A cyberattack targeting Thailand's healthcare sector has been identified. It relies on spear-phishing lures that deliver malware inside RAR archives. The campaign, active for about ten weeks, primarily affects hospitals and government health organizations and steals sensitive data such as browser credentials. When a victim opens the archive, obfuscated scripts contained in it execute and establish persistence through the Windows Startup folder, so the malware runs again at each logon.
Although a specific threat actor has not been confirmed, analysis suggests ties to China-aligned groups with a strong understanding of the healthcare sector's workflows. Recommended defenses include monitoring autostart locations such as the Startup folder for unauthorized changes and training staff to recognize phishing attempts, in particular unexpected archive attachments.
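As an added example that is not part of the original report, the following Python sketch shows the kind of check the monitoring recommendation implies: it flags file-creation events (Sysmon Event ID 11 style records, constructed here for illustration) that land a runnable file in a Windows Startup folder, the persistence location this campaign uses (MITRE ATT&CK T1547.001), and raises the severity when the process that wrote the file is an archive tool or a script host. The record format, the list of suspicious writer processes and the extension set are assumptions chosen for the example, not details from the report.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Both Startup folders (per-user under AppData\Roaming and all-users under
# ProgramData) end with the same path suffix, so one case-insensitive pattern
# covers them. Backslashes are matched literally.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+$", re.IGNORECASE)

# Extensions Explorer will launch at logon from the Startup folder.
# Assumption: the set a responder would watch; extend as needed.
RUNNABLE_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".bat", ".cmd",
                 ".ps1", ".hta", ".lnk", ".exe", ".scr"}

# Writers that have no business dropping files into Startup: archive tools
# (the lure in this campaign is a RAR archive) and script hosts that an
# obfuscated dropper script would run under. Assumption: illustrative list.
SUSPICIOUS_WRITERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "wscript.exe",
                      "cscript.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                      "mshta.exe"}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    target: str     # file created inside a Startup folder
    image: str      # process that created it
    reason: str


def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def assess(event: dict) -> Optional[Finding]:
    """Return a Finding when a FileCreate event lands in a Startup folder."""
    if event.get("EventID") != "11":          # only Sysmon FileCreate records
        return None
    target = event.get("TargetFilename", "")
    if not STARTUP_RE.search(target):
        return None
    image = event.get("Image", "")
    writer = image.rsplit("\\", 1)[-1].lower()
    filename = target.rsplit("\\", 1)[-1]
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if writer in SUSPICIOUS_WRITERS and ext in RUNNABLE_EXTS:
        return Finding("high", target, image,
                       f"{writer} dropped runnable {ext} into Startup")
    if ext in RUNNABLE_EXTS:
        return Finding("medium", target, image,
                       f"runnable {ext} written to Startup")
    return Finding("low", target, image, "non-runnable file written to Startup")


def scan(lines: Iterable[str]) -> list:
    """Run assess() over raw records and keep only the hits."""
    return [f for f in (assess(parse_event(ln)) for ln in lines if ln.strip()) if f]


# Constructed sample records (not real telemetry). Host and user names are invented.
SAMPLE_LOG = [
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\nurse01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PatientList.vbs",
    r"EventID=11|Image=C:\Windows\System32\wscript.exe|TargetFilename=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svc.js",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\nurse01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Outlook.lnk",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\nurse01\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
    r"EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\nurse01\Downloads\PatientList.vbs",
    r"EventID=1|Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe PatientList.vbs",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding.severity.upper()}] {finding.target} <- {finding.image}: {finding.reason}")
```

The WinRAR write in the Downloads folder and the process-creation record are deliberately ignored: the check is about the autostart location, not the archive tool itself, which keeps the rule from firing on ordinary extraction. A real deployment would feed it Sysmon or EDR file-creation events and would also baseline the shortcuts legitimately present in each host's Startup folders so that the "medium" findings are not noise.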