Malware Campaign Impersonates Malwarebytes in DLL Sideloading Attack Between January 11 and 15, 2026, security researchers uncovered an active malware campaign in which attackers posed as Malwarebytes, a legitimate cybersecurity firm, to distribute malicious files. The campaign leveraged DLL sideloading, a technique that exploits Windows’ automatic DLL loading to execute hidden malware alongside legitimate software. Victims unknowingly downloaded fake ZIP archives mimicking Malwarebytes software, containing a legitimate executable and a malicious CoreMessaging.dll file. When executed, the legitimate program loaded the malicious DLL, initiating the infection. The campaign’s files shared a unique identifier (behash: 4acaac53c8340a8c236c91e68244e6cb), aiding detection efforts. The attack delivered infostealers as secondary payloads, targeting: - Login credentials and passwords - Cryptocurrency wallet browser extensions - Personal financial data A second payload identifier (behash: 5ddb604194329c1f182d7ba74f6f5946) allowed researchers to track affected systems. The malicious DLLs also contained unusual metadata ("Peastaking plenipotence ductileness chilopodous codicillary" and "© 2026 Eosinophil LLC") and exported atypical function names (15Mmm95ml1RbfjH1VUyelYFCf and 2dlSKEtPzvo1mHDN4FYgv), serving as clear indicators of compromise. While the ZIP files included benign text files (e.g., gitconfig.com.txt or Agreement_About.txt) with GitHub URLs likely for tracking these did not directly facilitate the attack. Security teams can reference VirusTotal’s public collection for a full list of malicious file hashes and hunting queries to identify and mitigate the threat.

Malwarebytes was targeted in a sophisticated phishing attack where scammers attempted to steal an employee’s 1Password credentials via a deceptive email impersonating 1Password’s Watchtower breach alert system. The phishing email, sent from watchtower@eightninety[.]com, directed victims to a fraudulent domain (onepass-word[.]com) disguised as a legitimate password reset page. While the attack was thwarted by Mandrillapp (Mailchimp’s email service) blocking the phishing URL shortly after deployment, early victims risked exposing their entire password vault, granting attackers access to all stored logins—potentially leading to account takeovers, identity theft, or lateral breaches into corporate systems. The incident mirrors a prior campaign reported by Hoax-Slayer (September 2025), suggesting a recurring threat. No confirmation of successful credential theft was disclosed, but the attack highlights vulnerabilities in employee awareness and third-party email services used for redirects. The compromised credentials could have enabled deeper infiltration into Malwarebytes’ infrastructure or partner networks if exploited.

Mobile Scams Surge: Nearly Half of Users Face Daily Threats, Report Finds A new report from Malwarebytes reveals that 44% of mobile users encounter scams or threats daily, with 66% struggling to distinguish legitimate communications from fraudulent ones. The Tap, Swipe, Scam study, based on a survey of 1,300 adults across the US, UK, Austria, Germany, and Switzerland, highlights the growing risk of mobile-based attacks—both for individuals and enterprises, particularly those allowing BYOD (Bring Your Own Device) policies. Key Findings: - Highest exposure rates were in the US (51%) and UK (49%). - 36% of respondents admitted to falling victim to a scam, while 36% reported malware infections. - Primary attack vectors included email (65%), phone calls (53%), SMS (50%), social media (47%), and messaging apps (40%). - Social engineering (53%) was the most common threat, with 19% of users falling victim. - Extortion schemes affected 17%, including ransomware (25%), sextortion (24%), and deepfake scams (20%). 18% reported virtual kidnapping attempts. The report also underscores the psychological impact of these attacks, with 75% of victims experiencing emotional harm—46% citing mental health issues and 25% facing blackmail or harassment. Broader Trends: - Mobile phishing ("mishing") has surged, with 82% of phishing sites now targeting mobile devices, per a Zimperium study from September 2024. - August 2024 saw a peak of over 1,000 mobile phishing attacks per day, reflecting the rapid evolution of cybercriminal tactics. Malwarebytes’ David Ruiz emphasized the personal and technical dimensions of mobile threats, noting that AI and deepfake technologies are amplifying risks. The report calls for better user empowerment to combat scams, though it stops short of prescriptive advice.

Mass Instagram Password Reset Emails Spark Data Breach Concerns On January 8, 2025, Instagram users worldwide began receiving unsolicited password reset emails from the platform’s official domain ([email protected]). The messages, which appeared legitimate—complete with proper formatting and verification marks—triggered widespread confusion, as no users had initiated the resets. Reports flooded social media platforms, including Reddit and X, with users questioning whether the emails were part of a targeted attack, a technical error, or evidence of a larger breach. Some users found the reset notifications missing from their Instagram security logs, while others received identical emails after manually changing their passwords—a sign the domain was authentic. Speculation ranged from a phishing campaign to a misconfigured system trigger, with one Reddit user in email marketing suggesting a possible "legacy system" error. The incident gained further urgency after Malwarebytes revealed on January 9 that hackers had stolen data from 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, and email addresses. The stolen data, now circulating on the dark web, could enable cybercriminals to impersonate brands or launch credential-stuffing attacks. The timing of the password reset emails aligns with the breach, raising concerns that the two events may be connected. Meta, Instagram’s parent company, has yet to issue a public statement. The global scale of the reset emails—affecting users across multiple time zones—suggests a systemic issue rather than isolated incidents. As of now, the cause remains unconfirmed, though the overlap with the reported breach has intensified scrutiny.

Malwarebytes' security systems faced an attack by the RansomHub ransomware gang, who leveraged Kaspersky's TDSSKiller tool to disable endpoint detection and response (EDR) services. This tactic, directed at the Malwarebytes Anti-Malware Service, was part of the attackers' strategy to undermine defense mechanisms and facilitate ransomware deployment. Additionally, the LaZagne tool was used for extracting and likely exfiltrating credentials. While the extent of the breach has not been publicized, the usage of legitimate tools allowed the attackers to bypass security measures, indicating a sophisticated approach and underscoring the challenges organizations face in protecting against such illicit activities by ransomware operators.