DLL Sideloading Campaigns Spread RATs via Fake FileZilla and Tax Phishing Lures
Attackers distributed remote-access malware through two distinct delivery chains: a fake FileZilla website serving trojanized installers and phishing emails impersonating South Korea’s National Tax Service. In the FileZilla campaign, victims received either a portable archive containing a malicious version.dll for DLL sideloading or a bundled installer that deployed legitimate FileZilla alongside a rogue DLL in the install path. The malware acted as a multi-stage loader, decrypting payloads in memory before launching a RAT that could steal credentials, log keystrokes, capture screenshots, and provide HVNC-based remote control. The operators also used DNS-over-HTTPS to Cloudflare’s resolver to look up welcome.supp0v3[.]com, likely to reduce visibility to DNS-based defenses, and included anti-analysis checks for VMware and VirtualBox environments.
In the tax-themed campaign, recipients were lured to spoofed tax-notice pages and prompted to download a ZIP archive containing a legitimate signed Intel executable, a malicious sideloaded DLL, and an encrypted BIN payload. The malware decrypted shellcode and a RAT/backdoor from vulkan-1.bin using a modified RC4 routine, then established persistence through a service named "Microsoft Compatibility system". Researchers said the backdoor supports remote control, privilege escalation, process injection, file theft, and lateral movement over RPC. Infrastructure analysis linked the activity to multiple variants and multilingual lures, including impersonation of tax and court authorities in Malaysia and India, indicating an organized, evolving multi-country operation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers link tax-phishing malware to broader ongoing campaign
Analysis of the malware and infrastructure identified multiple variants, multilingual phishing content, and persistence via a service named "Microsoft Compatibility system." The report assessed the activity as an ongoing campaign that continues to be updated and supports remote control, privilege escalation, process injection, file theft, and lateral movement via RPC.
South Korea tax-investigation phishing campaign distributes backdoor
A phishing campaign impersonating South Korea's National Tax Service was observed sending fake tax investigation notices to corporate users. Victims were directed to a spoofed page and prompted to download a ZIP archive containing a legitimate signed Intel executable, a malicious sideloaded DLL, and an encrypted BIN payload.
Alyac documents FileZilla malware campaign technical details
Researchers reported that the FileZilla-themed malware used a multi-stage loader, DNS-over-HTTPS to Cloudflare's resolver to reach the C2 domain welcome.supp0v3[.]com, anti-VM checks, and a final RAT capable of credential theft, keylogging, screenshots, and HVNC-based remote control.
Fake FileZilla site used to distribute trojanized installers
Attackers set up a fake website impersonating the official FileZilla site to distribute malware through trojanized installers. The campaign used both a portable archive with a malicious version.dll for DLL sideloading and a single executable that installed legitimate FileZilla while dropping a malicious DLL.
Malwarebytes identifies trojanized FileZilla site and portable installer
Malwarebytes reported a campaign using the fake domain filezilla-project[.]live to distribute a trojanized portable FileZilla 3.69.5 package. The installer abused DLL sideloading via a malicious version.dll to steal saved FTP credentials and communicate with command-and-control infrastructure.
Multi-country tax-themed phishing campaign begins
A malware campaign using tax and legal notification lures began around mid-December 2025, targeting users with spoofed government-themed messages. Related content and infrastructure indicate activity spanning South Korea, Malaysia, and India.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
국세청 세무조사 사칭 피싱 메일을 통해 유포 중인 백도어 악성코드
blog.alyac.co.kr
Open source가짜 FileZilla 사이트를 이용한 악성코드 유포
blog.alyac.co.kr
Open sourceTrojanized FileZilla FTP Client Targets Developer Credentials via DLL Sideloading • Daily CyberSecurity
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple RAT Delivery Campaigns Using Phishing and Trojanized Software
Security researchers reported several unrelated **remote access trojan (RAT)** delivery campaigns using different initial access vectors and lures. Seqrite Labs described “**Operation Covert Access**,” a spear‑phishing operation targeting Argentina’s judiciary with a ZIP attachment containing a convincing court-resolution decoy; execution is triggered by a malicious `LNK` masquerading as a PDF, which launches hidden PowerShell to fetch additional stages from a GitHub repository, culminating in a custom **Rust-based RAT** that attempts to blend in by renaming itself (e.g., `msedge_proxy.exe`). Separately, AhnLab Security Intelligence Center reported South Korea-focused activity distributing **RemcosRAT** through illegal online gambling-related tools and trojanized *VeraCrypt* installers, using embedded malicious VBS scripts and a multi-stage chain that ultimately deploys a RAT capable of surveillance and data theft (e.g., keylogging, screenshot/webcam/mic capture, credential/data harvesting). Another campaign documented by ReliaQuest abused **LinkedIn private messages** to deliver a bundled legitimate application alongside a malicious DLL for **DLL sideloading**, enabling RAT deployment under the guise of a trusted process; the reporting emphasized that social platforms can serve as effective phishing channels beyond email and that the technique is portable to other commonly used business messaging platforms.
Mar 21, 2026
LNK-Based Malware Campaigns Deliver PlugX and Custom .NET RAT
Researchers documented two separate but related **LNK-driven intrusion chains** that used shortcut files as the initial lure to fetch additional malware from attacker-controlled infrastructure. In one campaign targeting organizations in the **Arabian Gulf region**, a China-nexus threat actor used a Middle East conflict-themed ZIP archive containing an LNK file that downloaded a malicious CHM file and ultimately deployed a **PlugX** backdoor. The infection chain progressed through a second LNK, a TAR archive, DLL sideloading, and a shellcode loader before installing PlugX with persistence under a fake Microsoft Display Broker path and service name. The malware used RC4-encrypted components, API hooking, reflective DLL loading, corrupted PE headers, and support for **TCP, HTTPS, UDP, and DoH** communications, with a decrypted command-and-control endpoint at `91.193.17[.]117:443` and plugins for keylogging, shell access, screen capture, registry, service, and network operations. A second investigation exposed a live **LNK-to-DLL-to-.NET RAT** operation staged from an open Apache directory on `wildishadventure[.]com/secure9/` and `171.22.182[.]231/secure9/`, where researchers recovered weaponized LNK files, custom DLL downloaders, backup files, and a final payload named `RemoteMgmt.Agent.exe`. That chain abused the legacy `ActiveXObject('htmlfile')` technique to force Windows to retrieve DLLs over UNC paths, then delivered a custom .NET 4.8 remote access trojan that supported command execution, token-based authentication, JSON-over-raw-TCP C2 over port 443, reconnect-based persistence, and logging to `%TEMP%\rmgmt_agent.log`. Operational security failures including exposed directory indexing, `.old` backups, test builds, and unstripped internal names allowed investigators to reconstruct the malware’s development workflow and identify infrastructure spanning **BlueVPS**, **Namecheap**, and **Cloudflare**.
Apr 25, 2026
Phishing and Trojanized Installers Deliver Remote Access Trojans via Multi-Stage, Evasion-Focused Infection Chains
Multiple active malware campaigns are delivering **remote access trojans (RATs)** using deceptive lures and multi-stage execution chains designed to evade endpoint defenses. Malwarebytes reported a campaign dubbed **DEAD#VAX** that distributes a file masquerading as a “PDF” but actually delivered as a **virtual hard disk (`.vhd`)** hosted via **IPFS**; when opened, Windows mounts the VHD and the victim is tricked into launching a **Windows Script File (`.wsf`)** that ultimately deploys **AsyncRAT**. The chain includes anti-analysis checks and **process injection** into Microsoft-signed binaries such as `RuntimeBroker.exe`, `OneDrive.exe`, `taskhostw.exe`, and `sihost.exe`, enabling hands-on-keyboard remote control while minimizing obvious on-disk artifacts. Separately, reporting described **DesckVB RAT v2.9**, a modular **.NET** RAT using an obfuscated **WSH JavaScript** stager followed by **PowerShell**-based anti-analysis checks and an in-memory (“fileless”) loader, emphasizing persistence and a plugin-based architecture for post-compromise capabilities. Another campaign distributes **ValleyRAT** disguised as a legitimate *LINE* installer, targeting **Chinese-speaking users**; it attempts to weaken defenses by using PowerShell to add broad **Windows Defender exclusions**, performs sandbox checks (e.g., mutex/file-locking behaviors), and uses advanced injection (reported as **PoolParty Variant 7** via Windows I/O completion ports) to hide within trusted processes while stealing credentials and maintaining C2 communications.
Mar 21, 2026