Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware

On January 24, 2026, Fortinet’s FortiGuard Labs reported a new multi-stage phishing campaign targeting users in Russia. The attack uses social engineering lures delivered as business-themed documents to trick victims into downloading malicious software, including a Remote Access Trojan (RAT) known as Amnesia RAT, and ransomware.

The campaign employs multiple public cloud services to distribute different types of payloads: GitHub is primarily used for script dissemination, while binary payloads are staged on Dropbox. Spreading the infrastructure this way makes the chain more resilient to rapid takedown. The phishing operation also abuses defendnot to disable Microsoft Defender.

Key Characteristics of the Campaign

  • Multiple Public Cloud Services: Fortinet observed the use of multiple public cloud services for payload distribution. GitHub is primarily utilized for script dissemination, while binary payloads are staged on Dropbox. This tactic complicates takedown efforts by improving resilience against rapid countermeasures.
  • Deceptive Shortcut File: The campaign exploits social engineering to distribute compressed archives containing decoy documents and a malicious Windows shortcut with Russian-language filenames. The LNK file uses a double extension (“Задание_для_бухгалтера_02отдела.txt.lnk”) to give the impression that it is merely a text document.
  • Phishing Sequence: The phishing operation leverages social engineering to distribute compressed archives containing multiple decoy documents and a malicious Windows shortcut. When executed, the LNK file triggers a PowerShell command to retrieve the next-stage PowerShell script hosted on a GitHub repository (github[.]com/Mafin111/MafinREP111).
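The two characteristics above (a double-extension .lnk name and a shortcut whose target launches PowerShell to pull a remote script) are both checkable on an endpoint. The following hunting function is an added example, not code from the Fortinet report or the campaign; it assumes Windows PowerShell 5.1 or later, reads each shortcut's target and arguments through the WScript.Shell COM object, and the scanned folder is a placeholder to adapt.

```powershell
# Added example (not from the Fortinet report): hunt a folder tree for shortcut files that
# either disguise themselves with a second, document-looking extension or launch a script
# host with download-style arguments. Assumes Windows PowerShell 5.1+.

function Find-SuspiciousShortcut {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Extensions a user would expect to open as a harmless document
        [string[]] $DecoyExtensions = @('txt', 'pdf', 'doc', 'docx', 'xls', 'xlsx', 'rtf')
    )

    $shell = New-Object -ComObject WScript.Shell
    # e.g. "report.txt.lnk" -> matches; "report.lnk" -> does not
    $decoyPattern = '\.(' + ($DecoyExtensions -join '|') + ')\.lnk$'
    # Fragments typical of a shortcut that fetches and runs a remote script
    $downloadPattern = 'powershell|pwsh|mshta|wscript|cscript|iwr|invoke-webrequest|' +
                       'downloadstring|iex|invoke-expression|frombase64string|' +
                       'github|raw\.githubusercontent|dropbox|-enc|hidden'

    Get-ChildItem -Path $Path -Recurse -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file    = $_
            $reasons = [System.Collections.Generic.List[string]]::new()
            $target  = ''
            $lnkArgs = ''

            if ($file.Name -imatch $decoyPattern) {
                $reasons.Add("double extension in name: $($file.Name)")
            }

            try {
                # CreateShortcut on an existing .lnk returns its stored target and arguments
                $lnk     = $shell.CreateShortcut($file.FullName)
                $target  = [string]$lnk.TargetPath
                $lnkArgs = [string]$lnk.Arguments
                $cmdLine = "$target $lnkArgs"
                if ($cmdLine -imatch $downloadPattern) {
                    $reasons.Add("launches script host / downloader: $cmdLine")
                }
            } catch {
                $reasons.Add("could not parse shortcut: $($_.Exception.Message)")
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Path      = $file.FullName
                    Target    = $target
                    Arguments = $lnkArgs
                    Reasons   = ($reasons -join '; ')
                }
            }
        }
}

# Usage (placeholder location): scan the current user's Downloads folder
Find-SuspiciousShortcut -Path "$env:USERPROFILE\Downloads" | Format-List
```

Matching on the shortcut's stored target rather than on the file name alone is what catches the case described here: the name looks like a text file, but the target is a PowerShell command line that fetches the next stage.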

Phishing Execution

First Stage: PowerShell Script

The script first suppresses visible execution by programmatically hiding the PowerShell console window. It then writes a decoy text document to the user’s local application data directory and opens it automatically. Once the decoy is displayed, the script sends a message to the attacker through the Telegram Bot API, confirming that the first stage has executed successfully.

A 444-second delay is deliberately introduced before the PowerShell script runs a Visual Basic Script (SCRRC4ryuk.vbe). This script acts as the controller that assembles the next-stage payload directly in memory, so that no artifacts are written to disk. The final-stage script checks whether it is running with elevated privileges and, if not, repeatedly displays a User Account Control (UAC) prompt until the victim authorizes elevation.

Final Stage Actions

  • Configuring Microsoft Defender exclusions.
  • Disabling additional Defender protection components.
  • Deploying defendnot to register a fake antivirus product in the Windows Security Center interface.
  • Performing environment reconnaissance via screenshot capture.
  • Ultimately deploying the main payloads, including Amnesia RAT and ransomware.
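Each of the first three actions leaves a footprint that Windows itself can report: Defender exclusions and disabled components are visible through the Defender module, and every product registered with Security Center (which is what defendnot manipulates) is listed in the root/SecurityCenter2 WMI namespace. The audit below is an added example, not code from the Fortinet report or from defendnot; it assumes an elevated PowerShell session on Windows 10/11 with the Defender module present, and the list of expected product names is an assumption to adapt to the organization's standard antivirus.

```powershell
# Added example (not from the Fortinet report): report the Defender tampering this chain
# performs. Run elevated on Windows 10/11. $ExpectedProducts is an assumed allow-list.

function Get-DefenderTamperReport {
    [CmdletBinding()]
    param(
        [string[]] $ExpectedProducts = @('Windows Defender', 'Microsoft Defender Antivirus')
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Exclusions: an excluded path, process or extension is never scanned
    $pref = Get-MpPreference
    foreach ($p in @($pref.ExclusionPath))      { if ($p) { $findings.Add("Path exclusion: $p") } }
    foreach ($p in @($pref.ExclusionProcess))   { if ($p) { $findings.Add("Process exclusion: $p") } }
    foreach ($e in @($pref.ExclusionExtension)) { if ($e) { $findings.Add("Extension exclusion: $e") } }

    # 2. Protection components switched off through preference or policy
    $switches = 'DisableRealtimeMonitoring', 'DisableBehaviorMonitoring', 'DisableIOAVProtection',
                'DisableScriptScanning', 'DisableBlockAtFirstSeen'
    foreach ($s in $switches) {
        if ($pref.$s -eq $true) { $findings.Add("Component disabled: $s") }
    }

    # 3. Runtime state as the engine itself reports it
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is OFF') }
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine is OFF') }

    # 4. Security Center registrations: a fake product here makes Defender stand down
    $products = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue
    foreach ($prod in $products) {
        $name = [string]$prod.displayName
        $exe  = [string]$prod.pathToSignedProductExe
        if ($ExpectedProducts -notcontains $name) {
            $findings.Add("Unexpected AV registration: '$name' -> $exe")
        }
        # Defender registers a windowsdefender:// URI rather than a file path; only real
        # file paths can be checked for existence and a valid Authenticode signature.
        if ($exe -and $exe -notmatch '^[a-z]+://') {
            if (-not (Test-Path -LiteralPath $exe)) {
                $findings.Add("AV registration points at a missing binary: '$name' -> $exe")
            } elseif ((Get-AuthenticodeSignature -FilePath $exe).Status -ne 'Valid') {
                $findings.Add("AV registration binary is unsigned or invalid: '$name' -> $exe")
            }
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

Get-DefenderTamperReport | Format-List
```

The Security Center check is the one specific to defendnot-style abuse: a registered product whose binary does not exist, or is not validly signed, is a registration that no legitimate vendor would produce, regardless of the display name it was given.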

Advanced Payloads

Amnesia RAT: The final payload is Amnesia RAT (svchost.scr), which is retrieved from Dropbox. This tool enables comprehensive data theft and remote control functions, such as pilfering information stored in web browsers, cryptocurrency wallets, Discord, Steam, Telegram, and system metadata like screenshots, webcam images, and clipboard contents.

Ransomware Payload: The ransomware payload, derived from the Hakuna Matata family, is configured to encrypt documents, archives, media files, source code, and application assets on infected endpoints. The ransomware also monitors the clipboard and silently replaces copied cryptocurrency wallet addresses with attacker-controlled ones to reroute transactions.
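The clipboard-swapping behaviour has a simple observable signature: a wallet-looking string is copied and, within a fraction of a second and without any further user action, the clipboard holds a different string of the same address type. The watcher below is an added example, not code from the Fortinet report or the ransomware; it assumes Windows PowerShell 5.1+ (for Get-Clipboard), and the address patterns and the 3-second swap window are assumptions chosen for illustration.

```powershell
# Added example (not from the Fortinet report): poll the clipboard and flag a wallet
# address that is replaced by a different address of the same type within a short window.
# Assumes Windows PowerShell 5.1+; patterns and timings are illustrative assumptions.

function Watch-ClipboardSwap {
    [CmdletBinding()]
    param(
        [int] $Seconds      = 60,    # how long to watch
        [int] $PollMs       = 250,   # polling interval
        [int] $SwapWindowMs = 3000   # an address replaced faster than this is suspicious
    )

    # Assumed address shapes: legacy/segwit Bitcoin and hex Ethereum addresses
    $patterns = @{
        BTC = '^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[ac-hj-np-z02-9]{25,62})$'
        ETH = '^0x[a-fA-F0-9]{40}$'
    }

    function Get-AddressType([string] $Text) {
        foreach ($kind in $patterns.Keys) {
            if ($Text -match $patterns[$kind]) { return $kind }
        }
        return $null
    }

    $alerts   = [System.Collections.Generic.List[pscustomobject]]::new()
    $last     = ''
    $lastType = $null
    $lastTime = Get-Date
    $deadline = (Get-Date).AddSeconds($Seconds)

    while ((Get-Date) -lt $deadline) {
        $now = Get-Date
        $cur = ([string](Get-Clipboard -Raw -ErrorAction SilentlyContinue)).Trim()

        if ($cur -ne $last) {
            $type = Get-AddressType $cur
            # Same address type, different value, and changed too quickly to be a human paste
            if ($type -and $lastType -eq $type -and
                ($now - $lastTime).TotalMilliseconds -le $SwapWindowMs) {
                $alert = [pscustomobject]@{
                    Time     = $now
                    Type     = $type
                    Original = $last
                    Replaced = $cur
                }
                $alerts.Add($alert)
                Write-Warning "$type address swapped in clipboard: $last -> $cur"
            }
            $last     = $cur
            $lastType = $type
            $lastTime = $now
        }
        Start-Sleep -Milliseconds $PollMs
    }

    return $alerts
}

# Usage: watch for one minute and list any swaps observed
Watch-ClipboardSwap -Seconds 60 | Format-Table -AutoSize
```

Polling cannot distinguish a swap from a user copying two addresses back to back, which is why the time window is part of the heuristic: a clipper rewrites the address immediately after the copy, well inside the interval in which a person would select and copy a second one.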

Conclusion

“This attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities,” Cara Lin from Fortinet said. “By systematically abusing native Windows features, administrative tools, and policy enforcement mechanisms, the attacker disables endpoint defenses before deploying persistent surveillance tooling and destructive payloads.”

Countermeasures and Recommendations

  • Users:
    – Be cautious with business-themed emails containing attachments or links.
    – Employ strong security practices such as multi-factor authentication, regular software updates, and awareness training on phishing attacks.
  • Organizations:
    – Implement comprehensive threat intelligence solutions to detect anomalies early.
    – Conduct regular security assessments and audits focusing on employee behavior and social engineering techniques.

Related News

This campaign highlights the evolving tactics of threat actors. Fortinet has also reported a similar but distinct attack targeting Russian entities, involving the use of defendnot to disable Microsoft Defender. In another instance, researchers at Seqrite Labs identified human resources departments targeted by UNG0902 with an implant known as DUPERUNNER that loads AdaptixC2.

These reports underscore the importance of robust cybersecurity protocols and continuous vigilance in the face of increasingly sophisticated cyber threats.