The campaign demonstrates how threat actors combine trusted branding with advanced evasion techniques, raising the risk of successful credential theft on corporate Windows environments. It forces security teams to rethink detection strategies beyond simple URL or signature checks.
Brand‑spoofing phishing continues to evolve, and the latest DocuSign‑themed operation illustrates why trusted names remain prime bait for cybercriminals. By registering a look‑alike domain that mimics the official DocuSign URL, attackers increase user confidence and boost click‑through rates. This tactic aligns with a broader trend where high‑profile SaaS providers are weaponized to harvest credentials, making awareness training and domain monitoring essential components of any security program.
The technical sophistication of the campaign sets it apart from typical phishing drops. The malicious .NET bundle is signed with a legitimate certificate issued to a Chinese company, allowing it to slip past Windows SmartScreen and other reputation‑based defenses. Inside, an access‑code gate contacts a command‑and‑control server and releases the second‑stage loader only after the correct code is validated, so automated analysis that never supplies the code sees nothing beyond the gate. A time‑bomb check that consults an online clock rather than the local system time further defeats sandboxes that rely on a static or accelerated system clock, while multiple layers of packing obscure static signatures. These evasion layers culminate in the deployment of Vidar, a proven information‑stealer that extracts browser data, login credentials, and cryptocurrency wallet files.
For defenders, the campaign underscores the need for multi‑vector detection approaches. Relying solely on URL reputation or code‑signing validation is insufficient; behavioral analytics that monitor anomalous network callbacks, access‑code exchanges, and time‑based execution patterns are critical. Organizations should also enforce strict email authentication, deploy DMARC policies, and educate users about look‑alike domains. By integrating threat‑intelligence feeds that flag emerging brand‑spoofing campaigns, security operations can shorten the dwell time before Vidar or similar payloads compromise valuable assets.
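The behavioral analytics recommended above can be expressed as a correlation rule over endpoint telemetry. The following is an added example written for this page, not a detection shipped by any vendor or by the researchers: it scans a constructed stream of EDR-style process and network events and, for each new process, looks for the combination the campaign description implies (an unrecognized code signer running from a user-writable path, a lookup to an external clock service, an outbound connection to an unknown host after that lookup, and an unsigned child spawned from a temp directory). The event format, the signer and destination allowlists, the list of clock-service hosts, the 60-second window and the alert threshold are all assumptions made for the example.

```python
"""Correlation rule for access-code gate + online-clock evasion chains (added example)."""
import json
from datetime import datetime

TRUSTED_SIGNERS = {"Vendor Inc", "Microsoft Windows"}      # constructed org allowlist of signers
KNOWN_DESTINATIONS = {"updates.vendor.example"}             # constructed allowlist of expected hosts
TIME_SERVICES = {"time.windows.com", "worldtimeapi.org"}    # example external clock sources
USER_WRITABLE = ("\\Users\\", "\\Temp\\", "\\AppData\\")    # paths a standard user can write to
ALERT_THRESHOLD = 3                                         # indicators needed to raise an alert

# Constructed sample telemetry in a hypothetical newline-delimited JSON format.
# pid 4242 models the evasion chain; pid 5000 is a benign signed updater.
SAMPLE_EVENTS = r"""
{"ts": "2024-01-10T09:00:01", "type": "process_start", "pid": 4242, "parent_pid": 1000, "image": "C:\\Users\\alice\\Downloads\\DocuSign_Viewer.exe", "signer": "Example Trading Co"}
{"ts": "2024-01-10T09:00:03", "type": "net_connect", "pid": 4242, "dst": "worldtimeapi.org", "port": 443}
{"ts": "2024-01-10T09:00:05", "type": "net_connect", "pid": 4242, "dst": "203.0.113.10", "port": 443}
{"ts": "2024-01-10T09:00:09", "type": "process_start", "pid": 4300, "parent_pid": 4242, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.exe", "signer": null}
{"ts": "2024-01-10T09:01:00", "type": "process_start", "pid": 5000, "parent_pid": 1000, "image": "C:\\Program Files\\Vendor\\app.exe", "signer": "Vendor Inc"}
{"ts": "2024-01-10T09:01:02", "type": "net_connect", "pid": 5000, "dst": "time.windows.com", "port": 123}
{"ts": "2024-01-10T09:01:04", "type": "net_connect", "pid": 5000, "dst": "updates.vendor.example", "port": 443}
"""


def load_events(text: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _add(found: list, name: str) -> None:
    """Append an indicator once, preserving first-seen order."""
    if name not in found:
        found.append(name)


def indicators_for(start: dict, events: list, window_seconds: int) -> list:
    """Collect the evasion-chain indicators observed for one process start."""
    pid = start["pid"]
    t0 = datetime.fromisoformat(start["ts"])
    found = []
    if start.get("signer") not in TRUSTED_SIGNERS and any(p in start["image"] for p in USER_WRITABLE):
        _add(found, "unrecognized_signer_in_user_path")
    clock_seen = False
    for e in events:
        dt = (datetime.fromisoformat(e["ts"]) - t0).total_seconds()
        if dt < 0 or dt > window_seconds:
            continue  # only events shortly after this process started
        if e["type"] == "net_connect" and e["pid"] == pid:
            if e["dst"] in TIME_SERVICES:
                clock_seen = True
                _add(found, "external_clock_lookup")
            elif clock_seen and e["dst"] not in KNOWN_DESTINATIONS:
                _add(found, "unknown_callback_after_clock")
        elif e["type"] == "process_start" and e.get("parent_pid") == pid:
            if e.get("signer") is None and "\\Temp\\" in e["image"]:
                _add(found, "unsigned_child_from_temp")
    return found


def analyze(events: list, window_seconds: int = 60) -> list:
    """Raise an alert for every process whose indicator count reaches the threshold."""
    alerts = []
    for e in events:
        if e["type"] != "process_start":
            continue
        inds = indicators_for(e, events, window_seconds)
        if len(inds) >= ALERT_THRESHOLD:
            alerts.append({"pid": e["pid"], "image": e["image"], "indicators": inds})
    return alerts


if __name__ == "__main__":
    for alert in analyze(load_events(SAMPLE_EVENTS)):
        print(f"ALERT pid={alert['pid']} {alert['image']}")
        for ind in alert["indicators"]:
            print(f"  - {ind}")
```

Each indicator on its own is noisy (plenty of legitimate software queries a time service, and many installers run unsigned from Temp); the value comes from requiring several of them in sequence within a short window, which is exactly the ordering the access-code gate and online-clock check impose on the malware. The benign updater in the sample collects only the clock-lookup indicator and stays below the threshold.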