Multiple reports describe social-engineering campaigns that use trusted-looking lures (meeting invites, public-safety alerts, and official-looking documents) to drive victims to install malware or disclose credentials. Microsoft researchers reported a wave of fake Zoom/Teams/Adobe update sites reached via meeting-invite and document lures; the downloaded executables were signed with a compromised EV code-signing certificate (issued to TrustConnect Software PTY LTD) and acted as droppers for remote monitoring and management (RMM) tools, enabling persistent access. Separately, ClearSky described a suspected Russian espionage phishing operation targeting Ukraine that delivers a ZIP containing a Ukrainian-language border-crossing “permit” document, installing a loader (BadPaw) and a backdoor (MeowMeow) with file manipulation capabilities and sandbox/VM evasion; attribution was assessed as high confidence to a Russian state-aligned actor and low confidence to APT28.
Mobile-focused lures were also reported: CloudSEK detailed SMS phishing targeting Israeli civilians with a trojanized Red Alert rocket-warning app, using a multi-stage loader chain to deploy spyware with banking trojan capabilities and exfiltrate SMS, contacts, and location to attacker infrastructure—raising concerns about surveillance and erosion of trust in official alerting. Other items in the set are either broader research or consumer-oriented scam advisories: a Zimperium write-up on the Android “Massiv” IPTV-app disguise highlights overlay-based banking fraud techniques, while Kaspersky’s mobile threat landscape report provides 2025 ecosystem statistics; two OnlineThreatAlerts posts describe generic smishing patterns (Amazon “refund” and flood-warning texts) without tying to a specific, evidenced campaign or new technical findings.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
In the same March 4 reporting, ClearSky said with high confidence that the Ukraine-focused malware campaign was conducted by a Russian state-aligned actor and with low confidence linked it to APT28. The report did not identify specific victims or confirm whether the operation successfully compromised targets.
ClearSky disclosed a suspected Russian espionage campaign against Ukraine using phishing emails that delivered a ZIP archive with a Ukrainian-language decoy document. The infection chain installed the BadPaw loader and the MeowMeow backdoor, which included anti-analysis checks and file-manipulation capabilities.
CloudSEK and Acronis described a cyberespionage campaign targeting Israelis via SMS phishing with a trojanized Red Alert/Oref Alert app. The malware harvested SMS messages, contacts, location data, and credentials, maintained persistence, and exfiltrated data to attacker-controlled infrastructure; Acronis said the activity may be linked to Arid Viper.
Acronis Threat Research Unit identified a malicious Android app on March 1, 2026, after Israeli citizens reported SMS scam messages on social media. The campaign impersonated Israel's official rocket-warning services and used shortened links to deliver spyware disguised as an emergency-alert app.
Microsoft Defender Security Research Team said a phishing campaign began around February 2026, using fake Zoom, Microsoft Teams, and Adobe Reader update sites tied to meeting-invite lures. The attackers used a compromised Extended Validation code-signing certificate associated with TrustConnect Software PTY LTD to make the malware appear legitimate.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
go.theregister.com
Open sourcehackread.com
Open sourcescworld.com
Open sourcetherecord.media
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.