According to Barracuda Research, CypherLoc – an advanced web scam that locks the victim’s browser and pressures them to call a fraudulent technical support number – uses obfuscation techniques to evade detection by security tools such as scanners and sandbox environments. Since early 2026, researchers have observed around 2.8 million attacks carried out using CypherLoc.
Everything begins with a phishing email that, according to data Barracuda Networks has accessed, contains a fraudulent link in the body of the message or in an attachment. That link redirects to a page that, at first glance, looks like any other website, but it carries a series of codes and specific protocols that serve as triggers to begin the attack process.
How the attack works
For example, if there is a special code key and the user isn’t using a security scanner or a sandboxed testing environment, the malware activates and the page goes full screen. The attacker gains full control, locks the browser, disables controls, and displays fake security alerts on the monitor, with jarring visual and audio alarms.
To frustrate any escape attempts, the page hides the cursor, disables menus, and even blocks the browser entirely if the victim tries any action to halt the attack. Psychological pressure tactics include loud warning sounds, the victim’s IP address displayed on screen, fake login forms that don’t work, and repeated error messages, all designed to induce panic and a sense of urgency.
During the entire attack, a phone number appears on screen as the sole solution to resolve the problem. Victims who call are transferred to scammers posing as legitimate technical support staff. The scammers then continue the attack using social engineering techniques, for example, to obtain credentials.
“CypherLoc demonstrates how modern scareware is moving away from obvious malware and toward browser-based, user-driven scams that are hard to detect and highly effective.”, said Saravanan Mohankumar, director of the Threat Analysis Team at Barracuda. “It uses the browser itself to pressure victims to act. By combining hidden code, delayed activation, and aggressive on-screen behavior, it creates the convincing illusion of a serious system problem while leaving very few technical traces.”
Barracuda recommends robust phishing protection, as well as browser and endpoint protection, to detect and block any suspicious script behavior. As attackers move away from traditional malware and into browser-based, user-driven attacks, organizations need controls that protect users, not just devices. CypherLoc scareware is a clear example of threats that sit at the intersection of phishing, social engineering, and technical evasion.
