    Multi-Stage Phishing Marketing campaign Targets Russia with Amnesia RAT and Ransomware

By Declan Murphy, January 25, 2026
A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT.

"The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background."

The campaign stands out for a couple of reasons. First, it uses several public cloud services to distribute different kinds of payloads. While GitHub is mainly used to distribute scripts, binary payloads are staged on Dropbox. This separation complicates takedown efforts, effectively improving resilience.

Another "defining characteristic" of the campaign, per Fortinet, is the operational abuse of defendnot to disable Microsoft Defender. Defendnot was released last year by a security researcher who goes by the online alias es3n1n as a way to trick the security program into believing another antivirus product has already been installed on the Windows host.

The campaign leverages social engineering to distribute compressed archives, which contain several decoy documents and a malicious Windows shortcut (LNK) with Russian-language filenames. The LNK file uses a double extension ("Задание_для_бухгалтера_02отдела.txt.lnk") to give the impression that it is a text file.

When executed, it runs a PowerShell command to retrieve the next-stage PowerShell script hosted on a GitHub repository ("github[.]com/Mafin111/MafinREP111"), which then serves as a first-stage loader to establish a foothold, readies the system to hide evidence of malicious activity, and hands off control flow to subsequent stages.
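The double-extension shortcut described above is easy to spot once the real `.lnk` extension is separated from the document-looking one in front of it. The following triage helper is an added example written for this page; it is not code from the article or from Fortinet's report. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (it uses the `WScript.Shell` COM object to read each shortcut's target), and the list of lure extensions and the interpreter pattern are choices made here, not values from the report.

```powershell
# Added example (not from the article): list .lnk files whose name carries a
# second, document-looking extension, and show what each one would launch.
# Assumes Windows + PowerShell; lure-extension list and interpreter regex are ours.
function Find-DoubleExtensionShortcut {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # Extensions that make a shortcut look like a harmless document (our own list)
        [string[]]$LureExtensions = @('.txt', '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.jpg', '.png')
    )

    $shell = New-Object -ComObject WScript.Shell
    try {
        Get-ChildItem -LiteralPath $Path -Filter '*.lnk' -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Strip the real .lnk extension and inspect what is left:
            # "Задание.txt.lnk" -> BaseName "Задание.txt" -> inner extension ".txt"
            $innerExt = [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()
            if ($innerExt -and ($LureExtensions -contains $innerExt)) {
                # CreateShortcut on an existing .lnk reads it rather than creating it
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{
                    File                = $_.FullName
                    LureExtension       = $innerExt
                    Target              = $lnk.TargetPath
                    Arguments           = $lnk.Arguments
                    # A "document" that launches a script host is the pattern to escalate
                    LaunchesInterpreter = [bool]($lnk.TargetPath -match '(?i)\\(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$')
                }
            }
        }
    }
    finally {
        [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($shell)
    }
}

# Usage: review everything extracted from a suspicious archive before anyone opens it
# Find-DoubleExtensionShortcut -Path "$env:USERPROFILE\Downloads\extracted" | Format-List
```

The output object carries the shortcut's target and arguments, so a reviewer sees the actual command line a "text file" would run without ever double-clicking it. Explorer hides known extensions by default, which is exactly what this lure relies on; the inner extension check recovers what the user would have seen.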

"The script first suppresses visible execution by programmatically hiding the PowerShell console window," Fortinet said. "This removes any immediate visual indicators that a script is running. It then generates a decoy text document in the user's local application data directory. Once written to disk, the decoy document is automatically opened."

Once the document is displayed to the victim to keep up the ruse, the script sends a message to the attacker using the Telegram Bot API, informing the operator that the first stage has been successfully executed. After a deliberately introduced 444-second delay, the PowerShell script runs a Visual Basic Script ("SCRRC4ryuk.vbe") hosted at the same repository location.

This offers two key advantages: it keeps the loader lightweight and allows the threat actors to update or change the payload's functionality on the fly without having to introduce any changes to the attack chain itself.


The Visual Basic Script is heavily obfuscated and acts as the controller that assembles the next-stage payload directly in memory, thereby avoiding leaving any artifacts on disk. The final-stage script checks whether it is running with elevated privileges and, if not, repeatedly displays a User Account Control (UAC) prompt to force the victim to grant it the required permissions. The script pauses for 3,000 milliseconds between attempts.

In the next phase, the malware initiates a series of actions to suppress visibility, neutralize endpoint security mechanisms, conduct reconnaissance, inhibit recovery, and ultimately deploy the main payloads:

• Configure Microsoft Defender exclusions to prevent the program from scanning ProgramData, Program Files, Desktop, Downloads, and the system temporary directory
• Use PowerShell to turn off additional Defender protection components
• Deploy defendnot to register a fake antivirus product with the Windows Security Center interface and cause Microsoft Defender to disable itself to avoid potential conflicts
• Conduct environment reconnaissance and surveillance via screenshot capture through a dedicated .NET module downloaded from the GitHub repository that takes a screengrab every 30 seconds, saves it as a PNG image, and exfiltrates the data using a Telegram bot
• Disable Windows administrative and diagnostic tools by tampering with Registry-based policy controls
• Implement a file association hijacking mechanism such that opening files with certain predefined extensions causes a message to be displayed to the victim, instructing them to contact the threat actor via Telegram

One of the final payloads deployed after successfully disarming security controls and recovery mechanisms is Amnesia RAT ("svchost.scr"), which is retrieved from Dropbox and is capable of broad data theft and remote control. It is designed to pilfer information stored in web browsers, cryptocurrency wallets, Discord, Steam, and Telegram, along with system metadata, screenshots, webcam images, microphone audio, clipboard contents, and the active window title.

"The RAT allows full remote interaction, including process enumeration and termination, shell command execution, arbitrary payload deployment, and execution of additional malware," Fortinet said. "Exfiltration is primarily performed over HTTPS using Telegram Bot APIs. Larger datasets may be uploaded to third-party file-hosting services such as GoFile, with download links relayed to the attacker via Telegram."

In all, Amnesia RAT facilitates credential theft, session hijacking, financial fraud, and real-time data gathering, making it a comprehensive tool for account takeover and follow-on attacks.

The second payload delivered by the script is a ransomware derived from the Hakuna Matata ransomware family. It is configured to encrypt documents, archives, images, media, source code, and application assets on the infected endpoint, but not before terminating any process that could interfere with its operation.

In addition, the ransomware keeps tabs on clipboard contents and silently replaces cryptocurrency wallet addresses with attacker-controlled wallets to reroute transactions. The infection sequence ends with the script deploying WinLocker to restrict user interaction.

"This attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities," Lin concluded. "By systematically abusing native Windows features, administrative tools, and policy enforcement mechanisms, the attacker disables endpoint defenses before deploying persistent surveillance tooling and destructive payloads."

To counter defendnot's abuse of the Windows Security Center API, Microsoft recommends that users enable Tamper Protection to prevent unauthorized changes to Defender settings and monitor for suspicious API calls or Defender service changes.
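Each of the defense-evasion steps listed above leaves a state change an administrator can query locally: the Tamper Protection flag, disabled Defender components, path exclusions, the product list Security Center holds, and the policy values that hide administrative tools. The posture check below is an added example written for this page, not tooling from the article, Fortinet or Microsoft. It assumes a Windows host with Microsoft Defender and its PowerShell module (`Get-MpComputerStatus`, `Get-MpPreference`), run from an elevated prompt; `root/SecurityCenter2` is the WMI namespace Security Center uses on client editions of Windows and is absent on Windows Server. The registry values it inspects (`DisableTaskMgr`, `DisableRegistryTools`) are standard Windows policy settings chosen here as representative of the "administrative and diagnostic tools" the article mentions; the report itself does not name which values the malware sets.

```powershell
# Added example (not from the article): audit the local Defender posture for the
# kinds of changes the campaign makes. Assumes Windows + Defender module, elevated.
# Registry value names below are standard policy settings, not values from the report.
function Test-DefenderPosture {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]
    $status   = Get-MpComputerStatus
    $prefs    = Get-MpPreference

    # 1. Tamper Protection: the control Microsoft recommends against defendnot-style abuse
    if (-not $status.IsTamperProtected) {
        $findings.Add('Tamper Protection is off: Defender settings can be changed by local scripts')
    }

    # 2. Protection components a script would switch off
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if ($prefs.DisableBehaviorMonitoring)       { $findings.Add('Behavior monitoring is disabled') }
    if ($prefs.DisableIOAVProtection)           { $findings.Add('Download/attachment (IOAV) scanning is disabled') }

    # 3. Exclusions that blanket the directories named in the report
    $broadPaths = @(
        $env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)},
        (Join-Path $env:USERPROFILE 'Desktop'), (Join-Path $env:USERPROFILE 'Downloads'),
        $env:TEMP, (Join-Path $env:SystemRoot 'Temp')
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

    foreach ($excl in @($prefs.ExclusionPath)) {
        if ($excl -and ($broadPaths -contains $excl.TrimEnd('\').ToLowerInvariant())) {
            $findings.Add("Broad Defender path exclusion present: $excl")
        }
    }

    # 4. Products registered with Security Center. A fake registration appears here;
    #    a registered product whose binary does not exist on disk is a cheap heuristic,
    #    so the full list is also returned for manual review.
    $avProducts = @(Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue)
    foreach ($av in $avProducts) {
        $exe = $av.pathToSignedProductExe
        if ($av.displayName -notmatch 'Windows Defender|Microsoft Defender' -and
            $exe -and -not (Test-Path -LiteralPath $exe)) {
            $findings.Add("Security Center lists '$($av.displayName)' but its binary '$exe' is missing")
        }
    }

    # 5. Policy values that hide administrative and diagnostic tools from the user
    foreach ($hive in 'HKCU', 'HKLM') {
        $pol = Get-ItemProperty -Path "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
        foreach ($name in 'DisableTaskMgr', 'DisableRegistryTools') {
            if ($pol -and $pol.$name -eq 1) { $findings.Add("$hive policy '$name' is set") }
        }
    }

    [pscustomobject]@{
        Healthy            = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
        RegisteredProducts = $avProducts | Select-Object displayName, productState, pathToSignedProductExe
    }
}

# Usage (elevated prompt): Test-DefenderPosture | Format-List
```

A clean host returns `Healthy = True` with an empty `Findings` list and Microsoft Defender as the only registered product. The check is a point-in-time snapshot; the monitoring Microsoft recommends for Defender service changes and Security Center API calls has to come from event forwarding or an EDR, which this script does not replace.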


The development comes as human resources, payroll, and internal administrative departments belonging to Russian corporate entities have been targeted by a threat actor tracked as UNG0902 to deliver a previously unknown implant dubbed DUPERUNNER, which is responsible for loading AdaptixC2, a command-and-control (C2) framework. The spear-phishing campaign, codenamed Operation DupeHike, has been ongoing since November 2025.

Seqrite Labs said the attacks involve the use of decoy documents centered around themes related to employee bonuses and internal financial policies to convince recipients to open a malicious LNK file inside ZIP archives, which leads to the execution of DUPERUNNER.

The implant reaches out to an external server to fetch and display a decoy PDF document, while system profiling and the download of the AdaptixC2 beacon are carried out in the background.

In recent months, Russian organizations have also been likely targeted by another threat actor tracked as Paper Werewolf (aka GOFFEE), which has employed artificial intelligence (AI)-generated decoys and DLL files compiled as Excel XLL add-ins to deliver a backdoor called EchoGather.

"Once launched, the backdoor collects system information, communicates with a hardcoded command-and-control (C2) server, and supports command execution and file transfer operations," Intezer security researcher Nicole Fishbein said. It "communicates with the C2 over HTTP(S) using the WinHTTP API."
