Stealthy Malware Campaigns Abuse Windows and Office Features for Initial Access and Evasion
Multiple early-2026 campaigns highlight increasingly low-noise initial access and living-off-the-land execution on Windows endpoints. CyStack reported activity attributed to APT-Q-27 (GoldenEyeDog) targeting financial institutions via a corporate support workflow: a user clicked a malicious link delivered through a Zendesk ticket, leading to download of an executable masquerading as an image/.pif file (aided by Windows’ hidden-extension defaults). The malware was signed with a revoked certificate that still appeared trusted due to a valid timestamp, and its modular backdoor/C2 infrastructure overlapped with prior APT-Q-27 activity, enabling stealthy persistence and control without triggering common endpoint alerts.
Separately, Securonix described the Dead#Vax multistage campaign using phishing links to VHD files hosted on IPFS, where mounting/opening the VHD triggers Windows Script Files, obfuscated batch, and PowerShell loaders to support encrypted data theft and conceal execution logic, culminating in AsyncRAT deployment for credential theft, surveillance, and follow-on intrusion. In another targeted operation, Zscaler ThreatLabz linked Operation Neusploit to APT28, exploiting CVE-2026-21509 (Microsoft Office/365 OLE bypass) via crafted RTF documents to drop payloads including MiniDoor (Outlook-focused collection and mailbox manipulation, including exfiltration to attacker-controlled email accounts) and PixyNetLoader (reported to use steganography). A separate “ThreatsDay” bulletin is a multi-story roundup and does not provide additional, specific corroboration on these same campaigns beyond mentioning adjacent themes (e.g., AsyncRAT/C2) in a broader news digest.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
APT-Q-27 targeting corporate environments is reported
A report published on 6 February 2026 stated that APT-Q-27 was conducting stealthy attacks against corporate environments designed to avoid triggering alerts. No further technical or chronological details were provided in the reference synopsis.
Securonix discloses Dead#Vax multistage malware campaign
Securonix analysts reported a sophisticated Windows-focused campaign dubbed Dead#Vax that used phishing emails, IPFS-hosted VHD files, Windows Script Files, batch scripts, and PowerShell loaders. The intrusion chain culminated in AsyncRAT deployment for credential theft, surveillance, data exfiltration, and follow-on compromise.
Lab52 reports phishing campaign abusing renamed MSBuild and .csproj files
In February 2026, a campaign reported by Lab52 used phishing emails to deliver a renamed MSBuild executable and a malicious .csproj project file, causing MSBuild to load the project, fetch additional payloads from external infrastructure, and execute them. The intrusion chain also used DLL sideloading with a legitimate signed executable and a malicious DLL to achieve final malware execution.
Operation Neusploit exploitation continues after patch release
Zscaler observed exploitation of CVE-2026-21509 continuing through at least 29 January 2026 despite Microsoft's emergency patch. The campaign's second-stage activity included steganography, anti-analysis checks, and deployment of a Covenant Grunt implant using Filen for command-and-control and data movement.
Zscaler uncovers Operation Neusploit targeting Eastern Europe
Zscaler ThreatLabz identified a targeted campaign dubbed Operation Neusploit in January 2026 aimed at users in Ukraine, Slovakia, and Romania. The operation used localized lure documents and malicious RTF files to exploit CVE-2026-21509 and deliver malware including MiniDoor and PixyNetLoader.
Microsoft issues emergency patch for CVE-2026-21509
Microsoft released an emergency patch for the critical Microsoft Office/365 OLE vulnerability CVE-2026-21509, which could be triggered by opening a crafted file. The flaw was later linked to targeted malware attacks in Operation Neusploit.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
LOLBins - Analyzing attack techniques with MSBuild - ASEC
asec.ahnlab.com
Open sourceAPT-Q-27 Targeting Corporate Environments in Stealthy Attack Without Triggering Alerts
cybersecuritynews.com
Open sourceWindows targeted by advanced multistage Dead#Vax malware campaign | SC Media
scworld.com
Open sourceOp Neusploit: Russian APT28 Uses Microsoft Office Flaw in Malware Attacks
hackread.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. **Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
Mar 21, 2026
Weekly Cyber Threat Roundups Highlight Linux Fileless Malware, Office Zero-Day Exploitation, and Multiple Breach Claims
Multiple weekly threat roundups and research posts reported a mix of active exploitation, new malware tradecraft, and breach claims. Ukraine’s CERT reported **APT28** rapidly weaponized a Microsoft Office zero-day (**CVE-2026-21509**) within roughly a day of Microsoft’s disclosure, using spearphishing emails with malicious DOC lures to deliver **Covenant** backdoors against Ukrainian government targets and EU-related entities. Separately, researchers described **ShadowHS**, a stealthy **fileless Linux** post-exploitation framework that runs in-memory (e.g., via `memfd`-style execution), uses encrypted multi-stage loading (AES-256-CBC), fingerprints defensive tooling (including major EDR agents), and retains operator-driven capabilities such as credential theft, lateral movement, and covert tunneling for exfiltration. Other reporting highlighted incident and exposure claims and defensive takeaways. Check Point described a **supply-chain compromise** affecting *eScan* (MicroWorld Technologies) in which malicious updates were pushed through the legitimate updater, prompting an emergency shutdown of global update services; it also noted **Crunchbase** confirmed a breach affecting **2M+ records** claimed by **ShinyHunters**, and cited extortion/leak claims involving **Qilin** (Tulsa International Airport) and **WorldLeaks** (Nike). Google’s legal/technical disruption of the **IPIDEA** residential proxy network was also cited as reducing available proxy nodes by millions and cutting off C2 domains used to route attacker traffic. Additional coverage described a phishing chain using a fake DHL invoice to abuse a signed Java utility via **DLL sideloading** (malicious `jli.dll`) and **process hollowing** into `AddInProcess32.exe` to run **Phantom Stealer**; detection-engineering updates emphasized new rules for Windows defense-evasion (e.g., tampering with Credential Guard/HVCI, disabling AMSI and the vulnerable driver blocklist) and expanded Kubernetes and Linux post-exploitation detections.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026