Social-engineering malware campaigns delivering remote-access trojans and backdoors
Recent reporting highlights multiple social-engineering-driven malware delivery efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed counterfeit adult games via popular “webhard” file-sharing services; victims received a ZIP containing a decoy Game.exe launcher that stages additional components (Data1.Pak, Data2.Pak, Data3.Pak) and ultimately injects QuasarRAT (aka xRAT), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as GoogleUpdate.exe and WinUpdate.db, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection.
Separately, a spear-phishing campaign weaponized news about a purported Nicolás Maduro arrest to deliver a backdoor: emails carried a ZIP with a lure executable (Maduro to be taken to New York.exe) alongside a malicious DLL (kuguo.dll) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to C:\ProgramData\Technology360NB, persistence via an auto-start renamed binary (DataTechnology.exe), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with Mustang Panda but said attribution was not yet confirmed. A separate research note described GravityRAT reemerging as a multi-platform RAT with expanded Android targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.
Related Stories

Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
1 month ago
Recent Malware Campaigns Targeting Windows Users via Social Engineering and Fake Installers
Multiple malware campaigns have recently targeted Windows users through a variety of social engineering tactics and deceptive file distribution methods. In Korea, attackers leveraged popular webhard file-sharing services to distribute the xRAT (QuasarRAT) remote access trojan disguised as adult games. Victims were enticed to download compressed files that appeared to be legitimate games but actually contained sophisticated malware components designed to evade detection and establish persistence on compromised systems. Meanwhile, a separate campaign in Brazil saw the Astaroth banking trojan propagate via WhatsApp, where a worm-like component harvested contact lists and automatically sent malicious ZIP files to spread the infection further. This campaign combined Python-based propagation with traditional credential-stealing modules focused on financial fraud. Other notable campaigns included the use of fake WinRAR installers distributed through Chinese websites, which employed multi-stage payloads to select and deploy the most effective malware for each victim. Additionally, phishing attacks impersonating DocuSign lured users into downloading stealthy malware through access-code-protected web pages, using obfuscated PowerShell commands and in-memory payload decryption to bypass security controls. These incidents highlight the increasing sophistication of malware delivery mechanisms, the use of trusted brands and platforms for social engineering, and the global reach of threat actors targeting Windows environments through both email and messaging applications.
2 months ago
State-Linked Malware Campaigns Using Social Engineering and Trojanized Installers
Multiple reports detailed **state-linked intrusion activity** relying on social engineering and trusted delivery mechanisms to gain initial access and establish remote control. Researchers reported a suspected state-affiliated espionage operation targeting government and financial organizations in **Kazakhstan and Afghanistan**, built around a previously unreported Windows DLL implant dubbed **KazakRAT** delivered via malicious `MSI` installers and decoy documents (e.g., a fake Kazakh presidential letter and an Afghan provincial memo). The malware was described as relatively unsophisticated—unencrypted HTTP beaconing and minimal obfuscation—yet capable of host reconnaissance, file search/exfiltration, and downloading/executing additional payloads, enabling long-running access since at least 2022. Separately, Insikt Group described **North Korean** operators (tracked as **PurpleBravo**) running the “**Contagious Interview**” campaign, using fake recruiter personas and weaponized “coding tests” hosted on platforms like GitHub to trick software developers into executing malware on corporate devices, supporting software supply-chain targeting. The toolset reportedly includes **BeaverTail** (JavaScript infostealer) and newly identified RATs **PylangGhost** and **GolangGhost**. In another supply-chain style incident, Trend research and an Emurasoft advisory reported the **official EmEditor download** being tampered with to serve a trojanized `MSI` whose `CustomAction` launched PowerShell to fetch staged payloads from lookalike domains (e.g., `EmEditorjp[.]com`, `EmEditorgb[.]com`, `EmEditorde[.]com`), followed by environment fingerprinting and geofencing checks—highlighting ongoing risk from compromised public software distribution channels.
1 month ago