Social Engineering and Malware Campaigns Using Diverse Lures and Delivery Chains
Multiple reports describe distinct malware and intrusion campaigns active across enterprise, government, developer, and consumer targets, rather than a single shared incident. The activity includes vishing-led abuse of Quick Assist for remote access and persistence, a .NET AOT malware chain delivering Rhadamanthys and XMRig, renewed Horabot banking Trojan activity using fake CAPTCHA and mshta, a compromised Open VSX extension that fetched BlokTrooper payloads, and a Middle East-focused Ramadan coupon lure delivering a RAT with AWS S3-based exfiltration. Additional reporting covers Operation CamelClone, which used government-themed spear-phishing and LNK files to steal data with Rclone, and Contagious Trader, a cryptocurrency-focused campaign tied to malicious GitHub and npm projects.
One reference stands apart as vulnerability research rather than campaign reporting: watchTowr detailed pre-authenticated RCE chains in BMC FootPrints, which is a separate product security disclosure and not part of the malware operations described elsewhere. Because the references cover unrelated incidents, malware families, and victim sets, the material should not be treated as one cohesive event. The sources are nonetheless substantive: they contain threat intelligence, technical analysis, exploit research, and incident tradecraft rather than marketing or generic advice.

How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
Horabot resurgence in Mexico reported publicly
A follow-on report highlighted Horabot's re-emergence in Mexico, summarizing the multi-stage phishing chain, email worm behavior, and the scale of infections previously uncovered by researchers. The report reinforced that the campaign had been active since May 2025 and heavily targeted Mexican users.
Blackpoint details Quick Assist vishing intrusion tied to Tsundere Netto
Blackpoint Security described an intrusion in which a threat actor impersonated IT support over voice calls and convinced a user to grant access through Microsoft Quick Assist. After gaining access, the operator staged payloads and used Node.js and Deno to run modular follow-on malware; the activity was linked with high confidence to the Tsundere Netto botnet.
Aikido reports compromised fast-draft Open VSX releases
Aikido disclosed that multiple fast-draft extension versions published to Open VSX were malicious, while other versions appeared clean, suggesting a compromised publisher account or stolen publishing token. The second-stage payload deployed the BlokTrooper framework, including a Socket.IO RAT, browser and wallet theft, document exfiltration, and clipboard monitoring across Windows, macOS, and Linux.
Securelist publishes technical analysis and detections for Horabot
Securelist documented the active Horabot campaign's fake CAPTCHA lure, mshta-based execution chain, Delphi banking trojan payload, and PowerShell email spreader. The report also released YARA rules, a Suricata signature, hunting guidance, and indicators of compromise for detection.
CloudSEK uncovers Ramadan coupon malware campaign in the Middle East
CloudSEK reported a socially engineered campaign using fake Ramadan discount offers and a malicious document impersonating AlCoupon to target Windows users in the Middle East. The infection chain used a hidden VBA macro and C# loader to deploy the Ftu4You RAT, with exfiltration routed through AWS S3 presigned URLs.
Researchers report .NET AOT malware delivering Rhadamanthys and XMRig
Howler Cell identified a multi-stage malware campaign using .NET Ahead-of-Time compilation to hinder analysis and evade detection. The chain used a ZIP-delivered loader to fetch additional payloads, including the Rhadamanthys infostealer and an XMRig miner, while a host-scoring system screened out sandbox environments.
Contagious Trader campaign weaponizes crypto bot repos and npm packages
A large campaign dubbed Contagious Trader used malicious GitHub cryptocurrency trading bot repositories and 37 npm packages to steal private keys and sensitive files and to establish persistence, including SSH backdoors on some Linux systems. The activity was attributed with high confidence to North Korean operators based on overlaps with Lazarus-linked tradecraft and infrastructure patterns.
CamelClone espionage campaign targets government and diplomatic entities
Operation CamelClone targeted government, defense, and diplomatic organizations in Algeria, Mongolia, Ukraine, and Kuwait with spear-phishing ZIP archives disguised as official correspondence. The infection chain used LNK files, hidden PowerShell, the HOPPINGANT JavaScript loader, and Rclone to steal documents and Telegram Desktop session data via public file-sharing sites and MEGA.
BlokTrooper issue disclosed to fast-draft maintainer
Researchers disclosed the malicious fast-draft Open VSX extension activity to the maintainer via GitHub issue #565. The issue was opened on March 12, 2026 and remained unanswered at the time of reporting.
CamelClone operators create MEGA accounts for exfiltration
Researchers identified four MEGA accounts linked to Operation CamelClone that were created in February and March 2026. The accounts were used as part of the campaign's cloud-based exfiltration and staging infrastructure.
Huntress links fake tech support intrusions to customized Havoc implants
Huntress documented a February 2026 intrusion cluster affecting five partner organizations in which attackers used spam emails and fake IT support calls to obtain Quick Assist or RMM access, harvested credentials through a fake Outlook Antispam Control Panel, and deployed customized Havoc Demon payloads via DLL sideloading. The operators moved to nine additional endpoints within about eleven hours and used modified Havoc features, including registry-based fallback C2 recovery, while the tradecraft overlapped with Black Basta and FIN7-style activity.
Horabot campaign begins infecting victims, mostly in Mexico
An exposed Horabot victim panel showed infections dating back to May 2025, with 5,384 victims recorded and about 93% located in Mexico. The campaign used Spanish-language lures while infrastructure and code artifacts suggested Brazilian operator ties.
Sources
Horabot Banking Trojan Resurfaces in Mexico With Multi-Stage Phishing and Email Worm Tactics (cybersecuritynews.com)
A Match Made in Malware: Quick Assist (blackpointcyber.com)
New .NET AOT Malware Hides Code as a Black Box to Evade Detection (hackread.com)
Opportunistic threat actors using Ramadan coupon as a lure to target retail store customers in Middle East (cloudsek.com)
How we uncovered a Horabot campaign and how you can detect this malware (securelist.com)
fast-draft Open VSX Extension Compromised by BlokTrooper (RAT & Infostealer) (aikido.dev)
CamelClone Spy Campaign Abuses Public File-Sharing Sites and Rclone in Government-Focused Attacks (cybersecuritynews.com)
Contagious Trader campaign - Coordinated weaponisation of cryptocurrency trading bots by suspected DPRK malware operators (kmsec.uk)
Fake Tech Support Delivers Havoc Command & Control (huntress.com)