Recent Ransomware and Malware Campaigns Targeting Organizations and Individuals
A surge in sophisticated cyberattacks has been observed, with threat actors employing a variety of tactics to compromise organizations and individuals. Notable incidents include the use of the BYOVD (Bring Your Own Vulnerable Driver) technique to disable endpoint protection before deploying DeadLock ransomware, and targeted phishing campaigns that use HR-themed lures to distribute the Remcos RAT. Attackers are also seeding popular movie torrents to spread Agent Tesla through layered PowerShell scripts, and Android users in Spain are being targeted by the DroidLock ransomware, which hijacks the device and demands payment through a full-screen overlay. These campaigns show a trend toward multi-stage infection chains, abuse of legitimate tools and drivers, and social engineering designed to raise the odds of a successful compromise.
Other significant developments include the targeting of Canadian organizations by the STAC6565/Gold Blade cluster with QWCrypt ransomware, and new tactics such as disabling endpoint detection and response (EDR) tooling ahead of ransomware deployment. The landscape is further complicated by Scattered Lapsus$ Hunters, who combine social engineering with typosquatted domains to compromise Zendesk users, and by leaked internal chats from the BlackBasta group that reveal operational stress and mutual distrust. Together these incidents underscore the evolving nature of cyber threats, the blending of espionage and financial motives, and the growing sophistication of both technical and social attack vectors.

How this story unfolded
9 events, listed from the most recent confirmed update back to the earliest known activity.
CSO highlights BlackBasta leak and BlackLock recruitment as cybercrime case studies
CSO Online published case studies describing the BlackBasta internal chat leak as evidence of leadership conflict and operational dysfunction, and BlackLock's recruitment of traffers on Russian-language forums and Telegram as a sign of outsourced initial access in ransomware operations. The article framed these developments as examples of increasingly modular and specialized cybercrime ecosystems.
Bitdefender uncovers fake movie torrent campaign spreading Agent Tesla
Bitdefender researchers uncovered a campaign using a fake torrent for Leonardo DiCaprio's film 'One Battle After Another' to deliver Agent Tesla through a layered, fileless PowerShell chain. The attack hid malicious code in subtitle and image files, used legitimate Windows tools, and created a scheduled task for persistence.
Researchers detail STAC6565's shift to QWCrypt ransomware
Security researchers reported that STAC6565, which overlaps with Gold Blade, had evolved from phishing-led commercial espionage into selective QWCrypt ransomware deployment. The campaign used weaponized resumes, custom tools such as RedLoader and Terminator, BYOVD attacks, sideloading, and hypervisor targeting, and in some cases delayed encryption so that stolen data could be monetized first.
Researchers observe layoff-themed phishing delivering Remcos RAT
Seqrite Labs reported a phishing campaign using fake internal HR layoff notices and a disguised RAR attachment to install Remcos RAT. The malware established persistence through the Run key and enabled keylogging, screenshot capture, clipboard monitoring, and C2 communication.
Actor uses new BYOVD loader in DeadLock ransomware intrusions
Talos observed a financially motivated actor deploying DeadLock ransomware in Windows environments using a previously unknown loader and a BYOVD technique that exploited a flaw in a Baidu Antivirus driver (CVE-2024-51324) to kill EDR processes. The intrusions also involved compromised accounts, enabling RDP, installing AnyDesk, discovery, lateral movement, and anti-forensics before encryption.
Scattered Lapsus$ Hunters targets Zendesk users with typosquatting and fake tickets
KnowBe4 reported that Scattered Lapsus$ Hunters was actively targeting organizations using Zendesk by registering more than 40 lookalike domains and hosting phishing pages such as fake SSO portals. The group also submitted fraudulent tickets to real Zendesk portals in an effort to infect help-desk staff with remote access trojans and steal data for extortion.
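The lookalike-domain pattern in the Zendesk campaign lends itself to a simple screening check: compare each newly seen or newly registered domain against the brand's legitimate domain for small spelling edits, homoglyph substitutions, the brand embedded in a longer name, the brand under another TLD, or the brand used as a subdomain of an unrelated domain. The following is an added example, not code from KnowBe4 or from the page; the candidate domains are constructed for illustration and are not the domains the reporting attributed to the group, and the registrable-domain logic assumes a two-label registrable name (a real deployment would consult the Public Suffix List).

```python
"""Score candidate domains against a brand's legitimate domain for the
lookalike patterns described above: small spelling edits, homoglyph
substitutions, the brand embedded in a longer registrable name, the brand
under a different TLD, and the brand used as a subdomain of an unrelated
domain. The candidate domains below are constructed for this example."""


def registrable(domain):
    """Assumption: registrable domain = last two labels. Real code should
    use the Public Suffix List so that names like example.co.uk work."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Common visual substitutions; multi-character pairs are applied first.
# This is a heuristic: "rn" -> "m" will also touch legitimate words.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_homoglyphs(label):
    for glyph, plain in HOMOGLYPHS:
        label = label.replace(glyph, plain)
    return label


def classify(candidate, brand="zendesk.com", max_edits=2):
    """Return the reasons `candidate` looks like `brand`, or None if it does not."""
    cand = candidate.lower().rstrip(".")
    if cand == brand or cand.endswith("." + brand):
        return None  # the legitimate domain or one of its own subdomains
    brand_label = brand.split(".")[0]
    labels = cand.split(".")
    reg_label = registrable(cand).split(".")[0]
    reasons = []
    if reg_label == brand_label:
        reasons.append("brand label under a different TLD")
    elif brand_label in reg_label:
        reasons.append("brand embedded in the registrable label")
    elif normalize_homoglyphs(reg_label) == brand_label:
        reasons.append("homoglyph substitution")
    elif 0 < levenshtein(reg_label, brand_label) <= max_edits:
        reasons.append(f"edit distance {levenshtein(reg_label, brand_label)}")
    # Brand name pushed into a subdomain, e.g. brand.com.other-domain.net
    if any(brand_label in lbl for lbl in labels[:-2]):
        reasons.append("brand used as a subdomain of an unrelated domain")
    return reasons or None


CANDIDATES = [  # constructed for this example, not observed infrastructure
    "zendesk.com", "support.zendesk.com", "zemdesk.com", "zend3sk.com",
    "zendesk-sso-login.com", "zendesk.net", "zendesk.com.login-portal.net",
    "example.com",
]


def find_lookalikes(candidates, brand="zendesk.com"):
    """Map each flagged candidate to the reasons it was flagged."""
    flagged = {}
    for cand in candidates:
        reasons = classify(cand, brand)
        if reasons:
            flagged[cand] = reasons
    return flagged


if __name__ == "__main__":
    for dom, why in find_lookalikes(CANDIDATES).items():
        print(f"{dom}: {', '.join(why)}")
```

Feed it certificate-transparency or newly-registered-domain streams for the brands your help desk relies on; the subdomain rule is the one that catches the "real brand, wrong registrable domain" pattern that an edit-distance check alone misses.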
DeadLock ransomware becomes active
Cisco Talos said the DeadLock ransomware operation has been active since at least July 2025. The malware appends a .dlock extension, changes file icons and wallpaper, and directs victims to negotiate over Session messenger rather than a leak site.
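The DeadLock, Remcos and Agent Tesla entries above share a small set of host-level behaviours that endpoint telemetry can surface: a driver loaded from a user-writable path (the staging step of a BYOVD attack), security-agent processes being terminated, a Run-key value or scheduled task created for persistence, and a burst of files renamed to the .dlock extension. The following is an added example, not code from Talos, Seqrite, Bitdefender or the page: the events are constructed and loosely follow Sysmon field names, the EDR process names and the .dlock rename threshold are placeholders to be replaced with your own, and no driver filename or hash from the reported intrusion is used.

```python
"""Flag the host-level tradecraft described in the DeadLock, Remcos and
Agent Tesla entries as it would appear in endpoint telemetry: a driver
loaded from outside the Windows driver directory (BYOVD staging),
termination of security tooling, Run-key persistence, scheduled-task
persistence, and mass renames to the .dlock extension. The events below
are constructed for this example and loosely follow Sysmon field names;
they are not real telemetry from any of the reported intrusions."""

import re
from collections import Counter

# Assumptions for this example: the endpoint-agent process names worth
# protecting (substitute your own vendor's binaries) and how many .dlock
# renames on one host count as encryption in progress.
EDR_PROCESSES = {"edr_agent.exe", "edr_service.exe"}
DLOCK_THRESHOLD = 3
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE
)

# Constructed sample events, in the order they were recorded.
EVENTS = [
    {"type": "driver_load", "host": "WS02",
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"type": "driver_load", "host": "WS01",
     "image": "C:\\Users\\Public\\update\\drv.sys"},
    {"type": "process_terminate", "host": "WS01",
     "by": "C:\\Users\\Public\\update\\loader.exe", "target": "edr_agent.exe"},
    {"type": "registry_set", "host": "WS02",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\remcos",
     "value": "C:\\Users\\jdoe\\AppData\\Roaming\\remcos\\remcos.exe"},
    {"type": "registry_set", "host": "WS02",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "value": "1"},
    {"type": "scheduled_task_create", "host": "WS03", "task": "\\Updater",
     "command": "powershell.exe -WindowStyle Hidden -File C:\\Users\\Public\\s.ps1"},
    {"type": "file_rename", "host": "WS01",
     "old": "C:\\Data\\q1.xlsx", "new": "C:\\Data\\q1.xlsx.dlock"},
    {"type": "file_rename", "host": "WS01",
     "old": "C:\\Data\\q2.xlsx", "new": "C:\\Data\\q2.xlsx.dlock"},
    {"type": "file_rename", "host": "WS01",
     "old": "C:\\Data\\q3.xlsx", "new": "C:\\Data\\q3.xlsx.dlock"},
]


def analyze(events):
    """Return (host, rule, evidence) tuples: per-event rules first, in event
    order, then the per-host .dlock volume rule."""
    findings = []
    dlock_per_host = Counter()
    for ev in events:
        kind, host = ev["type"], ev["host"]
        if kind == "driver_load":
            # BYOVD loads a legitimately signed driver, so signature status
            # is no filter; a driver started from a user-writable path is.
            if not ev["image"].lower().startswith(SYSTEM_DRIVER_DIR):
                findings.append((host, "byovd_candidate", ev["image"]))
        elif kind == "process_terminate":
            if ev["target"].lower() in EDR_PROCESSES:
                findings.append((host, "edr_kill", f"{ev['by']} -> {ev['target']}"))
        elif kind == "registry_set":
            if RUN_KEY_RE.search(ev["key"]):
                findings.append((host, "run_key_persistence", ev["value"]))
        elif kind == "scheduled_task_create":
            findings.append((host, "schtask_persistence", ev["command"]))
        elif kind == "file_rename":
            if ev["new"].lower().endswith(".dlock"):
                dlock_per_host[host] += 1
    for host, n in dlock_per_host.items():
        if n >= DLOCK_THRESHOLD:
            findings.append((host, "dlock_mass_rename", f"{n} files renamed to .dlock"))
    return findings


def edr_tamper_chains(findings):
    """Hosts where a non-system driver load precedes an EDR kill: the
    ordering that separates EDR tampering from a lone unusual driver."""
    primed, hosts = set(), set()
    for host, rule, _ in findings:
        if rule == "byovd_candidate":
            primed.add(host)
        elif rule == "edr_kill" and host in primed:
            hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    found = analyze(EVENTS)
    for finding in found:
        print(finding)
    print("EDR tamper chains:", edr_tamper_chains(found))
```

The per-event rules are noisy on their own (scheduled tasks and Run keys have plenty of legitimate uses); the value is in the chain: a driver from a user-writable path followed on the same host by the agent being killed is the sequence to page on, and a .dlock rename burst after it means the response window has already closed.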
Microsoft patches two Windows flaws reportedly disclosed by EncryptHub
Microsoft patched two Windows vulnerabilities in March 2025 that CSO Online says were responsibly disclosed by the actor known as EncryptHub. The case was highlighted as an example of a hybrid cybercriminal persona involved in both malicious activity and vulnerability reporting.
STAC6565 begins focused campaign against Canadian organizations
A financially motivated threat cluster tracked as STAC6565 began a concentrated intrusion campaign in February 2024, primarily targeting organizations in Canada, with additional victims in the U.S., Australia, and the U.K. The activity affected sectors including services, manufacturing, retail, technology, NGOs, and transportation.
Sources
Behind the breaches: Case studies that reveal adversary motives and modus operandi (csoonline.com)
Fake Leonardo DiCaprio Movie Torrent Drops Agent Tesla Through Layered PowerShell Chain (bitdefender.com)
New BYOVD loader behind DeadLock ransomware attack (blog.talosintelligence.com)
Deceptive Layoff-Themed HR Email Distributes Remcos RAT Malware (seqrite.com)
STAC6565 Targets Canada in 80% of Attacks as Gold Blade Deploys QWCrypt Ransomware (thehackernews.com)
Notorious Cybercrime Group is Now Targeting Zendesk Users (blog.knowbe4.com)


