Microsoft Defender Security Research Team reports a WhatsApp-delivered malware campaign that uses malicious VBS files to kick off a multi-stage infection chain. The activity blends social engineering and living-off-the-land techniques, pulling payloads from AWS, Tencent Cloud & Backblaze B2 before installing malicious MSI packages. https://www.microsoft.com/en-us/security/blog/2026/03/31/whatsapp-malware-campaign-delivers-vbs-payloads-msi-backdoors/

Kedar Shashikant Pandit & Prathamesh Shingare at Point Wild uncover a fileless Remcos RAT chain that starts with a phishing email and a ZIP disguised as a business document. An obfuscated JavaScript dropper then pulls a remote PowerShell loader, which reconstructs and executes a .NET payload entirely in memory. https://www.pointwild.com/threat-intelligence/from-inbox-to-intrusion-multi-stage-remcos-rat-and-c2-delivered-payloads-in-network/

McAfee reports Operation NoVoice, an Android rootkit campaign that hides inside legitimate-looking utility and game apps previously hosted on Google Play. Behind the scenes, the app profiles the handset, downloads exploits, and can seize complete control of the device. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/new-research-operation-novoice-rootkit-malware-android/

CERT Polska analyses new FvncBot samples targeting Polish users. A fake app poses as Token U2F Mobilna Ochrona SGB, then pushes victims to enable an accessibility service presented as System Update before registering the device with attacker infrastructure https://cert.pl/en/posts/2026/03/fvncbot-analysis/

ReliaQuest observes DeepLoad hitting enterprise environments through ClickFix delivery. The analysis points to likely AI-assisted obfuscation, process injection into trusted Windows binaries, and immediate credential theft that can continue even when the primary loader is stopped. https://reliaquest.com/blog/threat-spotlight-deepload-malware-pairs-clickfix-delivery-with-ai-generated-evasion/

Seqrite details Operation DualScript, a multi-stage malware infection built around Scheduled Task persistence, VBScript launchers, and PowerShell execution. Two parallel paths drive the compromise: one retrieves remote payloads from the web, while the other runs the RetroRAT implant. https://www.seqrite.com/blog/operation-dualscript-powershell-malware-retrorat-analysis/

Sophos analyses STAC6405, a phishing campaign that used invite-themed lures to trick users into installing LogMeIn Resolve for remote access. In some cases, the actor then used both existing and newly deployed ScreenConnect instances to pull additional binaries, including an infostealer. https://www.sophos.com/en-us/blog/incident-responders-s-il-vous-plait

Trend Micro analyses the latest TeamPCP supply chain hit, where malicious Telnyx PyPI versions 4.87.1 & 4.87.2 were published just 3 days after the LiteLLM compromise. The payload marks a shift in tradecraft, adding WAV-based steganography, split file injection, and Windows persistence. https://www.trendmicro.com/en_us/research/26/c/teampcp-telnyx-attack-marks-a-shift-in-tactics.html

ReversingLabs tracks TeamPCP as an evolving supply chain campaign that began with Trivy & Checkmarx, shifted to LiteLLM, and has now landed on the telnyx PyPI package. The goal remains consistent across the chain: steal cloud secrets from trusted developer tooling. https://www.reversinglabs.com/blog/teampcp-supply-chain-attack-spreads

CYFIRMA analyses CrySome RAT, a C#-based .NET remote access trojan. Alongside the usual RAT toolkit, it combines multi-layered persistence mechanisms with aggressive defence evasion through its AVKiller module. https://www.cyfirma.com/research/crysome-rat-an-advanced-persistent-net-remote-access-trojan/