Virus and Spyware Removal Guides, uninstall instructions

What is Ice Breaker?

Ice Breaker is a backdoor-type malware written in Node.js. Campaigns involving this malicious program were first identified in 2022 by Security Joes. These attacks targeted the gaming and gambling industries and were particularly recognizable due to the social engineering techniques employed by the cyber criminals.

At the time of writing, the threat actors behind Ice Breaker campaigns are not identified as belonging to a specific hacker group or geographical region. However, there is evidence suggesting that these criminals are not native English speakers.

What kind of scam is "Foundation For Humanitarian Work"?

We have examined this email and determined that it is a typical inheritance scam. Usually, scammers send such emails to trick recipients into parting with their money and (or) sharing their credit card details or other sensitive information. Emails of this type should be ignored.

What kind of page is news-wemipo[.]cc?

While investigating dubious websites, our research team discovered the news-wemipo[.]cc rogue page. It pushes browser notification spam by using adult-themed clickbait. Additionally, news-wemipo[.]cc can redirect users to other (likely untrustworthy/malicious) sites.

Visitors to rogue webpages typically access them through redirects caused by sites that use questionable advertising networks.

What kind of email is "Lottolore"?

After inspecting this "Lottolore" email, we determined that it is spam. It is presented as a notification regarding a lottery prize that the recipient has won. It must be emphasized that this email is fake and it is not associated with any legitimate lotteries.

What kind of email is "DHL Express - AWB & Shipping Doc"?

After inspecting this "DHL Express - AWB & Shipping Doc" email – we determined that it is malspam (malicious spam). The scam letter is presented as a message regarding shipping documentation from DHL Express. It must be emphasized that this email is fake, and it is in no way associated with the actual DHL. The file attached to this mail is designed to infect recipients' systems with malware.

What kind of application is Images Switcher?

Our team found that the Images Switcher browser extension is an advertising-supported app after conducting a thorough examination. This extension displays intrusive advertisements. Our team discovered Images Switcher on a questionable website. Users often unknowingly download and install (or add) adware to their systems (or browsers).

What kind of malware is NEVADA?

NEVADA is the name of ransomware targeting Windows and Linux operating systems. It is written in the Rust programming language. NEVADA encrypts files, appends the ".NEVADA" extension to filenames, and drops its ransom note (the "readme.txt" file) in folders containing encrypted files.

An example of how NEVADA ransomware modifies filenames: it changes "1.jpg" to "1.jpg.NEVADA", "2.doc" to "2.doc.NEVADA", and so forth. Cybercriminals who have developed NEVADA are selling it using the RaaS (Ransomware as a service) model.

What kind of email is "Please Find Attached My CV"?

After inspecting this "Please Find Attached My CV" email, we determined that it is malspam. This spam letter is presented as a CV submission from a party interested in working for the recipient's company. The file attached to this email is designed to infect devices with the Agent Tesla malware.

What kind of page is noutzing[.]com?

While examining noutzing[.]com, our team discovered that this page displays a deceptive message. The purpose of noutzing[.]com is to trick visitors into permitting it to show notifications. Also, it may redirect to other shady websites. Users open sites like noutzing[.]com inadvertently.

What is Sunjn ransomware?

Sunjn is the name of a ransomware-type program that we discovered while inspecting new submissions to VirusTotal. This program is part of the VoidCrypt ransomware family.

After we executed a sample of Sunjn on our test machine, it encrypted files and altered their filenames. Original titles were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".sunjn" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.[MJ-ML6408927315](Sunjun3412@onionmail.org).sunjn" – following encryption.

Once the encryption process was concluded, a ransom-demanding message – "Decryption-guide.txt" – was created on the desktop.