
Hackers Use Browser-Locking CypherLoc Kit to Push Fake Microsoft Support Calls

Source: Cybersecurity News. Archived May 25, 2026.

By Tushar Subhra Dutta, May 25, 2026

A newly identified scareware kit called CypherLoc is locking victims’ browsers and tricking them into calling fake Microsoft support lines. The kit has been linked to roughly 2.8 million attacks since the start of 2026, making it one of the more aggressive browser-based threats observed this year.

Unlike traditional malware that requires a file to be downloaded and installed, CypherLoc runs entirely inside the web browser. It begins with a phishing email that nudges the victim toward a malicious web page through an embedded link or an attachment. Once the page opens, it appears completely harmless at first. Over time, it quietly transforms into a full-screen scareware environment designed to terrify the user and keep them trapped on the page.

Barracuda Research, the threat intelligence arm of Barracuda, said in a report shared with Cyber Security News that the kit combines advanced evasion techniques, aggressive browser controls, and psychological manipulation to push victims into calling fraudulent technical support phone numbers. Researchers at the firm have been tracking this kit closely since attacks began spiking earlier this year.

What makes CypherLoc stand out is how well it hides from security scanners. Its payload is encrypted and buried inside the web page code, and it will only activate if very specific conditions are met. If those conditions are missing, the page quietly redirects to a blank screen, hiding the threat from automated analysis tools and sandboxes.

[Figure: CypherLoc Execution Flow (Source – Barracuda)]

The kit also fights back when someone tries to investigate it. Opening the browser’s developer tools triggers a flood of activity, including asset reloads and repeated layout recalculations, that overwhelms analysis tools and pushes the browser toward instability and system error dialogs.

Browser-Locking CypherLoc Kit

Once CypherLoc decrypts and activates, it takes full control of the browser. It switches to full-screen mode, disables right-click menus, hides the cursor, and covers the entire screen with overlays. Every time the user tries to regain control, the page immediately relocks, creating a strong sense of entrapment.

The kit adds audio pressure on top of the visual chaos. Warning sounds play automatically whenever the user clicks anywhere or the page reloads. This extra noise makes the browser feel unstable, deepening the illusion that something is seriously wrong with the device.

[Figure: Encrypted JavaScript Loader (Source – Barracuda)]

To make things feel personal, CypherLoc retrieves and displays the victim’s real public IP address on the landing page, a psychological tactic designed to make the warning feel targeted and urgent.

Fake login forms also appear, asking victims to enter usernames and passwords. These forms never process any input. Their purpose is psychological: they make the threat look legitimate, keep the victim on the page longer, and escalate panic when entering credentials fails.

A fraudulent phone number, presented as the only fix, stays prominently on screen throughout. When victims call, operators posing as Microsoft support staff continue the scam through a live conversation.

How CypherLoc Evades Detection

The technical engine behind CypherLoc is what sets it apart from older, cruder scareware. The payload is encrypted using AES and only unlocks when a specific value is present in the URL fragment. The page also runs a series of cryptographic integrity checks before executing anything. If any check fails, the payload refuses to run and the user sees nothing suspicious.

[Figure: Spoofed Login Form (Source – Barracuda)]

After a successful decryption, the original page erases itself and replaces its content with a brand-new scareware page inside the browser. This sudden swap resets any live inspection scripts and makes the page feel dangerous rather than deliberately crafted.

Security teams should maintain robust anti-phishing, browser, and endpoint protections capable of detecting suspicious script behavior. User education is equally important, since legitimate security alerts never lock browsers, display phone numbers, or demand immediate action through pop-ups.

As attackers move away from traditional malware and toward browser-based manipulation, organizations need defenses focused on protecting people, not just devices. CypherLoc is a sharp reminder that fear itself can be a cybercriminal’s most effective tool.
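As an added illustration of what "detecting suspicious script behavior" can mean for the two stages described above (this is not code from the article or from Barracuda's report), the following triage function scores page source separately for a fragment-gated decrypting loader and for browser-lock behaviour. The function names, regular expressions and sample snippets are assumptions constructed for this example, built from generic browser API names and not from indicators in the report.

```javascript
// Added example: heuristic triage of page source. Patterns are generic
// browser API names chosen for illustration, not indicators from the report.
const LOADER_SIGNALS = {
  readsUrlFragment: /location\.hash/,
  webCryptoDecrypt: /crypto\.subtle\.decrypt/,
  rewritesDocument: /document\.(open|write)\s*\(/,
};
const LOCK_SIGNALS = {
  forcesFullscreen: /requestFullscreen\s*\(/,
  blocksContextMenu: /contextmenu/,
  hidesCursor: /cursor\s*[:=]\s*['"]?none/,
  playsAudio: /new\s+Audio\s*\(|\.play\s*\(/,
};

function matched(signals, source) {
  return Object.keys(signals).filter((name) => signals[name].test(source));
}

// Returns a coarse verdict plus the names of the signals that matched.
function triagePage(source) {
  const loader = matched(LOADER_SIGNALS, source);
  const lock = matched(LOCK_SIGNALS, source);
  let verdict = "no-match";
  // A fragment read next to a decrypt call is the gate the article describes:
  // a crawler that fetches the URL without the fragment sees only this stage.
  if (loader.includes("readsUrlFragment") && loader.includes("webCryptoDecrypt")) {
    verdict = "fragment-gated-loader";
  }
  // Lock behaviours exist only in the decrypted page (e.g. a runtime DOM
  // capture). Any single one is common on legitimate sites, so require three.
  if (lock.length >= 3) verdict = "browser-lock";
  return { verdict, loader, lock };
}

// Constructed samples for the example (not real CypherLoc code).
const SAMPLE_LOADER = `const key = location.hash.slice(1);
  crypto.subtle.decrypt(alg, importedKey, blob).then(p => { document.open(); document.write(dec(p)); });`;
const SAMPLE_LOCKED = `document.documentElement.requestFullscreen();
  document.addEventListener('contextmenu', e => e.preventDefault());
  document.body.style.cursor = 'none';
  document.onclick = () => new Audio('alert.mp3').play();`;
const SAMPLE_BENIGN = `video.requestFullscreen(); const tab = location.hash || '#home';`;

for (const [name, src] of Object.entries({ SAMPLE_LOADER, SAMPLE_LOCKED, SAMPLE_BENIGN })) {
  console.log(name, JSON.stringify(triagePage(src)));
}
```

Because the payload is encrypted, a scan of the fetched HTML can at best reach the loader verdict; the lock verdict needs source captured after the page has rewritten itself.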