Microsoft has uncovered a fresh wave of malware campaigns that block web users from surfing the internet using bogus threat alert messages.

Antivirus researcher at Microsoft Daniel Chipiristeanu discovered the campaigns while investigating rogue antivirus infection rates.

"Lately we're seeing a dropping trend in the telemetry for some of the once most-prevalent rogue [antivirus] families, such as Win32/Winwebsec, Win32/OneScan, Win32/FakeXPA, Win32/FakePAV," he said in a blog post.

"However, since the big malware ‘players' are having more trouble in taking advantage of users paying for fake security products, and are moving away from this kind of social engineering, we are seeing other players willing to fill the gap."

Chipiristeanu highlighted one of the campaigns as particularly malicious, as it uses fake antivirus malware to hamper its victims' ability to browse the internet.

"In the past we've regularly seen rogues use the hosts file [sic] to block access to a legitimate security product's websites to deny users protection against the threat," read the post.

"Rogue:Win32/Defru has a different and simpler approach on how to trick the user and monetise on it. Basically, it prevents the user from using the internet by showing a fake scan when using different websites."

He added that the bogus threat page includes a scam alert masquerading as a message from an antivirus vendor requesting the victim pay to have their system cleaned.

"An unsuspecting user, after receiving this warning more than a few times when browsing, might be inclined to click ‘Pay Now'. This will lead them to a payment portal called ‘Payeer' ( that will display payment information," read the post. "But of course, even if the user pays, the system will not be cleaned."