What's happening in email security: March 30 – April 5, 2026
Attackers don't need custom malware when legitimate software does the job. This week's most active campaign delivered trusted remote management tools to 80+ US organizations by hiding them inside fake party invitations. The emails looked like Punchbowl. The links went through HubSpot. The payload was LogMeIn. None of it would look wrong to most security tools.
STAC6405 Delivers RMM Tools via Fake Party Invitations to 80+ US Organisations
Sophos has been tracking STAC6405 since at least April 2025, with peak activity in October and November 2025. Over 80 US organizations were affected, concentrated in Finance, Professional Services (accounting, legal), and Real Estate.
The initial lure is a fake event invitation mimicking the Punchbowl party planning service, sent from compromised third-party email accounts with "SPECIAL INVITATION" subject lines. The links didn't go directly to a download. They redirected through Google Sites and HubSpot first, two trusted domains that link-scanning tools won't block, before landing on the payload.
What the victim downloaded depended on the campaign wave. Early activity distributed ScreenConnect exclusively. By October 2025 the toolkit had expanded to include LogMeIn Resolve (formerly GoTo Resolve) and Naverisk alongside ScreenConnect. None of these are malware. They're legitimate remote monitoring and management tools, each registered to attacker-controlled accounts.
Once a victim ran the binary, the LogMeIn Resolve agent installed with a hard-coded attacker relay domain written into a configuration file on disk. It registered a Windows service with a unique UID tied to that config, kept entirely separate from any legitimate RMM tooling already on the machine. The attacker then had persistent, unattended remote access that security tools see as normal business software.
The ZIP files were packed with HeartCrypt, a Packer-as-a-Service tool, and included HideMouse.exe alongside the primary payload. HideMouse replaces the system cursor with a transparent one, concealing mouse movement during attacker-controlled remote sessions. In at least two confirmed cases, attackers used that access to deploy infostealer payloads as a follow-on.
The campaign's design creates detection gaps at every layer. Compromised sender accounts pass reputation checks. Google Sites and HubSpot links pass URL filtering. The RMM tools are signed, legitimate software. The Windows service blends in with others. The clearest signal is behavioural: a freshly installed RMM agent calling an unusual relay domain shortly after an email was opened. Some phishing links were still live as of March 30.
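The behavioural signal described above can be hunted with two telemetry sources most Windows fleets already collect: service-install events (System log event 7045) and DNS queries attributed to the new service binary (Sysmon event 22). The added example below is not code from Sophos or from this page; it correlates the two and flags any RMM agent whose first lookups after installation go to a relay domain outside the relays the organisation actually uses. The events, hostnames, domains and allowlist are constructed, and the product marker strings are an assumption about how these agents name their services, not indicators taken from the report.

```python
"""Flag freshly installed RMM agents that resolve a relay domain outside the
relays the organisation actually uses. Added example; all data is constructed."""
from datetime import datetime, timedelta

# Substrings that identify the RMM products named in the report. Assumed
# naming; check them against the service names your own fleet produces.
RMM_MARKERS = ("screenconnect", "gotoresolve", "goto resolve", "logmein", "naverisk")

# Constructed: relay/instance domains the organisation's own RMM deployment
# legitimately talks to. An agent registered to an attacker account resolves
# something else.
ALLOWED_RELAYS = {"support.corp.example"}

# Constructed sample telemetry in the shape of System 7045 (service installed)
# and Sysmon 22 (DNS query) events. Hosts, paths and domains are invented.
EVENTS = [
    {"ts": "2025-10-14T08:15:00", "host": "WS-IT-01", "id": 7045,
     "service": "ScreenConnect Client (a1b2c3)",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"},
    {"ts": "2025-10-14T08:15:20", "host": "WS-IT-01", "id": 22,
     "image": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe",
     "query": "support.corp.example"},
    {"ts": "2025-10-14T09:02:11", "host": "WS-ACCT-07", "id": 7045,
     "service": "GoTo Resolve Agent",
     "image": r"C:\Program Files\GoTo\Resolve\GoToResolveAgent.exe"},
    {"ts": "2025-10-14T09:02:40", "host": "WS-ACCT-07", "id": 22,
     "image": r"C:\Program Files\GoTo\Resolve\GoToResolveAgent.exe",
     "query": "relay.invoice-update.example"},
    {"ts": "2025-10-14T09:30:00", "host": "WS-ACCT-07", "id": 7045,
     "service": "Backup Agent", "image": r"C:\Program Files\BackupCo\agent.exe"},
    {"ts": "2025-10-14T09:30:05", "host": "WS-ACCT-07", "id": 22,
     "image": r"C:\Program Files\BackupCo\agent.exe", "query": "cloud.backupco.example"},
]


def _is_rmm(event):
    """True when the service name or binary path names a known RMM product."""
    text = (event.get("service", "") + " " + event.get("image", "")).lower()
    return any(m in text for m in RMM_MARKERS)


def _allowed(domain, allowed):
    """Exact or parent-domain match against the relay allowlist."""
    d = domain.lower().rstrip(".")
    return any(d == a or d.endswith("." + a) for a in allowed)


def find_rogue_rmm(events, allowed_relays, window=timedelta(minutes=15)):
    """Return one finding per DNS query that a just-installed RMM service
    binary made, within `window` of the install, to a non-allowlisted domain."""
    findings = []
    for inst in (e for e in events if e["id"] == 7045 and _is_rmm(e)):
        t0 = datetime.fromisoformat(inst["ts"])
        for e in events:
            # Same host, same binary, DNS event, inside the post-install window.
            if e["id"] != 22 or e["host"] != inst["host"]:
                continue
            if e["image"].lower() != inst["image"].lower():
                continue
            dt = datetime.fromisoformat(e["ts"]) - t0
            if not (timedelta(0) <= dt <= window):
                continue
            if _allowed(e["query"], allowed_relays):
                continue
            findings.append({"host": inst["host"], "service": inst["service"],
                             "relay": e["query"],
                             "seconds_after_install": int(dt.total_seconds())})
    return findings


if __name__ == "__main__":
    for f in find_rogue_rmm(EVENTS, ALLOWED_RELAYS):
        print(f)
```

Run against real data, the allowlist is the part that needs care: it should hold only the instance or relay hostnames your own RMM tenant uses, not the vendor's whole domain, because the attacker's agent is legitimate vendor software registered to the attacker's tenant and will talk to vendor infrastructure too.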
Casbaneiro Campaign Uses Bespoke Per-Victim PDFs and Self-Propagating Malware
Brazilian cybercrime groups Augmented Marauder and Water Saci are targeting Spanish-speaking organizations in Latin America and Europe with court summons-themed phishing emails.
Each victim receives a unique, password-protected judicial summons PDF generated on the fly by a remote PHP API. No two documents share a hash, so file-hash blocklists and static signatures written against one sample do not carry over to the next. The PDF links to a ZIP archive containing VBS and HTA payloads, which chain through an AutoIt loader to deliver encrypted Casbaneiro banking trojan and Horabot payloads.
Horabot is what gives this campaign its compounding reach. Once on an infected machine, it harvests Outlook contacts and uses the compromised account to send further phishing emails to those contacts. The infection becomes self-propagating through legitimate inboxes, inheriting established sender reputation and bypassing sender-level filtering.
China's TA416 Uses Tracking Pixels and Microsoft OAuth to Target EU and NATO Missions
New research published this week documents a TA416 (Mustang Panda) espionage campaign targeting European government and diplomatic organizations that has been running since mid-2025. The campaign expanded to Middle Eastern targets in February 2026 following the U.S.-Israel-Iran conflict escalation.
The campaign runs in two phases. First, tracking pixels in initial emails return the recipient's IP address, email client, and timing data to attacker infrastructure before any link is clicked. Second, a phishing email links to Microsoft's legitimate OAuth authorization endpoint, redirecting through attacker-controlled domains to deliver PlugX. A December 2025 wave introduced Entra ID cloud apps to make the OAuth flow technically sanctioned by the identity platform. The February 2026 wave moved payload hosting to Google Drive and a compromised SharePoint instance.
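Both phases leave something checkable in the message body before anyone clicks. The added example below is not code from the researchers or from this page: it parses an email's HTML for remote images sized or styled to be invisible (the beacon that reports IP, client and open time) and for links to Microsoft's OAuth authorize endpoint whose redirect_uri lands outside the tenant's own domains. That the attacker-controlled domain appears as the redirect_uri parameter is an assumption made for the example; the page says only that the authorize endpoint redirects through attacker domains. The sample message, client IDs and domains are constructed.

```python
"""Scan an email body for tracking pixels and for OAuth authorize links that
bounce to an unexpected redirect_uri. Added example; sample message constructed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Microsoft identity hosts that serve the OAuth 2.0 authorize endpoint.
MS_AUTHZ_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class _Collector(HTMLParser):
    """Collects <img> attribute sets and <a href> targets. Attribute values
    arrive already HTML-unescaped, so &amp; inside query strings is handled."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _parse(html):
    c = _Collector()
    c.feed(html)
    return c


def _tiny(value):
    """True for width/height attributes of 0 or 1, with or without 'px'."""
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def _hidden(style):
    s = (style or "").replace(" ", "").lower()
    return any(m in s for m in ("display:none", "visibility:hidden",
                                "width:0", "height:0", "width:1px", "height:1px"))


def find_tracking_pixels(html):
    """Return hosts of remote images that are invisible by size or style.
    Fetching any of them tells the sender who opened the mail, from where,
    with which client, and when."""
    hits = []
    for a in _parse(html).images:
        src = a["src"].strip()
        if not src.lower().startswith(("http://", "https://")):
            continue  # cid:/data: images are not fetched from the network
        if _tiny(a.get("width")) or _tiny(a.get("height")) or _hidden(a.get("style")):
            hits.append(urlparse(src).hostname)
    return hits


def _in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def find_oauth_redirects(html, trusted_redirect_domains):
    """Return authorize links whose redirect_uri lands outside trusted domains.
    The link itself points at a legitimate Microsoft host, so reputation and
    URL filtering pass; only the redirect target gives the game away."""
    hits = []
    for href in _parse(html).links:
        u = urlparse(href)
        if (u.hostname or "").lower() not in MS_AUTHZ_HOSTS or "/oauth2/" not in u.path:
            continue
        q = parse_qs(u.query)
        for target in q.get("redirect_uri", []):
            rhost = (urlparse(target).hostname or "").lower()
            if not _in_domains(rhost, trusted_redirect_domains):
                hits.append({"client_id": q.get("client_id", [""])[0],
                             "redirect_host": rhost})
    return hits


# Constructed sample message: one beacon image, one inline logo, one authorize
# link bouncing to an outside domain, one bouncing to the tenant's own.
SAMPLE_HTML = """<html><body>
<p>Please review the attached agenda before Thursday.</p>
<img src="https://stats.mail-metrics.example/o/7f3a.gif" width="1" height="1" style="display:none">
<img src="cid:logo@internal" width="200" height="60">
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=0a1b2c3d-0000-4000-8000-000000000001&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Fdocs-portal.example%2Fcb&amp;scope=openid">Open the secure document</a>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=0a1b2c3d-0000-4000-8000-000000000002&amp;redirect_uri=https%3A%2F%2Fapp.corp.example%2Fsignin">Sign in</a>
</body></html>"""

TRUSTED_REDIRECTS = {"corp.example", "microsoft.com"}  # constructed tenant domains

if __name__ == "__main__":
    print("pixels:", find_tracking_pixels(SAMPLE_HTML))
    print("oauth :", find_oauth_redirects(SAMPLE_HTML, TRUSTED_REDIRECTS))
```

The pixel check is cheap enough to run on every inbound message, but the more useful control is to have the mail client not fetch remote images by default, which removes the phase-one signal entirely. The redirect check is a triage aid, not a blocklist: a legitimate third-party app can also register an off-tenant redirect_uri, so a hit should be reviewed against the Entra ID app registrations the tenant has actually consented to.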
UAC-0255 Impersonates CERT-UA to Send 1 Million Emails Carrying AGEWHEEZE Malware
Threat actor UAC-0255 ("Cyber Serp") sent approximately 1 million phishing emails impersonating Ukraine's national Computer Emergency Response Team, CERT-UA. Targets included state organizations, medical centers, financial entities, security firms, educational institutions, and software developers across Ukraine.
The attachment, hosted on Files.fm, was named "CERT_UA_protection_tool.zip". Inside was AGEWHEEZE, a Go-based remote access trojan supporting command execution, file operations, clipboard manipulation, screenshot capture, and process management. Persistence mechanisms included scheduled tasks, registry modifications, and startup directory injection. Command-and-control communications ran to an external server via WebSockets.
The impersonation went beyond display-name spoofing. The emails were sent from incidents@cert-ua.tech, a lookalike domain the attackers registered to mimic the real CERT-UA (cert.gov.ua). They also built a fake website at cert-ua.tech to back it up. Recipients who follow CERT-UA advisories, the security-aware audience most likely to act on a protection tool recommendation, would have seen a plausible sender domain and had strong reason to open the attachment without scrutiny.
UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack
North Korean threat actors (UNC1069) fabricated a company identity across Slack, LinkedIn, and Teams to compromise a maintainer of the Axios npm package, and trojaned versions were then published to a package with approximately 100 million weekly downloads.