Pulse name: Hijacked: How Cybercriminals Are Turning Anti-Virus Software Against You
Author: AlienVault (TLP: WHITE). Created: 2024-07-25. Modified: 2024-08-24
17 IOCs, medium volume
LevelBlue Labs has recently observed a malicious campaign that abuses legitimate anti-virus products to remain undetected. After achieving execution, the threat actor deploys several executables to gain a foothold on the infected system. One of these executables caught our attention because it masquerades as various anti-virus components while in reality providing a proxy service through a Command and Control (C&C) server. The binaries are built from legitimate anti-virus components that have been modified to include the malicious code. This activity appears to be a continuation of the campaign reported by Sophos in late April and marks a new iteration of this threat actor's toolset. In this new iteration, we have observed Malwarebytes, BitDefender and APEX products being targeted, amongst others.
MITRE ATT&CK & Malware Families
ATT&CK techniques: (none listed in this pulse)
Malware families: SbaProxy