Multi-Stage Phishing Campaign Targets Russian Users With Amnesia RAT And Ransomware

A new multi-stage phishing campaign has been observed targeting users in Russia, delivering both ransomware and a remote access trojan known as Amnesia RAT, according to findings published this week by Fortinet FortiGuard Labs. The campaign relies heavily on social engineering, using business-themed documents designed to look routine and harmless to lure victims into executing malicious files. Researchers noted that these documents and the accompanying scripts act as visual distractions, presenting fake tasks or status messages to the user while the malicious activity runs silently in the background, allowing the attackers to establish a foothold without raising immediate suspicion.

One of the notable aspects of the campaign is its use of multiple public cloud services to host different components of the attack chain. GitHub is used primarily to distribute scripts, while binary payloads are staged on Dropbox; splitting the chain across two providers complicates takedown efforts and increases operational resilience. The attack begins with compressed archives containing decoy documents and a malicious Windows shortcut (LNK) file with Russian-language filenames. The shortcut uses a double file extension so that it appears to be a text document, increasing the likelihood that it will be opened. When executed, the shortcut launches a PowerShell command that retrieves a first-stage script from a GitHub repository. That script suppresses visible execution, prepares the system to hide evidence of malicious behavior, and generates a decoy document that is automatically opened to maintain the illusion of legitimate activity.
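The two lure traits described above, a document-looking name in front of the .lnk extension and a shortcut target that launches PowerShell with download or hidden-window arguments, are cheap to hunt for. The script below is an added example written for this article; it is not code from the FortiGuard report or from the campaign. The indicator substrings, the document extensions it treats as "disguise" extensions and the default search root are assumptions for illustration, and the shortcut target is read with the WScript.Shell COM object, which does not execute the shortcut.

```powershell
# Added example (not from the FortiGuard report): find .lnk files that pose as
# documents ("report.txt.lnk") or whose target launches a script host with
# downloader-style arguments. Indicator lists and $Root are assumptions.
param(
    [string]$Root = "$env:USERPROFILE\Downloads"
)

$shell = New-Object -ComObject WScript.Shell

# A shortcut whose BaseName still ends in a document extension is a double-extension lure.
$docExts = '\.(txt|doc|docx|pdf|xls|xlsx|rtf)$'

# Substrings that commonly appear in PowerShell downloader one-liners (assumed list, not exhaustive).
$suspiciousArgs = @(
    'iwr', 'invoke-webrequest', 'invoke-expression', 'iex', 'downloadstring', 'webclient',
    '-w hidden', '-windowstyle hidden', '-enc', '-encodedcommand', 'bypass',
    'github', 'raw.githubusercontent', 'dropbox'
)

Get-ChildItem -Path $Root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
    $lnk = $_
    try {
        # CreateShortcut on an existing .lnk parses it; it does not run the target.
        $sc = $shell.CreateShortcut($lnk.FullName)
    } catch {
        return   # unreadable shortcut: skip to the next file
    }

    $doubleExt = $lnk.BaseName -match $docExts
    $target    = [string]$sc.TargetPath
    $lnkArgs   = [string]$sc.Arguments
    $cmd       = ($target + ' ' + $lnkArgs).ToLowerInvariant()

    $launchesHost = $cmd -match 'powershell|pwsh|cmd\.exe|mshta|wscript|cscript'
    $hits = @($suspiciousArgs | Where-Object { $cmd.Contains($_) })

    if ($doubleExt -or ($launchesHost -and $hits.Count -gt 0)) {
        [pscustomobject]@{
            Path            = $lnk.FullName
            DoubleExtension = $doubleExt
            Target          = $target
            Arguments       = $lnkArgs
            Indicators      = ($hits -join ',')
        }
    }
}
```

Run it against a mail attachment staging folder or an extracted archive (`.\Find-LureShortcuts.ps1 -Root C:\Quarantine | Format-List`). A double extension alone is worth a look even when the target is benign, because Explorer hides the .lnk suffix by default, which is exactly what the lure depends on.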

As the campaign progresses, the PowerShell loader contacts the attacker through the Telegram Bot API to signal successful execution, then waits for a deliberate delay before downloading and running an obfuscated Visual Basic Script from the same GitHub location. This script operates entirely in memory to avoid leaving artifacts on disk and checks whether it is running with elevated privileges. If administrative access is not available, it repeatedly triggers User Account Control prompts until the user grants permission. Once elevated, the malware initiates a series of actions to suppress visibility, disable endpoint protection, and conduct reconnaissance. This includes abusing a tool called defendnot to disable Microsoft Defender by registering a fake antivirus product with the Windows Security Center, configuring Defender exclusions, turning off additional protection components, modifying registry-based policy controls, and capturing screenshots at regular intervals for exfiltration via Telegram.

After neutralizing security controls, the attackers deploy their final payloads. One is Amnesia RAT, retrieved from Dropbox and capable of extensive data theft and remote control. The malware is designed to collect information from web browsers, cryptocurrency wallets, messaging and gaming applications, as well as system metadata, screenshots, webcam images, microphone audio, clipboard contents, and active window titles. It supports full remote interaction, including command execution, process management, and delivery of additional malware, with data exfiltration conducted primarily over HTTPS through Telegram APIs and external file hosting services. The second payload is ransomware derived from the Hakuna Matata family, configured to encrypt a wide range of files after terminating processes that could interfere with encryption. It also monitors clipboard activity to replace cryptocurrency wallet addresses with attacker-controlled ones, and deploys a WinLocker component to restrict user interaction.

Fortinet researchers noted that the attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities, instead relying on native Windows features and policy mechanisms to disable defenses before deploying surveillance and destructive tools. Microsoft has advised users to enable Tamper Protection and to monitor for suspicious changes to Defender settings as countermeasures to abuse of the Windows Security Center APIs. The findings come amid broader activity targeting Russian organizations, including spear-phishing campaigns delivering other implants and backdoors through decoy documents and malicious shortcuts, highlighting continued interest from multiple threat actors in combining social engineering with cloud-hosted infrastructure to compromise corporate environments.
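The advice above (keep Tamper Protection on, watch Defender settings) translates into a handful of checks that cover every tampering step the article attributes to the campaign: the Tamper Protection and real-time protection state, new exclusions, a non-Microsoft product registered with Windows Security Center (the mechanism defendnot relies on), Defender policy registry keys, and recent configuration-change events. The script below is an added example for this article, not Microsoft's or Fortinet's code. It uses only the standard Defender cmdlets, the `root/SecurityCenter2` WMI class and the Defender Operational event log; the seven-day lookback window and the "anything that is not Defender is suspicious" rule for WSC products are assumptions that should be adjusted where a legitimate third-party antivirus is deployed.

```powershell
# Added example (not Microsoft's or Fortinet's code): audit the Defender state a
# WSC-spoofing tool such as defendnot would alter. Run from an elevated prompt.
# Event IDs 5001 (real-time protection disabled) and 5007 (configuration changed)
# are Defender Operational log IDs; the 7-day window is an assumption.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Tamper Protection and real-time protection state.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)          { $findings.Add('Tamper Protection is OFF') }
if (-not $status.RealTimeProtectionEnabled)  { $findings.Add('Real-time protection is OFF') }
if (-not $status.AntivirusEnabled)           { $findings.Add('Defender AV disabled (another product may have claimed WSC)') }

# 2. Exclusions. A fresh, broad exclusion (C:\, %TEMP%, powershell.exe) is a classic tamper artifact.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings.Add("Path exclusion: $p") } }
foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $findings.Add("Process exclusion: $p") } }
foreach ($p in @($pref.ExclusionExtension)) { if ($p) { $findings.Add("Extension exclusion: $p") } }
if ($pref.DisableRealtimeMonitoring) { $findings.Add('Preference DisableRealtimeMonitoring = True') }

# 3. Products registered with Windows Security Center. Defender steps aside when another
#    AV is registered here, so verify the registered executable exists and is properly signed.
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | ForEach-Object {
    $exe = $_.pathToSignedProductExe
    $sig = if ($exe -and (Test-Path -LiteralPath $exe)) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'MISSING' }
    if ($_.displayName -notmatch 'Windows Defender|Microsoft Defender') {
        $findings.Add("WSC-registered AV: '$($_.displayName)' exe=$exe signature=$sig")
    }
}

# 4. Policy keys that switch Defender off. Only Group Policy should ever write these.
$polKeys = @{
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' =
        'DisableAntiSpyware', 'DisableAntiVirus'
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' =
        'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableOnAccessProtection', 'DisableIOAVProtection'
}
foreach ($key in $polKeys.Keys) {
    if (Test-Path -LiteralPath $key) {
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($name in $polKeys[$key]) {
            if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) {
                $findings.Add("Policy $key\$name = 1")
            }
        }
    }
}

# 5. Recent configuration changes and real-time protection disablement in the Defender log.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("$($_.TimeCreated) EventID $($_.Id): $(($_.Message -split "`n")[0])") }

if ($findings.Count -eq 0) { 'No Defender tampering indicators found.' } else { $findings }
```

With Tamper Protection enabled, steps 2 and 4 should normally come back empty even after an attacker gains administrator rights, because Tamper Protection blocks local changes to those settings; a non-Microsoft entry in step 3 whose executable is missing or unsigned is the most direct sign that a WSC-spoofing tool has been used. In a fleet, run the script through your EDR or remote management channel and alert on any non-empty result.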
