
Inside a Multi-Stage Windows Malware Campaign

Severity: Medium
Published: Tue Jan 20 2026 (01/20/2026, 17:50:42 UTC)
Source: AlienVault OTX General

Description

A sophisticated multi-stage malware campaign targeting Windows users in Russia has been identified. The attack chain begins with social engineering lures and progresses to a full system compromise, including security bypass, surveillance, and ransomware delivery. It abuses Defendnot to disable Microsoft Defender and uses modular hosting across cloud services. The attack employs various techniques such as PowerShell scripts, obfuscated VBScript, and COM object manipulation. It deploys Amnesia RAT for data theft and surveillance, Hakuna Matata ransomware for file encryption, and a WinLocker component for system lockout. The campaign demonstrates how full system compromise can be achieved without exploiting software vulnerabilities, instead relying on social engineering and abuse of legitimate Windows features.

AI-Powered Analysis

Last updated: 01/20/2026, 18:35:19 UTC

Technical Analysis

This multi-stage Windows malware campaign is a complex attack sequence targeting Windows users, initially observed in Russia. It begins with social engineering tactics to trick users into executing malicious payloads. The attackers use Defendnot, a tool to disable Microsoft Defender, effectively bypassing native Windows security controls. The malware employs a variety of scripting techniques including PowerShell scripts, obfuscated VBScript, and COM object manipulation to evade detection and maintain persistence. The modular nature of the campaign is supported by hosting components across multiple cloud services, complicating takedown efforts and detection. The campaign deploys Amnesia RAT, a remote access trojan designed for data theft and surveillance, enabling attackers to exfiltrate sensitive information. Following reconnaissance and data theft, the Hakuna Matata ransomware encrypts files, while a WinLocker component locks the system to deny user access, increasing pressure for ransom payment. Notably, the campaign achieves full system compromise without exploiting software vulnerabilities, relying instead on social engineering and abuse of legitimate Windows features and administrative tools. The attack chain covers multiple MITRE ATT&CK techniques such as disabling security tools (T1562.004), command and scripting interpreter use (T1059.001), credential dumping (T1003), and ransomware deployment (T1486). Indicators of compromise include multiple file hashes linked to the campaign. No known exploits in the wild or CVEs are associated, and the campaign is rated medium severity by the source. However, the sophistication and multi-stage nature indicate a significant threat to targeted environments.

Potential Impact

For European organizations, this campaign poses a substantial risk especially to entities with Windows-based infrastructure and users susceptible to social engineering. The ability to disable Microsoft Defender and use legitimate Windows features for persistence and execution means traditional antivirus solutions may be less effective without proper configuration. The deployment of Amnesia RAT threatens confidentiality through data theft and surveillance, potentially exposing sensitive corporate or personal data. The subsequent ransomware and system lockout components threaten integrity and availability, risking operational disruption and financial loss. Organizations in Europe with remote or hybrid workforces may be particularly vulnerable due to increased phishing attack surfaces. The modular cloud-hosted infrastructure used by attackers complicates detection and response, potentially allowing longer dwell times. Although the campaign currently targets Russia, the techniques and tools could be adapted or spread to European targets, especially those with geopolitical or economic ties to Russia or those using similar Windows environments. The absence of software vulnerability exploitation means patching alone is insufficient; user behavior and endpoint security posture are critical factors. The campaign could impact critical infrastructure, government agencies, and private sector organizations, leading to data breaches, operational downtime, and ransom payments.

Mitigation Recommendations

European organizations should implement targeted mitigation strategies beyond generic advice:

1) Enhance user awareness training focused on recognizing social engineering and phishing attempts, emphasizing the risks of executing unsolicited scripts or attachments.
2) Harden endpoint security by configuring Microsoft Defender and other antivirus tools to detect and block Defendnot and similar tools that disable security features; enable tamper protection and monitor for unusual Defender service stoppages.
3) Employ application whitelisting and restrict execution of PowerShell scripts and VBScript to trusted contexts; use constrained language mode where possible.
4) Monitor for suspicious COM object usage and unusual network connections to cloud services, leveraging endpoint detection and response (EDR) tools with behavioral analytics.
5) Implement strict least privilege policies to limit user and process permissions, reducing the impact of credential dumping and lateral movement.
6) Regularly audit and monitor for indicators of compromise such as the provided file hashes and unusual file system or registry changes.
7) Maintain robust offline backups and test recovery procedures to mitigate ransomware impact.
8) Use network segmentation to contain infections and limit attacker lateral movement.
9) Collaborate with threat intelligence sharing groups to stay updated on campaign developments and IoCs.
10) Consider deploying deception technologies to detect early stages of the attack chain.
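Step 6 above asks defenders to sweep for the file hashes published with this record. The following script is an added example written for this page, not code from AlienVault, Fortinet or the OffSeq console: it loads the thirteen hashes from the Indicators of Compromise section below, infers the digest algorithm from each hash's length (32 hex characters is treated as MD5, 40 as SHA-1, 64 as SHA-256, an assumption made here because the record labels them only as "hash"), hashes every file under a directory once per needed algorithm, and reports any match. The directory path and the sample bytes used in the test are constructed placeholders.

```python
"""Sweep a directory tree for files whose MD5/SHA-1/SHA-256 match a published IoC list."""
import hashlib
import sys
from pathlib import Path

# Hashes copied from this record's Indicators of Compromise list (lowercase hex).
IOC_HASHES = {
    "ea498b9d0f0ad35c8ea2c21bf98cc557",
    "00f66065a4af319947a1004bb1dbb2c24b5e7fa3",
    "1828614be6d9bdd92f7ee30e12c8aac8eba33a6df2c92995f9bf930c3f1b992b",
    "263b5ba921e478215dc9e3a397157badab415fc775cfb4681821b7446c14fb1a",
    "359fe8df31c903153667fbe93795929ad6172540b3ee7f9eff4bcc1da6d08478",
    "3aa6ebb73390d304eef8fd897994906c05f3e967f8f6f6a7904c6156cf8819f9",
    "45e942ba59f3876b263a03ed7e5d5b1b250e84a0a4b4093b3c13b5fca4e12b21",
    "5443232a367a83ac2899b37c066dae3ec2010df292291db24ce3d744133218a6",
    "6222775b877b4be4f5407525d52c5889739b96c302e5a204ef369b4a51c6dab2",
    "71069a5d2a80a047ca36ca82e630d353829726d4f03a74c7522b7700c5c2bb59",
    "7b8cf0ef390a7d6126c5e7bf835af5c5ce32c70c0d58ca4ddc9c238b2d3f059a",
    "7de56603a7b41fca9313231df6105dbb8148d3b0d80dfbc00e71e1d88f871915",
    "e6ca6bab85ae1eff08a59b46b7905ae0568110da172dec8367f32779094bdd08",
}

# Assumption: the record does not name the algorithm, so it is inferred from digest length.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def classify_hash(value: str) -> str:
    """Return the hashlib algorithm name for a hex digest, rejecting malformed input."""
    v = value.strip().lower()
    if not v or any(c not in HEX_DIGITS for c in v):
        raise ValueError(f"not a hex digest: {value!r}")
    if len(v) not in ALGO_BY_LEN:
        raise ValueError(f"unsupported digest length {len(v)}: {value!r}")
    return ALGO_BY_LEN[len(v)]


def build_watchlist(values) -> dict:
    """Group IoC hashes by algorithm: {'md5': {...}, 'sha1': {...}, 'sha256': {...}}."""
    watch: dict = {}
    for v in values:
        watch.setdefault(classify_hash(v), set()).add(v.strip().lower())
    return watch


def hash_bytes(data: bytes, algos) -> dict:
    """Compute the requested digests over an in-memory buffer."""
    return {a: hashlib.new(a, data).hexdigest() for a in algos}


def hash_file(path, algos, chunk_size: int = 1 << 20) -> dict:
    """Compute all requested digests in a single pass over the file, 1 MiB at a time."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_digests(digests: dict, watch: dict) -> list:
    """Return the (algorithm, digest) pairs that appear on the watchlist."""
    return [(a, d) for a, d in digests.items() if d in watch.get(a, ())]


def scan_tree(root, watch: dict) -> list:
    """Walk a directory tree and return (path, algorithm, digest) for every IoC hit."""
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        try:
            digests = hash_file(p, watch.keys())
        except OSError:
            continue  # unreadable or transient file: skip rather than abort the sweep
        for algo, digest in match_digests(digests, watch):
            hits.append((str(p), algo, digest))
    return hits


if __name__ == "__main__":
    # Usage: python ioc_sweep.py <directory>   (placeholder path supplied by the operator)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, digest in scan_tree(target, build_watchlist(IOC_HASHES)):
        print(f"IOC MATCH {algo} {digest} {path}")
```

Hashing each file once for all three algorithms keeps a sweep of a large share to a single read per file; a hit is a strong signal to isolate the host and pull it into the incident response process rather than simply delete the file, since the record describes several stages that may already have run.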


Technical Details

Author: AlienVault
TLP: white
References: https://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign
Adversary: null
Pulse Id: 696fc0723c9020d483708e56
Threat Score: null

Indicators of Compromise

Hash (type inferred from digest length; the source labels each entry only as "hash")

MD5:
ea498b9d0f0ad35c8ea2c21bf98cc557

SHA-1:
00f66065a4af319947a1004bb1dbb2c24b5e7fa3

SHA-256:
1828614be6d9bdd92f7ee30e12c8aac8eba33a6df2c92995f9bf930c3f1b992b
263b5ba921e478215dc9e3a397157badab415fc775cfb4681821b7446c14fb1a
359fe8df31c903153667fbe93795929ad6172540b3ee7f9eff4bcc1da6d08478
3aa6ebb73390d304eef8fd897994906c05f3e967f8f6f6a7904c6156cf8819f9
45e942ba59f3876b263a03ed7e5d5b1b250e84a0a4b4093b3c13b5fca4e12b21
5443232a367a83ac2899b37c066dae3ec2010df292291db24ce3d744133218a6
6222775b877b4be4f5407525d52c5889739b96c302e5a204ef369b4a51c6dab2
71069a5d2a80a047ca36ca82e630d353829726d4f03a74c7522b7700c5c2bb59
7b8cf0ef390a7d6126c5e7bf835af5c5ce32c70c0d58ca4ddc9c238b2d3f059a
7de56603a7b41fca9313231df6105dbb8148d3b0d80dfbc00e71e1d88f871915
e6ca6bab85ae1eff08a59b46b7905ae0568110da172dec8367f32779094bdd08

Threat ID: 696fc78c4623b1157c44328d

Added to database: 1/20/2026, 6:21:00 PM

Last enriched: 1/20/2026, 6:35:19 PM

Last updated: 2/6/2026, 11:31:27 PM

Views: 362

