Axios Malware-Be Aware and help requested

Last week I acquired on of those scareware Edge popups saying my Norton had expired (I've never used Norton) and a green scan bar trying to make me believe Norton was scanning my machine and finding oodles of infections. I quickly copied the URL and closed Edge. (that URL went to threatdefender.info) I ran scans with Defender, Malwarebytes, HitmanPro, Adwarecleaner but nothing was found. I added threatdefender.info to my HOSTS file

I used the "clear all cookies" button in Edge, closed and reopened Edge only to find there were 52 cookies still in Edge for Axios.com. I tried to manually remove them but they came right back when I reopened Edge. After about 30 minutes of browsing that same scareware popped up again still with a URL of threatdefender.info.

I restored a month old image thinking I would be OK....and I was for 2 days before it came back. I then found this, telling how hackers are using Axios.com to steal user credentials. ( Nothing in my Microsoft account online shows a login from anywhere but my location but I changed the windows credential password on all my devices)
Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

Since I didn't know what to do, this time I first blocked both Axios.com and threatdefender. info in the HOSTS file and then cleared cookies. Axios.com cookies stayed gone this time. I haven't gotten the scareware since.

I then found this that tells how to protect yourself against this vulnerability. It might make sense to all you advanced guys here but it did not to me. So if you can decepher it and explain in simpler terms that this old woman can understand as to what she should do, I would appreciate it. (hint, hint) @garlin @pseymour @hsehestedt and anyone else who knows IT. I have older images. Should I restore one of those?

Axios is a very popular nodejs (this is basically server-served javascript) module that attackers love using to make pop up webpage/tabs that look like a Windows application. These can just as easily spawn from a malicious ad or a compromised site. Ads are much easier since it's a legitimate delivery platform that doesn't require any "hacking". Ad platforms often don't do a good job of vetting this content.

In nearly all cases of this there isn't a risk of a malware infection directly from these scareware campaigns. Instead they rely on social engineering tactics and using human psychology to trick a user into performing some action that results in lost of money, information or installation of malware on your system.

The reliaquest.com article and your situation don't seem to match; you may be experiencing some other adware or malware problem. The article describes phishing emails sent through Microsoft Direct Send, where your credentials would be phished on the webpage. It mentions no direct software installation as part of the attack. Additionally, the axios node.js tool, available at axios-http.com, is not related to the news web domain axios.com.

I wouldn't focus remediation on the most likely unrelated node.js tool, but rather on how the news domain axios.com appears on your machine. I would first focus on cache and cookies (which you have) and extensions (you didn't mention that you did anything), and then check for possible malware (should have been resolved with image restoration) on your system.

Ha I see axios and my mind always goes to nodejs

I don't think you are wrong. It appears to be the tool used on the attacker's machines (in the ReliaQuest article). It doesn't get downloaded to the victim's machines, and it's most likely not related to this case.

Didn't want you to think I was neglecting this, @glasskuter. I don't have much to say beyond what @echo2446 said. Axios (.com) is a legit news site, and Axios (the HTTP client) is also legit, so probably nothing to worry about there, per se.

It seems a lot of people are getting the threatdefender.info popup via msn.com, which would make sense if you're seeing it with Edge. You've already blocked threatdefender with the hosts file; maybe add it to Edge's popup blocker if you want a belt and suspenders kind of approach.