Social Engineering and Malware Campaigns Using Diverse Lures and Delivery Chains
Multiple reports describe distinct malware and intrusion campaigns active across enterprise, government, developer, and consumer targets, rather than a single shared incident. The activity includes vishing-led abuse of Quick Assist for remote access and persistence, a .NET AOT malware chain delivering Rhadamanthys and XMRig, renewed Horabot banking Trojan activity using fake CAPTCHA and mshta, a compromised Open VSX extension that fetched BlokTrooper payloads, and a Middle East-focused Ramadan coupon lure delivering a RAT with AWS S3-based exfiltration. Additional reporting covers Operation CamelClone, which used government-themed spear-phishing and LNK files to steal data with Rclone, and Contagious Trader, a cryptocurrency-focused campaign tied to malicious GitHub and npm projects.
One reference stands apart as vulnerability research rather than campaign reporting: watchTowr detailed pre-authenticated RCE chains in BMC FootPrints, which is a separate product security disclosure and not part of the malware operations described elsewhere. Because the references cover unrelated incidents, malware families, and victim sets, the material should not be treated as one cohesive event. It is also not fluff, as the sources contain substantive threat intelligence, technical analysis, exploit research, and incident tradecraft rather than marketing or generic advice.
Timeline
Mar 19, 2026
Horabot resurgence in Mexico reported publicly
A follow-on report highlighted Horabot's re-emergence in Mexico, summarizing the multi-stage phishing chain, email worm behavior, and the scale of infections previously uncovered by researchers. The report reinforced that the campaign had been active since May 2025 and heavily targeted Mexican users.
Mar 18, 2026
Blackpoint details Quick Assist vishing intrusion tied to Tsundere Netto
Blackpoint Security described an intrusion in which a threat actor impersonated IT support over voice calls and convinced a user to grant access through Microsoft Quick Assist. Once inside, the operator staged payloads and used Node.js and Deno to run modular follow-on malware; the activity was linked with high confidence to the Tsundere Netto botnet.
Mar 18, 2026
Aikido reports compromised fast-draft Open VSX releases
Aikido disclosed that multiple fast-draft extension versions published to Open VSX were malicious, while other versions appeared clean, suggesting a compromised publisher account or stolen publishing token. The second-stage payload deployed the BlokTrooper framework, including a Socket.IO RAT, browser and wallet theft, document exfiltration, and clipboard monitoring across Windows, macOS, and Linux.
Mar 18, 2026
Securelist publishes technical analysis and detections for Horabot
Securelist documented the active Horabot campaign's fake CAPTCHA lure, mshta-based execution chain, Delphi banking trojan payload, and PowerShell email spreader. The report also released YARA rules, a Suricata signature, hunting guidance, and indicators of compromise for detection.
Mar 18, 2026
CloudSEK uncovers Ramadan coupon malware campaign in the Middle East
CloudSEK reported a socially engineered campaign using fake Ramadan discount offers and a malicious document impersonating AlCoupon to target Windows users in the Middle East. The infection chain used a hidden VBA macro and C# loader to deploy the Ftu4You RAT, with exfiltration routed through AWS S3 presigned URLs.
Mar 18, 2026
Researchers report .NET AOT malware delivering Rhadamanthys and XMRig
Howler Cell identified a multi-stage malware campaign using .NET Ahead-of-Time compilation to hinder analysis and evade detection. The chain used a ZIP-delivered loader to fetch additional payloads, including the Rhadamanthys infostealer and an XMRig miner, while a host-scoring system screened out sandbox environments.
Mar 17, 2026
Contagious Trader campaign weaponizes crypto bot repos and npm packages
A large campaign dubbed Contagious Trader used malicious GitHub cryptocurrency trading bot repositories and 37 npm packages to steal private keys and sensitive files and to establish persistence, including SSH backdoors on some Linux systems. The activity was attributed with high confidence to North Korean operators based on overlaps with Lazarus-linked tradecraft and infrastructure patterns.
Mar 17, 2026
CamelClone espionage campaign targets government and diplomatic entities
Operation CamelClone targeted government, defense, and diplomatic organizations in Algeria, Mongolia, Ukraine, and Kuwait with spear-phishing ZIP archives disguised as official correspondence. The infection chain used LNK files, hidden PowerShell, the HOPPINGANT JavaScript loader, and Rclone to steal documents and Telegram Desktop session data via public file-sharing sites and MEGA.
Mar 12, 2026
BlokTrooper issue disclosed to fast-draft maintainer
Researchers disclosed the malicious fast-draft Open VSX extension activity to the maintainer via GitHub issue #565. The issue was opened on March 12, 2026 and remained unanswered at the time of reporting.
Feb 1, 2026
CamelClone operators create MEGA accounts for exfiltration
Researchers identified four MEGA accounts linked to Operation CamelClone that were created in February and March 2026. The accounts were used as part of the campaign's cloud-based exfiltration and staging infrastructure.
Feb 1, 2026
Huntress links fake tech support intrusions to customized Havoc implants
Huntress documented a February 2026 intrusion cluster affecting five partner organizations in which attackers used spam emails and fake IT support calls to obtain Quick Assist or RMM access, harvest credentials through a fake Outlook Antispam Control Panel, and deploy customized Havoc Demon payloads via DLL sideloading. The operators moved to nine additional endpoints within about eleven hours and used modified Havoc features, including registry-based fallback C2 recovery, while their tradecraft overlapped with Black Basta and FIN7-style activity.
May 1, 2025
Horabot campaign begins infecting victims, mostly in Mexico
An exposed Horabot victim panel showed infections dating back to May 2025, with 5,384 victims recorded and about 93% located in Mexico. The campaign used Spanish-language lures while infrastructure and code artifacts suggested Brazilian operator ties.
Related Stories

Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. 
Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
1 month ago
Inbound Social Engineering and Malware Delivery Campaigns Targeting Crypto, Web3, and Enterprises
Multiple reports describe **social-engineering-led initial access** that pivots into malware execution and credential/financial theft. A documented “pig butchering” approach abuses the higher-trust dynamics of matrimonial platforms to build rapport and then steer victims toward cryptocurrency-related actions. Separately, an “inbound” recruitment lure targets **Web3/crypto professionals** by impersonating legitimate companies and driving candidates to install fake interview software (e.g., `collaborex_setup.msi`) that initiates command-and-control to infrastructure such as `179.43.159.106`, with the added risk that victims often use corporate endpoints that also have personal wallets installed. In parallel, technical reporting highlights enterprise-focused malware delivery via trojanized software and email. **ValleyRAT_S2** (a C++ second-stage backdoor/RAT) is being distributed via fake Chinese-language productivity tools, cracked software, and trojanized installers, including **DLL side-loading** (e.g., a malicious `steam_api64.dll`) and C2 over custom TCP (e.g., `27.124.3.175:14852`), enabling long-term control and theft of financial data. Kaspersky also reported a malicious-email wave against Russian private-sector organizations using a PDF-icon masquerade that drops a .NET downloader, installs a persistent service, and stages payloads under `C:\ProgramData\Microsoft Diagnostic\Tasks` before delivering an **infostealer**. A separate blog post discusses phishing enabled by **misconfigured Microsoft 365/hybrid Exchange mail routing and weak SPF/DKIM/DMARC enforcement**, allowing spoofed “internal” emails that can facilitate credential theft and BEC; while related in theme (phishing), it is not clearly tied to the same malware campaigns described elsewhere.
3 weeks ago
Security Research Roundup: Supply-Chain Malware, Phishing Operations, and Evolving Social Engineering
Multiple security reports and investigations highlighted active threats spanning software supply chain abuse, phishing operations, and commodity malware delivery. Socket identified **four malicious NuGet packages** (e.g., *NCryptYo*, *DOMOAuth2_*, *IRAOAuth2.0*, *SimpleWriter_*) published by `hamzazaheer` that targeted **ASP.NET** developers by exfiltrating ASP.NET Identity data (users/roles/permissions) and manipulating authorization to maintain persistence; the campaign used a staged loader that set up a local proxy on `localhost:7152` to relay traffic to dynamically resolved C2 infrastructure. Separately, investigators disrupted a logistics-focused **phishing-as-a-service** operation (“**Diesel Vortex**”) tied to Russian/Armenian operators, which used dozens of domains to target users of platforms such as **DAT**, **Truckstop**, **Penske Logistics**, **EFS**, and **Timocom**, resulting in theft of over **1,600 credentials** and attempted **EFS check fraud**. Fortinet also detailed a **multi-stage Agent Tesla** infection chain delivered via phishing with RAR attachments leading to `.jse` and PowerShell stages, culminating in in-memory execution and process hollowing into `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe`. Threat intelligence and ecosystem reporting also underscored how attackers are scaling operations and bypassing traditional controls. Group-IB reported **MuddyWater** (“Operation Olalampo”) targeting the **MENA** region with new tooling including **GhostFetch** and a Rust backdoor (**CHAR**) controlled via **Telegram**, plus variants that deploy **AnyDesk**; the report noted indicators consistent with **AI-assisted development**. 
Dark Reading described the rise of **telephone-oriented attack delivery (TOAD)** emails—messages containing only a phone number—which accounted for a significant share of gateway-bypassing detections in StrongestLayer’s dataset, reflecting a shift toward social-engineering paths that evade link/attachment scanning. Confiant reported disrupting **D-Shortiez** malvertising operations after discovering exposed internal testing/admin infrastructure, attributing **59 million** malicious ad impressions (primarily US-targeted) to scam campaigns, while Interpol-backed **Operation Red Card 2.0** reported **651 arrests** and **$4.3M** recovered across 16 African countries in actions against fraud rings and cybercrime syndicates.
1 month ago