‘Frozen screen’ scams are evolving into advanced stealthy attacks hitting millions, says Barracuda Research
New CypherLoc scareware kit locks browsers, blocks controls and pressures victims into calling fake support
CypherLoc is an advanced web-based scam that locks a victim’s browser and pressures them into calling a fraudulent tech support number. New findings from Barracuda Research show the attack uses stealth techniques to avoid detection by security tools such as scanners and sandboxes. Since the start of 2026, researchers have observed around 2.8 million attacks using CypherLoc.
How the attack works
The attack typically begins with a phishing email containing a link, either in the message or an attachment. The link opens a page that appears normal at first.
The attack code is hidden in the web page and only activates if specific conditions are met. For example, if a special code key is present and the user is not using a security scanner or test environment. Once triggered, the page switches to an attacker controlled full screen that locks the browser, disables control and displays fake and alarming security warnings.
The attackers try to block any escape attempts. The page slows down or crashes the browser if inspected. It hides the cursor and disables menus, re-locking itself if the user tries to exit.
Psychological pressure tactics include loud warning sounds, the victim’s IP address published on screen, fake login forms that don’t work and repeated error messages – all designed to create panic and a sense of urgency.
Throughout the attack, a phone number is shown on screen as the only solution to fix the problem. Victims who call are connected to scammers posing as legitimate tech support. The scammers then continue the attack through social engineering, for example to capture credentials.
“CypherLoc shows how modern scareware is shifting away from obvious malware and towards browser-based, user-driven scams that are difficult to detect and highly effective,” said Saravanan Mohankumar, Manager, Threat Analysis Team at Barracuda. “It uses the browser itself to pressure victims into acting. By combining hidden code, delayed activation and aggressive on-screen behaviour, it creates a convincing illusion of a serious system problem while leaving very little technical trace.”
Rsearchers recommend robust anti-phishing, browser and endpoint protection to detect and block any suspicious script behaviour. User education is equally important, because legitimate security alerts do not display phone numbers, do not lock browsers, and do not demand immediate action via pop‑ups.