Multiple reports highlight a surge in social-engineering-led initial access, with attackers increasingly relying on trusted-looking delivery mechanisms rather than novel exploits. Microsoft-described activity impersonates Zoom, Microsoft Teams, and Adobe Reader updates and uses stolen Extended Validation (EV) code-signing certificates (including one issued to TrustConnect Software PTY LTD) to make malicious executables appear legitimate; lures include fake meeting invites and deceptive download sites, and payloads commonly install RMM tooling such as ScreenConnect and MeshAgent for persistent access, followed by additional tooling via encoded PowerShell. Separately, Moonlock reported a ClickFix-style operation targeting crypto/Web3 professionals via fake venture capital personas on LinkedIn, redirecting victims through Calendly to spoofed video-conferencing pages to induce execution of attacker-supplied commands, with infrastructure tied to multiple fake firms (e.g., SolidBit Capital, MegaBit, Lumax Capital) and domains attributed to a single registrant.
In parallel, NCC Group’s Fox-IT assessed that messaging platforms (e.g., WhatsApp, Telegram, Discord, Signal, LinkedIn messaging) are increasingly used to deliver phishing links, malicious attachments, QR codes, and fake invitations while bypassing traditional email controls, and that Telegram in particular is also used to host phishing infrastructure, malware repositories, and bot-enabled fraud services. One referenced item is materially different from the above social-engineering theme: reporting on suspected DPRK-linked intrusions into cryptocurrency organizations describes web-app exploitation (including CVE-2025-55182 in React2Shell) and the use of pre-obtained AWS access tokens to steal source code, private keys, and cloud secrets—an intrusion set focused on direct compromise and theft rather than the phishing/update-impersonation and messaging-platform delivery techniques described elsewhere.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Microsoft reported that the February 2026 phishing campaign used fake meeting invitations, deceptive download sites, and signed payloads that installed remote monitoring and management tools such as ScreenConnect and MeshAgent. The company said the activity also used encoded PowerShell to fetch additional tooling, underscoring that code-signing trust alone is insufficient.
NCC Group's Fox-IT reported that attackers are increasingly using platforms such as WhatsApp, Telegram, Discord, Signal, LinkedIn, and integrated messaging services for phishing, payload delivery, and coordination. The report also highlighted Telegram's role as infrastructure for phishing pages, malware hosting, stolen data, and bot-driven criminal services.
Moonlock linked the campaign's malicious domains to a single registrant, identified as Anatolli Bigdasch in Boston, and found additional fake fronts including MegaBit and Lumax Capital. The findings showed the operators were rotating investor identities and decoy sites as exposure increased.
A phishing campaign began in February 2026 targeting office workers with fake software update installers for applications such as Zoom, Microsoft Teams, and Adobe Reader. The attackers used stolen or compromised digital certificates so the malicious executables appeared trustworthy and could bypass some security controls.
In early 2026, researchers first tracked a coordinated campaign targeting cryptocurrency and Web3 professionals through LinkedIn social engineering and fake venture capital personas. The operation used a ClickFix lure chain involving a fake investor identity, Calendly scheduling, and spoofed video-conferencing pages to trick victims into running attacker-supplied commands.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourceblog.knowbe4.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.