PROBABLYPWNED | Malware | April 16, 2026 | 4 min read

NWHStealer Spreads via Fake Proton VPN Sites and Gaming Mods

Multiple campaigns distribute NWHStealer infostealer through counterfeit Proton VPN installers, gaming modifications, and YouTube-promoted downloads. Targets browser data and 25+ crypto wallets.

James Rivera

Security researchers at Malwarebytes have documented multiple ongoing campaigns distributing NWHStealer, an infostealer targeting browser credentials and cryptocurrency wallets through an aggressive multi-channel distribution strategy. The malware spreads via fake Proton VPN websites, trojanized gaming mods, GitHub and GitLab downloads, and links promoted in YouTube videos.

The campaigns demonstrate how attackers chain multiple distribution vectors to maximize reach—compromising trusted software channels while simultaneously targeting users searching for free VPNs or game cheats.

Distribution Methods

NWHStealer operators don't rely on a single delivery mechanism. The campaigns use:

Fake VPN Sites — Counterfeit websites impersonating Proton VPN serve trojanized installers. Users searching for free VPN software encounter these sites through search ads or poisoned search results.

Gaming Modifications — Malicious game mods and cheat tools uploaded to file hosting services (MediaFire, SourceForge) and code platforms (GitHub, GitLab) bundle the stealer alongside what appear to be legitimate gaming tools.

YouTube Promotion — Video descriptions link to "download tutorials" that ultimately serve the malware. This tactic targets users seeking pirated software or game cheats who may already expect to disable antivirus for installation.

Free Web Hosting — Attackers leverage free hosting providers to distribute malicious ZIP archives containing self-injection loaders.

The multi-vector approach mirrors what we saw in the recent CPUID supply chain compromise where attackers distributed STX RAT through trojanized system utilities.

What NWHStealer Steals

Once executed, NWHStealer targets three primary data categories:

Cryptocurrency Wallets — The stealer enumerates more than 25 folders and registry keys associated with cryptocurrency wallets, including popular desktop clients and browser extensions. Wallet private keys and seed phrases get extracted for immediate fund theft.

Browser Data — NWHStealer harvests saved passwords, autofill data, cookies, and browsing history from multiple browsers: Edge, Chrome, Opera, 360 Browser, K-Melon, Brave, Chromium, and Chromodo.

Session Tokens — Stolen cookies and session data enable account takeover without passwords—attackers can import sessions directly into their own browsers.

Infection Techniques

Malwarebytes identified two primary infection chains:

  1. ZIP-based Loaders — Malicious archives from free web hosting contain self-injection executables that establish persistence before downloading the main stealer payload

  2. DLL Hijacking — Fake installers use DLL sideloading to inject malicious code into the legitimate Windows process RegAsm.exe, evading security tools that whitelist Microsoft binaries

The DLL hijacking approach provides stealth by running malicious code within a trusted process context—a technique increasingly common among infostealers targeting Windows.
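The RegAsm.exe sideloading chain described above leaves a characteristic trace in image-load telemetry. The following is an added detection example, not code from the article or from Malwarebytes: it runs two heuristics over constructed Sysmon-style Event ID 7 records and assumes, as a starting point, that a legitimate RegAsm.exe lives under C:\Windows\Microsoft.NET\ and only loads DLLs from the Windows directory.

```python
import ntpath
from typing import Dict, List

# Constructed Sysmon-style Event ID 7 (image load) records; not real telemetry.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    "|ImageLoaded=C:\\Windows\\System32\\kernel32.dll|Signed=true|Signature=Microsoft Windows",
    "Image=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    "|ImageLoaded=C:\\Users\\alice\\Downloads\\ProtonVPN_Setup\\version.dll|Signed=false|Signature=",
    "Image=C:\\Users\\alice\\AppData\\Local\\Temp\\RegAsm.exe"
    "|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\mscoree.dll|Signed=false|Signature=",
    "Image=C:\\Program Files\\Game\\game.exe"
    "|ImageLoaded=C:\\Program Files\\Game\\engine.dll|Signed=true|Signature=Example Corp",
]

# Assumed baseline (not from the article): where the real tool lives and loads from.
TRUSTED_DLL_PREFIX = "c:\\windows\\"
EXPECTED_REGASM_PREFIX = "c:\\windows\\microsoft.net\\"


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'Key=Value|Key=Value' record into a dict (values may be empty)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def sideload_findings(events: List[str]) -> List[Dict[str, str]]:
    """Flag image loads matching the RegAsm.exe sideloading pattern.

    Heuristic 1: RegAsm.exe loads an unsigned DLL from outside C:\\Windows\\.
    Heuristic 2: RegAsm.exe itself runs from outside its .NET Framework home
                 (copied next to a planted DLL in a user-writable directory).
    """
    findings = []
    for line in events:
        ev = parse_event(line)
        image = ev.get("Image", "")
        if ntpath.basename(image).lower() != "regasm.exe":
            continue  # only the host process named in the report is of interest
        loaded = ev.get("ImageLoaded", "")
        reasons = []
        if not image.lower().startswith(EXPECTED_REGASM_PREFIX):
            reasons.append("regasm_outside_dotnet_dir")
        if (not loaded.lower().startswith(TRUSTED_DLL_PREFIX)
                and ev.get("Signed", "").lower() != "true"):
            reasons.append("unsigned_dll_outside_windows_dir")
        if reasons:
            findings.append({"process": image, "dll": loaded, "reasons": ",".join(reasons)})
    return findings


if __name__ == "__main__":
    for finding in sideload_findings(SAMPLE_EVENTS):
        print(finding)
```

Signed installers that legitimately invoke RegAsm.exe during setup will load DLLs only from the Windows directory, so the second heuristic (the binary running from Temp or Downloads) is the stronger signal when tuning this against real telemetry.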

Why This Campaign Works

The distribution strategy exploits several user behaviors:

Users searching for free VPN software are often cost-conscious and willing to download from unofficial sources. Gaming communities frequently share mods through file hosting services where malware blends in with legitimate files. YouTube tutorials carry implied trust from view counts and engagement.

Combined, these vectors catch users who might otherwise avoid obvious phishing attempts. Someone downloading a Proton VPN installer from what looks like an official site isn't expecting to receive malware.

Protecting Yourself

  1. Download VPN software only from official sites — For Proton VPN, that's protonvpn.com
  2. Avoid game mods from unverified sources — Legitimate mod communities maintain curated repositories
  3. Be skeptical of YouTube download links — Video descriptions can be edited after a video gains trust
  4. Use hardware wallets — Keep significant cryptocurrency holdings offline
  5. Enable MFA everywhere — Stolen passwords become less useful with additional authentication factors

For broader guidance on avoiding malware, see our malware defense guide.

Connection to Broader Infostealer Trends

NWHStealer joins an expanding ecosystem of infostealers targeting cryptocurrency users. The 25+ wallet targets and multi-browser support indicate a mature malware operation likely operated as a service.

This tracks with the Omnistealer campaign we covered yesterday, where attackers are increasingly combining credential theft with cryptocurrency targeting—maximizing the financial return from each infection.

The gaming mod distribution vector is particularly concerning for enterprise environments. Employees installing personal software on work machines can introduce infostealers that harvest corporate credentials alongside personal data.
