EXECUTIVE SUMMARY:
A Russian state-aligned actor has rapidly shifted its arsenal following the exposure of a previous malware family and is now deploying new tooling across its campaigns. The activity has targeted high-value individuals and organizations and shows a marked increase in development tempo and aggressive operations. The updated campaign uses a novel lure masquerading as a CAPTCHA verification to entice victims into executing a malicious module.
The attack chain begins with spear-phishing or web-based lures that direct a user to download and execute a DLL using a legitimate Windows DLL-loading utility. The initial loader retrieves subsequent payloads from hard-coded C2 addresses. Early versions of the loader used a complex multi-component crypto key-split mechanism and even bundled a full Python installation to execute a Python-based backdoor. That was quickly replaced with a more streamlined PowerShell-based backdoor which uses an extensible custom protocol supporting download-and-execute commands, direct shell and PowerShell script execution, and acknowledgement and output paths back to the C2. Over time, the actor simplified the delivery chain to evade detection, rotated file names, export names, and infrastructure, and later reintroduced additional complexity to hinder forensic reconstruction. Infrastructure associated with the campaign includes a set of newly observed domains tied to the lure and C2 ecosystem.
This reflects a deliberate shift by the threat actor toward more sophisticated and flexible tooling to support intelligence-collection operations against high-value targets. Defenders should assume that the actor will continue to iterate on and refine its delivery and persistence methods. Organizations operating in sensitive or high-risk sectors should proactively review telemetry for indicators of compromise associated with the loader, the backdoor and the associated infrastructure, enable enhanced web- and device-based protections, and validate their detection and response controls in light of this elevated threat activity.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
| --- | --- | --- | --- |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
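As an added illustration of how a defender might hunt for the delivery chain described in the summary (DLL-loading utility, PowerShell backdoor) and the Run-key persistence listed in the threat profile, the following detection logic is example code written for this page, not tooling from the report or its authors. It assumes the DLL-loading utility is rundll32.exe or regsvr32.exe (the report does not name it) and runs over constructed Sysmon-style event records, not real telemetry.

```python
from collections import defaultdict

# Assumption: the "legitimate Windows DLL-loading utility" is one of these.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Paths a phished user can write to; a DLL loaded from here is worth a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEY = "\\currentversion\\run"  # T1547.001 Registry Run key


def is_suspicious_dll_load(ev):
    """Process-create event where a DLL loader takes a DLL from a user-writable path."""
    image = ev["Image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["CommandLine"].lower()
    return image in DLL_LOADERS and ".dll" in cmd and any(p in cmd for p in USER_WRITABLE)


def analyze(events):
    """Correlate per host: suspicious loader -> PowerShell child -> Run-key write."""
    findings = []
    loader_pids = defaultdict(set)  # host -> PIDs of flagged loader processes
    for ev in events:
        host = ev["Host"]
        if ev["EventID"] == 1:  # Sysmon process creation
            if is_suspicious_dll_load(ev):
                loader_pids[host].add(ev["ProcessId"])
                findings.append((host, "dll_loader_userpath", ev["CommandLine"]))
            elif (ev["ParentProcessId"] in loader_pids[host]
                  and ev["Image"].lower().endswith("powershell.exe")):
                findings.append((host, "powershell_from_loader", ev["CommandLine"]))
        elif ev["EventID"] == 13 and RUN_KEY in ev["TargetObject"].lower():  # registry value set
            if any(p in ev["Details"].lower() for p in USER_WRITABLE):
                findings.append((host, "runkey_userpath", ev["Details"]))
    return findings


# Constructed sample events (hypothetical hosts, paths and names; not real IoCs).
SAMPLE_EVENTS = [
    {"Host": "ws1", "EventID": 1, "ProcessId": 4312, "ParentProcessId": 900,
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Users\\u\\AppData\\Local\\Temp\\verify.dll,Entry"},
    {"Host": "ws1", "EventID": 1, "ProcessId": 4400, "ParentProcessId": 4312,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Users\\u\\AppData\\Roaming\\upd.ps1"},
    {"Host": "ws1", "EventID": 13,
     "TargetObject": "HKU\\S-1-5-21\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Users\\u\\AppData\\Roaming\\upd.ps1"},
    {"Host": "ws2", "EventID": 1, "ProcessId": 100, "ParentProcessId": 1,  # benign: system DLL
     "Image": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The correlation is deliberately narrow (loader PID to direct PowerShell child on the same host); in production you would widen it to the process tree and to the actor's rotated file and export names as they become known.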
REFERENCES:
The following reports contain further technical details: