Find notable cyber news and cases, enriched with sources, timelines, and signals.

OAuth-phished ZIP/LNK/PowerShell malware delivery chain

Malware Activity
First reported
Last updated
Happening score
H score 19
2 unique sources, 2 articles

Summary

Hide ▲

ZIP-delivered malware now uses a PowerShell and DLL side-loading chain to infect Windows devices and reach an external C2 server, increasing the risk of follow-on compromise. The payload arrives in a ZIP archive containing a LNK shortcut. Opening it triggers reconnaissance commands, then crashhandler.dll is sideloaded through steam_monitor.exe to run the final payload in memory. The same delivery pattern is tied to phishing lures aimed at government and public-sector targets.

Related Happenings

AI-generated PowerShell Active Directory reconnaissance script

Malware Activity
H score23 First: 09.07.2026 17:00 Last: 09.07.2026 17:00 Sources 1

About this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...

TONResolver RAT delivered via ZIP, LNK, and PowerShell

Malware Activity
H score22 First: 30.06.2026 13:30 Last: 30.06.2026 13:30 Sources 1

About this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...

Mistic backdoor deployment via ClickFix and DLL side-loading

Malware Activity
H score22 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...

OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading

Malware Activity
H score20 First: 22.06.2026 16:20 Last: 22.06.2026 16:20 Sources 1

About this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...

ModeloRAT malicious PowerShell and Dropbox delivery activity

Malware Activity
H score16 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...

Timeline

  1. 03.03.2026 11:20 2 articles · 4mo ago

    Microsoft details OAuth redirect malware delivery chain

    Technical Analysis Update

    OAuth phishing campaigns targeting government and public-sector organizations use malicious apps, lure emails, and manipulated Entra ID or Google Workspace redirect flows to send victims to attacker-controlled landing pages; in some cases the delivered ZIP archive opens a LNK shortcut that launches PowerShell, runs host reconnaissance, sideloads crashhandler.dll through steam_monitor.exe, decrypts crashlog.dat, and executes a final payload in memory that connects to external C2 infrastructure.

    Show sources