{
	"id": "7c93dd0d-d45f-47b1-9f63-2714d9977001",
	"created_at": "2026-04-06T00:19:43.88327Z",
	"updated_at": "2026-04-10T03:21:52.893652Z",
	"deleted_at": null,
	"sha1_hash": "25cb205a03d685439a349cb2cb59a3bf173047ba",
	"title": "Operation Oxidový: Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2332685,
	"plain_text": "Operation Oxidový: Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys\r\nBy Subhajeet Singha\r\nPublished: 2024-08-28 · Archived: 2026-04-05 16:36:37 UTC\r\nSeqrite Labs APT-Team has recently found a campaign targeting the Czech Republic. The campaign targets government and military officials with multiple lures aimed at the relationship between NATO and the Czech Republic. An entire malware ecosystem is involved in this campaign, starting from the loader, Freeze, programmed in Rust, a lucrative, compiled programming language widely adopted by threat actors in the wild, through to a well-known Command-and-Control framework known as HavocC2.\r\nThis blog explores the sophistication and technical details of the campaign we encountered during our analysis. We will examine the various stages of this campaign, starting with a deep dive into the decoy documents and then the malicious batch and LNK payloads, which lead on to the Rust loader injecting a malicious DLL. We will end with a final overview covering the campaign.\r\nInitial Findings\r\nOn August 4th, 2024, our team found a malicious ZIP file that had surfaced on various sources such as VirusTotal, where it has been used as the preliminary source of infection. The file contained various decoys with PDF and LNK file extensions. The same file was found by other threat researchers the very next day.\r\nThe ZIP contains a malicious LNK file named “The importance of and outlook for the Czech Republic in NATO.pdf.lnk”, which is responsible for running another malicious batch script named “AdobeAcrobatReader.bat”. This script is responsible for spawning the decoy document “Postup_zmeny_hesla_z_IMO.pdf” and then renaming a masqueraded PDF file called “NatoDoc.PDF” to a portable executable. This executable is copied to the Startup folder upon execution, acting as a persistence mechanism for the malicious payload. Let us look into the two decoy documents.\r\n
Looking into the decoy-document – I\r\nUpon diving into the first document, Postup_zmeny_hesla_z_IMO.pdf, we see the heading is written in Czech, translating to “Password Change from the Internal Network of the Ministry of Defense (IMO)” in English.\r\nThe first page of the decoy gives steps to navigate to the URL hxxps://x.army.cz, where one changes their password. The other page image mentions ways to change passwords by adhering to specific guidelines, such as proper password length and avoiding guessable passwords.\r\nThe final page of this decoy document contains a message that translates to “Information for local administrators: To access the page hxxps://x[.]army[.]cz, an exception must be set”, with guidance on setting up a proper proxy network.\r\nOverall, this decoy document acts as a lure for the target to immediately change their password and provides guidelines for doing so, which is completely irrelevant to the name of the initial ZIP file.\r\nLooking into the decoy-document – II\r\nLike the previous document, we have another decoy document: The importance of and outlook for the Czech Republic in NATO. This document clearly lays out various reasons for the importance of relations between the Czech Republic and NATO, as well as multiple aspects of geopolitical advantage and history.\r\nThe next page mentions the current security issues and discusses strengthening relations between all NATO nations for prosperity, growth, and modernization. Overall, this document discusses relations and goals between NATO and the Czech Republic, which makes this lure document relevant to the name of the initial ZIP file.\r\nInfection Chain\r\nTechnical Analysis\r\nWe will break down the analysis into four different parts.\r\n
Stage 1 – Malicious Batch \u0026 LNK Script.\r\nThe ZIP contains a malicious LNK file known as 1.The importance of and outlook for the Czech Republic in NATO.pdf.lnk. Looking into its contents, we see its sole purpose is spawning another malicious batch script known as AdobeAcrobatReader.bat.\r\nUpon analyzing the malicious batch script, we found the following:\r\n① Initially, the batch script spawns the first decoy document onto the screen.\r\n② Next, it changes the attributes of the second decoy document and of the masqueraded PDF, which is an executable.\r\n③ Then, it renames the masqueraded PDF to AdobeReader.exe and uses xcopy to copy it to the Startup folder for execution.\r\n④ Lastly, it modifies file attributes to set the shortcut and payload files as hidden, read-only, and system files. This ensures that the malicious LNK file and associated payload are concealed from typical user visibility and protected against unauthorized modification or deletion.\r\nIn the next section, we will look into the malicious payload. From this initial stage, it is evident that the batch script and the LNK were responsible for deploying the payload.\r\n
Stage 2 – Malicious Rust Loader.\r\nA malicious x64 executable payload is present in the ZIP file.\r\nDuring the initial analysis, we found that the payload is actually a Rust-based loader known as Freeze. Researchers at Optiv created this evasive toolkit for red-team emulation-oriented exercises, such as bypassing EDRs using suspended processes, direct syscalls, etc. Next, we loaded the file into IDA, a binary analysis tool, for further reverse engineering and payload extraction.\r\nUpon looking into the code, we see that the loader is performing ETW patching, as it is one of the features supported by Freeze.\r\nNext, the loader spawns the notepad.exe process in suspended mode and then performs unhooking of the DLL by loading a fresh copy of NTDLL from memory and replacing the hooked .text section with the .text section from the fresh, unhooked copy of NTDLL.\r\nPost unhooking, it re-patches ETW.\r\nFinally, the compressed and encoded shellcode is obtained via Base64 decoding and LZMA decompression.\r\nAfter the shellcode is decoded, crypto algorithms like AES/RC4 are used to decrypt it. Once the shellcode is decrypted, it is written into memory using NTAPIs.\r\nNext, we set a breakpoint on the NTAPIs to extract the shellcode from the loader. The shellcode turned out to be a malicious Havoc DLL, which we will look into in the next section.\r\n
Stage 3 – Malicious Havoc Demon.\r\nInitial analysis of this DLL file points to it being the Demon DLL, a payload that is part of the post-exploitation framework known as Havoc.\r\nUpon analysis, we found that the DLL payload contains 4 important subroutines (renamed in IDA for convenience), which are responsible for facilitating the payload’s activities. They are as follows:\r\n① DemonInit.\r\n② DemonConfig.\r\n③ DemonMetadata.\r\n④ DemonRoutine.\r\nNow, let us dive into each one of the functions, looking into some key artifacts.\r\nThe DemonInit function is responsible for loading modules like ntdll.dll and kernel32.dll via the PEB (Process Environment Block). It then resolves or retrieves the functions from those loaded modules and finally calls another subroutine, DemonConfig.\r\n
Extracted Configuration:\r\nSpawn:\r\n– x86: C:\\Windows\\SysWOW64\\notepad.exe\r\n– x64: C:\\Windows\\System32\\notepad.exe\r\nMethod: POST\r\nHost [Command \u0026 Control]: 206.188.197.113\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36\r\nThe DemonConfig function parses the configuration stored in the .data section. Once parsed, it is used further in the program. The DemonConfig function also contains multiple parsing-oriented functions.\r\nThe DemonMetadata function generates unique metadata for the demon payload, which contains artefacts like Demon ID, user name, process architecture, OS info, domain info, and similar information.\r\nThe final DemonRoutine function handles various other things, like connecting to the Command and Control server, which it does by using the PackageTransmitNow function, which then decrypts the data using AES. It then uses the CommandDispatcher routine to perform the tasking routine and, in the end, uses sleep obfuscation via a function that employs various techniques like Ekko, Zilean, and WaitForSingleObjectEx.\r\n
Hunting and Infrastructure\r\nUpon analysis of the loader payload, we found a unique PDB path linked to the binary, C:\\TOOL\\Freeze.rs-main\\target\\release\\AdobeReader\\target\\release\\deps\\AdobeReader.pdb, which helped us to hunt for similar loaders used by the same threat actor. Upon hunting, we found two similar samples.\r\nFile-Name: vihu.exe\r\nPDB-Path: C:\\TOOL\\Freeze.rs-main\\target\\release\\vihu\\target\\release\\deps\\vihu.pdb\r\nTimestamp: 2024-07-24\r\nFile-Name: gnobya.exe\r\nPDB-Path: C:\\TOOL\\Freeze.rs-main\\target\\release\\gnobya\\target\\release\\deps\\gnobya.pdb\r\nTimestamp: 2024-05-22\r\nOnce we extracted the shellcode from both loaders, the shellcode from the first file, vihu.exe, was a similar demon.x64.dll, while the shellcode from the second file, gnobya.exe, turned out to be a URL that downloads a custom Sliver stager. The C2 and the User-Agent found in this Havoc Demon are:\r\nC2: 195.123.225.88\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 9_3_5 like Mac OS X) AppleWebKit/531.2 (KHTML, like Gecko)\r\nThe ZIP archive was submitted from the Czech Republic, whereas the last two payloads found through the PDB path were uploaded from Russia. The infrastructure details of the Havoc C2 are:\r\nIP | ASN | Geolocation\r\n206.188.197.113 | AS399629 (BL Networks) | Netherlands\r\n195.123.225.88 | AS59729 (Green Floid LLC) | Bulgaria\r\n“Based on the heavy usage of post-exploitation frameworks like Havoc, Sliver \u0026 Freeze, and keeping in mind the ongoing tensions in geopolitics with respect to Russian interests in the Czech region, we assess with medium confidence that the threat actor could possibly be of Russian origin.”\r\n
Conclusion\r\nWe have found that a threat actor is targeting the Czech military using a NATO-themed lure, where they are heavily dependent on open-source offensive tooling, from the Rust-based loader to the final DLL payload. Analyzing the overall campaign and the TTPs employed by the threat actor, we can conclude that the threat actor started targeting a few months back, in May 2024.\r\nSeqrite Protection\r\nFreezeL\r\nHavocp.S33863897\r\nCRCampaign.49004.GC\r\nIOCs\r\nPDB Paths\r\n· C:\\TOOL\\Freeze.rs-main\\target\\release\\vihu\\target\\release\\deps\\vihu.pdb\r\n· C:\\TOOL\\Freeze.rs-main\\target\\release\\gnobya\\target\\release\\deps\\gnobya.pdb\r\n· C:\\TOOL\\Freeze.rs-main\\target\\release\\AdobeReader\\target\\release\\deps\\AdobeReader.pdb\r\nIP Addresses\r\n· hxxps://206.188.197.113/\r\n· hxxps://195.123.225.88/\r\nHashes [SHA-256] | File-Name [Lure Document]\r\nfda71a7de6d473826465bb83210107501e66a5d96e533772444b3b24806286fd | The importance of and outlook for the Czech Republic in NATO.pdf\r\n8820e0c249305ffa3d38e72a7f27c0e2195bc739d08f5d270884be6237eea500 | Postup_zmeny_hesla_z_IMO.pdf\r\n
MITRE TTPs\r\nTactic | Technique ID | Name\r\nInitial Access | T1566.001 | Phishing: Spear phishing Attachment\r\nExecution | T1204.002 | User Execution: Malicious File\r\nExecution | T1059.005 | Command and Scripting Interpreter: Visual Basic\r\nPersistence | T1547.001 | Registry Run Keys / Startup Folder\r\nDefense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools\r\nDefense Evasion | T1562.006 | Indicator Blocking\r\nDefense Evasion | T1055 | Process Injection\r\nDefense Evasion | T1055.002 | Process Injection: Portable Executable Injection\r\nDefense Evasion | T1140 | De-obfuscate/Decode Files or Information\r\nDefense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution\r\nDiscovery | T1033 | System Owner/User Discovery\r\nAuthors\r\nSathwik Ram Prakki\r\nSubhajeet Singha\r\nSource: https://www.seqrite.com/blog/operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.seqrite.com/blog/operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys/"
	],
	"report_names": [
		"operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys"
	],
	"threat_actors": [],
	"ts_created_at": 1775434783,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/25cb205a03d685439a349cb2cb59a3bf173047ba.pdf",
		"text": "https://archive.orkl.eu/25cb205a03d685439a349cb2cb59a3bf173047ba.txt",
		"img": "https://archive.orkl.eu/25cb205a03d685439a349cb2cb59a3bf173047ba.jpg"
	}
}