Imagine this scenario: Your protection software is running perfectly. Systems are protected, definitions are up to date, behavioral analysis is active. Then, suddenly, files across your network start getting encrypted. Backups are being deleted. Ransom notes appear across your machines. Your security software shows nothing. No alerts, no detections, no blocked processes. How is this possible? 

This isn’t a hypothetical situation. It’s a real attack technique that ransomware operators are actively using to bypass even sophisticated protection systems. The attack exploits a fundamental assumption in how security software operates: that the malicious process and the files being attacked are on the same machine. When that assumption breaks down, traditional defenses fail. 

Malwarebytes ransomware protection works through multiple defensive layers. These include AI-based analysis, machine learning models, signature detection, runtime sandboxing, exploit mitigation, and web protection. Each layer stops threats at different stages. The Anti-Ransomware behavioral layer monitors actual file encryption behavior in real time. Malwarebytes continuously enhances all layers of its defense.  

This article discusses a recent innovation in our Anti-Ransomware behavioral monitoring technology. The result is a comprehensive enhancement incorporating innovations in file monitoring, network session tracking, behavioral analysis, and real-time threat correlation. 

Why traditional protection fails 

To understand why a ransomware attack over a network is so effective, we need to understand how this technology typically works. The Anti-Ransomware component sits between applications and the file system, allowing it to see every file operation before it completes. 

When a process tries to open, read, or write a file, specialized callbacks are triggered. Think of these as security checkpoints where the security driver can inspect what’s happening and decide whether to allow the operation. The software looks at patterns: Is this process rapidly encrypting many files? Is it adding suspicious extensions? Is it attempting to delete backup Copies? These behavioral indicators, when combined, signal ransomware. 

This architecture works brilliantly when the ransomware process and the files being encrypted are on the same machine. The driver sees the process, tracks its behavior over time, builds a threat profile, and can block it before significant damage occurs. 

But what happens when ransomware runs on one device and attacks files on another? For example, an attacker compromises an unprotected device, a legacy device without current protection or an unmanaged guest device, and uses it to encrypt files on protected systems through network shares. Your machine doesn’t see any suspicious programs running. It just looks like someone is accessing files over the network, which happens all the time. 

This creates a perfect hiding spot for ransomware. On the attacking device, there might be no security software installed. On your main PC where files are being encrypted, the security software sees files changing but can’t tell which program is causing it. The connection between the malicious program and your files is hidden. 

Multiple ransomware variants have adopted this technique. They use specific commands to target network folders and shared drives. These aren’t random attacks. They’re carefully designed to bypass security software through remote encryption 

These aren’t opportunistic attacks. They’re carefully engineered for bypassing traditional anti-ransomware protection through remote encryption. 

Two-part protection architecture 

Solving this problem required addressing two distinct attack vectors. Part 1 involves a local process attacking remote files, while Part 2 involves a remote process attacking local files. Each required different technical approaches. 

Part 1: Detecting local to remote attacks 

When a program tries to access files on your network or shared folders, Malwarebytes checks if it’s behaving suspiciously. If the program is rapidly changing many files and creating ransom notes, the system builds a threat score in real time. 

The key innovation is that Malwarebytes tracks local and network activity separately. A program might be safely working with files on your computer while attacking files on another device through the network. By monitoring both, we can catch ransomware without false alarms. When Malwarebytes detects ransomware behavior, it blocks the malicious program immediately, stopping the attack before your files are encrypted. 

Part 2: Detecting remote to local attacks 

The second challenge is harder: what if the ransomware is running on another device and attacking your files remotely? There’s no malicious program on your computer to block. 

Our solution tracks network connections. When files are accessed from another device on your network, Windows keeps information about which device is connecting. Malwarebytes captures this information and watches for suspicious behavior, like rapidly changing many files, adding suspicious file extensions, or creating ransom notes. When we detect an attack coming from another device, we block that specific connection from accessing your files. 

Innovation in ransomware protection 

Our implementation operates through our specialized components. This architecture is essential for both performance and security. Every file operation goes through our filter, so we need to process decisions in microseconds to avoid impacting system responsiveness. 

We implemented multiple optimization layers. First, we filter out file operations that categorically cannot be ransomware related. Opening a file for read only access is not a threat, so we skip detailed analysis. Operations that only query metadata happen constantly in Windows and can be safely ignored for ransomware detection purposes. 

For operations that require analysis, we implemented a sophisticated indicator time-to-live (TTL) system. Behavioral indicators decay over time. This prevents false positives from legitimate activities like file synchronization tools or backup software. 

The network session tracking component required deep integration with Windows networking. We extract session information by accessing internal structures that Windows uses for network file serving. Our exclusion system supports IPv4, IPv6, hostnames, and CIDR notation for network ranges. 

What makes this protection different 

Several factors distinguish the Malwarebytes approach from other solutions.

The first is comprehensiveness. Many security vendors address this partially. Remote processes attacking local files or where local processes attack remote files. An attacker who compromises a single endpoint can still encrypt the shared resources. Malwarebytes protects against both vectors. 

Second is precision. Many solutions block entire network connections or lock accounts when they detect threats. Malwarebytes is more precise. We block only the specific malicious connection. Other activities from the same device continue working normally. Only the ransomware’s access is stopped. 

Third is performance. Malwarebytes runs efficiently without slowing down your computer. 

Fourth is proven protection. This technology has been tested and deployed across many different business and home networks. It is proven to work in real world situations. 

The broader implications 

This protection does more than just stop one type of ransomware attack. It represents a new way of thinking about network-aware security. The old approach treated each device separately, but that doesn’t work when attackers use network connections to spread threats. Security solutions need to understand that attacks can come from any device on the network and target any accessible files. 

The technology we’ve built can do more than stop ransomware. The same system that tracks network connections and monitors suspicious behavior can help detect other threats, like someone trying to steal your data or access files they shouldn’t have permission to view. 

Attackers will keep evolving their methods. The attacks we’re seeing now will become more sophisticated. They might try to disguise themselves as normal computer maintenance or file management. Our protection is designed to adapt. Because it watches for suspicious patterns of behavior rather than looking for specific known attacks, it can detect new variations without needing constant updates. 

Ransomware keeps evolving, and attackers constantly find new ways to bypass security. Malwarebytes is committed to staying ahead with real innovation. This enhancement closes a critical gap that many security programs don’t address until it’s too late. 

If you’re choosing security software or reviewing your current protection, ask yourself: Does it protect against ransomware that spreads through network shares? This is becoming increasingly important as more ransomware attacks use this technique. 

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured it was worth writing up—precisely because it’s so easy to follow what they’re up to.

The email is direct and to the point. Not a lot of social engineering happening here.

“Dear ,

Pls kindly find the attached PO please send us PI once its available.”

The sender’s address belongs to a Czechoslovakian printing service (likely compromised), and the name and phone number are fake. The target is in Taiwan.

The attached .shtml file is a tidy fake login screen that doesn’t really specify which credentials they want:

The pre-filled email address in the screenshot is a fake one I added; normally it would be the target’s email.

We assume the phisher welcomes any credentials entered here, and are counting on the fact that most people reuse passwords on other sites.

Under the hood, the functionality of this attachment lies in this piece of JavaScript.

It starts with simple checks to make sure all the fields are filled out and long enough before declaring the Telegram bot that will receive the login details.

Using Telegram bots provides the phishers with several advantages:

• Stolen credentials are delivered instantly to the attacker via Telegram notifications. No need for the phisher to keep checking a database or inbox.
• Telegram is a legitimate, globally distributed messaging service, making it difficult to block.
• There’s no exposed web server or obvious phishing “drop site” that can be blocklisted or shut down.

The last line contains a credibility trick:

setTimeout(() => {window.location.assign("file:///C:/Users/USER/Downloads/Invoice_FAC_0031.pdf")}, 2000);

This tries to open a file on the user’s computer after waiting 2 seconds (2,000 milliseconds). Since this file almost certainly doesn’t exist, the browser will either block the action (especially from an email or non-local file) or show an error. Either way, it will make the login attempt look more legitimate and take the user’s mind off the fact that they just sent their credentials who knows where.

That’s really all there is to it, except for a bit of code that the dungeon-dweller forgot to remove during their copy-and-paste coding. Or they had no idea what it was for and left it in place for fear of breaking something.

I suspect the attacker originally used this code to encrypt the credentials with a hardcoded AES (Advanced Encryption Standard) key and injection vector, then send them to their server.

This attacker replaced that method with the simpler Telegram bot approach (much easier to use), but left the decryption stub because they were afraid removing it would break something.

Don’t fall for phishing attempts

Even though the sophistication level of this email was low, that does not reduce the possible impact of sending the attacker your credentials.

In phishing attempts like these, two simple rules can save you from lots of trouble.

• Don’t open unsolicited attachments
• Check if the website address in the browser matches the domain you expect to be on (e.g. adobe.com).

Other important tips to stay safe from phishing in general:

• Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
• Check through an independent channel if the sender actually sent you an attachment or a link.
• Use up-to-date security software, preferably with a web protection component.
• Keep your device and all its software updated.
• Use multi-factor authentication for every account you can.
• Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.

If you already entered credentials on a page you don’t trust, change your passwords immediately.

Pro tip: You can also upload screenshots of suspicious emails to Malwarebytes Scam Guard. It would have recognized this one as a phishing attempt.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

A critical vulnerability has put Samsung mobile device owners at risk of sophisticated cyberattacks. On November 10, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability, tracked as CVE-2025-21042, to its Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog lists vulnerabilities that are known to be exploited in the wild and sets patch deadlines for Federal Civilian Executive Branch (FCEB) agencies.

So, for many cybersecurity professionals, CISA adding this vulnerability to the list signals both urgency and confirmation of active, real-world exploitation.

CVE-2025-21042 was reportedly exploited as a remote code execution (RCE) zero-day to deploy LANDFALL spyware on Galaxy devices in the Middle East. But once that happens, other criminals tend to quickly follow with similar attacks.

The flaw itself is an out-of-bounds write vulnerability in Samsung’s image processing library. These vulnerabilities let attackers overwrite memory beyond what is intended, often leading to memory corruption, unauthorized code execution, and, as in this case, device takeover. CVE-2025-21042 allows remote attackers to execute arbitrary code—potentially gaining complete control over the victim’s phone—without user interaction. No clicks required. No warning given.

Samsung patched this issue in April 2025, but CISA’s recent warning highlights that exploits have been active in the wild for months, with attackers outpacing defenders in some cases. The stakes are high: data theft, surveillance, and compromised mobile devices being used as footholds for broader enterprise attacks.​

The exploitation playbook is as clever as it is dangerous. According to research from Unit 42, criminals (likely private-sector offensive actors operating out of the Middle East) weaponized the vulnerability to deliver LANDFALL spyware through malformed Digital Negative (DNG) image files sent via WhatsApp. DNG is an open and lossless RAW image format developed by Adobe and used by digital photographers to store uncompressed sensor data.

The attack chain works like this:

• The victim receives a booby-trapped DNG photo file.
• The file, armed with ZIP archive payloads and tailored exploit code, triggers the vulnerability in Samsung’s image codec library.
• This is a “zero-click” attack: the user doesn’t have to tap, open, or execute anything. Just processing the image is enough to compromise the device.

It’s important to know that Samsung addressed another image-library flaw, CVE-2025-21043, in September 2025, showing a growing trend: image processing flaws are becoming a favorite entry point for both espionage and cybercrime.

What should users and businesses do?

Our advice to stay safe from this type of attack is simple:

• Patch immediately. If you haven’t updated your Samsung device since April, do so. FCEB organizations have until December 1, 2025, to comply with CISA’s operational directive.
• Be wary of unsolicited messages and files, especially images received over messaging apps.
• Download apps only from trusted sources and avoid sideloading files.
• Use up-to-date real-time anti-malware solution for your devices.

Zero-days targeting mobile devices are becoming frighteningly common, but the risk can be lowered with urgent patching, awareness, and solid security controls. As LANDFALL shows, the most dangerous attacks today are often the quietest—no user action required and no obvious signs until it’s too late.

Device models targeted by LANDFALL:

Galaxy S23 Series

Galaxy S24 Series

Galaxy Z Fold4

Galaxy S22

Galaxy Z Flip4

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

One of the reassuring things about owning an iPhone was knowing you could lock it if it got lost or stolen. Without your passcode, fingerprint or face to unlock it, it would be useless to anyone else.

Now, though, some phone thieves have found a workaround, not by breaking Apple’s security, but by tricking owners into giving them the keys.

The Swiss National Cyber Security Centre (NCSC) has issued a warning about phishing scams targeting iPhone owners who’ve lost their devices.

Phishing for Apple ID credentials

When you report an iPhone as lost in Apple’s Find My app, you can set a custom lock-screen message that appears on the missing device. Many people include an email address or phone number in that message so a helpful stranger can contact them if the phone turns up.

Unfortunately, that’s the very information scammers use to reach you. A thief (or anyone who now has the phone) can see that contact detail on the screen and send you a convincing message—usually by text, iMessage, or email—claiming to have found your device.

The scam messages often include details copied from the phone itself, such as its model and color, to make it sound authentic. It also includes a link to a fake website that mimics the Find My service that Apple operates to locate lost devices. The site will ask for the victim’s Apple ID credentials.

If the victim takes the bait, the thief can use those credentials to gain full access to the phone. That enables them to wipe it, returning it to factory settings for resale.

Although the NCSC didn’t say so, an enterprising thief could get up to all kinds of other shenanigans. They might reset the user’s Apple ID to lock them out—even on a replacement device, access their photos (yes, including any risqué ones), read their emails and nose through their apps. In short, it would give them carte blanche to your digital life.

These attacks don’t have to happen immediately. The perpetrators might text months after the device has been lost, when victims might have moved on and lowered their guard.

The good news… and the bad

The warning is both good and bad news. It’s good news because it shows that criminals are apparently unable to bypass Apple’s Activation Lock protection through technical means. The Activation Lock, turned on when you activate Find My, registers a device ID on Apple’s activation servers. Even if the criminals reset your device, the activation lock will still be there. Only someone with the user’s Apple ID credentials can unlock it. It’s a version of something called Factory Reset Protection (FRP) that the US mandated under the US Smart Phone Theft Prevention Act of 2015. Android phones have similar lock functionality.

The warning is bad news because phone owners are human, and humans are often the easiest security system to defeat. Phishing schemes that target phone theft victims are big business. Back in 2017, security reporter Brian Krebs documented “phishing as a service” platforms that did it at scale, on a subscription basis. Vice found toolkits like ProKit for phishing to unlock phones on sale for around $75.

We’ve already written about how the phone theft industry operates. Police in the UK recently uncovered a network stealing up to 40,000 phones per year. Most were shipped overseas to countries including China, where they would be used as profitably as possible. Locked phones might be broken up for parts, but a phone restored to factory settings that can be activated from scratch is far more valuable.

What to do if your iPhone is stolen

Ignore any messages from “Apple” claiming your lost phone has been found. The NCSC says Apple will never text or email customers about a recovered device.

If you lose your phone, turn on Lost Mode right away in Find My to lock it and display your contact message. Use a different contact number or email (not the one linked to your Apple ID or main phone) so scammers can’t use that information to target you.

Protect your SIM, too: enable PIN protection immediately, and ask your carrier to block or replace the SIM if the phone has been stolen.

We can’t easily stop thieves stealing people’s phones, or control who sees our phones after they leave our hands. But a little forethought now can help you to stop criminals from accessing your digital life or selling your phone on in its current form if it does enter the underground supply chain.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Researchers at Zimperium identified Fantasy Hub, a new Android spyware developed and sold as a subscription on Russian-language cybercrime forums.

Malware-as-a-Service (MaaS) means cybercriminals rent out to malware to other criminals, complete with the infrastructure necessary to harvest and abuse stolen information. Usually, it’s up to the buyer to spread the malware, but Fantasy Hub goes a step further—it comes with full documentation, video tutorials, and a subscription model that makes it easy for even inexperienced attackers to use. Its creators provide step-by-step guides to create fake Google Play pages that imitate apps like Telegram or online banking portals, complete with realistic reviews. It’s a Remote Access Trojan (RAT) that anyone can distribute.

Distribution relies heavily on social engineering and phishing. Attackers use Fantasy Hub’s templates and tools to set up convincing fake app pages, tricking users into downloading the malicious software. A “dropper” option even lets buyers upload any Android app APK and get back a modified version with Fantasy Hub added.

These counterfeit apps look legitimate, and often request only a single permission: SMS access. But that permission unlocks much more. The SMS handler role bundles multiple powerful permissions: contacts, camera, and file access into a single authorization step, unlocking extensive control over the device’s messaging, contacts, and camera functions. Fantasy Hub is designed to bypass standard security checks and can remain concealed, making detection difficult for users.

What can it do?

Once installed, Fantasy Hub can steal SMS messages, call logs, contacts, photos, and videos. It can also intercept, reply to, and delete notifications. More dangerously, it can initiate live audio and video streams using the device’s camera and microphone without the user’s consent. It’s been found in imitation banking apps, displaying fake windows to harvest user credentials such as usernames, PINs, and passwords. As part of the handy pack provided by Fantasy Hub’s creators, attackers are given tools to tailor these phishing windows for almost any banking app they wish to target.

While individuals at at risk from this malware, the threat extends to organizations that use Bring Your Own Device (BYOD) policies or rely on mobile banking and work apps. A single infected phone could expose company data or communications.

How to stay protected

Fantasy Hub shows how easily cybercriminals can now buy and run complex spyware. But a few simple habits can help you stay safe:

• Stick to trusted sources. Download apps only from Google Play, Apple’s App Store, or the official provider. Your bank will never ask you to use another source.
• Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware as Android/Trojan.Spy.ACRF949851CC4.
• Scrutinize permissions. Does it really need the permissions it’s requesting to do the job you want it to do? Especially if it asks for SMS or camera access.
• Unsolicited communications. Stay wary of messages, emails, or links urging you to “update” or install outside the official app stores.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

You’ve probably seen it before—a bright, urgent message claiming you’ve qualified for a $750 or $1000 Walmart gift card. All you have to do is answer a few questions. It looks harmless enough. But once you click, you find yourself in a maze of surveys, redirects, and “partner offers”—without ever actually reaching the end and claiming your prize.

This so-called “survey” is part of a lead-generation and affiliate marketing scam, designed not to reward you but to harvest your data and push you through ad funnels that make money for others, at the cost of your privacy.

What’s really going on?

It’s a scam because these pages rarely deliver any real gift card. What they’re after is your personal data.

As you move through each step, you’re asked for details like your name, email, phone number, ZIP code and even your home address. In some cases, you’re prompted to share interests such as home repair, debt help, or insurance quotes—each answer helps categorize you for targeted marketing.

Even if the page itself doesn’t steal money, that information is still valuable. It can be used to target you with more ads and offers, add you to marketing lists, or personalize follow-up contact. In other words, completing the questionnaire hands over data that can be exploited for profit—even when no gift card ever appears.

In some cases, the funnel gets even more specific. For example, if the survey asks you about home projects and you say you’re planning to replace your windows, you might be redirected to what looks like a legitimate home improvement site—often just another form asking for the same details again. The whole thing is designed to keep you filling out more forms, giving up more of your data, to more websites and affiliates.

These scams don’t aren’t just annoying time-wasters. They are harvesting your data, eroding your privacy and exposing you to wider risks. Once your details are shared, they can travel far beyond that fake survey.

Your information may:

• Be resold to advertisers and data brokers, who build detailed profiles about your habits, spending, and location.
• Lead to a surge of spam calls, texts, and phishing emails tailored to your interests.
• Feed more convincing scams down the line, since criminals can now personalize their lures using real information about you.
• End up on unregulated marketing lists that circulate for years, keeping your data in play long after you’ve closed the page.

That’s the hidden cost of a “free” gift card: each click fuels a network that profits from your identity, not your participation.

Why do people fall for it?

The hook is simple—free money and easy participation. But this fake Walmart promotion taps into three powerful psychological triggers:

1. The sense of luck: “You’ve been selected!” sounds personal and special.
2. The promise of low effort: Answering a few questions feels harmless.
3. The illusion of credibility: Walmart’s branding lends legitimacy.

These scams spread mainly through advertising and malvertising networks—pop-ups, spam emails, social media ads, or sketchy website banners that imitate real promotions.

You might spot them alongside news articles or as “sponsored links” that sound too good to be true. Some appear via push notifications or redirects, whisking you from a real website to a fake reward page in seconds.

The designs often use official logos, countdown timers, and congratulatory language to make them look like authentic brand campaigns—tricking people into lowering their guard.

It’s an easy mental shortcut: “If this was fake, it wouldn’t look so professional.” That’s what these scammers count on—the appearance of legitimacy mixed with urgency and reward.

How to protect yourself

These gift card offers aren’t just harmless internet fluff—they’re the front door to a sprawling network of data collection and affiliate profiteering. Each click, form, and redirect is designed to extract value from your attention and information, not to reward you.

Recognizing these scams early is the best defense. Here’s how to stay safe:

1. Be suspicious of online surveys promising big rewards. Legitimate promotions from major retailers rarely require long questionnaires or partner offers.
2. Never give personal information to unknown pages. If a site asks for your phone number or address for a “free prize,” it’s a red flag.
3. Use browser protection tools. Extensions like Malwarebytes Browser Guard can block known scam domains and malvertising networks before they load.
4. Check the URL carefully. Real Walmart promotions will always come from official domains (like walmart.com or survey.walmart.com), not random URLs with extra words or numbers.
5. Stay alert and skeptical. Online quizzes and reward offers are a favorite bait for scammers. When in doubt – close the tab.

We don’t just report on scams—we help detect them

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

Last week on Malwarebytes Labs:

• Malwarebytes scores 100% in AV-Comparatives Stalkerware Test 2025
• Fake CAPTCHA sites now have tutorial videos to help victims install malware
• Hackers commit highway robbery, stealing cargo and goods
• Android malware steals your card details and PIN to make instant ATM withdrawals
• Take control of your privacy with updates on Malwarebytes for Windows
• Cyberattacks on UK water systems reveal rising risks to critical infrastructure
• Should you let Chrome store your driver’s license and passport?
• Apple patches 50 security flaws—update now
• “Sneaky” new Android malware takes over your phone, hiding in fake news and ID apps
• Sling TV turned privacy into a game you weren’t meant to win
• Attack of the clones: Fake ChatGPT apps are everywhere
• Would you sext ChatGPT? (Lock and Code S06E22)
• Malwarebytes aces PCMag Readers’ Choice Awards and AVLab Cybersecurity Foundation tests

On the ThreatDown blog:

• Inside EDR-Freeze: How ThreatDown stops the attack before it spreads

Stay safe!

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

The AV-Comparatives Stalkerware Test 2025 delivers a sobering look at the evolving threat posed by stalkerware on mobile devices. Despite measures from both the tech industry and platform providers, stalkerware-type apps, which are apps that can be installed covertly to spy on a victim’s private life, remain a critical concern.

This comprehensive assessment, developed in collaboration with Electronic Frontier Foundation (EFF), evaluated 13 leading Android security solutions against 17 diverse stalkerware-type apps. Key findings show that stalkerware persists even as providers and coalitions crack down: it’s sideloaded from developer websites, designed to evade detection, and frequently stores sensitive victim data on insecure servers, often exposing it to wider risks like public data leaks.

For this test, each security app was assessed for its ability to clearly detect and report stalkerware, not just using generic labels, but with explicit warnings tailored to support possible victims.

AV-Comparatives is an independent organization offering systematic testing that checks whether security software, such as PC/Mac-based antivirus products and mobile security solutions, lives up to its promises.

Of the 13 security products tested in September 2025, only a few stood out for detection accuracy, clarity, and responsible alerting, with Malwarebytes the only one to score a 100% detection rate.

From the report:

The results show clear differences in performance between mobile security products. Malwarebytes stood out by detecting all stalkerware testcases, achieving a 100% detection rate. 

It went on to say:

Bitdefender, ESET, Kaspersky, and McAfee followed closely with 94% each, showing consistently high effectiveness. Avast, Avira, and F-Secure also performed well, identifying 88% of the test set, while Norton and Sophos achieved moderate coverage, detecting around 82%. At the lower end, G Data (65%), Google (53%), and Trend Micro (59%) missed a substantial portion of the stalkerware.

Why it matters to Malwarebytes

As one of the founding members of the Coalition Against Stalkerware, Malwarebytes sees this result as much more than a technical win. For us, the mission goes beyond simply blocking malicious software. Stalkerware-type apps are often used by abusers to systematically invade privacy and exert control. Their impact is highly personal, making reliable detection and safe reporting imperative.

Our participation in the coalition reflects a commitment to industry best practices: preventing stalkerware-type apps from being quietly installed, giving users detailed and honest threat information, and ensuring that every detection alert is crafted with survivor safety in mind. Scoring 100% in this test validates years of advocacy and development focused on the real-world needs of victims and their supporters, which goes beyond focusing on theoretical malware samples.

Ultimately, consistent leadership in stalkerware detection means standing alongside partners and survivor organizations to raise public awareness, drive safer technology, and provide every user with a clear path to reclaim their privacy. For Malwarebytes, achieving a perfect score isn’t just a mark of product quality; it’s proof of our commitment to your privacy and security.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Early on in 2025, I described how criminals used fake CAPTCHA sites and a clipboard hijacker to provide instructions for website visitors that would effectively infect their own machines with an information stealer known as the Lumma Stealer.

ClickFix is the name researchers have since given to this type of campaign—one that uses the clipboard and fake CAPTCHA sites to trick users into running malicious commands themselves.

Later, we found that the cybercriminals behind it seemed to be running some A/B tests to figure out which infection method worked best: ClickFix, or the more traditional file download that disguises malware as a useful application.

The criminals probably decided to go with ClickFix, because they soon came up with a campaign that targeted Mac users to spread the infamous Atomic Stealer.

Now, as reported by researchers from Push Security, the attackers behind ClickFix have tried to make the campaign more “user-friendly.”  The latest fake CAPTCHA pages include embedded video tutorials showing exactly how to run the malicious code.

The site automatically detects the visitor’s operating system and provides matching instructions, copying the right code for that OS straight to the clipboard—making typos less likely and infection more certain.

A countdown timer adds urgency, pressuring users to complete the “challenge” within a minute. When people rush instead of thinking things through, social engineering wins.

Unsurprisingly, most of these pages spread through SEO-poisoned Google search results, although they also circulate via email, social media, and in-app ads too.

How to stay safe

With ClickFix running rampant—and it doesn’t look like it’s going away anytime soon—it’s important to be aware, careful, and protected.

• Slow down. Don’t rush to follow instructions on a webpage or prompt, especially if it asks you to run commands on your device or copy-paste code. Attackers rely on urgency to bypass your critical thinking, so be cautious of pages urging immediate action. Sophisticated ClickFix pages add countdowns, user counters, or other pressure tactics to make you act quickly.
• Avoid running commands or scripts from untrusted sources. Never run code or commands copied from websites, emails, or messages unless you trust the source and understand the action’s purpose. Verify instructions independently. If a website tells you to execute a command or perform a technical action, check through official documentation or contact support before proceeding.
• Limit the use of copy-paste for commands. Manually typing commands instead of copy-pasting can reduce the risk of unknowingly running malicious payloads hidden in copied text.
• Secure your devices. Use an up-to-date real-time anti-malware solution with a web protection component.
• Educate yourself on evolving attack techniques. Understanding that attacks may come from unexpected vectors and evolve helps maintain vigilance. Keep reading our blog!

Pro tip: Did you know that the free Malwarebytes Browser Guard extension warns you when a website tries to copy something to your clipboard?

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

There’s a modern-day train heist happening across America, and this time, some of the bandana-masked robbers are sitting behind screens.

According to new research, a group of cybercriminals has been attacking trucking, freight, and logistics companies for months, impersonating brands and even diverting real cargo shipments to unapproved locations so that the stolen goods can be sold or shipped elsewhere.

The impact, the researchers said, extends far beyond the logistics industry:

“Such crimes can create massive disruptions to supply chains and cost companies millions, with criminals stealing everything from energy drinks to electronics. The most targeted commodities are food and beverage products.”

Although the cyberattacks were mostly seen in North America, cargo theft is a problem across the world, impacting consumers and businesses that rely on the often-overlooked network of trucks, trains, ships, planes, and people.

In these attacks, cybercriminals compromise the accounts of carrier companies that transport goods from one location to the next. By posing as legitimate carriers, they can place real bids on shipments and then redirect them to unauthorized destinations, where they or their partners will receive and steal the cargo.

Researchers found that attackers take control of these accounts in at least one of three ways.

1. Fake load boards

Attackers may post a fake order on what’s called a “load board,” a digital marketplace that connects shippers with carriers so that cargo can be assigned and accepted. But when legitimate carriers inquire about the fake load board posting, the criminals reply with an email that includes a malicious link that, when clicked, installs Remote Monitoring and Management (RMM) software. (To make the scam more convincing, the cybercriminals also compromise a “broker” account so their load board posting looks legitimate.)

Despite the sneaky install method, RMM software itself is entirely legitimate. It’s used by IT support teams to remotely fix issues for employees. But that legitimacy makes RMM software perfect for any cybercriminal campaign because it may raise fewer red flags from older antivirus tools.

Once the attackers gain access to a carrier’s account, they can also deploy malware to steal account credentials, giving them greater access to a company’s network.

2. Compromised email accounts

A second observed attack method involved hijacking an active email address and then impersonating the owner when responding to emails about cargo orders and shipments. Here, too, cybercriminals inserted malicious links into emails that eventually install RMM tools.

3. Social engineering

Finally, researchers also observed the attackers sending direct phishing emails to carriers, using classic social engineering tricks—like sending a bogus bill to lure victims into clicking malicious links.

While many of the well-tested security best practices still apply—like not clicking on links inside emails—one of the strongest defenses is to use a security product that notifies users about RMM tools (also sometimes referred to as Remote Desktop Programs) installed on their device. RMM tools are legitimate, but because of their abuses in cybercriminal campaigns, it is important that every installation is verified and tracked.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.