Diverse Cyber Threat Campaigns Targeting Organizations and Developers
Multiple advanced persistent threat (APT) groups and cybercriminal actors have launched sophisticated campaigns targeting organizations, IT professionals, and software developers using a variety of tactics and malware. Notable incidents include the deployment of malicious Visual Studio Code extensions containing Rust-based implants that mimic legitimate extensions to evade detection, as well as the use of public blockchain and cloud services for command-and-control (C2) communications. Other campaigns involve the distribution of trojanized installers for popular software, such as Telegram, to deliver ValleyRat malware, and the mass publication of malicious npm packages by North Korean actors to spread updated OtterCookie malware, which is capable of credential theft, remote access, and data exfiltration.
Additional threats include targeted spear-phishing campaigns like "Operation Hanoi Thief," which uses pseudo-polyglot documents to compromise Vietnamese IT and HR professionals, and the Tomiris APT group’s adoption of new multi-language implants leveraging public messaging platforms for C2. Meanwhile, large-scale phishing campaigns are using seasonal lures to trick users into installing remote management tools, potentially for initial access brokering. These incidents highlight the increasing sophistication and diversity of attack vectors, the blending of legitimate and malicious infrastructure, and the persistent targeting of both organizations and individuals in the technology sector.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Malicious VS Code extension found using Rust implants and blockchain C2
Researchers discovered a malicious Visual Studio Code extension impersonating 'Material Icon Theme' that contained Rust implants for Windows and macOS. The implants retrieved command-and-control instructions from a Solana wallet and used fallback C2 via Google Calendar events with hidden Unicode characters.
Researchers attribute ValleyRat installer campaign to Silver Fox
Nextron documented an active multi-stage Windows malware campaign delivered through trojanized installers for Telegram, Chrome, WinSCP, and Microsoft Teams. The operation was attributed to the China-aligned Silver Fox group based on tradecraft overlaps including archive-based staging, DLL sideloading, abuse of Chinese security products, and BYOVD techniques.
Operation Hanoi Thief targets Vietnamese IT and recruitment professionals
SEQRITE identified a spear-phishing campaign targeting Vietnamese IT workers and recruitment teams using ZIP attachments with a malicious LNK and a fake resume file. The infection chain delivered the LOTUSHARVEST C++ DLL stealer via DLL sideloading and abused LOLBINs such as ftp.exe and DeviceCredentialDeployment.exe for execution and evasion.
North Korean actors add 197 malicious npm packages in Contagious Interview campaign
In the month before the report, North Korean threat actors behind the Contagious Interview campaign published 197 malicious npm packages that were downloaded more than 31,000 times. The packages delivered an updated OtterCookie malware variant used in fake job interview and assessment lures to profile systems and steal credentials, documents, and cryptocurrency-related data.
Fake party-invite phishing campaign becomes active with rotating RMM tools
Since October 2025, a large-scale phishing campaign has used fake party invitations, invoices, tax notices, and meeting requests to trick victims into installing remote management and monitoring tools. Symantec reported the actor expanded beyond ScreenConnect to tools such as LogMeIn Resolve and Naverisk, often deploying them sequentially to prolong access and evade detection.
Tomiris launches early-2025 campaign against diplomatic and government targets
In early 2025, the Tomiris APT group began a campaign targeting foreign ministries, intergovernmental organizations, and government entities, mainly in Russia and Central Asia. Initial access relied on spear-phishing emails with password-protected archives, followed by deployment of custom implants and frameworks including Havoc and AdaptixC2.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Analysis of the Rust implants found in the malicious VS Code extension
nextron-systems.com
Open sourceThor vs. Silver Fox - Uncovering and Defeating a Sophisticated ValleyRat Campaign - Nextron Systems
nextron-systems.com
Open sourcePhishing Campaign Uses Fake Party Invites to Deliver Remote Access Tools
blog.knowbe4.com
Open sourceTomiris wreaks Havoc: New tools and techniques of the APT group
securelist.com
Open sourceNorth Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware
thehackernews.com
Open sourceOperation Hanoi Thief: Threat Actor targets Vietnamese IT professionals and recruitment teams.
seqrite.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Diverse Cybercriminal Campaigns and Tactics Targeting Organizations
Multiple cybercriminal operations have been reported, each employing distinct tactics to compromise organizations and individuals. These include a large-scale business email compromise (BEC) campaign dubbed 'Scripted Sparrow,' which orchestrated a global siege involving three million emails, and a sophisticated loader attack using fake purchase orders to target manufacturing giants in Italy, Finland, and Saudi Arabia. Another campaign, referred to as 'The Payroll Trap,' leverages fake CAPTCHA pages in a quishing (QR code phishing) scheme to hijack employee paychecks. Additionally, a phishing campaign impersonating ADP was observed, where threat actors used convincing emails and counterfeit login pages to steal employee credentials and personal data. Further, the cybercriminal ecosystem is seeing notable developments, such as the unmasking of 'Fly,' the secret architect behind the infamous Russian Market, and the formation of an alliance between Qilin, DragonForce, and a declining LockBit ransomware group. These stories highlight the evolving landscape of cybercrime, with actors employing both technical deception and strategic partnerships to maximize their impact against a range of targets worldwide.
Mar 21, 2026
Recent Ransomware and Malware Campaigns Targeting Organizations and Individuals
A surge in sophisticated cyberattacks has been observed, with threat actors employing a variety of tactics to compromise organizations and individuals. Notable incidents include the use of the BYOVD (Bring Your Own Vulnerable Driver) technique to deploy DeadLock ransomware, as well as targeted campaigns leveraging phishing emails with HR-related lures to distribute Remcos RAT malware. Additionally, attackers are exploiting popular movie torrents to spread Agent Tesla via layered PowerShell scripts, and Android users in Spain are being targeted by the DroidLock ransomware, which can hijack devices and demand ransom through full-screen overlays. These campaigns demonstrate a trend toward multi-stage infection chains, abuse of legitimate tools and drivers, and the use of social engineering to increase the likelihood of successful compromise. Other significant developments include the targeting of Canadian organizations by the STAC6565/Gold Blade group using QWCrypt ransomware, and the emergence of new threat actor tactics such as disabling endpoint detection and response (EDR) systems to facilitate ransomware deployment. The threat landscape is further complicated by the activities of groups like Scattered Lapsus$ Hunters, who use social engineering and typosquatted domains to compromise Zendesk users, and the exposure of internal dynamics within ransomware groups like BlackBasta, revealing operational stress and internal mistrust. These incidents underscore the evolving nature of cyber threats, the blending of espionage and financial motives, and the increasing sophistication of both technical and social attack vectors.
Mar 21, 2026
Multi-stage phishing and supply-chain malware campaigns targeting credentials and long-term access
Multiple reports highlight active campaigns using *phishing* and *software supply-chain abuse* to steal credentials and establish persistence. eSentire described an espionage-focused operation targeting residents of India with emails impersonating the Income Tax Department, leading victims to a malicious archive that uses DLL side-loading with a legitimate signed Microsoft application, extensive anti-analysis checks, in-memory shellcode unpacking, UAC bypass, and process masquerading; the payload was identified as a **Blackmoon**-family variant that specifically attempts to disable **Avast Free Antivirus** by automating UI interactions to add exclusions. Separately, Aikido reported a malicious npm package (`ansi-universal-ui`) that deploys a multi-stage infostealer (“**G_Wagon**”) by abusing `postinstall` execution, downloading a Python runtime, running an obfuscated payload, and exfiltrating browser credentials, cloud credentials, Discord tokens, and data from 100+ cryptocurrency wallets to an Appwrite storage bucket; it also includes a Windows DLL used for browser-process injection via NT native APIs. In parallel, network-edge exploitation remains a key access vector: Risky Business reported a renewed wave of attacks against **Fortinet FortiGate** devices via a vulnerability Fortinet allegedly “patched” in December but which attackers can still exploit, enabling SSO authentication bypass (via crafted SAML), creation of new admin accounts, and theft of device configuration; mitigations include disabling the FortiCloud SSO feature (not enabled by default). Several other items are general awareness or roundup content rather than specific incident reporting: TechTarget and other blogs emphasized ongoing phishing/email risk (including relay spam abusing legitimate Zendesk instances) and password hygiene, while The Hacker News published a multi-story bulletin that includes (among other items) a spear-phishing campaign in Afghanistan delivering a FALSECUB backdoor via a GitHub-hosted ISO and LNK execution chain; Risky Business also covered Iran’s internet blackout and Starlink jamming/spoofing as a communications-control issue rather than an enterprise cyber incident.
Mar 21, 2026