Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware
A new multi-stage phishing campaign targeting users in Russia has been observed by Fortinet's FortiGuard Labs. The attack begins with social engineering lures delivered via business-themed documents crafted to appear routine and benign, according to Cara Lin of FortiGuard Labs. These documents and accompanying scripts serve as visual distractions, diverting victims to fake tasks or status messages while malicious activity runs silently in the background.

#### Key Characteristics

The campaign stands out for two reasons. First, it uses multiple public cloud services to distribute different kinds of payloads: GitHub is mainly used to distribute scripts, whereas binary payloads are staged on Dropbox. This separation complicates takedown efforts and improves the campaign's resilience. Second, a "defining characteristic" of the campaign, per Fortinet, is the operational abuse of Defendnot to disable Microsoft Defender. Defendnot, released last year by a security researcher who goes by the online alias es3n1n, tricks the security program into believing another antivirus product has already been installed on the Windows host.

The phishing campaign leverages social engineering to distribute compressed archives containing multiple decoy documents and a malicious Windows shortcut (LNK) with Russian-language filenames. The LNK file uses a double extension ("Задание_для_бухгалтера_02отдела.txt.lnk") to give the impression that it is a text file.

When executed, it runs a PowerShell command to retrieve the next-stage PowerShell script hosted on a GitHub repository, which then serves as a first-stage loader to establish a foothold and hide evidence of malicious activity. The subsequent stages hide visible execution by programmatically suppressing the PowerShell console window, generate a decoy document in the user's local application data directory, send a message to the attacker via the Telegram Bot API, run a Visual Basic Script to keep the loader lightweight, and deploy the Amnesia RAT payload. The RAT enables full remote interaction, including process enumeration and termination, shell command execution, arbitrary payload deployment, and additional malware deployment.

In summary, this attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities. By systematically abusing native Windows features, administrative tools, and policy enforcement mechanisms, the attacker disables endpoint defenses before deploying persistent surveillance tooling and destructive payloads.

### Background on Threat Actors

To counter Defendnot's abuse of the Windows Security Center API, Microsoft has recommended that users enable Tamper Protection to prevent unauthorized changes to Defender settings, and monitor for suspicious API calls or Defender service changes. The development comes as human resources, payroll, and internal administrative departments belonging to Russian corporate entities have been targeted by a threat actor tracked as UNG0902.

#### Operation DupeHike

UNG0902 is responsible for delivering a previously unknown implant dubbed DUPERUNNER that loads AdaptixC2, a command-and-control (C2) framework.
The spear-phishing campaign, codenamed Operation DupeHike, has been ongoing since November 2025 and uses decoy documents centered on themes such as employee bonuses and internal financial policies. UNG0902 deceives recipients into opening a malicious LNK file within a ZIP archive, which leads to the execution of DUPERUNNER. The implant reaches out to an external server to fetch and display a decoy PDF document, while system profiling and download of the AdaptixC2 beacon are carried out in the background.

### Additional Details

Another threat actor tracked as Paper Werewolf (aka GOFFEE) has also been active recently, employing artificial intelligence (AI)-generated decoys and DLL files compiled as Excel XLL add-ins to deliver a backdoor referred to as EchoGather. "Once launched," Intezer security researcher Nicole Fishbein said of the backdoor, "it collects system information, communicates with a hardcoded command-and-control (C2) server, supports command execution, and file transfer operations."

### Conclusion

This article highlights how sophisticated malware campaigns are evolving to evade detection and maintain persistence. The use of social engineering techniques combined with multiple layers of obfuscation underscores the need for robust security measures and continuous threat intelligence monitoring in today's cybersecurity landscape.
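As an added, defender-side illustration of the checks implied by the Defendnot and Tamper Protection discussion above (this is not code from the article or from FortiGuard Labs), the following PowerShell audit reads Defender's Tamper Protection state, lists the antivirus products registered with Windows Security Center so that a Defendnot-style fake registration stands out, and flags double-extension `.lnk` lures like the one described. It assumes a Windows client with the Defender PowerShell module and the `root/SecurityCenter2` namespace; the `productState` bit test and the missing-or-unsigned-executable test are heuristics, not documented rules.

```powershell
# Added audit script (not from the article). Assumes Windows client + Defender module.

function Get-DefenderTamperStatus {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        TamperProtected  = $s.IsTamperProtected          # Microsoft's recommended mitigation
        RealTimeEnabled  = $s.RealTimeProtectionEnabled
        AntivirusEnabled = $s.AntivirusEnabled
        RunningMode      = $s.AMRunningMode               # e.g. Normal vs. Passive
    }
}

function Get-RegisteredAvProducts {
    # Every product registered with Windows Security Center appears here;
    # a Defendnot-style fake registration is what pushes Defender into passive mode.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        ForEach-Object {
            $exe    = $_.pathToSignedProductExe
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -ErrorAction SilentlyContinue))
            $signed = $exists -and ((Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid')
            [pscustomobject]@{
                Name         = $_.displayName
                ProductState = ('0x{0:X6}' -f $_.productState)
                # Heuristic (assumption): bit 0x1000 of productState is commonly read as "enabled".
                Enabled      = (($_.productState -band 0x1000) -ne 0)
                ExePath      = $exe
                ExeExists    = $exists   # heuristic: registration pointing at nothing on disk
                ExeSigned    = $signed   # heuristic: registration backed by an unsigned binary
            }
        }
}

function Find-DoubleExtensionLnk {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Downloads'))
    # Shortcuts whose name mimics a document (e.g. "...txt.lnk"), the lure pattern in the article.
    Get-ChildItem -LiteralPath $Path -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
        Where-Object { $_.BaseName -match '\.(txt|pdf|docx?|xlsx?|rtf)$' } |
        Select-Object FullName, LastWriteTime
}

$status = Get-DefenderTamperStatus
$status | Format-List
if (-not $status.TamperProtected) { Write-Warning 'Tamper Protection is OFF; Microsoft recommends enabling it.' }

$avs = Get-RegisteredAvProducts
$avs | Format-Table -AutoSize
$avs | Where-Object { $_.Name -notmatch 'Defender' -and (-not $_.ExeExists -or -not $_.ExeSigned) } |
    ForEach-Object { Write-Warning "Suspicious AV registration: $($_.Name) -> $($_.ExePath)" }

Find-DoubleExtensionLnk | Format-Table -AutoSize
```

Run it in an elevated PowerShell session; Defender's own entry reports a non-file path (`windowsdefender://`), which is why it is excluded from the suspicious-registration filter.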