Malware Campaigns Using Fake Installers and Multi-Stage Loaders to Steal Credentials and Enable Remote Control
Multiple active malware campaigns are using trojanized installers and social engineering—rather than software vulnerabilities—to gain initial access and then deploy credential theft or remote-control capabilities. Intel 471 reported a new Android banking trojan dubbed FvncBot targeting Polish mobile banking users by impersonating an mBank “security” app; the dropper prompts installation of an additional “Play” component and then abuses Android Accessibility Services for persistence and control, enabling keylogging, screen capture, and hidden VNC-style remote interaction to facilitate fraudulent transactions.
Separately, Cyderes described an ongoing, large-scale piracy-channel campaign where cracked game installers hide behind a legitimate-looking Ren’Py launcher tracked as RenEngine, which decrypts and launches subsequent stages and introduces HijackLoader via techniques including DLL side-loading and module stomping; observed final payloads include ACR Stealer (and in some cases Vidar) to exfiltrate browser credentials, cookies, and crypto wallet data. Cybereason detailed a different installer-themed operation in Chinese-speaking communities delivering ValleyRat/Winos 4.0 attributed to Silver Fox APT, notable for using the rare “PoolParty Variant 7” process injection (abusing Windows I/O completion ports and ZwSetIoCompletion() after duplicating a handle from Explorer.exe) plus a strengthened watchdog mechanism via injection into Explorer.exe and UserAccountBroker.exe to maintain persistence.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
RenEngine loader multi-stage execution chain publicly reported
A report published on February 6, 2026 described the RenEngine loader as using a stealthy multi-stage execution chain to bypass security controls. No further incident timing or victim details were provided in the reference.
Intel471 discloses technical details of the new FvncBot malware
Intel471 reported that FvncBot appears to have an original codebase rather than being derived from leaked banking trojan source code, suggesting a new developer group. The disclosure detailed its use of Accessibility Services, hidden VNC, keystroke logging, screen capture, WebSocket-based command and control, and data exfiltration capabilities.
Researchers reveal ValleyRat's use of PoolParty Variant 7 injection
The Silver Fox-linked ValleyRat campaign was found to use the rare PoolParty Variant 7 process-injection technique, abusing Windows I/O Completion Ports and Explorer.exe handles to run code inside trusted processes. Researchers also noted a watchdog persistence mechanism and attempts to disrupt Qihoo 360 security products.
Cybereason reports Silver Fox campaign delivering ValleyRat via trojanized installers
Cybereason Security Services reported a campaign targeting Chinese-speaking users with trojanized software installers, including a fake LINE installer that delivered the ValleyRat (Winos 4.0) remote access trojan. The activity was assessed as linked to the Silver Fox APT.
FvncBot banking trojan campaign observed targeting Polish Android users
On November 25, 2025, researchers observed a malicious Android app masquerading as an mBank security tool and targeting mobile banking customers in Poland. The app served as a loader for the newly identified FvncBot trojan and used social engineering to get victims to install an additional component for persistence and evasion.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
New FvncBot Attacking Android Users by Exploiting Accessibility Services
cybersecuritynews.com
Open sourceRenEngine Loader Using Stealthy Multi‑Stage Execution Chain to Bypass Security Controls
cybersecuritynews.com
Open sourceStealth Injection: Silver Fox APT Upgrades "ValleyRat" with Rare PoolParty Tech
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Mar 21, 2026