TTPwire Vol. 1 · MITRE ATT&CK·Tagged

← All stories

VirusTotal Blog

New Infostealer Campaign Targets Users via Spoofed Software Installers

Joseliyo Sánchez ([email protected]) · 2026-01-16 · Read original ↗

ATT&CK techniques detected

36 predictions
T1574.001DLL
99%
“231c05f4db4027c131259d1acf940e87e15261bb8cb443c7521294512154379b coremessaging. dll dll loaded by dll sideloading ec2e30d8e5cacecdf26c713e3ee3a45ebc512059a64ba4062b20ca8bec2eb9e7 coremessaging. dll dll loaded by dll sideloading 58bd2e6932270921028ab54e5ff4b0dbd1bf67424d4a5d83883c…”
T1574.001DLL
99%
“##c8b79e7c313e5e741e1d59c39ae91bc1f10cdefa68b47bf77519be57 / execution _ parents the primary payload of this campaign is contained within a malicious dll named coremessaging. dll. threat actors are utilizing a technique known as dll sideloading to execute this code. this involves…”
T1574.001DLL
99%
“##d21afb3796666092ce40fbb7fe51782ae280 malwarebytes - windows - github - io - x. x. x. zip 580d37fc9d9cc95dc615d41fa2272f8e86c9b4da2988a336a8b3a3f90f4363c2 malwarebytes - windows - github - io - x. x. x. zip d47fd17d1d82ea61d850ccc2af3bee54adce6975d762fb4dee8f4006692c5ef7 malware…”
T1574.001DLL
99%
“##dd464a2c90a8c965db655906d0dc84a9ac84701a13267d3d0c89a3c97e1e9b coremessaging. dll dll loaded by dll sideloading 35211074b59417dd5a205618fed3402d4ac9ca419374ff2d7349e70a3a462a15 coremessaging. dll dll loaded by dll sideloading 6863b4906e0bd4961369b8784b968b443f745869dbe19c6d97e2…”
T1574.001DLL
99%
“##3 coremessaging. dll dll loaded by dll sideloading fd855aa20467708d004d4aab5203dd5ecdf4db2b3cb2ed7e83c27368368f02bb coremessaging. dll dll loaded by dll sideloading a0687834ce9cb8a40b2bb30b18322298aff74147771896787609afad9016f4ea coremessaging. dll dll loaded by dll sideloading…”
T1574.001DLL
99%
“##5335865ef1e2 coremessaging. dll dll loaded by dll sideloading 43e2936e4a97d9bc43b423841b137fde1dd5b2f291abf20d3ba57b8f198d9fab coremessaging. dll dll loaded by dll sideloading f001ae3318ba29a3b663d72b5375d10da5207163c6b2746cfae9e46a37d975cf coremessaging. dll dll loaded by dll …”
T1574.001DLL
99%
“##81a6c0518c6be4729e2bc369040ca5 coremessaging. dll dll loaded by dll sideloading f798c24a688d7858efd6efeaa8641822ad269feeb3a74962c2f7c523cf8563ff coremessaging. dll dll loaded by dll sideloading 0698a2c6401059a3979d931b84d2d4b011d38566f20558ee7950a8bf475a6959 coremessaging. dll …”
T1574.001DLL
98%
“##8b14 coremessaging. dll dll loaded by dll sideloading cfcf3d248100228905ad1e8c5849bf44757dd490a0b323a10938449946eabeee coremessaging. dll dll loaded by dll sideloading f02be238d14f8e248ad9516a896da7f49933adc7b36db7f52a7e12d1c2ddc6af coremessaging. dll dll loaded by dll sideload…”
T1574.001DLL
97%
“##2335b15af32310f38198b5ee10b158 coremessaging. dll dll loaded by dll sideloading f9549e382faf0033b12298b4fd7cd10e86c680fe93f7af99291b75fd3d0c9842 coremessaging. dll dll loaded by dll sideloading 92f4d95938789a69e0343b98240109934c0502f73d8b6c04e8ee856f606015c8 coremessaging. dll …”
T1546.015Component Object Model Hijacking
92%
“coremessaging. dll ) from an infostealer campaign impersonating malwarebytes, logitech, and others via dll sideloading. " reference = " https : / / blog. virustotal. com / 2026 / 01 / malicious - infostealer - january - 26. html " date = " 2026 - 01 - 16 " behash = " 4acaac53c834…”
T1546.015Component Object Model Hijacking
86%
“##c8b79e7c313e5e741e1d59c39ae91bc1f10cdefa68b47bf77519be57 / execution _ parents the primary payload of this campaign is contained within a malicious dll named coremessaging. dll. threat actors are utilizing a technique known as dll sideloading to execute this code. this involves…”
T1574.001DLL
85%
“##lopodous codicillary. " signature : " © 2026 eosinophil llc " furthermore, the exported functions within these dlls contains unusual alphanumeric strings. these exports serve as reliable indicators for identifying related malicious components across different stages of the camp…”
T1620Reflective Code Loading
81%
“coremessaging. dll ) from an infostealer campaign impersonating malwarebytes, logitech, and others via dll sideloading. " reference = " https : / / blog. virustotal. com / 2026 / 01 / malicious - infostealer - january - 26. html " date = " 2026 - 01 - 16 " behash = " 4acaac53c834…”
T1574.001DLL
81%
“##8e3dce86a8c114d8b0aa6b68b1d26ace7ef0f85b438a payload dropped by one of the malicious dlls e84b0dadb0b6be9b00a063ed82c8ddba06a2bd13f07d510d14e6fd73cd613fba payload dropped by one of the malicious dlls”
T1204.002Malicious File
76%
“##cb " the initial instance of these samples was identified on january 11, 2026, with the most recent occurrence recorded on january 14. all of these zip archives share a nearly identical internal structure, containing the same set of files across the different versions identifie…”
T1204.002Malicious File
75%
“new infostealer campaign targets users via spoofed software installers introduction as part of our commitment to sharing interesting hunts, we are launching these ' flash hunting findings ' to highlight active threats. our latest investigation tracks an operation active between j…”
T1620Reflective Code Loading
71%
“##2335b15af32310f38198b5ee10b158 coremessaging. dll dll loaded by dll sideloading f9549e382faf0033b12298b4fd7cd10e86c680fe93f7af99291b75fd3d0c9842 coremessaging. dll dll loaded by dll sideloading 92f4d95938789a69e0343b98240109934c0502f73d8b6c04e8ee856f606015c8 coremessaging. dll …”
T1620Reflective Code Loading
66%
“##8b14 coremessaging. dll dll loaded by dll sideloading cfcf3d248100228905ad1e8c5849bf44757dd490a0b323a10938449946eabeee coremessaging. dll dll loaded by dll sideloading f02be238d14f8e248ad9516a896da7f49933adc7b36db7f52a7e12d1c2ddc6af coremessaging. dll dll loaded by dll sideload…”
T1620Reflective Code Loading
65%
“##5335865ef1e2 coremessaging. dll dll loaded by dll sideloading 43e2936e4a97d9bc43b423841b137fde1dd5b2f291abf20d3ba57b8f198d9fab coremessaging. dll dll loaded by dll sideloading f001ae3318ba29a3b663d72b5375d10da5207163c6b2746cfae9e46a37d975cf coremessaging. dll dll loaded by dll …”
T1055.001Dynamic-link Library Injection
64%
“new infostealer campaign targets users via spoofed software installers introduction as part of our commitment to sharing interesting hunts, we are launching these ' flash hunting findings ' to highlight active threats. our latest investigation tracks an operation active between j…”
T1620Reflective Code Loading
61%
“##81a6c0518c6be4729e2bc369040ca5 coremessaging. dll dll loaded by dll sideloading f798c24a688d7858efd6efeaa8641822ad269feeb3a74962c2f7c523cf8563ff coremessaging. dll dll loaded by dll sideloading 0698a2c6401059a3979d931b84d2d4b011d38566f20558ee7950a8bf475a6959 coremessaging. dll …”
T1620Reflective Code Loading
58%
“##3 coremessaging. dll dll loaded by dll sideloading fd855aa20467708d004d4aab5203dd5ecdf4db2b3cb2ed7e83c27368368f02bb coremessaging. dll dll loaded by dll sideloading a0687834ce9cb8a40b2bb30b18322298aff74147771896787609afad9016f4ea coremessaging. dll dll loaded by dll sideloading…”
T1620Reflective Code Loading
54%
“##dd464a2c90a8c965db655906d0dc84a9ac84701a13267d3d0c89a3c97e1e9b coremessaging. dll dll loaded by dll sideloading 35211074b59417dd5a205618fed3402d4ac9ca419374ff2d7349e70a3a462a15 coremessaging. dll dll loaded by dll sideloading 6863b4906e0bd4961369b8784b968b443f745869dbe19c6d97e2…”
T1620Reflective Code Loading
52%
“231c05f4db4027c131259d1acf940e87e15261bb8cb443c7521294512154379b coremessaging. dll dll loaded by dll sideloading ec2e30d8e5cacecdf26c713e3ee3a45ebc512059a64ba4062b20ca8bec2eb9e7 coremessaging. dll dll loaded by dll sideloading 58bd2e6932270921028ab54e5ff4b0dbd1bf67424d4a5d83883c…”
T1574.001DLL
51%
“coremessaging. dll ) from an infostealer campaign impersonating malwarebytes, logitech, and others via dll sideloading. " reference = " https : / / blog. virustotal. com / 2026 / 01 / malicious - infostealer - january - 26. html " date = " 2026 - 01 - 16 " behash = " 4acaac53c834…”
T1204.002Malicious File
48%
“##91460be36899 malwarebytes - windows - github - io - x. x. x. zip 42d53bf0ed5880616aa995cad357d27e102fb66b2fca89b17f92709b38706706 malwarebytes - windows - github - io - x. x. x. zip 5aa6f4a57fb86759bbcc9fc6c61b5f74c0ca74604a22084f9e0310840aa73664 malwarebytes - windows - github…”
T1204.002Malicious File
44%
“x. zip ca8467ae9527ed908e9478c3f0891c52c0266577ca59e4c80a029c256c1d4fce malwarebytes - windows - github - io - x. x. x. zip 9619331ef9ff6b2d40e77a67ec86fc81b050eeb96c4b5f735eb9472c54da6735 malwarebytes - windows - github - io - x. x. x. zip a2842c7cfaadfba90b29e0b9873a592dd5dbea0…”
T1546.015Component Object Model Hijacking
41%
“##3 coremessaging. dll dll loaded by dll sideloading fd855aa20467708d004d4aab5203dd5ecdf4db2b3cb2ed7e83c27368368f02bb coremessaging. dll dll loaded by dll sideloading a0687834ce9cb8a40b2bb30b18322298aff74147771896787609afad9016f4ea coremessaging. dll dll loaded by dll sideloading…”
T1546.015Component Object Model Hijacking
39%
“##8b14 coremessaging. dll dll loaded by dll sideloading cfcf3d248100228905ad1e8c5849bf44757dd490a0b323a10938449946eabeee coremessaging. dll dll loaded by dll sideloading f02be238d14f8e248ad9516a896da7f49933adc7b36db7f52a7e12d1c2ddc6af coremessaging. dll dll loaded by dll sideload…”
T1574Hijack Execution Flow
38%
“##8e3dce86a8c114d8b0aa6b68b1d26ace7ef0f85b438a payload dropped by one of the malicious dlls e84b0dadb0b6be9b00a063ed82c8ddba06a2bd13f07d510d14e6fd73cd613fba payload dropped by one of the malicious dlls”
T1546.015Component Object Model Hijacking
37%
“##d21afb3796666092ce40fbb7fe51782ae280 malwarebytes - windows - github - io - x. x. x. zip 580d37fc9d9cc95dc615d41fa2272f8e86c9b4da2988a336a8b3a3f90f4363c2 malwarebytes - windows - github - io - x. x. x. zip d47fd17d1d82ea61d850ccc2af3bee54adce6975d762fb4dee8f4006692c5ef7 malware…”
T1204.002Malicious File
36%
“15mmm95ml1rbfjh1vuyelyfcf " ) and pe. exports ( " 2dlsketpzvo1mhdn4fygv " ) } sha256 description 6773af31bd7891852c3d8170085dd4bf2d68ea24a165e4b604d777bd083caeaa malwarebytes - windows - github - io - x. x. x. zip 4294d6e8f1a63b88c473fce71b665bbc713e3ee88d95f286e058f1a37d4162be m…”
T1027.015Compression
36%
“##cb " the initial instance of these samples was identified on january 11, 2026, with the most recent occurrence recorded on january 14. all of these zip archives share a nearly identical internal structure, containing the same set of files across the different versions identifie…”
T1546.015Component Object Model Hijacking
33%
“##aler. this malicious component is identified by various yara rules, including those specifically designed to detect signatures associated with stealing cryptocurrency wallet browser extension ids among others. to identify and pivot through the various secondary - stage payloads…”
T1546.015Component Object Model Hijacking
32%
“##5335865ef1e2 coremessaging. dll dll loaded by dll sideloading 43e2936e4a97d9bc43b423841b137fde1dd5b2f291abf20d3ba57b8f198d9fab coremessaging. dll dll loaded by dll sideloading f001ae3318ba29a3b663d72b5375d10da5207163c6b2746cfae9e46a37d975cf coremessaging. dll dll loaded by dll …”
T1546.015Component Object Model Hijacking
30%
“231c05f4db4027c131259d1acf940e87e15261bb8cb443c7521294512154379b coremessaging. dll dll loaded by dll sideloading ec2e30d8e5cacecdf26c713e3ee3a45ebc512059a64ba4062b20ca8bec2eb9e7 coremessaging. dll dll loaded by dll sideloading 58bd2e6932270921028ab54e5ff4b0dbd1bf67424d4a5d83883c…”

Summary

Introduction

As part of our commitment to sharing interesting hunts, we are launching these 'Flash Hunting Findings' to highlight active threats. Our latest investigation tracks an operation active between January 11 and January 15, 2026, which uses consistent ZIP file structures and a unique behash ("4acaac53c8340a8c236c91e68244e6cb") for identification. The campaign relies on a trusted executable to trick the operating system into loading a malicious payload, leading to the execution of secondary-stage infostealers.

Findings

The primary samples identified are ZIP files that mostly reference the MalwareBytes company and software using the filename malwarebytes-windows-github-io-X.X.X.zip. A notable feature for identification is that all of them share the same behash.
behash:"4acaac53c8340a8c236c91e68244e6cb"
The initial instance of these samples was identified on January 11, 2026, with the most recent occurrence recorded on January 14.
All of these ZIP archives share a nearly identical internal structure, containing the same set of files across the different versions identified. Of particular importance is the DLL file, which serves as the initial malicious payload, and a specific TXT file found in each archive. This text file has been observed on VirusTotal under two distinct filenames: gitconfig.com.txt and Agreement_About.txt.
The content of the TXT file holds no significant importance for the intrusion itself, as it merely contains a single string consisting of a GitHub URL.
However, this TXT is particularly valuable for pivoting and infrastructure mapping. By examining its "execution parents," analysts can identify additional ZIP archives that are likely linked to the same malicious campaign. These related files can be efficiently retrieved for further investigation using the following VirusTotal API v3 endpoint:
/api/v3/files/09a8b930c8b79e7c313e5e741e1d59c39ae91bc1f10cdefa68b47bf77519be57/execution_parents
The primary payload of this campaign is contained within a malicious DLL named CoreMessaging.dll. Threat actors are utilizing a technique known as DLL Sideloading to execute this code. This involves placing the malicious DLL in the same directory as a legitimate, trusted executable (EXE) also found within the distributed ZIP file. When an analyst or user runs the legitimate EXE, the operating system is tricked into loading the malicious CoreMessaging.dll.
The identified DLLs exhibit distinctive metadata characteristics that are highly effective for pivoting and uncovering additional variants within the same campaign. Security analysts can utilize specific hunting queries to track down other malicious DLLs belonging to this activity. For instance, analysts can search for samples sharing the following unique signature strings found in the file metadata:
signature:"Peastaking plenipotence ductileness chilopodous codicillary."
signature:"© 2026 Eosinophil LLC"
Furthermore, the exported functions within these DLLs contains unusual alphanumeric strings. These exports serve as reliable indicators for identifying related malicious components across different stages of the campaign:
exports:15Mmm95ml1RbfjH1VUyelYFCf exports:2dlSKEtPzvo1mHDN4FYgv
Finally, another observation for behavioral analysis can be found in the relations tab of the ZIP files. These files document the full infection chain observed during sandbox execution, where the sandbox extracts the ZIP, runs the legitimate EXE, and subsequently triggers the loading of the malicious DLL. Within the Payload Files section, additional payloads are visible. These represent secondary stages dropped during the initial DLL execution, which act as the final malware samples. These final payloads are primarily identified as infostealers, designed to exfiltrate sensitive data.
Analysis of all the ZIP files behavioral relations reveals a recurring payload file consistently flagged as an infostealer. This malicious component is identified by various YARA rules, including those specifically designed to detect signatures associated with stealing cryptocurrency wallet browser extension IDs among others.
To identify and pivot through the various secondary-stage payloads dropped during this campaign, analysts can utilize a specific behash identifier. These files represent the final infection stage and are primarily designed to exfiltrate credentials and crypto-wallet information. The following behash provides a reliable pivot point for uncovering additional variants.
behash:5ddb604194329c1f182d7ba74f6f5946

IOCs

We have created a public VirusTotal Collection to share all the IOCs in an easy and free way. Below you can find the main IOCs related to the ZIP files and DLLs too.
import "pe"

rule win_dll_sideload_eosinophil_infostealer_jan26
{
  meta:
    author = "VirusTotal"
    description = "Detects malicious DLLs (CoreMessaging.dll) from an infostealer campaign impersonating Malwarebytes, Logitech, and others via DLL sideloading."
    reference = "https://blog.virustotal.com/2026/01/malicious-infostealer-january-26.html"
    date = "2026-01-16"
    behash = "4acaac53c8340a8c236c91e68244e6cb"
    target_entity = "file"
    hash = "606baa263e87d32a64a9b191fc7e96ca066708b2f003bde35391908d3311a463"
  condition:
    (uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and pe.is_dll()) and
    pe.exports("15Mmm95ml1RbfjH1VUyelYFCf") and pe.exports("2dlSKEtPzvo1mHDN4FYgv")
}
sha256 description
6773af31bd7891852c3d8170085dd4bf2d68ea24a165e4b604d777bd083caeaa malwarebytes-windows-github-io-X.X.X.zip
4294d6e8f1a63b88c473fce71b665bbc713e3ee88d95f286e058f1a37d4162be malwarebytes-windows-github-io-X.X.X.zip
5591156d120934f19f2bb92d9f9b1b32cb022134befef9b63c2191460be36899 malwarebytes-windows-github-io-X.X.X.zip
42d53bf0ed5880616aa995cad357d27e102fb66b2fca89b17f92709b38706706 malwarebytes-windows-github-io-X.X.X.zip
5aa6f4a57fb86759bbcc9fc6c61b5f74c0ca74604a22084f9e0310840aa73664 malwarebytes-windows-github-io-X.X.X.zip
84021dcfad522a75bf00a07e6b5cb4e17063bd715a877ed01ba5d1631cd3ad71 malwarebytes-windows-github-io-X.X.X.zip
ca8467ae9527ed908e9478c3f0891c52c0266577ca59e4c80a029c256c1d4fce malwarebytes-windows-github-io-X.X.X.zip
9619331ef9ff6b2d40e77a67ec86fc81b050eeb96c4b5f735eb9472c54da6735 malwarebytes-windows-github-io-X.X.X.zip
a2842c7cfaadfba90b29e0b9873a592dd5dbea0ef78883d240baf3ee2d5670c5 malwarebytes-windows-github-io-X.X.X.zip
4705fd47bf0617b60baef8401c47d21afb3796666092ce40fbb7fe51782ae280 malwarebytes-windows-github-io-X.X.X.zip
580d37fc9d9cc95dc615d41fa2272f8e86c9b4da2988a336a8b3a3f90f4363c2 malwarebytes-windows-github-io-X.X.X.zip
d47fd17d1d82ea61d850ccc2af3bee54adce6975d762fb4dee8f4006692c5ef7 malwarebytes-windows-github-io-X.X.X.zip
606baa263e87d32a64a9b191fc7e96ca066708b2f003bde35391908d3311a463 CoreMessaging.dll DLL loaded by DLL SideLoading
fd855aa20467708d004d4aab5203dd5ecdf4db2b3cb2ed7e83c27368368f02bb CoreMessaging.dll DLL loaded by DLL SideLoading
a0687834ce9cb8a40b2bb30b18322298aff74147771896787609afad9016f4ea CoreMessaging.dll DLL loaded by DLL SideLoading
4235732440506e626fd4d0fffad85700a8fcf3e83ba5c5bc8e19ada508a6498e CoreMessaging.dll DLL loaded by DLL SideLoading
cd1fe2762acf3fb0784b17e23e1751ca9e81a6c0518c6be4729e2bc369040ca5 CoreMessaging.dll DLL loaded by DLL SideLoading
f798c24a688d7858efd6efeaa8641822ad269feeb3a74962c2f7c523cf8563ff CoreMessaging.dll DLL loaded by DLL SideLoading
0698a2c6401059a3979d931b84d2d4b011d38566f20558ee7950a8bf475a6959 CoreMessaging.dll DLL loaded by DLL SideLoading
1b3bee041f2fffcb9c216522afa67791d4c658f257705e0feccc7573489ec06f CoreMessaging.dll DLL loaded by DLL SideLoading
231c05f4db4027c131259d1acf940e87e15261bb8cb443c7521294512154379b CoreMessaging.dll DLL loaded by DLL SideLoading
ec2e30d8e5cacecdf26c713e3ee3a45ebc512059a64ba4062b20ca8bec2eb9e7 CoreMessaging.dll DLL loaded by DLL SideLoading
58bd2e6932270921028ab54e5ff4b0dbd1bf67424d4a5d83883c429cadeef662 CoreMessaging.dll DLL loaded by DLL SideLoading
57ed35e6d2f2d0c9bbc3f17ce2c94946cc857809f4ab5c53d7cb04a4e48c8b14 CoreMessaging.dll DLL loaded by DLL SideLoading
cfcf3d248100228905ad1e8c5849bf44757dd490a0b323a10938449946eabeee CoreMessaging.dll DLL loaded by DLL SideLoading
f02be238d14f8e248ad9516a896da7f49933adc7b36db7f52a7e12d1c2ddc6af CoreMessaging.dll DLL loaded by DLL SideLoading
f60802c7bec15da6d84d03aad3457e76c5760e4556db7c2212f08e3301dc0d92 CoreMessaging.dll DLL loaded by DLL SideLoading
02dc9217f870790b96e1069acd381ae58c2335b15af32310f38198b5ee10b158 CoreMessaging.dll DLL loaded by DLL SideLoading
f9549e382faf0033b12298b4fd7cd10e86c680fe93f7af99291b75fd3d0c9842 CoreMessaging.dll DLL loaded by DLL SideLoading
92f4d95938789a69e0343b98240109934c0502f73d8b6c04e8ee856f606015c8 CoreMessaging.dll DLL loaded by DLL SideLoading
66fba00b3496d61ca43ec3eae02527eb5222892186c8223b9802060a932a5a7a CoreMessaging.dll DLL loaded by DLL SideLoading
e5dd464a2c90a8c965db655906d0dc84a9ac84701a13267d3d0c89a3c97e1e9b CoreMessaging.dll DLL loaded by DLL SideLoading
35211074b59417dd5a205618fed3402d4ac9ca419374ff2d7349e70a3a462a15 CoreMessaging.dll DLL loaded by DLL SideLoading
6863b4906e0bd4961369b8784b968b443f745869dbe19c6d97e2287837849385 CoreMessaging.dll DLL loaded by DLL SideLoading
a83c478f075a3623da5684c52993293d38ecaa17f4a1ddca10f95335865ef1e2 CoreMessaging.dll DLL loaded by DLL SideLoading
43e2936e4a97d9bc43b423841b137fde1dd5b2f291abf20d3ba57b8f198d9fab CoreMessaging.dll DLL loaded by DLL SideLoading
f001ae3318ba29a3b663d72b5375d10da5207163c6b2746cfae9e46a37d975cf CoreMessaging.dll DLL loaded by DLL SideLoading
c67403d3b6e7750222f20fa97daa3c05a9a8cce39db16455e196cd81d087b54d CoreMessaging.dll DLL loaded by DLL SideLoading
5ee9d4636b01fd3a35bd8e3dce86a8c114d8b0aa6b68b1d26ace7ef0f85b438a Payload dropped by one of the malicious DLLs
e84b0dadb0b6be9b00a063ed82c8ddba06a2bd13f07d510d14e6fd73cd613fba Payload dropped by one of the malicious DLLs