CypherLoc scam kit drives millions of browser attacks

Barracuda has identified a browser-based scam kit called CypherLoc and says it has observed about 2.8 million attacks using it since the start of 2026.

The findings suggest online fraud is shifting toward browser-based attacks that try to push users into calling fake technical support lines instead of installing conventional malware.

The scam starts with a phishing email containing a link in the message body or an attachment. When clicked, the link opens a web page that appears harmless at first glance.

Hidden code on the page activates only under certain conditions. The attack checks for a special code key and tries to confirm the visitor is not using a security scanner or test environment.

Once triggered, the page switches to an attacker-controlled full-screen display that locks the browser, disables controls and shows alarming messages designed to look like genuine security warnings.

Attackers also try to prevent victims from escaping the page. If a user attempts to inspect it, the browser may slow down or crash. Menus are disabled, the cursor is hidden and the page tries to lock itself again after any attempt to exit.

How it works

The on-screen prompts are designed to create panic. The page can play loud warning sounds, display the victim's IP address, show fake login forms that do not function and repeat error messages to increase pressure.

A phone number remains visible throughout the attack as the supposed way to fix the problem. People who call are connected to fraudsters posing as technical support staff, who then try to persuade them to hand over credentials or system access.

The approach reflects a broader change in how some online scams are carried out. Instead of relying on a malicious file or software download, the attack uses browser behaviour and social engineering to manipulate users into taking the next step themselves.

CypherLoc also aims to leave only a limited technical footprint. By delaying activation and screening for analysis tools, it is designed to avoid basic automated scrutiny before the full-screen lock tactics begin.

Security vendors have increasingly warned that phishing campaigns are combining technical evasion with psychological pressure. Here, the goal is not just to frighten the user on screen, but to move the interaction to a phone call where a scammer can continue the deception directly.

"CypherLoc shows how modern scareware is shifting away from obvious malware and towards browser-based, user-driven scams that are difficult to detect and highly effective," said Saravanan Mohankumar, manager of Barracuda's threat analysis team.

"It uses the browser itself to pressure victims into acting. By combining hidden code, delayed activation and aggressive on-screen behaviour, it creates a convincing illusion of a serious system problem while leaving very little technical trace," Mohankumar said.

Defence steps

Organisations should focus on anti-phishing measures, along with browser and endpoint protection that can detect suspicious script behaviour. User awareness also remains important, because legitimate security warnings do not display support phone numbers, lock browsers or demand immediate action through pop-up messages.

For businesses, the risk is not only that individual users may be deceived, but that employee credentials or device access could be handed to attackers during a call. That could turn a browser scam into a broader security incident.

The scale cited by Barracuda suggests the technique is already being used extensively, with about 2.8 million attacks linked to CypherLoc observed since the start of 2026.