
CypherLoc Scareware Has Targeted Millions of Users, Researchers Warn

Summary

– Since early 2026, Barracuda researchers have observed about 2.8 million attacks using CypherLoc scareware, which locks browsers and directs users to fraudulent tech support.
– The attack starts with a phishing email containing a link that loads a harmless page, but the malicious payload only activates under specific conditions to evade security tools.
– Once triggered, CypherLoc switches the browser to full-screen, disables controls, hides the cursor, and displays the user’s IP address to create panic.
– A fake security page shows a fraudulent support phone number, and when victims call, human operators posing as Microsoft support continue the scam.
– Barracuda recommends anti-phishing, browser, and endpoint protections, plus user education, to detect and block such browser-based scareware attacks.

Since the start of 2026, cybersecurity researchers at Barracuda have tracked roughly 2.8 million attacks tied to a new strain of scareware known as CypherLoc. This malicious software locks users out of their browsers and funnels them toward fraudulent tech support operations, creating a convincing but entirely fake system emergency.

The attack chain typically begins with a phishing email containing a link or attachment that leads victims to a seemingly harmless webpage. However, the full scareware payload only activates under very specific conditions. As Barracuda detailed, “The code only decrypts when the page is opened under the right conditions: when the required URL fragment hash is present and the page passes a series of cryptographic integrity checks.” If those conditions aren’t met, such as when the page is opened in a scanner, sandbox, or test environment, the malicious code refuses to run and instead redirects to a blank screen, effectively hiding the attack from security tools.

Once triggered, CypherLoc unleashes a barrage of unsettling behaviors designed to panic the user. The browser switches to full-screen mode, disables context menus, hides the cursor, and floods the screen with overlays. Any attempt to regain control triggers a “relock,” and a fake security page plays warning sounds whenever the user clicks. This extra activity can slow the browser or cause it to crash. The scareware also displays the victim’s IP address and shows a login popup that fails, escalating the sense of urgency.

“A fraudulent support phone number is prominently displayed on the screen throughout the attack and presented as the only way to fix the problem,” Barracuda noted. When victims call that number, human operators posing as Microsoft support staff take over and continue the scam through live conversation. While the exact end goal remains unclear, credential theft is a likely possibility.

Saravanan Mohankumar, manager of the threat analysis team at Barracuda, explained that “CypherLoc shows how modern scareware is shifting away from obvious malware and towards browser-based, user-driven scams that are difficult to detect and highly effective. It uses the browser itself to pressure victims into acting. By combining hidden code, delayed activation and aggressive on-screen behaviour, it creates a convincing illusion of a serious system problem while leaving very little technical trace.”

To defend against such threats, Barracuda recommends that corporate security teams implement anti-phishing protections, browser security, and endpoint defenses to detect and block suspicious script behavior. Equally important is user education, ensuring employees can recognize and resist these browser-based scare tactics.
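As an illustration of what detecting "suspicious script behavior" can look like, the following added example (not code from Barracuda or from the original report) scores script text for the behaviours described above: fragment-gated decryption combined with full-screen, context-menu and cursor manipulation. The indicator list, thresholds, verdict names and sample strings are assumptions constructed for this example.

```javascript
// Added example: triage heuristic for script text captured by a proxy or
// browser control. Weights, thresholds and verdict names are assumptions.
const INDICATORS = [
  // "lock" group: the on-screen behaviours the article lists.
  { id: 'fullscreen',  group: 'lock', re: /\.(?:webkit|moz|ms)?requestfullscreen\s*\(/i },
  { id: 'contextmenu', group: 'lock', re: /addEventListener\s*\(\s*['"]contextmenu['"]|oncontextmenu\s*=/i },
  { id: 'cursor-none', group: 'lock', re: /cursor\s*[:=]\s*['"]?none/i },
  { id: 'audio',       group: 'lock', re: /new\s+Audio\s*\(|<audio\b/i },
  // "gate" group: payload decoded only when a URL fragment is present.
  { id: 'url-fragment', group: 'gate', re: /location\.hash/ },
  { id: 'webcrypto',    group: 'gate', re: /crypto\.subtle\.(?:decrypt|importKey|digest|verify)\s*\(/ },
];

function triage(scriptText) {
  const hits = INDICATORS.filter((i) => i.re.test(scriptText));
  const count = (g) => hits.filter((i) => i.group === g).length;
  const lock = count('lock');
  const gated = count('gate') === 2;
  let verdict = 'none';
  if (gated && lock >= 2) verdict = 'gated-lock';   // strongest signal
  else if (gated) verdict = 'gated-loader';         // review: payload may still be encrypted
  else if (lock >= 3) verdict = 'lock-only';
  return { verdict, lock, gated, hits: hits.map((i) => i.id) };
}

// Constructed samples (API names only, not working pages).
const SAMPLES = {
  videoPlayer: `<button onclick="player.requestFullscreen()">Full screen</button>
                <audio src="intro.mp3"></audio>`,
  loaderOnly: `if (location.hash) { crypto.subtle.decrypt(alg, key, blob); }`,
  decodedPage: `<style>body { cursor: none }</style>
                if (location.hash) { crypto.subtle.decrypt(alg, key, blob); }
                document.documentElement.requestFullscreen();
                document.addEventListener('contextmenu', (e) => e.preventDefault());`,
};

function triageAll() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, text]) => [name, triage(text).verdict]));
}

console.log(triageAll());
```

Because the payload stays encrypted until its conditions are met, a static scan will usually see only the loader, so `gated-loader` is a prompt for review rather than a block decision; legitimate end-to-end encrypted sharing sites also keep a key in the URL fragment.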

(Source: Infosecurity Magazine)
