Threat Actors Weaponizing RAR Archives to Target Thailand's Healthcare Sector
An active malware campaign is targeting Thailand's healthcare sector, including Ministry of Health personnel and affiliated organizations. The operation leverages healthcare-themed spear-phishing lures distributed through malicious RAR archives containing obfuscated batch scripts and executable payloads. The infection chain employs multiple stages of obfuscation, GitHub-hosted payload delivery, and persistence mechanisms. The final payload is a Python-based information stealer designed to harvest browser credentials, session data, and cookies, with exfiltration attempts through the Telegram Bot API. The campaign demonstrates sophisticated tradecraft including Rouki-obfuscated batch loaders, Startup folder persistence, and bundled Python interpreters. The active operational window spans April to June 2026, with all samples uploaded from Thailand.
AI Analysis
Technical Summary
This threat involves a targeted malware campaign against Thailand's healthcare sector leveraging spear-phishing with malicious RAR archives. The archives contain Rouki-obfuscated batch loaders and executable payloads that execute a multi-stage infection process. Payload delivery is facilitated through GitHub-hosted components, and persistence is maintained using the Windows Startup folder. The final payload is a Python-based information stealer designed to collect sensitive browser data including credentials, session information, and cookies. Data exfiltration is conducted through the Telegram Bot API. The campaign demonstrates sophisticated tradecraft including script obfuscation, use of bundled Python interpreters, and multi-stage payload deployment. The operational window is from April to June 2026, with all samples uploaded from Thailand.
Potential Impact
The campaign compromises targeted systems within Thailand's healthcare sector by stealing sensitive browser credentials, session data, and cookies, potentially leading to unauthorized access to user accounts and sensitive information. The use of obfuscated scripts and multi-stage payloads complicates detection and mitigation efforts. Data exfiltration via Telegram Bot API enables attackers to remotely collect stolen information. This could result in privacy breaches, disruption of healthcare operations, and potential exposure of confidential patient or organizational data.
Mitigation Recommendations
No official patch or fix is available as this is a malware campaign rather than a software vulnerability. Organizations should focus on user awareness training to recognize spear-phishing attempts, especially those involving RAR archives. Implement email filtering to block malicious attachments and monitor for unusual outbound traffic such as connections to Telegram Bot API endpoints. Employ endpoint detection solutions capable of identifying obfuscated scripts and unauthorized persistence mechanisms like Startup folder modifications. Since the campaign uses GitHub for payload hosting, monitoring and restricting access to suspicious external repositories may also help. Regularly update antivirus and endpoint protection tools to detect known indicators of compromise. Patch status is not applicable; mitigation relies on detection and prevention controls.
Affected Countries
Thailand
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.seqrite.com/blog/threat-actors-weaponizing-rar-archives-to-target-thailands-healthcare-sector/
- Adversary: null
- Pulse Id: 6a3551ceb394e391f2a341f1
- Threat Score: null
Threat ID: 6a38ff53eed863c81e93615d
Added to database: 06/22/2026, 09:24:35 UTC
Last enriched: 06/22/2026, 09:39:07 UTC
Last updated: 06/22/2026, 14:53:48 UTC