Windows Malware Campaigns Abusing Trusted Tools and Cloud Hosting for Stealthy Execution
Multiple Windows-focused malware campaigns were reported leveraging trusted distribution and execution paths rather than exploiting software vulnerabilities. One campaign attributed to Larva-25012 disguised proxyware as legitimate Notepad++ installers distributed via fake cracked-software portals and deceptive ads, primarily impacting South Korea. The payloads were hosted on GitHub and delivered as MSI/ZIP packages containing legitimate components plus malicious DLLs, using DLL side-loading and process injection into Windows Explorer to deploy proxyware (e.g., Infatica and DigitalPulse) for proxyjacking—monetizing victims’ internet bandwidth by reselling access through their networks.
A separate multi-stage Windows malware operation used business-themed lures and weaponized archives containing LNK shortcuts to run hidden PowerShell with execution-policy bypass, pulling an obfuscated loader from GitHub and using legitimate services (e.g., Dropbox) to blend into normal traffic. Fortinet-reported tradecraft included persistence, decoy document generation, and beaconing via the Telegram Bot API, followed by defense evasion through abuse of Defendnot to disable Microsoft Defender before dropping follow-on payloads such as ransomware, banking trojans, and surveillance tooling. Additional reporting highlighted a broader trend of attackers abusing legitimate infrastructure and admin tooling (including RMM software after credential theft) to establish persistent access, while generic “common threats” content provided no incident-specific intelligence.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Multi-stage malware escalates to surveillance, RAT deployment, and ransomware
After establishing persistence, the malware performs reconnaissance, captures screenshots, exfiltrates data, and disables administrative and recovery tools before deploying Amnesia RAT. In later stages it also deploys Hakuna Matata ransomware and WinLocker components to encrypt files and lock victims out with countdown timers.
Researchers report multi-stage Windows malware abusing Defendnot
Security researchers disclose a sophisticated Windows malware campaign delivered through business-themed lure documents and malicious LNK shortcuts that launch PowerShell to fetch an obfuscated loader from GitHub. A key evasion step abuses Defendnot to register a fake antivirus product, causing Microsoft Defender to shut down via Windows Security Center trust assumptions.
Larva-25012 evolves malware with stealthier loaders and persistence
ASEC reports the actor has shifted from earlier .NET malware to C++ and Python variants, adding DLL side-loading, process injection into Windows Explorer, Task Scheduler persistence, and PowerShell-based staging. The malware also modifies Windows Defender settings to reduce visibility and improve evasion.
Larva-25012 distributes fake Notepad++ installers for proxyjacking
A malware campaign attributed to Larva-25012 distributes malicious MSI and ZIP packages masquerading as Notepad++ installers through deceptive ads, fake download portals, and GitHub-hosted files. The operation hijacks victims' internet connections by installing proxyware such as Infatica and DigitalPulse.
Stolen credentials are used to deploy GoTo Resolve as a backdoor
In a second wave, the attackers use stolen credentials to generate legitimate RMM access tokens and deploy GoTo Resolve/LogMeIn via a signed file named "GreenVelopeCard.exe." The installation is configured for unattended remote access through attacker-controlled GoTo infrastructure, providing persistent backdoor access.
Attackers launch phishing campaign using fake Greenvelope invitations
A dual-vector phishing campaign begins with spoofed Greenvelope invitation emails that direct targets to fake login pages to steal credentials while evading secure email gateway detection. The campaign relies on harvested credentials to enable later access operations.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Proxyware Malware Disguised as Notepad++ Tool Leverages Windows Explorer Process to Hijack Systems
cybersecuritynews.com
Open sourceThe Skeleton Key: How Attackers Weaponize Trusted RMM Tools for Backdoor Access
blog.knowbe4.com
Open sourceNew Multi-Stage Windows Malware Disables Microsoft Defender Before Dropping Malicious Payloads
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
Multiple Malware Campaigns Abuse Phishing and Legitimate Cloud Services to Compromise Windows and Linux Systems
Reporting describes several unrelated but contemporaneous malware operations targeting both Windows and Linux environments. In Taiwan, FortiGuard Labs observed targeted phishing using tax and e-invoice lures to deliver **Winos 4.0 (ValleyRat)** and plugins, with delivery chains including malicious `.LNK` files, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud-hosted infrastructure that reduces the effectiveness of static blocklists. Separately, Cato CTRL reported a new Windows loader, **Foxveil**, that stages and retrieves shellcode via trusted platforms (**Cloudflare Pages**, **Netlify**, and **Discord attachments**) and executes payloads using techniques including **Early Bird APC injection** (often into a fake `svchost.exe`) or self-injection, while persisting via Windows services or masqueraded binaries dropped into `SysWOW64`. Additional reporting covers distinct campaigns in other regions and platforms. A LATAM-focused intrusion chain uses fake bank receipt lures (double-extension such as `.pdf.js`) to deliver **XWorm v5.6**, employing oversized/obfuscated JavaScript, WMI-based process creation (`Win32_Process`) to launch hidden PowerShell, and abuse of a hardcoded **Cloudinary** URL for staging—capabilities consistent with credential theft and enabling follow-on ransomware. Trellix analysis described a separate **Monero** cryptomining operation distributed via pirated software installers that propagates through **USB/external drives** to reach even air-gapped systems, using multi-component “watchdog” self-healing behavior and aggressive defense-evasion. On Linux, LevelBlue detailed a new **SysUpdate** variant (packed `ELF64`) that performs host reconnaissance and uses strong C2 encryption; researchers built a **Unicorn Engine**-based emulation tool to reproduce key generation/encryption routines and decrypt captured C2 traffic for investigation and detection engineering.
Mar 21, 2026