GOVERSHELL multi-variant phishing-delivered malware activity
Malware Activity
Summary
Hide ▲
Show ▼
The GOVERSHELL malware was observed in five evolving variants, raising the risk of remote command execution and persistent access on infected systems. The payload was delivered through malware-laden archive files that paired a legitimate-looking executable with a hidden DLL. Later variants added encrypted WebSocket and HTTPS channels, indicating a more capable remote-access toolset.
Related Happenings
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware Activity
H score20
First: 08.05.2026 21:12
Last: 08.05.2026 21:12
Sources 1
About this happening:
**TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
TCLBANKER banking trojan activity targeting 59 financial platforms
Malware ActivityAbout this happening: **TCLBANKER** is a newly documented **Brazilian banking trojan** that can hit **59 banking, fintech, and cryptocurrency platforms**, increasing the risk of credential theft and re...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware Activity
H score19
First: 03.03.2026 11:20
Last: 03.03.2026 11:20
Sources 1
About this happening:
**ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware ActivityAbout this happening: **ZIP-delivered malware** now uses a **PowerShell** and **DLL side-loading** chain to infect Windows devices and reach an external **C2 server**, increasing the risk of follow-on...
SloppyLemming BurrowShell and Rust-based keylogger activity
Malware Activity
H score26
First: 03.03.2026 08:53
Last: 03.03.2026 08:53
Sources 1
About this happening:
**SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...
SloppyLemming BurrowShell and Rust-based keylogger activity
Malware ActivityAbout this happening: **SloppyLemming** deployed **BurrowShell** and a **Rust-based keylogger** through **two attack chains**, expanding its malware toolkit for **backdoor access**, **credential theft*...
LummaStealer infection surge via CastleLoader
Malware Activity
H score30
First: 11.02.2026 19:02
Last: 11.02.2026 19:02
Sources 1
About this happening:
The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
LummaStealer infection surge via CastleLoader
Malware ActivityAbout this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...
Latest development: 06.03.2026 08:44
Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().
Timeline
-
10.11.2025 18:00 2 articles · 8mo ago
GOVERSHELL multi-variant phishing-delivered malware activity
Initial DisclosureIn the earliest observed phase, **GOVERSHELL** was delivered through phishing archives that bundled a legitimate-looking executable with a hidden malicious **DLL**. Opening the archive triggered **search order hijacking**, giving the attacker remote access.
Show sources
- China-Aligned UTA0388 Uses AI Tools in Global Phishing Campaigns — www.infosecurity-magazine.com — 10.11.2025 18:00
- China-Aligned UTA0388 Uses AI Tools in Global Phishing Campaigns — www.infosecurity-magazine.com — 10.11.2025 18:00