IT News

Explore the MakoLogics IT News for valuable insights and thought leadership on industry best practices in managed IT services and enterprise security updates.

Surveillance pricing is “evil and sinister,” explains Justin Kloczko (Lock and Code S06E04)

This week on the Lock and Code podcast…

Insurance pricing in America makes a lot of sense so long as you’re one of the insurance companies. Drivers are charged more for traveling long distances, having low credit, owning a two-seater instead of a four, being on the receiving end of a car crash, and—increasingly—for any number of non-determinative data points that insurance companies use to assume higher risk.

It’s a pricing model that most people find distasteful, but it’s also a pricing model that could become the norm if companies across the world begin implementing something called “surveillance pricing.”

Surveillance pricing is the term used to describe companies charging people different prices for the exact same goods. That 50-inch TV could be $800 for one person and $700 for someone else, even though the same model was bought from the same retail location on the exact same day. Or, airline tickets could be more expensive because they were purchased from a more expensive device—like a Mac laptop—and the company selling the airline ticket has decided that people with pricier computers can afford pricier tickets.

Surveillance pricing is only possible because companies can collect enormous arrays of data about their consumers and then use that data to charge individual prices. A test prep company was once caught charging customers more if they lived in a neighborhood with a higher concentration of Asians, and a retail company was caught charging customers more if they were looking at prices on the company’s app while physically located in a store’s parking lot.

This matter of data privacy isn’t some invisible invasion online, and it isn’t some esoteric framework of ad targeting; this is you paying the most that a company believes you will, for everything you buy.

And it’s happening right now.

Today, on the Lock and Code podcast with host David Ruiz, we speak with Consumer Watchdog Tech Privacy Advocate Justin Kloczko about where surveillance pricing is happening, what data is being used to determine prices, and why the practice is so nefarious.  

“It’s not like we’re all walking into a Starbucks and we’re seeing 12 different prices for a venti mocha latte,” said Kloczko, who recently authored a report on the same subject. “If that were the case, it’d be mayhem. There’d be a revolution.”

Instead, Kloczko said:

“Because we’re all buried in our own devices—and this is really happening on e-commerce websites and online, on your iPad, on your phone—you’re kind of siloed in your own world and companies can get away with this.”

Tune in today for the full conversation.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)


Listen up—Malwarebytes doesn’t just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

A week in security (February 17 – February 23)

Healthcare security lapses keep piling up

Healthcare is one of the sectors that holds the most sensitive information about us. At the same time, it’s one of the worst at keeping that information secret.

Because it accesses and stores our personal health information (PHI) and other personally identifiable information (PII), the healthcare sector should be one of the most secure sectors, but due to a lack of funding and other resources, it is not.

One of the most impactful data breaches last year was of Change HealthCare, which impacted an estimated 190 million people.

In recent news, security researcher Jeremiah Fowler, who specializes in finding unprotected databases, uncovered a non-password-protected database that contained over 1.6 million records belonging to DM Clinical Research.

DM Clinical Research is a Texas-based clinical trial network that conducts studies in 30 research centers across the US. The company connects patients with physicians to conduct studies for new or alternative medicines, providing clinical trials as a treatment option to patients.

Although the records belonged to DM Clinical Research, it is not known if the database was owned and managed directly by them or by a third-party contractor. It is also not known how long the database was exposed before Fowler discovered it or if anyone else gained access to it.

The unprotected database contained 1,674,218 records which included names, dates of birth, phone numbers, email addresses, vaccination statuses (including specific vaccines received), current medications, and other health conditions that the survey recipients may have.

Insurance companies have shown an interest in buying specific medical information, like prescriptions that identify medical conditions such as HIV, cancer, or psychiatric disorders. And data brokers that can get hold of that type of information will gladly sell it to them.

Cybercriminals can use PHI against affected individuals to phish or extort them. But a breach can also have dire financial consequences for the healthcare organization in question, as Health Net Federal Services (HNFS) and its parent company, Centene Corporation, found out.

HNFS allegedly failed to implement the required cybersecurity measures while administering health benefits for American military service members and their families. To make things worse, the Defense Health Agency of the US Department of Defense accused HNFS of falsely attesting compliance on at least three occasions.

HNFS denies all the allegations and maintains that no data breaches or loss of servicemember information occurred, but they still agreed to pay $11,253,400 to settle the allegations.

Protecting yourself after a data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify the identity of anyone who contacts you using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Consider not storing your card details. It’s definitely more convenient to get sites to remember your card details for you, but we highly recommend not storing that information on websites.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

Check your digital footprint

Malwarebytes has a new free tool for you to check how much of your personal data has been exposed online. Submit your email address (it’s best to give the one you most frequently use) to our free Digital Footprint scan and we’ll give you a report and recommendations.

SecTopRAT bundled in Chrome installer distributed via Google Ads

Criminals are once again abusing Google Ads to trick users into downloading malware. Ironically, this time the bait is a malicious ad for Google Chrome, the world’s most popular browser.

Victims who click the ad land on a fraudulent Google Sites page designed as an intermediary portal, similar to what we saw earlier this year with the massive Google accounts phishing campaign.

The final redirect eventually downloads a large executable disguised as Google Chrome which does install the browser, but also surreptitiously drops a malware payload known as SecTopRAT.

We have reported this incident to Google, but at the time of writing the fake Google Sites page is still up and running.

Distribution: Ad and Google Sites combo

We identified a suspicious ad when searching for “download google chrome”. If you look at the URL embedded in the sponsored result, you will notice it shows “https://sites.google.com”, which is Google’s free website builder.

While most pages hosted on there are legitimate, it’s good to remember that they are user generated and that abuse is a part of any open platform. It’s also a way for criminals to cleverly appear as legitimate when building fake ads.

Malware payload

Once a user double clicks on GoogleChrome.exe the fake Chrome installer connects to hxxps[://]launchapps[.]site/getCode[.]php and retrieves the necessary instructions. Below, we can see how it requests to run as administrator in order to perform certain actions that require this access level.

A PowerShell command adds an exclusion path for the %appdata%\Roaming directory so that Windows Defender does not trigger when the malware payload is extracted there.

An encrypted data stream is downloaded from hxxps[://]launchapps[.]site/3[.]php?uuid={}_uuid and then decrypted:

The executable named decrypted.exe (PDB path: D:\a\wix4\wix4\build\burn\Release\x64\burn.pdb) is then dropped to %AppData%\Roaming\BackupWin and unpacks the final payload, waterfox.exe. Side note: it has the same name and icon as the Waterfox browser (an open-source fork of the Firefox web browser).

The malicious code is then injected into the legitimate MSBuild.exe process which communicates with the attackers’ command and control infrastructure at the following IP: 45.141.84[.]208. From this, we identify the malware payload as SecTopRAT, a remote access Trojan with stealer capabilities.

Lastly, to make sure victims are completely fooled, it finishes by downloading and installing the legitimate Chrome browser. From the installation script, we see other campaigns the same threat actors are running in parallel for fake Notion and Grammarly installers.
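As an added example (not code from the Malwarebytes post), the PowerShell below audits a Windows host for the two artifacts this chain leaves behind: a Defender exclusion covering a user-writable profile directory, and an MSBuild.exe process holding connections to external addresses. It assumes the built-in Defender and NetTCPIP cmdlets and an elevated session; the 24-hour window and the list of profile roots are my choices.

```powershell
# Added example, not part of the Malwarebytes post. Assumes Windows 10/11 with
# Microsoft Defender, the Defender and NetTCPIP modules, and an elevated session.

# Profile directories that a normal installer has no reason to exclude from scanning.
$SuspiciousRoots = @(
    [Environment]::GetFolderPath('ApplicationData')       # %AppData% (...\AppData\Roaming)
    [Environment]::GetFolderPath('LocalApplicationData')  # %LocalAppData%
    [IO.Path]::GetTempPath()
    'C:\Users\Public'
)

function Get-SuspiciousDefenderExclusion {
    # Read the live exclusion list and return every entry under a user-writable root.
    $pref = Get-MpPreference
    foreach ($path in @($pref.ExclusionPath)) {
        if ([string]::IsNullOrWhiteSpace($path)) { continue }
        $expanded = [Environment]::ExpandEnvironmentVariables($path).TrimEnd('\')
        foreach ($root in $SuspiciousRoots) {
            if ($expanded.StartsWith($root.TrimEnd('\'), [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Exclusion = $path
                    Expanded  = $expanded
                    Reason    = "excludes a user-writable directory ($root)"
                }
                break
            }
        }
    }
}

function Get-RecentExclusionChange {
    # Defender writes event 5007 to its Operational log whenever its configuration
    # changes, including the "Exclusions\Paths" edit an Add-MpPreference call makes.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\Paths' } |
        ForEach-Object {
            $newValue = ($_.Message -split "`r?`n" | Where-Object { $_ -match 'New value' }) -join ' '
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; Change = $newValue.Trim() }
        }
}

function Test-PrivateAddress {
    # RFC 1918, loopback, link-local and unspecified addresses count as internal here.
    param([string]$Address)
    return $Address -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:)'
}

function Get-MSBuildExternalConnection {
    # MSBuild.exe is a build tool; an established connection from it to a public
    # address is the network side of the process injection described above.
    $procs = @(Get-Process -Name MSBuild -ErrorAction SilentlyContinue)
    if ($procs.Count -eq 0) { return }
    Get-NetTCPConnection -OwningProcess $procs.Id -State Established -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
        Select-Object OwningProcess, LocalAddress, LocalPort, RemoteAddress, RemotePort
}

Write-Host '== Exclusions under user-writable roots =='
Get-SuspiciousDefenderExclusion | Format-Table -AutoSize
Write-Host '== Exclusion changes in the last 24 hours (event 5007) =='
Get-RecentExclusionChange | Format-Table -AutoSize -Wrap
Write-Host '== MSBuild.exe connections to external addresses =='
Get-MSBuildExternalConnection | Format-Table -AutoSize
```

An empty result from all three checks is only meaningful if the script ran elevated; Get-MpPreference and the Defender log are restricted for standard users.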

Conclusion

Downloading and installing software provides an opportunity for threat actors as long as they are able to compromise the delivery chain. Search ads provide that entry point by leveraging the trust users have in their search engine. It is somewhat ironic but also damning when malicious ads impersonate the same platform that allows them in the first place.

The fake Chrome installer we reviewed in this blog post cleverly retrieved its malicious payload dynamically from a remote site and only decrypted it after making sure Windows Defender would not be able to scan it. The ruse was complete when the actual legitimate Google Chrome installer was downloaded and installed.

Malwarebytes users were already protected from this attack, with Browser Guard blocking the malicious ad and Premium Security Antivirus detecting the dropped payload.

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

Indicators of Compromise

Google Docs used by infostealer ACRStealer as part of attack

An infostealer known as ACRStealer is using legitimate platforms like Google Docs and Steam as part of an attack, according to researchers.

ACRStealer is often distributed via the tried and tested method of being downloaded as cracks and keygens, which are used in software piracy. The infostealer has been around since mid-2024 (as a beta test), but it’s only really taken off in 2025. ACRStealer is capable of:

  • Identifying which antivirus solution is on a device
  • Stealing crypto wallets and login credentials
  • Stealing browser information
  • Harvesting File Transfer Protocol (FTP) credentials
  • Reading all text files

With that kind of information, cybercriminals can go after your cryptocurrency and other funds. With the capture of usernames and passwords from web browsers, attackers can access your accounts, including email, social media, and financial services.

They may even gather enough personal data to be used for identity theft or sold on the dark web.

What stands out in the recently-found ACRStealer variants is the way they communicate with the command and control (C2) server—a computer which is used to send commands to systems compromised by malware and receive stolen data from a target network. Rather than hard-coding the IP address in the malware, they chose to use a method called Dead Drop Resolver (DDR), where the malware contacts a legitimate platform like Google Docs or Steam to read what the C2 domain is.

This is good for the cybercriminals as it means they can easily change the domain if one gets discontinued, seized, or blocked. All they need to do is update the Google Doc.

And outgoing calls to docs.google.com will not easily trigger an alarm, so it helps in staying under the radar.
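As an added example, not code from the Malwarebytes post, the PowerShell below turns the observation above into a detection: it looks for processes other than a browser or the Steam client resolving the platforms the post names as dead drops. The Sysmon Event ID 22 records are constructed, and the domain list, the allow-list of expected processes and the scoring are my assumptions.

```powershell
# Added example, not part of the Malwarebytes post. The platforms are the two the
# post names; the events are constructed Sysmon Event ID 22 (DNS query) records.

$DeadDropDomains = @('docs.google.com', 'steamcommunity.com')
# Processes expected to resolve those names; anything else gets flagged.
$ExpectedImages = @('chrome.exe', 'msedge.exe', 'firefox.exe', 'brave.exe', 'steam.exe', 'steamwebhelper.exe')

$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2025-02-20 09:01:12'; User = 'DESKTOP\alice';       Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; QueryName = 'docs.google.com' }
    [pscustomobject]@{ UtcTime = '2025-02-20 09:03:40'; User = 'DESKTOP\alice';       Image = 'C:\Users\alice\AppData\Local\Temp\keygen.exe';          QueryName = 'docs.google.com' }
    [pscustomobject]@{ UtcTime = '2025-02-20 09:03:41'; User = 'DESKTOP\alice';       Image = 'C:\Users\alice\AppData\Local\Temp\keygen.exe';          QueryName = 'steamcommunity.com' }
    [pscustomobject]@{ UtcTime = '2025-02-20 09:05:02'; User = 'NT AUTHORITY\SYSTEM'; Image = 'C:\Windows\System32\svchost.exe';                       QueryName = 'update.microsoft.com' }
)

function Find-DeadDropLookup {
    # Emit one finding per dead-drop lookup made by a process that is not expected to make it.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $query = $Event.QueryName.ToLowerInvariant()
        if ($DeadDropDomains -notcontains $query) { return }
        $exe = [IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
        if ($ExpectedImages -contains $exe) { return }
        [pscustomobject]@{
            UtcTime     = $Event.UtcTime
            User        = $Event.User
            Image       = $Event.Image
            QueryName   = $query
            # Cracks and keygens typically run from a user-writable directory.
            FromUserDir = [bool]($Event.Image -match '\\AppData\\|\\Temp\\|\\Users\\Public\\|\\Downloads\\')
        }
    }
}

function Get-DeadDropSummary {
    # Roll findings up per process; touching more than one dead-drop platform, or
    # running from a user-writable directory, raises the score.
    param([Parameter(ValueFromPipeline)] $Finding)
    begin { $all = @() }
    process { $all += $Finding }
    end {
        $all | Group-Object Image | ForEach-Object {
            $domains = @($_.Group.QueryName | Sort-Object -Unique)
            $score = $domains.Count
            if ($_.Group[0].FromUserDir) { $score++ }
            [pscustomobject]@{
                Image   = $_.Name
                User    = $_.Group[0].User
                Domains = $domains -join ', '
                Score   = $score
            }
        } | Sort-Object Score -Descending
    }
}

function ConvertFrom-SysmonDnsEvent {
    # Shape a live Sysmon EID 22 record like the constructed ones above.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    process {
        $data = @{}
        foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{ UtcTime = $data.UtcTime; User = $data.User; Image = $data.Image; QueryName = $data.QueryName }
    }
}

# Run against the constructed sample records.
$SampleEvents | Find-DeadDropLookup | Get-DeadDropSummary | Format-Table -AutoSize

# Live use (requires Sysmon with DNS query logging enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 } |
#     ConvertFrom-SysmonDnsEvent | Find-DeadDropLookup | Get-DeadDropSummary
```

The allow-list is the weak point of this rule: tune $ExpectedImages to the software actually deployed, otherwise legitimate helpers such as office add-ins will show up alongside the stealer.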

Stay safe from the ACRStealer

Like many other information stealers, ACRStealer is operated under the Malware-as-a-Service (MaaS) model, where criminals rent out the malware and the infrastructure to other criminals. That makes it hard to know exactly how to defend yourself.

However, there are some things you can do:

  • Stay away from websites offering cracks and keygens
  • Download software from the official publisher wherever possible
  • Don’t click on links in unsolicited communications (email, texts, DMs, etc)
  • Don’t open unverified attachments
  • Use multi-factor authentication (MFA) wherever you can, so even if cybercriminals steal your login details they won’t be able to get into your account
  • Use an active and up-to-date anti-malware solution.

Malwarebytes recognizes new variants of ACRStealer by behavior, which will result in the detection name of Malware.AI.{ID-number}.


DeepSeek found to be sharing user data with TikTok parent company ByteDance

A couple of weeks ago we reported on the concerns surrounding data collection and security at DeepSeek, the Chinese AI company which recently made headlines for shaking up the industry after seemingly appearing from nowhere to become top of the app download charts.

Now South Korea’s Personal Information Protection Commission (PIPC) says it has uncovered evidence that DeepSeek has secretly been sharing data with ByteDance, the parent company of popular social media app TikTok.

PIPC said that DeepSeek—an app with over one million downloads at the time of writing—automatically transmitted information to ByteDance servers every time users accessed the app, doing so without disclosure or explicit consent. PIPC told South Korea’s Yonhap News Agency that it was “yet to confirm what data was transferred and to what extent.”

In response to the investigation, South Korea has removed DeepSeek from app stores, advised users against sharing personal information through the app, and is considering strengthening regulations on foreign companies in the country.

TikTok and parent company ByteDance have faced significant controversy themselves in the past; coming under ongoing scrutiny for mishandling customer data, being labelled an “unacceptable security risk” by the FCC, and being reprimanded for misusing children’s data. These ongoing data protection issues prompted the US to initially instigate a ban on TikTok from January 18 before a presidential executive order issued by the new administration restored service and delayed the enforcement of the ban for an additional 75 days.

Perhaps unsurprisingly, this controversy again raises serious questions about the crossover between the data-harvesting and sharing practices of emerging AI technologies and data protection. This is an especially critical issue as the use of AI accelerates and plays an ever more prominent and constant role in our everyday experiences of technology and media.

It also further illustrates the necessity for proper inquiry into these practices and may indicate an urgent need for transparent and comprehensive international regulations on data privacy, with some nations like Italy and Australia already leading the way in taking action against AI applications like DeepSeek over these issues.

What can you do?

  • Avoid sharing personal information: Never input sensitive or personal data into generative AI apps.
  • Select AI apps carefully: Choose generative AI apps with caution, prioritizing reputable ones that value user privacy and security.
  • Disable chat saving: Turn off chat history to minimize the storage of your conversations.
  • Manage app permissions: Review the app’s requested permissions carefully. Only grant them permission to access things they absolutely need.
  • Review privacy policies: Understand how your data will be used and stored by the app.

We don’t just report on privacy—we offer you the option to use it.

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

Google now allows digital fingerprinting of its users

In the ongoing saga that is Google’s struggle to replace tracking cookies, we have entered a new phase. But whether that’s good news is another matter.

For years, Google has been saying it will phase out the third-party tracking cookies that power much of its advertising business online, proposing new ideas that would allegedly preserve user privacy while still providing businesses with steady revenue streams.

But it’s not been straightforward for Google. As we reported in July 2024, the tech giant said that, due to feedback from authorities and other stakeholders in advertising, it was looking at a new path forward in finding the balance between privacy and an ad-supported internet.

The announcement read:

“Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing.”

It’s not hard to see why this is scary. Apple’s App Tracking Transparency (ATT) feature caused a significant upset in the mobile advertising industry. When introduced in April 2021, it allowed users to opt out of being tracked across apps and websites. This led to an estimated 96% of US users choosing to opt out of tracking. With three billion Chrome users around the world, that might easily be an advertiser’s worst nightmare.

Google promised to kill tracking cookies by introducing a one-time global prompt that would present users with the choice of being tracked by third-party cookies or not.

But ahead of fulfilling that promise, Google has introduced digital fingerprinting. Digital fingerprinting is like creating a unique digital ID for you or your device based on various pieces of information collected when you browse the internet, like:

  • Operating System (OS): Windows, Android, iOS, etc.
  • Browser type and version
  • IP address
  • Installed browser plugins
  • Time zone
  • Language settings
  • …and so on.

With all these pieces of information, it’s possible to create a unique fingerprint by which websites can recognize you, even if you clear your cookies. They will even be able to make an informed guess if you visit the same site with a different browser.

Google itself, at one point, said that fingerprinting was undesirable:

“Unlike cookies, users cannot clear their fingerprint and therefore cannot control how their information is collected. We think this subverts user choice and is wrong.”

But, per Google’s announcement on December 19, 2024, organizations that use its advertising products can use fingerprinting techniques from last Sunday, February 16, 2025. Well, as far as Google is concerned that is.

The UK information commissioner’s office (ICO) reminded businesses they do not have free rein to use fingerprinting as they please. Like all advertising technology, it must be lawfully and transparently deployed – and if it is not, the ICO will act.

But the OK from Google is likely the start of an intermediate period where we will be bothered with both fingerprinting and third-party cookies until the advertising industry has had the time to transition.

What can I do?

Countering fingerprinting is a lot harder than keeping cookies at a minimum. But there are some things you can do to make it harder to get your fingerprint taken.

  • However hard it may be, the time may have come to consider switching to a browser that provides built-in features to resist fingerprinting
  • Or look for anti-fingerprinting tools in the form of browser extensions
  • Use a VPN that can mask your IP address and location, which are very significant pieces of information for fingerprinting
  • Keep your browser updated, so your old version will not give away your data
  • Disabling JavaScript can break a website’s functionality, but it also significantly reduces the data websites can gather about you.

We don’t just write about privacy, we can help you improve yours. Try Malwarebytes Privacy VPN.

Malwarebytes introduces native ARM support for Windows devices 

For the last four years, Malwarebytes has been protecting ARM-based machines running on Apple’s M-series processors. Now, we’ve expanded our protection range to include ARM-based Windows machines such as Copilot+ PCs, including Microsoft Surface Pro, Lenovo Yoga Slim and ThinkPad, and Dell Inspiron, among others. 

ARM-based chips offer advantages such as improved performance, longer battery life, lower costs, and advanced features like on-device AI processing. 

And with ARM processors gaining popularity in the PC market—projections suggest that they could have 25% market share by 2027—there is no doubt that malware creators will expand their reach into this area. 

Malwarebytes helps you get ahead of these threats. With active protection layers that defend against system vulnerabilities, malicious links, and more, Malwarebytes has you covered across your devices. 

Where can I get it? 

Go to the Malwarebytes website and hit the Free Download button to try it yourself, or click the button below. Our installer will automatically detect if you have an ARM device.

We recommend Windows 11 or higher for this installation, because Windows 11 has been optimized to run on ARM processors. 

Macs targeted by infostealers in new era of cyberthreats

The latest, major threats to Mac computers can steal passwords and credit card details with delicate precision, targeting victims across the internet based on their device, location, and operating system.

These are the dangers of “infostealers,” which have long plagued Windows devices but, in the past two years, have become a serious threat for Mac owners. And in 2024, one malicious program in particular was responsible for the lion’s share of infostealer activity—racking up 70% of known infostealer detections on Mac.

These findings come from the 2025 State of Malware report. While many of the threats detailed in the report target companies and businesses, this latest wave of infostealers makes no distinction between Mac computers in an office and Mac computers at home. Unlike ransomware, which is deployed against large businesses that cybercriminals hope can pay hefty ransoms, infostealers can deliver illicit gains no matter the target.

With the right cybersecurity practices, everyday Mac users can stay safe from these emerging threats.

The threat of infostealers

“Infostealers” are a type of malware that do exactly as they say—they steal information from people’s devices. But the variety of information that these pieces of malware can steal makes them particularly dangerous.

With stolen credit card details, hackers can attempt fraudulent purchases online. With stolen passwords, the impact is even broader; hackers could wire funds from a breached online banking account into their own, or masquerade as someone on social media to ask friends and family for money. Some infostealers don’t even require an additional step—they can take cryptocurrency directly from a victim’s online accounts. 

But there is another threat from infostealers that comes from their recent history: they are wildly adaptable.

In 2016, Malwarebytes first discovered an infostealer called TrickBot that, when implanted on a person’s device, would steal online banking credentials. But over time, the developers behind TrickBot began adding alarming new features, including the capabilities to steal Outlook credentials, disable Windows Defender, and even to download and deliver additional, separate malware onto infected devices.

By 2018, TrickBot was the largest threat to businesses.

Now, in 2025, another infostealer is raising red flags all across cyberspace, and this time, it isn’t interested in Windows devices.

The next Mac malware

Malware is “malicious software,” and just like legitimate software, malware has to be developed for specific operating systems. That means that, for instance, ransomware that works on a Windows laptop doesn’t automatically work on a Mac laptop, and likewise, a phishing app developed for Android devices doesn’t work on iPhones.

For years, then, a great deal of malware activity has focused on Windows devices. The common cybercriminal calculus was that, if there were more Windows users in the world, there was more reason to target those users with cyberattacks.

During this time, most Mac threats were bothersome pieces of malware that would hijack a victim’s web browser to deliver annoying ads and wayward links. But as Mac computers have become standard within businesses—and as demand for Windows computers has waned—cybercriminals have readjusted their thinking.

In 2023, a new infostealer on Mac called Atomic Stealer (AMOS) made its debut, and since its launch, it has not only showcased new features—much like TrickBot—it has also been gussied up with some of the markings of a legitimate business.  

For instance, AMOS can be “licensed” out to other cybercriminals, much like how genuine companies offer their own software for a monthly subscription price. For AMOS, that price was initially $1,000 a month, and with that access, cybercriminals didn’t just buy a productivity tool or communications app, they bought access to an information stealer that can crack into Mac computers to steal a variety of sensitive information.

By January 2024, AMOS had increased its price to $3,000 a month. The developers ran a holiday promotion—seriously—and even released an AMOS update that would better obfuscate the infostealer from being detected by cybersecurity software.

But in the world of cybercrime, malware features only mean so much. Another important piece of cybercrime is getting malware onto a device to begin with. And in 2023, malware delivery evolved hand-in-hand with Mac infostealers.

Rather than trying to deliver malware through clumsy email attachments, cybercriminals have recently turned to “malicious advertising” or “malvertising.” This means that cybercriminals will create bogus versions of websites that will rank highly during regular Google searches, tempting victims into clicking the first, ad-supported link they see online, and unknowingly reaching a website controlled entirely by cybercriminals.

On these websites, cybercriminals advertise a piece of high-demand software and trick users into a download. But instead of receiving the desired software, victims receive, in these cases, infostealers.

This one-two punch of malvertising and advanced infostealers paved the way last year for the next, big Mac threat, called Poseidon.

As we warned in the State of Malware report:

“Poseidon boasts that it can steal cryptocurrency from over 160 different wallets, and passwords from web browsers, the Bitwarden and KeePassXC password managers, the FileZilla file transfer app, and VPN configurations including Fortinet and OpenVPN.”

Poseidon is the most active infostealer on Mac today, and it accounted for 70% of all infostealer detections on Mac in the final months of 2024, an impressive feat considering the malware barely launched last summer.

Interestingly, Poseidon is just another “fork” of AMOS, meaning that another hacker took AMOS, built upon it, and released it in the wild. Already, Malwarebytes has uncovered consumer-targeted campaigns to infect Mac owners with Poseidon, including a malvertising website disguising Poseidon behind a download for a buzzy new web browser called Arc.

Poseidon represents a sea change in Mac malware, and with the type of advanced targeting that cybercriminals can achieve through malvertising—hackers can target malicious ads based on a potential victim’s location, operating system, software, and search terms—Mac users must be on watch.

How to stay safe

In 2025, Mac users don’t need to just watch out for infostealers. They also have to watch out for malvertising in general, as cybercriminals use the malware delivery method for all sorts of threats online.

Here’s how you can stay safe:

  • Use cybersecurity software that offers always-on protection against Mac malware including infostealers, adware, and the rare instances of ransomware.
  • Use Malwarebytes Browser Guard to securely browse the web and to be notified when visiting known, malicious websites that are in control of cybercriminals.
  • Beware the first, ad-supported result on Google searches and other search engines. Cybercriminals have successfully placed their own, malicious ads in these top rankings to trick victims into downloading malware.
