
Threat actors exploit viral video clickbait to spread malware

By Kumar Hemant | 3 min read

A large-scale phishing campaign is luring users into downloading malware through fake viral-video links. The attackers rely on social engineering and bounce victims in India, Australia, Indonesia, Malaysia, the United States, Brazil, Argentina, China, Peru, Mexico, Spain, the United Kingdom, France, Germany, Sweden, Finland, Norway, Hungary, Italy, Vietnam, and several other countries through multiple malicious websites before delivering the final payload.

According to researchers at McAfee, the attack begins with a deceptive PDF file that tricks users into clicking a fraudulent link labelled ‘Watch ➤ Click Here To Link (Full Viral Video Link)’. The PDF also features a fake video-player graphic to entice victims further.

[Image: the PDF with the malicious link. Source: McAfee]

After clicking the link, visitors land on a suspicious site (gitb.org) that shows several red flags: deceptive advertisements, false alert messages, and inappropriate content featuring adult material and gambling promotions, all typical signs of a malicious redirect page in a phishing operation.

From there, users are redirected through a chain of harmful web addresses before eventually arriving at a Mega.nz download that requires a password.

Once the victim downloads the ZIP file (91.78.127.175.zip, 26.7 MB), they find inside it a password-protected .7z archive. The extraction password is hidden in a file disguised as a .png image. The extracted archive contains a malicious installer (setup.msi), which starts the infection.

[Image: malicious files are installed into the %Roaming% directory. Source: McAfee]

Upon execution, the installer presents a fake CAPTCHA screen to make users believe they are accessing legitimate content. Once ‘OK’ is clicked, the malware drops multiple files into the %Roaming% directory (the user's AppData\Roaming folder, i.e. %APPDATA%), indicating the installation of malicious components designed to compromise the victim’s system.
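The chain described above leaves two artefacts a defender can triage before anything runs: a PDF carrying a clickable /URI action, and a ZIP that wraps a nested .7z plus a "picture" that is really a text file holding the password. The following Python script is an added example written for this page, not McAfee's or the article's code. It extracts link targets from an uncompressed PDF and flags the archive red flags the article names (archive named after an IP address, nested 7z, a .png whose bytes are not a PNG, a password string inside that file, an MSI package). The sample PDF and ZIP are constructed inline; the URL, file names and password in them are illustrative placeholders, not indicators from the campaign.

```python
"""Offline triage of the lure PDF and the downloaded ZIP (example code for
this page; sample inputs are constructed below and are not real IOCs)."""
import io
import ipaddress
import re
import zipfile

# Well-known file signatures used to sniff the real type of each member.
MAGIC = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "png": b"\x89PNG\r\n\x1a\n",
    "msi": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE compound file, used by MSI
    "zip": b"PK\x03\x04",
}
ARCHIVE_TYPES = {"7z", "zip"}

# Matches "/URI (target)" in an uncompressed PDF; an escaped ")" inside the
# string does not end the match. Links inside compressed object streams need
# a real PDF parser (e.g. pypdf), which this regex deliberately does not cover.
PDF_URI = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)


def extract_pdf_uris(pdf_bytes: bytes) -> list:
    """Return the link targets of the PDF's /URI actions, in file order."""
    return [m.group(1).decode("latin-1") for m in PDF_URI.finditer(pdf_bytes)]


def sniff(head: bytes):
    """Return the signature name matching the first bytes, or None."""
    for name, sig in MAGIC.items():
        if head.startswith(sig):
            return name
    return None


def named_after_ip(filename: str) -> bool:
    """True when the name before the extension parses as an IP address,
    as 91.78.127.175.zip does in the campaign above."""
    stem = filename.rsplit(".", 1)[0]
    try:
        ipaddress.ip_address(stem)
        return True
    except ValueError:
        return False


def triage_zip(zip_name: str, zip_bytes: bytes) -> list:
    """Return human-readable findings for the archive without extracting it."""
    findings = []
    if named_after_ip(zip_name):
        findings.append(f"{zip_name}: archive named after an IP address")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(64)  # enough for every signature above
            kind = sniff(head)
            ext = info.filename.rsplit(".", 1)[-1].lower()
            if kind in ARCHIVE_TYPES:
                findings.append(f"{info.filename}: nested {kind} archive")
            if ext == "png" and kind != "png":
                findings.append(f"{info.filename}: .png extension but not a PNG")
                # The disguised .png in the campaign carried the 7z password as text.
                if re.search(r"pass(word)?", head.decode("ascii", "ignore"), re.I):
                    findings.append(f"{info.filename}: contains a password string")
            if kind == "msi":
                findings.append(f"{info.filename}: Windows Installer package")
    return findings


# Constructed sample inputs (placeholders, not real indicators).
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /URI "
    b"/URI (https://example.invalid/full-viral-video) >>\nendobj\n%%EOF\n"
)


def build_sample_zip() -> bytes:
    """Mimic the layout described in the article: a 7z next to a fake .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup.7z", MAGIC["7z"] + b"\x00" * 32)  # header only
        zf.writestr("video_preview.png", b"password: placeholder-pass\n")
    return buf.getvalue()


if __name__ == "__main__":
    print("PDF links:", extract_pdf_uris(SAMPLE_PDF))
    for line in triage_zip("91.78.127.175.zip", build_sample_zip()):
        print("FLAG:", line)
```

Run as-is to see the four findings for the constructed archive; point `triage_zip` at a quarantined download to use it on real input. It never extracts members or follows links, so it is safe to run on a sandboxed sample.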

Experts warn users to remain cautious when encountering video links that claim to offer exclusive or leaked content. They also advise users to avoid clicking suspicious links in emails, social media, or messaging apps; to verify the legitimacy of file sources before downloading by checking the credibility of the domain; to use a reliable antivirus solution; and to keep real-time protection and security updates enabled.

Recently, threat actors have been using reputable names such as Salesforce for phishing lures. Hackers have also used Ulbricht’s pardon to launch Telegram phishing attacks. Another phishing campaign targeted Amazon Prime customers in January, and a similar campaign targeted PayPal customers.

A few weeks back, a sophisticated phishing campaign exploited search engine results to steal the credit card information of victims.

In the News: Fake OpenAI job scam targets Bangladesh workers via Telegram

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
