Researchers Warn CypherLoc Scareware Has Targeted Millions of Users

Security researchers have sounded the alarm over new scareware designed to lock users’ browsers and drive them to fraudulent tech support teams. Since the start of 2026, Barracuda researchers said they have observed around 2.8 million attacks which used the scareware dubbed CypherLoc. According to the cybersecurity firm, the CypherLoc campaign usually begins with a phishing email that directs the victim to a malicious web page through a link embedded in the email or in an attachment. A harmless malicious web page is loaded, only triggering the full scareware environment if several conditions are met. “The code only decrypts when the page is opened under the right conditions: when the required URL fragment hash is present and the page passes a series of cryptographic integrity checks,” Barracuda explained in an article.  “If the hidden fragment is missing or the page is being opened in a scanner, sandbox or test environment, the malicious payload refuses to run, and the page redirects to a blank screen. This hides the attack from security tools.” Read more on scareware: Fake Obituary Sites Send Grievers to Porn and Scareware Pages What follows is a series of actions designed to discomfort the user: The browser switches to full-screen mode, disabling context menus, hiding the cursor, and flooding the screen with overlays Any attempt to regain control triggers a “relock” A fake security page plays warning sounds whenever the user clicks This extra activity might slow the browser or cause it to crash CypherLoc retrieves and displays the user’s IP address A login popup is show to the user which escalates the sense of panic when it doesn’t work “A fraudulent support phone number is prominently displayed on the screen throughout the attack and presented as the only way to fix the problem,” Barracuda continued. “When victims call the number, human operators posing as Microsoft support staff take over and continue the scam via a live conversation.” It’s not immediately clear what the end goal is, although credential theft is one option. How to Tackle Scareware “CypherLoc shows how modern scareware is shifting away from obvious malware and towards browser-based, user-driven scams that are difficult to detect and highly effective,” said  Saravanan Mohankumar, manager, threat analysis team at Barracuda. “It uses the browser itself to pressure victims into acting. By combining hidden code, delayed activation and aggressive on-screen behaviour, it creates a convincing illusion of a serious system problem while leaving very little technical trace.” Barracuda recommended that corporate security teams put in place anti-phishing, browser and endpoint protections to detect and block suspicious script behavior. And to ensure users are educated about such threats.