Phishing and software impersonation campaigns delivering malware via trusted services
Microsoft reported ongoing OAuth abuse campaigns targeting government and public-sector organizations, where phishing emails lure users into clicking links that leverage legitimate identity-provider redirect behavior (e.g., Microsoft Entra ID and other OAuth providers) to send victims to attacker-controlled pages for malware delivery and potential device takeover. Lures included e-signature requests, Teams meeting recordings, Microsoft 365 password resets, and political themes; Microsoft said it disabled identified malicious OAuth applications but warned related activity persists and requires continued monitoring.
Separately, researchers described multiple deception-based malware delivery operations that rely on impersonation of trusted brands and software rather than exploiting product vulnerabilities. One campaign spoofed Zoom and Google Meet to install the legitimate Teramind monitoring agent for covert surveillance, using fake landing pages and a Microsoft Store lookalike, persistence via services (including tsvchst and pmon), and traffic masking via built-in SOCKS5 proxy support; defenders were advised to check for related drivers (e.g., tm_filter.sys, tmfsdrv2.sys) and artifacts under ProgramData. Another campaign used a lookalike domain (filezilla-project[.]live) to distribute a trojanized portable FileZilla 3.69.5 bundle that adds a malicious DLL for DLL search-order hijacking, enabling credential theft (including saved FTP credentials) and C2 activity—highlighting a broader trend of trusted software impersonation and search/SEO poisoning as an initial access vector.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers publish technical analysis and detection guidance for both campaigns
Malwarebytes disclosed technical details for the fake FileZilla and Teramind campaigns, including DLL hijacking behavior, anti-analysis checks, DNS-over-HTTPS and C2 patterns, attacker-linked installer naming, persistence mechanisms, and hunting recommendations. The guidance urged users to download FileZilla only from the official site and to monitor for Teramind-related artifacts and services on Windows hosts.
Phishing campaign deploys Teramind via fake Zoom and Google Meet lures
Threat actors launched phishing campaigns spoofing Zoom and Google Meet that redirected victims to malicious landing pages posing as a Microsoft Store page. The campaign installed the legitimate Teramind monitoring software on Windows systems for covert surveillance, using persistence services and SOCKS5 proxying to mask activity.
Fake FileZilla site distributes trojanized portable archive
A lookalike website, filezilla-project[.]live, began distributing a tampered portable ZIP of FileZilla 3.69.5. The archive bundled the legitimate application with a malicious version.dll designed to execute through Windows DLL search order hijacking when FileZilla is launched.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware
Multiple reports highlight a surge in **social-engineering-led initial access**, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates *Zoom*, *Microsoft Teams*, and *Adobe Reader* updates and uses **stolen Extended Validation (EV) code-signing certificates** (including one issued to **TrustConnect Software PTY LTD**) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install **RMM tooling** such as *ScreenConnect* and *MeshAgent* for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a **ClickFix**-style operation targeting crypto/Web3 professionals via **fake venture capital personas on LinkedIn**, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., *SolidBit Capital*, *MegaBit*, *Lumax Capital*) and domains attributed to a single registrant. In parallel, NCC Group’s Fox-IT assessed that **messaging platforms** (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. One referenced item is materially different from the above social-engineering theme: reporting on suspected **DPRK-linked intrusions** into cryptocurrency organizations describes web-app exploitation (including `CVE-2025-55182` in *React2Shell*) and the use of pre-obtained **AWS access tokens** to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.
Mar 21, 2026
Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as *Microsoft Teams*, *Zoom*, and *Adobe Acrobat Reader* installers (e.g., `msteams.exe`, `zoomworkspace.clientsetup.exe`, `adobereader.exe`, `invite.exe`) that appeared trustworthy because they were **digitally signed** with an Extended Validation (EV) certificate issued to **TrustConnect Software PTY LTD**. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls. After execution, the signed malware deployed **remote monitoring and management (RMM)** tooling—reported examples include **ScreenConnect**, **Tactical RMM**, and **Mesh Agent**—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing **malicious ISO attachments** embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
Mar 21, 2026
Phishing Campaigns Abuse Legitimate Monitoring and Remote-Access Tools for Stealthy Takeover
Security researchers reported multiple phishing campaigns that impersonate trusted brands to trick users into installing **legitimate enterprise software** repurposed for surveillance and remote control. One campaign uses fake **Zoom** and **Google Meet** “meeting room” pages that simulate a waiting room experience (participant names, audio cues, and a persistent “network issue” message) and then pressure victims with a forced “update required” download via a countdown timer. After execution, a **modified Teramind agent** is installed in *stealth mode* (no visible icons/notifications), enabling extensive monitoring such as keystroke capture, screenshots, browsing history, and clipboard collection. A separate campaign targets cryptocurrency users by impersonating the **Yoroi Desktop Wallet** and advertising a “security upgrade” via a polished landing page hosted on a recently registered domain (`hxxps://download[.]v1desktop-yoroiwallet[.]com/`). The download chain redirects to a file-sharing service and delivers an MSI (`YoroiDesktop-installer.msi`) that does not install a wallet; instead it installs **GoTo Resolve (LogMeIn)** in **unattended** mode for silent remote access. Reported artifacts include `YoroiDesktop-installer.msi` (hash `8634AD3C6488D6A27719C5341E91EEB9`) and `unattended-updater.exe` (hash `2A2D9B03AA6185F434568F5F4C42BF49`), along with configuration values indicating enrollment into a preconfigured remote-access fleet (e.g., `CompanyId: 5504330483880245799`, `FleetTemplateName: syn-prd-ava-unattended`).
Mar 20, 2026