Multiple malware campaigns using compromised websites and phishing lures to deliver RATs and stealers
Threat actors are using compromised or spoofed websites to trick victims into executing malware, with lures ranging from fake browser updates to counterfeit security-software download pages. Recorded Future’s Insikt Group reported that financially motivated GrayCharlie (overlapping with SmartApeSG) compromised multiple U.S. law-firm WordPress sites—potentially via a shared IT/marketing provider—and injected externally hosted JavaScript that redirected visitors to bogus update pages or fake CAPTCHA flows. Victims were prompted to run a PowerShell command via the Windows Run dialog, leading to NetSupport RAT installation and follow-on delivery of Stealc and SectopRAT; the operation’s infrastructure was noted as being supported by MivoCloud and HZ Hosting Ltd.
Separately, Malwarebytes-linked reporting described a typosquatting campaign impersonating the Huorong antivirus site (huoronga[.]com vs. huorong.cn) to distribute ValleyRAT (built on the Winos4.0 framework), attributed to the Chinese-speaking Silver Fox APT; the payload was routed through an intermediary domain and hosted on Cloudflare R2, with a ZIP masquerading as Huorong (BR火绒445[.]zip). In a different region and access vector, Group-IB reported Iran-linked MuddyWater running Operation Olalampo against MENA targets using phishing emails with malicious Office documents/macros to deploy new tooling including GhostFetch (dropping GhostBackDoor) and CHAR (a Rust backdoor controlled via a Telegram bot), plus variants using HTTP_VIP to deploy AnyDesk; the campaign also leveraged recently disclosed vulnerabilities on public-facing servers for initial access.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
GrayCharlie campaign deploys NetSupport RAT and follow-on malware
Victims of the law firm website campaign were tricked into running a PowerShell command via the Windows Run dialog, leading to installation of NetSupport RAT. The RAT was then used for surveillance, file operations, and delivery of additional payloads including Stealc and SectopRAT.
GrayCharlie compromises U.S. law firm WordPress sites for malware delivery
A financially motivated operation tracked as GrayCharlie, overlapping with SmartApeSG, compromised WordPress websites belonging to U.S. law firms in a supply-chain-style campaign. The attackers injected links to externally hosted JavaScript that redirected visitors to fake browser update pages and fake CAPTCHA lures.
Malwarebytes links ValleyRAT campaign to Silver Fox APT and publishes IOCs
Malwarebytes attributed the fake Huorong download campaign to the Chinese-speaking Silver Fox APT and detailed ValleyRAT's behavior, including Windows Defender exclusions, a scheduled task named "Batteries," registry-stored configuration, and C2 communications to 161.248.87[.]250 over TCP 443. The report also published domains, hashes, file paths, and registry keys to support detection and response.
Attackers launch fake Huorong antivirus sites to spread ValleyRAT
Attackers created typosquatted clones of the Huorong Security antivirus website to trick users into downloading ValleyRAT, a remote access trojan built on the Winos4.0 framework. The infection chain routed download clicks through a redirect domain and served the payload from Cloudflare R2 storage using social engineering rather than a zero-day exploit.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malware campaigns abusing trusted software channels (browser extensions, developer tools, and Google Ads) to deliver RATs and stealers
Multiple active malware campaigns are abusing *trusted distribution channels*—including Chrome/Edge extensions, Visual Studio Code extensions, and Google Ads/redirection infrastructure—to trick users into executing payloads that deliver **remote access trojans (RATs)** or **information stealers**. Huntress reported a malvertising-driven fake ad blocker extension, **NexShield**, that intentionally forces Chrome/Edge into a crash/DoS state by looping `chrome.runtime` port connections; on restart it displays a fake “security warning” and uses a **ClickFix-style** social engineering flow (“CrashFix”) to push users to paste and run clipboard-copied commands that trigger an obfuscated PowerShell download-and-execute chain, ultimately deploying the Python-based **ModeloRAT** in corporate environments. Separately, Trend Micro described **Evelyn Stealer** delivered via a trojanized **Visual Studio Code extension** that drops a malicious `Lightshot.dll` side-loaded by legitimate *Lightshot* (`Lightshot.exe`), then runs staged PowerShell and payload retrieval to steal browser credentials, cookies, crypto wallets, VPN/Wi‑Fi data, files, and screenshots before exfiltrating to an attacker-controlled FTP server—posing elevated risk when developer workstations are compromised. South Korea-focused activity also features prominently across several reports, with multiple delivery vectors leading to RAT deployment. ASEC documented **Remcos RAT** distributed via fake installers masquerading as *VeraCrypt* and via gambling-related “lookup” tools, using multi-stage obfuscated **VBS/PowerShell** chains and enabling credential theft, keylogging, and device surveillance (webcam/mic). Genians attributed “**Operation Poseidon**” to the **Konni APT**, describing spear-phishing that abuses Google’s advertising/tracking redirection (e.g., `ad.doubleclick.net` parameters) to make malicious links appear legitimate, redirecting victims to compromised WordPress infrastructure hosting ZIPs with LNK files that launch AutoIt-based loaders to run an **EndRAT** variant in memory. Nextron Systems reported widespread trojanized “free converter” apps promoted via malicious Google ads and lookalike converter sites (e.g., `ez2convertapp[.]com`, `convertyfileapp[.]com`), with some payloads signed using abused/rotating code-signing certificates (e.g., BLUE TAKIN LTD, TAU CENTAURI LTD, SPARROW TIDE LTD) to evade trust checks while installing persistent backdoors.
Mar 21, 2026
Malware Delivery via Deceptive Lures: Malvertising, Fake Recruitment Repos, and Phishing Dropping RATs
Multiple reports detail **social-engineering-driven malware delivery** that results in **remote access trojans (RATs)** and credential theft. Infoblox described observing an affiliate push-notification ad network after exploiting misconfigured DNS delegations (“**Sitting Ducks**”/lame name server delegation) to take over abandoned threat-actor domains, allowing collection of **~57M logs** over two weeks and visibility into widespread **scams and brand impersonation** delivered via push ads. Nextron Systems separately reported recurring **malvertising** chains where “free converter” tools (e.g., document/image converters) downloaded from ads on legitimate sites function as advertised while covertly installing **persistent RATs**, with common artifacts such as Windows **Mark-of-the-Web** (`ZoneId=3`) indicating internet origin. Other activity in the set reflects different initial-access lures but the same general outcome—RAT-style access and data theft. Fortinet analyzed a **phishing** campaign using a fake Vietnam shipping document: a Word attachment leads to an RTF stage that exploits an RTF-related vulnerability, then uses **VBScript/PowerShell** to load a **fileless .NET module**, ultimately downloading and injecting a **Remcos** variant (including process hollowing) to provide full remote control. Separately, reporting on North Korea’s **“Contagious Interview”** campaign described fake recruiter outreach (e.g., via LinkedIn) that tricks developers into opening malicious code repositories; execution can be triggered via a hidden **VS Code `tasks` configuration**, server-side logic hooks, or a malicious npm dependency to steal credentials/crypto wallets and establish persistence—this is thematically similar (social engineering leading to remote access) but is a distinct operation from the malvertising/push-ad and Remcos phishing activity.
Mar 21, 2026Email and typosquatting campaigns delivering RAT malware via trojanized installers and malicious JPEG payloads
Multiple active malware delivery campaigns are using social engineering and trusted-looking artifacts to install **remote access trojans (RATs)**. One campaign impersonates the popular Chinese antivirus *Huorong Security* via a typosquatted domain `huoronga[.]com`, routing downloads through an intermediary domain and serving a trojanized NSIS installer from Cloudflare R2; the payload is **ValleyRAT**, described as built on the **Winos4.0** framework and attributed to the Chinese-speaking **Silver Fox** threat group. The infection chain is designed to look legitimate end-to-end (convincing website, normal installer UX) while deploying a full-featured backdoor with stealth and injection capabilities. Separately, email-borne campaigns are abusing attachments and “benign” file types to smuggle malware. Fortinet-reported activity uses phishing lures (e.g., payment or bank-document themes) with Excel attachments exploiting `CVE-2018-0802` to launch scripts that download a JPEG containing embedded **XWorm 7.2**, then uses **process hollowing** (e.g., into `Msbuild.exe`) and connects to a C2 at `berlin101.com` over port `6000` with AES encryption. SANS ISC also documented a similar “malicious JPEG” technique observed in the wild, where a large, heavily obfuscated JScript attachment (delivered in a GZIP wrapper) attempts persistence by copying itself to the Startup folder and participates in a chain that ultimately leverages payloads embedded in JPEGs; the message spoofing failed DMARC/SPF checks, which would likely lead to quarantine in many environments.
Mar 21, 2026