Operation Oxidový: Advanced Malware Campaign Aims at Czech Officials with NATO-Themed Decoys – Insights on IT, Networking & Cybersecurity | Seqrite

Seqrite Labs’ APT-Team uncovered a NATO-themed malware campaign targeting Czech government and military officials. The lure is a set of NATO-related decoy documents; the payload chain uses a Rust-based loader (Freeze) that delivers the Havoc C2 post-exploitation framework. The analysis covers the infection chain, the malware components, and a possible Russian-origin attribution. #Freeze #HavocC2 #NATO #CzechRepublic #Russia

Keypoints

  • The campaign targets Czech government and military officials.
  • Utilizes NATO-themed decoy documents to lure victims.
  • The initial infection vector is a malicious ZIP archive carrying an LNK shortcut and a batch script.
  • A Rust-based loader, named Freeze, executes the follow-on payload.
  • The injected Havoc DLL is the Demon agent of the open-source Havoc post-exploitation framework.
  • The actor is suspected to be of Russian origin; the assessment rests on the geopolitical context of the targeting and is presented as a possibility, not a confirmed attribution.
  • Multiple indicators of compromise (IOCs) are listed, including file hashes, IP addresses, PDB paths and a User-Agent string.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The ZIP contains a malicious LNK file named “The importance of and outlook for the Czech Republic in NATO.pdf.lnk”, which runs a second malicious component, the batch script “AdobeAcrobatReader.bat”.
  • [T1204.002] User Execution: Malicious File – Once the victim opens the shortcut, the batch script renames the file masquerading as a PDF to AdobeReader.exe and uses xcopy to place it in the Startup folder, from which it is executed.
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Copying the payload into the Startup folder gives it persistence across logons.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – The Freeze loader is described as evading EDR by spawning suspended processes and issuing direct syscalls, which bypasses user-mode API hooks.
  • [T1562.006] Impair Defenses: Indicator Blocking – ETW is patched and hooked APIs are unhooked so that telemetry is not emitted to security tooling.
  • [T1055] Process Injection – The Rust loader injects the malicious Havoc DLL into a target process.
  • [T1055.002] Process Injection: Portable Executable Injection – The PE injection step that loads the Demon agent is described as part of the Demon pipeline.
  • [T1140] De-obfuscate/Decode Files or Information – The shellcode is recovered by Base64-decoding an embedded blob and then LZMA-decompressing it.
  • [T1027.007] Obfuscated Files or Information: Dynamic API Resolution – Both the loader and the Havoc Demon resolve Windows API addresses at runtime rather than listing them in the import table, so static import analysis does not reveal them.
  • [T1033] System Owner/User Discovery – The Demon’s metadata routine (DemonMetadata) collects the Demon ID, username, OS information and similar host details and reports them to the C2.
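The three items above describing the initial infection chain (a double-extension LNK, a batch script that renames a masqueraded PDF to an .exe, and an xcopy into the Startup folder) are the kind of thing a triage script can flag before anyone double-clicks. The following Python is an added example, not code from the Seqrite report or from the campaign; it builds an in-memory stand-in for the archive (the LNK and batch file names are taken from the report, the member contents are synthetic, and “document.pdf” is an assumed name for the masqueraded executable, which the page does not name) and checks each member for the indicators described.

```python
import io
import re
import zipfile

# Extensions that execute on double-click; a document extension sitting
# directly in front of one of these (".pdf.lnk") is a masquerade.
EXEC_EXTS = {".lnk", ".exe", ".bat", ".cmd", ".scr", ".js", ".vbs", ".hta", ".ps1"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}

# Batch-script patterns for the persistence step the report describes:
# a rename to .exe and a copy into the Startup folder.
BATCH_PATTERNS = {
    "rename_to_exe": re.compile(r"\b(ren|rename|move)\b.*\.exe\b", re.I),
    "copy_to_startup": re.compile(r"\b(xcopy|copy|move)\b.*\\startup\b", re.I),
}

# First four bytes of a Windows Shell Link file (HeaderSize = 0x4C).
LNK_MAGIC = b"\x4c\x00\x00\x00"


def ext_chain(name):
    """Lowercased extension chain of a zip member name, e.g. ['.pdf', '.lnk']."""
    base = name.rsplit("/", 1)[-1].lower()
    return ["." + p for p in base.split(".")[1:]]


def triage_zip(zip_bytes):
    """Return (label, member_name) findings for a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = ext_chain(info.filename)
            final = exts[-1] if exts else ""
            data = zf.read(info)
            # "report.pdf.lnk": document extension hiding an executable one
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and final in EXEC_EXTS:
                findings.append(("double_extension", info.filename))
            # Shell Link by content, regardless of what the name claims
            if data.startswith(LNK_MAGIC):
                findings.append(("lnk_file", info.filename))
            # A "PDF" whose bytes start with the PE/DOS header
            if final in DOC_EXTS and data.startswith(b"MZ"):
                findings.append(("pe_masquerading_as_document", info.filename))
            if final in {".bat", ".cmd"}:
                text = data.decode("utf-8", errors="replace")
                for label, pat in BATCH_PATTERNS.items():
                    if pat.search(text):
                        findings.append((label, info.filename))
    return findings


def zip_from_members(members):
    """Build an in-memory ZIP from a {name: bytes-or-str} mapping (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_zip():
    """Constructed stand-in for the campaign archive. Only the LNK and batch
    names come from the report; contents and 'document.pdf' are assumptions."""
    return zip_from_members({
        "1.The importance of and outlook for the Czech Republic in NATO.pdf.lnk":
            LNK_MAGIC + b"\x01\x14\x02\x00" + b"\x00" * 64,
        "AdobeAcrobatReader.bat":
            "@echo off\r\n"
            "ren \"%~dp0document.pdf\" AdobeReader.exe\r\n"
            "xcopy /y \"%~dp0AdobeReader.exe\" "
            "\"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\\"\r\n",
        "document.pdf": b"MZ" + b"\x90" * 62 + b"PE\x00\x00",
    })


if __name__ == "__main__":
    for label, name in triage_zip(build_sample_zip()):
        print(f"{label:30} {name}")
```

The content-based checks (LNK magic, MZ header) matter more than the name-based one: an attacker can drop the double extension, but a shortcut still has to begin with a Shell Link header and the payload still has to be a PE for the rename-and-run trick to work.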

Indicators of Compromise

  • [URL] – hxxps://206.188.197.113/, hxxps://195.123.225.88/
  • [IP Address] – 206.188.197.113, 195.123.225.88
  • [SHA-256 Hash] – 9549d3d2b8e8b4e8f163a8b9fa3b02b8a28d78e4b583baccb6210ef267559c6e, 436994d4a5c8d54acb2b521d0847d77e6af6c2c0e40468248b1dd019c6dafa84
  • [File Name] – CZ_army_NATO_cooperation.zip, 1.The importance of and outlook for the Czech Republic in NATO.pdf.lnk
  • [PDB Path] – C:\TOOL\Freeze.rs-main\target\release\vihu\target\release\deps\vihu.pdb, C:\TOOL\Freeze.rs-main\target\release\gnobya\target\release\deps\gnobya.pdb, C:\TOOL\Freeze.rs-main\target\release\AdobeReader\target\release\deps\AdobeReader.pdb
  • [User-Agent] – Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
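Turning the indicator list above into a check is mostly a matter of being honest about how strong each indicator is. The Python below is an added example, not tooling from Seqrite or from the report: it re-fangs the defanged URLs, scans proxy log lines in a constructed, assumed layout (timestamp, client IP, destination IP, method, URL, status, quoted User-Agent) and grades hits, hashes a sample against the listed SHA-256 values, and searches raw bytes for build-path tokens taken from the listed PDB paths. The log lines and sample bytes are constructed for the example; the benign destinations use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.

```python
import hashlib
import re

# Network and host indicators as listed on the page (URLs kept defanged).
IOC_URLS = {"hxxps://206.188.197.113/", "hxxps://195.123.225.88/"}
IOC_IPS = {"206.188.197.113", "195.123.225.88"}
IOC_SHA256 = {
    "9549d3d2b8e8b4e8f163a8b9fa3b02b8a28d78e4b583baccb6210ef267559c6e",
    "436994d4a5c8d54acb2b521d0847d77e6af6c2c0e40468248b1dd019c6dafa84",
}
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36")
# Tokens from the listed PDB paths; a build-directory string survives a
# recompile of the same crate, whereas the file hash does not.
PDB_TOKENS = [b"Freeze.rs-main", b"vihu.pdb", b"gnobya.pdb", b"AdobeReader.pdb"]


def refang(ioc):
    """Turn a defanged indicator (hxxp, [.], [:]) back into its matchable form."""
    return ioc.replace("hxxp", "http").replace("[.]", ".").replace("[:]", ":")


def url_host(url):
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else ""


IOC_HOSTS = {url_host(refang(u)) for u in IOC_URLS} | IOC_IPS

# Assumed proxy log layout (constructed for this example):
#   <timestamp> <client_ip> <dest_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) "(.*)"$')


def scan_proxy_log(lines):
    """Return (line_no, severity, reasons) for lines touching the IOCs.

    A destination IP or URL host hit is 'high'. The User-Agent on its own is
    'low': it is a stock Chrome 96 on Windows 7 string that legitimate clients
    also send, so it only corroborates a network hit.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, _client, dest_ip, _method, url, _status, ua = m.groups()
        reasons = []
        if dest_ip in IOC_IPS:
            reasons.append("dest_ip")
        if url_host(url) in IOC_HOSTS:
            reasons.append("url_host")
        if ua == IOC_USER_AGENT:
            reasons.append("user_agent")
        if reasons:
            severity = "low" if reasons == ["user_agent"] else "high"
            hits.append((n, severity, reasons))
    return hits


def sha256_hit(data):
    """True if the bytes hash to one of the listed SHA-256 values."""
    return hashlib.sha256(data).hexdigest() in IOC_SHA256


def pdb_hits(data):
    """Build-path tokens present in a sample's raw bytes."""
    return [t.decode() for t in PDB_TOKENS if t in data]


# Constructed log lines for the example run.
SAMPLE_LOG = [
    '2024-01-01T09:00:01Z 10.0.0.5 206.188.197.113 GET https://206.188.197.113/ 200 "' + IOC_USER_AGENT + '"',
    '2024-01-01T09:00:02Z 10.0.0.7 203.0.113.10 GET https://intranet.example/ 200 "' + IOC_USER_AGENT + '"',
    '2024-01-01T09:00:03Z 10.0.0.9 198.51.100.20 GET https://www.example.com/ 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"',
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Hash matching is the brittlest of the three checks: any rebuild of the Freeze crates yields new hashes, so the PDB-path tokens and the C2 addresses are the indicators worth keeping in a detection rule for more than a few days.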

Read more: https://www.seqrite.com/blog/operation-oxidovy-sophisticated-malware-campaign-targets-czech-officials-using-nato-themed-decoys/