OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware Activity
Summary
ZIP-delivered malware now uses a PowerShell and DLL side-loading chain to infect Windows hosts and reach an external C2 server, raising the risk of follow-on compromise. The payload arrives in a ZIP archive containing a LNK shortcut. Opening the shortcut launches PowerShell, which runs host reconnaissance commands; crashhandler.dll is then side-loaded through steam_monitor.exe, crashlog.dat is decrypted, and the final payload runs in memory and connects to external C2 infrastructure. The same delivery pattern is tied to OAuth phishing lures aimed at government and public-sector targets.
Related Happenings
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware Activity
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations
Campaign
First: 28.04.2026 08:50
Last: 28.04.2026 08:50
Sources 1
About this happening:
A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...
BlackSanta EDR killer malware activity targeting HR departments
Malware Activity
First: 11.03.2026 00:57
Last: 11.03.2026 00:57
Sources 1
About this happening:
The **BlackSanta** malware operation has run for **more than a year**, targeting **HR departments** and using an **EDR killer** to weaken host defenses before payload execution. T...
Transparent Tribe AI-assisted implant campaign targeting India
Campaign
First: 06.03.2026 17:11
Last: 06.03.2026 17:11
Sources 1
About this happening:
**Transparent Tribe (APT36)** is using **AI-powered coding tools** to mass-produce disposable implants in an active **campaign** targeting the **Indian government**, its embassies...
InstallFix Claude Code malvertising campaign
Campaign
First: 06.03.2026 17:00
Last: 06.03.2026 17:00
Sources 1
About this happening:
**InstallFix** is being used in an active **malvertising** operation that pushes cloned **Claude Code** install pages and malicious CLI instructions, putting users who search for...
Timeline
03.03.2026 11:20 · 2 articles
Microsoft details OAuth redirect malware delivery chain
Technical Analysis Update
OAuth phishing campaigns targeting government and public-sector organizations use malicious apps, lure emails, and manipulated Entra ID or Google Workspace redirect flows to send victims to attacker-controlled landing pages. In some cases the landing page delivers a ZIP archive containing a LNK shortcut; opening the shortcut launches PowerShell, which runs host reconnaissance, sideloads crashhandler.dll through steam_monitor.exe, decrypts crashlog.dat, and executes a final payload in memory that connects to external C2 infrastructure.
- Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets — thehackernews.com — 03.03.2026 11:20
- Microsoft: Hackers abuse OAuth error flows to spread malware — www.bleepingcomputer.com — 03.03.2026 22:59
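The host-side part of the chain described in the summary and in the 03.03.2026 timeline entry (explorer.exe launching PowerShell from the LNK, reconnaissance commands, steam_monitor.exe side-loading crashhandler.dll, an outbound connection) is what endpoint telemetry can actually see, so the following Python script correlates Sysmon-style events into those stages and scores each explorer-spawned PowerShell process. It is an added example, not code from Microsoft or from either source article. Only the file names steam_monitor.exe and crashhandler.dll and the parent/child shape come from the page; the staging directory, the PowerShell switches, the reconnaissance command list, the user-writable directory markers, the process GUIDs and the IP addresses are all invented, and the events themselves are constructed records, not captured telemetry.

```python
"""Correlate constructed Sysmon-style events (EventID 1 process create, 7 image
load, 3 network connect) into the chain's host-side stages: explorer.exe ->
powershell.exe (via the LNK), recon, steam_monitor.exe side-loading crashhandler.dll,
outbound connection. Field names follow Sysmon; every value below is invented."""
import ipaddress
import ntpath
import re
from collections import defaultdict

# Assumed: directory markers treated as user-writable (where a ZIP gets extracted).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")
# Assumed: command names counted as host reconnaissance.
RECON_CMDS = ("whoami", "systeminfo", "ipconfig", "net user", "net group", "tasklist", "nltest")
# Assumed: PowerShell switches typical of LNK-launched loaders.
PS_SUSPICIOUS = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-enc\b|-encodedcommand"
                           r"|-e(p|xecutionpolicy)\s+bypass", re.I)
# Assumed: ranges treated as internal; any other destination is an external C2 candidate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def in_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)


def is_sideload(load):
    """Side-loading shape: DLL loaded from the executable's own directory, and that
    directory is user-writable. The same pair under Program Files is not flagged."""
    exe_dir, dll_dir = ntpath.dirname(load["Image"]), ntpath.dirname(load["ImageLoaded"])
    return exe_dir.lower() == dll_dir.lower() and in_user_writable(exe_dir + "\\")


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def detect_chain(events):
    """One finding per explorer-spawned PowerShell process that shows at least two of
    the four stages. Correlation is by ProcessGuid, never by the reusable PID."""
    procs = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    children, loads, conns = defaultdict(list), defaultdict(list), defaultdict(list)
    for e in procs.values():
        children[e["ParentProcessGuid"]].append(e)
    for e in events:
        if e["EventID"] == 7:
            loads[e["ProcessGuid"]].append(e)
        elif e["EventID"] == 3:
            conns[e["ProcessGuid"]].append(e)
    findings = []
    for ps in procs.values():
        if ntpath.basename(ps["Image"]).lower() not in ("powershell.exe", "pwsh.exe"):
            continue
        # The LNK leaves no process event of its own; its symptom is this parent/child pair.
        if ntpath.basename(ps["ParentImage"]).lower() != "explorer.exe":
            continue
        kids = children[ps["ProcessGuid"]]
        sideloaded = [(k, ld) for k in kids for ld in loads[k["ProcessGuid"]] if is_sideload(ld)]
        stages = {
            "lnk_powershell": bool(PS_SUSPICIOUS.search(ps["CommandLine"])),
            "recon": any(r in k["CommandLine"].lower() for k in kids for r in RECON_CMDS),
            "sideload": bool(sideloaded),
            "c2": any(is_external(c["DestinationIp"]) for k, _ in sideloaded for c in conns[k["ProcessGuid"]]),
        }
        score = sum(stages.values())
        if score >= 2:
            findings.append({"powershell_guid": ps["ProcessGuid"], "stages": stages, "score": score,
                             "sideloaded_dlls": sorted({ntpath.basename(ld["ImageLoaded"]).lower()
                                                        for _, ld in sideloaded})})
    return findings


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
STAGE = "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice"  # invented ZIP extraction directory
STEAM = "C:\\Program Files (x86)\\Steam"                   # benign control location
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # Malicious chain: the LNK target is PowerShell with hidden/bypass switches.
    {"EventID": 1, "ProcessGuid": "PS-1", "ParentProcessGuid": "EXP-1", "Image": PS,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'powershell.exe -w hidden -nop -ep bypass -c "Start-Process {STAGE}\\steam_monitor.exe"'},
    {"EventID": 1, "ProcessGuid": "REC-1", "ParentProcessGuid": "PS-1",
     "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami.exe /all"},
    {"EventID": 1, "ProcessGuid": "SM-1", "ParentProcessGuid": "PS-1",
     "Image": STAGE + "\\steam_monitor.exe", "CommandLine": "steam_monitor.exe"},
    {"EventID": 7, "ProcessGuid": "SM-1", "Image": STAGE + "\\steam_monitor.exe",
     "ImageLoaded": STAGE + "\\crashhandler.dll"},
    {"EventID": 3, "ProcessGuid": "SM-1", "DestinationIp": "203.0.113.44"},  # RFC 5737 stand-in
    # Benign control: a user-opened console, and the same binary/DLL pair under Program Files.
    {"EventID": 1, "ProcessGuid": "PS-2", "ParentProcessGuid": "EXP-1", "Image": PS,
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventID": 1, "ProcessGuid": "SM-2", "ParentProcessGuid": "STEAM-1",
     "Image": STEAM + "\\steam_monitor.exe", "CommandLine": "steam_monitor.exe"},
    {"EventID": 7, "ProcessGuid": "SM-2", "Image": STEAM + "\\steam_monitor.exe",
     "ImageLoaded": STEAM + "\\crashhandler.dll"},
    {"EventID": 3, "ProcessGuid": "SM-2", "DestinationIp": "10.0.0.5"},
]

if __name__ == "__main__":
    for f in detect_chain(SAMPLE_EVENTS):
        print(f["powershell_guid"], f["score"], f["stages"], f["sideloaded_dlls"])
```

Two design points matter in practice. First, the side-loading check keys on the DLL being loaded from the executable's own directory and that directory being user-writable, which is why the identical steam_monitor.exe/crashhandler.dll pair under Program Files scores nothing; Sysmon only emits EventID 7 when image loading is enabled in its configuration, so without it the sideload and C2 stages cannot be linked. Second, the decryption of crashlog.dat is a file read, which Sysmon's default events do not record, so that stage is not scored here; an EDR with file-read telemetry could add it as a fifth signal.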