{
	"id": "ecb3695b-2c44-4ec9-8477-6549bd2bf299",
	"created_at": "2026-04-06T00:21:22.351234Z",
	"updated_at": "2026-04-10T13:11:43.736807Z",
	"deleted_at": null,
	"sha1_hash": "a8991deaf426f43dd74a6b32ab1e7f6b4eb2ae30",
	"title": "Operation HollowQuill: Malware delivered into Russian R\u0026D Networks via Research Decoy PDFs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2171622,
	"plain_text": "Operation HollowQuill: Malware delivered into Russian R\u0026D Networks via Research Decoy PDFs\r\nBy Subhajeet Singha\r\nPublished: 2025-03-31 · Archived: 2026-04-02 10:34:53 UTC\r\nContents\r\nIntroduction\r\nKey Targets\r\nIndustries Affected\r\nGeographical Focus\r\nInfection Chain\r\nInitial Findings\r\nLooking into the decoy document\r\nTechnical Analysis\r\nStage 1 – Malicious RAR File\r\nStage 2 – Malicious .NET malware dropper\r\nStage 3 – Malicious Golang shellcode loader\r\nStage 4 – Shellcode overview\r\nHunting and Infrastructure\r\nConclusion\r\nSeqrite Protection\r\nIOCs\r\nMITRE ATT\u0026CK\r\nAuthors\r\nIntroduction\r\nSEQRITE Labs APT-Team has uncovered and is tracking a campaign targeting the Baltic State Technical University, an institution known for defense, aerospace and advanced engineering programs that contribute to Russia’s military-industrial complex. Tracked as Operation HollowQuill, the campaign uses weaponized decoy documents posing as official research invitations to infiltrate academic, governmental and defense-related networks. The threat actor delivers a malicious RAR archive containing a .NET dropper, which in turn drops a Golang-based shellcode loader together with a legitimate OneDrive executable and a decoy PDF; the final payload is a Cobalt Strike beacon.\r\nKey Targets\r\nIndustries Affected\r\nhttps://www.seqrite.com/blog/operation-hollowquill-russian-rd-networks-malware-pdf/\r\nPage 1 of 18\n\nAcademic \u0026 Research Institutions\r\nMilitary \u0026 Defense Industry\r\nAerospace \u0026 Missile Technology\r\nGovernment-oriented research entities\r\nGeographical Focus\r\nRussian Federation\r\nInfection Chain\r\nInitial Findings\r\nIn the early months of 2025, our team found a malicious RAR archive named Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. 
Устинова.rar, which translates to Outgoing 3548 on the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov.rar, that had surfaced on VirusTotal. Upon investigation, we determined that this RAR is the initial infection vector: it contains a malicious .NET dropper that carries multiple embedded payloads along with a PDF decoy.\r\nThe RAR archive contains a malicious .NET executable functioning as a dropper, named “Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова”, which translates to Outgoing No. 3548 regarding the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov. The dropper deploys a legitimate OneDrive executable alongside a malicious shellcode loader written in Golang. On execution, the .NET executable writes the Golang loader (which embeds the shellcode) to disk, sets up persistence for it, and opens a decoy document; it is the Golang loader that later injects the shellcode into the legitimate OneDrive process. Before delving into the technical details, let’s first examine the decoy document.\r\nLooking into the decoy document\r\nThe decoy document is a lure related to the Ministry of Science and Higher Education of Russia, specifically concerning Baltic State Technical University “VOENMEKH” named after D.F. Ustinov. 
The document appears to be an official communication addressed to multiple organizations, discussing state-assigned research projects and defense-related academic collaborations.\r\nThe above is a translated version of the initial sections of the decoy.\r\nThe full contents of the decoy confirm that this PDF serves as a comprehensive guideline for the allocation of state-assigned research tasks, outlining the process by which organizations submit proposals for fundamental and applied research projects under the 2026-2028 budget cycle. It instructs institutions, particularly those engaged in advanced scientific and technological research, on how to register their technological requests within the Unified State Information System for Scientific Research and Technological Projects (ЕГИСУ НИОКТР) before the specified deadline.\r\nThe later part of the decoy provides additional information on the submission process, emphasizing that financial support for these projects will come from budgetary allocations through the Ministry of Science and Higher Education of Russia. The document also gives contact details for inquiries: Bogdan Evgenyevich Melnikov, a senior researcher in the Department of Fundamental and Exploratory Research, with an email address for communication.\r\nAt the end, the decoy is signed by A.E. Shashurin, identified as a Doctor of Technical Sciences (д.т.н.), professor, and acting rector (и.о. ректора) of the institution. 
Overall, this lure presents itself as an official communication from the Ministry of Science and Higher Education of Russia, providing guidelines to organizations on state-funded research initiatives.\r\nTechnical Analysis\r\nWe divide our analysis into four sections. First, we examine the malicious RAR archive. Second, we look at the malicious .NET dropper. Third, we analyze the Golang-based shellcode injector, and finally we look at the Cobalt Strike payload. This walk-through documents the methodologies employed and the threat actor’s tactics in this campaign.\r\nStage 1 – Malicious RAR File\r\nThe malicious RAR file contains a malicious executable named Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова. Initial analysis of the file’s artefacts shows that it is a 32-bit .NET executable. In the next section, we explore its functionality.\r\nStage 2 – Malicious .NET malware dropper\r\nLet us look into the workings of the .NET file that was compressed inside the RAR archive. As established in the previous section, the binary is a 32-bit .NET executable; it also appears under the name SystemUpdaters.exe when loaded into analysis tools.\r\nInside the sample, we found three interesting methods. Looking at the first, the Main function calls another method, MyCustomApplicationContext. 
Let us analyze the method.\r\nThe method first checks whether the decoy PDF is present under C:\\Users\\Appdata\\Roaming\\Documents; if the PDF is not present, it copies the decoy, which is stored in the executable’s resources section, to that location.\r\nNext, the code checks whether OneDrive.exe, the legitimate OneDrive application, exists at the expected location; if it does not, it copies the legitimate application, also stored in the resources section, to that location.\r\nThe later part of the code checks for a file named OneDrives_v2_1.exe under C:\\Users\\Appdata\\Roaming\\Driver; if the file is missing, it is likewise copied out of the resources section and written to that location.\r\nOne of the most intriguing aspects of this dropper is its use of a shortcut (.lnk) file named X2yL.lnk as a persistence mechanism: the shortcut is placed in the Windows Startup folder so that it runs at every user logon (the Startup folder is processed at logon, not at system boot). The H3kT7fXw method creates this shortcut. It uses WshShell to generate the .lnk file and assigns it a Microsoft Office icon, making it look less suspicious. The target path of the shortcut is set to the location of the malicious payload, i.e. OneDrives_v2_1.exe, so the loader executes each time the shortcut is triggered at logon.\r\nFinally, the dropper opens the decoy PDF on screen. 
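The persistence shortcut described above is a good triage target. The following block is an added example, not Seqrite's code and not the dropper's: it parses a Startup-folder .lnk according to the MS-SHLLINK layout, pulls the LocalBasePath target and the ICON_LOCATION string, and flags the combination this dropper creates (a target under the user's roaming AppData, an Office icon on a non-Office target, and the OneDrives_v2_1.exe file name). The user name victim, the Office icon path and the exact shortcut layout are assumptions, since the page only gives the Roaming\Driver location and the Office icon; the shortcuts it checks are constructed in memory, so it runs offline.

```python
"""Triage helper for Startup-folder shortcuts like the X2yL.lnk described above.

Added example (not Seqrite's code, not the dropper's). It builds a constructed
.lnk in memory following MS-SHLLINK, parses it back, and flags the combination
the dropper creates: a Startup shortcut whose target lives under the user's
roaming AppData while its icon points at Microsoft Office. The user name and the
Office icon path are assumptions; the page only gives the Roaming/Driver location.
"""
from __future__ import annotations

import os
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data: bytes) -> dict:
    """Extract LocalBasePath (from LinkInfo) and the StringData fields of a shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C  # end of ShellLinkHeader
    out = {"flags": flags, "local_base_path": None}
    if flags & HAS_LINK_TARGET_IDLIST:          # IDListSize (2 bytes) + item IDs; not needed here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if info_flags & 0x1:                    # VolumeIDAndLocalBasePath: ANSI, NUL-terminated
            start = pos + lbp_off
            out["local_base_path"] = data[start:data.index(b"\x00", start)].decode("latin-1")
        pos += info_size
    for field, bit in STRING_FIELDS:            # CountCharacters (2 bytes) + chars, fixed order
        out[field] = None
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + width * count]
            out[field] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += width * count
    return out


def build_lnk(target: str, icon_location: str, unicode: bool = True) -> bytes:
    """Construct a minimal shell link (header + LinkInfo with LocalBasePath + ICON_LOCATION)."""
    flags = HAS_LINK_INFO | HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,  # FILE_ATTRIBUTE_ARCHIVE
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)                     # times, size, icon idx, SW_SHOWNORMAL
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"          # DRIVE_FIXED, empty label
    path_bytes = target.encode("latin-1") + b"\x00"
    hdr_size = 0x1C
    vol_off = hdr_size
    lbp_off = vol_off + len(volume_id)
    suffix_off = lbp_off + len(path_bytes)
    info_size = suffix_off + 1
    link_info = (struct.pack("<IIIIIII", info_size, hdr_size, 0x1, vol_off, lbp_off, 0, suffix_off)
                 + volume_id + path_bytes + b"\x00")
    icon = icon_location.encode("utf-16-le" if unicode else "latin-1")
    return header + link_info + struct.pack("<H", len(icon_location)) + icon


OFFICE_ICON_HINTS = ("microsoft office", "\\office1", "winword", "excel.exe", "powerpnt")
USER_WRITABLE_DIRS = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\programdata\\")


def assess_startup_lnk(data: bytes) -> list[str]:
    """Reasons a Startup shortcut resembles the HollowQuill persistence artifact (empty = clean)."""
    info = parse_lnk(data)
    target = (info["local_base_path"] or info["relative_path"] or "").lower()
    icon = (info["icon_location"] or "").lower()
    reasons = []
    if any(d in target for d in USER_WRITABLE_DIRS):
        reasons.append(f"target under user-writable directory: {target}")
    if icon and any(h in icon for h in OFFICE_ICON_HINTS) and "office" not in target:
        reasons.append(f"Office icon ({icon}) on a non-Office target")
    if target.endswith("onedrives_v2_1.exe"):
        reasons.append("target filename matches the HollowQuill loader OneDrives_v2_1.exe")
    return reasons


def scan_startup_folder(folder: str) -> dict[str, list[str]]:
    """Run assess_startup_lnk over every .lnk in a Startup folder; returns only flagged files."""
    findings = {}
    for name in os.listdir(folder):
        if name.lower().endswith(".lnk"):
            with open(os.path.join(folder, name), "rb") as fh:
                try:
                    reasons = assess_startup_lnk(fh.read())
                except ValueError:
                    continue
            if reasons:
                findings[name] = reasons
    return findings


# Constructed samples: paths mirror the dropper's layout; "victim" and the Office path are assumed.
MALICIOUS_LNK = build_lnk(r"C:\Users\victim\AppData\Roaming\Driver\OneDrives_v2_1.exe",
                          r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")
BENIGN_LNK = build_lnk(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                       r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")

if __name__ == "__main__":
    for label, blob in (("X2yL.lnk (constructed)", MALICIOUS_LNK), ("Word.lnk (constructed)", BENIGN_LNK)):
        print(label, "->", assess_startup_lnk(blob) or "clean")
```

To run it against a live host, point scan_startup_folder at %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. A real WshShell-created shortcut also carries a LinkTargetIDList, which the parser skips over, and the heuristics are intentionally loose, so treat hits as leads to pivot on (hash the target, check its signer) rather than as verdicts.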
This concludes the analysis of the malicious .NET dropper; in the next sections we analyze the malicious executable that it drops.\r\nStage 3 – Malicious Golang shellcode loader\r\nLoading the sample into analysis tools confirms that this executable is written in Golang. Next, we look at how the shellcode loader works and at its injection mechanism.\r\nIn the very first part of the loader, the binary calls time.Now (time_now in the disassembly) to capture the current system time, then calls time.Sleep with a hardcoded duration, then calls time.Now again to capture the timestamp after the sleep. It then calls time.Time.Sub to compute the difference between the two timestamps and checks whether the measured elapsed time is less than 6 seconds. If it is, meaning the sleep was skipped or shortened, as sandboxes and emulators commonly do, the program exits. This is a simple time-based anti-analysis check.\r\nMoving on, the loader creates a new process from the legitimate OneDrive executable dropped by the .NET dropper, using the CreateProcess API from Golang, and the process is created in a suspended state.\r\nThe shellcode, which is embedded in the loader binary, is then read with the Golang function embed.FS.ReadFile, which returns it in base64-encoded form.\r\nNext, the base64 string is decoded using the Golang standard-library function base64.StdEncoding.DecodeString.\r\nThen the code uses a hardcoded 13-byte key to decode the entire shellcode.\r\nFinally, the code performs APC injection to run the shellcode: with the process already in a suspended state and the shellcode decoded and decrypted, it allocates memory in the suspended OneDrive.exe process, writes the shellcode into that memory with WriteProcessMemory, and uses the QueueUserAPC API to queue a call to the shellcode on the main thread of the suspended OneDrive.exe process. Calling ResumeThread then causes the queued APC (pointing at the shellcode) to execute, running the injected malicious code within the context of OneDrive.exe. Now, let us analyze some key artifacts of the shellcode.\r\nStage 4 – Shellcode overview\r\nAnalysis of the malicious shellcode shows that it is itself a loader: it first loads the Windows library wwanmm.dll.\r\nOnce the DLL is loaded, the shellcode zeroes out the DLL’s .text section, consistent with the module stomping technique in which a legitimate DLL’s code section is overwritten with the implant, and uses a function named DllCanUnloadNow (a conventional COM DLL export rather than a Win32 API) to prepare the beacon in memory. The result is the final payload, a Cobalt Strike beacon.\r\nFurther analysis makes it evident that the beacon connects to the attacker-hosted C2 server using a specific user agent. As this tool is very commonly used, we will not go in depth on the workings of the beacon. 
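Before extracting the beacon configuration, the Stage 3 decode chain above (embedded blob, base64 decode, 13-byte key) is worth reconstructing so it can be applied to a blob dumped from the loader. The block below is an added example, not the loader's own code or Seqrite's. The page does not say how the 13-byte key is applied, so the example assumes a repeating-key XOR and labels that assumption; the shellcode, key and blob are constructed test data. It also goes beyond the text with a known-plaintext key recovery: when 13 bytes of the shellcode are predictable (a standard stager prologue), the key falls out of the first 13 ciphertext bytes, which is the quickest way to confirm the key when the hardcoded constant is hard to spot in the Go binary.

```python
"""Reconstruction of the Stage 3 decode chain, plus known-plaintext key recovery.

Added example; not the loader's code. The analysis says the loader reads an
embedded base64 blob, decodes it with base64.StdEncoding.DecodeString, and then
applies a hardcoded 13-byte key to the result. It does not say how the key is
applied: this example ASSUMES a repeating-key XOR, the usual choice in such
loaders, and the key, blob and shellcode bytes below are constructed test data.
"""
import base64
from itertools import cycle

KEY_LEN = 13  # key size reported in the analysis


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_embedded_payload(blob_b64: str, key: bytes) -> bytes:
    """Mirror the loader: strict base64 decode, then apply the key (XOR assumed)."""
    raw = base64.b64decode(blob_b64, validate=True)
    return xor_repeating(raw, key)


def encode_for_embed(shellcode: bytes, key: bytes) -> str:
    """Inverse of decode_embedded_payload: what a builder would write into the embed.FS file."""
    return base64.b64encode(xor_repeating(shellcode, key)).decode("ascii")


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int = KEY_LEN) -> bytes:
    """Recover a repeating XOR key of length key_len from key_len known plaintext bytes.

    Useful when the key is not obvious in the binary but the shellcode's first bytes
    are predictable (e.g. a standard stager prologue). With a shorter known prefix only
    part of the key is determined, so refuse rather than return a partial key.
    """
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext and ciphertext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def recover_key_from_blob(blob_b64: str, known_prefix: bytes, key_len: int = KEY_LEN) -> bytes:
    """Base64-decode the embedded blob, then recover the key from a known prefix."""
    return recover_key(base64.b64decode(blob_b64, validate=True), known_prefix, key_len)


# Constructed test data. The first 17 bytes are the familiar x64 stager prologue
# (cld; and rsp,-16; call ...; push r9; push r8; ...) that begins many Windows
# shellcode stubs, used here only as plausible known plaintext; the rest is filler.
SAMPLE_SHELLCODE = bytes.fromhex("fc4883e4f0e8c000000041514150525156") + bytes(range(0x60, 0x60 + 47))
SAMPLE_KEY = bytes.fromhex("5a3c9e11f0a7d2446b08c3e57b")          # 13 bytes, constructed
SAMPLE_BLOB = encode_for_embed(SAMPLE_SHELLCODE, SAMPLE_KEY)        # what the loader would embed


def demo() -> dict:
    """Decode with the known key, then show the key can be recovered without it."""
    decoded = decode_embedded_payload(SAMPLE_BLOB, SAMPLE_KEY)
    recovered = recover_key_from_blob(SAMPLE_BLOB, SAMPLE_SHELLCODE[:KEY_LEN])
    return {"decoded_matches": decoded == SAMPLE_SHELLCODE,
            "recovered_key": recovered.hex(),
            "recovered_matches": recovered == SAMPLE_KEY}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

If a decoded blob does not start with recognisable code, the XOR assumption is probably wrong for this sample (the key may be applied some other way); check the Go routine that consumes the 13-byte constant before trusting the output.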
The configuration of the beacon can be extracted as follows.\r\nExtracted Configuration:\r\nMethod: GET\r\nHost [Command \u0026 Control]: phpsympfony[.]com\r\nUser-Agent: “Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko”\r\nHunting and Infrastructure\r\nWhile analyzing the Golang shellcode injector, we found small OPSEC mistakes by the threat actor, such as leaving the Go build ID in the injector, which helped us hunt for similar payloads used by the same actor. The Go build ID is as follows:\r\n-_APqjT14Rci2qCv58VO/QN6emhFauHgKzaZvDVYE/3lVOVKh9ePO_EDoV_lSN/NL58izAdTGRId20sd3CJ\r\nTurning to the infrastructure artefacts, the malicious command-and-control server hosted at the domain phpsymfony[.]com has rotated across multiple ASNs. A distinctive HTTP title has also been rotated several times on the C2 server.\r\nLooking at the historical responses, the title Coming Soon – pariaturzzphy.makebelievercorp[.]com has been set up multiple times.\r\nSearching for the same HTTP title, we found many hosts serving it, some of which are serving malicious binaries such as AsyncRAT and more.\r\nLooking into the ASNs, the C2 server has been rotating since the date of activation. 
The list is as follows.\r\nASN | Geolocation | Owner\r\nAS13335 | United States | Cloudflare Net\r\nAS35916 | United States | MULTA-ASN1\r\nAS135377 | Hong Kong | UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED\r\nAS174 | United States | COGENT-174\r\nAS47846 | Germany | SEDO-AS\r\nAS8560 | Unknown | IONOS-AS\r\nConclusion\r\nWe have found a threat actor targeting Baltic State Technical University with a research-themed lure, using a .NET dropper and a shellcode loader to finally deliver a Cobalt Strike in-memory implant. Analyzing the overall campaign and the TTPs employed, we conclude that the threat actor began this targeting a few months ago, in December 2024.\r\nSEQRITE Protection\r\nTrojan.Ghanarava.1738100518c73fdb\r\nTrojan.Ghanarava.1735165667615275\r\nIOCs\r\nMD5 | Filename\r\nab310ddf9267ed5d613bcc0e52c71a08 | Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова.rar\r\nfad1ddfb40a8786c1dd2b50dc9615275 | SystemsUpdaters.exe\r\ncac4db5c6ecfffe984d5d1df1bc73fdb | OneDrives_v2_1.exe\r\nC2\r\nphpsymfony[.]com\r\nhxxps://phpsymfony[.]com/css3/index2.shtml\r\nMITRE ATT\u0026CK\r\nTactic | Technique ID | Name\r\nInitial Access | T1566.001 | Phishing: Spearphishing Attachment\r\nExecution | T1204.002 | User Execution: Malicious File\r\nExecution | T1053.005 | Scheduled Task/Job: Scheduled Task\r\nPersistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nDefense Evasion | T1036 | Masquerading\r\nDefense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads\r\nDefense Evasion | T1055.004 | Process Injection: Asynchronous Procedure Call\r\nDefense Evasion | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion\r\nCommand and Control | T1132.001 | Data Encoding: Standard Encoding\r\nAuthors\r\nSubhajeet Singha\r\nSathwik Ram Prakki\r\nSource: https://www.seqrite.com/blog/operation-hollowquill-russian-rd-networks-malware-pdf/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.seqrite.com/blog/operation-hollowquill-russian-rd-networks-malware-pdf/"
	],
	"report_names": [
		"operation-hollowquill-russian-rd-networks-malware-pdf"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c7cab8cf-81aa-4a94-a9d3-0f0b40317e53",
			"created_at": "2025-05-29T02:00:03.195374Z",
			"updated_at": "2026-04-10T02:00:03.851587Z",
			"deleted_at": null,
			"main_name": "HollowQuill",
			"aliases": [],
			"source_name": "MISPGALAXY:HollowQuill",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434882,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a8991deaf426f43dd74a6b32ab1e7f6b4eb2ae30.pdf",
		"text": "https://archive.orkl.eu/a8991deaf426f43dd74a6b32ab1e7f6b4eb2ae30.txt",
		"img": "https://archive.orkl.eu/a8991deaf426f43dd74a6b32ab1e7f6b4eb2ae30.jpg"
	}
}