Phishing and Social Engineering Campaigns Leveraging Trusted Channels and China-Linked Tradecraft
Multiple reports highlight social engineering-driven compromise rather than exploitation of software vulnerabilities, with attackers relying on trusted-looking communications and infrastructure to bypass defenses. One campaign described by X-Labs uses a “clean” initial business email (often passing SPF/DKIM/DMARC) that contains no direct malicious link, instead delivering a PDF attachment that leads victims through a multi-stage document chain. The chain leverages reputable cloud services—including Vercel Blob—to host intermediary PDFs that redirect to a Dropbox-impersonation credential-harvesting page, and then uses a Telegram bot as a collection point for stolen credentials, complicating detection and takedown.
Separately, researchers reported a targeted operation attributed to China-linked Mustang Panda (aka HoneyMyte) against government officials and diplomats, using fake diplomatic briefing documents themed as U.S./international policy updates to induce execution and install surveillance tooling, including PlugX (noted as a DOPLUGS variant). In parallel, U.S. reporting described HUMINT-style recruitment approaches tied primarily to China, where adversaries pose as recruiters/consulting firms on email and job platforms to elicit or purchase sensitive information from current/former U.S. government personnel—an espionage pathway that is adjacent to, but distinct from, the phishing/malware activity described in the other reporting.
Related Entities
Threat Actors
Malware
Organizations
Sources
Related Stories
Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware
Multiple reports highlight a surge in **social-engineering-led initial access**, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates *Zoom*, *Microsoft Teams*, and *Adobe Reader* updates and uses **stolen Extended Validation (EV) code-signing certificates** (including one issued to **TrustConnect Software PTY LTD**) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install **RMM tooling** such as *ScreenConnect* and *MeshAgent* for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a **ClickFix**-style operation targeting crypto/Web3 professionals via **fake venture capital personas on LinkedIn**, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., *SolidBit Capital*, *MegaBit*, *Lumax Capital*) and domains attributed to a single registrant. In parallel, NCC Group’s Fox-IT assessed that **messaging platforms** (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. One referenced item is materially different from the above social-engineering theme: reporting on suspected **DPRK-linked intrusions** into cryptocurrency organizations describes web-app exploitation (including `CVE-2025-55182` in *React2Shell*) and the use of pre-obtained **AWS access tokens** to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.
1 weeks ago
Inbound Social Engineering and Malware Delivery Campaigns Targeting Crypto, Web3, and Enterprises
Multiple reports describe **social-engineering-led initial access** that pivots into malware execution and credential/financial theft. A documented “pig butchering” approach abuses the higher-trust dynamics of matrimonial platforms to build rapport and then steer victims toward cryptocurrency-related actions. Separately, an “inbound” recruitment lure targets **Web3/crypto professionals** by impersonating legitimate companies and driving candidates to install fake interview software (e.g., `collaborex_setup.msi`) that initiates command-and-control to infrastructure such as `179.43.159.106`, with the added risk that victims often use corporate endpoints that also have personal wallets installed. In parallel, technical reporting highlights enterprise-focused malware delivery via trojanized software and email. **ValleyRAT_S2** (a C++ second-stage backdoor/RAT) is being distributed via fake Chinese-language productivity tools, cracked software, and trojanized installers, including **DLL side-loading** (e.g., a malicious `steam_api64.dll`) and C2 over custom TCP (e.g., `27.124.3.175:14852`), enabling long-term control and theft of financial data. Kaspersky also reported a malicious-email wave against Russian private-sector organizations using a PDF-icon masquerade that drops a .NET downloader, installs a persistent service, and stages payloads under `C:\ProgramData\Microsoft Diagnostic\Tasks` before delivering an **infostealer**. A separate blog post discusses phishing enabled by **misconfigured Microsoft 365/hybrid Exchange mail routing and weak SPF/DKIM/DMARC enforcement**, allowing spoofed “internal” emails that can facilitate credential theft and BEC; while related in theme (phishing), it is not clearly tied to the same malware campaigns described elsewhere.
2 months ago
Social Engineering and Phishing-Driven Intrusions Targeting Identity and Remote Access
Multiple reports highlight **social engineering and phishing** as primary initial-access vectors, with attackers increasingly targeting **identity systems** rather than exploiting software vulnerabilities. Microsoft was again the most spoofed brand in phishing during Q4 2025 (22% of observed brand-impersonation attempts), reflecting how attackers abuse trust in major identity and productivity platforms to harvest credentials; examples cited include lures mimicking Netflix account recovery, Roblox-related pages, and Spanish-language Facebook scams. Separately, an incident response case described payroll fraud achieved without malware or a network breach: an attacker impersonated employees to help desks, reset passwords, re-enrolled MFA, and registered an external email as an authentication method in **Azure Active Directory**, then altered direct-deposit details to redirect paychecks—underscoring how **help-desk processes and MFA reset workflows** can be exploited for persistence and financial theft. Targeted campaigns also show continued evolution in delivery tradecraft for **remote access**. A spear-phishing operation against Argentina’s judicial sector used ZIP attachments containing a weaponized Windows shortcut (`.lnk`) masquerading as a PDF plus scripts and a decoy court document to deploy a **Remote Access Trojan** while minimizing user suspicion. In parallel, research described **Pulsar RAT** (a Quasar RAT derivative) emphasizing stealth via **memory-only execution** and **HVNC**, with TLS-encrypted C2 and configuration retrieval from public paste sites, alongside persistence mechanisms such as scheduled tasks and UAC-bypass techniques. Another campaign attributed to **Konni APT** (“Operation Poseidon”) abused **Google and Naver ad redirection** (e.g., `ad.doubleclick[.]net`, `mkt.naver[.]com`) to launder clicks through trusted ad infrastructure before landing victims on compromised sites hosting malware, demonstrating how open-redirect and ad-tech trust can bypass reputation-based controls.
1 months ago