From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere
NWHStealer is a Windows infostealer malware actively distributed through multiple platforms including fake Proton VPN websites, code and file hosting services, and YouTube links. It steals browser data, saved passwords, and information from over 25 cryptocurrency wallets. The malware uses two main infection methods: malicious ZIP files with self-injection loaders hosted on free web hosting providers, and fake websites employing DLL hijacking to inject code into the RegAsm process. It exfiltrates stolen data encrypted with AES-CBC to attacker-controlled servers and maintains persistence via scheduled tasks and UAC bypass techniques. There is no known official patch or vendor advisory for this threat. Indicators include specific malicious domains and file hashes.
AI Analysis
Technical Summary
NWHStealer is a Windows-based infostealer distributed through diverse vectors such as fake VPN download sites impersonating Proton VPN, code hosting platforms (GitHub, GitLab), file hosting services (MediaFire, SourceForge), and YouTube links. It targets sensitive user data including browser credentials, saved passwords, and cryptocurrency wallet information from over 25 wallet types. Infection occurs primarily via two methods: (1) malicious ZIP files containing self-injection loaders hosted on free web hosting providers, and (2) fake websites using DLL hijacking to inject malicious code into the RegAsm process. The malware exfiltrates data encrypted with AES-CBC to command-and-control servers and achieves persistence through scheduled tasks and UAC bypass techniques. No official patches or vendor advisories have been published for this malware. Detection can leverage known indicators such as malicious domains and file hashes.
Potential Impact
The malware compromises user privacy and security by stealing browser data, saved passwords, and cryptocurrency wallet information, which can lead to financial theft and unauthorized access to accounts. Its multiple infection vectors and persistence mechanisms increase the likelihood of successful compromise. The use of AES-CBC encryption for data exfiltration complicates detection and response efforts. There are no known exploits in the wild beyond the described campaigns.
Mitigation Recommendations
No official patch or vendor advisory is currently available for NWHStealer. Mitigation should focus on user awareness to avoid downloading software from untrusted or fake websites, especially those impersonating legitimate services like Proton VPN. Monitoring for suspicious scheduled tasks and DLL hijacking activity may help detect infections. Employ endpoint protection solutions capable of detecting known indicators such as the provided malicious domains and file hashes. Maintaining updated software and following security best practices can reduce exposure to this threat.
Indicators of Compromise
- domain: get-proton-vpn.com
- domain: vpn-proton-setup.com
- domain: newworld-helloworld.icu
- hash: 5cb3b902ae5993ae4e502f1c29cfb4e0
- hash: 8ef6bcde887786d1a96497fa9aa04fd4e1eb02b0
- hash: 2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3
- hash: e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3
- url: https://www.onworks.net/software/windows/app-hardware-visualizer
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securityboulevard.com/2026/04/from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere/
- Adversary: null
- Pulse Id: 69dfb91808e1258915184d6e
- Threat Score: null
Threat ID: 69dfcba782d89c981f834603
Added to database: 4/15/2026, 5:32:23 PM
Last enriched: 4/22/2026, 10:26:04 PM
Last updated: 5/31/2026, 10:57:09 AM