OAuth-phished ZIP/LNK/PowerShell malware delivery chain
Malware Activity
Summary
Hide ▲
Show ▼
ZIP-delivered malware now uses a PowerShell and DLL side-loading chain to infect Windows devices and reach an external C2 server, increasing the risk of follow-on compromise. The payload arrives in a ZIP archive containing a LNK shortcut. Opening it triggers reconnaissance commands, then crashhandler.dll is sideloaded through steam_monitor.exe to run the final payload in memory. The same delivery pattern is tied to phishing lures aimed at government and public-sector targets.
Related Happenings
AI-generated PowerShell Active Directory reconnaissance script
Malware Activity
H score23
First: 09.07.2026 17:00
Last: 09.07.2026 17:00
Sources 1
About this happening:
An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
AI-generated PowerShell Active Directory reconnaissance script
Malware ActivityAbout this happening: An **AI-generated PowerShell script** was used in a real **Windows intrusion**, showing how one-off malware can automate **Active Directory reconnaissance** and evade signature-ba...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware Activity
H score22
First: 30.06.2026 13:30
Last: 30.06.2026 13:30
Sources 1
About this happening:
The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
TONResolver RAT delivered via ZIP, LNK, and PowerShell
Malware ActivityAbout this happening: The **TONResolver** malware implant was delivered through a **ZIP/LNK/PowerShell** chain that can establish a **remote access trojan** foothold and enable **command execution**. T...
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware Activity
H score22
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
Mistic backdoor deployment via ClickFix and DLL side-loading
Malware ActivityAbout this happening: The **Mistic** backdoor is being used in **financially motivated attacks** against organizations across **insurance, education, IT, and professional services**, raising the risk o...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware Activity
H score20
First: 22.06.2026 16:20
Last: 22.06.2026 16:20
Sources 1
About this happening:
The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
OXLOADER loader stages CastleStealer via UAC prompting and DLL side-loading
Malware ActivityAbout this happening: The **OXLOADER** malware activity now shows a **loader** delivering **CastleStealer** through **PowerShell**, **UAC** prompting, and **DLL side-loading**, giving the stealer a ste...
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware Activity
H score16
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
About this happening:
The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware ActivityAbout this happening: The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
Timeline
-
03.03.2026 11:20 2 articles · 4mo ago
Microsoft details OAuth redirect malware delivery chain
Technical Analysis UpdateOAuth phishing campaigns targeting government and public-sector organizations use malicious apps, lure emails, and manipulated Entra ID or Google Workspace redirect flows to send victims to attacker-controlled landing pages; in some cases the delivered ZIP archive opens a LNK shortcut that launches PowerShell, runs host reconnaissance, sideloads crashhandler.dll through steam_monitor.exe, decrypts crashlog.dat, and executes a final payload in memory that connects to external C2 infrastructure.
Show sources
- Microsoft Warns OAuth Redirect Abuse Delivers Malware to Government Targets — thehackernews.com — 03.03.2026 11:20
- Microsoft: Hackers abuse OAuth error flows to spread malware — www.bleepingcomputer.com — 03.03.2026 22:59