Email and typosquatting campaigns delivering RAT malware via trojanized installers and malicious JPEG payloads
Multiple active malware delivery campaigns are using social engineering and trusted-looking artifacts to install remote access trojans (RATs). One campaign impersonates the popular Chinese antivirus Huorong Security via a typosquatted domain huoronga[.]com, routing downloads through an intermediary domain and serving a trojanized NSIS installer from Cloudflare R2; the payload is ValleyRAT, described as built on the Winos4.0 framework and attributed to the Chinese-speaking Silver Fox threat group. The infection chain is designed to look legitimate end-to-end (convincing website, normal installer UX) while deploying a full-featured backdoor with stealth and injection capabilities.
Separately, email-borne campaigns are abusing attachments and “benign” file types to smuggle malware. Fortinet-reported activity uses phishing lures (e.g., payment or bank-document themes) with Excel attachments exploiting CVE-2018-0802 to launch scripts that download a JPEG containing embedded XWorm 7.2, then uses process hollowing (e.g., into Msbuild.exe) and connects to a C2 at berlin101.com over port 6000 with AES encryption. SANS ISC also documented a similar “malicious JPEG” technique observed in the wild, where a large, heavily obfuscated JScript attachment (delivered in a GZIP wrapper) attempts persistence by copying itself to the Startup folder and participates in a chain that ultimately leverages payloads embedded in JPEGs; the message spoofing failed DMARC/SPF checks, which would likely lead to quarantine in many environments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
SANS analyzes JPEG-based malware chain likely ending in Remcos RAT
SANS ISC documented a campaign in which a spoofed email delivered an obfuscated JScript file that launched PowerShell, downloaded an image with an embedded payload, and ultimately led to a second-stage executable identified by VirusTotal as likely Remcos RAT. The analysis also noted the second-stage URL was still active at the time of writing.
Fortinet reports phishing campaign delivering XWorm via Excel exploit
Fortinet FortiGuard Labs disclosed a campaign using business-themed phishing emails and Excel attachments exploiting CVE-2018-0802 to infect Windows systems with XWorm. The infection chain downloaded a JPEG containing the payload and used process hollowing into Msbuild.exe before connecting to C2 infrastructure.
Silver Fox uses fake Huorong site to distribute ValleyRAT
A typosquatted lookalike of the Huorong Security website was used to deliver a trojanized installer that deployed ValleyRAT via DLL sideloading, with the campaign attributed to the Chinese-speaking Silver Fox APT group.
XWorm 7.2 appears on Telegram marketplaces
A more advanced XWorm version labeled 7.2 was observed being advertised or sold on Telegram marketplaces, lowering the barrier to use by additional threat actors.
Researchers observe surge in ValleyRAT-related samples
Telemetry showed roughly 6,000 ValleyRAT-related samples collected from November 2024 through November 2025, indicating significant growth in activity and broader use of the malware family.
ValleyRAT builder source code leaks on GitHub
A builder for ValleyRAT was leaked on GitHub, an event later cited as a factor suggesting the malware could be adopted beyond a single operator.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
XWorm malware campaign leverages business-themed for PC infections | SC Media
scworld.com
Open sourceFake Huorong security site infects users with ValleyRAT | Malwarebytes
malwarebytes.com
Open sourceHackers Use Excel Exploit to Hide XWorm 7.2 in JPEG Files, Hijack PCs
hackread.com
Open sourceAnother day, another malicious JPEG - SANS ISC
isc.sans.edu
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple malware campaigns using compromised websites and phishing lures to deliver RATs and stealers
Threat actors are using **compromised or spoofed websites** to trick victims into executing malware, with lures ranging from fake browser updates to counterfeit security-software download pages. Recorded Future’s Insikt Group reported that financially motivated **GrayCharlie** (overlapping with **SmartApeSG**) compromised multiple U.S. law-firm WordPress sites—potentially via a shared IT/marketing provider—and injected externally hosted JavaScript that redirected visitors to **bogus update pages** or **fake CAPTCHA** flows. Victims were prompted to run a PowerShell command via the Windows Run dialog, leading to **NetSupport RAT** installation and follow-on delivery of **Stealc** and **SectopRAT**; the operation’s infrastructure was noted as being supported by **MivoCloud** and **HZ Hosting Ltd.** Separately, Malwarebytes-linked reporting described a **typosquatting** campaign impersonating the Huorong antivirus site (`huoronga[.]com` vs. `huorong.cn`) to distribute **ValleyRAT** (built on the **Winos4.0** framework), attributed to the Chinese-speaking **Silver Fox APT**; the payload was routed through an intermediary domain and hosted on **Cloudflare R2**, with a ZIP masquerading as Huorong (`BR火绒445[.]zip`). In a different region and access vector, Group-IB reported Iran-linked **MuddyWater** running **Operation Olalampo** against MENA targets using **phishing emails** with malicious Office documents/macros to deploy new tooling including **GhostFetch** (dropping **GhostBackDoor**) and **CHAR** (a Rust backdoor controlled via a **Telegram bot**), plus variants using **HTTP_VIP** to deploy *AnyDesk*; the campaign also leveraged recently disclosed vulnerabilities on public-facing servers for initial access.
Mar 21, 2026
Malware Delivery via Deceptive Lures: Malvertising, Fake Recruitment Repos, and Phishing Dropping RATs
Multiple reports detail **social-engineering-driven malware delivery** that results in **remote access trojans (RATs)** and credential theft. Infoblox described observing an affiliate push-notification ad network after exploiting misconfigured DNS delegations (“**Sitting Ducks**”/lame name server delegation) to take over abandoned threat-actor domains, allowing collection of **~57M logs** over two weeks and visibility into widespread **scams and brand impersonation** delivered via push ads. Nextron Systems separately reported recurring **malvertising** chains where “free converter” tools (e.g., document/image converters) downloaded from ads on legitimate sites function as advertised while covertly installing **persistent RATs**, with common artifacts such as Windows **Mark-of-the-Web** (`ZoneId=3`) indicating internet origin. Other activity in the set reflects different initial-access lures but the same general outcome—RAT-style access and data theft. Fortinet analyzed a **phishing** campaign using a fake Vietnam shipping document: a Word attachment leads to an RTF stage that exploits an RTF-related vulnerability, then uses **VBScript/PowerShell** to load a **fileless .NET module**, ultimately downloading and injecting a **Remcos** variant (including process hollowing) to provide full remote control. Separately, reporting on North Korea’s **“Contagious Interview”** campaign described fake recruiter outreach (e.g., via LinkedIn) that tricks developers into opening malicious code repositories; execution can be triggered via a hidden **VS Code `tasks` configuration**, server-side logic hooks, or a malicious npm dependency to steal credentials/crypto wallets and establish persistence—this is thematically similar (social engineering leading to remote access) but is a distinct operation from the malvertising/push-ad and Remcos phishing activity.
Mar 21, 2026
Multiple RAT Delivery Campaigns Using Phishing and Trojanized Software
Security researchers reported several unrelated **remote access trojan (RAT)** delivery campaigns using different initial access vectors and lures. Seqrite Labs described “**Operation Covert Access**,” a spear‑phishing operation targeting Argentina’s judiciary with a ZIP attachment containing a convincing court-resolution decoy; execution is triggered by a malicious `LNK` masquerading as a PDF, which launches hidden PowerShell to fetch additional stages from a GitHub repository, culminating in a custom **Rust-based RAT** that attempts to blend in by renaming itself (e.g., `msedge_proxy.exe`). Separately, AhnLab Security Intelligence Center reported South Korea-focused activity distributing **RemcosRAT** through illegal online gambling-related tools and trojanized *VeraCrypt* installers, using embedded malicious VBS scripts and a multi-stage chain that ultimately deploys a RAT capable of surveillance and data theft (e.g., keylogging, screenshot/webcam/mic capture, credential/data harvesting). Another campaign documented by ReliaQuest abused **LinkedIn private messages** to deliver a bundled legitimate application alongside a malicious DLL for **DLL sideloading**, enabling RAT deployment under the guise of a trusted process; the reporting emphasized that social platforms can serve as effective phishing channels beyond email and that the technique is portable to other commonly used business messaging platforms.
Mar 21, 2026