Mallory

Phishing and software impersonation campaigns delivering malware via trusted services

Tags: malware delivery, phishing, trojanized software, malicious OAuth apps, credential theft, impersonation, OAuth abuse, SEO poisoning, DLL hijacking, Microsoft Entra ID, DLL search-order hijacking, lookalike domains, persistence services, FileZilla, FTP credentials

Updated March 3, 2026 at 10:07 AM · 2 sources

Microsoft reported ongoing OAuth abuse campaigns targeting government and public-sector organizations, where phishing emails lure users into clicking links that leverage legitimate identity-provider redirect behavior (e.g., Microsoft Entra ID and other OAuth providers) to send victims to attacker-controlled pages for malware delivery and potential device takeover. Lures included e-signature requests, Teams meeting recordings, Microsoft 365 password resets, and political themes; Microsoft said it disabled identified malicious OAuth applications but warned related activity persists and requires continued monitoring.
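
The check a mail gateway or analyst would want for the links described above, as an added example that is not code from the page or from Microsoft: it parses an Entra ID authorize URL, pulls out the `redirect_uri` the identity provider will send the user to after sign-in, and flags one that lands outside an assumed allowlist. The IdP host, the allowlist and the sample links are constructed assumptions.

```python
from urllib.parse import urlparse, parse_qs

# Identity-provider authorize endpoints we expect in legitimate links (assumed: Entra ID only).
IDP_HOSTS = {"login.microsoftonline.com"}
# Hosts a sign-in flow is allowed to redirect back to (assumed example allowlist).
ALLOWED_REDIRECT_HOSTS = {"portal.example.com", "app.example.com"}

def host_allowed(host, allowed):
    """Exact match or a true subdomain of an allowed host; no substring matching,
    so a lookalike such as portal.example.com.evil.test does not pass."""
    host = (host or "").lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in allowed)

def inspect_oauth_link(url):
    """Describe where an authorize link sends the user once the IdP redirects."""
    parsed = urlparse(url)
    result = {"idp": parsed.hostname or "", "redirect_host": None, "verdict": "not-oauth"}
    # Only authorize endpoints carry a redirect_uri worth inspecting.
    if not host_allowed(result["idp"], IDP_HOSTS) or "/oauth2/" not in parsed.path:
        return result
    redirect = parse_qs(parsed.query).get("redirect_uri", [None])[0]  # parse_qs decodes %xx once
    if redirect is None:
        result["verdict"] = "suspicious: authorize link without redirect_uri"
        return result
    result["redirect_host"] = urlparse(redirect).hostname or ""
    if host_allowed(result["redirect_host"], ALLOWED_REDIRECT_HOSTS):
        result["verdict"] = "ok"
    else:
        result["verdict"] = "suspicious: redirect to unexpected host"
    return result

# Constructed sample links: a legitimate one and a lookalike redirect target.
GOOD_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
             "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
             "&redirect_uri=https%3A%2F%2Fportal.example.com%2Fcallback&scope=openid")
LOOKALIKE_LINK = ("https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
                  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
                  "&redirect_uri=https%3A%2F%2Fportal.example.com.evil-updates.test%2Fsign")

if __name__ == "__main__":
    for link in (GOOD_LINK, LOOKALIKE_LINK):
        r = inspect_oauth_link(link)
        print(f"{r['verdict']:45} redirect_host={r['redirect_host']}")
```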

Separately, researchers described multiple deception-based malware delivery operations that rely on impersonation of trusted brands and software rather than exploiting product vulnerabilities. One campaign spoofed Zoom and Google Meet to install the legitimate Teramind monitoring agent for covert surveillance, using fake landing pages and a Microsoft Store lookalike, persistence via services (including tsvchst and pmon), and traffic masking via built-in SOCKS5 proxy support; defenders were advised to check for related drivers (e.g., tm_filter.sys, tmfsdrv2.sys) and artifacts under ProgramData. Another campaign used a lookalike domain (filezilla-project[.]live) to distribute a trojanized portable FileZilla 3.69.5 bundle that adds a malicious DLL for DLL search-order hijacking, enabling credential theft (including saved FTP credentials) and C2 activity—highlighting a broader trend of trusted software impersonation and search/SEO poisoning as an initial access vector.

Related Stories

Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware

Multiple reports highlight a surge in **social-engineering-led initial access**, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates *Zoom*, *Microsoft Teams*, and *Adobe Reader* updates and uses **stolen Extended Validation (EV) code-signing certificates** (including one issued to **TrustConnect Software PTY LTD**) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install **RMM tooling** such as *ScreenConnect* and *MeshAgent* for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a **ClickFix**-style operation targeting crypto/Web3 professionals via **fake venture capital personas on LinkedIn**, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., *SolidBit Capital*, *MegaBit*, *Lumax Capital*) and domains attributed to a single registrant. In parallel, NCC Group’s Fox-IT assessed that **messaging platforms** (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. 
One referenced item is materially different from the above social-engineering theme: reporting on suspected **DPRK-linked intrusions** into cryptocurrency organizations describes web-app exploitation (including `CVE-2025-55182` in *React2Shell*) and the use of pre-obtained **AWS access tokens** to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.

1 week ago
Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments

Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.

5 days ago
Phishing Campaigns Abuse Legitimate Monitoring and Remote-Access Tools for Stealthy Takeover

Security researchers reported multiple phishing campaigns that impersonate trusted brands to trick users into installing **legitimate enterprise software** repurposed for surveillance and remote control. One campaign uses fake **Zoom** and **Google Meet** “meeting room” pages that simulate a waiting room experience (participant names, audio cues, and a persistent “network issue” message) and then pressure victims with a forced “update required” download via a countdown timer. After execution, a **modified Teramind agent** is installed in *stealth mode* (no visible icons/notifications), enabling extensive monitoring such as keystroke capture, screenshots, browsing history, and clipboard collection. A separate campaign targets cryptocurrency users by impersonating the **Yoroi Desktop Wallet** and advertising a “security upgrade” via a polished landing page hosted on a recently registered domain (`hxxps://download[.]v1desktop-yoroiwallet[.]com/`). The download chain redirects to a file-sharing service and delivers an MSI (`YoroiDesktop-installer.msi`) that does not install a wallet; instead it installs **GoTo Resolve (LogMeIn)** in **unattended** mode for silent remote access. Reported artifacts include `YoroiDesktop-installer.msi` (hash `8634AD3C6488D6A27719C5341E91EEB9`) and `unattended-updater.exe` (hash `2A2D9B03AA6185F434568F5F4C42BF49`), along with configuration values indicating enrollment into a preconfigured remote-access fleet (e.g., `CompanyId: 5504330483880245799`, `FleetTemplateName: syn-prd-ava-unattended`).

2 weeks ago