Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware

A multi-stage phishing campaign targeting Russian users delivers Amnesia RAT and a Hakuna Matata–derived ransomware via business-themed decoy documents and malicious LNK files that fetch loaders from a GitHub repository and binaries from Dropbox. The attackers abuse defendnot to disable Microsoft Defender, communicate and exfiltrate data via Telegram Bot APIs, and related activity connects to implants and actors such as DUPERUNNER/UNG0902 and Paper Werewolf’s EchoGather. #AmnesiaRAT #HakunaMatata #defendnot #DUPERUNNER

Keypoints

  • The campaign uses business-themed decoy documents and double‑extension LNK files inside ZIP archives to trick victims into executing malicious loaders.
  • Attackers host scripts on GitHub and stage binary payloads on Dropbox, separating infrastructure to hinder takedown attempts.
  • Operators deploy defendnot to register a fake AV and disable Microsoft Defender, and they modify Defender exclusions and settings to evade detection.
  • Amnesia RAT provides broad data theft and remote control capabilities, exfiltrating screenshots, browser and wallet data, and system media via Telegram and third‑party hosts.
  • A Hakuna Matata–derived ransomware encrypts targeted files, terminates interfering processes, tampers with clipboard wallet addresses, and deploys a WinLocker component at the end of the chain.
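One defensive check that follows from the first keypoint is to inspect incoming ZIP archives for shortcut files disguised as documents. The script below is an added example written for this digest, not code from the reported campaign or from any vendor; the archive it scans is constructed inline (the member names and the fake LNK header bytes are assumptions), so it runs offline and is safe to drop into a mail-gateway or sandbox pre-filter as a starting point.

```python
"""Flag double-extension LNK lures (e.g. "Invoice.pdf.lnk") inside a ZIP.

Added example for this digest; not code from the reported campaign or from
any vendor. The sample archive is constructed below so the check runs offline.
"""
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Document-looking extensions attackers place in front of ".lnk" so the entry
# reads as a PDF/Office file when Explorer hides the real extension.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt"}

# "<name>.<decoy ext>[optional padding spaces].lnk", case-insensitive.
_DOUBLE_EXT_RE = re.compile(
    r"\.(" + "|".join(DECOY_EXTENSIONS) + r")\s*\.lnk$", re.IGNORECASE
)


def classify_entry(name: str) -> Optional[str]:
    """Return a finding label for one archive member name, or None if benign."""
    base = name.rsplit("/", 1)[-1]  # ignore directory prefixes inside the ZIP
    if not base.lower().rstrip().endswith(".lnk"):
        return None
    if _DOUBLE_EXT_RE.search(base):
        return "double-extension LNK"
    # A bare shortcut in a "business document" archive is still worth a look.
    return "LNK in document archive"


def find_suspicious_lnk(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, finding) for every shortcut-like entry in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            label = classify_entry(info.filename)
            if label:
                findings.append((info.filename, label))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign document plus three lure-style shortcuts."""
    fake_lnk = b"L\x00\x00\x00"  # assumed placeholder, not a real shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Contract_2026.docx", b"benign placeholder")
        zf.writestr("Invoice_0117.pdf.lnk", fake_lnk)
        zf.writestr("docs/Act_of_acceptance.xlsx   .lnk", fake_lnk)  # space padding
        zf.writestr("readme.lnk", fake_lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for member, label in find_suspicious_lnk(build_sample_archive()):
        print(f"{label}: {member}")
```

The check looks only at member names, so it costs nothing per archive and catches the space-padded variant that pushes the real extension out of view; pair it with a rule that quarantines any archive containing a `.lnk` at all, since legitimate business attachments almost never carry shortcuts.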

Read More: https://thehackernews.com/2026/01/multi-stage-phishing-campaign-targets.html