Social-engineering malware campaigns delivering remote-access trojans and backdoors
Recent reporting highlights multiple social-engineering-driven malware delivery efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed counterfeit adult games via popular “webhard” file-sharing services; victims received a ZIP containing a decoy Game.exe launcher that stages additional components (Data1.Pak, Data2.Pak, Data3.Pak) and ultimately injects QuasarRAT (aka xRAT), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as GoogleUpdate.exe and WinUpdate.db, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection.
Separately, a spear-phishing campaign weaponized news about a purported Nicolás Maduro arrest to deliver a backdoor: emails carried a ZIP with a lure executable (Maduro to be taken to New York.exe) alongside a malicious DLL (kuguo.dll) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to C:\ProgramData\Technology360NB, persistence via an auto-start renamed binary (DataTechnology.exe), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with Mustang Panda but said attribution was not yet confirmed. A separate research note described GravityRAT reemerging as a multi-platform RAT with expanded Android targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
AhnLab publishes technical analysis of QuasarRAT game-lure campaign
AhnLab Security Intelligence Center analyzed the South Korea campaign and documented the execution chain, including use of disguised files, AES decryption, privilege escalation, and QuasarRAT injection. The report warned users about downloading software from file-sharing sites.
Darktrace links Maduro-themed tradecraft to possible Mustang Panda activity
Researchers reported that the Maduro-themed malware campaign used tradecraft resembling activity historically associated with the China-linked APT Mustang Panda. They cautioned that the available evidence was insufficient for definitive attribution.
Maduro arrest lure used in spear-phishing malware campaign
Attackers launched a spear-phishing campaign themed around Venezuelan President Nicolás Maduro’s alleged arrest, sending ZIP archives with a lure executable and malicious DLL. The malware used DLL side-loading, copied itself into ProgramData, established autorun persistence, and connected to command-and-control infrastructure after reboot.
Counterfeit adult games used to spread QuasarRAT in South Korea
A social-engineering campaign targeted Windows users in South Korea with counterfeit adult games distributed through popular webhard file-sharing services. The fake game ZIPs contained a Game.exe launcher that dropped additional components and ultimately installed QuasarRAT, enabling system information theft, keylogging, and file transfer.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
Recent Malware Campaigns Targeting Windows Users via Social Engineering and Fake Installers
Multiple malware campaigns have recently targeted Windows users through a variety of social engineering tactics and deceptive file distribution methods. In Korea, attackers leveraged popular webhard file-sharing services to distribute the xRAT (QuasarRAT) remote access trojan disguised as adult games. Victims were enticed to download compressed files that appeared to be legitimate games, but actually contained sophisticated malware components designed to evade detection and establish persistence on compromised systems. Meanwhile, a separate campaign in Brazil saw the Astaroth banking trojan propagate via WhatsApp, where a worm-like component harvested contact lists and automatically sent malicious ZIP files to spread the infection further. This campaign combined Python-based propagation with traditional credential-stealing modules focused on financial fraud. Other notable campaigns included the use of fake WinRAR installers distributed through Chinese websites, which employed multi-stage payloads to select and deploy the most effective malware for each victim. Additionally, phishing attacks impersonating DocuSign lured users into downloading stealthy malware through access code-protected web pages, using obfuscated PowerShell commands and in-memory payload decryption to bypass security controls. These incidents highlight the increasing sophistication of malware delivery mechanisms, the use of trusted brands and platforms for social engineering, and the global reach of threat actors targeting Windows environments through both email and messaging applications.
Mar 21, 2026
State-Linked Malware Campaigns Using Social Engineering and Trojanized Installers
Multiple reports detailed **state-linked intrusion activity** relying on social engineering and trusted delivery mechanisms to gain initial access and establish remote control. Researchers reported a suspected state-affiliated espionage operation targeting government and financial organizations in **Kazakhstan and Afghanistan**, built around a previously unreported Windows DLL implant dubbed **KazakRAT** delivered via malicious `MSI` installers and decoy documents (e.g., a fake Kazakh presidential letter and an Afghan provincial memo). The malware was described as relatively unsophisticated—unencrypted HTTP beaconing and minimal obfuscation—yet capable of host reconnaissance, file search/exfiltration, and downloading/executing additional payloads, enabling long-running access since at least 2022. Separately, Insikt Group described **North Korean** operators (tracked as **PurpleBravo**) running the “**Contagious Interview**” campaign, using fake recruiter personas and weaponized “coding tests” hosted on platforms like GitHub to trick software developers into executing malware on corporate devices, supporting software supply-chain targeting. The toolset reportedly includes **BeaverTail** (JavaScript infostealer) and newly identified RATs **PylangGhost** and **GolangGhost**. In another supply-chain style incident, Trend research and an Emurasoft advisory reported the **official EmEditor download** being tampered with to serve a trojanized `MSI` whose `CustomAction` launched PowerShell to fetch staged payloads from lookalike domains (e.g., `EmEditorjp[.]com`, `EmEditorgb[.]com`, `EmEditorde[.]com`), followed by environment fingerprinting and geofencing checks—highlighting ongoing risk from compromised public software distribution channels.
Mar 21, 2026