New Infostealer Campaign Targets Users via Spoofed Software Installers
ID: 8e1024f7-dd24-55d2-b487-da95f000a29d
STIX ID: report--8e1024f7-dd24-55d2-b487-da95f000a29d
Feed Name: VirusTotal Blog
VirusTotal researchers tracked an active campaign (Jan 11–15, 2026) that distributes ZIP archives named to resemble legitimate software installers. Each archive contains a trusted, legitimately signed executable together with a malicious CoreMessaging.dll that the executable loads via DLL sideloading; the DLL then drops secondary infostealers that exfiltrate credentials and cryptocurrency-wallet data. The report provides concrete IOCs (primary behash 4acaac53..., secondary behash 5ddb6041..., and many SHA256 hashes), distinctive metadata signature strings and unusual export names that can be used for hunting, and points to the VirusTotal relations/execution_parents data for pivoting to and retrieving further related samples.
