GOVERSHELL multi-variant phishing-delivered malware activity
Malware Activity
Summary
The GOVERSHELL malware was observed in five evolving variants, raising the risk of remote command execution and persistent access on infected systems. The payload was delivered through malware-laden archive files that paired a legitimate-looking executable with a hidden DLL. Later variants added encrypted WebSocket and HTTPS channels, indicating a more capable remote-access toolset.
Related Happenings
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware Activity
First: 03.03.2026 11:20
Last: 03.03.2026 11:20
Sources 1
About this happening:
**ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
SloppyLemming BurrowShell and Rust-based keylogger activity
Malware Activity
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources 1
About this happening:
**SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...
LummaStealer infection surge via CastleLoader
Malware Activity
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Amnesia RAT retrieved from Dropbox for data theft and remote control
Malware Activity
First: 24.01.2026 13:09
Last: 24.01.2026 13:09
Sources 1
About this happening:
The **Amnesia RAT** payload is being staged from **Dropbox**, giving the operators a **remote-access trojan** that can steal data and control infected endpoints. It is the final s...
Timeline
- 10.11.2025 18:00 · 2 articles · 6mo ago
GOVERSHELL multi-variant phishing-delivered malware activity
Initial Disclosure
In the earliest observed phase, **GOVERSHELL** was delivered through phishing archives that bundled a legitimate-looking executable with a hidden malicious **DLL**. Opening the archive triggered **search order hijacking**, giving the attacker remote access.
Sources
- China-Aligned UTA0388 Uses AI Tools in Global Phishing Campaigns — www.infosecurity-magazine.com — 10.11.2025 18:00