A new multi-stage phishing campaign has been spotted targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT.
“The attack begins with social engineering lures delivered through business-themed documents designed to appear routine and benign,” Fortinet FortiGuard Labs researcher Cara Lin said in a technical analysis published this week. “These documents and accompanying scripts serve as visual distractions, diverting victims to fake actions or status messages, while the malicious activity runs quietly in the background.”
The campaign is notable for several reasons. First, it uses multiple public cloud services to deliver different types of payloads: GitHub is used mainly to distribute scripts, while binary payloads are staged on Dropbox. Splitting the hosting this way complicates takedown efforts and makes the delivery infrastructure more resilient.
Another “defining feature” of the campaign, according to Fortinet, is the operational abuse of DefendNot to disable Microsoft Defender. DefendNot was released last year by a security researcher who goes by the online alias es3n1n; it tricks the security program into believing that another antivirus product is already installed on a Windows host.
The campaign leverages social engineering to distribute compressed archives, which contain several fake documents and a malicious Windows shortcut (LNK) with Russian-language file names. The LNK file uses a double extension (“Затание_для_бухгалтера_02отdela.txt.lnk”) to give the impression that it is a text file.
When executed, it runs a PowerShell command to retrieve the next-stage PowerShell script hosted in a GitHub repository (“github[.]com/Mafin111/MafinREP111”), which acts as a first-stage loader to gain a foothold, prepare the system to hide evidence of malicious activity, and hand off control flow to later stages.
“The script first suppresses visible execution by programmatically hiding the PowerShell console window,” Fortinet said. “This removes any immediate visual indicators that a script is running. It then generates a decoy text document in the user’s local application data directory. Once written to disk, the decoy document automatically opens.”
With the decoy document on screen to keep up the ruse, the script sends a message to the attacker via the Telegram bot API, informing the operator that the first stage has executed successfully. After a deliberately introduced delay of 444 seconds, the PowerShell script runs a Visual Basic script (“SCRRC4ryuk.vbe”) hosted at the same repository location.
Fetching the next stage this way has two benefits: it keeps the loader lightweight, and it lets the threat actors quickly update or swap payload functionality without changing the rest of the attack chain.
The Visual Basic script is heavily obfuscated and acts as a controller that assembles the next-stage payload directly in memory, leaving no artifacts on disk. The final-stage script checks whether it is running with elevated privileges and, if not, displays repeated User Account Control (UAC) prompts to pressure the victim into granting the necessary permissions, pausing for 3,000 milliseconds between attempts.
In the next phase, the malware carries out a series of actions to suppress visibility, neutralize endpoint security mechanisms, perform reconnaissance, disrupt recovery, and ultimately deploy the main payload:
- Configure Microsoft Defender exclusions so that the ProgramData, Program Files, Desktop, Downloads, and system temporary directories are no longer scanned.
- Use PowerShell to turn off additional Defender security components.
- Deploy DefendNot to register a fake antivirus product with the Windows Security Center interface and disable Microsoft Defender itself to avoid potential conflicts.
- Conduct environmental reconnaissance and monitoring through screenshot capture via a dedicated .NET module downloaded from the GitHub repository, which takes a screengrab every 30 seconds, saves it as a PNG image, and exfiltrates it through a Telegram bot.
- Disable Windows administrative and diagnostic tools by tampering with registry-based policy controls.
- Implement a file association hijacking mechanism such that opening files with certain predefined extensions displays a message instructing the victim to contact the threat actor via Telegram.
One of the final payloads deployed after successfully disabling security controls and recovery mechanisms is the Amnesia RAT (“svchost.scr”), recovered from Dropbox and capable of widespread data theft and remote control. It is designed to steal information stored in web browsers, cryptocurrency wallets, Discord, Steam, and Telegram, along with system metadata, screenshots, webcam images, microphone audio, clipboard, and active window titles.
“The RAT enables full remote interactions, including process enumeration and termination, shell command execution, arbitrary payload deployment, and execution of additional malware,” Fortinet said. “Exfiltration is primarily performed over HTTPS using the Telegram bot API. Large datasets can be uploaded to third-party file-hosting services like GoFile, with download links sent to the attacker via Telegram.”
Overall, Amnesia RAT facilitates credential theft, session hijacking, financial fraud, and real-time data gathering, turning it into a comprehensive tool for account takeover and follow-on attacks.
The second payload delivered by the script is a ransomware derived from the Hakuna Matata ransomware family and is configured to encrypt documents, archives, images, media, source code, and application assets on the infected endpoint, but not before terminating any processes that may interfere with its functioning.
Additionally, the ransomware monitors clipboard contents and silently modifies cryptocurrency wallet addresses with attacker-controlled wallets to re-route transactions. The infection sequence ends with the script deploying WinLocker to restrict user interaction.
Lin concluded: “This attack series demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities. By systematically abusing native Windows features, administrative tools, and policy enforcement mechanisms, the attacker disables endpoint protection before deploying persistent monitoring tooling and destructive payloads.”
To combat DefendNot’s misuse of the Windows Security Center API, Microsoft recommends enabling tamper protection to prevent unauthorized changes to Defender settings and monitoring for suspicious API calls or changes to the Defender service.
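The list of tampering steps above and Microsoft's mitigation advice map onto a handful of host-side checks a defender can run. The script below is an added example, not code from Fortinet or Microsoft: it audits a Windows host for the conditions this campaign creates (tamper protection off, core Defender components disabled, whole high-value directories excluded, a second antivirus product registered with Security Center, policy values that disable admin tools, and common document extensions handed to a script host). The registry value names and the `root/SecurityCenter2` class are the standard ones; the specific directories, extensions and the script-host pattern are assumptions chosen to match the behaviour described in the article.

```powershell
# Added example (not Fortinet's or Microsoft's code). Run in an elevated PowerShell
# session on a Windows client with Microsoft Defender; root/SecurityCenter2 is not
# present on Windows Server, so check 3 is skipped there.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Tamper protection and core Defender components
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)         { $findings.Add("Tamper protection is OFF") }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is OFF") }
if (-not $status.AntivirusEnabled)          { $findings.Add("Defender antivirus is disabled") }

$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) { $findings.Add("DisableRealtimeMonitoring preference is set") }
if ($pref.DisableBehaviorMonitoring) { $findings.Add("DisableBehaviorMonitoring preference is set") }
if ($pref.DisableIOAVProtection)     { $findings.Add("DisableIOAVProtection preference is set") }

# 2. Exclusions that cover an entire high-value directory (assumed list, matching the
#    directories the campaign excludes)
$suspectRoots = @($env:ProgramData, $env:ProgramFiles, ${env:ProgramFiles(x86)},
                  "$env:USERPROFILE\Desktop", "$env:USERPROFILE\Downloads",
                  $env:TEMP, "$env:SystemRoot\Temp") | Where-Object { $_ }
foreach ($ex in @($pref.ExclusionPath)) {
    foreach ($root in $suspectRoots) {
        if ($ex -and $ex.TrimEnd('\') -ieq $root.TrimEnd('\')) {
            $findings.Add("Defender exclusion covers an entire directory: $ex")
        }
    }
}

# 3. Antivirus products registered with Security Center. On a host that should only
#    run Defender, a second registered product is what DefendNot-style tools create.
$avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
foreach ($p in $avProducts) {
    if ($p.displayName -notlike "*Windows Defender*" -and $p.displayName -notlike "*Microsoft Defender*") {
        $findings.Add("Non-Microsoft AV registered with Security Center: $($p.displayName) (productState $($p.productState))")
    }
}

# 4. Policy values that disable administrative and diagnostic tools, in both hives
$policyChecks = @(
    @{ SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr' },
    @{ SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools' },
    @{ SubKey = 'Software\Policies\Microsoft\Windows\System';                  Name = 'DisableCMD' }
)
foreach ($c in $policyChecks) {
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path = Join-Path $hive $c.SubKey
        $v = Get-ItemProperty -Path $path -Name $c.Name -ErrorAction SilentlyContinue
        if ($v -and $v.($c.Name) -ne 0) { $findings.Add("Policy $($c.Name) is set at $path") }
    }
}

# 5. File association hijack: document extensions whose default handler is a script host
#    (assumed extension list and handler pattern)
foreach ($ext in '.txt', '.docx', '.xlsx', '.pdf', '.jpg') {
    $progId = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { continue }
    $cmd = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'wscript|cscript|powershell|mshta|cmd\.exe') {
        $findings.Add("$ext opens via a script host: $cmd")
    }
}

if ($findings.Count -eq 0) { "No tampering indicators found." }
else { $findings | ForEach-Object { "[!] $_" } }
```

Each check is independent, so a hit in one section does not mask the others; in practice the output is most useful when compared against a known-good baseline from the same build image, since a legitimate third-party antivirus will also appear in check 3.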
This development comes at a time when human resources, payroll, and internal administrative departments of Russian corporate entities have been targeted by a threat actor tracked as UNG0902 to deliver a previously unknown implant named DUPERUNNER, which is responsible for loading AdaptixC2, a command-and-control (C2) framework. The spear-phishing campaign, codenamed Operation Dupehike, has been running since November 2025.
Seqrite Labs said the attacks used fake documents on topics such as employee bonuses and internal financial policies to persuade recipients to open a malicious LNK file inside a ZIP archive, which leads to the execution of DUPERUNNER.
The implant contacts an external server to fetch and display a decoy PDF document, while system profiling and the download of the AdaptixC2 beacon are performed in the background.
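Both campaigns on this page share a delivery shape that is visible in web-proxy telemetry: a fetch from a public staging service (GitHub or Dropbox in the Amnesia RAT chain) followed shortly by a beacon to the Telegram Bot API, and a decoy download running alongside the real payload fetch in the DUPERUNNER chain. The script below is an added example, not code from Fortinet or Seqrite: it correlates proxy log lines per client and flags any client that contacts a staging host and then calls `api.telegram.org/bot…` within a configurable window. The log lines are constructed for the example; the hosts are the public services named in the article, while the client IPs, repository paths, bot token and timestamps are invented.

```powershell
# Added example (not from the Fortinet or Seqrite reports). Correlates web-proxy log
# lines for the pattern "staging-host fetch, then Telegram Bot API call" per client.
# Constructed sample log: '<ISO-8601 UTC time> <client> <method> <url> <status>'.
$sampleLog = @'
2026-01-14T09:00:01Z 10.1.2.3 GET https://raw.githubusercontent.com/example-org/example-repo/main/stage1.ps1 200
2026-01-14T09:00:05Z 10.1.2.3 POST https://api.telegram.org/bot0000000000:EXAMPLEBOTTOKEN/sendMessage 200
2026-01-14T09:07:30Z 10.1.2.3 GET https://www.dropbox.com/scl/fi/example/svchost.scr?dl=1 200
2026-01-14T09:10:00Z 10.1.2.3 POST https://api.telegram.org/bot0000000000:EXAMPLEBOTTOKEN/sendDocument 200
2026-01-14T09:12:00Z 10.1.2.9 GET https://github.com/example-org/example-repo 200
2026-01-14T09:15:00Z 10.1.2.9 GET https://www.example.com/news 200
'@

# Assumed lists: the public services the article names as staging points.
$stagingHosts = 'raw.githubusercontent.com', 'github.com', 'www.dropbox.com', 'dl.dropboxusercontent.com'
$window = [TimeSpan]::FromMinutes(15)   # assumed correlation window

function ConvertFrom-ProxyLine {
    param([string]$Line)
    $ts, $client, $method, $url, $status = $Line.Trim() -split '\s+'
    $uri = [Uri]$url
    [pscustomobject]@{
        Time   = [DateTimeOffset]::Parse($ts).UtcDateTime
        Client = $client
        Method = $method
        Host   = $uri.Host
        Path   = $uri.AbsolutePath
        Status = [int]$status
    }
}

# The Bot API always uses the path prefix /bot<token>/<method>, which is what makes it
# distinguishable from ordinary Telegram web traffic.
function Test-TelegramBotCall {
    param($Event)
    $Event.Host -eq 'api.telegram.org' -and $Event.Path -like '/bot*'
}

$events = $sampleLog -split '\r?\n' | Where-Object { $_.Trim() } | ForEach-Object { ConvertFrom-ProxyLine $_ }

$findings = foreach ($group in ($events | Group-Object Client)) {
    $evs = @($group.Group | Sort-Object Time)
    for ($i = 0; $i -lt $evs.Count; $i++) {
        if ($stagingHosts -notcontains $evs[$i].Host) { continue }
        # Look forward from each staging fetch for the first bot-API call inside the window
        for ($j = $i + 1; $j -lt $evs.Count; $j++) {
            if (($evs[$j].Time - $evs[$i].Time) -gt $window) { break }
            if (Test-TelegramBotCall $evs[$j]) {
                [pscustomobject]@{
                    Client   = $group.Name
                    Staged   = $evs[$i].Host
                    StagedAt = $evs[$i].Time
                    BeaconAt = $evs[$j].Time
                }
                break
            }
        }
    }
}

# With the sample above, 10.1.2.3 produces two findings (GitHub then Dropbox, each
# followed by a bot-API call) and 10.1.2.9 produces none.
$findings | Format-Table -AutoSize
```

The rule is deliberately narrow: a single GitHub or Dropbox fetch is routine in most environments, and a Telegram Bot API call on its own is not conclusive, but the two in sequence from one client within minutes is the specific shape of this loader. Replace `$sampleLog` with `Get-Content` over real proxy exports in the same field order to run it against live data.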
In recent months, Russian organizations have also been targeted by another threat actor tracked as Paper Werewolf (aka GOFFEE), which employed artificial intelligence (AI)-generated decoys and DLL files compiled as Excel XML add-ins to deliver a backdoor called EchoGather.
“Once launched, the backdoor collects system information, communicates with hardcoded command-and-control (C2) servers, and supports command execution and file transfer operations,” said Intezer security researcher Nicole Fishbein. It “communicates with C2 over HTTP(S) using the WinHTTP API.”