We opened a fake invoice and fell down a retro XWorm-shaped wormhole
Somebody forwarded an “invoice” email and asked me to check the attachment because it looked suspicious. Good instinct—it was, and what we found inside was a surprisingly old trick hiding a modern threat. What it does: If the recipient had opened the attached Visual Basic Script (.vbs) file, it woul...
Phishing emails disguised as spam filter alerts are stealing logins
Cybercriminals are spoofing "email delivery" notifications to look like they came from spam filters inside your own organization. The goal is to lure you to a phishing site that steals login credentials—credentials that could unlock your email, cloud storage or other personal accounts. The email...
Update now: November Patch Tuesday fixes Windows zero-day exploited in the wild
These updates fix serious security issues — including one that attackers are already exploiting to take control of Windows systems. By chaining it with other attacks, they can gain full admin access, install malware, steal data, or make deeper changes you wouldn’t normally be able to undo. Run...
How Malwarebytes stops the ransomware attack that most security software can’t see
Imagine this scenario: Your protection software is running perfectly. Systems are protected, definitions are up to date, behavioral analysis is active. Then, suddenly, files across your network start getting encrypted. Backups are being deleted. Ransom notes appear across your machines. Your...
Samsung zero-day lets attackers take over your phone
A critical vulnerability has put Samsung mobile device owners at risk of sophisticated cyberattacks. On November 10, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability, tracked as CVE-2025-21042, to its Known Exploited Vulnerabilities (KEV) catalog. The KEV...
How credentials get stolen in seconds, even with a script-kiddie-level phish
This attempt to phish credentials caught our attention, mostly because of its front-end simplicity. Even though this is a script-kiddie-level type of attack, we figured it was worth writing up—precisely because it’s so easy to follow what they're up to. The email is direct and to the point. Not a...
Stolen iPhones are locked tight, until scammers phish your Apple ID credentials
One of the reassuring things about owning an iPhone was knowing you could lock it if it got lost or stolen. Without your passcode, fingerprint or face to unlock it, it would be useless to anyone else. Now, though, some phone thieves have found a workaround, not by breaking Apple's security, but b...
Fantasy Hub is spyware for rent—complete with fake app kits and support
Researchers at Zimperium identified Fantasy Hub, a new Android spyware developed and sold as a subscription on Russian-language cybercrime forums. Malware-as-a-Service (MaaS) means cybercriminals rent out malware to other criminals, complete with the infrastructure necessary to harvest and abuse...
Watch out for Walmart gift card scams
You’ve probably seen it before—a bright, urgent message claiming you’ve qualified for a $750 or $1000 Walmart gift card. All you have to do is answer a few questions. It looks harmless enough. But once you click, you find yourself in a maze of surveys, redirects, and "partner offers"—without ever...
A week in security (November 3 – November 9)
Last week on Malwarebytes Labs: Malwarebytes scores 100% in AV-Comparatives Stalkerware Test 2025; Fake CAPTCHA sites now have tutorial videos to help victims install malware; Hackers commit highway robbery, stealing cargo and goods; Android malware steals your card details and PIN to make instant A...
Malwarebytes scores 100% in AV-Comparatives Stalkerware Test 2025
The AV-Comparatives Stalkerware Test 2025 delivers a sobering look at the evolving threat posed by stalkerware on mobile devices. Despite measures from both the tech industry and platform providers, stalkerware-type apps, which are apps that can be installed covertly to spy on a victim’s private...
Fake CAPTCHA sites now have tutorial videos to help victims install malware
Early on in 2025, I described how criminals used fake CAPTCHA sites and a clipboard hijacker to provide instructions for website visitors that would effectively infect their own machines with an information stealer known as the Lumma Stealer. ClickFix is the name researchers have since given to...
Hackers commit highway robbery, stealing cargo and goods
There’s a modern-day train heist happening across America, and this time, some of the bandana-masked robbers are sitting behind screens. According to new research, a group of cybercriminals has been attacking trucking, freight, and logistics companies for months, impersonating brands and even...
Android malware steals your card details and PIN to make instant ATM withdrawals
The Polish Computer Emergency Response Team (CERT Polska) analyzed a new Android-based malware that uses NFC technology to perform unauthorized ATM cash withdrawals and drain victims' bank accounts. Researchers found that the malware, called NGate, lets attackers withdraw cash from ATMs Automated...
Take control of your privacy with updates on Malwarebytes for Windows
It’s getting harder to keep your Windows space truly yours, as Microsoft increasingly serves annoying ads and tracks your data across third-party apps. Pushing back against your eroding privacy has been a scattered and sometimes complicated process… but we're making it easier for you. With the...
Cyberattacks on UK water systems reveal rising risks to critical infrastructure
Digital intruders have been targeting UK drinking water systems in what seems to be a growing risk. Recorded Future News sent a request to the UK's Drinking Water Inspectorate (DWI), the organization responsible for ensuring that drinking water is safe, for details on cyberattacks affecting the...
Should you let Chrome store your driver’s license and passport?
Google has rolled out a new autofill feature for Chrome that goes beyond storing just your passwords, addresses, and credit card numbers. The new "enhanced autofill" can now stash your driver's license, passport details, VIN, or license plate information. Sounds convenient, right? But just becaus...
Apple patches 50 security flaws—update now
Apple has released security updates for iPhones, iPads, Macs, Apple Watches, Apple TVs, Safari, and Xcode, fixing nearly 50 security flaws. Some of these bugs could let cybercriminals see your private data, take control of parts of your device, or break key security protections. Installing these...
“Sneaky” new Android malware takes over your phone, hiding in fake news and ID apps
Researchers at Cyfirma have investigated Android Trojans capable of stealing sensitive data from compromised devices. The malware spreads by pretending to be trusted apps—like a news reader or even digital ID apps—tricking users into downloading it by accident. In reality, it’s Android-targeting...
Sling TV turned privacy into a game you weren’t meant to win
Streaming service Sling TV has settled with the California Attorney General over allegations that it blocked users from exercising their privacy rights. The company will pay $530,000 after being accused of making it difficult for customers to opt out of its data collection practices. The Californ...
Attack of the clones: Fake ChatGPT apps are everywhere
The mobile AI gold rush has flooded app stores with lookalikes—shiny, convincing apps promising “AI image generation,” “smart chat,” or “instant productivity.” But behind the flashy logos lurks a spectrum of fake apps, from harmless copycats to outright spyware. Spoofing trusted brands like...
Would you sext ChatGPT? (Lock and Code S06E22)
This week on the Lock and Code podcast … In the final, cold winter months of the year, ChatGPT could be heating up. On October 14, OpenAI CEO Sam Altman said that the "restrictions" that his company previously placed on their flagship product, ChatGPT, would be removed, allowing, perhaps, for...
Malwarebytes aces PCMag Readers’ Choice Awards and AVLab Cybersecurity Foundation tests
Malwarebytes proudly topped three categories in PCMag’s 2025 Readers’ Choice Awards, recognized for exceptional protection and user satisfaction. We also earned the latest badge from AVLab Cybersecurity Foundation’s September “Advanced In-The-Wild Malware Test” by blocking 100% of malware samples...
A week in security (October 27 – November 2)
Last week on Malwarebytes Labs: Update Chrome now: 20 security fixes just landed; How scammers use your data to create personalized tricks that work; Ransomware gang claims Conduent breach: what you should watch for next; Fake PayPal invoice from Geek Squad is a tech support scam; Atlas browser’s...
Update Chrome now: 20 security fixes just landed
Google has released an update for its Chrome browser that includes 20 security fixes, several of which are classed as high severity. Most of these flaws were found in Chrome’s V8 engine—the part of Chrome and other Chromium-based browsers that runs JavaScript. Chrome is by far the world’s most...
How scammers use your data to create personalized tricks that work
Think of your digital footprint as your online shadow—the trail you leave behind whenever you browse, post, shop, or even appear in someone’s contact list. It’s your likes, reviews, comments, and all the little traces you didn’t mean to share. Together, they paint a picture of you—one that friend...
Ransomware gang claims Conduent breach: what you should watch for next [updated]
Update – October 30, 2025: New information confirms that Conduent’s 2024 breach has impacted over 10.5 million people, based on notifications filed with multiple state attorneys general. The largest disclosure came from the Oregon government, which reported a total of 10.5 million affected US...
Fake PayPal invoice from Geek Squad is a tech support scam
One of our employees received this suspicious email and showed it to me. Although it's a pretty straightforward attempt to lure targets into calling the scammers, it's worth writing up because it looks like it was sent out in bulk. Let's look at the red flags. Firstly, the sender address: PayPal...
Atlas browser’s Omnibox opens up new privacy and security risks
It seems that with every new agentic browser we discover yet another way to abuse one. OpenAI recently introduced a ChatGPT based AI browser called Atlas. It didn’t take researchers long to find that the combined search and prompt bar—called the Omnibox—can be exploited. By pasting a specially...
Gmail breach panic? It’s a misunderstanding, not a hack
After a misinterpretation of an interview with a security researcher, several media outlets hinted at a major Gmail breach. Reporters claimed the incident took place in April. In reality, the researcher had said there was an enormous amount of Gmail usernames and passwords circulating on the dark...
School’s AI system mistakes a bag of chips for a gun
An artificial intelligence (AI) detection system at Kenwood High School mistakenly flagged a student’s bag of potato chips as a gun, triggering a police response. The 16-year-old had finished eating a bag of Doritos and crumpled it up in his pocket when he was done. But the school’s AI-based gun...
Around 70 countries sign new UN Cybercrime Convention—but not everyone’s on board
Around 70 countries have signed the new United Nations (UN) Convention against Cybercrime—the first global treaty designed to combat cybercrime through unified international rules and cooperation. The treaty needs at least 40 UN member states to ratify it before it becomes international law. Once t...
NSFW ChatGPT? OpenAI plans “grown-up mode” for verified adults
If you've had your fill of philosophical discussions with ChatGPT, CEO Sam Altman has news for you: the service will soon be able to engage in far less highbrow conversations of the sexual kind. That's right—sexting is coming to ChatGPT. Are we really surprised? It marks a change in sentiment for...
How to set up two factor authentication (2FA) on your Instagram account
Two-factor authentication (2FA) isn't foolproof, but it is one of the best ways to protect your accounts from hackers. It adds a small extra step when logging in, but that extra effort pays off. Instagram’s 2FA requires an additional code whenever you try to log in from an unrecognized device or...
Phishing scam uses fake death notices to trick LastPass users
LastPass has alerted users about a new phishing attack that claims the recipient has died. According to the message, a family member has submitted a death certificate to gain access to the recipient’s password vault. A link in the phishing email, supposedly to stop the request, leads to a fake pa...
A week in security (October 20 – October 26)
Last week on Malwarebytes Labs: Is AI moving faster than its safety net? Thousands of online stores at risk as SessionReaper attacks spread; Apple may have to open its walled garden to outside app stores; Meta boosts scam protection on WhatsApp and Messenger; Home Depot Halloween phish gives users a...
Is AI moving faster than its safety net?
You’ve probably noticed that artificial intelligence, or AI, has been everywhere lately—news, phones, apps, even in your browser. It seems like everything suddenly wants to be “powered by AI.” If it’s not, it’s considered old school and boring. It’s easy to get swept up in the promise: smarter...
Thousands of online stores at risk as SessionReaper attacks spread
Early September, a security researcher uncovered a new vulnerability in Magento, an open-source e-commerce platform used by thousands of online retailers, and its commercial counterpart Adobe Commerce. It sounds like something straight out of a horror movie: SessionReaper. Behind the cinematic na...
Apple may have to open its walled garden to outside app stores
The UK’s Competition and Markets Authority (CMA) ruled that both Google and Apple have a "strategic market status." Basically, they have a monopoly over their respective mobile platforms. As a result, Apple may soon be required to allow rival app stores on iPhones—a major shift for the smartphone...
Meta boosts scam protection on WhatsApp and Messenger
Vulnerable Facebook Messenger and WhatsApp users are getting more protection thanks to a move from the applications' owner, Meta. The company has announced more safeguards to protect users (especially the elderly) from scammers. The social media, publishing, and VR giant has added a new warning on...
Over 100 Chrome extensions break WhatsApp’s anti-spam rules
Recent research by Socket’s Threat Research Team uncovered a massive, coordinated campaign flooding the Chrome Web Store with 131 spamware extensions. These add-ons hijack WhatsApp Web—the browser version of WhatsApp—to automate bulk messages and skirt anti-spam controls. Spamware is software tha...
Home Depot Halloween phish gives users a fright, not a freebie
We received a timely phishing email pretending to come from Home Depot. It claimed we’d won a Gorilla Carts dump cart (that’s a sort of four-wheeled wheelbarrow, for anyone unfamiliar)—and said it was just one click away. It wasn’t. The whole image in the email was clickable, and it hid plenty of...
Zero-click Dolby audio bug lets attackers run code on Android and Windows devices
Researchers from Google’s Project Zero discovered a medium-severity remote code execution (RCE) vulnerability that affects multiple platforms, including Android (Samsung and Pixel devices) and Windows. Remote code execution means an attacker could run programs on your device without your permission...
Windows update breaks USB support in recovery mode
We usually tell our faithful readers to install updates as soon as possible, but this time there’s an exception. Microsoft’s October security update has disabled USB mice and keyboards in the Windows Recovery Environment (WinRE). WinRE is a special mode built into Windows that helps you fix problem...
You can poison AI with just 250 dodgy documents
Researchers have shown how you can corrupt an AI and make it talk gibberish by tampering with just 250 documents. The attack, which involves poisoning the data that an AI trains on, is the latest in a long line of research that has uncovered vulnerabilities in AI models. Anthropic which produces...
What does Google know about me? (Lock and Code S06E21)
This week on the Lock and Code podcast … Google is everywhere in our lives. Its reach into our data extends just as far. After investigating how much data Facebook had collected about him in his nearly 20 years with the platform, Lock and Code host David Ruiz had similar questions about the othe...
Chinese gangs made over $1 billion targeting Americans with scam texts
We regularly warn our readers about new scams and phishing texts. Almost everyone gets pestered with these messages. But where are all these scam texts coming from? According to an article in The Wall Street Journal: “It has become a billion-dollar, highly sophisticated business benefiting...
A week in security (October 13 – October 19)
Last week on Malwarebytes Labs: Prosper data breach puts 17 million people at risk of identity theft; Under the engineering hood: Why Malwarebytes chose WordPress as its CMS; Video call app Huddle01 exposed 600K+ user logs; Mango discloses data breach at third-party provider; Roku accused of selling...
Prosper data breach puts 17 million people at risk of identity theft
Peer-to-peer lending marketplace Prosper detected unauthorized activity on their systems on September 2, 2025. It published an FAQ page later that month to address the incident. During the incident, the attacker stole personal information belonging to Prosper customers and loan applicants. As...