From fake Proton VPN sites to gaming mods, this Windows infostealer is everywhere
April 20, 2026, 11:22 a.m.
Description
Multiple campaigns are distributing NWHStealer through diverse delivery methods, including fake VPN downloads, hardware utilities, and gaming modifications. The malware collects browser data, saved passwords, and cryptocurrency wallet information. Distribution occurs via fake websites impersonating legitimate services such as Proton VPN, code hosting platforms such as GitHub and GitLab, file hosting services including MediaFire and SourceForge, and links from YouTube videos. Two primary infection chains were identified: one uses a free web hosting provider to distribute malicious ZIP files whose payload relies on self-injection, and the other uses fake websites that deliver a DLL-hijacking package which injects code into RegAsm.exe processes. The stealer targets more than 25 cryptocurrency wallets and multiple browsers, encrypts its command-and-control communications with AES-CBC, and uses UAC bypass techniques to escalate privileges.
Tags
Date
- Created: April 17, 2026, 6:30 p.m.
- Published: April 17, 2026, 6:30 p.m.
- Modified: April 20, 2026, 11:22 a.m.
Indicators
- 2494709b8a2646640b08b1d5d75b6bfb3167540ed4acdb55ded050f6df9c53b3
- e97cb6cbcf2583fe4d8dcabd70d3f67f6cc977fc9a8cbb42f8a2284efe24a1e3
- https://www.onworks.net/software/windows/app-hardware-visualizer
Additional Information
- get-proton-vpn.com
- newworld-helloworld.icu
- vpn-proton-setup.com