Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware
Multiple reports highlight a surge in social-engineering-led initial access, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates Zoom, Microsoft Teams, and Adobe Reader updates and uses stolen Extended Validation (EV) code-signing certificates (including one issued to TrustConnect Software PTY LTD) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install RMM tooling such as ScreenConnect and MeshAgent for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a ClickFix-style operation targeting crypto/Web3 professionals via fake venture capital personas on LinkedIn, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., SolidBit Capital, MegaBit, Lumax Capital) and domains attributed to a single registrant.
In parallel, NCC Group’s Fox-IT assessed that messaging platforms (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. One referenced item is materially different from the above social-engineering theme: reporting on suspected DPRK-linked intrusions into cryptocurrency organizations describes web-app exploitation (including CVE-2025-55182 in React2Shell) and the use of pre-obtained AWS access tokens to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft discloses details of signed-malware phishing activity
Microsoft reported that the February 2026 phishing campaign used fake meeting invitations, deceptive download sites, and signed payloads that installed remote monitoring and management tools such as ScreenConnect and MeshAgent. The company said the activity also used encoded PowerShell to fetch additional tooling, underscoring that code-signing trust alone is insufficient.
Fox-IT reports growing abuse of messaging platforms for phishing
NCC Group's Fox-IT reported that attackers are increasingly using platforms such as WhatsApp, Telegram, Discord, Signal, LinkedIn, and integrated messaging services for phishing, payload delivery, and coordination. The report also highlighted Telegram's role as infrastructure for phishing pages, malware hosting, stolen data, and bot-driven criminal services.
Researchers link ClickFix infrastructure to rotating fake VC fronts
Moonlock linked the campaign's malicious domains to a single registrant, identified as Anatolli Bigdasch in Boston, and found additional fake fronts including MegaBit and Lumax Capital. The findings showed the operators were rotating investor identities and decoy sites as exposure increased.
Phishing campaign with signed fake software updates begins
A phishing campaign began in February 2026 targeting office workers with fake software update installers for applications such as Zoom, Microsoft Teams, and Adobe Reader. The attackers used stolen or compromised digital certificates so the malicious executables appeared trustworthy and could bypass some security controls.
ClickFix campaign targeting crypto and Web3 professionals is first tracked
In early 2026, researchers first tracked a coordinated campaign targeting cryptocurrency and Web3 professionals through LinkedIn social engineering and fake venture capital personas. The operation used a ClickFix lure chain involving a fake investor identity, Calendly scheduling, and spoofed video-conferencing pages to trick victims into running attacker-supplied commands.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
New phishing attacks exploit stolen digital certificates for malicious software | brief | SC Media
scworld.com
Open sourceClickFix Campaign Uses Fake VCs on LinkedIn to Deliver Malware to Crypto and Web3 Professionals
cybersecuritynews.com
Open sourceThreat Actors Abuse Messaging Platforms to Launch Phishing Attacks
blog.knowbe4.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Inbound Social Engineering and Malware Delivery Campaigns Targeting Crypto, Web3, and Enterprises
Multiple reports describe **social-engineering-led initial access** that pivots into malware execution and credential/financial theft. A documented “pig butchering” approach abuses the higher-trust dynamics of matrimonial platforms to build rapport and then steer victims toward cryptocurrency-related actions. Separately, an “inbound” recruitment lure targets **Web3/crypto professionals** by impersonating legitimate companies and driving candidates to install fake interview software (e.g., `collaborex_setup.msi`) that initiates command-and-control to infrastructure such as `179.43.159.106`, with the added risk that victims often use corporate endpoints that also have personal wallets installed. In parallel, technical reporting highlights enterprise-focused malware delivery via trojanized software and email. **ValleyRAT_S2** (a C++ second-stage backdoor/RAT) is being distributed via fake Chinese-language productivity tools, cracked software, and trojanized installers, including **DLL side-loading** (e.g., a malicious `steam_api64.dll`) and C2 over custom TCP (e.g., `27.124.3.175:14852`), enabling long-term control and theft of financial data. Kaspersky also reported a malicious-email wave against Russian private-sector organizations using a PDF-icon masquerade that drops a .NET downloader, installs a persistent service, and stages payloads under `C:\ProgramData\Microsoft Diagnostic\Tasks` before delivering an **infostealer**. A separate blog post discusses phishing enabled by **misconfigured Microsoft 365/hybrid Exchange mail routing and weak SPF/DKIM/DMARC enforcement**, allowing spoofed “internal” emails that can facilitate credential theft and BEC; while related in theme (phishing), it is not clearly tied to the same malware campaigns described elsewhere.
Apr 12, 2026
Social Engineering and Phishing-Driven Intrusions Targeting Identity and Remote Access
Multiple reports highlight **social engineering and phishing** as primary initial-access vectors, with attackers increasingly targeting **identity systems** rather than exploiting software vulnerabilities. Microsoft was again the most spoofed brand in phishing during Q4 2025 (22% of observed brand-impersonation attempts), reflecting how attackers abuse trust in major identity and productivity platforms to harvest credentials; examples cited include lures mimicking Netflix account recovery, Roblox-related pages, and Spanish-language Facebook scams. Separately, an incident response case described payroll fraud achieved without malware or a network breach: an attacker impersonated employees to help desks, reset passwords, re-enrolled MFA, and registered an external email as an authentication method in **Azure Active Directory**, then altered direct-deposit details to redirect paychecks—underscoring how **help-desk processes and MFA reset workflows** can be exploited for persistence and financial theft. Targeted campaigns also show continued evolution in delivery tradecraft for **remote access**. A spear-phishing operation against Argentina’s judicial sector used ZIP attachments containing a weaponized Windows shortcut (`.lnk`) masquerading as a PDF plus scripts and a decoy court document to deploy a **Remote Access Trojan** while minimizing user suspicion. In parallel, research described **Pulsar RAT** (a Quasar RAT derivative) emphasizing stealth via **memory-only execution** and **HVNC**, with TLS-encrypted C2 and configuration retrieval from public paste sites, alongside persistence mechanisms such as scheduled tasks and UAC-bypass techniques. Another campaign attributed to **Konni APT** (“Operation Poseidon”) abused **Google and Naver ad redirection** (e.g., `ad.doubleclick[.]net`, `mkt.naver[.]com`) to launder clicks through trusted ad infrastructure before landing victims on compromised sites hosting malware, demonstrating how open-redirect and ad-tech trust can bypass reputation-based controls.
Mar 21, 2026
Phishing and Smishing Campaigns Delivering Malware via Fake Apps and Trusted-Looking Lures
Multiple reports describe **social-engineering campaigns** that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of **fake Zoom/Teams/Adobe update sites** reached via meeting-invite and document lures; the downloaded executables were signed with a **compromised EV code-signing certificate** (issued to *TrustConnect Software PTY LTD*) and acted as droppers for **remote monitoring and management (RMM) tools**, enabling persistent access. Separately, ClearSky described a suspected **Russian espionage** phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (**BadPaw**) and a backdoor (**MeowMeow**) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to **APT28**. Mobile-focused lures were also reported: CloudSEK detailed **SMS phishing** targeting Israeli civilians with a trojanized **Red Alert** rocket-warning app, using a multi-stage loader chain to deploy spyware with **banking trojan** capabilities and exfiltrate **SMS, contacts, and location** to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android **“Massiv”** IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic **smishing** patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.
Mar 21, 2026