Multiple Remote Access Trojan Campaigns Target Windows and Android via Phishing, App Stores, and Social Platforms
Threat researchers reported several unrelated RAT-focused malware campaigns that differ in delivery channel and evasion technique. DEAD#VAX was described as a Windows phishing operation that delivers AsyncRAT through purchase-order lures: the e-mail links to an IPFS-hosted VHD file disguised as a PDF, and once the victim mounts the VHD it exposes a WSF that starts a multi-stage chain of heavily obfuscated batch scripts and PowerShell loaders. The final stage decrypts x64 shellcode and executes it in memory by injecting into trusted Windows processes, leaving few on-disk artifacts. Separately, analysis of Pulsar RAT activity described persistence via the per-user Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run), an obfuscated batch dropper in AppData, PowerShell-based staging, and injection of Donut-generated shellcode into processes such as explorer.exe, together with anti-analysis features and theft of credentials, wallets and tokens exfiltrated through Discord webhooks.
On Android, two distinct campaigns were highlighted. Anatsa banking malware, discovered and tracked by Zscaler ThreatLabz, was distributed through Google Play in a trojanized “document reader” app that exceeded 50,000 downloads before detection; the published app is only a loader that later retrieves the full banking trojan, which supports credential theft and C2-driven actions. Arsink RAT was reported spreading primarily via Telegram, Discord and file-sharing sites (e.g., MediaFire) as fake “mod/pro” versions of apps impersonating major brands; Zimperium’s research cited roughly 45,000 victim IPs across 143 countries, 1,216 malicious APKs and 317 Firebase Realtime Database C2 endpoints, with capabilities including SMS/OTP theft, call log and contact harvesting, location tracking and microphone audio capture.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose DEAD#VAX phishing campaign delivering AsyncRAT
Threat hunters revealed the DEAD#VAX campaign, which used phishing emails with IPFS-hosted VHD files disguised as PDF purchase orders to infect Windows users. The multi-stage chain relied on obfuscated scripts, in-memory shellcode execution, process injection into Microsoft-signed binaries, and scheduled-task persistence to deploy AsyncRAT while avoiding traditional detection.
Malicious Google Play app spreads Anatsa to 50,000+ users
Researchers found Anatsa banking malware being distributed through a seemingly benign document reader app on Google Play, where it accumulated more than 50,000 downloads before detection. The app acted as an installer that later fetched the full banking trojan, which used overlays and credential logging to steal banking data and session tokens.
Pulsar RAT attack wave targets Windows systems
Analysts reported a new wave of Windows attacks using Pulsar RAT, which persists via the per-user Run registry key and uses PowerShell-based, in-memory execution to evade detection. The malware injects into legitimate processes, steals credentials and other sensitive data, and exfiltrates ZIP-compressed data through Discord webhooks and Telegram bots.
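The Windows tradecraft shared by the DEAD#VAX and Pulsar RAT reports (a script host started from a mounted volume, hidden or encoded PowerShell loaders, a per-user Run-key entry pointing into AppData, and Discord traffic from an injection target such as explorer.exe) is easiest to hunt for in endpoint telemetry. The script below is an added example, not code from the cited reports or from Mallory; it runs a handful of heuristics over a constructed list of Sysmon-style events (event ID 1 process create, 13 registry value set, 3 network connect) reduced to dicts. Field names follow Sysmon’s schema, the events are made up for illustration, and the process allowlist is an assumption to tune per fleet.

```python
"""Hunting heuristics for the Windows RAT tradecraft described above.

Added example, not code from the cited reports or from Mallory. Input is a
constructed list of Sysmon-style events (EID 1 process create, EID 13 registry
value set, EID 3 network connect) reduced to dicts; field names follow Sysmon's
schema, but every event below is made up for illustration.
"""
import re

# Heuristics derived from the reported behaviour.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\ProgramData\\|\\Temp\\", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe")
# First script-file argument on a command line, with its drive letter captured.
SCRIPT_ARG_RE = re.compile(r'(?P<drive>[A-Z]:)\\[^"\s]*?\.(?:wsf|vbs|js|bat|cmd)\b', re.I)
# Document-looking name with a script extension tacked on (e.g. invoice.pdf.wsf).
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|txt|jpe?g|png)\.(?:wsf|vbs|js|bat|cmd)\b", re.I)
ENCODED_PS_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
HIDDEN_PS_RE = re.compile(r"\s-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
BYPASS_PS_RE = re.compile(r"\s-e(?:p|xecutionpolicy)\s+bypass\b", re.I)
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
# Assumption: processes expected to reach Discord on this fleet; tune locally.
DISCORD_ALLOWLIST = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample telemetry (not real IOCs).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Users\alice\AppData\Local\Discord\app-1.0\Discord.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},            # benign client
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "E:\PO-4471.pdf.wsf"'},  # WSF on mounted volume
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"EventID": 13, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\upd.bat"'},        # Run key into AppData
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "Details": r'"C:\Program Files\Vendor\tray.exe"'},                          # benign vendor entry
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationHostname": "discord.com", "DestinationPort": 443},            # injection target exfil
]


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, system_drive="C:"):
    """Return (rule, event_index, detail) tuples for every event that trips a heuristic."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        image = _basename(ev.get("Image", ""))
        if eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            details = ev.get("Details", "")
            # Run-key value that launches a script host or lives in a user-writable path.
            if USER_WRITABLE_RE.search(details) or any(h in details.lower() for h in SCRIPT_HOSTS):
                hits.append(("run_key_to_script_or_user_writable_path", i, details))
        elif eid == 1:
            cmd = ev.get("CommandLine", "")
            if image in ("wscript.exe", "cscript.exe"):
                m = SCRIPT_ARG_RE.search(cmd)
                # Script run from a non-system drive (mounted VHD/ISO/USB) or with a double extension.
                if m and (m.group("drive").upper() != system_drive.upper() or DOUBLE_EXT_RE.search(m.group(0))):
                    hits.append(("script_host_nonsystem_drive_or_double_extension", i, cmd))
            elif image in ("powershell.exe", "pwsh.exe"):
                if ENCODED_PS_RE.search(cmd) or (HIDDEN_PS_RE.search(cmd) and BYPASS_PS_RE.search(cmd)):
                    hits.append(("hidden_or_encoded_powershell", i, cmd))
        elif eid == 3:
            host = ev.get("DestinationHostname", "").lower()
            # Sysmon EID 3 carries no URL, so webhook use is inferred from host + unexpected process.
            if host in DISCORD_HOSTS and image not in DISCORD_ALLOWLIST:
                hits.append(("discord_from_unexpected_process", i, ev.get("Image", "")))
    return hits


if __name__ == "__main__":
    for rule, idx, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] event #{idx}: {detail}")
```

Against the constructed sample, the four planted events (the WSF from drive E:, the hidden encoded PowerShell, the Run key into AppData, and explorer.exe reaching discord.com) fire and the two benign events do not. The drive-letter rule is deliberately weak on its own, since USB sticks trip it too; in practice pair it with the double-extension check or with a preceding VHD mount event.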
Arsink RAT campaign expands across Android devices worldwide
Over several months before February 2026, Arsink RAT spread through social engineering on Telegram, Discord, and file-sharing sites while masquerading as modified versions of popular apps. Zimperium identified 45,000 unique victim IPs in 143 countries, 1,216 malicious APKs, and 317 Firebase Realtime Database command-and-control endpoints tied to the campaign.
Sources
4 references tracked.
DEAD#VAX Malware Campaign Deploys AsyncRAT via IPFS-Hosted VHD Phishing Files (thehackernews.com)
Malicious App on The Google Play with 50K+ Downloads Deploy Anatsa Banking Malware (cybersecuritynews.com)
Pulsar RAT Attacking Windows Systems via Per-user Run Registry Key and Exfiltrates Sensitive Details (cybersecuritynews.com)
Arsink Rat Attacking Android Devices to Exfiltrate Sensitive Data and Enable Remote Access (cybersecuritynews.com)


