SOC Prime Bias: Medium

16 Apr 2026 17:01

From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere

SOC Prime Team

Summary

A Windows infostealer known as NWHStealer is spreading through fake VPN download pages, bundled hardware utilities, mining tools, and compromised gaming mods. The malware is typically delivered in malicious ZIP archives that rely on self-injection, DLL hijacking, and process hollowing, with RegAsm frequently used as the target process. Once executed, NWHStealer steals browser credentials, collects cryptocurrency wallet data, and exfiltrates the stolen information through encrypted command-and-control channels.

Investigation

Researchers identified two primary delivery methods. In one, malicious ZIP archives hosted on a free web-hosting platform launched the stealer through self-injection. In the other, fake Proton VPN websites delivered a DLL-based loader that abused DLL hijacking. The loader then decrypted embedded resources, hollowed out a RegAsm process, and finally executed NWHStealer in memory or injected it directly into browser-related processes.

Mitigation

Users should avoid downloading software from untrusted sources, including unofficial GitHub releases, suspicious SourceForge pages, and links shared through YouTube descriptions. Organizations should verify digital signatures before execution, use endpoint security tools that block known malicious URLs, and watch for suspicious scheduled tasks or hidden directories created within user profile paths.

Response

Defenders should hunt for known NWHStealer DLL names, RegAsm process injection activity, hidden folders under LOCALAPPDATA, and scheduled tasks that launch binaries disguised as legitimate system files. The identified command-and-control domains and Telegram dead-drop link should be blocked immediately. Any affected systems should be isolated and investigated through full forensic analysis.
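As an added hunting example (not code from the SOC Prime report), the Python below applies rule-style checks for the behaviours named in the Response section and the attack flow (a bare RegAsm launch from a user-profile binary, a scheduled task whose action is a system-named binary under the user profile, a Defender exclusion for a user-profile folder, and iviewers.dll loading from a user-writable path) to constructed Sysmon-style events. Field names, sample paths and the system-name list are assumptions for illustration.

```python
import re
import shlex

USER_PATH = re.compile(r"^c:\\users\\[^\\]+\\")  # paths under a user profile (inputs are lowercased)
SYSTEM_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe", "dllhost.exe"}
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# Constructed Sysmon-style events (not real telemetry); the last one is a benign RegAsm run.
EVENTS = [
    {"type": "process", "image": REGASM, "cmdline": REGASM,
     "parent": r"C:\Users\alice\AppData\Local\Temp\ProtonVPN_setup.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmdline": r'schtasks /create /tn "Sys Update" /tr "C:\Users\alice\AppData\Local\.cache\svchost.exe" /sc onlogon /rl highest'},
    {"type": "process", "image": PS, "parent": r"C:\Users\alice\Downloads\run.exe",
     "cmdline": r"powershell -c Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\.cache"},
    {"type": "imageload", "image": r"C:\Users\alice\Downloads\ProtonVPN\ProtonVPN.exe",
     "loaded": r"C:\Users\alice\Downloads\ProtonVPN\iviewers.dll"},
    {"type": "process", "image": REGASM, "parent": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r"RegAsm.exe C:\ProgramData\Vendor\Vendor.Interop.dll /codebase"},
]

def check_event(ev):
    """Return the names of the hunting rules this event matches (empty list if clean)."""
    hits, img = [], ev.get("image", "").lower()
    cmd, parent = ev.get("cmdline", "").lower(), ev.get("parent", "").lower()
    if ev["type"] == "process":
        # A legitimate RegAsm run passes an assembly path; a bare RegAsm spawned by a
        # binary under a user profile matches the hollowing pattern the report describes.
        if img.endswith("\\regasm.exe") and not shlex.split(cmd, posix=False)[1:] and USER_PATH.match(parent):
            hits.append("regasm_hollowing_candidate")
        # Scheduled task whose action is a system-named binary living under a user profile.
        m = re.search(r'/tr\s+"?([^"\s]+\.exe)', cmd)
        if img.endswith("\\schtasks.exe") and m and USER_PATH.match(m.group(1)) and m.group(1).rsplit("\\", 1)[-1] in SYSTEM_NAMES:
            hits.append("schtask_disguised_user_binary")
        # Defender exclusion added for a folder under a user profile.
        if "add-mppreference" in cmd and "-exclusionpath" in cmd and "c:\\users\\" in cmd:
            hits.append("defender_exclusion_user_path")
    elif ev["type"] == "imageload":
        # iviewers.dll (named in the report's attack flow) loaded from a user-writable path.
        dll = ev.get("loaded", "").lower()
        if dll.endswith("\\iviewers.dll") and USER_PATH.match(dll):
            hits.append("iviewers_dll_hijack")
    return hits

def hunt(events):
    """Map event index -> matched rules, dropping events with no hits."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}
```

Running `hunt(EVENTS)` flags the first four events and leaves the benign RegAsm run (which carries an assembly argument and a non-profile parent) untouched.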

Attack Flow

graph TB
  %% Class Definitions
  classDef action fill:#ffcccc
  classDef tool fill:#c2c2f0
  classDef process fill:#c2f0c2
  classDef malware fill:#ffd966

  %% Nodes
  initial_access["<b>Action</b> – <b>T1204.002 User Execution</b>: Victim downloads malicious ZIP from a fake VPN or hardware utility site and runs it."]
  class initial_access action
  malicious_zip["<b>Malware</b> – <b>Name</b>: Malicious ZIP archive<br/><b>Obfuscation</b>: T1027.015 Compression"]
  class malicious_zip malware
  powershell_loader["<b>Process</b> – <b>Name</b>: PowerShell loader<br/><b>Technique</b>: T1059.001 Command and Scripting Interpreter"]
  class powershell_loader process
  defender_exclusion["<b>Action</b> – <b>T1564.012 Hide Artifacts</b>: Adds its folders to Windows Defender exclusion list."]
  class defender_exclusion action
  impair_defenses["<b>Action</b> – <b>T1562 Impair Defenses</b>: Modifies security settings via PowerShell to evade detection."]
  class impair_defenses action
  cmstp_tool["<b>Tool</b> – <b>Name</b>: cmstp.exe<br/><b>Technique</b>: T1218.003 System Binary Proxy Execution"]
  class cmstp_tool tool
  uac_bypass["<b>Action</b> – <b>T1548.002 Bypass UAC</b>: Uses CMSTP with a crafted INF file to gain elevated rights."]
  class uac_bypass action
  regasm_tool["<b>Tool</b> – <b>Name</b>: regasm.exe<br/><b>Technique</b>: T1218.009 System Binary Proxy Execution"]
  class regasm_tool tool
  process_hollowing["<b>Action</b> – <b>Process Hollowing</b>: Creates RegAsm process and hollows it via NT APIs."]
  class process_hollowing action
  dll_hijack["<b>Action</b> – <b>T1574.001 DLL Hijacking</b>: Deploys malicious iviewers.dll that is loaded by legitimate executables."]
  class dll_hijack action
  persistence["<b>Action</b> – <b>T1546 Event Triggered Execution</b> & <b>T1547 Boot or Logon Autostart</b>: Schedules tasks to run the payload at user logon with elevated privileges."]
  class persistence action
  cred_browser["<b>Action</b> – <b>T1555.003 Credentials from Web Browsers</b>: Harvests passwords and cookies from multiple browsers."]
  class cred_browser action
  cred_cookie["<b>Action</b> – <b>T1539 Steal Web Session Cookie</b>: Extracts session cookies for web services."]
  class cred_cookie action
  browser_discovery["<b>Action</b> – <b>T1217 Browser Information Discovery</b>: Enumerates browser profiles, extensions and settings."]
  class browser_discovery action
  c2_dead_drop["<b>Action</b> – <b>T1102.001 Web Service Dead Drop Resolver</b>: Retrieves additional C2 information from a Telegram dead-drop channel."]
  class c2_dead_drop action
  c2_bidirectional["<b>Action</b> – <b>T1102.002 Web Service Bidirectional Communication</b>: Communicates with C2 over encrypted HTTP."]
  class c2_bidirectional action

  %% Connections
  initial_access -->|delivers| malicious_zip
  malicious_zip -->|executes| powershell_loader
  powershell_loader -->|creates hidden directories and adds exclusions| defender_exclusion
  powershell_loader -->|modifies security settings| impair_defenses
  powershell_loader -->|invokes| cmstp_tool
  cmstp_tool -->|enables| uac_bypass
  uac_bypass -->|launches| regasm_tool
  regasm_tool -->|performs| process_hollowing
  process_hollowing -->|drops| dll_hijack
  dll_hijack -->|facilitates| persistence
  persistence -->|provides foothold for| cred_browser
  cred_browser -->|collects| cred_cookie
  cred_browser -->|collects| browser_discovery
  cred_cookie -->|used for| c2_dead_drop
  browser_discovery -->|supplies information to| c2_dead_drop
  c2_dead_drop -->|communicates via| c2_bidirectional
