From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere
NWHStealer is a Windows infostealer malware distributed through multiple campaigns leveraging fake VPN sites, hardware utilities, gaming mods, and popular code and file hosting platforms. It collects sensitive data including browser information, saved passwords, and cryptocurrency wallet details from over 25 wallet types. Two infection vectors are described: malicious ZIP files containing self-injection loaders, and DLL hijacking delivered via fake websites that injects code into the RegAsm process. The malware exfiltrates stolen data to command-and-control servers using AES-CBC encryption and maintains persistence through scheduled tasks and UAC bypass techniques. Distribution domains and file hashes have been identified, but no official patch or fix is available. The threat is assessed as medium severity based on its impact and distribution methods.
AI Analysis
Technical Summary
NWHStealer is a Windows infostealer actively distributed through diverse platforms such as fake Proton VPN websites, GitHub, GitLab, MediaFire, SourceForge, and YouTube links. It targets browser data, saved passwords, and cryptocurrency wallets (over 25 types). Two main infection methods are identified: one involves malicious ZIP files hosted on free web hosting providers containing self-injection loaders; the other uses fake websites employing DLL hijacking to inject malicious code into the RegAsm process. The malware exfiltrates data encrypted with AES-CBC to command-and-control servers and maintains persistence via scheduled tasks and UAC bypass techniques. Indicators include specific malicious domains and file hashes. There is no known official patch or vendor advisory for remediation.
Potential Impact
The malware compromises user privacy and security by stealing browser data, saved passwords, and cryptocurrency wallet information, potentially leading to financial theft and unauthorized account access. Its use of multiple infection vectors and persistence mechanisms increases the risk of successful compromise. The encrypted exfiltration of data to attacker-controlled servers complicates detection and response. No known exploits in the wild beyond these campaigns have been reported.
Mitigation Recommendations
No official patch or vendor advisory is available for this threat. Mitigation should focus on user education to avoid downloading software from untrusted or fake websites, especially those impersonating legitimate services like Proton VPN. Monitoring for suspicious scheduled tasks and DLL hijacking attempts may help detect infection. Employing endpoint protection solutions capable of detecting known indicators such as the provided domains and file hashes is recommended. Regularly updating software and applying security best practices can reduce exposure to such threats.
Indicators of Compromise
- domain: get-proton-vpn.com
- domain: vpn-proton-setup.com
- domain: newworld-helloworld.icu
- hash: 5cb3b902ae5993ae4e502f1c29cfb4e0
- hash: 8ef6bcde887786d1a96497fa9aa04fd4e1eb02b0
- hash: 2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3
- hash: e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3
- url: https://www.onworks.net/software/windows/app-hardware-visualizer
AI-Powered Analysis
Machine-generated threat intelligence
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securityboulevard.com/2026/04/from-fake-proton-vpn-sites-to-gaming-mods-this-windows-infostealer-is-everywhere/
- Adversary: null
- Pulse Id: 69dfb91808e1258915184d6e
- Threat Score: null
Indicators of Compromise
Domain

| Value | Description |
|---|---|
| get-proton-vpn.com | — |
| vpn-proton-setup.com | — |
| newworld-helloworld.icu | — |

Hash

| Value | Description |
|---|---|
| 5cb3b902ae5993ae4e502f1c29cfb4e0 | — |
| 8ef6bcde887786d1a96497fa9aa04fd4e1eb02b0 | — |
| 2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3 | — |
| e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3 | — |

Url

| Value | Description |
|---|---|
| https://www.onworks.net/software/windows/app-hardware-visualizer | — |
Threat ID: 69dfcba782d89c981f834603
Added to database: 4/15/2026, 5:32:23 PM
Last enriched: 4/15/2026, 5:46:57 PM
Last updated: 4/16/2026, 6:42:23 AM