Malware Delivery via Deceptive Distribution and Evasion Techniques
Threat researchers reported multiple active campaigns focused on stealthy malware delivery by abusing trusted execution paths and deceptive distribution. Trellix described attackers using DLL side-loading against a legitimate, signed ahost.exe binary associated with the c-ares ecosystem (commonly seen with GitKraken Desktop) by placing a malicious libcares-2.dll alongside the executable to trigger search-order hijacking and execute attacker code. The activity was linked to delivery of commodity malware families including Agent Tesla, Formbook, Remcos RAT, Quasar RAT, DCRat, XWorm, Vidar Stealer, Lumma Stealer, CryptBot, and others, with targeting observed across business functions (finance, procurement, supply chain, administration) and lures in multiple languages, suggesting regionally focused operations.
Separately, Malwarebytes documented a fake RustDesk download site (rustdesk[.]work) that installs legitimate RustDesk while silently deploying a persistent backdoor framework (Winos4.0) via a trojanized installer (e.g., rustdesk-1.4.4-x86_64.exe), relying on user deception rather than exploiting a software vulnerability. Sucuri detailed a WordPress compromise where attackers modified index.php to perform selective content injection/SEO cloaking, using IP-verified logic with hardcoded Google ASN CIDR ranges to serve malicious content to Googlebot while showing normal content to human visitors and site owners—an evasion technique that can facilitate downstream malware distribution while reducing the chance of detection.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Sector targeting and payload details emerge in DLL side-loading campaign
Further reporting said the DLL side-loading activity primarily targeted employees in oil and gas and import/export organizations, with lures aimed at business functions such as finance and procurement. Observed payloads included Agent Tesla, XWorm, DCRat, Remcos RAT, Vidar Stealer, Lumma Stealer, Formbook, and CryptBot.
Trend Micro describes multi-stage AsyncRAT phishing chain
Trend Micro reported a separate phishing chain, previously documented by Forcepoint X-Labs, that used Dropbox-delivered ZIP archives and TryCloudflare tunnels or WebDAV to stage scripts, install a Python environment, persist via the startup folder, and inject AsyncRAT into explorer.exe while displaying a decoy PDF. This added new technical detail on an ongoing multi-stage malware delivery method.
Trellix reports rise in Facebook BitB credential-phishing
Trellix also disclosed a surge in Facebook credential-phishing campaigns using the Browser-in-the-Browser technique, often beginning with phishing emails and leading victims to fake Meta CAPTCHA pages and counterfeit login pop-ups hosted on platforms such as Netlify or Vercel. The activity highlighted broader abuse of trusted web services in phishing operations.
Trellix discloses c-ares DLL side-loading malware campaign
Trellix reported an active campaign abusing DLL side-loading through a legitimate signed GitKraken binary, ahost.exe, by placing a malicious libcares-2.dll beside it to hijack DLL loading. The technique was used to evade defenses and deliver multiple commodity trojans and stealers.
Winos4.0 backdoor activity and IOCs are documented
Researchers detailed the RustDesk-themed infection chain, including in-memory staging via logger.exe and Libserver.exe, anti-analysis behavior, encrypted registry-stored configuration, and command-and-control traffic to 207.56.13[.]76 over TCP port 5666. The report also published file hashes and network indicators of compromise for detection and response.
Typosquatted RustDesk site distributes trojanized installer
A malware campaign used the typosquatted domain rustdesk[.]work to impersonate the legitimate RustDesk project and trick users into downloading a trojanized installer. The installer delivered a real, functional RustDesk client while covertly deploying the Winos4.0 (WinosStager) backdoor for persistent remote access.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Multiple payloads deployed via c-ares DLL side-loading exploit | SC Media
scworld.com
Open sourceHackers Exploit c-ares DLL Side-Loading to Bypass Security and Deploy Malware
thehackernews.com
Open sourceHow real software downloads can hide remote backdoors | Malwarebytes
malwarebytes.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Mar 21, 2026
Windows Malware Campaigns Abusing Trusted Tools and Cloud Hosting for Stealthy Execution
Multiple Windows-focused malware campaigns were reported leveraging *trusted distribution and execution paths* rather than exploiting software vulnerabilities. One campaign attributed to **Larva-25012** disguised proxyware as legitimate *Notepad++* installers distributed via fake cracked-software portals and deceptive ads, primarily impacting South Korea. The payloads were hosted on GitHub and delivered as MSI/ZIP packages containing legitimate components plus malicious DLLs, using **DLL side-loading** and process injection into **Windows Explorer** to deploy proxyware (e.g., **Infatica** and **DigitalPulse**) for **proxyjacking**—monetizing victims’ internet bandwidth by reselling access through their networks. A separate multi-stage Windows malware operation used business-themed lures and weaponized archives containing **LNK** shortcuts to run hidden **PowerShell** with execution-policy bypass, pulling an obfuscated loader from GitHub and using legitimate services (e.g., **Dropbox**) to blend into normal traffic. Fortinet-reported tradecraft included persistence, decoy document generation, and beaconing via the **Telegram Bot API**, followed by defense evasion through abuse of **Defendnot** to disable Microsoft Defender before dropping follow-on payloads such as ransomware, banking trojans, and surveillance tooling. Additional reporting highlighted a broader trend of attackers abusing legitimate infrastructure and admin tooling (including **RMM** software after credential theft) to establish persistent access, while generic “common threats” content provided no incident-specific intelligence.
Mar 21, 2026