Threat Actors Weaponizing RAR Archives to Target Thailand’s Healthcare Sector

MITRE Techniques

• [T1566.001] Spearphishing Attachment – The campaign began with malicious RAR archives delivered as healthcare-themed attachments (‘malicious RAR archives containing obfuscated batch scripts and executable payloads’).
• [T1204.002] User Execution: Malicious File – The victim had to open the lure archive/document to trigger the infection chain (‘lures distributed through malicious RAR archives’).
• [T1027] Obfuscated Files or Information – Multiple stages used obfuscation and junk code to hide malicious logic (‘obfuscated batch scripts’, ‘junk data and obfuscation logic’).
• [T1036] Masquerading – Payloads were disguised as legitimate files such as PNGs, TXT files, and healthcare documents (‘masquerading as a PNG image’, ‘spoofed medical records’).
• [T1059.003] Windows Command Shell – Batch scripts and cmd commands were used to execute the malware chain (‘cmd /c “curl … && call …”’).
• [T1059.001] PowerShell – PowerShell downloaded, decoded, and executed payloads (‘PowerShell to decode the embedded content’, ‘powershell.exe -WindowStyle Hidden -Command’).
• [T1070.004] File Deletion – Temporary artifacts and downloaded archives were deleted after use (‘temporary artifacts are removed’, ‘del C:UsersPublicDesktops.zip’).
• [T1547.001] Registry Run Keys / Startup Folder – Persistence was established by placing WindowSecuryt.bat in the Windows Startup folder (‘Placement within the Startup directory ensures automatic execution’).
• [T1548] Abuse Elevation Control Mechanism – The secondary payload attempted to relaunch with elevated privileges (‘attempts to relaunch itself with elevated privileges’).
• [T1033] System Owner/User Discovery – The exfiltration metadata included usernames and system identifiers (‘System identifiers’, ‘Username information’).
• [T1555] Credentials from Password Stores – The stealer targeted stored credentials and session artifacts (‘Harvests stored credentials and session information’).
• [T1555.003] Credentials from Web Browsers – The malware specifically terminated browsers to access browser databases and cookies (‘Google Chrome, Microsoft Edge, Brave’).
• [T1560] Archive Collected Data – Harvested data was compressed into ZIP archives before exfiltration (‘Compresses harvested data into ZIP archives’).
• [T1005] Data from Local System – The stealer collected local browser data and staged files on disk (‘Collects browser-related data’, ‘Stages collected data within temporary directories’).
• [T1105] Ingress Tool Transfer – Additional payloads were downloaded from GitHub-hosted infrastructure (‘DownloadFile’, ‘curl … from a GitHub-hosted repository’).
• [T1071.001] Application Layer Protocol: Web Protocols – The malware used HTTPS/Web requests for retrieval and transmission (‘https://github.com/…’, ‘api.telegram.org’).
• [T1102] Web Service – The attackers relied on GitHub as a legitimate service for hosting payloads (‘GitHub-hosted payload delivery’).
• [T1567] Exfiltration Over Web Service – Stolen data was sent out through Telegram Bot API requests (‘attempted to transmit stolen data to attacker-controlled Telegram channels’).
• [T1567.002] Exfiltration to Cloud Storage/Web Service – The campaign used Telegram channels as a cloud/web service exfiltration path (‘Telegram Bot API’).