Multiple RAT Delivery Campaigns Using Phishing and Trojanized Software
Security researchers reported several unrelated remote access trojan (RAT) delivery campaigns using different initial access vectors and lures. Seqrite Labs described “Operation Covert Access,” a spear‑phishing operation targeting Argentina’s judiciary with a ZIP attachment containing a convincing court-resolution decoy; execution is triggered by a malicious LNK masquerading as a PDF, which launches hidden PowerShell to fetch additional stages from a GitHub repository, culminating in a custom Rust-based RAT that attempts to blend in by renaming itself (e.g., msedge_proxy.exe).
Separately, AhnLab Security Intelligence Center reported South Korea-focused activity distributing RemcosRAT through illegal online gambling-related tools and trojanized VeraCrypt installers, using embedded malicious VBS scripts and a multi-stage chain that ultimately deploys a RAT capable of surveillance and data theft (e.g., keylogging, screenshot/webcam/mic capture, credential/data harvesting). Another campaign documented by ReliaQuest abused LinkedIn private messages to deliver a bundled legitimate application alongside a malicious DLL for DLL sideloading, enabling RAT deployment under the guise of a trusted process; the reporting emphasized that social platforms can serve as effective phishing channels beyond email and that the technique is portable to other commonly used business messaging platforms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Seqrite Labs reveals 'Operation Covert Access' targeting Argentina's judiciary
Seqrite Labs reported a cyber-espionage campaign against Argentina's judicial and legal institutions that used court-themed spear-phishing emails with ZIP archives containing malicious LNK files. The attack chain fetched payloads from GitHub and ultimately installed a custom Rust-based RAT with anti-analysis, persistence, file theft, and privilege-elevation capabilities.
ReliaQuest reports LinkedIn DM phishing campaign using DLL sideloading
ReliaQuest disclosed a phishing campaign that used private LinkedIn messages, including recruiter and job-themed lures, to deliver a file bundle that enabled DLL sideloading and deployment of a remote access trojan. The activity highlighted attackers shifting initial access from email to LinkedIn to evade email-focused defenses.
AhnLab uncovers Remcos RAT campaign targeting South Korean users
AhnLab Security Intelligence Center reported intrusions delivering Remcos RAT to South Korean users through fake illegal gambling-related tools distributed via Telegram and web browsers, as well as trojanized VeraCrypt installers. The campaign used malicious VBS scripts and a multi-stage infection chain to decrypt and deploy the RAT.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Operation Covert Access: Rust RAT Infiltrates Argentina's Judiciary
securityonline.info
Open sourceNew Remcos RAT campaign aimed at South Korea uncovered | SC Media
scworld.com
Open sourcePhishing campaign exploits LinkedIn messages via DLL sideloading | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malware Delivery via Deceptive Lures: Malvertising, Fake Recruitment Repos, and Phishing Dropping RATs
Multiple reports detail **social-engineering-driven malware delivery** that results in **remote access trojans (RATs)** and credential theft. Infoblox described observing an affiliate push-notification ad network after exploiting misconfigured DNS delegations (“**Sitting Ducks**”/lame name server delegation) to take over abandoned threat-actor domains, allowing collection of **~57M logs** over two weeks and visibility into widespread **scams and brand impersonation** delivered via push ads. Nextron Systems separately reported recurring **malvertising** chains where “free converter” tools (e.g., document/image converters) downloaded from ads on legitimate sites function as advertised while covertly installing **persistent RATs**, with common artifacts such as Windows **Mark-of-the-Web** (`ZoneId=3`) indicating internet origin. Other activity in the set reflects different initial-access lures but the same general outcome—RAT-style access and data theft. Fortinet analyzed a **phishing** campaign using a fake Vietnam shipping document: a Word attachment leads to an RTF stage that exploits an RTF-related vulnerability, then uses **VBScript/PowerShell** to load a **fileless .NET module**, ultimately downloading and injecting a **Remcos** variant (including process hollowing) to provide full remote control. Separately, reporting on North Korea’s **“Contagious Interview”** campaign described fake recruiter outreach (e.g., via LinkedIn) that tricks developers into opening malicious code repositories; execution can be triggered via a hidden **VS Code `tasks` configuration**, server-side logic hooks, or a malicious npm dependency to steal credentials/crypto wallets and establish persistence—this is thematically similar (social engineering leading to remote access) but is a distinct operation from the malvertising/push-ad and Remcos phishing activity.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Mar 21, 2026