Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT, Ransomware, and Microsoft Defender Disabling

26.01.2026 3 minutes Author: Newsman

Fortinet FortiGuard Labs has identified a large-scale phishing campaign targeting Russian users that delivers the Amnesia RAT malware together with ransomware and uses several methods to avoid detection and weaken defenses on Windows systems. Notable aspects of this attack are its use of public cloud services to deliver the next stages and its abuse of the defendnot tool to render Microsoft Defender ineffective.

The attack starts with social engineering: victims receive ZIP archives containing “work-related” decoys (documentation, instructions, task lists) alongside a malicious LNK shortcut that uses a double extension to resemble a legitimate file. When opened, the LNK shortcut runs PowerShell to retrieve a second-stage script from GitHub; this script acts as the first-stage loader that hides the execution of the subsequent stages. It drops and opens the decoy document and begins preparing the later stages.

Next, an obfuscated VBE controller script assembles the following payload in memory to minimize on-disk artifacts. It then performs defense evasion and preparation: it creates Defender exclusions, disables additional protection features, deploys defendnot to register a fake antivirus with Windows Security Center so that Defender turns itself off, and runs surveillance/reconnaissance (including periodic screenshots that are sent via the Telegram Bot API).

Other final payloads include:

  • Amnesia RAT (downloaded from Dropbox), which provides full remote access to the victim’s computer and steals all types of sensitive information (e.g., browser history, crypto wallet data, login credentials for popular applications such as Discord, Steam, and Telegram, system-wide metadata, etc.)

  • Hakuna Matata-derived ransomware, which encrypts virtually every type of file, terminates any process that could interfere with the encryption, and tampers with cryptocurrency addresses on the clipboard.

  • WinLocker, which restricts user interaction.

Fortinet emphasizes how this campaign spreads each phase of the attack across multiple cloud providers, specifically GitHub for the scripts/stages and Dropbox for the binaries, which complicates any takedown effort and increases the campaign’s resilience. The report also notes evidence of similar activity against Russian organizations using the same method (archive + LNK), usually themed around HR, payroll, or accounting workflows.

This campaign shows that cyber attacks can achieve complete system compromise without exploiting any software vulnerability, relying instead on social engineering and the systematic abuse of native Windows functions. Strong controls over the execution of shortcuts and scripts, over changes to Defender configuration, and enabled Tamper Protection are therefore essential.
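As an added example (not code from the Fortinet report or this article), the following Python routine runs the detection logic a defender would want for this chain over constructed process-creation records: a script host launched from Explorer that pulls a stage from GitHub/Dropbox, Defender exclusions set from a script, and a script host talking to the Telegram Bot API. All host names, paths and telemetry lines are constructed placeholders, not indicators from the campaign.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style); all fields are constructed."""
    parent_image: str
    image: str
    command_line: str


# Hosts the report names for staging: GitHub for scripts/stages, Dropbox for binaries.
CLOUD_STAGING = re.compile(r"(raw\.githubusercontent\.com|github\.com|dropbox(usercontent)?\.com)", re.I)
# Defender exclusions or feature switches driven from a script (the VBE stage's first step).
DEFENDER_TAMPER = re.compile(r"(Add|Set)-MpPreference\s+-(ExclusionPath|ExclusionProcess|Disable\w+)", re.I)
# Telegram Bot API used to ship the periodic screenshots.
TELEGRAM_BOT = re.compile(r"api\.telegram\.org/bot", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def flag_event(ev: ProcEvent) -> list:
    """Return the names of every heuristic that matches a single event."""
    hits = []
    is_script_host = ev.image.lower().endswith(SCRIPT_HOSTS)
    # A shortcut double-clicked in Explorer runs its target with explorer.exe as parent.
    if is_script_host and ev.parent_image.lower().endswith("explorer.exe") and CLOUD_STAGING.search(ev.command_line):
        hits.append("user-launched script host fetching a stage from cloud storage")
    if DEFENDER_TAMPER.search(ev.command_line):
        hits.append("Defender exclusion or feature change from the command line")
    if is_script_host and TELEGRAM_BOT.search(ev.command_line):
        hits.append("script host contacting the Telegram Bot API")
    return hits


def triage(events: list) -> dict:
    """Map event index -> matched heuristics, keeping only events that matched something."""
    return {i: hits for i, ev in enumerate(events) if (hits := flag_event(ev))}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSCRIPT = r"C:\Windows\System32\wscript.exe"
# Constructed sample telemetry mirroring the chain described above (hosts/paths are placeholders).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", PS,
              "powershell.exe -NoProfile -WindowStyle Hidden -Command \"...raw.githubusercontent.com/PLACEHOLDER/stage2.ps1...\""),
    ProcEvent(WSCRIPT, PS, "powershell.exe -Command \"Add-MpPreference -ExclusionPath 'C:\\Users\\Public'\""),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "\"WINWORD.EXE\" /n \"C:\\Users\\user\\Downloads\\Инструкция.docx\""),  # benign: decoy document opened
    ProcEvent(WSCRIPT, PS, "powershell.exe -Command \"...https://api.telegram.org/botPLACEHOLDER/sendPhoto...\""),
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, "->", "; ".join(reasons))
```

The benign WINWORD event produces no hit, which is the point of keying the first rule on the parent/child pair rather than on any PowerShell launch.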
