A new multi-stage phishing campaign has been detected, specifically targeting users in Russia with a combination of ransomware and a remote access trojan (RAT) called Amnesia RAT. According to a technical analysis by Fortinet’s FortiGuard Labs, the attack initiates with social engineering tactics, utilizing business-themed documents designed to appear routine and harmless.
Attack Methodology
The campaign employs various public cloud services to distribute its payloads. While scripts are primarily hosted on GitHub, binary payloads are stored on Dropbox. This separation complicates efforts to dismantle the attack infrastructure, enhancing its resilience. A notable tactic used in this campaign is the operational abuse of defendnot, a tool that tricks Microsoft Defender into disabling itself by masquerading as another antivirus product.
Execution of Malicious Payloads
The attackers distribute compressed archives containing multiple decoy documents alongside a malicious Windows shortcut (LNK) file, which features Russian-language filenames. This LNK file uses a double extension to mislead users into believing it is a text file. Upon execution, it triggers a PowerShell command that retrieves a next-stage script from a GitHub repository, acting as a loader to establish a foothold on the victim’s system.
The PowerShell script suppresses visible execution by hiding the console window and generates a decoy document to maintain the ruse. It also communicates with the attacker via the Telegram Bot API to confirm successful execution of the first stage. Subsequent actions include running a highly obfuscated Visual Basic Script that assembles the next-stage payload directly in memory, avoiding disk artifacts.
Payload Capabilities
The final payloads include Amnesia RAT, capable of extensive data theft and remote control, and ransomware derived from the Hakuna Matata ransomware family. Amnesia RAT can pilfer information from web browsers, cryptocurrency wallets, and various applications, while also enabling full remote interaction with the infected system. The ransomware encrypts various file types and modifies clipboard contents to reroute cryptocurrency transactions.
This attack chain exemplifies how modern malware campaigns can achieve comprehensive system compromise without exploiting software vulnerabilities. By leveraging native Windows features and administrative tools, the attackers disable endpoint defenses before deploying surveillance and destructive payloads.
Recommended Mitigations
To counter the abuse of the Windows Security Center API, Microsoft advises users to enable Tamper Protection to prevent unauthorized changes to Defender settings and to monitor for suspicious API calls or modifications to Defender services.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








