Since the start of 2026, Barracuda researchers said they have observed around 2.8 million attacks which used the scareware dubbed CypherLoc.
Scale and timing: tens of millions of encounters, millions of attacks
Barracuda’s tally — approximately 2.8 million observed attacks since January 2026 — frames CypherLoc not as a rare nuisance but as a broadly deployed campaign. The firm describes the activity as a coordinated effort that begins with phishing messages directing victims to a malicious web page. That initial click is the hinge on which the rest of the campaign turns: without it, the attack cannot proceed.
How CypherLoc is delivered and how it evades detection
The campaign typically starts with a phishing email that sends a victim to a webpage via an embedded link or attachment. The malicious page appears harmless at first; Barracuda explains the code “only decrypts when the page is opened under the right conditions: when the required URL fragment hash is present and the page passes a series of cryptographic integrity checks.”
Crucially, Barracuda says the payload is designed to refuse to run in scanners, sandboxes or test environments. “If the hidden fragment is missing or the page is being opened in a scanner, sandbox or test environment, the malicious payload refuses to run, and the page redirects to a blank screen. This hides the attack from security tools.” That delayed, condition-driven activation reduces the forensics left behind and complicates automated detection.
On-screen behavior: browser lock, panic cues, and social engineering
When the malicious code does run, it produces a relentless, browser-based scam intended to intimidate the user into calling for help. Barracuda lays out the sequence: the browser is forced into full-screen mode, context menus are disabled, the cursor is hidden and overlays flood the screen. Any user attempt to regain control can trigger a “relock.”
- The fake security page plays warning sounds whenever the user clicks.
- Increased activity can slow or crash the browser.
- CypherLoc retrieves and displays the user’s IP address.
- A login popup appears and heightens panic when it fails to work.
- A fraudulent support phone number is prominently displayed on the screen throughout the attack and presented as the only way to fix the problem.
Barracuda reports that when victims call the displayed number, “human operators posing as Microsoft support staff take over and continue the scam via a live conversation.” The company also notes that while the campaign’s final objective is not definitively known, “credential theft is one option.”
Recommendations Barracuda gives to organizations
Barracuda’s advice centers on prevention and education. The firm recommends corporate security teams implement anti-phishing controls, browser and endpoint protections that can detect and block suspicious script behavior, and user education programs to reduce the likelihood that a clicked link will lead to a live attack. Those steps are intended to interrupt the campaign at two choke points: the initial phishing delivery and the browser-based execution.
What corporate security teams, end users, and adversaries are likely to do
Corporate security teams will be watching for signs of script-based, delayed-activation payloads and should prioritize anti-phishing tooling and browser- and endpoint-level script monitoring, as Barracuda suggests. End users and helpdesk managers need rapid, actionable awareness that a browser fullscreen lock and a displayed phone number are likely signs of a scam, not Microsoft-sanctioned support. Adversaries behind the campaign can rely on human operators and social-engineering scripts to extract value even when technical compromise (malware installation) is limited, so they may continue to favor browser-based scare tactics that leave few technical traces.
CypherLoc illustrates a shift: the browser itself is the battleground and social engineering the weapon. Barracuda’s findings leave one concrete question unresolved by the public report — beyond suspected credential theft, what is the campaign’s measured return for its operators? — but they do make another point unmistakable: education, phishing defenses and smarter script-visibility controls are the immediate levers organizations can pull to blunt the attack.




