Proton VPN Impersonation Exposes NWHStealer: A Sophisticated Malware Campaign
Multiple ongoing malware campaigns are deploying the sophisticated information-stealing trojan, designated as NWHStealer, via deceptive VPN installer packages, gaming modifications, and system utility tools.
Unlike conventional phishing campaigns, these attacks exploit user trust in well-established software ecosystems. Threat actors disguise malicious payloads as authentic installers for utilities including Proton VPN, OhmGraphite, Sidebar Diagnostics, Pachtop, and HardwareVisualizer.
The malicious files are distributed across various platforms, including counterfeit lookalike domains, GitHub, GitLab, MediaFire, and SourceForge, often linked through gaming or cybersecurity-focused YouTube video content.
Upon execution, NWHStealer infiltrates target systems through process injection into legitimate Windows processes, such as RegAsm.exe, Microsoft’s Assembly Registration Tool.
Researchers have identified a widespread operational campaign that employs convincingly crafted fake websites, developer platforms, and YouTube channels to deceive users into downloading and executing the malware.
Depending on the variant, the malware employs self-injection techniques, dynamic-link library (DLL) hijacking, or MSI-based loading mechanisms to stealthily deploy the final payload.
Case 1: Free Hosting Service as Malware
One notable discovery involved a malicious campaign exploiting onworks[.]net, a recognized free web hosting service that enables users to run in-browser virtual machines.

Threat actors leveraged this platform to host malicious ZIP archives masquerading as legitimate utilities. Downloaded files such as OhmGraphite-0.36.1.zip, Sidebar Diagnostics-3.6.5.zip, and HardwareVisualizer_1.3.1.zip contained embedded executable components containing malicious loaders.
The loaders incorporate anti-analysis code, custom AES-CBC decryption routines, and Windows API calls to resolve system functions through dynamic resolution via LoadLibraryA and GetProcAddress.
Upon decryption, these payloads load subsequent stages directly into memory, circumventing traditional endpoint security mechanisms.

In associated samples, threat actors replaced legitimate files with WinRAR executables containing malicious DLLs, such as WindowsCodecs.dll, to hijack trusted system processes.
Case 2: Fake Proton VPN Sites Delivering Malware
A subsequent wave of attacks involved counterfeit Proton VPN websites, characterized by realistic user interfaces and bundled ZIP archives that mimic official installation packages.
These archives contained malicious dynamic-link libraries (DLLs), such as iviewers.dll, TextShaping.dll, and CrashRpt1403.dll, which initiate process hollowing within legitimate binary files like RegAsm.
The malware subsequently decrypts embedded resources, loads secondary payloads, and ultimately executes NWHStealer within memory.

Researchers further associated this campaign with compromised YouTube channels hosting AI-generated tutorial videos that demonstrate the fake installation process, directing viewers to designated download links.
No official affiliation exists between these sites or videos and Proton VPN; the company has been notified of the impersonation.
Upon activation, NWHStealer systematically enumerates browser data, extracts stored credentials, and targets more than 25 directories associated with cryptocurrency wallet applications.
The malware operates across primary web browsers, including Chrome, Edge, Brave, Opera, and Chromium-based variants, by injecting a dynamic-link library (DLL) into browser processes to decrypt and exfiltrate stored data.
Encrypted data is transmitted to the command-and-control (C2) infrastructure utilizing the Advanced Encryption Standard with Cipher Block Chaining (AES-CBC) mode. In instances where the primary server becomes unreachable, the malware employs a Telegram-based dead drop mechanism to retrieve an alternative C2 address.

The DLL is injected into browser processes, including msedge.exe, firefox.exe, and chrome.exe. This dynamically linked library extracts and decrypts browser data prior to transmission to the command-and-control (C2) server.
Additionally, the malware executes PowerShell commands to disable Windows Defender, create hidden directories, and establish scheduled tasks for persistent presence. Privilege escalation is achieved through a recognized CMSTP User Account Control (UAC) bypass method.
How to Stay Safe
Threat actors associated with NWHStealer exploit software that users already trust, contributing to the effectiveness of these threats. To mitigate risk, users should implement the following measures:
- Always download software exclusively from official vendor websites.
- Exercise caution with software hosted on platforms such as GitHub, SourceForge, or general file-sharing sites.
- Verify file digital signatures and publisher metadata.
- Avoid clicking on YouTube links that promote free or “modded” versions of software.
- Utilize security add-ons such as Malwarebytes Browser Guard to block potentially malicious websites.
The increasing complexity of NWHStealer’s distribution methodology highlights that even seemingly legitimate software sources may require rigorous verification to confirm authenticity.