Recent Malware Campaigns Targeting Windows Users via Social Engineering and Fake Installers
Multiple malware campaigns have recently targeted Windows users through a variety of social engineering tactics and deceptive file distribution methods. In Korea, attackers leveraged popular webhard file-sharing services to distribute the xRAT (QuasarRAT) remote access trojan disguised as adult games. Victims were enticed to download compressed files that appeared to be legitimate games, but actually contained sophisticated malware components designed to evade detection and establish persistence on compromised systems. Meanwhile, a separate campaign in Brazil saw the Astaroth banking trojan propagate via WhatsApp, where a worm-like component harvested contact lists and automatically sent malicious ZIP files to spread the infection further. This campaign combined Python-based propagation with traditional credential-stealing modules focused on financial fraud.
Other notable campaigns included the use of fake WinRAR installers distributed through Chinese websites, which employed multi-stage payloads to select and deploy the most effective malware for each victim. Additionally, phishing attacks impersonating DocuSign lured users into downloading stealthy malware through access code-protected web pages, using obfuscated PowerShell commands and in-memory payload decryption to bypass security controls. These incidents highlight the increasing sophistication of malware delivery mechanisms, the use of trusted brands and platforms for social engineering, and the global reach of threat actors targeting Windows environments through both email and messaging applications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
xRAT campaign targets Korean users via fake adult games
A malware campaign was identified distributing xRAT (QuasarRAT) to Windows users in Korea through webhard file-sharing services, disguising the payload as adult games. The malware used shellcode injection, disabled Windows event logging, and enabled keylogging and file theft.
Astaroth spreads in Brazil through WhatsApp worm campaign
A campaign dubbed Boto Cor-de-Rosa was observed spreading the Astaroth banking trojan in Brazil through malicious ZIP files sent automatically to victims' WhatsApp contacts. The malware combined worm-like propagation, localized Portuguese lures, and credential theft targeting banking users.
DocuSign-themed phishing campaign delivers in-memory Windows malware
A phishing campaign impersonating DocuSign was identified delivering a multi-stage loader to Windows users after victims entered an access code on a fake page. The malware used obfuscated PowerShell, in-memory .NET payload execution, and persistence via Run keys or scheduled tasks.
Fake WinRAR installer campaign distributed via Chinese lookalike sites
Researchers observed a campaign using fake WinRAR download links on various Chinese websites to distribute malware hidden behind a real WinRAR installer. The attack used layered archives and executables to conceal its payload and reduce user suspicion.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
xRAT Malware Attacking Windows Users Disguised as Adult Game
cybersecuritynews.com
Open sourceFake WinRAR downloads hide malware behind a real installer
malwarebytes.com
Open sourceNew Phishing Attack Impersonate as DocuSign Deploys Stealthy Malware on Windows Systems
cybersecuritynews.com
Open sourceAstaroth banking Trojan spreads in Brazil via WhatsApp worm
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Mar 21, 2026
Social-engineering malware campaigns delivering remote-access trojans and backdoors
Recent reporting highlights multiple **social-engineering-driven malware delivery** efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed **counterfeit adult games** via popular “webhard” file-sharing services; victims received a ZIP containing a decoy `Game.exe` launcher that stages additional components (`Data1.Pak`, `Data2.Pak`, `Data3.Pak`) and ultimately injects **QuasarRAT** (aka **xRAT**), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as `GoogleUpdate.exe` and `WinUpdate.db`, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection. Separately, a spear-phishing campaign weaponized news about a purported **Nicolás Maduro arrest** to deliver a **backdoor**: emails carried a ZIP with a lure executable (`Maduro to be taken to New York.exe`) alongside a malicious DLL (`kuguo.dll`) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to `C:\ProgramData\Technology360NB`, persistence via an auto-start renamed binary (`DataTechnology.exe`), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with **Mustang Panda** but said attribution was not yet confirmed. A separate research note described **GravityRAT** reemerging as a multi-platform RAT with expanded **Android** targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026