Inside a Multi-Stage Windows Malware Campaign
A sophisticated multi-stage malware campaign targeting Windows users in Russia has been identified. The attack chain begins with social engineering lures and progresses to a full system compromise, including security bypass, surveillance, and ransomware delivery. It abuses Defendnot to disable Microsoft Defender and uses modular hosting across cloud services. The attack employs various techniques such as PowerShell scripts, obfuscated VBScript, and COM object manipulation. It deploys Amnesia RAT for data theft and surveillance, Hakuna Matata ransomware for file encryption, and a WinLocker component for system lockout. The campaign demonstrates how full system compromise can be achieved without exploiting software vulnerabilities, instead relying on social engineering and abuse of legitimate Windows features.
Indicators of Compromise
- MD5: ea498b9d0f0ad35c8ea2c21bf98cc557
- SHA-1: 00f66065a4af319947a1004bb1dbb2c24b5e7fa3
- SHA-256: 1828614be6d9bdd92f7ee30e12c8aac8eba33a6df2c92995f9bf930c3f1b992b
- SHA-256: 263b5ba921e478215dc9e3a397157badab415fc775cfb4681821b7446c14fb1a
- SHA-256: 359fe8df31c903153667fbe93795929ad6172540b3ee7f9eff4bcc1da6d08478
- SHA-256: 3aa6ebb73390d304eef8fd897994906c05f3e967f8f6f6a7904c6156cf8819f9
- SHA-256: 45e942ba59f3876b263a03ed7e5d5b1b250e84a0a4b4093b3c13b5fca4e12b21
- SHA-256: 5443232a367a83ac2899b37c066dae3ec2010df292291db24ce3d744133218a6
- SHA-256: 6222775b877b4be4f5407525d52c5889739b96c302e5a204ef369b4a51c6dab2
- SHA-256: 71069a5d2a80a047ca36ca82e630d353829726d4f03a74c7522b7700c5c2bb59
- SHA-256: 7b8cf0ef390a7d6126c5e7bf835af5c5ce32c70c0d58ca4ddc9c238b2d3f059a
- SHA-256: 7de56603a7b41fca9313231df6105dbb8148d3b0d80dfbc00e71e1d88f871915
- SHA-256: e6ca6bab85ae1eff08a59b46b7905ae0568110da172dec8367f32779094bdd08
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign
- Adversary: null
- Pulse Id: 696fc0723c9020d483708e56
- Threat Score: null
Threat ID: 696fc78c4623b1157c44328d
Added to database: 1/20/2026, 6:21:00 PM
Last updated: 1/20/2026, 6:22:01 PM