Inbound Social Engineering and Malware Delivery Campaigns Targeting Crypto, Web3, and Enterprises
Multiple reports describe social-engineering-led initial access that pivots into malware execution and credential/financial theft. A documented “pig butchering” approach abuses the higher-trust dynamics of matrimonial platforms to build rapport and then steer victims toward cryptocurrency-related actions. Separately, an “inbound” recruitment lure targets Web3/crypto professionals by impersonating legitimate companies and driving candidates to install fake interview software (e.g., collaborex_setup.msi) that initiates command-and-control to infrastructure such as 179.43.159.106, with the added risk that victims often use corporate endpoints that also have personal wallets installed.
In parallel, technical reporting highlights enterprise-focused malware delivery via trojanized software and email. ValleyRAT_S2 (a C++ second-stage backdoor/RAT) is being distributed via fake Chinese-language productivity tools, cracked software, and trojanized installers, including DLL side-loading (e.g., a malicious steam_api64.dll) and C2 over custom TCP (e.g., 27.124.3.175:14852), enabling long-term control and theft of financial data. Kaspersky also reported a malicious-email wave against Russian private-sector organizations using a PDF-icon masquerade that drops a .NET downloader, installs a persistent service, and stages payloads under C:\ProgramData\Microsoft Diagnostic\Tasks before delivering an infostealer. A separate blog post discusses phishing enabled by misconfigured Microsoft 365/hybrid Exchange mail routing and weak SPF/DKIM/DMARC enforcement, allowing spoofed “internal” emails that can facilitate credential theft and BEC; while related in theme (phishing), it is not clearly tied to the same malware campaigns described elsewhere.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Fake Web3 job sites used in inverted recruitment scam
An article described an 'inbound' social-engineering tactic in which threat actors allegedly create fake or cloned Web3 companies and post attractive job openings to lure applicants. The report specifically referenced youbuidl.dev as part of this recruitment-themed deception targeting the Web3 and cryptocurrency sectors.
ValleyRAT_S2 campaign uses fake software and side-loading to steal financial data
Researchers reported a campaign distributing the ValleyRAT_S2 second-stage payload through fake Chinese-language productivity tools, cracked software, trojanized installers, spearphishing attachments, and abused update channels. The malware used DLL side-loading, persistence via Temp/AppData files and scheduled tasks, watchdog scripts, and process injection to maintain covert access and collect financial information from victims.
Malicious email campaign targets Russian private-sector organizations
A wave of phishing emails began targeting Russian private-sector organizations with attachments disguised as PDFs that were actually .NET downloader executables. The campaign used a multi-stage infection chain to install a loader, establish persistence as a Windows service, and deploy an infostealer that stole system details, screenshots, and documents for exfiltration.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
Deception Scenario How Inverted Social Engineering is Redefining the Web3 Recruitment Trap | by Aris Haryanto | InfoSec Write-ups
infosecwriteups.com
Open sourceFrom Partner Search to Pig Butchering: Part 1
medium.com
Open sourceValleyRAT_S2 Attacking Organizations to Deploy Stealthy Malware and Extract Financial Details
cybersecuritynews.com
Open sourceWeb3 Developer Environments Targeted by Social Engineering Campaign Leveraging Fake Interview Software
cybersecuritynews.com
Open sourceStealthy malware masking its activity, deploying infostealer
kaspersky.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware
Multiple reports highlight a surge in **social-engineering-led initial access**, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates *Zoom*, *Microsoft Teams*, and *Adobe Reader* updates and uses **stolen Extended Validation (EV) code-signing certificates** (including one issued to **TrustConnect Software PTY LTD**) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install **RMM tooling** such as *ScreenConnect* and *MeshAgent* for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a **ClickFix**-style operation targeting crypto/Web3 professionals via **fake venture capital personas on LinkedIn**, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., *SolidBit Capital*, *MegaBit*, *Lumax Capital*) and domains attributed to a single registrant. In parallel, NCC Group’s Fox-IT assessed that **messaging platforms** (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. One referenced item is materially different from the above social-engineering theme: reporting on suspected **DPRK-linked intrusions** into cryptocurrency organizations describes web-app exploitation (including `CVE-2025-55182` in *React2Shell*) and the use of pre-obtained **AWS access tokens** to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.
Mar 21, 2026
Social Engineering and Malware Campaigns Using Diverse Lures and Delivery Chains
Multiple reports describe **distinct malware and intrusion campaigns** active across enterprise, government, developer, and consumer targets, rather than a single shared incident. The activity includes vishing-led abuse of *Quick Assist* for remote access and persistence, a **.NET AOT** malware chain delivering **Rhadamanthys** and **XMRig**, renewed **Horabot** banking Trojan activity using fake CAPTCHA and `mshta`, a compromised *Open VSX* extension that fetched **BlokTrooper** payloads, and a Middle East-focused Ramadan coupon lure delivering a **RAT** with AWS S3-based exfiltration. Additional reporting covers **Operation CamelClone**, which used government-themed spear-phishing and `LNK` files to steal data with *Rclone*, and **Contagious Trader**, a cryptocurrency-focused campaign tied to malicious GitHub and npm projects. One reference stands apart as vulnerability research rather than campaign reporting: watchTowr detailed **pre-authenticated RCE chains in BMC FootPrints**, which is a separate product security disclosure and not part of the malware operations described elsewhere. Because the references cover unrelated incidents, malware families, and victim sets, the material should **not** be treated as one cohesive event. It is also **not fluff**, as the sources contain substantive threat intelligence, technical analysis, exploit research, and incident tradecraft rather than marketing or generic advice.
Mar 24, 2026
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Mar 21, 2026