Fake Malwarebytes ZIPs, Signed VS Code Stealers, and PDF Backdoors: How Trust, Not Zero-Days, Is Breaching Enterprises

Image by Pete Linforth from Pixabay

TL;DR

  • Fake Malwarebytes Campaign Tricks Users into Running Trojanized Downloads via DLL Sideloading, Stealing Crypto and Credentials
  • Cybercriminals Exploit Visual Studio Code Marketplace with Evelyn Stealer Extension to Steal Source Code and Cloud Tokens
  • Microsoft Enforces Intune Security Policies, Blocking Business Email Access for Non-Compliant Apps Since Jan 19, 2026
  • PDFSIDER APT Malware Uses DLL Side-Loading and DNS Exfiltration to Bypass Antivirus in Fortune 100 Cyberattack

🚨 Why Are People Still Downloading Fake Malwarebytes From GitHub?

Fake Malwarebytes ZIP? No, it’s not a phishing email. It’s a ZIP. A DLL. A wallet.dat. And 0.04 BTC gone. 🚨 This isn’t zero-day—it’s zero-brain. Users unzip. Windows loads. Crypto vanishes. Block the IOC hash 4acaac53... Enforce WDAC. MFA. Hardware wallets. #Cybersecurity #Malwarebytes #DLLSideloading #CryptoScam

Let’s be honest: if you’re downloading a ZIP called malwarebytes-windows-github-io-X.X.x.zip, you’re not a cybersecurity professional—you’re a human-shaped vulnerability. This campaign doesn’t exploit zero-days. It exploits trust and click-happy curiosity.

The attacker didn’t hack Malwarebytes. They didn’t need to. They copied the name, dropped a malicious CoreMessaging.dll beside the real CoreMessaging.exe, and waited for someone to unzip and run it. The Windows loader resolves an imported DLL by name through a fixed search order, and the application’s own directory is checked before System32 for any DLL that isn’t already loaded and isn’t on the KnownDLLs list. CoreMessaging.dll is not on that list, so the planted copy wins, and it wins inside a process that looks legitimate. Boom. Credential harvest. wallet.dat exfiltration. 0.04 BTC gone. Per victim. Repeatedly.

This isn’t advanced. It’s efficient. And it works because:

  • People think "GitHub" means "open source" and therefore "safe."
  • They don’t check publisher metadata (spoofed: "Eosinophil LLC"—a real word, zero credibility).
  • They ignore that Malwarebytes, Inc. doesn’t distribute installers via GitHub.

The IOCs? Straightforward:

  • Hash: 4acaac53c8340a8c236c91e68244e6cb (published as SHA-256, but 32 hex characters is an MD5-length value; confirm the algorithm before loading it into a blocklist that expects SHA-256)
  • C2: 185.62.73.44:443 | malwarebytes-download[.]net
  • Strings: 15Mmm95ml1RbfjH1VUyelYFCf, 2dlSKEtPzvo1mHDN4FYgv
  • File: CoreMessaging.dll not signed by Microsoft

And yes, they’re already preparing v2. Expect signed DLLs soon; code-signing certs are cheap, which is why “has a valid signature” is not a control on its own. WDAC? AppLocker? If you’re not allowlisting Malwarebytes binaries by publisher ("Malwarebytes, Inc.") and blocking unsigned DLLs in application directories, you’re just delaying the inevitable.

Bottom line: Your users aren’t stupid. They’re just tired. And tired people click "Extract All."

Actionables:

  • Block the IOC hash on every gateway, under the algorithm that actually produced it (a 32-character hex value is MD5-length, whatever the label says).
  • Enforce WDAC/AppLocker rules in Malwarebytes directories that allow only DLLs signed by Malwarebytes, Inc. (plus Microsoft for the system libraries a real install imports) and block anything unsigned. The genuine CoreMessaging.dll lives in System32; a copy of it sitting beside an application EXE is itself the alarm.
  • Send users a screenshot of the real download page: malwarebytes.com — not GitHub. Not MediaFire. Not Mega.
  • Enforce MFA. Everywhere.
  • If you still let people store crypto on software wallets? You’re the problem.
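To make the loader point and the hash caveat concrete, here is an added Python triage script (my example, not code from the page, from Malwarebytes, or from the campaign). It walks an unzipped download, flags any DLL whose name shadows a Windows system DLL and sits next to an EXE, and matches file hashes against an IOC list after working out which algorithm each IOC value actually is. The System32 name list is a small subset chosen for the example, and the sample directory it builds is constructed, not the real archive.

```python
"""Triage an unzipped download for DLL side-loading candidates and IOC hash hits.

Added example; the files it creates are constructed placeholders, not the real sample.
"""
import hashlib
import os
import tempfile

# System32 DLL names attackers like to plant next to a signed EXE, because the
# loader checks the application directory before System32 for any DLL that is
# not already loaded and not on the KnownDLLs list. Subset chosen for this
# example; build the full set from a clean System32 listing in production.
SYSTEM_DLL_NAMES = {
    "coremessaging.dll", "cryptbase.dll", "version.dll", "dwmapi.dll",
    "userenv.dll", "wtsapi32.dll", "uxtheme.dll", "profapi.dll",
}

# Hex digest length -> algorithm. A 32-character value is MD5-length no matter
# what the advisory calls it.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return 'md5' / 'sha1' / 'sha256' from a hex string's length, or None."""
    v = value.strip().lower()
    if not v or any(c not in "0123456789abcdef" for c in v):
        return None
    return HASH_LENGTHS.get(len(v))


def file_digests(path):
    """MD5, SHA-1 and SHA-256 of a file, computed in one pass."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def scan_extracted_dir(root, ioc_hashes):
    """Walk an extracted archive and return (kind, path, detail) findings."""
    iocs = {}
    for value in ioc_hashes:
        algo = classify_hash(value)
        if algo:  # truncated or malformed IOC values are skipped, not guessed at
            iocs.setdefault(algo, set()).add(value.strip().lower())
    findings = []
    for dirpath, _, files in os.walk(root):
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".dll") and lower in SYSTEM_DLL_NAMES and exes:
                findings.append(("sideload_candidate", full,
                                 f"shadows a System32 DLL beside {', '.join(exes)}"))
            digests = file_digests(full)
            for algo, values in iocs.items():
                if digests[algo] in values:
                    findings.append(("ioc_hash_match", full, f"{algo}={digests[algo]}"))
    return findings


def build_sample_dir():
    """Constructed stand-in for the unzipped archive; returns (path, planted DLL sha256)."""
    root = tempfile.mkdtemp(prefix="fake-mbam-")
    host = b"MZ constructed placeholder for the host EXE"
    planted = b"MZ constructed placeholder for the planted DLL"
    with open(os.path.join(root, "CoreMessaging.exe"), "wb") as fh:
        fh.write(host)
    with open(os.path.join(root, "CoreMessaging.dll"), "wb") as fh:
        fh.write(planted)
    return root, hashlib.sha256(planted).hexdigest()


if __name__ == "__main__":
    sample_root, planted_sha256 = build_sample_dir()
    # The 32-character value is the hash as published; classify_hash() files it as MD5.
    iocs = [planted_sha256, "4acaac53c8340a8c236c91e68244e6cb"]
    for finding in scan_extracted_dir(sample_root, iocs):
        print(*finding)
```

Run it against the folder a user actually extracted, not the ZIP: the side-load check is about what sits next to the EXE on disk. Authenticode verification is deliberately left out here; on a real host, follow up each sideload_candidate with a signature check (signtool or Get-AuthenticodeSignature) before deciding.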

This isn’t a hack. It’s a mirror. We built the system. They just walked in.


🤦‍♂️ Why Are Developers Still Installing Random Extensions From Microsoft’s Own Store?

You installed an extension from the VS Code Marketplace. It had a Microsoft signature. It looked legit. Then it stole your AWS tokens, Wi-Fi passwords, and 17 private repos. 🤦‍♂️ This isn’t hacking. It’s laziness. #Cybersecurity #VSCode #SupplyChainAttack #DevSecOps

Let’s be honest: if you’ve ever installed a VS Code extension because it had ‘10K downloads’ and a star rating that looked like it was generated by a bot named ‘Bob’, you’re part of the problem.

The Evelyn Stealer extension—yes, that’s its real name, and no, it’s not a typo—was hosted on the official Visual Studio Code Marketplace. It carried a Microsoft signature: the Marketplace signs every published VSIX so the client can prove the package wasn’t tampered with in transit, which says exactly nothing about what the code does once installed. It looked legitimate. It even updated quietly, like a good little citizen. And then, while you were busy debugging a TypeScript error, it dropped a forged Lightshot.dll into your .vscode/extensions folder, got it loaded through Windows DLL side-loading, and quietly harvested your AWS IAM tokens, Azure AD credentials, Wi-Fi passwords, and the 17 GitHub repos you didn’t want anyone to see.

This isn’t novel. It’s a playbook: exploit trust. Abuse signed binaries. Exfiltrate via FTP because someone forgot to block port 21 in 2018. Repeat across Chrome, VS Code, JetBrains, and Eclipse.

Microsoft will now ‘tighten vetting’. EDR vendors will add ‘side-load in .vscode’ detection rules. You’ll get a mandatory training module titled ‘Don’t Be the Weakest Link (Again)’. And in 30 days, attackers will move from FTP to HTTPS—because even criminals know that TLS is the new silent killer.

Here’s what actually works:

  • Whitelist extensions. If it’s not on your org’s approved list, it doesn’t install. Period.
  • Enforce WDAC policies. Block unsigned DLLs in %USERPROFILE%\.vscode\extensions; an extension is JavaScript and JSON, so a DLL landing in that tree deserves a look before anything else. If Lightshot.exe loads a DLL that isn’t signed by its own publisher or by Microsoft, kill it.
  • Monitor outbound FTP from Code.exe: a STOR command (an upload) from an editor process is never normal. If eveline.exe pops up in your SIEM, you’ve already lost. Detect it before the ZIP uploads.
  • Rotate cloud tokens; better, stop minting long-lived access keys at all and issue short-lived credentials (STS, workload identity). If your AWS key is older than your last team-building retreat, you’re begging to be breached.
  • Scan new marketplace uploads automatically. Use vsx-scanner. Or pay for a tool. Or keep pretending ‘reviews’ mean security.
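As an added example (mine, not the page’s and not Microsoft tooling), the audit below reads each installed extension’s package.json under ~/.vscode/extensions, compares publisher.name against an org allowlist, and lists any native binaries shipped inside the extension tree, which is the first thing a reviewer should open. The allowlist entries, the extension names and the sample directory are constructed for the example; the directory layout (publisher.name-version folders, each with a package.json) is the real one.

```python
"""Audit a VS Code extensions directory against an org allowlist.

Added example with a constructed extensions tree; not the page's code and not
Microsoft tooling. Real layout: ~/.vscode/extensions/<publisher>.<name>-<version>/package.json
"""
import json
import os
import tempfile

# publisher.name identifiers the org has reviewed. Constructed for this example.
APPROVED = {"ms-python.python", "dbaeumer.vscode-eslint"}

# Extensions are JavaScript and JSON. Native code in the tree is not proof of
# malice (some extensions ship .node addons), but it is what a reviewer reads first.
NATIVE_EXT = {".dll", ".exe", ".node", ".so", ".dylib"}


def read_manifest(ext_dir):
    """Return (publisher.name, version) from an extension's package.json."""
    with open(os.path.join(ext_dir, "package.json"), encoding="utf-8") as fh:
        manifest = json.load(fh)
    ident = f"{manifest.get('publisher', '?')}.{manifest.get('name', '?')}".lower()
    return ident, manifest.get("version", "?")


def native_files(ext_dir):
    """Relative paths of native binaries anywhere under the extension directory."""
    hits = []
    for dirpath, _, files in os.walk(ext_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() in NATIVE_EXT:
                rel = os.path.relpath(os.path.join(dirpath, name), ext_dir)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def audit_extensions(ext_root, approved=APPROVED):
    """One record per installed extension: identity, allowlist status, native binaries."""
    report = []
    for entry in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, entry)
        if not os.path.isfile(os.path.join(ext_dir, "package.json")):
            continue  # skips extensions.json and other bookkeeping files at the root
        ident, version = read_manifest(ext_dir)
        report.append({
            "id": ident,
            "version": version,
            "approved": ident in approved,
            "native": native_files(ext_dir),
        })
    return report


def build_sample_root():
    """Constructed extensions directory: one approved extension and one unknown
    publisher ("bob") shipping Lightshot binaries the way the text describes."""
    root = tempfile.mkdtemp(prefix="vscode-extensions-")
    with open(os.path.join(root, "extensions.json"), "w", encoding="utf-8") as fh:
        fh.write("[]")

    def add(publisher, name, version, binaries=()):
        ext_dir = os.path.join(root, f"{publisher}.{name}-{version}")
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump({"publisher": publisher, "name": name, "version": version}, fh)
        for rel in binaries:
            path = os.path.join(ext_dir, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"MZ constructed placeholder")

    add("ms-python", "python", "2024.0.1")
    add("bob", "helper-tools", "0.0.3", binaries=("bin/Lightshot.dll", "bin/Lightshot.exe"))
    return root


if __name__ == "__main__":
    for rec in audit_extensions(build_sample_root()):
        status = "OK    " if rec["approved"] and not rec["native"] else "REVIEW"
        print(status, rec["id"], rec["version"], rec["native"])
```

Point it at the real directory (os.path.expanduser("~/.vscode/extensions")) from a login script or an EDR custom check, and fail the host when anything unapproved or anything with native binaries shows up. The allowlist should be publisher-qualified: a star rating and a download count are not identity.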

The real tragedy? This attack didn’t exploit a zero-day. It exploited your muscle memory. You clicked ‘Install’ because the UI looked right.

So next time you install an extension? Ask yourself: Who is Bob? And why does he have access to your cloud?


💀 Microsoft Just Killed Your Email App—And You Probably Deserved It

Microsoft blocked business email for non-compliant apps on Jan 19, 2026. Your Outlook? Dead. Your Windows 11? Broken. Your help desk? Crying. SDK ≥2025.12 or App Wrapper v3. No exceptions. #Cybersecurity #MicrosoftIntune #ITPro #TechSarcasm

On January 19, 2026, Microsoft Intune didn’t just update a policy. It declared war on legacy apps. If your Outlook, Teams, or OneDrive client doesn’t carry SDK ≥2025.12 and isn’t wrapped in Intune App Wrapper v3? Goodbye, email. No warnings. No ‘maybe next time.’ Just a hard block at sign-in.

The first 24 hours? A 68% spike in help-desk tickets. 1,200 users. 0.9% of a typical 130k-tenant. But here’s the twist: that spike didn’t come alone. It arrived with KB5073724—the January Patch Tuesday update that broke Windows 11’s hibernation, nuked Remote Desktop auth, and added 45% more tickets. So yes, your email is gone. And your computer won’t wake up. And you can’t remote in to fix it. Happy Monday.

Compliance isn’t optional. It’s mandatory. Two routes: SDK 2025.12 or App Wrapper v3. One of them must be present, and the device must be enrolled. Every denied request is logged on the Intune side (the IntuneDeviceManagement logs); don’t go hunting in the local Security log for Event ID 4625, which is a failed logon, not an app-protection denial. Your IT team is now a detective agency, sifting through logs while answering Slack messages from the CFO who just screamed, “I can’t open my email!”

Mitigation? Three words: recompile, wrap, communicate.

  1. Rebuild legacy apps with SDK ≥2025.12. Fixes ~90% of issues.
  2. Deploy Intune App Wrapper v3. It’s not magic—it’s a code layer that tells Intune, “I’m clean.”
  3. Tell users the webmail URL: outlook.office.com. Yes, really. People still use it. And they’ll thank you.

Pro tip: Run Get-IntuneManagedDevice | Where-Object { [version]$_.AppVersion -lt [version]'2025.12' }. The [version] casts matter: a plain string -lt compares character by character, so '2025.9' sorts after '2025.12' and the very builds you’re hunting slip through. (AppVersion is the property name as given here; check what your tenant’s device records actually expose.) It’s not glamorous. But it’s the only thing standing between chaos and a spreadsheet.

Meanwhile, Microsoft’s Secure Score? Up 12 points for the prepared. Down 5 for the procrastinators. And on March 1, 2026, they’re turning off Exchange ActiveSync (EAS) for clients below protocol version 16.1. That’s another 0.4% of users, mostly Android 5.x dinosaurs, getting locked out. We’re not moving forward. We’re doing a three-step eviction.

The real irony? The policy was announced in December. Previewed in September. And yet, somehow, 1.3% of users are still unprepared. That’s not negligence. That’s corporate archaeology.

Microsoft didn’t break your workflow. You did. By clinging to apps older than your last corporate retreat. Now you get to watch your help desk drown—in a sea of your own legacy.

Stay compliant. Or stay offline.


💀 Why Your PDF Reader Is the New Cybersecurity Nightmare

Your PDF reader just became a backdoor. PDFSIDER APT used DLL side-loading + AES-256 DNS exfiltration to bypass AV in Fortune 100 firms. No binaries. No alerts. Just a 'Technical-Support QuickAssist' PDF. #CyberSecurity #APT #PDF24 #DNSExfiltration #DLLSideLoading

Let’s be clear: the PDFSIDER APT didn’t hack your firewall. It hacked your workflow. Attackers delivered a phishing PDF labeled ‘Technical-Support QuickAssist’—a name so bland it could’ve been drafted by HR. When opened, it triggered PDF24 Creator v3.x to auto-update… and the updater silently loaded a malicious cryptbase.dll from its own install directory. cryptbase.dll is a stock System32 library name, and the loader resolves it from the application directory before System32. Yes. Your document converter is now a backdoor.

The loader DLL is the only thing that touches disk; the payload it unpacks lives in memory, so signature-based AV sees a trusted host process and a DLL it has never seen. Useless. It exfiltrates Chrome login data and cryptocurrency wallets via DNS queries to *.c2pdfsider.net, with the stolen data AES-256-GCM-encrypted and encoded into the subdomain labels. Each label carries entropy above 4.2 bits per character, more than plain hex can produce (16 symbols cap out at 4.0) and far beyond ordinary hostnames. Over 250K such queries were logged before Resecurity HUNTER sinkholed the domain.

This isn’t novel. It’s standardized. The same DLL side-loading technique was seen in LOTUSLITE and Mustang Panda campaigns. PDF24 is installed in ~12% of Fortune 100 firms. Attackers aren’t targeting you—they’re targeting the default software stack.

Mitigation? Stop treating PDFs like harmless documents. Enforce application allowlisting. Block unsigned DLLs loading from non-Program Files paths, and remember that PDF24’s install directory is under Program Files, so that rule alone would not have caught this one; pin by publisher as well, and treat a System32 DLL name appearing in an application directory as an incident. Deploy DNS anomaly detection: flag labels with entropy above 4 bits per character and count hits per zone, since exfiltration is thousands of such queries to one domain; expect to allowlist a few CDN and telemetry zones whose hostnames are legitimately random-looking. Monitor for PDFSIDER-svc scheduled tasks. And for heaven’s sake, stop letting employees auto-update PDF tools without IT approval.
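The entropy check above, as an added Python example that is not the page’s own tooling and not Resecurity’s: it scores per-label Shannon entropy over constructed resolver log lines (timestamp, client, qname; the zone c2pdfsider.net is the page’s IOC, the labels and clients are made up), flags queries whose subdomain labels exceed a threshold, tallies hits per registered domain, and shows why the threshold matters: a hex-encoded label cannot exceed 4.0 bits per character, so a 4.2 cut-off misses hex exfiltration entirely.

```python
"""Flag DNS queries whose subdomain labels look like encoded exfiltration.

Added example with constructed log lines; not the page's or any vendor's code.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<timestamp> <client> <qname>". The two long labels
# under c2pdfsider.net stand in for ciphertext encoded into DNS labels; the hex
# label under cache.example is there to show the hex ceiling.
SAMPLE_LOG = [
    "2026-01-20T09:14:01Z 10.0.4.17 www.example.com",
    "2026-01-20T09:14:02Z 10.0.4.17 outlook.office.com",
    "2026-01-20T09:14:03Z 10.0.4.17 a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6.c2pdfsider.net",
    "2026-01-20T09:14:03Z 10.0.4.17 q7w8e9r0t1y2u3i4o5p6a7s8d9f0g1h2.c2pdfsider.net",
    "2026-01-20T09:14:04Z 10.0.4.22 0123456789abcdef0123456789abcdef.cache.example",
]


def label_entropy(label):
    """Shannon entropy of one DNS label, in bits per character."""
    if not label:
        return 0.0
    n = len(label)
    counts = Counter(label.lower())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude zone = last two labels. Assumption: no public-suffix list offline,
    so multi-part suffixes such as co.uk are grouped too coarsely."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def suspicious_queries(log_lines, threshold=4.2, allow_zones=frozenset()):
    """Return ([(qname, max_label_entropy), ...], {zone: hit_count}).

    Only subdomain labels are scored; the registered domain itself is skipped.
    allow_zones suppresses CDN/telemetry zones whose hostnames are legitimately random.
    """
    flagged, per_zone = [], defaultdict(int)
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        qname = fields[2].rstrip(".").lower()
        zone = registered_domain(qname)
        if zone in allow_zones:
            continue
        subdomain_labels = qname.split(".")[:-2]
        if not subdomain_labels:
            continue
        score = max(label_entropy(lbl) for lbl in subdomain_labels)
        if score > threshold:
            flagged.append((qname, round(score, 3)))
            per_zone[zone] += 1
    return flagged, dict(per_zone)


if __name__ == "__main__":
    hits, zones = suspicious_queries(SAMPLE_LOG)
    for qname, score in hits:
        print(f"{score:.3f} bits/char  {qname}")
    print("hits per zone:", zones)
    print("hex label ceiling:", label_entropy("0123456789abcdef0123456789abcdef"))
```

Entropy alone is a weak signal on any single query; the per-zone count is what separates an exfiltration channel from one odd-looking CDN hostname. A base32 alphabet caps at 5.0 bits per character and base64 at 6.0, so an encoder that deliberately pads with repeated characters can sit under whatever threshold you pick, which is why query volume and label length belong in the rule too.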

Prediction: By Q2 2026, Adobe Acrobat and Foxit Reader will be next. Because if you can exploit a PDF reader, why bother with zero-days?

IOCs: 3F9A…E2C4 (DLL SHA-256), c2pdfsider.net, PDFSIDER-svc.

If your IT team still thinks ‘antivirus is enough,’ they’re not ignoring threats—they’re just out of coffee.


In Other News

  • BlackBasta Ransomware Group Leaks 200,000 Internal Messages Exposing Cybercriminal Infrastructure and Wallet Addresses
  • SISA and Unnati Launch 'Cybersmart Bharat' Initiative to Train 25,000 Indian Students in Cybersecurity Skills
  • StealC Malware Infrastructure Exposed via XSS Flaw, Allowing Researchers to Monitor Cybercriminals' Own Operations
  • Trend Micro Deploys Trend Vision One on AWS European Sovereign Cloud to Meet NIS2 and DORA Compliance
  • Ohio Introduces HB524 to Impose $50,000 Penalties on AI Developers for Harmful Content Leading to Suicide
  • Microsoft Ends WhatsApp AI Provider Integration, Cutting ChatGPT and Copilot Access for Enterprise Users