A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan known as Amnesia RAT.
"The attack begins with social engineering lures delivered through business-themed documents crafted to look routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background."
The campaign stands out for a couple of reasons. First, it uses multiple public cloud services to distribute different kinds of payloads. While GitHub is mainly used to distribute scripts, binary payloads are staged on Dropbox. This separation complicates takedown efforts, effectively improving resilience.
Another "defining characteristic" of the campaign, per Fortinet, is the operational abuse of defendnot to disable Microsoft Defender. Defendnot was released last year by a security researcher who goes by the online alias es3n1n as a way to trick the security program into believing another antivirus product has already been installed on the Windows host.
The campaign leverages social engineering to distribute compressed archives, which contain several decoy documents and a malicious Windows shortcut (LNK) with Russian-language filenames. The LNK file uses a double extension ("Задание_для_бухгалтера_02отдела.txt.lnk") to give the impression that it is a text file.
When executed, it runs a PowerShell command to retrieve the next-stage PowerShell script hosted on a GitHub repository ("github[.]com/Mafin111/MafinREP111"), which then serves as a first-stage loader to establish a foothold, prepares the system to hide evidence of malicious activity, and hands off control flow to subsequent stages.
"The script first suppresses visible execution by programmatically hiding the PowerShell console window," Fortinet said. "This removes any immediate visual indicators that a script is running. It then generates a decoy text document in the user's local application data directory. Once written to disk, the decoy document is automatically opened."
Once the document is displayed to the victim to keep up the ruse, the script sends a message to the attacker using the Telegram Bot API, informing the operator that the first stage has been successfully executed. After a deliberately introduced 444-second delay, the PowerShell script runs a Visual Basic Script ("SCRRC4ryuk.vbe") hosted at the same repository location.
This offers two key advantages: it keeps the loader lightweight and allows the threat actors to update or replace the payload's functionality on the fly without having to introduce any changes to the attack chain itself.
The Visual Basic Script is heavily obfuscated and acts as the controller that assembles the next-stage payload directly in memory, thereby avoiding leaving any artifacts on disk. The final-stage script checks if it is running with elevated privileges and, if not, repeatedly displays a User Account Control (UAC) prompt to force the victim to grant it the necessary permissions. The script pauses for 3,000 milliseconds between attempts.
In the next phase, the malware initiates a series of actions to suppress visibility, neutralize endpoint security mechanisms, conduct reconnaissance, inhibit recovery, and ultimately deploy the main payloads –
Configure Microsoft Defender exclusions to prevent the program from scanning ProgramData, Program Files, Desktop, Downloads, and the system temporary directory
Use PowerShell to turn off additional Defender protection components
Deploy defendnot to register a fake antivirus product with the Windows Security Center interface and cause Microsoft Defender to disable itself to avoid potential conflicts
Conduct environment reconnaissance and surveillance via screenshot capture through a dedicated .NET module downloaded from the GitHub repository that takes a screengrab every 30 seconds, saves it as a PNG image, and exfiltrates the data using a Telegram bot
Disable Windows administrative and diagnostic tools by tampering with Registry-based policy controls
Implement a file association hijacking mechanism such that opening files with certain predefined extensions causes a message to be displayed to the victim, instructing them to contact the threat actor via Telegram
One of the final payloads deployed after successfully disarming security controls and recovery mechanisms is Amnesia RAT ("svchost.scr"), which is retrieved from Dropbox and is capable of broad data theft and remote control. It is designed to steal information stored in web browsers, cryptocurrency wallets, Discord, Steam, and Telegram, along with system metadata, screenshots, webcam images, microphone audio, clipboard contents, and the active window title.
"The RAT enables full remote interaction, including process enumeration and termination, shell command execution, arbitrary payload deployment, and execution of additional malware," Fortinet said. "Exfiltration is primarily carried out over HTTPS using Telegram Bot APIs. Larger datasets may be uploaded to third-party file-hosting services such as GoFile, with download links relayed to the attacker via Telegram."
In all, Amnesia RAT facilitates credential theft, session hijacking, financial fraud, and real-time data gathering, turning it into a comprehensive tool for account takeover and follow-on attacks.
The second payload delivered by the script is a ransomware derived from the Hakuna Matata ransomware family that is configured to encrypt documents, archives, images, media, source code, and application assets on the infected endpoint, but not before terminating any process that could interfere with its operation.
In addition, the ransomware keeps tabs on clipboard contents and silently replaces cryptocurrency wallet addresses with attacker-controlled wallets to reroute transactions. The infection sequence ends with the script deploying WinLocker to restrict user interaction.
"This attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities," Lin concluded. "By systematically abusing native Windows features, administrative tools, and policy enforcement mechanisms, the attacker disables endpoint defenses before deploying persistent surveillance tooling and destructive payloads."
To counter defendnot's abuse of the Windows Security Center API, Microsoft recommends that users enable Tamper Protection to prevent unauthorized changes to Defender settings and monitor for suspicious API calls or Defender service changes.
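The checks that this advice implies, as an added PowerShell audit written for this article and not code from Fortinet, Microsoft or the defendnot project: it reports Tamper Protection and real-time protection state, Defender exclusions covering the directories named in the attack chain above, and Security Center antivirus registrations whose executable is missing or not validly signed. That last check is a heuristic assumption about what a fake registration may look like, not a documented defendnot signature; the script also assumes a Windows host with the Defender PowerShell module, run from an elevated prompt, and that the victim's Desktop and Downloads folders sit under the current user profile.

```powershell
# Added Defender / Security Center audit (not from the Fortinet report or defendnot).
# Assumes: Windows host, Defender PowerShell module present, elevated session.
function Get-DefenderTamperFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Core engine state; Tamper Protection is the control Microsoft recommends
    $status = Get-MpComputerStatus
    if (-not $status.IsTamperProtected)        { $findings.Add("Tamper Protection is OFF") }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is OFF") }
    if (-not $status.AntivirusEnabled)         { $findings.Add("Defender antivirus engine is disabled") }

    # 2. Exclusions that blanket the broad directories the campaign excludes
    $pref = Get-MpPreference
    $suspectRoots = @($env:ProgramData, $env:ProgramFiles, "$env:USERPROFILE\Desktop",
                      "$env:USERPROFILE\Downloads", $env:TEMP, "$env:SystemRoot\Temp") |
                    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    foreach ($ex in @($pref.ExclusionPath)) {
        if (-not $ex) { continue }
        $norm = $ex.TrimEnd('\')
        foreach ($root in $suspectRoots) {
            # flag an exclusion equal to, or nested under, one of the suspect roots
            if ($norm.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $findings.Add("Broad exclusion present: $ex")
                break
            }
        }
    }
    if ($pref.DisableRealtimeMonitoring) { $findings.Add("DisableRealtimeMonitoring is set") }
    if ($pref.DisableBehaviorMonitoring) { $findings.Add("DisableBehaviorMonitoring is set") }

    # 3. Security Center registrations. Heuristic assumption: a registered AV whose
    #    signed-executable path is missing or unsigned deserves a closer look.
    $products = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
    foreach ($p in $products) {
        if ($p.displayName -eq 'Windows Defender') { continue }  # built-in entry uses a windowsdefender:// URI
        $exe = $p.pathToSignedProductExe
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
            $findings.Add("AV '$($p.displayName)' registered with missing executable path: '$exe'")
        } elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
            $findings.Add("AV '$($p.displayName)' executable is not validly signed: $exe")
        }
    }
    return $findings
}

$result = Get-DefenderTamperFindings
if ($result.Count -eq 0) { "No Defender / Security Center anomalies found" }
else { $result | ForEach-Object { "[!] $_" } }
```

Exclusions added via Set-MpPreference are matched here only by path prefix, so entries written with wildcards or environment-variable syntax will need a manual look at the full Get-MpPreference output.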
The development comes as human resources, payroll, and internal administrative departments belonging to Russian corporate entities have been targeted by a threat actor tracked as UNG0902 to deliver an unknown implant dubbed DUPERUNNER that is responsible for loading AdaptixC2, a command-and-control (C2) framework. The spear-phishing campaign, codenamed Operation DupeHike, has been ongoing since November 2025.
Seqrite Labs said the attacks involve the use of decoy documents centered around themes related to employee bonuses and internal financial policies to convince recipients into opening a malicious LNK file within ZIP archives that leads to the execution of DUPERUNNER.
The implant reaches out to an external server to fetch and display a decoy PDF document, while system profiling and the download of the AdaptixC2 beacon are carried out in the background.
In recent months, Russian organizations have also been likely targeted by another threat actor tracked as Paper Werewolf (aka GOFFEE), which has employed artificial intelligence (AI)-generated decoys and DLL files compiled as Excel XLL add-ins to deliver a backdoor known as EchoGather.
"Once launched, the backdoor collects system information, communicates with a hardcoded command-and-control (C2) server, and supports command execution and file transfer operations," Intezer security researcher Nicole Fishbein said. It "communicates with the C2 over HTTP(S) using the WinHTTP API."
