Cybersecurity

Cyber: Multi-stage Phishing Campaign Targets Russia With Amnesia Rat And...

2026-01-24 0 views admin
Cyber: Multi-stage Phishing Campaign Targets Russia With Amnesia Rat And...

A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT.

"The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background."

The campaign stands out for a couple of reasons. First, it uses multiple public cloud services to distribute different kinds of payloads. While GitHub is mainly used to distribute scripts, binary payloads are staged on Dropbox. This separation complicates takedown efforts, effectively improving resilience.

Another "defining characteristic" of the campaign, per Fortinet, is the operational abuse of defendnot to disable Microsoft Defender. Defendnot was released last year by a security researcher who goes by the online alias es3n1n as a way to trick the security program into believing another antivirus product has already installed on the Windows host.

The campaign leverages social engineering to distribute compressed archives, which contain multiple decoy documents and a malicious Windows shortcut (LNK) with Russian-language filenames. The LNK file uses a double extension ("Задание_для_бухгалтера_02отдела.txt.lnk") to give the impression that it's a text file.

When executed, it runs a PowerShell command to retrieve the next-stage PowerShell script hosted on a GitHub repository ("github[.]com/Mafin111/MafinREP111"), which then serves as a first-stage loader to establish a foothold, readies the system to hide evidence of malicious activity, and hands off control flow to subsequent stages.

"The script first suppresses visible execution by programmatically hiding the PowerShell console window," Fortinet said. "This removes any immediate visual indicators that a script is running. It then generates a decoy text document in the user's local application data directory. Once written to disk, the decoy document is automatically opened."

Once the document is displayed to the victim to keep up the ruse, the script sends a message to the attacker using the Telegram Bot API, informing the operator that the first stage has been successfully executed. A deliberately-introduced 444 second delay later, the PowerShell script runs

Source: The Hacker News

🏷️ Tags

securityransomwareattack

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views