
Activity-masking infostealer dropper | Kaspersky official blog

Medium
Malware
Published: Mon Jan 12 2026 (01/12/2026, 20:00:28 UTC)
Source: Kaspersky Security Blog

Description

Malware disguising its activity in network and system logs as legitimate state information system traffic and a Network Diagnostic Service.

AI-Powered Analysis

AI analysis last updated: 01/12/2026, 20:09:59 UTC

Technical Analysis

The analyzed threat is a sophisticated malware campaign that distributes an infostealer through malicious emails targeting Russian private-sector entities. The infection vector is a malicious executable disguised as a PDF document; the filenames reference enforcement proceedings and additional payouts to entice recipients into running the file.

The initial downloader is built on the .NET framework and fetches a second-stage loader that installs itself as a Windows service named NetworkDiagnostic.exe, imitating a legitimate network diagnostic tool. The loader retrieves a JSON string from a command-and-control (C2) server hosted on a domain visually similar to Russia's official state and municipal services portal (gossuslugi.com), so its traffic blends in with legitimate requests. It saves encrypted payload files in C:\ProgramData\Microsoft Diagnostic\Tasks and executes them sequentially.

The current payload is an infostealer made up of an executable and three DLLs responsible for persistence, data collection, screen capture and exfiltration. It collects system information (computer name, OS version, hardware specifications, IP address), captures screenshots and harvests files of interest (documents and archives under 100 MB). Exfiltration goes to a separate server (ants-queen-dev.azurewebsites.net); the requests carry an AuthKey header containing the OS identifier. Because the design is modular, the operators can swap payloads and could deploy ransomware, wipers or lateral-movement tools in future campaigns. The malware's activity is masked by mimicking legitimate system services and state-related network traffic, which complicates detection and forensic analysis. No known exploits in the wild have been reported, but the campaign demonstrates advanced evasion and persistence techniques.

Potential Impact

For European organizations, the primary impact lies in the potential for data theft, including sensitive documents and system information, which could lead to intellectual property loss, espionage, or competitive disadvantage. The malware’s stealthy behavior and use of legitimate-looking network traffic increase the risk of prolonged undetected presence, enabling attackers to conduct extended reconnaissance or prepare for more damaging attacks such as ransomware deployment. The flexible payload delivery mechanism means that even if the current campaign is limited to infostealing, future variants could escalate to destructive attacks impacting availability and integrity of systems. Organizations with cross-border operations or partnerships with Russian entities may face increased exposure. Additionally, the use of social engineering in Russian language and targeting of Russian private sector suggests a potential spillover risk to European companies with Russian-speaking employees or business ties. Incident response efforts may be hindered due to the malware’s activity masking, increasing remediation costs and operational disruption.

Mitigation Recommendations

European organizations should implement multi-layered defenses tailored to detect and block this threat’s specific tactics. Deploy advanced endpoint detection and response (EDR) solutions capable of identifying .NET-based downloaders and suspicious service installations, especially those masquerading as network diagnostic tools. Network monitoring should include anomaly detection to identify traffic to domains visually similar to legitimate government portals, and inspect HTTP headers for unusual AuthKey values. Email security gateways must be configured to detect and quarantine emails with executable attachments disguised as documents, employing sandboxing to analyze attachment behavior. User awareness training should emphasize the risks of opening unexpected attachments, particularly those with enticing filenames related to official proceedings or payments. Restrict execution of files from user directories and enforce application whitelisting to prevent unauthorized service installations. Regularly audit and monitor the C:\ProgramData\Microsoft Diagnostic\Tasks directory for unauthorized files. Incident response plans should include procedures for identifying and eradicating persistent services named similarly to legitimate system tools. Finally, maintain up-to-date threat intelligence feeds and integrate them into security operations to detect emerging variants or related campaigns.
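As an added example (not code from Kaspersky's write-up or from this page), the following hunting helpers check constructed service-install records and proxy-log lines for the traces named above: the loader's service name, binaries under the payload directory, the exfiltration host, the AuthKey header and hosts that resemble the state-services portal. The log layout and the choice of gosuslugi.ru as the legitimate portal the lookalike imitates are assumptions.

```python
import re
from difflib import SequenceMatcher

# Indicators quoted in the analysis above.
SERVICE_NAME = "NetworkDiagnostic.exe"
PAYLOAD_DIR = r"c:\programdata\microsoft diagnostic\tasks"
EXFIL_HOST = "ants-queen-dev.azurewebsites.net"
LEGIT_PORTALS = ("gosuslugi.ru",)  # assumption: the real portal the C2 domain imitates

def is_lookalike(host: str, threshold: float = 0.85) -> bool:
    """True when the registrable label resembles, but is not, a legitimate portal."""
    host = host.lower().rstrip(".")
    label = host.split(".")[-2] if "." in host else host
    for legit in LEGIT_PORTALS:
        if host == legit or host.endswith("." + legit):
            return False  # the real portal itself
        if SequenceMatcher(None, label, legit.split(".")[0]).ratio() >= threshold:
            return True
    return False

def check_service(name: str, image_path: str) -> list[str]:
    """Flags service installs that borrow the loader's name or run from the payload directory."""
    hits = []
    if name.lower() == SERVICE_NAME.lower():
        hits.append("service name matches the loader")
    if image_path.lower().startswith(PAYLOAD_DIR):
        hits.append("service binary under the payload directory")
    return hits

# Constructed proxy-log layout: "<timestamp> <client> <method> <host> <path> [headers]"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)(?: (.*))?$")

def check_http_line(line: str) -> list[str]:
    # Flags lookalike portal hosts, the known exfiltration host and AuthKey headers.
    m = LOG_RE.match(line)
    if not m: return []
    host, headers = m.group(4), m.group(6) or ""
    hits = []
    if is_lookalike(host):
        hits.append(f"lookalike portal host {host}")
    if host.lower() == EXFIL_HOST:
        hits.append("known exfiltration host")
    if re.search(r"\bAuthKey:", headers, re.I):
        hits.append("AuthKey header present")
    return hits

# Constructed sample records, not real telemetry.
SAMPLE_LOGS = [
    "2026-01-12T20:00:28Z 10.0.0.5 GET gossuslugi.com /api/config AuthKey:WIN-10",
    "2026-01-12T20:01:02Z 10.0.0.5 GET example.com / User-Agent:curl",
]
```

Feed real proxy records and Windows service-creation events (System log event 7045) into the same functions to turn the checks into a scheduled hunt.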


Technical Details

Article Source
URL: https://www.kaspersky.com/blog/malicious-mailing-masking-activity/55104/ (fetched 2026-01-12T20:09:44.952Z; 994 words)

Threat ID: 69655508da2266e83813d37f

Added to database: 1/12/2026, 8:09:44 PM

Last enriched: 1/12/2026, 8:09:59 PM

Last updated: 1/13/2026, 8:08:04 AM

