Social-Engineering Malware Campaigns Targeting End Users via Browser Stores and Fake Installers
Multiple active social-engineering-driven malware operations are targeting end users through trusted distribution channels. One campaign, dubbed GhostPoster, distributed 17 malicious browser extensions across Chrome, Firefox, and Edge with 840,000+ installs, using legitimate-sounding names (e.g., “Google Translate in Right Click,” “Youtube Download,” “Ads Block Ultimate”) and evading store reviews for years. The extensions used steganography to hide code in PNGs, then extracted payloads to contact attacker infrastructure, enabling credential/data theft, tracking, affiliate-link hijacking, script injection, and HTTP header manipulation to weaken protections.
Separately, threat actors are impersonating Malwarebytes via trojanized ZIP “installers” (e.g., malwarebytes-windows-github-io-X.X.X.zip) and using DLL sideloading—pairing a legitimate EXE with a malicious CoreMessaging.dll—to execute infostealers; reporting highlighted a campaign fingerprint via behash 4acaac53c8340a8c236c91e68244e6cb and distinctive DLL strings used for infrastructure mapping. A different operation identified by CloudSEK involves “RedLineCyber” masquerading as an affiliate of “RedLine Solutions” to build credibility inside private Discord communities and deliver a Python-based clipboard hijacker (often Pro.exe / peeek.exe) aimed at cryptocurrency wallet theft, relying on long-term grooming of high-value targets rather than broad phishing.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose fake Malwarebytes DLL sideloading infostealer campaign
Researchers publicly disclosed the fake Malwarebytes campaign, detailing its use of DLL sideloading, behavioral fingerprints, and secondary-stage stealer detections. They said the payloads targeted browser data, cryptocurrency assets, and MFA-related information.
CloudSEK reports RedLineCyber Discord clipper campaign
CloudSEK publicly reported that RedLineCyber was impersonating an affiliate of RedLine Solutions to distribute Python-based clipboard hijacker malware through Discord. The malware replaced copied cryptocurrency wallet addresses with attacker-controlled ones and targeted assets including Bitcoin, Ethereum, Solana, Dogecoin, Litecoin, and Tron.
Researchers report GhostPoster campaign tied to 17 malicious extensions
Researchers said the GhostPoster campaign involved 17 malicious browser extensions with more than 840,000 installs across Chrome, Firefox, and Edge. LayerX Security, building on an initial finding by Koi Security, linked the extensions through shared infrastructure and described the activity as a coordinated financially motivated operation.
Researchers link fake Malwarebytes lures to broader fake installer infrastructure
During analysis of the January 2026 activity, researchers used a behavioral hash, unusual DLL metadata, and benign-looking text files in the archives to pivot to related infrastructure. This connected the operation to additional fake installers themed as Logitech G Hub, OpenIV, and Asus Armoury Crate.
Fake Malwarebytes installer campaign is observed
Researchers observed a malware campaign between January 11 and January 15, 2026 that impersonated Malwarebytes installers using ZIP archives named in a malwarebytes-windows-github-io-X.X.X.zip pattern. The archives used DLL sideloading by bundling a legitimate executable with a malicious CoreMessaging.dll to launch infostealer payloads.
CloudSEK identifies RedLineCyber through HUMINT
CloudSEK's STRIKE team identified a cybercrime actor it calls RedLineCyber in December 2025. The actor was observed infiltrating private Discord communities tied to gaming, gambling, and streaming to socially engineer cryptocurrency users and influencers.
GhostPoster browser extension campaign begins operating in official stores
A coordinated malicious extension operation later dubbed GhostPoster was active across the Chrome, Firefox, and Microsoft Edge stores, with some extensions persisting undetected for up to five years. The campaign used legitimate-looking extension names and evasion techniques such as steganography, delayed execution, and runtime-decoded payloads.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
17 New Malicious Chrome GhostPoster Extensions with 840,000+ Installs Steals User Data
cybersecuritynews.com
Open sourceFake Malwarebytes Campaign Exploits DLL Sideloading to Drop Infostealers
securityonline.info
Open sourceThe Fake "RedLine": Imposter Malware Hijacks Crypto Wallets on Discord
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Mar 21, 2026
Social-engineering malware delivery via trusted installation and download paths
Security researchers reported two active/feasible malware-delivery patterns that abuse user trust in “normal” software acquisition flows rather than exploiting a specific browser or OS vulnerability. LayerX demonstrated a proof-of-concept Chrome add-on (*Totally Innocent Extension*) that can **silently modify executables as they are downloaded**—including from legitimate vendor sites—by appending attacker-controlled code without breaking the original application or requiring additional extension permissions, enabling follow-on outcomes such as persistence, lateral movement, and data theft. The researchers said the technique highlights gaps in browser extension security controls; Google and Mozilla did not acknowledge it as a product issue, with Google indicating social-engineering-driven intrusions fall outside its browser threat model. Separately, Push Security documented **InstallFix**, a new variant of the ClickFix social-engineering technique, where attackers clone installation pages for popular CLI tools and replace the install steps with malicious “copy/paste” commands (e.g., `curl`-to-shell patterns) that fetch payloads from attacker infrastructure. A noted example used a cloned *Claude Code* (Anthropic) CLI install page that preserved legitimate branding and redirected most links back to the real site, while only the macOS/Windows install instructions delivered malware; the pages were promoted via **Google Ads malvertising** for searches like “Claude Code install,” increasing the likelihood of developer and non-developer victims executing the malicious commands.
Mar 21, 2026
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
Mar 21, 2026