New Infostealer Campaign Targets Users via Spoofed Software Installers
Summary:
VirusTotal shared details of an active malware campaign that occurred between January 11 and January 15, 2026. The operation targets users by distributing malicious ZIP archives that impersonate legitimate software installers, primarily Malwarebytes (e.g., malwarebytes-windows-github-io-X.X.X[.]zip) and Logitech.
The infection chain starts when users download a ZIP file containing a legitimate executable (EXE) and a malicious DLL named CoreMessaging[.]dll. The campaign employs DLL Sideloading. When the trusted EXE is run, it automatically loads the malicious CoreMessaging[.]dll from the same directory, bypassing traditional signature-based detections that might trust the legitimate installer.
Each archive also contains a distinctive TXT file (named gitconfig[.]com[.]txt or Agreement_About[.]txt) which, while harmless in itself, serves as a crucial "pivot point" for researchers to map the threat actor's infrastructure.
Security Officer Comments:
The primary goal of this campaign is data exfiltration via secondary-stage infostealers.
- The malware is designed to harvest sensitive user credentials from infected machines.
- A significant focus of the campaign is the theft of cryptocurrency wallet browser extension IDs, allowing attackers to potentially drain digital assets.
- The initial CoreMessaging.dll acts as a loader that drops and executes final-stage infostealer payloads. These secondary stages are often flagged by YARA rules specifically targeting "Eosinophil" signatures.
The campaign is highly targeted and rapidly evolving, as evidenced by the consistent structure across multiple versions of the spoofed installers. Because the malware is delivered through a loader, the threat actors could easily swap the final payload.
The stolen credentials might be sold on the dark web to ransomware groups. In a corporate environment, a single infected machine can provide the credentials needed to move through a company’s network, leading to a full-scale data breach or ransomware event.
Suggested Corrections:
Monitor for legitimate executables (like those from Malwarebytes or Logitech) that unexpectedly load CoreMessaging.dll from temporary or non-standard system directories.
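One way to implement the monitoring above over Sysmon Event ID 7 (Image Loaded) style records, written here as an added example and not taken from the VirusTotal post; it assumes the genuine CoreMessaging.dll ships only under System32/SysWOW64, and the sample events and process names (MBSetup.exe, LogiSetup.exe) are constructed for illustration:

```python
"""Flag image-load events where CoreMessaging.dll is loaded from outside the
Windows system directories, the DLL-sideloading pattern described above.
Records mimic Sysmon Event ID 7 fields (Image, ImageLoaded)."""
from pathlib import PureWindowsPath

TARGET_DLL = "coremessaging.dll"
# Assumption: the legitimate DLL of this name lives only in these directories;
# any other location next to a downloaded installer is a sideload candidate.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
}


def is_suspicious_load(event: dict) -> bool:
    """True when CoreMessaging.dll is loaded from a non-system directory."""
    loaded = PureWindowsPath(event["ImageLoaded"])
    if loaded.name.lower() != TARGET_DLL:
        return False  # some other DLL, not the one this campaign abuses
    return str(loaded.parent).lower() not in TRUSTED_DIRS


def find_sideload_candidates(events):
    """Return (loading process, DLL path) pairs worth triaging."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_load(e)]


# Constructed sample events; process names are hypothetical, not campaign IoCs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\explorer.exe",  # benign: system copy of the DLL
     "ImageLoaded": r"C:\Windows\System32\CoreMessaging.dll"},
    {"Image": r"C:\Users\alice\Downloads\malwarebytes-windows-github-io-1.0.0\MBSetup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\malwarebytes-windows-github-io-1.0.0\CoreMessaging.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\LogiSetup.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\CoreMessaging.dll"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\LogiSetup.exe",  # benign: other DLL
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\msvcp140.dll"},
]

if __name__ == "__main__":
    for proc, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible sideload: {proc} loaded {dll}")
```

Confirm a hit by hashing the flagged DLL and comparing it against the SHA-256 values in the VirusTotal collection before treating the host as compromised.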
Security teams can access the Public VirusTotal Collection which contains all currently identified Indicators of Compromise (IOCs), including SHA-256 hashes of the malicious ZIPs and DLLs.
IOCs are also included at the end of the VirusTotal blog below.
Link(s):
https://blog.virustotal.com/2026/01/malicious-infostealer-january-26.html