
Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2

Severity: Medium
Published: Wed Dec 03 2025 (12/03/2025, 14:29:45 UTC)
Source: AlienVault OTX General

Description

Operation DupeHike is a spear-phishing campaign targeting Russian corporate employees, especially in HR, payroll, and administrative roles. It uses malicious LNK files disguised as PDF-themed decoy documents about employee bonuses and financial policies to infect victims. The initial malware implant, DUPERUNNER, written in C++, performs process enumeration, shellcode injection, and downloads decoy PDFs to avoid suspicion. DUPERUNNER then loads the AdaptixC2 Beacon, which establishes command-and-control communication with the attacker’s infrastructure. The campaign is tracked as UNG0902 and employs multiple malicious infrastructures. While primarily focused on Russian organizations, the infection vector and malware techniques could pose risks to entities with Russian ties or subsidiaries in Europe. The campaign does not require known exploits but relies on social engineering and user interaction via spear-phishing. No CVSS score is assigned, but the threat is assessed as medium severity due to targeted infection and moderate impact potential. Indicators include multiple file hashes and an IP address linked to the C2 server. Defenders should focus on detecting malicious LNK files, monitoring network C2 traffic, and training employees on spear-phishing risks.

AI-Powered Analysis

Last updated: 12/03/2025, 17:59:13 UTC

Technical Analysis

Operation DupeHike is a targeted malware campaign primarily aimed at Russian corporate entities, focusing on employees in HR, payroll, and administrative departments. The attack begins with spear-phishing emails containing ZIP archives that include malicious LNK files masquerading as PDF documents themed around employee bonuses and financial policies to entice victims to open them. When executed, the LNK file launches the DUPERUNNER implant, a C++-based malware that performs several functions: it downloads and opens legitimate-looking decoy PDFs to avoid suspicion, enumerates running processes on the infected system, and injects shellcode into processes to maintain stealth and persistence. DUPERUNNER subsequently loads the AdaptixC2 Beacon, which facilitates communication with the attacker’s command-and-control (C2) infrastructure, enabling remote control and data exfiltration. The campaign, tracked under the UNG0902 adversary group, uses multiple malicious infrastructure nodes to maintain resilience and evade detection. The malware employs advanced techniques such as process injection (MITRE ATT&CK T1055), use of LNK files for execution (T1204.002), and C2 communication (T1071.001). Although no known exploits are used, the campaign relies heavily on social engineering and user interaction to succeed. Indicators of compromise include numerous file hashes and an IP address (46.149.71.230) associated with the C2 server. The campaign’s sophistication and targeted nature indicate a medium severity threat, with potential for data theft and espionage within targeted organizations.

Potential Impact

For European organizations, the direct impact of Operation DupeHike is currently limited given its primary focus on Russian corporate entities. However, European companies with subsidiaries, partners, or business ties to Russia, especially those with HR or payroll departments handling Russian employees, could be at risk of infection. Successful compromise could lead to unauthorized access to sensitive employee data, financial information, and internal communications, potentially resulting in data breaches, espionage, or financial fraud. The use of process injection and shellcode increases the difficulty of detection and removal, potentially allowing prolonged attacker presence and lateral movement within networks. Additionally, the campaign’s use of realistic decoy documents may reduce suspicion and increase the likelihood of successful infection. The presence of a C2 beacon enables attackers to exfiltrate data or deploy additional payloads, escalating the threat. European organizations should be aware of this campaign’s tactics as it could be adapted or expanded to target entities within Europe, especially in countries with significant Russian business presence or geopolitical interest.

Mitigation Recommendations

1. Implement advanced email filtering and sandboxing to detect and block spear-phishing emails containing malicious LNK files or suspicious ZIP archives.
2. Educate employees, particularly in HR, payroll, and administrative roles, on recognizing spear-phishing attempts and the risks of opening unexpected attachments or links.
3. Deploy endpoint detection and response (EDR) solutions capable of identifying process injection, shellcode execution, and unusual process behaviors indicative of DUPERUNNER activity.
4. Monitor network traffic for anomalous outbound connections, especially to known malicious IPs such as 46.149.71.230, and implement strict egress filtering to limit unauthorized C2 communications.
5. Use application whitelisting to prevent execution of unauthorized LNK files and restrict execution from user directories where such files may be placed.
6. Regularly update and patch systems to reduce attack surface; even though no specific exploits are used, this prevents exploitation of other vulnerabilities that could be chained.
7. Conduct threat hunting exercises focusing on the identified indicators of compromise (IOCs), including the provided file hashes, to detect potential infections early.
8. Isolate and analyze suspicious files in a controlled environment to understand new variants and update detection signatures accordingly.
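Recommendations 4 and 7 come down to sweeping your own telemetry for the indicators listed further down on this page. The script below is an added example (it is not part of the OTX pulse or the Seqrite report): it indexes the page's 15 file hashes by digest length, checks a file inventory and a firewall-style connection log against them, and normalises case so an uppercase hash from an EDR export still matches. The file paths, the benign hash and the log lines are constructed sample data; the log line layout (`src=... dst=... dport=...`) is an assumed format that you would adapt to your own sensor output.

```python
"""IOC sweep for the Operation DupeHike indicators published on this page.

Added example, not code from the pulse author. The hash and IP values are the
ones listed on the page; every file path, log line and the benign hash are
constructed for demonstration.
"""
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# File hashes from the pulse (a mix of MD5, SHA-1 and SHA-256 digests).
DUPEHIKE_HASHES = {
    "7a102ffa76773e3f1c9bd4a5667df69f",
    "8ea1d8a79e9394f369186c250558d241",
    "1f47d4c95b2df45d63a548b383bb324e5db8c37a",
    "d9eca190944df1346de61d5d063325f5351501db",
    "1e0c5129ac74989754b7c27be9e12b1ebf90fa5f81db6d7fe5f1aa050a914cf9",
    "2cd715d0702fd70fda45c0569a38b3d983de1a8cf23b559293a7c0623da69c90",
    "3a52c13d00af0486095ee4007fd72dae646d3c7384754744507e33537b3fdf2a",
    "3ce5ab897b7f33bc1b9036abc8e7d2812b385fbab404dad686afaf9fb83fe07a",
    "432974205e1ce4c1d2c0e6bf6ebfafd90f6c19451eec0485ac46beaf65247763",
    "48b9f78899b8a3daaeb9cbf7245350a6222cbf0468cd5c2bab954c8dbbce3995",
    "7157be86c6612c59e5120ae00260f4268b19560fa5a6fa52ed54d72868070d50",
    "87db5cbd76e7adeb6932c4ae14f3d3bb736d631460d65e067fb2a0083b675399",
    "8c075d89eee37a58f1f3a8bf0cbd97e0c8f00e73179a36eb2cd8745024c1c4ee",
    "ba6902efd3771a564785bdae68fa5f5ac12b7ebd828e8975459fff0136e2efdb",
    "d9e2b6341f6de5c95dd02cf3350c07cd2be3b0a78b82c073229396b6d4c8d3c1",
}
# C2 address from the pulse.
DUPEHIKE_IPS = {"46.149.71.230"}

# Hex digest length -> algorithm. The pulse does not label its hashes, so
# length is the only way to route each one to the right comparison set.
HASH_ALGOS = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-f]+$")


def classify_hash(value: str) -> Optional[str]:
    """Return 'md5', 'sha1' or 'sha256' for a hex digest, else None."""
    v = value.strip().lower()
    if not _HEX.match(v):
        return None
    return HASH_ALGOS.get(len(v))


def index_iocs(hashes: Iterable[str] = DUPEHIKE_HASHES) -> Dict[str, Set[str]]:
    """Group IOC hashes by algorithm, lower-cased, rejecting malformed entries."""
    index: Dict[str, Set[str]] = {algo: set() for algo in HASH_ALGOS.values()}
    for h in hashes:
        algo = classify_hash(h)
        if algo is None:
            raise ValueError(f"not a recognised hex digest: {h!r}")
        index[algo].add(h.strip().lower())
    return index


def sweep_file_inventory(records: Iterable[Tuple[str, str]],
                         index: Optional[Dict[str, Set[str]]] = None) -> List[dict]:
    """Match (path, digest) pairs from an inventory/EDR export against the IOCs."""
    if index is None:
        index = index_iocs()
    hits = []
    for path, digest in records:
        algo = classify_hash(digest)
        if algo and digest.strip().lower() in index[algo]:
            hits.append({"path": path, "algo": algo, "hash": digest.strip().lower()})
    return hits


# Assumed log layout: "<timestamp> ... src=<ip> dst=<ip> dport=<n> ...".
_CONN = re.compile(r"^(?P<ts>\S+)\s+.*?src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def sweep_connection_log(lines: Iterable[str], ips: Set[str] = DUPEHIKE_IPS) -> List[dict]:
    """Flag connections where either endpoint is a listed C2 address."""
    hits = []
    for line in lines:
        m = _CONN.search(line)
        if not m:
            continue  # malformed or unrelated line; skip rather than fail the sweep
        for role in ("src", "dst"):
            if m.group(role) in ips:
                hits.append({"ts": m.group("ts"), "src": m.group("src"),
                             "dst": m.group("dst"), "dport": int(m.group("dport")),
                             "matched": role})
                break
    return hits


# Constructed sample data (not real telemetry).
SAMPLE_INVENTORY = [
    ("C:\\Users\\hr01\\Downloads\\bonus_policy.pdf.lnk", "7A102FFA76773E3F1C9BD4A5667DF69F"),  # page MD5, upper-cased
    ("C:\\Users\\hr01\\Documents\\empty.txt", "d41d8cd98f00b204e9800998ecf8427e"),            # MD5 of empty file, benign
    ("C:\\Users\\hr01\\AppData\\Local\\Temp\\stage.bin",
     "1e0c5129ac74989754b7c27be9e12b1ebf90fa5f81db6d7fe5f1aa050a914cf9"),                 # page SHA-256
]
SAMPLE_CONN_LOG = [
    "2025-12-03T14:31:02Z fw=edge1 src=10.0.0.15 dst=46.149.71.230 dport=443 proto=tcp",
    "2025-12-03T14:31:05Z fw=edge1 src=10.0.0.15 dst=192.0.2.10 dport=443 proto=tcp",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for hit in sweep_file_inventory(SAMPLE_INVENTORY):
        print("FILE IOC:", hit)
    for hit in sweep_connection_log(SAMPLE_CONN_LOG):
        print("NET IOC:", hit)
```

Run against the sample data it reports the two listed hashes and the single connection to 46.149.71.230; the benign file and the unrelated destination are ignored. For a real sweep, feed `sweep_file_inventory` your EDR hash export and `sweep_connection_log` your egress logs, and treat a hit as a trigger for the isolation and analysis step in recommendation 8.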


Technical Details

Author: AlienVault
TLP: white
References: https://www.seqrite.com/blog/9512-2/
Adversary: UNG0902
Pulse Id: 69304959476d2ade5f1c7ff2
Threat Score: null

Indicators of Compromise

Hash

MD5 (32 hex characters):
7a102ffa76773e3f1c9bd4a5667df69f
8ea1d8a79e9394f369186c250558d241

SHA-1 (40 hex characters):
1f47d4c95b2df45d63a548b383bb324e5db8c37a
d9eca190944df1346de61d5d063325f5351501db

SHA-256 (64 hex characters):
1e0c5129ac74989754b7c27be9e12b1ebf90fa5f81db6d7fe5f1aa050a914cf9
2cd715d0702fd70fda45c0569a38b3d983de1a8cf23b559293a7c0623da69c90
3a52c13d00af0486095ee4007fd72dae646d3c7384754744507e33537b3fdf2a
3ce5ab897b7f33bc1b9036abc8e7d2812b385fbab404dad686afaf9fb83fe07a
432974205e1ce4c1d2c0e6bf6ebfafd90f6c19451eec0485ac46beaf65247763
48b9f78899b8a3daaeb9cbf7245350a6222cbf0468cd5c2bab954c8dbbce3995
7157be86c6612c59e5120ae00260f4268b19560fa5a6fa52ed54d72868070d50
87db5cbd76e7adeb6932c4ae14f3d3bb736d631460d65e067fb2a0083b675399
8c075d89eee37a58f1f3a8bf0cbd97e0c8f00e73179a36eb2cd8745024c1c4ee
ba6902efd3771a564785bdae68fa5f5ac12b7ebd828e8975459fff0136e2efdb
d9e2b6341f6de5c95dd02cf3350c07cd2be3b0a78b82c073229396b6d4c8d3c1

IP

46.149.71.230

Threat ID: 693076e4b129615efa107004

Added to database: 12/3/2025, 5:44:04 PM

Last enriched: 12/3/2025, 5:59:13 PM

Last updated: 12/5/2025, 2:25:18 AM

Views: 19
