Proton Mac Malware Spreads via Fake Symantec Blog

The Proton Mac malware is back with a new—and ironic—method: Spoofing Symantec’s security blog, then amplifying it through Twitter.

The fake site contains a blog post about a supposed new version of CoinThief, a piece of malware from 2014. After going through an “analysis”, the post promotes a non-existent program called “Symantec Malware Detector”—which is, of course, the Proton malware in disguise.

It’s easy to see why consumers would be duped. Aside from the fact that the site actually has content, the fake URL is a savvy one: symantecblog[dot]com.

“The site is a good imitation of the real Symantec blog, even mirroring the same content,” said Thomas Reed, director of Mac & Mobile at Malwarebytes Labs, in an analysis. “The registration information for the domain appears, on first glance, to be legitimate, using the same name and address as the legitimate Symantec site. The email address used to register the domain is a dead giveaway, however.”

Read full news article on Infosecurity

 

