A large malware campaign is using fake software downloads to distribute cryptocurrency miners, information stealers, remote access tools, and other malicious software. In January 2026, McAfee Labs found 443 malicious ZIP files posing as popular tools that people commonly search for online. The lures covered a wide range of software, including AI image generators, voice changers, stock trading tools, game mods, hacks, drivers, VPNs, emulators, and even fake decryptors.

The campaign is built for scale. McAfee found more than 100 active delivery URLs, many of them hosted on well-known file-hosting services and platforms such as Discord, SourceForge, MediaFire, FOSSHub, and mydofiles[.]com. Spreading the payloads across so many legitimate hosts lets the attackers reach as many victims as possible while blending in with normal download traffic.

How the infection spreads

The attack usually starts when a user downloads a ZIP file that appears to contain a useful program. The main executable inside often looks like a legitimate application, but it actually loads a malicious file called WinUpdateHelper.dll. McAfee found 48 different versions of this DLL during the campaign and said it has been tracking related activity since December 2024.

When the malware starts, it shows a fake error message saying that important files are missing. The user is then redirected to a file-hosting page and tricked into downloading unrelated software. This step is a decoy: by then the DLL has already contacted a command-and-control server and run a malicious PowerShell script in the background.

Attack Vector (Source: McAfee)

That script can either install coin miners or fetch other payloads, such as SalatStealer or Mesh Agent. According to McAfee, the mining has targeted cryptocurrencies including Ravencoin, Zephyr, Monero, Bitcoin Gold, Ergo, and Clore. In some cases, the malware uses both the CPU and the GPU to maximize profit.

Signs of "vibe-coded" malware

The style of the PowerShell code is one thing that stands out. Researchers found explanatory comments and well-organized sections, which strongly suggest that some parts were produced with large language models. Researchers call this "vibe coding": the comments in some scripts read more like developer instructions than polished attacker code.

Geographical Prevalence (Source: McAfee)

The campaign also uses tricks to hinder analysis. Some payload servers only accept requests made with PowerShell, and download links may only work for about 60 seconds. The malware also persists on the computer by using a service name that sounds benign, such as "Microsoft Console Host," and by adding Windows Defender exclusions to hide the files it drops in C:\ProgramData.

Command Prompt giving the wrong information (Source: McAfee)

McAfee said that hardcoded Bitcoin wallet data let researchers identify more than $4,500 in wallets linked to the operation, which have received a total of more than $11,000.

The real amount is probably higher, because much of the mining targets privacy-focused coins that are harder to track. The campaign shows how easy it has become to build and distribute malware.

With AI-assisted code writing, cheap hosting, and software that people already know how to use, attackers can run low-effort, high-volume operations against everyday users at scale.
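The persistence and evasion traits described above (a Microsoft-sounding service name, Defender exclusions covering C:\ProgramData, the WinUpdateHelper.dll loader) can be checked for on a Windows host with a short triage script. The script below is an added example, not McAfee's code or anything from the campaign; it assumes it runs in an elevated PowerShell session on a machine with the Defender module, and the search roots are assumptions. Its output is a list of items to review, not a verdict.

```powershell
# Added triage script: hunts for the persistence traits described in the report.
# Assumes an elevated session with the Windows Defender cmdlets available.
$findings = @()

# 1. Defender path/process exclusions that cover C:\ProgramData,
#    where the campaign drops its files.
$prefs = Get-MpPreference
foreach ($entry in @($prefs.ExclusionPath) + @($prefs.ExclusionProcess)) {
    if ($entry -and $entry -like 'C:\ProgramData*') {
        $findings += "Defender exclusion covers ProgramData: $entry"
    }
}

# 2. Services with a Microsoft-sounding display name (e.g. "Microsoft Console
#    Host") whose binary does not live under the Windows directory.
foreach ($svc in Get-CimInstance Win32_Service) {
    $binary = $svc.PathName
    if ($svc.DisplayName -like 'Microsoft*' -and $binary -and
        $binary -notlike "*$env:WINDIR*") {
        $findings += "Service '$($svc.DisplayName)' ($($svc.Name)) runs from: $binary"
    }
}

# 3. The loader DLL named in the report. Search roots are an assumption.
$roots = @('C:\ProgramData', "$env:USERPROFILE\Downloads")
foreach ($root in $roots) {
    Get-ChildItem -Path $root -Recurse -Filter 'WinUpdateHelper.dll' `
        -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Loader DLL present: $($_.FullName)" }
}

# 4. Defender configuration-change events (ID 5007) from the last 7 days
#    that mention exclusions; these fire when an exclusion is added.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match 'Exclusions') {
        $findings += "Defender exclusion changed at $($e.TimeCreated)"
    }
}

if ($findings.Count -eq 0) { 'No indicators found.' } else { $findings }
```

Legitimate Microsoft components installed under Program Files (such as Edge update services) will also appear in the service check, so treat each line as a lead to verify against the binary's signature and install path rather than as a confirmed infection.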