Malware Campaign Impersonates Malwarebytes in DLL Sideloading Attack
Between January 11 and 15, 2026, security researchers uncovered an active malware campaign in which attackers posed as Malwarebytes, a legitimate cybersecurity firm, to distribute malicious files. The campaign leveraged DLL sideloading, a technique that abuses the Windows DLL search order: an application that loads a library by name finds an attacker-supplied DLL placed in its own directory before the genuine copy in the system directories, so the malware runs under the identity (and any trust) of legitimate, signed software.
Victims unknowingly downloaded fake ZIP archives mimicking Malwarebytes software, containing a legitimate executable and a malicious CoreMessaging.dll file. When the legitimate program was executed, it loaded the malicious DLL sitting beside it, initiating the infection. The campaign's files shared a VirusTotal behaviour hash (behash: 4acaac53c8340a8c236c91e68244e6cb), which aids detection and clustering of related samples.
The attack delivered infostealers as secondary payloads, targeting:
- Login credentials and passwords
- Cryptocurrency wallet browser extensions
- Personal financial data
A second behaviour hash (behash: 5ddb604194329c1f182d7ba74f6f5946) allowed researchers to track the infostealer payloads as a group. The malicious DLLs also carried unusual version metadata ("Peastaking plenipotence ductileness chilopodous codicillary" and "© 2026 Eosinophil LLC") and exported functions with atypical names (15Mmm95ml1RbfjH1VUyelYFCf and 2dlSKEtPzvo1mHDN4FYgv), all of which serve as clear indicators of compromise.
The ZIP files also included benign text files (e.g., gitconfig.com.txt or Agreement_About.txt) containing GitHub URLs, likely used for tracking; these did not directly facilitate the attack. Security teams can consult VirusTotal's public collection for the full list of malicious file hashes and for hunting queries to identify and mitigate the threat.
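The triage logic a responder would want for this pattern, as an added example that is not code from the page, from Malwarebytes, or from the researchers cited: it opens a suspect archive, pairs every DLL with executables in the same folder, flags a DLL whose name collides with a Windows system DLL (here CoreMessaging.dll) sitting beside an executable, and scans DLL bytes for the IOC strings quoted above. The sample archive, the executable name MBSetup.exe and the folder names are constructed for illustration and are not from the campaign. The detail worth noticing is the encoding: export names sit in the PE export directory as ASCII, while version-information strings such as the copyright are stored as UTF-16LE, so an ASCII grep for "Eosinophil LLC" will miss the real artifact.

```python
"""Triage a suspect archive for the DLL-sideloading bundle and IOC strings described above."""
import io
import os
import zipfile

# Indicators taken from the write-up. Export names are ASCII in the export
# directory; version-info strings (CompanyName, LegalCopyright, ...) are UTF-16LE.
EXPORT_IOCS = ("15Mmm95ml1RbfjH1VUyelYFCf", "2dlSKEtPzvo1mHDN4FYgv")
VERSIONINFO_IOCS = (
    "Peastaking plenipotence ductileness chilopodous codicillary",
    "© 2026 Eosinophil LLC",
)
# DLL names that legitimately live in System32 and were shipped beside a signed
# executable in this campaign. Extend with other names seen abused (assumption).
SIDELOAD_CANDIDATES = {"coremessaging.dll"}


def encoded_needles():
    """Return (label, bytes) pairs in the encoding each IOC class actually uses on disk."""
    needles = [("export:" + s, s.encode("ascii")) for s in EXPORT_IOCS]
    for s in VERSIONINFO_IOCS:
        needles.append(("versioninfo:" + s, s.encode("utf-16-le")))
    return needles


def scan_bytes(data):
    """Return the labels of every campaign IOC string present in a file's raw bytes."""
    return [label for label, needle in encoded_needles() if needle in data]


def triage_zip(zip_bytes):
    """Inspect an archive held in memory. A DLL is reported when it is a known
    sideload candidate next to an .exe in the same folder, or when it carries IOCs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
        exes_by_dir = {}
        for n in names:
            folder, base = os.path.split(n)
            if base.lower().endswith(".exe"):
                exes_by_dir.setdefault(folder, []).append(base)
        for n in names:
            folder, base = os.path.split(n)
            if not base.lower().endswith(".dll"):
                continue
            hits = scan_bytes(zf.read(n))
            neighbours = exes_by_dir.get(folder, [])
            sideload = base.lower() in SIDELOAD_CANDIDATES and bool(neighbours)
            if sideload or hits:
                findings.append({
                    "member": n,
                    "sideload_pair": neighbours if sideload else [],
                    "ioc_hits": hits,
                })
    return findings


def build_sample_zip():
    """Constructed sample archive (not a real campaign file): a placeholder EXE with a
    hypothetical name, a DLL carrying two of the IOC strings in their on-disk encodings,
    a benign text file, and an unrelated DLL that must not be reported."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MalwarebytesSetup/MBSetup.exe", b"MZ placeholder executable")
        fake_dll = (b"MZ" + b"\x00" * 64
                    + VERSIONINFO_IOCS[1].encode("utf-16-le") + b"\x00\x00"
                    + EXPORT_IOCS[0].encode("ascii") + b"\x00")
        zf.writestr("MalwarebytesSetup/CoreMessaging.dll", fake_dll)
        zf.writestr("MalwarebytesSetup/Agreement_About.txt", b"placeholder text file")
        zf.writestr("tools/helper.dll", b"MZ clean library, no neighbouring exe")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

Run against the sample, the only finding is MalwarebytesSetup/CoreMessaging.dll, paired with MBSetup.exe and carrying one export IOC and one version-info IOC; the unrelated helper.dll is not reported because it neither matches a sideload candidate name nor contains any IOC. On a live Windows host the same check can be tightened by comparing a flagged DLL's hash against the copy in %SystemRoot%\System32.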
Source: https://cyberpress.org/malwarebytes-impersonation-login-credential-theft/
Malwarebytes cybersecurity rating report: https://www.rankiteo.com/company/malwarebytes
{
"id": "MAL1768834644",
"linkid": "malwarebytes",
"type": "Cyber Attack",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Cybersecurity',
'name': 'Malwarebytes (impersonated)',
'type': 'Cybersecurity Firm'}],
'attack_vector': 'DLL Sideloading',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': 'Login credentials, passwords, '
'cryptocurrency wallet browser '
'extensions, personal financial '
'data'},
'date_detected': '2026-01-11',
'date_publicly_disclosed': '2026-01-15',
'description': 'Between January 11 and 15, 2026, security researchers '
'uncovered an active malware campaign in which attackers posed '
'as Malwarebytes, a legitimate cybersecurity firm, to '
'distribute malicious files. The campaign leveraged DLL '
'sideloading, a technique that exploits Windows’ automatic DLL '
'loading to execute hidden malware alongside legitimate '
'software. Victims unknowingly downloaded fake ZIP archives '
'mimicking Malwarebytes software, containing a legitimate '
'executable and a malicious CoreMessaging.dll file. The attack '
'delivered infostealers as secondary payloads, targeting login '
'credentials, cryptocurrency wallet browser extensions, and '
'personal financial data.',
'impact': {'data_compromised': 'Login credentials, passwords, cryptocurrency '
'wallet browser extensions, personal financial '
'data',
'identity_theft_risk': 'High'},
'initial_access_broker': {'entry_point': 'Fake ZIP archives mimicking '
'Malwarebytes software'},
'investigation_status': 'Ongoing',
'motivation': 'Data Theft',
'post_incident_analysis': {'root_causes': 'Abuse of the Windows DLL search '
'order (DLL sideloading beside a '
'legitimate executable), social '
'engineering (impersonation of '
'legitimate software)'},
'references': [{'source': 'VirusTotal',
'url': 'https://www.virustotal.com/gui/collection/behash:4acaac53c8340a8c236c91e68244e6cb'}],
'title': 'Malware Campaign Impersonates Malwarebytes in DLL Sideloading '
'Attack',
'type': 'Malware Campaign',
'vulnerability_exploited': 'Windows DLL search order (DLL sideloading)'}