Multi-stage phishing campaign in Russia delivers Amnesia RAT and ransomware via GitHub and Dropbox

A multi-stage phishing campaign targeting users in Russia has been observed delivering a remote access trojan called Amnesia RAT together with a ransomware strain from the Hakuna Matata family. The attack chain stages its components on public cloud services and includes a 444-second delay during which the loader captures a screenshot every 30 seconds.

KEY FACTS

  • Incident: Multi-stage phishing that ends in remote access and file-encrypting malware
  • Targets: Users in Russia, with emphasis on HR and payroll staff
  • Delivery: ZIP archives containing LNK shortcuts and decoy documents
  • Infrastructure: Scripts hosted on GitHub, binaries staged on Dropbox
  • Defense bypass: Uses the defendnot tool to make Microsoft Defender disable itself

A technical breakdown by Fortinet FortiGuard Labs reports that the campaign begins with business-themed lure documents and a malicious Windows shortcut (LNK) that runs a PowerShell command to fetch a first-stage script from a GitHub repository. The loader hides the PowerShell console window and opens a decoy document to distract the user while the malicious activity continues in the background.

The report describes a heavily obfuscated Visual Basic script that assembles the subsequent stages in memory and re-issues User Account Control prompts until the user grants elevation. With elevated privileges, the chain adds Microsoft Defender exclusions and runs a tool known as defendnot, which registers a fake antivirus product with Windows Security Center so that Defender, treating another product as active, disables itself.
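A practitioner triaging an endpoint for this chain would want to check both ends of it: shortcuts that launch PowerShell with a hidden window and a remote script fetch, and whether Defender has been hollowed out by exclusions or by a spurious product registered in Windows Security Center, which is how defendnot works. The PowerShell below is an added example written for this page, not code from the FortiGuard report or from the malware; the directories it scans and the command-line patterns it treats as suspicious are the editor's own assumptions, and the Security Center check applies to client Windows only.

```powershell
#Requires -RunAsAdministrator
# Added example for this page, not code from the FortiGuard report or the malware.
# Assumptions: the directories scanned and the regexes used to rate a shortcut as
# suspicious are heuristics chosen for illustration, not indicators from the report.

param(
    [string[]]$ShortcutDirs = @("$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", "$env:TEMP")
)

# ---- 1. Shortcut triage: LNK files whose target launches PowerShell ----------
# The chain starts with a ZIP holding an LNK that runs PowerShell to pull a
# script from GitHub. WScript.Shell resolves the shortcut's target and arguments.
$wsh      = New-Object -ComObject WScript.Shell
$psTarget = '(?i)powershell(\.exe)?|pwsh(\.exe)?'
$psRisky  = '(?i)-w(indowstyle)?\s*hidden|-e(c|nc|ncodedcommand)?\s|DownloadString|Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|github|githubusercontent|dropbox'

$lnkHits = foreach ($dir in $ShortcutDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            try { $sc = $wsh.CreateShortcut($_.FullName) } catch { return }
            if ("$($sc.TargetPath) $($sc.Arguments)" -match $psTarget) {
                [pscustomobject]@{
                    Lnk       = $_.FullName
                    Target    = $sc.TargetPath
                    Arguments = $sc.Arguments
                    HighRisk  = [bool]($sc.Arguments -match $psRisky)   # hidden window, encoded or remote fetch
                }
            }
        }
}

# ---- 2. Defender tampering: exclusions and protection state --------------------
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
$defender = [pscustomobject]@{
    RealTimeProtection  = $status.RealTimeProtectionEnabled
    AntivirusEnabled    = $status.AntivirusEnabled
    RunningMode         = $status.AMRunningMode          # "Passive Mode" once another AV is registered
    RTMDisabledByPref   = $pref.DisableRealtimeMonitoring
    ExclusionPaths      = @($pref.ExclusionPath      | Where-Object { $_ })
    ExclusionProcesses  = @($pref.ExclusionProcess   | Where-Object { $_ })
    ExclusionExtensions = @($pref.ExclusionExtension | Where-Object { $_ })
}

# ---- 3. Spurious AV registrations in Windows Security Center ------------------
# defendnot registers a fake AV product through the WSC API so Defender stands
# down. Registered products are listed in root/SecurityCenter2 (absent on Windows
# Server). Heuristic: a product whose binary is missing or not validly
# Authenticode-signed deserves a look; Defender itself reports a URI, not a path.
$avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
    ForEach-Object {
        $exe = $_.pathToSignedProductExe
        $sig = if ($exe -match '^\w+://') { 'UriHandler' }
               elseif ($exe -and (Test-Path -LiteralPath $exe)) { (Get-AuthenticodeSignature -FilePath $exe).Status }
               else { 'FileMissing' }
        [pscustomobject]@{
            Name       = $_.displayName
            State      = ('0x{0:X6}' -f $_.productState)
            Exe        = $exe
            Signature  = $sig
            Suspicious = ($sig -notin @('Valid', 'UriHandler'))
        }
    }

# ---- 4. Report ------------------------------------------------------------------
"== Shortcuts launching PowerShell ($(@($lnkHits).Count)) =="
$lnkHits   | Format-Table -AutoSize -Wrap
"== Defender state =="
$defender  | Format-List
"== Security Center AV products =="
$avProducts | Format-Table -AutoSize
if ($avProducts | Where-Object Suspicious) {
    Write-Warning 'An AV product with a missing or unsigned binary is registered; compare with defendnot-style tampering.'
}
if (-not $defender.RealTimeProtection -or $defender.ExclusionPaths.Count -or $defender.ExclusionProcesses.Count) {
    Write-Warning 'Defender real-time protection is off or exclusions are present; verify each against change management.'
}
```

Run it in an elevated session on the suspect host. A clean machine shows Defender in "Normal" running mode with no exclusions and only Microsoft's own entry in Security Center; a shortcut flagged HighRisk together with a fresh, unsigned AV registration is the pattern this chain leaves behind.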

The final payloads include Amnesia RAT, which the report says can steal browser data, cryptocurrency wallets, chat and platform credentials, screenshots, and webcam and microphone captures, and can execute commands remotely. Exfiltration runs over HTTPS to Telegram Bot APIs, with larger files uploaded to third-party hosting services.

The campaign also drops a ransomware module from the Hakuna Matata family that terminates processes that would interfere with encryption, encrypts user files, monitors the clipboard to swap cryptocurrency addresses, and deploys a locker to restrict user interaction. The report notes that the operators host scripts on GitHub and binaries on Dropbox to make takedowns harder.

WHY IT MATTERS

The chain shows how attackers can achieve full system compromise by abusing native Windows features and legitimate cloud services without exploiting a single software vulnerability. Organizations should assume that tailored phishing lures can lead to severe data theft and encryption once endpoint protections are disabled, and should treat new Defender exclusions, real-time protection being switched off, and unexpected antivirus product registrations as signals worth alerting on.