Signed Malware Installers and Live C2 Infrastructure Fuel Multiple Loader Campaigns
Breakglass Intelligence identified several active malware delivery operations using signed installers, compromised websites, and live command-and-control infrastructure to distribute loaders, stealers, and remote access tools. One campaign used the newly registered domain maybedontbanplease[.]com as CastleLoader C2 on 3NT Solutions LLP infrastructure, with a large NSIS installer embedding Python 3.14, AES-encrypted payloads, and in-memory shellcode execution via pythonw.exe; the installer was signed with an EV certificate issued to the likely fictitious entity SERPENTINE SOLAR LIMITED. The activity was attributed with medium-high confidence to GrayBravo and linked to delivery of LummaC2, StealC, RedLine, Rhadamanthys, DeerStealer, NetSupport RAT, and SectopRAT, with targeting that included U.S. government, critical infrastructure, IT, and logistics organizations.
A separate operation distributed a trojanized MSTeamsSetup.exe that installed a weaponized RustDesk client and communicated with mon.systemautoupdater[.]com on EvoXT infrastructure, while presenting a TLS certificate for calipology[.]com, tying the activity to the GeorgeGinx/Striker operator. In another live campaign, attackers used the compromised Syrian web development site allsydevs[.]com to host an obfuscated .NET loader masquerading as a WordPress image and connected victims to 172[.]93[.]167[.]12:4263 over HTTPS using a self-signed certificate with the fake common name Mesh Data; at least six related samples were linked to the same C2, with lure names suggesting targeting of Middle Eastern construction and export firms. Together, the investigations show financially motivated actors expanding malware distribution through fraudulent code-signing, trojanized business software, and hijacked web infrastructure.
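Two of the delivery tricks above are cheap to check for on the defender side: a PE loader served under an image name from a compromised site, and a C2 host whose TLS certificate belongs to another domain or is self-signed with an invented common name. The script below is an added example written for this page, not Breakglass or Mallory tooling; the observation format and every sample value are constructed, with the hostnames and CN taken from the indicators quoted in the story.

```python
"""Triage checks for the delivery tricks this story describes: an executable served
under an image name, and a TLS certificate that does not belong to the host.
Added example for this page, not Breakglass or Mallory code. The observation
format and all sample values below are constructed for illustration."""
from typing import Optional

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".webp")
# Magic bytes a file with one of these extensions should actually start with.
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8", b"RIFF")

def disguised_executable(filename: str, data: bytes) -> Optional[str]:
    """Return a finding if an 'image' is really a Windows executable, else None."""
    if not filename.lower().endswith(IMAGE_EXTENSIONS):
        return None
    if data[:2] == b"MZ":  # DOS/PE header: a .NET or native executable
        return f"{filename}: image extension but PE (MZ) header"
    if not data.startswith(IMAGE_MAGIC):
        return f"{filename}: image extension but unrecognised magic {data[:4]!r}"
    return None

def tls_name_mismatch(host: str, subject_cn: str, issuer_cn: str) -> Optional[str]:
    """Flag a certificate that does not belong to the host we connected to."""
    if subject_cn == issuer_cn:
        return f"{host}: self-signed certificate with CN {subject_cn!r}"
    if host == subject_cn:
        return None
    # A wildcard CN covers exactly one label: *.example.com matches a.example.com only.
    if subject_cn.startswith("*.") and host.endswith(subject_cn[1:]) \
            and host.count(".") == subject_cn.count("."):
        return None
    return f"{host}: certificate CN {subject_cn!r} does not match hostname"

def triage(downloads, tls_sessions) -> list:
    """Run both checks over (filename, bytes) and (host, subject_cn, issuer_cn) tuples."""
    findings = [r for fn, data in downloads if (r := disguised_executable(fn, data))]
    findings += [r for h, s, i in tls_sessions if (r := tls_name_mismatch(h, s, i))]
    return findings

# Constructed observations (not real captures): a "WordPress image" that is an MZ
# file, a genuine PNG, a cert issued for a different domain, and a self-signed CN.
SAMPLE_DOWNLOADS = [
    ("wp-content/uploads/2026/04/banner.png", b"MZ\x90\x00" + b"\x00" * 60),
    ("wp-content/uploads/2026/04/logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 60),
]
SAMPLE_TLS = [
    ("mon.systemautoupdater.com", "calipology.com", "Constructed Issuer CA"),
    ("172.93.167.12", "Mesh Data", "Mesh Data"),
    ("update.example.com", "*.example.com", "Constructed Issuer CA"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DOWNLOADS, SAMPLE_TLS):
        print(finding)
```

Running it prints three findings: the MZ-headed "image", the calipology.com certificate on the systemautoupdater host, and the self-signed "Mesh Data" certificate, while the real PNG and the wildcard-covered host pass.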

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Breakglass exposes live AllSyDevs multi-campaign malware operation
Breakglass reported that a compromised Syrian web development server, allsydevs[.]com, was hosting a .NET malware loader disguised as a WordPress image file, with a separate live C2 at 172[.]93[.]167[.]12:4263. The analysis tied at least six samples to the operation and described AES decryption, process injection, and targeting of Middle Eastern construction and export businesses.
Breakglass identifies signed MSTeams installer delivering RustDesk malware
Breakglass reported that mon.systemautoupdater[.]com on 23.27.141[.]44 was active infrastructure for a trojanized Microsoft Teams installer that deployed a weaponized RustDesk client. The infrastructure and TLS artifacts linked the activity to the previously identified GeorgeGinx/Striker operator using the "calipology" handle.
Breakglass documents live CastleLoader C2 and GrayBravo attribution
Breakglass reported that maybedontbanplease[.]com was being used as live CastleLoader C2 infrastructure resolving to 38[.]180[.]136[.]139, though the backend was down and only an nginx reverse proxy remained reachable. The report linked CastleLoader with medium-high confidence to GrayBravo and described delivery of multiple secondary payloads across U.S. government, critical infrastructure, IT, and logistics targets.
Trojanized MSTeams installer sample appears on MalwareBazaar
A malicious MSTeamsSetup.exe sample delivering a weaponized RustDesk client was first observed on MalwareBazaar. The installer was signed with a suspicious certificate issued to "Zlatin Stamatov."
AllSyDevs-linked stealer and RAT infrastructure is established
Infrastructure for the AllSyDevs operation was assessed as newly established in early April 2026, using compromised allsydevs[.]com hosting and a live C2 at 172[.]93[.]167[.]12:4263. The campaign supported multiple malware samples targeting mainly Middle Eastern commercial entities.
CastleLoader C2 domain maybedontbanplease[.]com is registered
The domain maybedontbanplease[.]com, later identified as CastleLoader command-and-control infrastructure, was newly registered. Breakglass later tied it to GrayBravo-linked malware activity.
ThreatFox flags 172[.]93[.]167[.]12:4263 as botnet C2
ThreatFox identified 172[.]93[.]167[.]12:4263 as botnet command-and-control infrastructure. This indicator was later linked to the AllSyDevs multi-campaign stealer and RAT operation.
Breakglass reports signed IcedID MSI delivering Latrodectus
Breakglass analyzed a malicious signed MSI file, info_IR-99661418.msi, used as an IcedID Stage-1 dropper via the WiX custom action framework to execute an embedded .NET assembly and launch an IcedID DLL with rundll32.exe. The report said the malware beaconed to statifaronta[.]com and retrieved a Latrodectus Stage-2 payload tied to active infrastructure on 45[.]61[.]136[.]30, assessing the activity as a live ransomware-precursor campaign linked with medium-high confidence to TA577 or TA551-aligned operations.
Breakglass identifies Pulsar RAT v2.4.5 MSI campaign
Breakglass reported an active campaign using a Windows Installer named haunt.msi, first seen on 2026-03-12, to deliver Pulsar RAT v2.4.5 through a multi-stage loader that disables AMSI, ETW, and WLDP. The report said command-and-control traffic was proxied through host.fedmenigga.workers[.]dev on Cloudflare Workers to a backend at 31[.]57[.]147[.]207 and assessed the actor as operating a sustained multi-tool campaign since at least February 2026.
Breakglass identifies CryptoVista trojanized installer signed with stolen EV certificate
Breakglass reported a trojanized installer impersonating CryptoVista that was signed with a freshly issued SSL.com EV code-signing certificate belonging to TRUST & SIGN POLAND, a Docaposte subsidiary. The sample appeared by March 5, 2026 and used an Inno Setup-based loader with ChaCha20 encryption, XOR obfuscation, geofencing, and process injection, while achieving 0/36 AV detections as of March 10.
Sources
AllSyDevs C2 Infrastructure - Breakglass Intelligence (intel.breakglass.tech)
Calipology / SystemAutoUpdater - Trojanized RustDesk via Signed MSTeams Installer - Breakglass Intelligence (intel.breakglass.tech)
CastleLoader / maybedontbanplease[.]com - Breakglass Intelligence (intel.breakglass.tech)
IcedID / Latrodectus - Signed WiX MSI Dropper Campaign - Breakglass Intelligence (intel.breakglass.tech)
Pulsar RAT v2.4.5 - MSI Dropper with GUID-Encoded Shellcode & Cloudflare Workers C2 - Breakglass Intelligence (intel.breakglass.tech)
CryptoVista Trojanized Installer: Stolen Docaposte EV Certificate Achieves 0/36 AV Detection While Impersonating Legitimate Crypto Brand - Breakglass Intelligence (intel.breakglass.tech)