Multi-stage malware campaigns using fileless loaders, RATs, and evasion techniques
Multiple reports detail distinct, unrelated malware families and delivery chains rather than a single shared incident. One analysis covers NotOpenClaw, a Windows malware loader distributed via fake “OpenClaw” installers (including GitHub-hosted lures) and emphasizing VM/sandbox evasion; the sample analyzed was tagged with stealer-related indicators (e.g., VidarStealer) and was previously referenced in third-party reporting about fake OpenClaw installers deploying additional malware.
Separate research describes two different fileless/backdoor operations: HellsUchecker, a small native x64 backdoor delivered through a 10-stage chain beginning with a ClickFix fake Cloudflare CAPTCHA that tricks users into pasting an obfuscated Run command, using a LOLBin to fetch payloads over finger (TCP/79) and retrieving encrypted C2 configuration from a BNB Smart Chain smart contract ("EtherHiding"), culminating in an in-memory final payload using Hell’s Gate direct syscalls; and GhostWeaver, a fileless PowerShell RAT that selects persistence based on the installed AV product, uses TLS over TCP/25658, and relies on multiple DGA routines for delivery and C2. A separate brief reports the VOID#GEIST campaign delivering XWorm, AsyncRAT, and Xeno RAT via phishing, batch scripts from TryCloudflare domains, staged ZIP payloads, Python-based decryption/execution, and abuse of AppInstallerPythonRedirector.exe to facilitate additional RAT deployment.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Analyst identifies NotOpenClaw fake AI installer malware
An analysis of a Windows sample posing as an OpenClaw AI installer identified a Rust-based loader dubbed NotOpenClaw, featuring extensive VM and sandbox evasion plus a staged PowerShell script that weakens Windows Defender and firewall protections. After patching anti-analysis checks, the analyst observed network activity, extracted limited IOCs, and linked the sample to prior fake OpenClaw installer activity.
Researchers observe active HellsUchecker ClickFix campaign
A 10-stage malware campaign using a fake Cloudflare Turnstile ClickFix lure was reported active, chaining finger.exe, Python bootstrapping, an MSI dropper, an EtherHiding loader, and the in-memory HellsUchecker backdoor. The operation used blockchain-hosted C2 configuration, anti-analysis checks, persistence via a BAT/MSBuild polyglot and Startup link, and direct-syscall injection.
Researchers publish GhostWeaver PowerShell RAT analysis
Researchers analyzed GhostWeaver, a fileless in-memory PowerShell RAT with antivirus-aware persistence, DGA-based C2, and sandbox evasion through the MintsLoader profiler. They also connected to two live C2 servers and observed both immediately deliver identical persistence payloads, and attributed the activity to TA582/UNC4108 linked downstream of the SocGholish infection chain.
Researchers document VOID#GEIST multi-RAT malware campaign
Researchers disclosed a modular malware campaign dubbed VOID#GEIST that begins with phishing emails and weaponized batch scripts hosted on TryCloudflare domains. The intrusion chain delivers XWorm, Xeno RAT, and AsyncRAT in stages, using PowerShell persistence, Python-based decryption, and process injection to improve flexibility and resilience.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
VMs Need Not Apply: NotOpenClaw Malware Analysis | by grepStrength | Mar, 2026 | OSINT Team
osintteam.blog
Open sourceHellsUchecker: ClickFix to blockchain-backed backdoor | Derp
derp.ca
Open sourceTrio of RATs deployed in VOID#GEIST malware campaign | brief | SC Media
scworld.com
Open sourceGhostWeaver: a PowerShell RAT with its own DNS and persistence | Derp
derp.ca
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multi-stage malware delivery chains distributing XWorm and other RATs
Researchers reported evolving **multi-stage, script-heavy infection chains** used to deliver remote access trojans, including **XWorm**, **AsyncRAT**, and **Xeno RAT**. Securonix described a campaign dubbed **VOID#GEIST** that starts from phishing-delivered batch scripts fetched from *TryCloudflare* infrastructure, then chains additional batch/PowerShell stages, deploys a legitimate embedded Python runtime, decrypts shellcode, and executes it filelessly by injecting into `explorer.exe` using **Early Bird APC injection**, reducing disk artifacts and making each stage appear benign in isolation. Separately, SANS ISC documented another **XWorm** wave using an obfuscated JavaScript-to-PowerShell loader chain that drops a temporary PowerShell script (e.g., `C:\Temp\ps_...ps1`), decodes additional in-memory PowerShell, and uses a DLL exporting `ProcessHollowing` to inject the XWorm client into a .NET compiler process. The write-up included configuration and IOCs such as a C2 endpoint `204[.]10[.]160[.]190:7003`, mutex `Cqu1F0NxohroKG5U`, and multiple SHA-256 hashes for the JavaScript, PowerShell, DLL loader, and XWorm payload, indicating continued high-volume distribution with frequently changing delivery techniques.
Mar 21, 2026
Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi‑Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva‑25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Mar 21, 2026
Multiple Malware Campaigns Abuse Phishing and Legitimate Cloud Services to Compromise Windows and Linux Systems
Reporting describes several unrelated but contemporaneous malware operations targeting both Windows and Linux environments. In Taiwan, FortiGuard Labs observed targeted phishing using tax and e-invoice lures to deliver **Winos 4.0 (ValleyRat)** and plugins, with delivery chains including malicious `.LNK` files, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud-hosted infrastructure that reduces the effectiveness of static blocklists. Separately, Cato CTRL reported a new Windows loader, **Foxveil**, that stages and retrieves shellcode via trusted platforms (**Cloudflare Pages**, **Netlify**, and **Discord attachments**) and executes payloads using techniques including **Early Bird APC injection** (often into a fake `svchost.exe`) or self-injection, while persisting via Windows services or masqueraded binaries dropped into `SysWOW64`. Additional reporting covers distinct campaigns in other regions and platforms. A LATAM-focused intrusion chain uses fake bank receipt lures (double-extension such as `.pdf.js`) to deliver **XWorm v5.6**, employing oversized/obfuscated JavaScript, WMI-based process creation (`Win32_Process`) to launch hidden PowerShell, and abuse of a hardcoded **Cloudinary** URL for staging—capabilities consistent with credential theft and enabling follow-on ransomware. Trellix analysis described a separate **Monero** cryptomining operation distributed via pirated software installers that propagates through **USB/external drives** to reach even air-gapped systems, using multi-component “watchdog” self-healing behavior and aggressive defense-evasion. On Linux, LevelBlue detailed a new **SysUpdate** variant (packed `ELF64`) that performs host reconnaissance and uses strong C2 encryption; researchers built a **Unicorn Engine**-based emulation tool to reproduce key generation/encryption routines and decrypt captured C2 traffic for investigation and detection engineering.
Mar 21, 2026