Browser-locking CypherLoc scareware campaign observed in 2.8 million attacks since January 2026

1 unique source, 1 article

Summary


A large-scale browser-based scareware campaign named CypherLoc has targeted approximately 2.8 million users since the start of 2026, locking browsers and coercing victims into contacting fraudulent technical support lines. The attack begins via phishing emails that direct victims to malicious web pages, which only activate the full scareware payload under specific conditions to evade detection. Once triggered, CypherLoc disables browser controls, displays fake security alerts, and bombards victims with popups and audio cues to escalate panic. The scareware retrieves the user’s IP address and presents a fake login prompt, while prominently displaying a fraudulent support phone number. Victims who call the number are connected to human operators posing as Microsoft support staff, continuing the social engineering scam via live interaction.

Timeline

  1. 20.05.2026 13:00 · 1 article

    CypherLoc scareware campaign escalates with 2.8 million attacks since January 2026

    Since January 2026, a browser-locking scareware campaign dubbed CypherLoc has impacted approximately 2.8 million users. The attack begins via phishing emails leading to malicious web pages that only activate under specific cryptographic and environmental conditions to evade detection. Upon activation, the scareware forcibly locks the browser, disables controls, and bombards victims with fake security alerts and audio cues. The operation culminates in fraudulent technical support interactions through prominently displayed phone numbers, escalating the social engineering attack via human operators posing as Microsoft support staff.


Information Snippets

  • Over 2.8 million CypherLoc scareware attacks have been observed since January 2026.

    First reported: 20.05.2026 13:00
    1 source, 1 article
  • The attack chain begins with phishing emails containing links or attachments that redirect victims to malicious web pages.

    First reported: 20.05.2026 13:00
    1 source, 1 article
  • Malicious code within the web pages only decrypts and activates under specific conditions: a required URL fragment hash must be present, and the page must pass cryptographic integrity checks. If conditions are not met or the page is opened in a sandbox, scanner, or test environment, the payload does not execute and the page redirects to a blank screen.

    First reported: 20.05.2026 13:00
    1 source, 1 article
  • Upon activation, CypherLoc forces the browser into full-screen mode, disables context menus, hides the cursor, floods the screen with overlays, and triggers a "relock" mechanism if the user attempts to regain control.

    First reported: 20.05.2026 13:00
    1 source, 1 article
  • The scareware generates fake security alerts with warning sounds on user clicks, slows or crashes the browser, retrieves and displays the victim’s IP address, and shows a non-functional login popup to heighten perceived urgency.

    First reported: 20.05.2026 13:00
    1 source, 1 article
  • A fraudulent support phone number is displayed prominently throughout the attack and presented as the sole solution to the fabricated issue. Victims who call the number are connected to human operators posing as Microsoft support staff for further social engineering.

    First reported: 20.05.2026 13:00
    1 source, 1 article
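A static triage check built from the behaviours listed in the snippets above, as an added example that is not taken from the cited article or from the campaign's code. The indicator patterns, the `triagePage` name, the thresholds and both sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration: static triage of a captured page against the behaviours
// listed above. Patterns are assumptions matching generic browser API names,
// not strings taken from CypherLoc itself.
const INDICATORS = [
  { id: "fragment-gate", lock: false, re: /location\.hash/ },
  { id: "forced-fullscreen", lock: true, re: /requestFullscreen\s*\(/i },
  { id: "relock-listener", lock: true, re: /fullscreenchange/ },
  { id: "contextmenu-block", lock: true, re: /contextmenu/ },
  { id: "hidden-cursor", lock: true, re: /cursor\s*:\s*none/i },
  { id: "alert-audio", lock: true, re: /new\s+Audio\s*\(|<audio\b/i },
  { id: "support-phone", lock: false, re: /\b\d{3}[\s.-]\d{3}[\s.-]\d{4}\b/ },
];

// Flag only when several lock behaviours co-occur: fragment routing or a custom
// context menu on its own is normal on benign single-page apps.
function triagePage(source, minLock = 2, minTotal = 3) {
  const matched = INDICATORS.filter((i) => i.re.test(source));
  const hits = matched.map((i) => i.id);
  const lockCount = matched.filter((i) => i.lock).length;
  return { hits, lockCount, suspicious: lockCount >= minLock && hits.length >= minTotal };
}

// Constructed sample: disjoint fragments of the kind a captured page might
// contain (not a working page; the phone number is a placeholder).
const SAMPLE_FLAGGED = [
  "<style>html { cursor: none }</style>",
  "if (location.hash !== expected) { /* blank page */ }",
  "el.requestFullscreen()",
  "addEventListener('fullscreenchange', onExit)",
  "addEventListener('contextmenu', block)",
  "<p>Call 000-555-0100</p>",
].join("\n");

// Constructed sample: a benign single-page app with hash routing and a custom menu.
const SAMPLE_BENIGN = [
  "const route = location.hash.slice(1);",
  "addEventListener('contextmenu', showCustomMenu)",
].join("\n");

console.log(triagePage(SAMPLE_FLAGGED));
console.log(triagePage(SAMPLE_BENIGN));
```

Because URL fragments are never sent in the HTTP request, run a check like this over a capture taken with the original link's fragment intact; a refetch without it may return only the blank page described above.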