Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe active malware campaigns targeting Windows users with a focus on credential, session, and wallet theft delivered through social engineering and abuse of legitimate services. CharlieKirk Grabber, a Python infostealer packaged with PyInstaller, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via TASKKILL) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to GoFile, and relays the download link to operators via Discord webhooks or Telegram bots. Separately, attackers are buying Facebook ads impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., ms-25h2-update[.]pro), delivering a malicious installer that steals saved passwords, browser sessions, and cryptocurrency wallet data; the campaign uses geofencing/sandbox evasion to show benign content to data-center IPs while serving malware to likely end users.
Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported Winos 4.0 (ValleyRat) phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious LNK downloaders, DLL sideloading, and BYOVD using the vulnerable driver wsftprm.sys, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers XWorm v5.6 via a .pdf.js double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. Additional reporting covered a USB-propagating Monero cryptomining operation capable of crossing air-gapped environments, a new Linux SysUpdate variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the Foxveil loader abusing Cloudflare Pages, Netlify, and Discord to stage shellcode and persist via services or SysWOW64 masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Technical details and IOCs published for CharlieKirk Grabber
The report described CharlieKirk Grabber's use of PyInstaller packaging, browser process termination, Defender exclusions, built-in Windows utilities, GoFile exfiltration, and encrypted HTTPS communications. It also published IOCs, MITRE ATT&CK mappings, and defensive guidance for monitoring and hardening.
Cyfirma identifies CharlieKirk Grabber infostealer targeting Windows
Cyfirma reported a newly identified Python-based infostealer called CharlieKirk Grabber that targets Windows systems for rapid theft of stored credentials, browser cookies, session data, and Wi-Fi credentials. The malware is builder-based and can be configured to use Discord webhooks or Telegram bots for command-and-control.
Parallel ad infrastructure tracks victims and adds campaign redundancy
The operators used Facebook Pixel "Lead" events to track conversions and maintained multiple ad campaigns and domains so the operation could continue if one path was disrupted.
Malicious Windows 11 installer hosted on GitHub delivers infostealer
The fake download delivered a 75 MB Inno Setup-based file named ms-update32.exe hosted on GitHub. When run, it dropped an Electron-based component, executed obfuscated PowerShell, established persistence in the registry, and stole browser credentials, session data, and cryptocurrency wallet information.
Attackers run Facebook ads for fake Windows 11 downloads
A campaign used paid Facebook ads impersonating Microsoft to direct users to lookalike Windows 11 download pages on domains referencing "25H2." Real users were served a malicious installer, while researchers and data-center traffic were redirected to benign sites through geofencing and sandbox evasion.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CharlieKirk Grabber Stealer Attacking Windows Systems to Exfiltrate Login Credentials
cybersecuritynews.com
Open sourceFacebook ads spread fake Windows 11 downloads that steal passwords and crypto wallets | Malwarebytes
malwarebytes.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Malware Campaigns Abuse Phishing and Legitimate Cloud Services to Compromise Windows and Linux Systems
Reporting describes several unrelated but contemporaneous malware operations targeting both Windows and Linux environments. In Taiwan, FortiGuard Labs observed targeted phishing using tax and e-invoice lures to deliver **Winos 4.0 (ValleyRat)** and plugins, with delivery chains including malicious `.LNK` files, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud-hosted infrastructure that reduces the effectiveness of static blocklists. Separately, Cato CTRL reported a new Windows loader, **Foxveil**, that stages and retrieves shellcode via trusted platforms (**Cloudflare Pages**, **Netlify**, and **Discord attachments**) and executes payloads using techniques including **Early Bird APC injection** (often into a fake `svchost.exe`) or self-injection, while persisting via Windows services or masqueraded binaries dropped into `SysWOW64`. Additional reporting covers distinct campaigns in other regions and platforms. A LATAM-focused intrusion chain uses fake bank receipt lures (double-extension such as `.pdf.js`) to deliver **XWorm v5.6**, employing oversized/obfuscated JavaScript, WMI-based process creation (`Win32_Process`) to launch hidden PowerShell, and abuse of a hardcoded **Cloudinary** URL for staging—capabilities consistent with credential theft and enabling follow-on ransomware. Trellix analysis described a separate **Monero** cryptomining operation distributed via pirated software installers that propagates through **USB/external drives** to reach even air-gapped systems, using multi-component “watchdog” self-healing behavior and aggressive defense-evasion. On Linux, LevelBlue detailed a new **SysUpdate** variant (packed `ELF64`) that performs host reconnaissance and uses strong C2 encryption; researchers built a **Unicorn Engine**-based emulation tool to reproduce key generation/encryption routines and decrypt captured C2 traffic for investigation and detection engineering.
Mar 21, 2026
Malware Campaigns Using Fake Installers and Multi-Stage Loaders to Steal Credentials and Enable Remote Control
Multiple active malware campaigns are using **trojanized installers** and social engineering—rather than software vulnerabilities—to gain initial access and then deploy credential theft or remote-control capabilities. Intel 471 reported a new Android banking trojan dubbed **FvncBot** targeting Polish mobile banking users by impersonating an *mBank* “security” app; the dropper prompts installation of an additional “Play” component and then abuses **Android Accessibility Services** for persistence and control, enabling **keylogging**, **screen capture**, and hidden **VNC-style remote interaction** to facilitate fraudulent transactions. Separately, Cyderes described an ongoing, large-scale piracy-channel campaign where cracked game installers hide behind a legitimate-looking **Ren’Py** launcher tracked as **RenEngine**, which decrypts and launches subsequent stages and introduces **HijackLoader** via techniques including **DLL side-loading** and module stomping; observed final payloads include **ACR Stealer** (and in some cases **Vidar**) to exfiltrate browser credentials, cookies, and crypto wallet data. Cybereason detailed a different installer-themed operation in Chinese-speaking communities delivering **ValleyRat/Winos 4.0** attributed to **Silver Fox APT**, notable for using the rare **“PoolParty Variant 7”** process injection (abusing Windows I/O completion ports and `ZwSetIoCompletion()` after duplicating a handle from `Explorer.exe`) plus a strengthened watchdog mechanism via injection into `Explorer.exe` and `UserAccountBroker.exe` to maintain persistence.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026