
Rainbow Hyena strikes again: new backdoor and shift in tactics

Severity: Medium
Published: Tue Jul 15 2025 (07/15/2025, 20:39:47 UTC)
Source: AlienVault OTX General

Description

A new phishing campaign targeting healthcare and IT organizations in Russia has been attributed to the Rainbow Hyena cluster. The attackers used compromised email addresses to distribute malicious attachments, including polyglot files and LNK files mimicking legitimate documents. A new custom-built backdoor called PhantomRemote was identified, capable of system information gathering and command execution. The campaign demonstrates a shift in tactics, with threat actors abandoning traditional malicious documents in favor of alternative formats. The sophistication of the tools and techniques suggests a move towards more conventional illicit activities such as espionage and financial gain.

AI-Powered Analysis

Last updated: 07/16/2025, 08:16:39 UTC

Technical Analysis

The Rainbow Hyena threat actor cluster has launched a new phishing campaign targeting healthcare and IT organizations in Russia, employing a shift in tactics and novel malware tools. Unlike previous campaigns that relied on traditional malicious document attachments, this campaign uses compromised email addresses to distribute polyglot files and LNK shortcut files that masquerade as legitimate documents. These alternative file formats help evade detection by conventional security solutions that focus on common document exploits.

The campaign delivers a newly identified custom backdoor named PhantomRemote, which provides capabilities for system information gathering and remote command execution. This backdoor enables the attackers to maintain persistence, conduct reconnaissance, and execute arbitrary commands on compromised systems. The use of polyglot and LNK files indicates a sophisticated approach to social engineering and evasion, leveraging Windows shortcut files that can execute commands when clicked, and polyglot files that can be interpreted in multiple ways to bypass security filters.

The campaign’s tactics align with MITRE ATT&CK techniques such as T1566 (phishing), T1204 (user execution), T1082 (system information discovery), T1059.003 (command and scripting interpreter: Windows Command Shell), and T1105 (ingress tool transfer). The shift away from traditional malicious documents towards alternative file formats and the deployment of a custom backdoor suggest an evolution in Rainbow Hyena’s operational methods, possibly reflecting a move towards more conventional cyber espionage and financially motivated intrusions. While currently observed in Russia, the sophistication and targeting of healthcare and IT sectors highlight the potential for broader impact if the campaign expands geographically or sector-wise.

Potential Impact

For European organizations, especially those in healthcare and IT sectors, the emergence of Rainbow Hyena’s new tactics and PhantomRemote backdoor poses a significant risk. Healthcare organizations are critical infrastructure with sensitive personal data and operational continuity requirements, making them attractive targets for espionage, data theft, or disruption. IT organizations often serve as supply chain nodes, so compromise here could lead to secondary infections or broader supply chain attacks. The use of phishing with sophisticated file formats increases the likelihood of successful initial compromise, potentially leading to unauthorized access, data exfiltration, and operational disruption. The backdoor’s capabilities for system reconnaissance and command execution could facilitate lateral movement, privilege escalation, and long-term persistence within networks. Although the campaign is currently focused on Russia, the techniques and tools could be adapted or redeployed against European targets, especially given the interconnectedness of IT and healthcare sectors across Europe. The campaign’s medium severity rating reflects the moderate but tangible risk of espionage and financial crime, which could have reputational, regulatory, and operational consequences for affected organizations.

Mitigation Recommendations

European organizations should implement targeted defenses against phishing campaigns that use unconventional file formats. This includes enhancing email security gateways to detect and block polyglot files and suspicious LNK files, and employing advanced sandboxing solutions capable of analyzing such file types. User awareness training should be updated to highlight the risks of clicking on shortcut files and unfamiliar attachments, emphasizing verification of sender authenticity even when emails appear to come from known contacts, since this campaign sends from compromised mailboxes.

Endpoint detection and response (EDR) tools should be tuned to detect behaviors associated with PhantomRemote, such as unusual command execution, system information gathering, and network communications consistent with backdoor activity. Network segmentation and strict access controls can limit lateral movement if a system is compromised. Regular threat hunting exercises focusing on indicators of compromise related to Rainbow Hyena’s tactics should be conducted. Additionally, organizations should monitor threat intelligence feeds for updates on this campaign and related indicators. Incident response plans should be reviewed and tested to ensure rapid containment and remediation of infections involving custom backdoors. Finally, multi-factor authentication (MFA) and least privilege principles should be enforced to reduce the impact of credential compromise.
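As an added illustration of the gateway check recommended above (example code written for this page, not from the BI.ZONE report or the OTX pulse), the routine below triages an attachment for the two lure types the campaign uses: Windows shortcut files posing as documents, and polyglot files that open as one format but carry another inside. The magic values are standard file signatures; the sample attachments and tag names are constructed here for illustration.

```python
# Shell Link header: HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046}, per MS-SHLLINK section 2.1.
LNK_HEADER = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Magic checked only at offset 0: what the file claims to be.
HEAD_MAGIC = {"pdf": b"%PDF-", "zip": b"PK\x03\x04", "exe": b"MZ", "rtf": b"{\\rtf"}
# Magic searched past the leading header: what is hidden inside a polyglot.
EMBEDDED_MAGIC = {"pdf": b"%PDF-", "zip": b"PK\x03\x04", "html": b"<html", "lnk": LNK_HEADER}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}

def is_lnk(data: bytes) -> bool:
    return data[: len(LNK_HEADER)] == LNK_HEADER

def head_format(data: bytes):
    """Name of the format the leading bytes announce, or None."""
    for name, magic in HEAD_MAGIC.items():
        if data.startswith(magic):
            return name
    return "lnk" if is_lnk(data) else None

def embedded_formats(data: bytes, skip: int = 8) -> list:
    """Formats whose magic appears beyond the first `skip` bytes, by offset."""
    hits = []
    for name, magic in EMBEDDED_MAGIC.items():
        off = data.find(magic, skip)
        if off != -1:
            hits.append((off, name))
    return [name for _, name in sorted(hits)]

def triage(filename: str, data: bytes) -> list:
    """Tags for one attachment; an empty list means nothing looked odd."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    head = head_format(data)
    if is_lnk(data):
        findings.append("lnk-shortcut")
        if ext != "lnk":                           # shortcut bytes under a non-.lnk name
            findings.append("lnk-with-extension-" + (ext or "none"))
        elif DOC_EXTS.intersection(parts[:-1]):    # e.g. Invoice.pdf.lnk
            findings.append("lnk-named-like-document")
    inner = [f for f in embedded_formats(data) if f != head]
    if head and inner:                             # one format on top, another inside
        findings.append("polyglot:" + head + "+" + "+".join(inner))
    return findings

# Constructed sample attachments (not real campaign files):
SAMPLE_LNK = LNK_HEADER + b"\x00" * 60
SAMPLE_POLYGLOT = b"%PDF-1.7\n1 0 obj\n<< >>\nendobj\n" + b"PK\x03\x04" + b"\x00" * 20
```

A hit on `lnk-*` or `polyglot:*` is a reason to sandbox or quarantine the message, not proof of malice on its own; legitimate shortcut files and some installers will trip these tags.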


Technical Details

Author: AlienVault
TLP: white
References: https://bi-zone.medium.com/rainbow-hyena-strikes-again-new-backdoor-and-shift-in-tactics-2dd99a10aea9?source=rss-3882bedad280------2
Adversary: Rainbow Hyena
Pulse Id: 6876bc94560fb5bc92a8936f
Threat Score: null

Indicators of Compromise


Threat ID: 68775c90a83201eaacd4c651

Added to database: 7/16/2025, 8:02:24 AM

Last enriched: 7/16/2025, 8:16:39 AM

Last updated: 8/28/2025, 3:18:12 PM

