Social-Engineering Malware Campaigns Targeting End Users via Browser Stores and Fake Installers

Tags: credential-stealer-activity, extension-plugin-hijack, identity-impersonation-fraud, defense-evasion-method, cryptocurrency-platform-risk
Updated March 21, 2026 at 02:50 PM | 3 sources

Multiple active social-engineering-driven malware operations are targeting end users through trusted distribution channels. One campaign, dubbed GhostPoster, distributed 17 malicious browser extensions across Chrome, Firefox, and Edge with 840,000+ installs, using legitimate-sounding names (e.g., “Google Translate in Right Click,” “Youtube Download,” “Ads Block Ultimate”) and evading store reviews for years. The extensions used steganography to hide code in PNGs, then extracted payloads to contact attacker infrastructure, enabling credential/data theft, tracking, affiliate-link hijacking, script injection, and HTTP header manipulation to weaken protections.

Separately, threat actors are impersonating Malwarebytes via trojanized ZIP “installers” (e.g., malwarebytes-windows-github-io-X.X.X.zip) and using DLL sideloading—pairing a legitimate EXE with a malicious CoreMessaging.dll—to execute infostealers; reporting highlighted a campaign fingerprint via behash 4acaac53c8340a8c236c91e68244e6cb and distinctive DLL strings used for infrastructure mapping. A different operation identified by CloudSEK involves “RedLineCyber” masquerading as an affiliate of “RedLine Solutions” to build credibility inside private Discord communities and deliver a Python-based clipboard hijacker (often Pro.exe / peeek.exe) aimed at cryptocurrency wallet theft, relying on long-term grooming of high-value targets rather than broad phishing.
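Added here as a defender-side triage example (not code from any of the cited reports): a Python script that inspects a ZIP "installer" for the sideloading pattern described above, a legitimate-looking EXE bundled with a DLL named like a system library (CoreMessaging.dll in the fake Malwarebytes lure, TextShaping.dll in the related Notepad++ story), plus the archive-name pattern and bundled text files the researchers used as pivots. The sample archive is constructed inside the script.

```python
import io
import re
import zipfile

# DLL names this page reports being dropped beside a legitimate EXE for sideloading
SIDELOAD_DLLS = {"coremessaging.dll", "textshaping.dll"}
# Archive-name pattern from the fake Malwarebytes campaign (X.X.X = any version)
LURE_NAME_RE = re.compile(r"^malwarebytes-windows-github-io-\d+\.\d+\.\d+\.zip$", re.I)


def triage_zip(archive_name, data):
    """Return a list of human-readable findings for a ZIP archive given as bytes."""
    findings = []
    if LURE_NAME_RE.match(archive_name):
        findings.append("archive name matches fake-Malwarebytes lure pattern")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    # Group entries by directory: sideloading needs the DLL next to the EXE
    by_dir = {}
    for n in names:
        d, _, base = n.rpartition("/")
        by_dir.setdefault(d, []).append(base.lower())
    for d, bases in by_dir.items():
        exes = [b for b in bases if b.endswith(".exe")]
        dlls = [b for b in bases if b in SIDELOAD_DLLS]
        if exes and dlls:
            findings.append(f"sideload pair in '{d or '.'}': {exes[0]} + {dlls[0]}")
            # Benign-looking text files were one of the pivots used in the reporting
            if any(b.endswith(".txt") for b in bases):
                findings.append("benign-looking text files bundled with sideload pair")
    return findings


def build_sample(entries):
    """Build an in-memory ZIP from {path: bytes}; used only for constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


# Constructed sample mimicking the reported lure layout (contents are placeholders)
SAMPLE = build_sample({
    "Malwarebytes/Setup.exe": b"MZ placeholder",
    "Malwarebytes/CoreMessaging.dll": b"MZ placeholder",
    "Malwarebytes/readme.txt": b"placeholder",
})

if __name__ == "__main__":
    for f in triage_zip("malwarebytes-windows-github-io-5.1.2.zip", SAMPLE):
        print("FINDING:", f)
```

A clean archive (an EXE with no look-alike DLL beside it) produces no findings, so the script can be run over a download directory to surface only archives worth a closer look.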

Timeline

  1. Jan 19, 2026

    Researchers disclose fake Malwarebytes DLL sideloading infostealer campaign

    Researchers publicly disclosed the fake Malwarebytes campaign, detailing its use of DLL sideloading, behavioral fingerprints, and secondary-stage stealer detections. They said the payloads targeted browser data, cryptocurrency assets, and MFA-related information.

  2. Jan 19, 2026

    CloudSEK reports RedLineCyber Discord clipper campaign

    CloudSEK publicly reported that RedLineCyber was impersonating an affiliate of RedLine Solutions to distribute Python-based clipboard hijacker malware through Discord. The malware replaced copied cryptocurrency wallet addresses with attacker-controlled ones and targeted assets including Bitcoin, Ethereum, Solana, Dogecoin, Litecoin, and Tron.

  3. Jan 19, 2026

    Researchers report GhostPoster campaign tied to 17 malicious extensions

    Researchers said the GhostPoster campaign involved 17 malicious browser extensions with more than 840,000 installs across Chrome, Firefox, and Edge. LayerX Security, building on an initial finding by Koi Security, linked the extensions through shared infrastructure and described the activity as a coordinated financially motivated operation.

  4. Jan 15, 2026

    Researchers link fake Malwarebytes lures to broader fake installer infrastructure

    During analysis of the January 2026 activity, researchers used a behavioral hash, unusual DLL metadata, and benign-looking text files in the archives to pivot to related infrastructure. This connected the operation to additional fake installers themed as Logitech G Hub, OpenIV, and Asus Armoury Crate.

  5. Jan 11, 2026

    Fake Malwarebytes installer campaign is observed

    Researchers observed a malware campaign between January 11 and January 15, 2026 that impersonated Malwarebytes installers using ZIP archives named in a malwarebytes-windows-github-io-X.X.X.zip pattern. The archives used DLL sideloading by bundling a legitimate executable with a malicious CoreMessaging.dll to launch infostealer payloads.

  6. Dec 1, 2025

    CloudSEK identifies RedLineCyber through HUMINT

    CloudSEK's STRIKE team identified a cybercrime actor it calls RedLineCyber in December 2025. The actor was observed infiltrating private Discord communities tied to gaming, gambling, and streaming to socially engineer cryptocurrency users and influencers.

  7. Jan 19, 2021

    GhostPoster browser extension campaign begins operating in official stores

    A coordinated malicious extension operation later dubbed GhostPoster was active across the Chrome, Firefox, and Microsoft Edge stores, with some extensions persisting undetected for up to five years. The campaign used legitimate-looking extension names and evasion techniques such as steganography, delayed execution, and runtime-decoded payloads.


Related Stories

Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware

Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.

1 month ago
Social-engineering malware delivery via trusted installation and download paths

Security researchers reported two active/feasible malware-delivery patterns that abuse user trust in “normal” software acquisition flows rather than exploiting a specific browser or OS vulnerability. LayerX demonstrated a proof-of-concept Chrome add-on (*Totally Innocent Extension*) that can **silently modify executables as they are downloaded**—including from legitimate vendor sites—by appending attacker-controlled code without breaking the original application or requiring additional extension permissions, enabling follow-on outcomes such as persistence, lateral movement, and data theft. The researchers said the technique highlights gaps in browser extension security controls; Google and Mozilla did not acknowledge it as a product issue, with Google indicating social-engineering-driven intrusions fall outside its browser threat model. Separately, Push Security documented **InstallFix**, a new variant of the ClickFix social-engineering technique, where attackers clone installation pages for popular CLI tools and replace the install steps with malicious “copy/paste” commands (e.g., `curl`-to-shell patterns) that fetch payloads from attacker infrastructure. A noted example used a cloned *Claude Code* (Anthropic) CLI install page that preserved legitimate branding and redirected most links back to the real site, while only the macOS/Windows install instructions delivered malware; the pages were promoted via **Google Ads malvertising** for searches like “Claude Code install,” increasing the likelihood of developer and non-developer victims executing the malicious commands.

1 month ago
Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services

Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users. Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages—enabling credential theft and potential ransomware follow-on. 
Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.

1 month ago
