Phishing Campaigns Delivering Malware via Disguised, Signed Installers and Malicious Attachments
Security researchers reported active phishing activity targeting enterprise users by impersonating routine workplace workflows (e.g., meeting invites, invoices, and document notifications) to trick recipients into running malware. One campaign used executables masquerading as Microsoft Teams, Zoom, and Adobe Acrobat Reader installers (e.g., msteams.exe, zoomworkspace.clientsetup.exe, adobereader.exe, invite.exe) that appeared trustworthy because they were digitally signed with an Extended Validation (EV) certificate issued to TrustConnect Software PTY LTD. Microsoft Defender telemetry attributed the activity to an unknown threat actor and assessed the approach as a deliberate, multi-wave effort designed to bypass user suspicion and basic security controls.
After execution, the signed malware deployed remote monitoring and management (RMM) tooling—reported examples include ScreenConnect, Tactical RMM, and Mesh Agent—to establish persistent remote access and enable follow-on actions across affected environments. Separately, reporting also highlighted phishing lures distributing malicious ISO attachments embedded in job application/resumé-themed emails, reinforcing that attackers continue to rely on socially engineered business processes (recruiting and HR workflows in particular) to deliver initial payloads and gain a foothold.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
CISA warns Ivanti EPM and Cisco SD-WAN flaws are under active exploitation
CISA warned that vulnerabilities affecting Ivanti Endpoint Manager Mobile and Cisco SD-WAN were being actively exploited in the wild. The notice marked a new official alert about live exploitation activity targeting those products.
Aryaka reports phishing emails with malicious resumé ISO attachments
Aryaka reported an active phishing tactic in which emails posing as job resumés were being circulated with malicious ISO file attachments. The report identified the campaign as an ongoing social-engineering-based malware delivery method.
Microsoft Defender Experts identify and attribute the campaign
Microsoft Defender Experts detected the activity through Defender telemetry and attributed it to an unknown threat actor. The findings highlighted the campaign's abuse of legitimate RMM software for stealthy remote access, lateral movement, data theft, and follow-on payload delivery.
Malware signed with EV certificate and used to deploy RMM backdoors
The malicious executables were digitally signed with an Extended Validation certificate issued to TrustConnect Software PTY LTD, helping them appear legitimate. After execution, the malware established persistence, contacted trustconnectsoftware[.]com, and used PowerShell to install legitimate RMM tools including ScreenConnect, Tactical RMM, and Mesh Agent.
Phishing campaign begins using fake Teams, Zoom, and Adobe installers
A phishing campaign active since February 2026 began targeting enterprise users with emails themed as meeting invites, invoices, and financial documents. The lures directed victims to malware disguised as installers for Microsoft Teams, Zoom, and Adobe Acrobat Reader.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Phishing Campaigns Abuse Digital Invites and Fake Meeting Pages to Steal Credentials and Deploy RMM Tools
Threat actors are abusing the familiarity of **digital invitation and meeting platforms** to increase phishing success rates. Cofense reported malicious *Punchbowl/Paperless Post*-themed invitations that prompt recipients to “log in to view event details,” then redirect to phishing infrastructure offering branded sign-in options (e.g., **Microsoft, Yahoo, AOL, Google, Dropbox**) to harvest credentials. The phishing flow may solicit multiple credential sets by returning fake login errors and urging users to try alternate accounts; submitted credentials are exfiltrated to attacker-controlled domains, often leveraging newly registered domains to evade reputation-based defenses. Separately, Netskope research (reported by KnowBe4) described **fake video meeting invites** for *Zoom, Microsoft Teams, Google Meet,* and similar services that lead to spoofed “join meeting” pages showing purported coworkers already on the call. Victims are instructed to install a required “update” to join; the payload is a **digitally signed remote monitoring and management (RMM) tool** such as *Datto RMM, LogMeIn,* or *ScreenConnect*, enabling remote access and potential follow-on activity including data theft or deployment of additional malware. The use of legitimate, signed RMM software can blend into normal enterprise traffic and may bypass controls where such tools are pre-approved.
Mar 26, 2026
Phishing and social-engineering campaigns increasingly abuse trusted channels and identities to deliver malware
Multiple reports highlight a surge in **social-engineering-led initial access**, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates *Zoom*, *Microsoft Teams*, and *Adobe Reader* updates and uses **stolen Extended Validation (EV) code-signing certificates** (including one issued to **TrustConnect Software PTY LTD**) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install **RMM tooling** such as *ScreenConnect* and *MeshAgent* for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a **ClickFix**-style operation targeting crypto/Web3 professionals via **fake venture capital personas on LinkedIn**, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., *SolidBit Capital*, *MegaBit*, *Lumax Capital*) and domains attributed to a single registrant. In parallel, NCC Group’s Fox-IT assessed that **messaging platforms** (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. One referenced item is materially different from the above social-engineering theme: reporting on suspected **DPRK-linked intrusions** into cryptocurrency organizations describes web-app exploitation (including `CVE-2025-55182` in *React2Shell*) and the use of pre-obtained **AWS access tokens** to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.
Mar 21, 2026
Phishing and software impersonation campaigns delivering malware via trusted services
Microsoft reported ongoing **OAuth abuse** campaigns targeting government and public-sector organizations, where phishing emails lure users into clicking links that leverage legitimate identity-provider redirect behavior (e.g., **Microsoft Entra ID** and other OAuth providers) to send victims to attacker-controlled pages for malware delivery and potential device takeover. Lures included e-signature requests, Teams meeting recordings, Microsoft 365 password resets, and political themes; Microsoft said it disabled identified malicious OAuth applications but warned related activity persists and requires continued monitoring. Separately, researchers described multiple **deception-based malware delivery** operations that rely on impersonation of trusted brands and software rather than exploiting product vulnerabilities. One campaign spoofed **Zoom** and **Google Meet** to install the legitimate *Teramind* monitoring agent for covert surveillance, using fake landing pages and a Microsoft Store lookalike, persistence via services (including `tsvchst` and `pmon`), and traffic masking via built-in SOCKS5 proxy support; defenders were advised to check for related drivers (e.g., `tm_filter.sys`, `tmfsdrv2.sys`) and artifacts under *ProgramData*. Another campaign used a lookalike domain (`filezilla-project[.]live`) to distribute a trojanized portable **FileZilla 3.69.5** bundle that adds a malicious DLL for DLL search-order hijacking, enabling credential theft (including saved FTP credentials) and C2 activity—highlighting a broader trend of **trusted software impersonation** and search/SEO poisoning as an initial access vector.
Mar 21, 2026