Multiple campaigns are using phishing emails and archive-based lures to deliver remote access malware through stealthy, multi-stage infection chains. Point Wild documented Remcos RAT, DesckVB RAT, and a Rust-based COVERT RAT being delivered through ZIP attachments, weaponized LNK files, obfuscated JavaScript droppers, and hidden PowerShell execution, often with decoy documents to mask activity. The payloads were loaded filelessly through .NET reflection and in-memory execution, with operators abusing legitimate binaries and services such as aspnet_compiler.exe, GitHub, and paste or web-hosting platforms to stage malware while evading detection. Reported command-and-control infrastructure included 192.3.27.141:8087, 172.245.246.77:8080, and 181.231.253.69:4444, while observed artifacts included C:\ProgramData\remcos\logs.dat, C:\ProgramData\colors\logs.dat, and payload names such as ALTERNATE.dll, ClassLibrary3.dll, Keylogger.dll, and msedge_proxy.exe.
Separate reporting showed the same tradecraft extending beyond custom RATs to commodity remote-access software and credential theft. A campaign targeting Russian aerospace and aviation organizations used invoice-themed phishing and spoofed domains to install a portable AnyDesk instance for unattended access, maintain persistence with a scheduled task, minimize visibility with Tray Minimizer, and exfiltrate configuration data through a command-line SMTP mailer; Seqrite linked the activity to Rare Werewolf (Librarian Ghouls). Securonix research cited by Trojan Killer described VEIL#DROP using fake document-style JavaScript files, Blogspot-hosted staging, PowerShell download cradles, XOR decoding, and in-memory .NET loading to deploy PureLog Stealer, which targets browser credentials, cookies, session tokens, wallet data, and host information. Across the campaigns, the common pattern is phishing-led initial access followed by LOLBins, PowerShell, staged downloads, persistence, and covert data theft or long-term remote control.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
7 events from the most recent confirmed update back to the earliest known activity.
Seqrite linked a phishing campaign targeting Russian aerospace and aviation organizations to the Rare Werewolf (Librarian Ghouls) threat actor. The campaign used invoice-themed emails and spoofed domains to deploy portable AnyDesk for unattended access, establish persistence with a scheduled task, hide activity with Tray Minimizer, and exfiltrate configuration data via a command-line SMTP mailer.
Securonix Threat Research detailed VEIL#DROP, a multi-stage Windows malware delivery chain using deceptive JavaScript files, PowerShell download cradles, Blogspot staging, XOR-protected data, and in-memory .NET execution to deploy PureLog Stealer. The campaign was described as stealing browser credentials, cookies, session tokens, wallet data, and host information.
A joint report by YesWeHack and Sekoia described ChocoPoC, a Python RAT hidden in fake GitHub proof-of-concept repositories for newly disclosed vulnerabilities and used repeatedly since late 2025 to target vulnerability researchers and pentesters. The malware was reported as still active as of 2026-07-01, using malicious dependencies such as frint and skytext, persistence via trojanized Python packaging components, and infrastructure including 91.132.163.78:8001 for exfiltration.
Point Wild reported on DesckVB RAT, a JavaScript-initiated, fileless .NET RAT active in 2026 that uses PowerShell, reflection, Base64 encoding, and string reversal to load modules in memory. The report identified infrastructure and payload components including pastee.dev, hostgator and Synology domains, ClassLibrary3.dll, ClassLibrary1.dll, Microsoft.exe, and Keylogger.dll.
Point Wild analyzed a phishing campaign in which a ZIP attachment disguised as a business document led to obfuscated JavaScript, PowerShell execution-policy bypass, retrieval of ENCRYPT.Ps1, and in-memory loading of ALTERNATE.dll. The activity abused aspnet_compiler.exe as a LOLBin, communicated with C2 at 192.3.27.141:8087, fetched an additional payload, and created C:\ProgramData\remcos\logs.dat.
Point Wild described Operation Covert Access, a spear-phishing campaign using judicial-themed lures against Argentina’s judicial sector to deliver a Rust-based RAT. The infection chain used a ZIP archive with a weaponized LNK, BAT loader, and PDF decoy, with the malware connecting to 181.231.253.69:4444 and supporting persistence, credential theft, encryption, and privilege escalation.
Point Wild reported on a newer Remcos RAT variant that uses runtime API decryption, encrypted configuration and C2 traffic, dynamic module loading, and direct exfiltration. The report identified indicators including C2 endpoint 172.245.246.77:8080, mutex Rmc-GSEGIF, and artifact C:\ProgramData\colors\logs.dat.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
7 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcetrojan-killer.net
Open sourcetrojan-killer.net
Open sourcepointwild.com
Open sourcepointwild.com
Open sourcepointwild.com
Open sourcepointwild.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.