Researchers documented several multi-stage malware campaigns that used phishing lures, fake software updates, and DLL sideloading to deploy credential theft and remote access payloads. In one June 2026 intrusion targeting a small number of German financial institutions, a spear-phishing email posing as an urgent VPN update delivered a 7-Zip self-extracting archive that dropped a signed copy of Radmin VPN alongside a trojanized Qt5Core.dll, launching HijackLoader and ultimately Vidar v2.1 through process hollowing into a signed dBpoweramp binary. A parallel chain used Opera sideloading to install SnappyClient RAT. Separate reporting also described a targeted Spanish-language phishing lure that delivered a password-protected archive containing a .NET loader and a byte-reversed DLL payload, as well as a fake browser update chain that used a signed G DATA AntiVirus binary to sideload PlugX linked to suspected Mustang Panda activity.
Across the cases, the malware families showed strong emphasis on credential theft, stealth, and layered execution. Vidar samples were observed harvesting browser passwords, cookies, screenshots, FileZilla and WinSCP data, and cryptocurrency wallet information, while also bypassing Chromium App-Bound Encryption by launching legitimate Chrome and Edge instances with specific flags and using dead-drop resolvers such as Steam and Telegram to locate command-and-control servers. The PlugX implant used multiple decoding and encryption layers, manual PE mapping, registry-based persistence, and WinHTTP communications to fruitbrat[.]com:443, while another credential-stealing sample tied in open sources to RedFoxtrot targeted Firefox and Internet Explorer data and used proxy-aware HTTP communications with hardcoded infrastructure. The reporting highlights continued attacker reliance on signed binaries, staged loaders, and obfuscated payload handling to evade detection while stealing credentials and enabling follow-on access.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
The June 2026 campaign also included a second execution chain that used Opera side-loading to deploy the SnappyClient RAT in parallel with the Vidar delivery path. This showed the operation was capable of delivering multiple payload families through related lures and staging.
In June 2026, a spear-phishing campaign themed as urgent VPN software updates targeted a small number of German financial institutions. A 7-Zip self-extracting archive named Setup.exe used DLL side-loading via a signed Radmin VPN binary to launch HijackLoader and deliver Vidar v2.1.
A January 2026 PlugX sample suspected to be associated with Mustang Panda used a fake browser update lure and DLL sideloading with a legitimate signed G DATA AntiVirus binary. The malware installed itself under %PUBLIC%\GData, created Run-key persistence, and communicated with fruitbrat[.]com:443 using WinHTTP.
Researchers discovered a targeted phishing campaign after a malicious email using a Spanish-language account-creation lure and a Google Drive link was sent to a Deriv employee. The downloaded password-protected archive contained a .NET loader that extracted and ran a secondary payload.
Analysis of a Vidar infection chain found a 64-bit loader and a 32-bit stealer payload that were compiled in early 2025. The chain used shellcode decryption, API hashing, and remote process injection into MSBuild.exe before stealing browser, system, and wallet data.
Infrastructure pivoting tied the QUICKHEAL malware to a cluster of domains and IP addresses that were active mainly from 2022 to 2024, with themes suggesting targeting of India's telecom and space sectors and possible lower-confidence targeting in the Middle East and South Korea.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
9 references tracked. Mallory keeps watching after this page renders.
mrtiepolo.medium.com
Open sourcecyderes.com
Open sourcebluecyber.hashnode.dev
Open sourceblog.netomize.ca
Open sourcebluecyber.hashnode.dev
Open sourcemedium.com
Open sourceaviab1.github.io
Open sourcesecurite360.net
Open sourcego.recordedfuture.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.