
GOVERSHELL backdoor delivered through malicious archives and DLL side-loading

Malware Activity
1 unique source, 1 article

Summary


The GOVERSHELL backdoor is being delivered through ZIP and RAR archives that launch a rogue DLL via DLL side-loading, creating a live Windows malware threat for targeted recipients. The family is actively developed and has produced five observed variants since April 2025, showing continued operator investment. Its payloads can run commands with cmd.exe and PowerShell, poll external servers, and adjust execution behavior over time.

Related Happenings

WhatsApp-delivered VBS Windows infection campaign

Campaign
First: 01.04.2026 14:49 Last: 01.04.2026 14:49 Sources 1

About this happening: A **new WhatsApp-delivered campaign** is spreading malicious **VBS files** that launch a **multi-stage Windows infection chain**, raising the risk of persistence and remote access...

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First: 03.03.2026 11:20 Last: 03.03.2026 11:20 Sources 1

About this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...

ClickFix nslookup-delivered ModeloRAT activity

Malware Activity
First: 17.02.2026 19:03 Last: 17.02.2026 19:03 Sources 1

About this happening: The **ClickFix** infection chain now uses **nslookup** to deliver **ModeloRAT**, increasing the chance that **Windows** users will self-infect and hand attackers remote control. T...

Mustang Panda PlugX DOPLUGS deployment chain for persistent access

Malware Activity
First: 04.02.2026 16:09 Last: 04.02.2026 16:09 Sources 1

About this happening: **Mustang Panda (TA416)** used **malicious ZIP/LNK chains** to deliver its custom **PlugX/DOPLUGS** payload and maintain **persistent access** on compromised hosts. The activity t...

ClickFix fake CAPTCHA campaign delivering Amatera

Campaign
First: 26.01.2026 23:42 Last: 26.01.2026 23:42 Sources 1

About this happening: A **ClickFix** campaign now uses a **fake CAPTCHA** and a signed **Microsoft App-V** script to deliver **Amatera** to **Windows** victims, raising the risk of credential theft and...

Timeline

  1. 09.10.2025 20:19 · 2 articles

    GOVERSHELL campaign disclosure and analysis

    Initial Disclosure

    UTA0388, a China-aligned threat actor, conducted tailored spear-phishing against targets in North America, Asia, and Europe to deliver the Go-based backdoor GOVERSHELL through ZIP or RAR archives and DLL side-loading. The activity overlapped with Proofpoint's UNK_DropPitch cluster. The actor abused services such as Netlify, Sync, and OneDrive to stage the archives, used Proton Mail, Microsoft Outlook, and Gmail accounts for delivery, and deployed five observed GOVERSHELL variants first seen between April 2025 and September 2025. Volexity also assessed that OpenAI ChatGPT was used to generate phishing content and support malicious workflows.
