New Multi-Stage Windows Malware Disables Microsoft Defender, Deploys Malicious Payloads

A sophisticated multi-stage malware campaign is targeting Russian users, leveraging social engineering, legitimate cloud services, and native Windows functionality to achieve full system compromise without exploiting any vulnerabilities.

The campaign begins with deceptively crafted business-themed documents delivered via compressed archives.

Victims receive Russian-language files that appear to be routine accounting tasks, but the archive contains a malicious LNK shortcut that serves as the infection vector.

Once executed, this initial payload initiates a carefully orchestrated attack chain designed to systematically turn off security controls, establish persistent surveillance, and deploy ransomware alongside remote access trojans.

The threat actors employ a modular hosting architecture, distributing PowerShell loaders and scripts via GitHub while hosting binary payloads on Dropbox.

This separation ensures attackers can update or rotate components independently, complicates takedown efforts, and allows malicious traffic to blend seamlessly into legitimate enterprise network activity.

FortiGuard Labs recently identified a multi-stage malware campaign primarily targeting users in Russia. The attack begins with social engineering lures delivered via business-themed documents.

Initial Infection and Social Engineering

The LNK shortcut, disguised as a standard text document (“Assignment_for_accountant_02department.txt.lnk”), launches PowerShell with an execution policy bypass and immediately downloads a first-stage loader from GitHub.

The script employs no zero-day exploits or privilege escalations; success relies entirely on user interaction, a technique that remains highly effective in enterprise environments where document sharing is routine.

Upon execution, the PowerShell loader suppresses console windows, generates a decoy Russian-language accounting document to occupy the user’s attention, and sends execution confirmation to the attacker via the Telegram Bot API.

After a 444-second delay, it retrieves an obfuscated VBScript payload and executes it through Windows Script Host in a hidden window, ensuring no visible execution artifacts remain.

The VBScript orchestrator (SCRRC4ryuk.vbe) represents the critical stage where the malware systematically dismantles Windows security.

Encoded using Script Encoder Plus with layered Base64 and RC4 decryption, the payload reconstructs its core logic entirely in memory, preventing disk-based detection.

Before deploying high-impact payloads, the script disables Microsoft Defender through multiple complementary techniques.

Figure: Attack chain (Source: FortiGuard).

It modifies registry policies under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, disabling real-time monitoring, behavior analysis, and archive scanning.

Filesystem exclusions are added for common staging directories, including ProgramData, Program Files, and Downloads, ensuring subsequent payloads fall outside Defender’s scanning scope.

Critically, the malware deploys Defendnot, a research tool that exploits Windows Security Center trust assumptions rather than forcefully terminating Defender.

The tool injects a DLL into the trusted Taskmgr.exe process and registers a fake antivirus product, triggering automatic Defender disablement to prevent conflicts, an elegant abuse of legitimate Windows security architecture.

SCRRC4ryuk.vbe is written to disk in a fully encoded form generated using Script Encoder Plus. In its stored state, the file bears no resemblance to readable VBScript.
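The following read-only audit script is an added example, not code from the FortiGuard report or from the malware: it checks a host for the three Defender-tampering techniques described above (policy-based disablement, staging-directory exclusions, and a rogue Security Center registration). It assumes a Windows 10/11 host with the Defender PowerShell module and an elevated session; the `$knownAv` allow-list is a placeholder you extend for your own environment.

```powershell
# Added example (not from the FortiGuard report): audit a host for the Defender
# tampering described above. Assumes Windows 10/11 with the Defender module and
# an elevated session. Read-only: it reports findings and changes nothing.
$findings = @()
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'

# Policy-based disablement: each of these DWORDs set to 1 turns off a Defender feature.
$policyChecks = @{
    "$policy"                      = @('DisableAntiSpyware')
    "$policy\Real-Time Protection" = @('DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableOnAccessProtection')
    "$policy\Scan"                 = @('DisableArchiveScanning')
}
foreach ($key in $policyChecks.Keys) {
    foreach ($name in $policyChecks[$key]) {
        $v = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($v -and $v.$name -eq 1) { $findings += "Policy $key\$name = 1" }
    }
}

# Policy-defined path exclusions: the value names under this key are the excluded paths.
$exclKey = "$policy\Exclusions\Paths"
if (Test-Path $exclKey) {
    (Get-Item $exclKey).GetValueNames() | ForEach-Object { $findings += "Policy exclusion path: $_" }
}

# Effective configuration as Defender itself reports it (catches non-policy changes too).
$pref = Get-MpPreference
foreach ($p in 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableArchiveScanning') {
    if ($pref.$p) { $findings += "MpPreference $p is True" }
}
$staging = 'ProgramData', 'Program Files', 'Downloads'   # directories the campaign excludes
foreach ($path in $pref.ExclusionPath) {
    if ($staging | Where-Object { $path -like "*$_*" }) { $findings += "Suspicious exclusion: $path" }
}

# Security Center registrations: a Defendnot-style fake product appears as an AntiVirusProduct
# whose executable path is not a known vendor binary. Placeholder allow-list; extend per environment.
$knownAv = @('windowsdefender://', 'C:\Program Files\Windows Defender\MsMpEng.exe')
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | ForEach-Object {
    if ($_.pathToSignedProductExe -notin $knownAv) {
        $findings += "Unrecognized AV registration: '$($_.displayName)' -> $($_.pathToSignedProductExe)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Defender tampering indicators found.' }
```

Because Defendnot leaves Defender installed but dormant, the Security Center check is the one that distinguishes this campaign from ordinary policy tampering; feed the findings to your SIEM rather than acting on them locally.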

Surveillance and System Lockdown

Following defensive neutralization, the attack deploys Amnesia RAT, a data-exfiltration trojan with expansive reconnaissance capabilities.

The RAT targets Chromium-based browsers, stealing passwords, cookies, and session tokens through Windows DPAPI decryption.

Amnesia RAT public-facing reference site (Source: FortiGuard).

It explicitly hijacks Telegram Desktop sessions by exfiltrating the tdata directory, enabling full account takeover without credentials. The malware also monitors clipboard contents to intercept cryptocurrency seed phrases and targets desktop wallets including MetaMask, Electrum, and Exodus.

Simultaneously, the script implements comprehensive system lockdown by disabling administrative tools through registry policies.

Task Manager, Registry Editor, Run dialog, and System Settings are all disabled. Windows Recovery Environment is neutralized using reagentc /disable, backup catalogs are deleted, and all Volume Shadow Copy snapshots are removed, eliminating recovery options entirely.
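As a companion to the lockdown and anti-recovery steps just described, here is an added read-only check (not from the FortiGuard report) that looks for the policy values that disable Task Manager, Registry Editor, the Run dialog and Settings in both hives, a disabled Windows Recovery Environment, and the absence of Volume Shadow Copies. It assumes Windows 10/11 and an elevated session; `reagentc.exe` and the `Win32_ShadowCopy` class are standard Windows components.

```powershell
# Added example (not from the FortiGuard report): check for the lockdown and
# anti-recovery actions described above. Assumes Windows 10/11, elevated session. Read-only.
$findings = @()

# Policy values that disable Task Manager, Registry Editor, the Run dialog and Settings.
# Each value set to 1 is a finding; check both the machine and the current-user hive.
$policyChecks = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\System';   Names = 'DisableTaskMgr', 'DisableRegistryTools' }
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Names = 'NoRun', 'NoControlPanel' }
)
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($c in $policyChecks) {
        $path = "$hive\$($c.Key)"
        foreach ($n in $c.Names) {
            $v = Get-ItemProperty -Path $path -Name $n -ErrorAction SilentlyContinue
            if ($v -and $v.$n -eq 1) { $findings += "$path\$n = 1" }
        }
    }
}

# Windows Recovery Environment: after 'reagentc /disable', 'reagentc /info' reports the status as Disabled.
$reInfo = & reagentc.exe /info 2>&1 | Out-String
if ($reInfo -match 'Windows RE status:\s+Disabled') { $findings += 'Windows RE is disabled' }

# Volume Shadow Copies: zero snapshots on a host that normally keeps restore points is suspicious.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
if ($shadows.Count -eq 0) { $findings += 'No Volume Shadow Copy snapshots present' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No lockdown or anti-recovery indicators found.' }
```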

The Hakuna Matata ransomware stage encrypts hundreds of file extensions, renaming infected files with the extension @NeverMind12F.

The ransomware terminates database, office, email, and virtualization processes before rescanning to maximize encryption coverage.

Simultaneously, a WinLocker component enforces full desktop lockout with Russian-language messages demanding Telegram contact within two hours.

Critically, the ransomware implements clipboard hijacking (ClipBanker), replacing cryptocurrency wallet addresses with attacker-controlled values, ensuring financial extraction remains viable even if victims possess encrypted backups.
