Cybercriminals are spoofing “email delivery” notifications to look like they came from spam filters inside your own organization. The goal is to lure you to a phishing site that steals login credentials—credentials that could unlock your email, cloud storage or other personal accounts.

The email claims that, due to an upgrade in the Secure Message system, some pending messages didn’t make it to your inbox and are ready to be moved there now.

“Email Delivery Reports: Incoming Pending Messages

We have recently upgraded our Secure Message system, and there are pending messages that have not been delivered to your Inbox.

Failure Delivery Messages

Email Delivery Reports For  info@seychellesapartment.com

   Status :                         Subject:                      Date:            Time:

{A couple of message titles that are very generic and common as not to raise any suspicion}

Move To Inbox (button)

Note     : The messages will be delivered within 1-2 hours after you receive a confirmation Mail Notice. If this message lands in your spam folder, please move it to your inbox folder

Mail Encrypted by {spoofed domain} © All Rights Reserved. | If you do not wish to receive this message    Unsubscribe. (link)”

Both the “Move to Inbox” button and the unsubscribe link abuse a cbssports[.]com redirect to reach the real phishing site located on the domain mdbgo[.]io, which was blocked by Malwarebytes.

Researchers at Unit42 warned about this type of phishing campaign, so we decided to take a closer look.

The links pass the spoofed email address as a base64-encoded string to the phishing site. Going to that site, we were served this fake login screen with the target’s domain already filled in—making it look personalized and legitimate:

Contrary to Unit42’s findings, we found that this version of the attack is more sophisticated and likely evolving quickly. The phishing site’s code is heavily obfuscated, and credentials are harvested through a websocket.

A websocket keeps an open channel between your browser and the website’s server—like a phone call that never hangs up. This lets the browser and server send messages instantly back and forth, in both directions, without needing to reload the page. Cybercriminals love using websockets because they receive your details the instant you type them into a phishing site, and can even send prompts for additional information, such as two-factor authentication (2FA) codes.

This means that if you enter your email and password on such a site, attackers could instantly take control of your email, access cloud-stored files, reset other passwords, and impersonate you across services.

How to stay safe from phishing emails

In phishing attempts like these, two simple rules can save you from lots of trouble.

• Don’t open unsolicited attachments
• Always check the website address in the browser before signing in. Make sure it matches the site you expect to be on.

Other important tips to stay safe from phishing in general:

• Verify the sender. Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive, but it can help you spot some attempts.
• Double-check requests through another channel if you receive an attachment or a link you weren’t expecting.
• Use up-to-date security software, preferably with a web protection component.
• Keep your device and all its software updated.
• Use multi-factor authentication (MFA) for every account you can.
• Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.

If you already entered credentials on a page you don’t trust, change your passwords immediately.

Pro tip: The free Malwarebytes Browser Guard extension would have stopped this attack as well:

Indicators of Compromise (IOCs)

• several subdomains of mdbgo[.]io
• xxx-three-theta.vercel[.]app
• client1.inftrimool[.]xyz
• psee[.]io
• veluntra-technology-productivity-boost-cold-pine-8f29.ellenplum9.workers[.]dev
• lotusbridge.ru[.]com
• shain-log4rtf.surge[.]sh

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

These updates fix serious security issues — including one that attackers are already exploiting to take control of Windows systems. By chaining it with other attacks, they can gain full admin access, install malware, steal data, or make deeper changes you wouldn’t normally be able to undo. Run Windows Update today, restart your PC, and check you’re up to date.

What’s been fixed

Microsoft releases important security updates on the second Tuesday of every month—known as “Patch Tuesday.” This month’s patches fix critical flaws in Windows 10, Windows 11, Windows Server, Office, and related services.

Particularly noteworthy are some critical Remote Code Execution (RCE) bugs in Microsoft Graphics and Office that can allow attackers to run malicious code just by convincing someone to open a booby-trapped file or document.

A “zero-day” is a software flaw that attackers are already exploiting before a fix is available. The name comes from the fact that defenders have zero days to protect themselves—attackers can strike before patches are released. In this month’s update, Microsoft fixed one such vulnerability: CVE-2025-62215, a Windows Kernel Elevation of Privilege (EoP) flaw.

It lets an attacker who already has local access to a device gain higher, admin-level permissions by exploiting what’s known as a “race condition.” A race condition vulnerability happens when different programs or processes try to use the same resource at the same time without proper coordination. During that brief window of confusion, attackers can slip through and exploit the system.

Attackers need to combine this vulnerability with other attack methods. Once they’ve compromised a system, they use this vulnerability to escalate privileges and gain admin-level rights.

Another critical vulnerability worth noting is CVE-2025-60724, which comes with a CVSS score of 9.8 out of 10. It’s a heap-based buffer overflow in the GDI+ Microsoft Graphics Component, which allows an unauthorized attacker to run malicious code over a network.

A buffer overflow happens when software writes more data to memory than it can handle, potentially overwriting other areas and injecting malicious code. In the case of CVE-2025-60724, Microsoft warns that attackers could exploit the flaw by convincing a victim to download and open a document that contains a specially crafted metafile. In more advanced attacks, the same vulnerability could be triggered remotely by uploading a malicious file to a vulnerable web service.

How to apply fixes and check you’re protected

These updates fix security problems and keep your Windows PC protected. Here’s how to make sure you’re up to date:

1. Open Settings

• Click the Start button (the Windows logo at the bottom left of your screen).
• Click on Settings (it looks like a little gear).

2. Go to Windows Update

• In the Settings window, select Windows Update (usually at the bottom of the menu on the left).

3. Check for Updates

• Click the button that says Check for updates.
• Windows will search for the latest Patch Tuesday updates for November 2025.

If you have selected automatic updates earlier, you may see this:

• Which means all you have to do is restart your system and you’re done updating.
• If not, continue with the below.

4. Download and Install

• If updates are found, they’ll start downloading right away. Once complete, you’ll see a button that says Install or Restart now.
• Click Install if needed and follow any prompts. Your computer will usually need a restart to finish the update. If it does, click Restart now.

5. Double-check you’re up to date

• After restarting, go back to Windows Update and check again. If it says You’re up to date, you’re all set!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Imagine this scenario: Your protection software is running perfectly. Systems are protected, definitions are up to date, behavioral analysis is active. Then, suddenly, files across your network start getting encrypted. Backups are being deleted. Ransom notes appear across your machines. Your security software shows nothing. No alerts, no detections, no blocked processes. How is this possible? 

This isn’t a hypothetical situation. It’s a real attack technique that ransomware operators are actively using to bypass even sophisticated protection systems. The attack exploits a fundamental assumption in how security software operates: that the malicious process and the files being attacked are on the same machine. When that assumption breaks down, traditional defenses fail. 

Malwarebytes ransomware protection works through multiple defensive layers. These include AI-based analysis, machine learning models, signature detection, runtime sandboxing, exploit mitigation, and web protection. Each layer stops threats at different stages. The Anti-Ransomware behavioral layer monitors actual file encryption behavior in real time. Malwarebytes continuously enhances all layers of its defense.  

This article discusses a recent innovation in our Anti-Ransomware behavioral monitoring technology. The result is a comprehensive enhancement incorporating innovations in file monitoring, network session tracking, behavioral analysis, and real-time threat correlation. 

Why traditional protection fails 

To understand why a ransomware attack over a network is so effective, we need to understand how this technology typically works. The Anti-Ransomware component sits between applications and the file system, allowing it to see every file operation before it completes. 

When a process tries to open, read, or write a file, specialized callbacks are triggered. Think of these as security checkpoints where the security driver can inspect what’s happening and decide whether to allow the operation. The software looks at patterns: Is this process rapidly encrypting many files? Is it adding suspicious extensions? Is it attempting to delete backup Copies? These behavioral indicators, when combined, signal ransomware. 

This architecture works brilliantly when the ransomware process and the files being encrypted are on the same machine. The driver sees the process, tracks its behavior over time, builds a threat profile, and can block it before significant damage occurs. 

But what happens when ransomware runs on one device and attacks files on another? For example, an attacker compromises an unprotected device, a legacy device without current protection or an unmanaged guest device, and uses it to encrypt files on protected systems through network shares. Your machine doesn’t see any suspicious programs running. It just looks like someone is accessing files over the network, which happens all the time. 

This creates a perfect hiding spot for ransomware. On the attacking device, there might be no security software installed. On your main PC where files are being encrypted, the security software sees files changing but can’t tell which program is causing it. The connection between the malicious program and your files is hidden. 

Multiple ransomware variants have adopted this technique. They use specific commands to target network folders and shared drives. These aren’t random attacks. They’re carefully designed to bypass security software through remote encryption 

These aren’t opportunistic attacks. They’re carefully engineered for bypassing traditional anti-ransomware protection through remote encryption. 

Two-part protection architecture 

Solving this problem required addressing two distinct attack vectors. Part 1 involves a local process attacking remote files, while Part 2 involves a remote process attacking local files. Each required different technical approaches. 

Part 1: Detecting local to remote attacks 

When a program tries to access files on your network or shared folders, Malwarebytes checks if it’s behaving suspiciously. If the program is rapidly changing many files and creating ransom notes, the system builds a threat score in real time. 

The key innovation is that Malwarebytes tracks local and network activity separately. A program might be safely working with files on your computer while attacking files on another device through the network. By monitoring both, we can catch ransomware without false alarms. When Malwarebytes detects ransomware behavior, it blocks the malicious program immediately, stopping the attack before your files are encrypted. 

Part 2: Detecting remote to local attacks 

The second challenge is harder: what if the ransomware is running on another device and attacking your files remotely? There’s no malicious program on your computer to block. 

Our solution tracks network connections. When files are accessed from another device on your network, Windows keeps information about which device is connecting. Malwarebytes captures this information and watches for suspicious behavior, like rapidly changing many files, adding suspicious file extensions, or creating ransom notes. When we detect an attack coming from another device, we block that specific connection from accessing your files. 

Innovation in ransomware protection 

Our implementation operates through our specialized components. This architecture is essential for both performance and security. Every file operation goes through our filter, so we need to process decisions in microseconds to avoid impacting system responsiveness. 

We implemented multiple optimization layers. First, we filter out file operations that categorically cannot be ransomware related. Opening a file for read only access is not a threat, so we skip detailed analysis. Operations that only query metadata happen constantly in Windows and can be safely ignored for ransomware detection purposes. 

For operations that require analysis, we implemented a sophisticated indicator time-to-live (TTL) system. Behavioral indicators decay over time. This prevents false positives from legitimate activities like file synchronization tools or backup software. 

The network session tracking component required deep integration with Windows networking. We extract session information by accessing internal structures that Windows uses for network file serving. Our exclusion system supports IPv4, IPv6, hostnames, and CIDR notation for network ranges. 

What makes this protection different 

Several factors distinguish the Malwarebytes approach from other solutions.

The first is comprehensiveness. Many security vendors address this partially. Remote processes attacking local files or where local processes attack remote files. An attacker who compromises a single endpoint can still encrypt the shared resources. Malwarebytes protects against both vectors. 

Second is precision. Many solutions block entire network connections or lock accounts when they detect threats. Malwarebytes is more precise. We block only the specific malicious connection. Other activities from the same device continue working normally. Only the ransomware’s access is stopped. 

Third is performance. Malwarebytes runs efficiently without slowing down your computer. 

Fourth is proven protection. This technology has been tested and deployed across many different business and home networks. It is proven to work in real world situations. 

The broader implications 

This protection does more than just stop one type of ransomware attack. It represents a new way of thinking about network-aware security. The old approach treated each device separately, but that doesn’t work when attackers use network connections to spread threats. Security solutions need to understand that attacks can come from any device on the network and target any accessible files. 

The technology we’ve built can do more than stop ransomware. The same system that tracks network connections and monitors suspicious behavior can help detect other threats, like someone trying to steal your data or access files they shouldn’t have permission to view. 

Attackers will keep evolving their methods. The attacks we’re seeing now will become more sophisticated. They might try to disguise themselves as normal computer maintenance or file management. Our protection is designed to adapt. Because it watches for suspicious patterns of behavior rather than looking for specific known attacks, it can detect new variations without needing constant updates. 

Ransomware keeps evolving, and attackers constantly find new ways to bypass security. Malwarebytes is committed to staying ahead with real innovation. This enhancement closes a critical gap that many security programs don’t address until it’s too late. 

If you’re choosing security software or reviewing your current protection, ask yourself: Does it protect against ransomware that spreads through network shares? This is becoming increasingly important as more ransomware attacks use this technique. 

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured it was worth writing up—precisely because it’s so easy to follow what they’re up to.

The email is direct and to the point. Not a lot of social engineering happening here.

“Dear ,

Pls kindly find the attached PO please send us PI once its available.”

The sender’s address belongs to a Czechoslovakian printing service (likely compromised), and the name and phone number are fake. The target is in Taiwan.

The attached .shtml file is a tidy fake login screen that doesn’t really specify which credentials they want:

The pre-filled email address in the screenshot is a fake one I added; normally it would be the target’s email.

We assume the phisher welcomes any credentials entered here, and are counting on the fact that most people reuse passwords on other sites.

Under the hood, the functionality of this attachment lies in this piece of JavaScript.

It starts with simple checks to make sure all the fields are filled out and long enough before declaring the Telegram bot that will receive the login details.

Using Telegram bots provides the phishers with several advantages:

• Stolen credentials are delivered instantly to the attacker via Telegram notifications. No need for the phisher to keep checking a database or inbox.
• Telegram is a legitimate, globally distributed messaging service, making it difficult to block.
• There’s no exposed web server or obvious phishing “drop site” that can be blocklisted or shut down.

The last line contains a credibility trick:

setTimeout(() => {window.location.assign("file:///C:/Users/USER/Downloads/Invoice_FAC_0031.pdf")}, 2000);

This tries to open a file on the user’s computer after waiting 2 seconds (2,000 milliseconds). Since this file almost certainly doesn’t exist, the browser will either block the action (especially from an email or non-local file) or show an error. Either way, it will make the login attempt look more legitimate and take the user’s mind off the fact that they just sent their credentials who knows where.

That’s really all there is to it, except for a bit of code that the dungeon-dweller forgot to remove during their copy-and-paste coding. Or they had no idea what it was for and left it in place for fear of breaking something.

I suspect the attacker originally used this code to encrypt the credentials with a hardcoded AES (Advanced Encryption Standard) key and injection vector, then send them to their server.

This attacker replaced that method with the simpler Telegram bot approach (much easier to use), but left the decryption stub because they were afraid removing it would break something.

Don’t fall for phishing attempts

Even though the sophistication level of this email was low, that does not reduce the possible impact of sending the attacker your credentials.

In phishing attempts like these, two simple rules can save you from lots of trouble.

• Don’t open unsolicited attachments
• Check if the website address in the browser matches the domain you expect to be on (e.g. adobe.com).

Other important tips to stay safe from phishing in general:

• Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
• Check through an independent channel if the sender actually sent you an attachment or a link.
• Use up-to-date security software, preferably with a web protection component.
• Keep your device and all its software updated.
• Use multi-factor authentication for every account you can.
• Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.

If you already entered credentials on a page you don’t trust, change your passwords immediately.

Pro tip: You can also upload screenshots of suspicious emails to Malwarebytes Scam Guard. It would have recognized this one as a phishing attempt.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

A critical vulnerability has put Samsung mobile device owners at risk of sophisticated cyberattacks. On November 10, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability, tracked as CVE-2025-21042, to its Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog lists vulnerabilities that are known to be exploited in the wild and sets patch deadlines for Federal Civilian Executive Branch (FCEB) agencies.

So, for many cybersecurity professionals, CISA adding this vulnerability to the list signals both urgency and confirmation of active, real-world exploitation.

CVE-2025-21042 was reportedly exploited as a remote code execution (RCE) zero-day to deploy LANDFALL spyware on Galaxy devices in the Middle East. But once that happens, other criminals tend to quickly follow with similar attacks.

The flaw itself is an out-of-bounds write vulnerability in Samsung’s image processing library. These vulnerabilities let attackers overwrite memory beyond what is intended, often leading to memory corruption, unauthorized code execution, and, as in this case, device takeover. CVE-2025-21042 allows remote attackers to execute arbitrary code—potentially gaining complete control over the victim’s phone—without user interaction. No clicks required. No warning given.

Samsung patched this issue in April 2025, but CISA’s recent warning highlights that exploits have been active in the wild for months, with attackers outpacing defenders in some cases. The stakes are high: data theft, surveillance, and compromised mobile devices being used as footholds for broader enterprise attacks.​

The exploitation playbook is as clever as it is dangerous. According to research from Unit 42, criminals (likely private-sector offensive actors operating out of the Middle East) weaponized the vulnerability to deliver LANDFALL spyware through malformed Digital Negative (DNG) image files sent via WhatsApp. DNG is an open and lossless RAW image format developed by Adobe and used by digital photographers to store uncompressed sensor data.

The attack chain works like this:

• The victim receives a booby-trapped DNG photo file.
• The file, armed with ZIP archive payloads and tailored exploit code, triggers the vulnerability in Samsung’s image codec library.
• This is a “zero-click” attack: the user doesn’t have to tap, open, or execute anything. Just processing the image is enough to compromise the device.

It’s important to know that Samsung addressed another image-library flaw, CVE-2025-21043, in September 2025, showing a growing trend: image processing flaws are becoming a favorite entry point for both espionage and cybercrime.

What should users and businesses do?

Our advice to stay safe from this type of attack is simple:

• Patch immediately. If you haven’t updated your Samsung device since April, do so. FCEB organizations have until December 1, 2025, to comply with CISA’s operational directive.
• Be wary of unsolicited messages and files, especially images received over messaging apps.
• Download apps only from trusted sources and avoid sideloading files.
• Use up-to-date real-time anti-malware solution for your devices.

Zero-days targeting mobile devices are becoming frighteningly common, but the risk can be lowered with urgent patching, awareness, and solid security controls. As LANDFALL shows, the most dangerous attacks today are often the quietest—no user action required and no obvious signs until it’s too late.

Device models targeted by LANDFALL:

Galaxy S23 Series

Galaxy S24 Series

Galaxy Z Fold4

Galaxy S22

Galaxy Z Flip4

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

One of the reassuring things about owning an iPhone was knowing you could lock it if it got lost or stolen. Without your passcode, fingerprint or face to unlock it, it would be useless to anyone else.

Now, though, some phone thieves have found a workaround, not by breaking Apple’s security, but by tricking owners into giving them the keys.

The Swiss National Cyber Security Centre (NCSC) has issued a warning about phishing scams targeting iPhone owners who’ve lost their devices.

Phishing for Apple ID credentials

When you report an iPhone as lost in Apple’s Find My app, you can set a custom lock-screen message that appears on the missing device. Many people include an email address or phone number in that message so a helpful stranger can contact them if the phone turns up.

Unfortunately, that’s the very information scammers use to reach you. A thief (or anyone who now has the phone) can see that contact detail on the screen and send you a convincing message—usually by text, iMessage, or email—claiming to have found your device.

The scam messages often include details copied from the phone itself, such as its model and color, to make it sound authentic. It also includes a link to a fake website that mimics the Find My service that Apple operates to locate lost devices. The site will ask for the victim’s Apple ID credentials.

If the victim takes the bait, the thief can use those credentials to gain full access to the phone. That enables them to wipe it, returning it to factory settings for resale.

Although the NCSC didn’t say so, an enterprising thief could get up to all kinds of other shenanigans. They might reset the user’s Apple ID to lock them out—even on a replacement device, access their photos (yes, including any risqué ones), read their emails and nose through their apps. In short, it would give them carte blanche to your digital life.

These attacks don’t have to happen immediately. The perpetrators might text months after the device has been lost, when victims might have moved on and lowered their guard.

The good news… and the bad

The warning is both good and bad news. It’s good news because it shows that criminals are apparently unable to bypass Apple’s Activation Lock protection through technical means. The Activation Lock, turned on when you activate Find My, registers a device ID on Apple’s activation servers. Even if the criminals reset your device, the activation lock will still be there. Only someone with the user’s Apple ID credentials can unlock it. It’s a version of something called Factory Reset Protection (FRP) that the US mandated under the US Smart Phone Theft Prevention Act of 2015. Android phones have similar lock functionality.

The warning is bad news because phone owners are human, and humans are often the easiest security system to defeat. Phishing schemes that target phone theft victims are big business. Back in 2017, security reporter Brian Krebs documented “phishing as a service” platforms that did it at scale, on a subscription basis. Vice found toolkits like ProKit for phishing to unlock phones on sale for around $75.

We’ve already written about how the phone theft industry operates. Police in the UK recently uncovered a network stealing up to 40,000 phones per year. Most were shipped overseas to countries including China, where they would be used as profitably as possible. Locked phones might be broken up for parts, but a phone restored to factory settings that can be activated from scratch is far more valuable.

What to do if your iPhone is stolen

Ignore any messages from “Apple” claiming your lost phone has been found. The NCSC says Apple will never text or email customers about a recovered device.

If you lose your phone, turn on Lost Mode right away in Find My to lock it and display your contact message. Use a different contact number or email (not the one linked to your Apple ID or main phone) so scammers can’t use that information to target you.

Protect your SIM, too: enable PIN protection immediately, and ask your carrier to block or replace the SIM if the phone has been stolen.

We can’t easily stop thieves stealing people’s phones, or control who sees our phones after they leave our hands. But a little forethought now can help you to stop criminals from accessing your digital life or selling your phone on in its current form if it does enter the underground supply chain.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Researchers at Zimperium identified Fantasy Hub, a new Android spyware developed and sold as a subscription on Russian-language cybercrime forums.

Malware-as-a-Service (MaaS) means cybercriminals rent out to malware to other criminals, complete with the infrastructure necessary to harvest and abuse stolen information. Usually, it’s up to the buyer to spread the malware, but Fantasy Hub goes a step further—it comes with full documentation, video tutorials, and a subscription model that makes it easy for even inexperienced attackers to use. Its creators provide step-by-step guides to create fake Google Play pages that imitate apps like Telegram or online banking portals, complete with realistic reviews. It’s a Remote Access Trojan (RAT) that anyone can distribute.

Distribution relies heavily on social engineering and phishing. Attackers use Fantasy Hub’s templates and tools to set up convincing fake app pages, tricking users into downloading the malicious software. A “dropper” option even lets buyers upload any Android app APK and get back a modified version with Fantasy Hub added.

These counterfeit apps look legitimate, and often request only a single permission: SMS access. But that permission unlocks much more. The SMS handler role bundles multiple powerful permissions: contacts, camera, and file access into a single authorization step, unlocking extensive control over the device’s messaging, contacts, and camera functions. Fantasy Hub is designed to bypass standard security checks and can remain concealed, making detection difficult for users.

What can it do?

Once installed, Fantasy Hub can steal SMS messages, call logs, contacts, photos, and videos. It can also intercept, reply to, and delete notifications. More dangerously, it can initiate live audio and video streams using the device’s camera and microphone without the user’s consent. It’s been found in imitation banking apps, displaying fake windows to harvest user credentials such as usernames, PINs, and passwords. As part of the handy pack provided by Fantasy Hub’s creators, attackers are given tools to tailor these phishing windows for almost any banking app they wish to target.

While individuals at at risk from this malware, the threat extends to organizations that use Bring Your Own Device (BYOD) policies or rely on mobile banking and work apps. A single infected phone could expose company data or communications.

How to stay protected

Fantasy Hub shows how easily cybercriminals can now buy and run complex spyware. But a few simple habits can help you stay safe:

• Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
• Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware as Android/Trojan.Spy.ACRF949851CC4.
• Scrutinize permissions. Does it really need the permissions it’s requesting to do the job you want it to do? Especially if it asks for SMS or camera access.
• Unsolicited communications. Stay wary of messages, emails, or links urging you to “update” or install outside the official app stores.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

You’ve probably seen it before—a bright, urgent message claiming you’ve qualified for a $750 or $1000 Walmart gift card. All you have to do is answer a few questions. It looks harmless enough. But once you click, you find yourself in a maze of surveys, redirects, and “partner offers”—without ever actually reaching the end and claiming your prize.

This so-called “survey” is part of a lead-generation and affiliate marketing scam, designed not to reward you but to harvest your data and push you through ad funnels that make money for others, at the cost of your privacy.

What’s really going on?

It’s a scam because these pages rarely deliver any real gift card. What they’re after is your personal data.

As you move through each step, you’re asked for details like your name, email, phone number, ZIP code and even your home address. In some cases, you’re prompted to share interests such as home repair, debt help, or insurance quotes—each answer helps categorize you for targeted marketing.

Even if the page itself doesn’t steal money, that information is still valuable. It can be used to target you with more ads and offers, add you to marketing lists, or personalize follow-up contact. In other words, completing the questionnaire hands over data that can be exploited for profit—even when no gift card ever appears.

In some cases, the funnel gets even more specific. For example, if the survey asks you about home projects and you say you’re planning to replace your windows, you might be redirected to what looks like a legitimate home improvement site—often just another form asking for the same details again. The whole thing is designed to keep you filling out more forms, giving up more of your data, to more websites and affiliates.

These scams don’t aren’t just annoying time-wasters. They are harvesting your data, eroding your privacy and exposing you to wider risks. Once your details are shared, they can travel far beyond that fake survey.

Your information may:

• Be resold to advertisers and data brokers, who build detailed profiles about your habits, spending, and location.
• Lead to a surge of spam calls, texts, and phishing emails tailored to your interests.
• Feed more convincing scams down the line, since criminals can now personalize their lures using real information about you.
• End up on unregulated marketing lists that circulate for years, keeping your data in play long after you’ve closed the page.

That’s the hidden cost of a “free” gift card: each click fuels a network that profits from your identity, not your participation.

Why do people fall for it?

The hook is simple—free money and easy participation. But this fake Walmart promotion taps into three powerful psychological triggers:

1. The sense of luck: “You’ve been selected!” sounds personal and special.
2. The promise of low effort: Answering a few questions feels harmless.
3. The illusion of credibility: Walmart’s branding lends legitimacy.

These scams spread mainly through advertising and malvertising networks—pop-ups, spam emails, social media ads, or sketchy website banners that imitate real promotions.

You might spot them alongside news articles or as “sponsored links” that sound too good to be true. Some appear via push notifications or redirects, whisking you from a real website to a fake reward page in seconds.

The designs often use official logos, countdown timers, and congratulatory language to make them look like authentic brand campaigns—tricking people into lowering their guard.

It’s an easy mental shortcut: “If this was fake, it wouldn’t look so professional.” That’s what these scammers count on—the appearance of legitimacy mixed with urgency and reward.

How to protect yourself

These gift card offers aren’t just harmless internet fluff—they’re the front door to a sprawling network of data collection and affiliate profiteering. Each click, form, and redirect is designed to extract value from your attention and information, not to reward you.

Recognizing these scams early is the best defense. Here’s how to stay safe:

1. Be suspicious of online surveys promising big rewards. Legitimate promotions from major retailers rarely require long questionnaires or partner offers.
2. Never give personal information to unknown pages. If a site asks for your phone number or address for a “free prize,” it’s a red flag.
3. Use browser protection tools. Extensions like Malwarebytes Browser Guard can block known scam domains and malvertising networks before they load.
4. Check the URL carefully. Real Walmart promotions will always come from official domains (like walmart.com or survey.walmart.com), not random URLs with extra words or numbers.
5. Stay alert and skeptical. Online quizzes and reward offers are a favorite bait for scammers. When in doubt – close the tab.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Last week on Malwarebytes Labs:

• Malwarebytes scores 100% in AV-Comparatives Stalkerware Test 2025
• Fake CAPTCHA sites now have tutorial videos to help victims install malware
• Hackers commit highway robbery, stealing cargo and goods
• Android malware steals your card details and PIN to make instant ATM withdrawals
• Take control of your privacy with updates on Malwarebytes for Windows
• Cyberattacks on UK water systems reveal rising risks to critical infrastructure
• Should you let Chrome store your driver’s license and passport?
• Apple patches 50 security flaws—update now
• “Sneaky” new Android malware takes over your phone, hiding in fake news and ID apps
• Sling TV turned privacy into a game you weren’t meant to win
• Attack of the clones: Fake ChatGPT apps are everywhere
• Would you sext ChatGPT? (Lock and Code S06E22)
• Malwarebytes aces PCMag Readers’ Choice Awards and AVLab Cybersecurity Foundation tests

On the ThreatDown blog:

• Inside EDR-Freeze: How ThreatDown stops the attack before it spreads

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

The AV-Comparatives Stalkerware Test 2025 delivers a sobering look at the evolving threat posed by stalkerware on mobile devices. Despite measures from both the tech industry and platform providers, stalkerware-type apps, which are apps that can be installed covertly to spy on a victim’s private life, remain a critical concern.

This comprehensive assessment, developed in collaboration with Electronic Frontier Foundation (EFF), evaluated 13 leading Android security solutions against 17 diverse stalkerware-type apps. Key findings show that stalkerware persists even as providers and coalitions crack down: it’s sideloaded from developer websites, designed to evade detection, and frequently stores sensitive victim data on insecure servers, often exposing it to wider risks like public data leaks.

For this test, each security app was assessed for its ability to clearly detect and report stalkerware, not just using generic labels, but with explicit warnings tailored to support possible victims.

AV-Comparatives is an independent organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises.

Of the 13 security products tested in September 2025, only a few stood out for detection accuracy, clarity, and responsible alerting, with Malwarebytes the only one to score a 100% detection rate.

From the report:

The results show clear differences in performance between mobile security products. Malwarebytes stood out by detecting all stalkerware testcases, achieving a 100% detection rate. 

It went on to say:

Bitdefender, ESET, Kaspersky, and McAfee followed closely with 94% each, showing consistently high effectiveness. Avast, Avira, and F-Secure also performed well, identifying 88% of the test set, while Norton and Sophos achieved moderate coverage, detecting around 82%. At the lower end, G Data (65%), Google (53%), and Trend Micro (59%) missed a substantial portion of the stalkerware.

Why it matters to Malwarebytes

As one of the founding members of the Coalition Against Stalkerware, Malwarebytes sees this result as much more than a technical win. For us, the mission goes beyond simply blocking malicious software. Stalkerware-type apps are often used by abusers to systematically invade privacy and exert control. Their impact is highly personal, making reliable detection and safe reporting imperative.

Our participation in the coalition reflects a commitment to industry best practices: preventing stalkerware-type apps from being quietly installed, giving users detailed and honest threat information, and ensuring that every detection alert is crafted with survivor safety in mind. Scoring 100% in this test validates years of advocacy and development focused on the real-world needs of victims and their supporters, which goes beyond focusing on theoretical malware samples.

Ultimately, consistent leadership in stalkerware detection means standing alongside partners and survivor organizations to raise public awareness, drive safer technology, and provide every user with a clear path to reclaim their privacy. For Malwarebytes, achieving a perfect score isn’t just a mark of product quality; it’s proof of our commitment to your privacy and security.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.