Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as Microsoft Teams, Zoom, and Adobe Acrobat Reader installers (e.g., msteams.exe, zoomworkspace.clientsetup.exe, adobereader.exe, invite.exe) that appeared trustworthy because they were digitally signed with an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls.
After execution, the signed malware deployed remote monitoring and management (RMM) tooling—reported examples include ScreenConnect, Tactical RMM, and Mesh Agent—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing malicious ISO attachments embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
Related Entities
Affected Products
Sources
Related Stories
Phishing Campaigns Abuse Digital Invites and Fake Meeting Pages to Steal Credentials and Deploy RMM Tools
Threat actors are abusing the familiarity of **digital invitation and meeting platforms** to increase phishing success rates. Cofense reported malicious *Punchbowl/Paperless Post*-themed invitations that prompt recipients to “log in to view event details,” then redirect to phishing infrastructure offering branded sign-in options (e.g., **Microsoft, Yahoo, AOL, Google, Dropbox**) to harvest credentials. The phishing flow may solicit multiple credential sets by returning fake login errors and urging users to try alternate accounts; submitted credentials are exfiltrated to attacker-controlled domains, often leveraging newly registered domains to evade reputation-based defenses. Separately, Netskope research (reported by KnowBe4) described **fake video meeting invites** for *Zoom, Microsoft Teams, Google Meet,* and similar services that lead to spoofed “join meeting” pages showing purported coworkers already on the call. Victims are instructed to install a required “update” to join; the payload is a **digitally signed remote monitoring and management (RMM) tool** such as *Datto RMM, LogMeIn,* or *ScreenConnect*, enabling remote access and potential follow-on activity including data theft or deployment of additional malware. The use of legitimate, signed RMM software can blend into normal enterprise traffic and may bypass controls where such tools are pre-approved.
3 weeks ago
Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware
Multiple reports highlight a surge in **social-engineering-led initial access**, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates *Zoom*, *Microsoft Teams*, and *Adobe Reader* updates and uses **stolen Extended Validation (EV) code-signing certificates** (including one issued to **TrustConnect Software PTY LTD**) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install **RMM tooling** such as *ScreenConnect* and *MeshAgent* for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a **ClickFix**-style operation targeting crypto/Web3 professionals via **fake venture capital personas on LinkedIn**, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., *SolidBit Capital*, *MegaBit*, *Lumax Capital*) and domains attributed to a single registrant. In parallel, NCC Group’s Fox-IT assessed that **messaging platforms** (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. One referenced item is materially different from the above social-engineering theme: reporting on suspected **DPRK-linked intrusions** into cryptocurrency organizations describes web-app exploitation (including `CVE-2025-55182` in *React2Shell*) and the use of pre-obtained **AWS access tokens** to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.
1 weeks ago
Phishing and software impersonation campaigns delivering malware via trusted services
Microsoft reported ongoing **OAuth abuse** campaigns targeting government and public-sector organizations, where phishing emails lure users into clicking links that leverage legitimate identity-provider redirect behavior (e.g., **Microsoft Entra ID** and other OAuth providers) to send victims to attacker-controlled pages for malware delivery and potential device takeover. Lures included e-signature requests, Teams meeting recordings, Microsoft 365 password resets, and political themes; Microsoft said it disabled identified malicious OAuth applications but warned related activity persists and requires continued monitoring. Separately, researchers described multiple **deception-based malware delivery** operations that rely on impersonation of trusted brands and software rather than exploiting product vulnerabilities. One campaign spoofed **Zoom** and **Google Meet** to install the legitimate *Teramind* monitoring agent for covert surveillance, using fake landing pages and a Microsoft Store lookalike, persistence via services (including `tsvchst` and `pmon`), and traffic masking via built-in SOCKS5 proxy support; defenders were advised to check for related drivers (e.g., `tm_filter.sys`, `tmfsdrv2.sys`) and artifacts under *ProgramData*. Another campaign used a lookalike domain (`filezilla-project[.]live`) to distribute a trojanized portable **FileZilla 3.69.5** bundle that adds a malicious DLL for DLL search-order hijacking, enabling credential theft (including saved FTP credentials) and C2 activity—highlighting a broader trend of **trusted software impersonation** and search/SEO poisoning as an initial access vector.
2 weeks ago