Online shoppers at risk as Magecart skimming hits major payment networks

Researchers have been tracking a Magecart campaign that targets several major payment providers, including American Express, Diners Club, Discover, and Mastercard. Magecart is an umbrella term for criminal groups that specialize in stealing payment data from online checkout pages using malicious...

How real software downloads can hide remote backdoors

It starts with a simple search. You need to set up remote access to a colleague’s computer. You do a Google search for “RustDesk download,” click one of the top results, and land on a polished website with documentation, downloads, and familiar branding. You install the software, launch it, and...

Data broker fined after selling Alzheimer’s patient info and millions of sensitive profiles

California's privacy regulator has fined a Texas data broker $45,000 and banned it from selling Californians' personal information after it sold Alzheimer patients' data. Texan company Rickenbacher Data LLC, which does business as Datamasters, bought and resold the names, addresses, phone numbers...

Why iPhone users should update and restart their devices now

If you were still questioning whether iOS 26+ is for you, now is the time to make that call. Why? On December 12, 2025, Apple patched two WebKit zero‑day vulnerabilities linked to mercenary spyware and is now effectively pushing iPhone 11 and newer users toward iOS 26+, because that’s where the...

Received an Instagram password reset email? Here’s what you need to know

Last week, many Instagram users began receiving unsolicited emails from the platform that warned about a password reset request. The message said: “Hi username, We got a request to reset your Instagram password. If you ignore this message, your password will not be changed. If you didn’t request ...

Regulators around the world are scrutinizing Grok over sexual deepfakes

Grok’s failure to block sexualized images of minors has turned a single “isolated lapse” into a global regulatory stress test for xAI’s ambitions. The response from lawmakers and regulators suggests this will not be solved with a quick apology and a hotfix. Last week we reported on Grok's apology...

Celebrating reviews and recognitions for Malwarebytes in 2025

Independent recognition matters in cybersecurity, and it matters a lot to us. It shows how security products perform when they’re tested against in-the-wild threats, using lab environments designed to reflect what people actually face in the real world. In 2025, Malwarebytes earned awards and...

A week in security (January 5 – January 11)

Last week on Malwarebytes Labs: pcTattletale founder pleads guilty as US cracks down on stalkerware Are we ready for ChatGPT Health? CISA warns of active attacks on HPE OneView and legacy PowerPoint Lego’s Smart Bricks explained: what they do, and what they don’t Fake WinRAR downloads hide malwar...

Enshittification is ruining everything online (Lock and Code S07E01)

This week on the Lock and Code podcast … There's a bizarre thing happening online right now where everything is getting worse. Your Google results have become so bad that you’ve likely typed what you’re looking for, plus the word “Reddit,” so you can find discussion from actual humans. If you...

pcTattletale founder pleads guilty as US cracks down on stalkerware

Reportedly, pcTattletale founder Bryan Fleming has pleaded guilty in US federal court to computer hacking, unlawfully selling and advertising spyware, and conspiracy. This is good news not just because we despise stalkerware like pcTattletale, but because it is only the second US federal...

Are we ready for ChatGPT Health?

How comfortable are you with sharing your medical history with an AI? I’m certainly not. OpenAI’s announcement about its new ChatGPT Health program prompted discussions about data privacy and how the company plans to keep the information users submit safe. ChatGPT Health is a dedicated “health...

CISA warns of active attacks on HPE OneView and legacy PowerPoint

The US Cybersecurity and Infrastructure Security Agency CISA added both a newly discovered flaw and a much older one to its catalog of Known Exploited Vulnerabilities KEV. The KEV catalog gives Federal Civilian Executive Branch FCEB agencies a list of vulnerabilities that are known to be exploite...

Lego’s Smart Bricks explained: what they do, and what they don’t

Lego just made what it claims is its most important product release since it introduced minifigures in 1978. No, it's not yet another brand franchise. It's a computer in a brick. Called the Smart Brick , it's part of a broader system called Smart Play that Lego hopes will revolutionize your child...

Fake WinRAR downloads hide malware behind a real installer

A member of our web research team pointed me to a fake WinRAR installer that was linked from various Chinese websites. When these links start to show up, that’s usually a good indicator of a new campaign. So, I downloaded the file and started an analysis, which turned out to be something of a...

One million customers on alert as extortion group claims massive Brightspeed data haul

US fiber broadband company Brightspeed is investigating claims by the Crimson Collective extortion group that it stole sensitive data belonging to more than 1 million residential customers, including extensive personally identifiable information PII, as well as account and billing details...

Phishing campaign abuses Google Cloud services to steal Microsoft 365 logins

Attackers are sending very convincing fake “Google” emails that slip past spam filters, route victims through several trusted Google-owned services, and ultimately lead to a look-alike Microsoft 365 sign-in page designed to harvest usernames and passwords. Researchers found that cybercriminals us...

Disney fined $10m for mislabeling kids’ YouTube videos and violating privacy law

Disney will pay a $10m settlement over allegations that it violated kids' privacy rights, the Federal Trade Commission FTC said this week. The agreement, first proposed in September 2025, resolves a dispute over Disney's labeling of child-targeted content on YouTube. The thousands of YouTube vide...

ALPRs are recording your daily drive (Lock and Code S06E26)

This week on the Lock and Code podcast … There's an entire surveillance network popping up across the United States that has likely already captured your information, all for the non-suspicion of driving a car. Automated License Plate Readers, or ALPRs, are AI-powered cameras that scan and store ...

Grok apologizes for creating image of young girls in “sexualized attire”

Another AI system designed to be powerful and engaging ends up illustrating how guardrails routinely fail when development speed and feature races outrun safety controls. In a post on X, AI chatbot Grok confirmed that it generated an image of young girls in “sexualized attire.” The potential...

A week in security (December 29 – January 4)

Last week on Malwarebytes Labs: How AI made scams more convincing in 2025 In 2025, age checks started locking people out of the internet 2025 exposed the risks we ignored while rushing AI Malware in 2025 spread far beyond Windows PCs Stay safe! We don 't just report on privacy—we offer you the...

How AI made scams more convincing in 2025

This blog is part of a series where we highlight new or fast-evolving threats in consumer security. This one focuses on howAI is being used to design more realistic campaigns, accelerate social engineering, and how AI agents can be used to target individuals. Most cybercriminals stick with what...

In 2025, age checks started locking people out of the internet

If 2024 was the year lawmakers talked about online age verification, 2025 was the year they actually flipped the switch.​ In 2025, across parts of Europe and the US, age checks for certain websites especially pornography turned long‑running child‑protection debates into real‑world access controls...

2025 exposed the risks we ignored while rushing AI

This blog is part of a series where we highlight new or fast-evolving threats in the consumer security landscape. This one looks at how the rapid rise ofArtificial Intelligence AI is putting users at risk. In 2025 we saw an ever-accelerating race between AI providers to push out new features. We...

Malware in 2025 spread far beyond Windows PCs

This blog is part of a series highlighting new and concerning trends we noticed over the last year. Trends matter because they almost always provide a good indication of what 's coming next. If there’s one thing that became very clear in 2025, it’s that malware is no longer focused on Windows...

A week in security (December 22 – December 28)

Last week on Malwarebytes Labs: Pornhub tells users to expect sextortion emails after data exposure Hacktivists claim near-total Spotify music scrape Stay safe! We don 't just report on threats—we help safeguard your entire digital identity Cybersecurity risks should never spread beyond a headlin...

Hacktivists claim near-total Spotify music scrape

Hacktivist group Anna’s Archive claims to have scraped almost all of Spotify’s catalog and is now seeding it via BitTorrent, effectively turning a streaming platform into a roughly 300 TB pirate “preservation archive.” On its blog, the group states: “A while ago, we discovered a way to scrape...

Pornhub tells users to expect sextortion emails after data exposure

After a recent data breach that affected Pornhub Premium members, Pornhub has updated its online statement to warn users about potential direct contact from cybercriminals. “We are aware that the individuals responsible for this incident have threatened to contact impacted Pornhub Premium users...

A week in security (December 15 – December 21)

Last week on Malwarebytes Labs: CISA warns ASUS Live Update backdoor is still exploitable, seven years on The ghosts of WhatsApp: How GhostPairing hijacks accounts Chrome extension slurps up AI chats after users installed it for privacy Two Chrome flaws could be triggered by simply browsing the...

CISA warns ASUS Live Update backdoor is still exploitable, seven years on

Recently, the Cybersecurity and Infrastructure Security Agency CISA added along with two others a vulnerability in ASUS Live Update to its catalog of Known Exploited Vulnerabilities KEV. The KEV catalog lists vulnerabilities that are known to be exploited in the wild and sets patch deadlines for...

The ghosts of WhatsApp: How GhostPairing hijacks accounts

Researchers have found an active campaign aimed at taking over WhatsApp accounts. They've called this attack GhostPairing because it tricks the victim into completing WhatsApp’s own device-pairing flow, silently adding the attacker’s browser as an invisible linked device on the account. Ghost of...

Chrome extension slurps up AI chats after users installed it for privacy

This case highlights a growing grey area in consumer privacy: data collection that is technically disclosed, but so far outside user expectations that most people would never knowingly agree to it. The next time you tell an AI chat assistant your deepest secrets, think twice; you never know who o...

Two Chrome flaws could be triggered by simply browsing the web: Update now

Google issued an extra patch addressing two security vulnerabilities in Chrome, both of which can be triggered remotely by an attacker when a user visits a specially crafted, malicious web page. Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users. That makes it ...

Inside a purchase order PDF phishing campaign

A PDF named "NEW Purchase Order 52177236.pdf" turned out to be a phishing lure. So we analyzed the phishing script behind it. A customer contacted me when Malwarebytes blocked the link inside a “purchase order” email they had received. Malwarebytes blocked this ionoscloud.com subdomain When I...

SoundCloud, Pornhub, and 700Credit all reported data breaches, but the similarities end there

Comparing data breaches is like comparing apples and oranges. They differ on many levels. To news media, the size of the brand, how many users were impacted, and how it was done often dominate the headlines. For victims, what really matters is the type of information stolen. And for the...

Android mobile adware surges in second half of 2025

Android users spent 2025 walking a tighter rope than ever, with malware, data‑stealing apps, and SMS‑borne scams all climbing sharply while attackers refined their business models around mobile data and access. Looking back, we may view 2025 as the year when one-off scams were replaced on the sco...

Photo booth flaw exposes people’s private pictures online

Photo booths are great. You press a button and get instant results. The same can’t be said, allegedly, for the security practices of at least one company operating them. A security researcher spent weeks trying to warn a photo booth operator about a vulnerability in its system. The flaw reportedl...

Photo booth flaw exposes people’s private pictures online

Photo booths are great. You press a button and get instant results. The same can’t be said, allegedly, for the security practices of at least one company operating them. A security researcher spent weeks trying to warn a photo booth operator about a vulnerability in its system. The flaw reportedl...

Google is discontinuing its dark web report: why it matters

Google has announced that early next year they are discontinuing the dark web report, which was meant to monitor breach data that’s circulating on the dark web. The news raised some eyebrows, but Google says it’s ending the feature because feedback showed the reports didn’t provide “helpful next...

Pig butchering is the next “humanitarian global crisis” (Lock and Code S06E25)

This week on the Lock and Code podcast … This is the story of the world's worst scam and how it is being used to fuel entire underground economies that have the power to rival nation-states across the globe. This is the story of "pig butchering." "Pig butchering" is a violent term that is used to...

PayPal closes loophole that let scammers send real emails with fake purchase notices

After an investigation by BleepingComputer, PayPal closed a loophole that allowed scammers to send emails from the legitimate [email protected] email address. Following reports from people who received emails claiming an automatic payment had been cancelled, BleepingComputer found that...

A week in security (December 8 – December 14)

Last week on Malwarebytes Labs: The US digital doxxing of H-1B applicants is a massive privacy misstep Google ads funnel Mac users to poisoned AI chats that spread the AMOS infostealer How private is your VPN? DroidLock malware locks you out of your Android device and demands ransom Malwarebytes...

The US digital doxxing of H-1B applicants is a massive privacy misstep

Technology professionals hoping to come and work in the US face a new privacy concern. Starting December 15, skilled workers on H-1B visas and their families must flip their social media profiles to public before their consular interviews. It’s a deeply risky move from a security and privacy...

Google ads funnel Mac users to poisoned AI chats that spread the AMOS infostealer

Researchers have found evidence that AI conversations were inserted in Google search results to mislead macOS users into installing the Atomic macOS Stealer AMOS. Both Grok and ChatGPT were found to have been abused in these attacks. Forensic investigation of an AMOS alert showed the infection...

How private is your VPN?

When you're shopping around for a Virtual Private Network VPN you'll find yourself in a sea of promises like "military-grade encryption!" and "total anonymity!" You can’t scroll two inches without someone waving around these fancy terms. But not all VPNs can be trusted. Some VPNs genuinely protec...

DroidLock malware locks you out of your Android device and demands ransom

Researchers have analyzed a new threat campaign actively targeting Android users. The malware, named DroidLock, takes over a device and then holds it for ransom. The campaign to date has primarily targeted Spanish-speaking users, but researchers warn it could spread. DroidLock is delivered via...

Malwarebytes for Mac now has smarter, deeper scans

Say hello to the upgraded Malwarebytes for Mac —now with more robust protection, more control, and the same trusted defense you count on every day. We’ve given our Mac scan engine a serious intelligence boost, so it thinks faster and digs deeper. The new enhanced scan searches across more of your...

[Updated] Another Chrome zero-day under attack: update now

Google issued an extra patch for a security vulnerability in Chrome that is being actively exploited, and it's urging users to update. The patch fixes three flaws in Chrome, and for one of them Google says an exploit already exists in the wild. Chrome is by far the world’s most popular browser,...

December Patch Tuesday fixes three zero-days, including one that hijacks Windows devices

These updates from Microsoft fix serious security issues, including three that attackers are already exploiting to take control of Windows systems. In total, the security update resolves 57 Microsoft security vulnerabilities. Microsoft isn't releasing new features for Windows 10 anymore, so Windo...

GhostFrame phishing kit fuels widespread attacks against millions

GhostFrame is a new phishing-as-a-service PhaaS kit, tracked since September 2025, that has already powered more than a million phishing attacks. Threat analysts spotted a series of phishing attacks featuring tools and techniques they hadn't seen before. A few months later, they had linked over a...

Prompt injection is a problem that may never be fixed, warns NCSC

Prompt injection is shaping up to be one of the most stubborn problems in AI security, and the UK’s National Cyber Security Centre NCSC has warned that it may never be “fixed” in the way SQL injection was. Two years ago, the NCSC said prompt injection might turn out to be the “SQL injection of th...