Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware
A new multi-stage phishing campaign has been observed targeting users in Russia with ransomware and a remote access trojan called Amnesia RAT. "The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign," Fortinet FortiGuard Labs researcher Cara Lin said in a technical breakdown published this week. "These documents and
AI Analysis
Technical Summary
This multi-stage phishing campaign begins with social engineering lures delivered through business-themed documents containing malicious Windows shortcut (LNK) files that use double extensions to appear benign. When executed, the LNK triggers a PowerShell command that downloads a first-stage loader script from a GitHub repository. This script hides its execution, opens a decoy document to distract the user, and notifies the attacker via the Telegram Bot API. After a delay, it runs a highly obfuscated Visual Basic Script that assembles subsequent payloads in memory, avoiding disk artifacts. The script attempts to elevate privileges by repeatedly prompting for UAC consent. Once elevated, it disables Microsoft Defender by configuring exclusions and deploying defendnot, a tool that tricks Defender into disabling itself by registering a fake antivirus product. The malware disables Windows administrative and diagnostic tools, hijacks file associations to display attacker contact messages, and conducts reconnaissance including periodic screenshots exfiltrated via Telegram. The primary payload, Amnesia RAT, is downloaded from Dropbox and enables broad data theft (browsers, wallets, communication apps), remote control, process management, and additional malware deployment. Data exfiltration uses HTTPS and the Telegram Bot API, with large files uploaded to third-party services. The secondary payload is a ransomware variant from the Hakuna Matata family, which encrypts a wide range of user files after terminating interfering processes and silently modifies clipboard cryptocurrency wallet addresses to redirect funds. The infection concludes with WinLocker restricting user interaction. The campaign demonstrates advanced abuse of native Windows features and cloud services to maintain persistence and evade detection without exploiting software vulnerabilities. Microsoft recommends enabling Tamper Protection to counter defendnot abuse.
The campaign is part of a broader targeting of Russian corporate sectors with related implants and backdoors.
Potential Impact
For European organizations, the direct targeting appears focused on Russian entities; however, the use of public cloud services (GitHub, Dropbox) and social engineering tactics could enable spillover or adaptation to European targets, especially those with business ties to Russia or similar sectors such as HR, payroll, and internal administration. The campaign’s ability to disable endpoint defenses, conduct stealthy reconnaissance, and deploy both data theft and ransomware payloads poses significant risks to confidentiality, integrity, and availability. The Amnesia RAT’s extensive data exfiltration capabilities threaten sensitive corporate data, credentials, and financial assets, potentially facilitating account takeovers and financial fraud. The ransomware component can cause operational disruption and financial loss. The campaign’s use of native Windows features and legitimate cloud infrastructure complicates detection and mitigation, increasing the risk of prolonged undetected compromise. European organizations with inadequate endpoint protection, especially those not using Tamper Protection or monitoring Defender API calls, are vulnerable. The campaign also highlights risks from supply chain and cloud-hosted script abuse, relevant to European firms relying on these services.
Mitigation Recommendations
European organizations should implement the following specific measures:
1) Enable Microsoft Defender Tamper Protection to prevent unauthorized changes to Defender settings and block defendnot abuse.
2) Monitor Windows Security Center API calls and Defender service status for suspicious changes indicative of disablement attempts.
3) Restrict execution of PowerShell and Visual Basic scripts from untrusted sources and enforce script signing policies.
4) Implement strict email filtering and attachment scanning to detect and quarantine phishing emails containing LNK files or double extensions.
5) Educate users on identifying social engineering lures, especially business-themed documents with unusual file extensions.
6) Monitor network traffic for unusual HTTPS connections to Telegram Bot APIs and third-party file hosting services, which may indicate data exfiltration.
7) Harden endpoint configurations by disabling unnecessary administrative and diagnostic tools and enforcing least privilege principles to limit UAC prompt acceptance.
8) Employ behavioral detection tools capable of identifying in-memory payload assembly and suspicious process behaviors.
9) Regularly update and patch endpoint protection platforms and maintain offline backups to mitigate ransomware impact.
10) Conduct threat hunting focused on indicators of Amnesia RAT and Hakuna Matata ransomware activity, including registry tampering and file association hijacking.
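As an added example (not code from the article or from Fortinet's report), the following read-only PowerShell audit covers the Defender-side checks behind recommendations 1 and 2: Tamper Protection state, exclusions that a script running as the victim could have added, and antivirus products registered with Windows Security Center, which is where defendnot plants its fake product. It is a point-in-time posture check rather than the continuous monitoring of Security Center API calls that recommendation 2 asks for; it assumes an elevated session on a Windows client (the root/SecurityCenter2 namespace is absent on Windows Server).

```powershell
# Added example, not from the article: read-only audit of the Defender posture this campaign
# tampers with. Run elevated on a Windows client. Cmdlet and class names are documented
# Windows interfaces; the findings format is ours.
function Get-DefenderPostureFindings {
    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = [System.Collections.Generic.List[string]]::new()

    # Recommendation 1: Tamper Protection is the control Microsoft names against defendnot.
    if (-not $status.IsTamperProtected) {
        $findings.Add('Tamper Protection is OFF: local admin scripts can change Defender settings.')
    }
    if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        $findings.Add('Real-time protection is disabled.')
    }
    if ($status.AMServiceEnabled -eq $false) {
        $findings.Add('Defender antimalware service is not enabled.')
    }

    # The loader configures exclusions before staging payloads. Exclusions under
    # user-writable locations are the ones a script running as the victim would create.
    $userWritable = '^(c:\\users\\|%userprofile%|%temp%|%appdata%|c:\\programdata\\)'
    foreach ($p in @($pref.ExclusionPath | Where-Object { $_ })) {
        if ($p -match $userWritable) { $findings.Add("Exclusion path in user-writable location: $p") }
    }
    foreach ($e in @($pref.ExclusionExtension | Where-Object { $_ })) { $findings.Add("Excluded extension: $e") }
    foreach ($x in @($pref.ExclusionProcess   | Where-Object { $_ })) { $findings.Add("Excluded process: $x") }

    # Recommendation 2: defendnot registers a fake antivirus product with Windows Security
    # Center so that Defender stands down. Any registration that is neither Defender nor a
    # product you deployed needs an explanation; verify the signed executable path it reports.
    try {
        $avProducts = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
        foreach ($av in $avProducts) {
            if ($av.displayName -notmatch 'Defender') {
                $findings.Add(("Non-Defender AV registered in Security Center: '{0}' exe='{1}' productState=0x{2:X}" -f $av.displayName, $av.pathToSignedProductExe, $av.productState))
            }
        }
    } catch {
        $findings.Add("Could not query root/SecurityCenter2: $($_.Exception.Message)")
    }
    return $findings
}

# Usage: print findings; a non-zero exit code lets a scheduled compliance job flag the host.
$f = Get-DefenderPostureFindings
if ($f.Count -eq 0) { 'No Defender posture findings.' } else { $f; exit 1 }
```

Treat every non-Defender Security Center registration as a question to answer against your deployed software inventory, not as proof of compromise.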
Affected Countries
Russia, Germany, United Kingdom, France, Poland, Italy
Technical Details
- Article Source: https://thehackernews.com/2026/01/multi-stage-phishing-campaign-targets.html (fetched 2026-01-24, 1,739 words)
Threat ID: 69752d084623b1157ccddeae
Added to database: 1/24/2026, 8:35:20 PM
Last enriched: 1/24/2026, 8:35:36 PM
Last updated: 1/26/2026, 3:08:17 PM