AI-Assisted Malware Campaign Distributed Through Fake Software Downloads
Researchers reported a large-scale malware distribution campaign that used fake software offerings hosted on trusted platforms to infect users, with operators increasingly relying on AI-assisted or “vibe-coded” development to scale payload creation. McAfee identified more than 443 malicious ZIP archives masquerading as AI tools, game cheats, VPNs, drivers, and decryptors, distributed via services including Discord, SourceForge, FOSSHub, MediaFire, and mydofiles.com. The campaign used 48 variants of WinUpdateHelper.dll across 17 kill chains, each with separate command-and-control infrastructure but linked through shared cryptocurrency wallet credentials, allowing researchers to trace monetization activity and victim distribution across countries including the US, UK, India, Brazil, France, Canada, and Australia.
A separate but related report described another multi-stage malware campaign that also relied on deceptive delivery and evasion, using .NET Ahead-of-Time (AOT) compilation to hinder analysis and a host-scoring system to avoid sandboxes and low-value targets. In that intrusion chain, a phishing-delivered ZIP launched KeyAuth.exe, which fetched bound_build.exe and then deployed both the Rhadamanthys infostealer and an XMRig miner disguised as MicrosoftEdgeUpdater. The malware checked conditions such as RAM, uptime, document count, and active antivirus processes, and terminated itself if the environment scored below a threshold, showing a deliberate effort to evade detection while maximizing successful infections.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Trend Micro details Rust dropper using Claude Code and TradeAI lures
On 2026-04-03, Trend Micro disclosed a malware campaign in which differently branded lure archives such as ClaudeCode_x64.exe and TradeAI.exe delivered the same Rust-compiled dropper. The malware masqueraded as a graphics driver updater, used XOR-encrypted strings and anti-analysis checks, and retrieved staging data from Pastebin and Snippet.host while supporting multiple execution modes.
Netskope uncovers GitHub split-payload malware campaign
On 2026-03-24, Netskope disclosed a large-scale malware delivery campaign using more than 300 trojanized GitHub repositories posing as AI tools, game cheats, crypto bots, Roblox scripts, and VPN crackers. The operation used a custom LuaJIT-based trojan split into a legitimate runtime and an obfuscated encrypted script, with anti-analysis, geolocation checks, screenshot capture, and C2 communications aimed at ultimately deploying an infostealer.
Researchers reveal environment-scoring anti-analysis feature
Howler Cell reported that the .NET AOT malware used an environment-scoring system that evaluated RAM, uptime, document count, and antivirus presence to distinguish real victims from sandboxes. If a host scored below 5, the malware terminated itself to reduce detection.
Howler Cell identifies .NET AOT malware campaign
Researchers at Howler Cell identified a new multi-stage malware campaign using .NET Ahead-of-Time compilation to complicate analysis and evade security tools. The infection chain began with phishing emails carrying malicious ZIP archives that launched KeyAuth.exe, which downloaded additional components including bound_build.exe, Crypted_build.exe, Rhadamanthys infostealer, and an XMRig miner disguised as MicrosoftEdgeUpdater.
Campaign deploys miners, stealers, and persistence mechanisms
After execution, the fake-software malware redirected victims to bogus dependency downloads while establishing persistence, generating dynamic command-and-control infrastructure, running fileless PowerShell payloads, and adding Windows Defender exclusions. McAfee found the campaign deployed CPU and GPU coin miners and, in some cases, delivered SalatStealer or Mesh Agent, with infections concentrated in the United States and several other countries.
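The persistence step above mentions fileless PowerShell payloads and added Windows Defender exclusions. As an added detection example (not code from any of the cited reports), the following Python scans constructed PowerShell script-block log entries, in the shape of Event ID 4104 ScriptBlockText values, for exclusions added via Add-/Set-MpPreference, via a direct registry write, or hidden behind an encoded command; the paths, names and base64 blob are made up.

```python
"""Flag PowerShell script-block log entries that add Windows Defender exclusions."""
import re
from typing import Iterable, Iterator, Optional, Tuple

# Cmdlet form: Add-MpPreference appends to an exclusion list, Set-MpPreference
# replaces it; either one carrying an -Exclusion* parameter is worth an alert.
_EXCLUSION_RE = re.compile(
    r"\b(Add|Set)-MpPreference\b[^\n;]*?-Exclusion(Path|Process|Extension)\b",
    re.IGNORECASE,
)
# Registry form: the same lists can be written directly under this key.
_REG_RE = re.compile(
    r"Windows Defender\\Exclusions\\(Paths|Processes|Extensions)", re.IGNORECASE
)
# Encoded-command form: hides either of the above; flag it for decoding.
_ENC_RE = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)


def classify(script_block: str) -> Optional[str]:
    """Return a finding label for one ScriptBlockText, or None if it looks clean."""
    if _EXCLUSION_RE.search(script_block):
        return "defender-exclusion-cmdlet"
    if _REG_RE.search(script_block):
        return "defender-exclusion-registry"
    if _ENC_RE.search(script_block):
        return "encoded-command"
    return None


def scan(entries: Iterable[str]) -> Iterator[Tuple[int, str, str]]:
    """Yield (entry_no, label, text) for every suspicious entry, 1-indexed."""
    for n, text in enumerate(entries, 1):
        label = classify(text)
        if label:
            yield n, label, text.strip()


# Constructed sample entries shaped like Event ID 4104 ScriptBlockText values;
# the paths, value names and base64 blob are made up for this example.
SAMPLE_LOG = [
    "Get-Process | Where-Object { $_.CPU -gt 100 }",
    "Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Updater' -Force",
    "Get-MpPreference | Select-Object ExclusionPath",
    "New-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths'"
    " -Name 'C:\\Users\\Public\\Updater' -PropertyType DWord -Value 0",
    "powershell.exe -nop -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
]

if __name__ == "__main__":
    for n, label, text in scan(SAMPLE_LOG):
        print(f"entry {n}: {label}: {text}")
```

Running the block prints the three flagged entries (2, 4 and 5); the read-only Get-MpPreference query in entry 3 is deliberately not flagged, since only Add/Set change the lists.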
McAfee identifies large fake-software malware campaign
In January 2026, McAfee identified a large-scale malware campaign distributing trojanized ZIP archives disguised as AI tools, game hacks, VPNs, drivers, and decryptors. The operation used a malicious DLL, WinUpdateHelper.dll, across 48 variants and 17 kill chains, with payloads hosted on trusted platforms such as Discord, SourceForge, FOSSHub, MediaFire, and mydofiles.com.
Sources
Trend Micro (US): Weaponizing Trust Signals: Claude Code Lures and GitHub Release Payloads (trendmicro.com)
Help Net Security: GitHub-hosted malware campaign uses split payload to evade detection (helpnetsecurity.com)
SC Media: New .NET AOT malware uses scoring system to evade detection (scworld.com)
Cyber Security News: ‘Vibe-Coded’ Malware Campaign Uses Fake Tools, CDNs and File Hosts to Infect Users (cybersecuritynews.com)