Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures
Multiple reports describe social-engineering campaigns that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of fake Zoom/Teams/Adobe update sites reached via meeting-invite and document lures; the downloaded executables were signed with a compromised EV code-signing certificate (issued to TrustConnect Software PTY LTD) and acted as droppers for remote monitoring and management (RMM) tools, enabling persistent access. Separately, ClearSky described a suspected Russian espionage phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (BadPaw) and a backdoor (MeowMeow) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to APT28.
Mobile-focused lures were also reported: CloudSEK detailed SMS phishing targeting Israeli civilians with a trojanized Red Alert rocket-warning app, using a multi-stage loader chain to deploy spyware with banking trojan capabilities and exfiltrate SMS, contacts, and location to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android “Massiv” IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic smishing patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
ClearSky attributes Ukraine phishing campaign to Russian state-aligned actor
In the same March 4 reporting, ClearSky said with high confidence that the Ukraine-focused malware campaign was conducted by a Russian state-aligned actor and with low confidence linked it to APT28. The report did not identify specific victims or confirm whether the operation successfully compromised targets.
ClearSky reports new BadPaw and MeowMeow malware targeting Ukraine
ClearSky disclosed a suspected Russian espionage campaign against Ukraine using phishing emails that delivered a ZIP archive with a Ukrainian-language decoy document. The infection chain installed the BadPaw loader and the MeowMeow backdoor, which included anti-analysis checks and file-manipulation capabilities.
Researchers detail spyware campaign using fake Israeli rocket-warning app
CloudSEK and Acronis described a cyberespionage campaign targeting Israelis via SMS phishing with a trojanized Red Alert/Oref Alert app. The malware harvested SMS messages, contacts, location data, and credentials, maintained persistence, and exfiltrated data to attacker-controlled infrastructure; Acronis said the activity may be linked to Arid Viper.
Acronis identifies trojanized Israeli alert app after social media reports
Acronis Threat Research Unit identified a malicious Android app on March 1, 2026, after Israeli citizens reported SMS scam messages on social media. The campaign impersonated Israel's official rocket-warning services and used shortened links to deliver spyware disguised as an emergency-alert app.
Fake meeting-update malware campaign begins using stolen EV certificate
Microsoft Defender Security Research Team said a phishing campaign began around February 2026, using fake Zoom, Microsoft Teams, and Adobe Reader update sites tied to meeting-invite lures. The attackers used a compromised Extended Validation code-signing certificate associated with TrustConnect Software PTY LTD to make the malware appear legitimate.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Spyware disguised as emergency-alert app sent to Israelis • The Register
go.theregister.com
Open sourceFake Zoom, Teams Invites Drop Malware Using Compromised Certificates
hackread.com
Open sourceTrojanized Israeli rocket warning app spread in cyberespionage campaign | brief | SC Media
scworld.com
Open sourceRussian hackers deploy new malware in phishing campaign targeting Ukraine | The Record from Recorded Future News
therecord.media
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware
Multiple reports highlight a surge in **social-engineering-led initial access**, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates *Zoom*, *Microsoft Teams*, and *Adobe Reader* updates and uses **stolen Extended Validation (EV) code-signing certificates** (including one issued to **TrustConnect Software PTY LTD**) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install **RMM tooling** such as *ScreenConnect* and *MeshAgent* for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a **ClickFix**-style operation targeting crypto/Web3 professionals via **fake venture capital personas on LinkedIn**, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., *SolidBit Capital*, *MegaBit*, *Lumax Capital*) and domains attributed to a single registrant. In parallel, NCC Group’s Fox-IT assessed that **messaging platforms** (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. One referenced item is materially different from the above social-engineering theme: reporting on suspected **DPRK-linked intrusions** into cryptocurrency organizations describes web-app exploitation (including `CVE-2025-55182` in *React2Shell*) and the use of pre-obtained **AWS access tokens** to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.
Mar 21, 2026
Mobile and Messaging Scams Use Impersonation and Urgency to Steal Credentials and Data
Acronis researchers reported a deceptive Android campaign targeting Israeli users with a trojanized version of the *Red Alert* rocket-warning app distributed via SMS messages impersonating Israel’s Home Front Command. The fake app displays legitimate rocket alerts to reduce suspicion while requesting extensive permissions that enable **GPS tracking**, **SMS interception (including one-time passwords)**, contact harvesting, installed-app enumeration, and account discovery; collected data is exfiltrated to a remote server, and the operators used **certificate spoofing** to make the installation appear as if it came from Google Play. Separate consumer-focused advisories described multiple **social-engineering/phishing** lures delivered via text, email, and calendar invites: an “Amazon recall” SMS that pushes victims to a credential-harvesting site for “refunds,” an “Apple Security Alert” pop-up/text/email that attempts to drive victims to call a fraudulent support number or surrender credentials/2FA/payment details, and a trend of **fake calendar invitations** increasingly appearing in Microsoft Outlook (previously more common in Gmail) using urgent subjects (e.g., “Final Notice”) and domain-reconnaissance to personalize invites; the Outlook example noted mixed authentication signals (DMARC/SPF/DKIM pass/fail across relays), underscoring that users and defenders should treat unsolicited invites and urgent account/payment prompts as high-risk even when messages appear superficially legitimate.
Mar 23, 2026
Mobile and Web Fraud Campaigns Impersonating Public Services to Steal Data
Multiple active fraud and malware operations are abusing *trusted themes and brands* to compromise users, with a heavy emphasis on mobile-first delivery via social engineering. Zimperium reported a **targeted Android spyware** operation delivered through a fake “dating” app promoted via social media and messaging links; once installed, the app requests broad permissions (e.g., SMS, contacts, media) to enable **surveillance and data exfiltration** including messages, location, and credentials. Separately, Zimperium also described an Android campaign that **hides a RAT inside artifacts presented as legitimate AI/ML components** hosted on trusted framework infrastructure, enabling attackers to bypass basic screening and gain persistent device control (data theft, screen capture, remote command execution). In parallel, CybersecurityNews summarized two public-service impersonation campaigns tied to “traffic ticket” lures. In India, attackers are mimicking **RTO e-challan** notifications distributed via WhatsApp and other messaging platforms to push off-store Android apps that steal financial and personal data; the malware reportedly uses a **three-stage modular architecture**, dynamic remote configuration, anti-analysis, and a **custom VPN tunnel** to conceal C2 and exfiltration, while prompting victims for high-risk permissions and to disable battery optimization for persistence. In Canada, a separate operation uses **SEO poisoning** and SMS/ad lures to drive victims to **fake provincial traffic ticket payment portals** (e.g., BC, Ontario, Quebec) that harvest PII and payment card data; Unit 42 attributed the activity to a broader fraud network using a phishing kit with a “waiting room” feature and infrastructure spanning **70+ domains**, including concentration on the `45.156.87.0/24` netblock.
Mar 21, 2026