Phishing and Trojanized Installers Deliver Remote Access Trojans via Multi-Stage, Evasion-Focused Infection Chains
Multiple active malware campaigns are delivering remote access trojans (RATs) using deceptive lures and multi-stage execution chains designed to evade endpoint defenses. Malwarebytes reported a campaign dubbed DEAD#VAX that distributes a file masquerading as a “PDF” but actually delivered as a virtual hard disk (.vhd) hosted via IPFS; when opened, Windows mounts the VHD and the victim is tricked into launching a Windows Script File (.wsf) that ultimately deploys AsyncRAT. The chain includes anti-analysis checks and process injection into Microsoft-signed binaries such as RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe, enabling hands-on-keyboard remote control while minimizing obvious on-disk artifacts.
Separately, reporting described DesckVB RAT v2.9, a modular .NET RAT using an obfuscated WSH JavaScript stager followed by PowerShell-based anti-analysis checks and an in-memory (“fileless”) loader, emphasizing persistence and a plugin-based architecture for post-compromise capabilities. Another campaign distributes ValleyRAT disguised as a legitimate LINE installer, targeting Chinese-speaking users; it attempts to weaken defenses by using PowerShell to add broad Windows Defender exclusions, performs sandbox checks (e.g., mutex/file-locking behaviors), and uses advanced injection (reported as PoolParty Variant 7 via Windows I/O completion ports) to hide within trusted processes while stealing credentials and maintaining C2 communications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
DEAD#VAX uses in-memory AsyncRAT injection into signed Windows processes
The DEAD#VAX infection chain performed anti-analysis checks and injected AsyncRAT shellcode into legitimate Microsoft-signed processes including RuntimeBroker.exe, OneDrive.exe, taskhostw.exe, and sihost.exe. This fileless approach enabled remote access, credential theft, surveillance, and potential lateral movement while reducing forensic artifacts.
DEAD#VAX phishing campaign delivers AsyncRAT via fake PDF VHD files
A phishing campaign dubbed DEAD#VAX used VHD files disguised as PDF invoices or purchase orders and hosted lures on IPFS. When opened, Windows mounted the VHD and exposed a malicious WSF script that executed instead of displaying a document.
DesckVB RAT analysis reveals plugin-based post-compromise capabilities
Technical analysis showed DesckVB RAT uses a modular plugin architecture delivered over a custom TCP protocol, allowing operators to add capabilities after compromise. Documented plugins included keylogging, webcam streaming through DirectShow, and antivirus or security product enumeration.
DesckVB RAT v2.9 observed in active campaigns in early 2026
Researchers observed DesckVB RAT v2.9 being used in active campaigns, employing a multi-stage infection chain that starts with an obfuscated WSH JavaScript stager and transitions to PowerShell and a fileless .NET loader. The malware was designed for persistence and evasion while minimizing disk artifacts.
Researchers detail ValleyRAT's PoolParty injection and persistence methods
Cybereason reported that this ValleyRAT variant used PoolParty Variant 7 injection via Windows I/O completion ports to hide inside trusted processes such as Explorer.exe and UserAccountBroker.exe. The malware also scanned for security products, used UserAccountBroker.exe as a watchdog, and persisted through scheduled tasks created over RPC.
ValleyRAT campaign uses fake LINE installer to target Chinese-speaking users
Threat actors distributed the ValleyRAT backdoor disguised as a legitimate LINE messaging app installer, primarily targeting Chinese-speaking users. The malware used a multi-stage loading chain, attempted to weaken Windows Defender with broad exclusions, and established persistence for surveillance and credential theft.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Open the wrong “PDF” and attackers gain remote access to your PC | Malwarebytes
malwarebytes.com
Open sourceNew DesckVB RAT with Multi-stage Infection Chain and Plugin-Based Architecture
cybersecuritynews.com
Open sourceValleyRAT Mimic as LINE Installer Attacking Users to Steal Login Details
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Remote Access Trojan Campaigns Target Windows and Android via Phishing, App Stores, and Social Platforms
Threat researchers reported several unrelated **RAT-focused malware campaigns** using different delivery channels and evasion techniques. **DEAD#VAX** was described as a Windows phishing operation that delivers **AsyncRAT** via purchase-order lures, abusing **IPFS-hosted VHD** files disguised as PDFs; the mounted VHD drops a multi-stage chain using **WSF**, heavily obfuscated batch scripts, and PowerShell loaders to decrypt and execute x64 shellcode **in memory** by injecting into trusted Windows processes, minimizing on-disk artifacts. Separately, analysis of **Pulsar RAT** activity described persistence via the per-user Run key (`HKCU\Software\Microsoft\Windows\CurrentVersion\Run`), an obfuscated batch dropper in *AppData*, PowerShell-based staging, and **Donut-generated shellcode** injection into processes such as `explorer.exe`, with anti-analysis features and data theft (credentials, wallets, tokens) exfiltrated via **Discord webhooks**. On Android, two distinct campaigns were highlighted. **Anatsa** banking malware was found distributed through **Google Play** in a trojanized “document reader” app that exceeded **50,000 downloads** before detection; the initial app acts as a loader that retrieves the full banking trojan and supports credential theft and C2-driven actions, with reporting attributing discovery and tracking to **Zscaler ThreatLabz**. **Arsink RAT** was reported spreading primarily via **Telegram/Discord** and file-sharing sites (e.g., MediaFire) through fake “mod/pro” apps impersonating major brands; research attributed to **Zimperium** cited **~45,000** victim IPs across **143 countries**, **1,216** malicious APKs, and **317** Firebase Realtime Database C2 endpoints, with capabilities including SMS/OTP theft, call log and contact harvesting, location tracking, and microphone audio capture.
Mar 21, 2026
Multiple RAT Delivery Campaigns Using Phishing and Trojanized Software
Security researchers reported several unrelated **remote access trojan (RAT)** delivery campaigns using different initial access vectors and lures. Seqrite Labs described “**Operation Covert Access**,” a spear‑phishing operation targeting Argentina’s judiciary with a ZIP attachment containing a convincing court-resolution decoy; execution is triggered by a malicious `LNK` masquerading as a PDF, which launches hidden PowerShell to fetch additional stages from a GitHub repository, culminating in a custom **Rust-based RAT** that attempts to blend in by renaming itself (e.g., `msedge_proxy.exe`). Separately, AhnLab Security Intelligence Center reported South Korea-focused activity distributing **RemcosRAT** through illegal online gambling-related tools and trojanized *VeraCrypt* installers, using embedded malicious VBS scripts and a multi-stage chain that ultimately deploys a RAT capable of surveillance and data theft (e.g., keylogging, screenshot/webcam/mic capture, credential/data harvesting). Another campaign documented by ReliaQuest abused **LinkedIn private messages** to deliver a bundled legitimate application alongside a malicious DLL for **DLL sideloading**, enabling RAT deployment under the guise of a trusted process; the reporting emphasized that social platforms can serve as effective phishing channels beyond email and that the technique is portable to other commonly used business messaging platforms.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026