice here is to stay away from illegal streaming and be careful about the USB devices you plug into your computer or TV. When you think about it, you’re buying something from someone breaking the law, and hoping they’ll treat your data honestly.

There are a few additional precautions you can take though:

• Disable auto-run or autoplay features on your computer before inserting a USB stick. This stops programs on the USB from launching automatically.
• Mount the USB device in read-only mode if your operating system supports it (especially on Linux). This prevents any unwanted actions.
• Use an up-to-date anti-malware solution to scan the  external drive with a Custom scan. 

If you have already used a USB device or visited a website that you don’t trust:

• Update your anti-malware solution.
• Disconnect from the internet to prevent any further data being sent.
• Run a full system scan for malware.
• Monitor your accounts for unusual activity.
• Change passwords and/or enable multifactor authentication (MFA/2FA) on the important ones.

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Cybercriminals are using browser push notifications to deliver malware and phishing attacks.

Researchers at BlackFog described how a new command-and-control platform, called Matrix Push C2, uses browser push notifications to reach potential victims.

When we warned back in 2019 that browser push notifications were a feature just waiting to be abused, we noted that the Notifications API allows a website or app to send notifications that are displayed outside the page at the system level. This means it lets web apps send information to a user even when they’re idle or running in the background.

Here’s a common example of a browser push notification:

This makes it harder for users to know where the notifications come from. In this case, the responsible app is the browser and users are tricked into allowing them by the usual “notification permission prompt” that you see on almost every other website.

But malicious prompts aren’t always as straightforward as legitimate ones. As we explained in our earlier post, attackers use deceptive designs, like fake video players that claim you must click “Allow” to continue watching.

In reality, clicking “Allow” gives the site permission to send notifications, and often redirects you to more scam pages.

Granting browser push notifications on the wrong website gives attackers the ability to push out fake error messages or security alerts that look frighteningly real. They can make them look as if they came from the operating system (OS) or a trusted software application, including the titles, layout, and icons. There are pre-formatted notifications available for MetaMask, Netflix, Cloudflare, PayPal, TikTok, and more.

Criminals can adjust settings that make their messages appear trustworthy or cause panic. The Command and Control (C2) panel provides the attacker with granular control over how these push notifications appear.

But that’s not all. According to the researchers, this panel provides the attacker with a high level of monitoring:

“One of the most prominent features of Matrix Push C2 is its active clients panel, which gives the attacker detailed information on each victim in real time. As soon as a browser is enlisted (by accepting the push notification subscription), it reports data back to the C2.”

It allows attackers to see which notifications have been shown and which ones victims have interacted with. Overall, this allows them to see which campaigns work best on which users.

Matrix Push C2 also includes shortcut-link management, with a built-in URL shortening service that attackers can use to create custom links for their campaign, leaving users clueless about the true destination. Until they click.

Ultimately, the end goal is often data theft or monetizing access, for example, by draining cryptocurrency wallets, or stealing personal information.

How to find and remove unwanted notification permissions

A general tip that works across most browsers: If a push notification has a gear icon, clicking it will take you to the browser’s notification settings, where you can block the site that sent it. If that doesn’t work or you need more control, check the browser-specific instructions below.

Chrome

To completely turn off notifications, even from extensions:

• Click the three dots button in the upper right-hand corner of the Chrome menu to enter the Settings menu.
• Select Privacy and Security.
• Click Site settings.
• Select Notifications.
• By default, the option is set to Sites can ask to send notifications. Change to Don’t allow sites to send notifications if you want to block everything.

For more granular control, use Customized behaviors.

• Selecting Remove will delete the item from the list. It will ask permission to show notifications again if you visit their site.
• Selecting Block prevents permission prompts entirely, moved them to the block list.

• You can also check Block new requests asking to allow notifications at the bottom.

In the same menu, you can also set listed items to Block or Allow by using the drop-down menu behind each item.

Opera

Opera’s settings are very similar to Chrome’s:

• Open the menu by clicking the O in the upper left-hand corner.
• Go to Settings (on Windows)/Preferences (on Mac).
• Click Advanced, then Privacy & security.
• Under Content settings (desktop)/Site settings (Android) select Notifications.

On desktop, Opera behaves the same as Chrome. On Android, you can remove items individually or in bulk.

Edge

Edge is basically the same as Chrome as well:

• Open Edge and click the three dots (…) in the top-right corner, then select Settings.
• In the left-hand menu, click on Privacy, search, and services.
• Under Sites permissions > All permissions, click on Notifications.
• Turn on Quiet notifications requests to block all new notification requests. 

• Use Customized behaviors for more granular control.

Safari

To disable web push notifications in Safari, go to Safari > Settings > Websites > Notifications in the menu bar, select the website from the list, and change its setting to Deny. To stop all future requests, uncheck the box that says Allow websites to ask for permission to send notifications in the same window. 

For Mac users

1. Go to Safari > Settings > Websites > Notifications.
2. Select a site and change its setting to Deny or Remove.
3. To stop all future prompts, uncheck Allow websites to ask for permission to send notifications.

For iPhone/iPad users

1. Open Settings.
2. Tap Notifications.
3. Scroll to Application Notifications and select Safari.
4. You’ll see a list of sites with permission.
5. Toggle any site to off to block its notifications.

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

Black Friday is supposed to be chaotic, sure, but not this chaotic.

While monitoring malvertising patterns ahead of the holiday rush, I uncovered one of the most widespread and polished Black Friday scam campaigns circulating online right now.

It’s not a niche problem. Our own research shows that 40% of people have been targeted by malvertising, and more than 1 in 10 have fallen victim, a trend that shows up again and again in holiday-season fraud patterns. Read more in our 2025 holiday scam overview.

Through malicious ads hidden on legitimate websites, users are silently redirected into an endless loop of fake “Survey Reward” pages impersonating dozens of major brands.

What looked like a single suspicious redirect quickly turned into something much bigger. One domain led to five more. Five led to twenty. And as the pattern took shape, the scale became impossible to ignore: more than 100 unique domains, all using the same fraud template, each swapping in different branding depending on which company they wanted to impersonate.

This is an industrialized malvertising operation built specifically for the Black Friday window.

The brands being impersonated

The attackers deliberately selected big-name, high-trust brands with strong holiday-season appeal. Across the campaign, I observed impersonations of:

• Walmart
• Home Depot
• Lowe’s
• Louis Vuitton
• CVS Pharmacy
• AARP
• Coca-Cola
• UnitedHealth Group
• Dick’s Sporting Goods
• YETI
• LEGO
• Ulta Beauty
• Tourneau / Bucherer
• McCormick
• Harry & David
• WORX
• Northern Tool
• POP MART
• Lovehoney
• Petco
• Petsmart
• Uncharted Supply Co.
• Starlink (especially the trending Starlink Mini Kit)
• Lululemon / “lalubu”-style athletic apparel imitators

These choices are calculated. If people are shopping for a LEGO Titanic set, a YETI bundle, a Lululemon-style hoodie pack, or the highly hyped Starlink Mini Kit, scammers know exactly what bait will get clicks.

In other words: They weaponize whatever is trending.

How the scam works

1. A malicious ad kicks off an invisible redirect chain

A user clicks a seemingly harmless ad—or in some cases, simply scrolls past it—and is immediately funneled through multiple redirect hops. None of this is visible or obvious. By the time the page settles, the user lands somewhere they never intended to go.

2. A polished “Survey About [Brand]” page appears

Every fake site is built on the same template:

• Brand name and logo at the top
• A fake timestamp (“Survey – November X, 2025 ”)
• A simple, centered reward box
• A countdown timer to create urgency
• A blurred background meant to evoke the brand’s store or product environment

It looks clean, consistent, and surprisingly professional.

3. The reward depends on which brand is being impersonated

Some examples of “rewards” I found in my investigation:

• Starlink Mini Kit
• YETI Ultimate Gear Bundle
• LEGO Falcon Exclusive / Titanic set
• Lululemon-style athletic packs
• McCormick 50-piece spice kit
• Coca-Cola mini-fridge combo
• Petco / Petsmart “Dog Mystery Box”
• Louis Vuitton Horizon suitcase
• Home Depot tool bundles
• AARP health monitoring kit
• WORX cordless blower
• Walmart holiday candy mega-pack

Each reward is desirable, seasonal, realistic, and perfectly aligned with current shopping trends. This is social engineering disguised as a giveaway. I wrote about the psychology behind this sort of scam in my article about Walmart gift card scams.

4. The “survey” primes the victim

The survey questions are generic and identical across all sites. They are there purely to build commitment and make the user feel like they’re earning the reward.

After the survey, the system claims:

• Only 1 reward left
• Offer expires in 6 minutes
• A small processing/shipping fee applies

Scarcity and urgency push fast decisions.

5. The final step: a “shipping fee” checkout

Users are funneled into a credit card form requesting:

• Full name
• Address
• Email
• Phone
• Complete credit card details, including CVV

The shipping fees typically range from $6.99 to $11.94. They’re just low enough to feel harmless, and worth the small spend to win a larger prize.

Some variants add persuasive nudges like:

“Receive $2.41 OFF when paying with Mastercard.”

While it’s a small detail, it mimics many legitimate checkout flows.

Once attackers obtain personal and payment data through these forms, they are free to use it in any way they choose. That might be unauthorized charges, resale, or inclusion in further fraud. The structure and scale of the operation strongly suggest that this data collection is the primary goal.

Why this scam works so well

Several psychological levers converge here:

• People expect unusually good deals on Black Friday
• Big brands lower skepticism
• Timers create urgency
• “Shipping only” sounds risk-free
• Products match current hype cycles
• The templates look modern and legitimate

Unlike the crude, typo-filled phishing of a decade ago, these scams are part of a polished fraud machine built around holiday shopping behavior.

Technical patterns across the scam network

Across investigations, the sites shared:

• Identical HTML and CSS structure
• The same JavaScript countdown logic
• Nearly identical reward descriptions
• Repeated “Out of stock soon / 1 left” mechanics
• Swappable brand banners
• Blurred backgrounds masking reuse
• High-volume domain rotation
• Multi-hop redirects originating from malicious ads

It’s clear these domains come from a single organized operation, not a random assortment of lone scammers.

Final thoughts

Black Friday always brings incredible deals, but it also brings incredible opportunities for scammers. This year’s “free gift” campaign stands out not just for its size, but for its timing, polish, and trend-driven bait.

It exploits, excitement, brand trust, holiday urgency, and the expectation of “too good to be true” deals suddenly becoming true.

Staying cautious and skeptical is the first line of defense against “free reward” scams that only want your shipping details, your identity, and your card information.

And for an added layer of protection against malicious redirects and scam domains like the ones uncovered in this campaign, users can benefit from keeping tools such as Malwarebytes Browser Guard enabled in their browser.

Stay safe out there this holiday season.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Last week on Malwarebytes Labs:

• AI teddy bear for kids responds with sexual content and advice about weapons
• Fake calendar invites are spreading. Here’s how to remove them and prevent more
• Budget Samsung phones shipped with unremovable spyware, say researchers
• What the Flock is happening with license plate readers?
• Holiday scams 2025: These common shopping habits make you the easiest target
• [Correction] Gmail can read your emails and attachments to power “smart features”
• Mac users warned about new DigitStealer information stealer
• Attackers are using “Sneaky 2FA” to create fake sign-in windows that look real
• Sharenting: are you leaving your kids’ digital footprints for scammers to find?
• Chrome zero-day under active attack: visiting the wrong site could hijack your browser
• Thieves order a tasty takeout of names and addresses from DoorDash
• Why it matters when your online order is drop-shipped
• The price of ChatGPT’s erotic chat? $20/month and your identity
• Your coworker is tired of AI “workslop” (Lock and Code S06E23)
• Scammers are sending bogus copyright warnings to steal your X login

Stay safe!

We don’t just report on threats—we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your, and your family’s, personal information by using identity protection.

In testing, FoloToy’s AI teddy bear jumped from friendly chat to sexual topics and unsafe household advice. It shows how easily artificial intelligence can cross serious boundaries. It’s a fair moment to ask whether AI-powered stuffed animals are appropriate for children.

It’s easy to get swept up in the excitement of artificial intelligence, especially when it’s packaged as a plush teddy bear promising

“warmth, fun, and a little extra curiosity.”

But the recent controversy surrounding the Kumma bear is a reminder to slow down and ask harder questions about putting AI into toys for kids.

FoloToy, a Singapore-based toy company, marketed the $99 bear as the ultimate “friend for both kids and adults,” leveraging powerful conversational AI to deliver interactive stories and playful banter. The website described Kumma as intelligent and safe. Behind the scenes, the bear used OpenAI’s language model to generate its conversational responses. Unfortunately, reality didn’t match the sales pitch.

According to a report from the US PIRG Education Fund, Kumma quickly veered into wildly inappropriate territory during researcher tests. Conversations escalated from innocent to sexual within minutes. The bear didn’t just respond to explicit prompts, which would have been more or less understandable. Researchers said it introduced graphic sexual concepts on its own, including BDSM-related topics, explained “knots for beginners,” and referenced roleplay scenarios involving children and adults. In some conversations, Kumma also probed for personal details or offered advice involving dangerous objects in the home.

It’s unclear whether the toy’s supposed safeguards against inappropriate content were missing or simply didn’t work. While children are unlikely to introduce BDSM as a topic to their teddy bear, the researchers warned just how low the bar was for Kumma to cross serious boundaries.

The fallout was swift. FoloToy suspended sales of Kumma and other AI-enabled toys, while OpenAI revoked the developer’s access for policy violations. But as PIRG researchers note, that response was reactive. Plenty of AI toys remain unregulated, and the risks aren’t limited to one product.

Which proves our point: AI does not automatically make something better. When companies rush out “smart” features without real safety checks, the risks fall on the people using them—especially children, who can’t recognize dangerous content when they see it.

Tips for staying safe with AI toys and gadgets

You’ll see “AI-powered” on almost everything right now, but there are ways to make safer choices.

• Always research: Check for third-party safety reviews before buying any AI-enabled product marketed for kids.
• Test first, supervise always: Interact with the device yourself before giving it to children. Monitor usage for odd or risky responses.
• Use parental controls: If available, enable all content filters and privacy protections.
• Report problems: If devices show inappropriate content, report to manufacturers and consumer protection groups.
• Check communications: Find out what the device collects, who it shares data with, and what it uses the information for.

But above all, remember that not all “smart” is safe. Sometimes, plush, simple, and old-fashioned really is better.

AI may be everywhere, but designers and buyers alike need to put safety, privacy, and common sense ahead of the technological wow-factor.

We don’t just report on data privacy—we help you remove your personal information

Cybersecurity risks should never spread beyond a headline. With Malwarebytes Personal Data Remover, you can scan to find out which sites are exposing your personal information, and then delete that sensitive data from the internet.

We’re seeing a surge in phishing calendar invites that users can’t delete, or that keep coming back because they sync across devices. The good news is you can remove them and block future spam by changing a few settings.

Most of these unwanted calendar entries are there for phishing purposes. Most of them warn you about a “impending payment” but the difference is in the subject and the action they want the target to take.

Sometimes they want you to call a number:

And sometimes they invite you to an actual meeting:

We haven’t followed up on these scams, but when attackers want you to call them or join a meeting, the end goal is almost always financial. They might use a tech support scam approach and ask you to install a Remote Monitoring and Management tool, sell you an overpriced product, or simply ask for your banking details.

The sources are usually distributed as email attachments or as download links in messaging apps.

How to remove fake entries from your calendar

This blog focuses on how to remove these unwanted entries. One of the obstacles is that calendars often sync across devices.

Outlook Calendar

If you use Outlook:

• Delete without interacting: Avoid clicking any links or opening attachments in the invite. If available, use the “Do not send a response” option when deleting to prevent confirming that your email is active.
• Block the sender: Right-click the event and select the option to report the sender as junk or spam to help prevent future invites from that email address.
• Adjust calendar settings: Access your Outlook settings and disable the option to automatically add events from email. This setting matters because even if the invite lands in your spam folder, auto-adding invites will still put the event on your calendar.
  
• Report the invite: Report the spam invitation to Microsoft as phishing or junk.
• Verify billing issues through official channels: If you have concerns about your account, go directly to the company’s official website or support, not the information in the invite.

Gmail Calendar

To disable automatic calendar additions:

• Open Google Calendar.
• Click the gear icon and select Settings in the upper right part of the screen.
  
• Under Event settings, change Add invitations to my calendar to either Only if the sender is known or When I respond to the invitation email. (The default setting is From everyone, which will add any invite to your calendar.)
• Uncheck Show events automatically created by Gmail if you want to stop Gmail from adding to your calendar on its own.

Android Calendar

To prevent unknown senders from adding invites:

• Open the Calendar app.
• Tap Menu > Settings.
• Tap General > Adding invitations > Add invitations to my calendar.
• Select Only if the sender is known.

For help reviewing which apps have access to your Android Calendar, refer to the support page.

Mac Calendars

To control how events get added to your Calendar on a Mac:

• Go to Apple menu > System Settings > Privacy & Security.
• Click Calendars.
• Turn calendar access on or off for each app in the list.
• If you allow access, click Options to choose whether the app has full access or can only add events.

iPhone and iPad Calendar

The controls are similar to macOS, but you may also want to remove additional calendars:

• Open Settings.
• Tap Calendar > Accounts > Subscribed Calendars.
• Select any unwanted calendars and tap the Delete Account option.

Additional calendars

Which brings me to my next point. Check both the Outlook Calendar and the mobile Calendar app for Additional Calendars or subscribed URLs and Delete/Unsubscribe. This will stop the attacker from being able to add even more events to your Calendar. And looking in both places will be helpful in case of synchronization issues.

Several victims reported that after removing an event, they just came back. This is almost always due to synchronization. Make sure you remove the unwanted calendar or event everywhere it exists.

Tracking down the source can be tricky, but it may help prevent the next wave of calendar spam.

How to prevent calendar spam

We’ve covered some of this already, but the main precautions are:

• Turn off auto‑add or auto‑processing so invites stay as emails until you accept them.
• Restrict calendar permissions so only trusted people and apps can add events.
• In shared or resource calendars, remove public or anonymous access and limit who can create or edit items.
• Use an up-to-date real-time anti-malware solution with a web protection component to block known malicious domains.
• Don’t engage with unsolicited events. Don’t click links, open attachments, or reply to suspicious calendar events such as “investment,” “invoice,” “bonus payout,” “urgent meeting”—just delete the event.
• Enable multi-factor authentication (MFA) on your accounts so attackers who compromise credentials can’t abuse the account itself to send or auto‑accept invitations.

Pro tip: If you’re not sure whether an event is a scam, you can feed the message to Malwarebytes Scam Guard. It’ll help you decide what to do next.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

A controversy over data-gathering software secretly installed on Samsung phones has erupted again after a new accusatory post appeared on X last week.

In the post on the social media site, cybersecurity newsletter International Cyber Digest warned about a secretive application called AppCloud that Samsung had allegedly put on its phones. The software was, it said,

“unremovable Israeli spyware.”

This all harks back to May, when digital rights group SMEX published an open letter to Samsung. It accused the company of installing AppCloud on its Galaxy A and M series devices, although stopped short of calling it spyware, opting for the slightly more diplomatic “bloatware”.

The application, apparently installed on phones in West Asia and North Africa, did more than just take up storage space, though.According to SMEX, it collected sensitive information, including biometric data and IP addresses.

SMEX’s analysis says the software, developed by Israeli company ironSource, is deeply integrated into the device’s operating system. You need root access to remove it, and doing so voids the warranty.

Samsung has partnered with ironSource since 2022, carrying the its Aura toolkit for telecoms companies and device maker in more than 30 markets, including Europe. The pair expanded the partnership in November 2022—the same month that US company Unity Technologies (that makes the Unity game engine) completed its $4.4bn acquisition of ironSource. That expansion made ironSource

“Samsung’s sole partner on newly released A-series and M-series mobile devices in over 50 markets across MENA – strengthening Aura’s footprint in the region.”

SMEX’s investigation of ironSource’s products points to software called Install Core. It cites our own research of this software, which is touted as an advertising technology platform, but can install other products without the user’s permission.

AppCloud wasn’t listed on the Unity/Ironsource website this February when SMEX wrote its in-depth analysis. It still isn’t. It also doesn’t appear on the phone’s home screen. It runs quietly in the background, meaning there’s no privacy policy to read and no consent screen to click, says SMEX.

Screenshots shared online suggest AppCloud can access network connections, download files at will, and prevent phones from sleeping. However, this does highlight one important aspect of this software: While you might not be able to start it from your home screen or easily remove it, you can disable it in your application list. Be warned, though; it has a habit of popping up again after system updates, say users.

Not Samsung’s first privacy controversy

This isn’t Samsung’s first controversy around user privacy. Back in 2015, it was criticized for warning users that some smart TVs could listen to conversations and share them with third parties.

Neither is it the first time that budget phone users have had to endure pre-installed software that they might not have wanted. In 2020, we reported on malware that was pre-installed on budget phones made available via the US Lifeline program.

In fact, there have been many cases of pre-installed software on phones that are identifiable as either malware or potentially unwanted programs. In 2019, Maddie Stone, a security researcher for Google’s Project Zero, explained how this software makes its way onto phones before they reach the shelves. Sometimes, phone vendors will put malware onto their devices after being told that it’s legitimate software, she warned. This can result in botnets like Chamois, which was built on pre-installed malware purporting to be from an SDK.

One answer to this problem is to buy a higher-end phone, but you shouldn’t have to pay more to get basic privacy. Budget users should expect the same level of privacy as anyone else. We wrote a guide to removing bloatware— it’s from 2017, but the advice is still relevant.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.