Social Engineering and Phishing-Driven Intrusions Targeting Identity and Remote Access
Multiple reports highlight social engineering and phishing as primary initial-access vectors, with attackers increasingly targeting identity systems rather than exploiting software vulnerabilities. Microsoft was again the most spoofed brand in phishing during Q4 2025 (22% of observed brand-impersonation attempts), reflecting how attackers abuse trust in major identity and productivity platforms to harvest credentials; examples cited include lures mimicking Netflix account recovery, Roblox-related pages, and Spanish-language Facebook scams. Separately, an incident response case described payroll fraud achieved without malware or a network breach: an attacker impersonated employees to help desks, reset passwords, re-enrolled MFA, and registered an external email as an authentication method in Azure Active Directory, then altered direct-deposit details to redirect paychecks—underscoring how help-desk processes and MFA reset workflows can be exploited for persistence and financial theft.
Targeted campaigns also show continued evolution in delivery tradecraft for remote access. A spear-phishing operation against Argentina’s judicial sector used ZIP attachments containing a weaponized Windows shortcut (.lnk) masquerading as a PDF plus scripts and a decoy court document to deploy a Remote Access Trojan while minimizing user suspicion. In parallel, research described Pulsar RAT (a Quasar RAT derivative) emphasizing stealth via memory-only execution and HVNC, with TLS-encrypted C2 and configuration retrieval from public paste sites, alongside persistence mechanisms such as scheduled tasks and UAC-bypass techniques. Another campaign attributed to Konni APT (“Operation Poseidon”) abused Google and Naver ad redirection (e.g., ad.doubleclick[.]net, mkt.naver[.]com) to launder clicks through trusted ad infrastructure before landing victims on compromised sites hosting malware, demonstrating how open-redirect and ad-tech trust can bypass reputation-based controls.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Seqrite identifies spear-phishing campaign targeting Argentina's judicial sector
Seqrite reported a targeted phishing operation impersonating Argentine federal court communications to infect judicial-sector victims with a Rust-based RAT. The campaign used ZIP archives containing a malicious LNK, batch loader, decoy legal document, and a multi-stage downloader retrieving payloads from GitHub-hosted infrastructure.
Genians publishes Operation Poseidon report attributing campaign to Konni
Genians Security Center released a report on "Operation Poseidon," describing a campaign that abused Google and Naver ad-click redirection infrastructure to deliver malware through attacker-controlled sites. The researchers attributed the operation to Konni based on an EndRAT build-path artifact containing "Poseidon" and reused command-and-control infrastructure.
Investigation finds attacker persisted through Azure AD auth method changes
The payroll-fraud investigation determined the attacker had reset employee passwords, re-enrolled MFA devices, and added an external email address as an authentication method in Azure Active Directory. The activity blended in because the actor used legitimate credentials and valid MFA, and the incident was ultimately contained to three employee accounts.
Payroll diversion fraud discovered after employees report missing pay
An organization uncovered a payroll-diversion scheme after employees reported missing salary deposits. Investigators found the attacker had socially engineered help desk, payroll, IT, and HR processes to change direct-deposit details and reroute paychecks without breaching internal systems.
Microsoft ranked most spoofed brand in Q4 2025 phishing attacks
In Q4 2025, Microsoft accounted for 22% of observed brand-impersonation phishing attacks, making it the most spoofed brand in the reporting period. Google, Amazon, Apple, and DHL were also frequently impersonated, with the technology sector remaining the primary target set.
Malicious npm packages distribute Pulsar RAT in 2025 supply-chain campaign
A 2025 supply-chain campaign used malicious npm packages including "soldiers" and "@mediawave/lib" to distribute Pulsar RAT with multi-layer obfuscation and steganography. The activity was also linked to multi-RAT deployments via open directories alongside Quasar, NjRAT, and XWorm.
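The payroll-fraud events above (help-desk password reset, MFA re-enrolment, then an external email added as an authentication method, all on legitimate credentials) are hard to spot as individual log lines but form a distinctive sequence. The following Python is an added example, not code from any of the cited reports or from Mallory: it correlates simplified, constructed Entra ID (Azure AD) style audit records per target account and flags a help-desk-initiated reset that is followed within a time window by a security-info registration that adds an email method outside the tenant's own domains. The record fields, activity strings, internal domain list and 24-hour window are all assumptions for illustration, not an exact audit-log schema.

```python
"""Flag the help-desk-reset account-takeover pattern in Entra ID (Azure AD) style audit events."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records. Field names and activity strings are a
# simplified approximation of the Entra ID audit log, not an exact schema.
SAMPLE_EVENTS = [
    # alice: help-desk password reset, MFA re-enrolment, then an external
    # email registered as an authentication method, all within 15 minutes.
    {"time": "2025-10-06T09:02:00Z", "target": "alice@corp.example",
     "activity": "Reset user password", "actor": "helpdesk1@corp.example", "detail": ""},
    {"time": "2025-10-06T09:11:00Z", "target": "alice@corp.example",
     "activity": "User registered security info", "actor": "alice@corp.example",
     "detail": "Registered Authenticator app"},
    {"time": "2025-10-06T09:14:00Z", "target": "alice@corp.example",
     "activity": "User registered security info", "actor": "alice@corp.example",
     "detail": "Registered email: recovery-alice@mail-free.example"},
    # bob: help-desk reset only, nothing else follows -> benign.
    {"time": "2025-10-06T10:00:00Z", "target": "bob@corp.example",
     "activity": "Reset user password", "actor": "helpdesk1@corp.example", "detail": ""},
    # carol: external email registered three weeks after the reset -> outside the window.
    {"time": "2025-09-01T08:00:00Z", "target": "carol@corp.example",
     "activity": "Reset user password", "actor": "helpdesk2@corp.example", "detail": ""},
    {"time": "2025-09-22T08:00:00Z", "target": "carol@corp.example",
     "activity": "User registered security info", "actor": "carol@corp.example",
     "detail": "Registered email: carol.home@mail-free.example"},
    # dave: registered a corporate email after a reset -> internal domain, benign.
    {"time": "2025-10-07T11:00:00Z", "target": "dave@corp.example",
     "activity": "Reset user password", "actor": "helpdesk1@corp.example", "detail": ""},
    {"time": "2025-10-07T11:05:00Z", "target": "dave@corp.example",
     "activity": "User registered security info", "actor": "dave@corp.example",
     "detail": "Registered email: dave.alt@corp.example"},
]

INTERNAL_DOMAINS = {"corp.example"}   # assumed: the tenant's own mail domains
WINDOW = timedelta(hours=24)          # assumed: how long after a reset we correlate

RESET = "Reset user password"                  # assumed activity label
REGISTERED = "User registered security info"   # assumed activity label
EMAIL_RE = re.compile(r"email:\s*\S+@(\S+)", re.IGNORECASE)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def external_email(event):
    """Return the domain if this registration added an email outside the tenant, else None."""
    m = EMAIL_RE.search(event["detail"])
    if not m:
        return None
    domain = m.group(1).rstrip(".").lower()
    return None if domain in INTERNAL_DOMAINS else domain


def find_takeover_chains(events, window=WINDOW):
    """Map target user -> evidence when a reset performed by someone other than the
    account owner is followed, inside `window`, by security-info registration that
    adds an external email authentication method."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_user[e["target"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            # Only resets not performed by the account owner (help desk, admin) start a chain.
            if reset["activity"] != RESET or reset["actor"] == user:
                continue
            t0 = parse_time(reset["time"])
            later = [e for e in evs[i + 1:]
                     if e["activity"] == REGISTERED and parse_time(e["time"]) - t0 <= window]
            external = [e for e in later if external_email(e)]
            if external:
                findings[user] = {
                    "reset_by": reset["actor"],
                    "reset_at": reset["time"],
                    "registrations": len(later),
                    "external_email_domains": sorted({external_email(e) for e in external}),
                }
                break
    return findings


if __name__ == "__main__":
    for user, evidence in find_takeover_chains(SAMPLE_EVENTS).items():
        print(user, evidence)
```

Only alice is flagged: bob has no follow-on registration, carol's registration falls outside the window, and dave's new email is on a tenant domain. In a real deployment the same correlation would be fed from the tenant's audit log export and paired with the payroll or HR system's direct-deposit change log, since the theft in the story happened in the payroll step, not in the identity step.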
Sources
Microsoft tops list of most spoofed brands in phishing attacks (SC Media, scworld.com)
New Spear Phishing Attack Leveraging Argentine Federal Court Rulings to Covert RAT for Remote Access (cybersecuritynews.com)
Pulsar RAT Using Memory-Only Execution & HVNC to Gain Invisible Remote Access (cybersecuritynews.com)
Operation Poseidon: Konni APT Hijacks Google & Naver Ads for Malware (securityonline.info)
Attackers Redirected Employee Paychecks Without Breaching a Single System (cybersecuritynews.com)