CypherLoc Scareware Campaign Hit Nearly 3 Million Users, Barracuda Warns
A massive scareware campaign dubbed CypherLoc has targeted an estimated 2.8 million users since early 2026, using phishing emails and browser-locking techniques to push fake tech support scams.

Security researchers at Barracuda Networks have uncovered a large-scale scareware operation called CypherLoc that has targeted nearly three million users since the beginning of 2026. The campaign relies on a sophisticated chain of phishing emails, evasive code, and aggressive browser manipulation to pressure victims into contacting fraudulent tech support services.
The attack chain begins with a phishing email containing a link or attachment that directs the victim to what initially appears to be a harmless web page. However, the malicious code is encrypted and only decrypts under precise conditions. According to Barracuda, "the code only decrypts when the page is opened under the right conditions: when the required URL fragment hash is present and the page passes a series of cryptographic integrity checks." If the page is loaded in a sandbox, scanner, or test environment — or if the correct fragment is missing — the payload refuses to execute and redirects to a blank screen, effectively evading many automated security tools.
Once triggered, CypherLoc takes aggressive control of the victim's browser. It switches to full-screen mode, disables context menus, hides the cursor, and floods the screen with overlays. Any attempt to close or navigate away triggers a "relock" that prevents the user from regaining control. The page also displays a fake security alert showing the user's actual IP address to increase the illusion of a legitimate system scan. A fraudulent support phone number is prominently displayed as the only way to resolve the supposed problem.
When victims call the number, they are connected to human operators posing as Microsoft support staff. These scammers then attempt to extract payment for unnecessary services or steal credentials and other sensitive information. Barracuda noted that the added activity of CypherLoc overlays can slow or crash the victim's browser, compounding the sense of panic and urgency.
Barracuda's researchers estimated that approximately 2.8 million attacks have been observed using CypherLoc since the start of 2026. The campaign's scale and technical sophistication highlight a broader trend of scareware moving from traditional malware toward browser-based social engineering. "CypherLoc shows how modern scareware is shifting away from obvious malware and towards browser-based, user-driven scams that are difficult to detect and highly effective," said Saravanan Mohankumar, manager of the threat analysis team at Barracuda.
The technical evasion techniques — including delayed activation from encrypted payloads and environment checks — make CypherLoc particularly challenging for automated defenses to detect. The campaign's reliance on phishing as the initial vector also suggests that traditional email security measures are essential but not sufficient.
Barracuda recommends that organizations deploy anti-phishing protections, browser security tools, and endpoint detection capable of flagging suspicious script behavior. User awareness and training remain critical, as the final step in the scam requires the victim to voluntarily place a call. No CVE identifiers have been associated with CypherLoc because the attack does not exploit a software vulnerability; it is purely a social engineering and abuse-of-functionality campaign.
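
The behaviours described above (full-screen takeover, disabled context menus, hidden cursor, relock on exit, and decryption gated on the URL fragment) can be turned into a static triage check for page source. The JavaScript below is an added example, not Barracuda's detection logic and not code from the campaign; the API patterns, grouping, thresholds and verdict names are assumptions that map the article's description onto standard web platform APIs.

```javascript
// Added example: static triage heuristic for page source (assumed patterns).
// "lock" indicators = browser-control behaviours; "gate" = fragment-keyed decryption.
const INDICATORS = [
  { id: "fullscreen",      group: "lock", re: /\brequestFullscreen\s*\(/i },
  { id: "contextmenu-off", group: "lock", re: /\boncontextmenu\b|["']contextmenu["']/i },
  { id: "cursor-hidden",   group: "lock", re: /cursor\s*[:=]\s*["']?none\b/i },
  { id: "relock-hook",     group: "lock", re: /["'](fullscreenchange|beforeunload|visibilitychange)["']/i },
  { id: "fragment-read",   group: "gate", re: /\blocation\.hash\b/i },
  { id: "runtime-decrypt", group: "gate", re: /\bcrypto\.subtle\.(decrypt|importKey|deriveKey)\b/i },
];

function triagePage(source) {
  const hits = INDICATORS.filter((i) => i.re.test(source));
  const lock = hits.filter((i) => i.group === "lock").length;
  const gate = hits.filter((i) => i.group === "gate").length;

  let verdict = "no-indicators";
  if (lock >= 3) {
    // Several control-seizing behaviours together are unusual for a benign page.
    verdict = "browser-lock-behaviour";
  } else if (gate === 2) {
    // Only the decrypt gate is visible: the real payload is still encrypted,
    // so a static scan alone cannot clear this page.
    verdict = "gated-payload-detonate-with-fragment";
  } else if (hits.length > 0) {
    // A single hit (e.g. a video player going full screen) is not enough.
    verdict = "weak-signal";
  }
  return { verdict, lock, gate, ids: hits.map((i) => i.id) };
}

// Constructed samples: disconnected fragments with undefined handlers,
// not pages or code recovered from the campaign.
const SAMPLE_DECRYPTED = [
  "el.requestFullscreen();",
  'document.addEventListener("contextmenu", block);',
  'document.body.style.cursor = "none";',
  'document.addEventListener("fullscreenchange", relock);',
].join("\n");
const SAMPLE_AS_DELIVERED = [
  "const k = location.hash.slice(1);",
  "crypto.subtle.decrypt(params, importedKey, blob);",
].join("\n");
const SAMPLE_BENIGN = "video.requestFullscreen(); // ordinary media player";

for (const s of [SAMPLE_DECRYPTED, SAMPLE_AS_DELIVERED, SAMPLE_BENIGN]) {
  console.log(triagePage(s));
}
```

Because the lock code stays encrypted until the expected fragment is present, a scan of the page as delivered will typically show only the gate indicators; when such a page is sent for dynamic analysis, submit the full URL including the `#` fragment from the original email link.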