The Trojan Double-Tap: How Amnesia RAT and Ransomware are Ghosting Through Russian Defenses
Security researchers have documented a sophisticated, multi-stage phishing campaign targeting users within the Russian Federation. This offensive employs a dual-payload strategy, integrating both ransomware and the Amnesia RAT (Remote Access Trojan). The findings, disseminated by Fortinet FortiGuard Labs, reveal a meticulously orchestrated infection chain.
The incursion commences with electronic correspondence masquerading as professional business communications. Victims receive “work-related” documents designed to appear mundane and non-threatening. These lures contain scripts and decoy files intended to preoccupy the user with fraudulent tasks or “directives from management” while malicious processes are surreptitiously invoked in the background.
A salient characteristic of this campaign is its distributed delivery architecture. To enhance resilience and evade infrastructure blacklisting, the adversaries leverage disparate cloud ecosystems: scripts are disseminated via GitHub, while binary payloads are retrieved from Dropbox. This bifurcation significantly complicates remediation efforts and prevents the unilateral dismantling of the attack infrastructure.
Furthermore, Fortinet highlights the strategic utilization of Defendnot, an instrument originally conceived as a proof-of-concept by a researcher known as es3n1n. This tool subverts the Windows Security Center by registering a fraudulent antivirus entity, thereby inducing Microsoft Defender to autonomously deactivate to avoid perceived software conflicts.
The malicious artifacts are distributed within ZIP archives containing decoy documents and a lethal Windows Shortcut (LNK) file. To deceive the user, these files employ double extensions, such as Assignment_for_Accounting_Dept.txt.lnk, appearing as innocuous text files. Upon invocation, a PowerShell command retrieves a primary loader from a GitHub repository. This script establishes persistence, sanitizes the environment to elude forensic detection, and orchestrates the subsequent phases of the infection.
To maintain a low profile, the loader programmatically suppresses the PowerShell console window while displaying a fabricated text document to the victim. Concurrently, the script transmits a status notification to the operator via the Telegram Bot API. Following a strategic 444-second hiatus, a heavily obfuscated Visual Basic Script (SCRRC4ryuk.vbe) is executed. This module functions as an in-memory orchestrator, assembling the next stage of the attack within volatile memory to bypass traditional disk-based antivirus scanners.
The final script verifies administrative privileges; if deficient, it relentlessly bombards the user with User Account Control (UAC) prompts until consent is granted. Once elevated, the malware executes a comprehensive defensive neutralization protocol:
- It configures Microsoft Defender exclusions for critical directories such as ProgramData and Desktop.
- It deploys Defendnot to completely disable systemic protection.
- It initiates environmental reconnaissance, capturing screenshots every 30 seconds via a .NET module and exfiltrating them through Telegram.
- It modifies the Windows Registry to disable diagnostic and administrative utilities.
- It hijacks file associations, ensuring that opening specific extensions displays ransom instructions.
Following the dismantling of systemic defenses, the Amnesia RAT (svchost.scr) is retrieved from Dropbox. This comprehensive espionage tool exfiltrates credentials from browsers, cryptocurrency wallets, Discord, Steam, and Telegram. It facilitates total remote dominion, allowing operators to manipulate processes, record audio and video, and monitor the clipboard.
The secondary payload is a ransomware strain derived from the Hakuna Matata family. It encrypts a vast array of file types while monitoring the system clipboard to surreptitiously substitute the user’s cryptocurrency addresses with those controlled by the attackers. The infection culminates in the deployment of a WinLocker, effectively paralyzing the user’s interaction with the operating system.
Fortinet emphasizes that this entire sequence exploits no inherent software vulnerabilities; rather, it weaponizes standard Windows administrative functions and social engineering. In response to the abuse of Defendnot, Microsoft recommends the activation of Tamper Protection to safeguard Defender settings and the rigorous monitoring of Windows Security Center API calls.
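The following PowerShell audit is an added example, not code from the Fortinet report or from the campaign itself; it checks a Windows host for the conditions this chain relies on: Tamper Protection state, Defender exclusions under ProgramData and Desktop, antivirus products registered with Windows Security Center (where a Defendnot-style fake registration would surface), and double-extension `.lnk` lures in a download folder. The `$LureRoot` parameter and the default Downloads path are assumptions.

```powershell
# Added defender-side audit (not from the Fortinet report). Assumes a Windows host with
# the Defender PowerShell module; $LureRoot is an assumed path to sweep for double-extension LNK lures.
param(
    [string]$LureRoot = "$env:USERPROFILE\Downloads"
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Tamper Protection and real-time protection state. A fake AV registration only
#    silences Defender if it is allowed to stand down; Tamper Protection blocks that change.
$status = Get-MpComputerStatus
if (-not $status.IsTamperProtected)         { $findings.Add("Tamper Protection is OFF") }
if (-not $status.RealTimeProtectionEnabled) { $findings.Add("Real-time protection is OFF") }

# 2. Exclusion paths: the chain adds ProgramData and Desktop. Flag any exclusion under them.
$suspectRoots = @($env:ProgramData, [Environment]::GetFolderPath('Desktop'))
foreach ($path in (Get-MpPreference).ExclusionPath) {
    foreach ($root in $suspectRoots) {
        if ($path -like "$root*") { $findings.Add("Defender exclusion covers $path") }
    }
}

# 3. AV products registered with Windows Security Center. A non-Defender entry whose
#    executable path is empty or does not exist on disk deserves a closer look.
$avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
foreach ($av in $avProducts) {
    $exe = $av.pathToSignedProductExe
    if ($av.displayName -ne 'Windows Defender' -and (-not $exe -or -not (Test-Path $exe))) {
        $findings.Add("Unverifiable AV registration: '$($av.displayName)' -> '$exe'")
    }
}

# 4. Double-extension shortcut lures such as Assignment_for_Accounting_Dept.txt.lnk.
Get-ChildItem -Path $LureRoot -Recurse -Filter '*.lnk' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\.[A-Za-z0-9]{2,4}\.lnk$' } |
    ForEach-Object { $findings.Add("Double-extension shortcut: $($_.FullName)") }

if ($findings.Count -eq 0) { "No findings." } else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell session; `Get-MpComputerStatus` and `Get-MpPreference` require the Defender module, which is present on supported Windows 10/11 and Server builds.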
Concurrently, researchers have identified other persistent threats, such as the UNG0902 group’s Operation DupeHike, which targets administrative and accounting departments with the DUPERUNNER implant and the AdaptixC2 framework. Similarly, the Paper Werewolf (or GOFFEE) collective has been active, utilizing AI-generated lures and Excel XLL add-ins to disseminate the EchoGather backdoor. Collectively, these campaigns underscore a definitive trend: phishing within the Russian sector is increasingly characterized by multi-stage loading sequences and the sophisticated subversion of legitimate operating system mechanisms.