A threat actor is conducting a targeted malware campaign against Thailand’s healthcare sector, with attacks aimed at Ministry of Health officials, hospital administrators, clinic staff, and medical procurement teams, according to researchers at Seqrite Lab.
The campaign uses healthcare-themed spear-phishing emails that contain malicious RAR archives disguised as legitimate documents. The lures include fake patient admission requests, CT scan results, medical records, X-ray inquiries, and Ministry of Health equipment approval documents.
Researchers said the themes show a clear understanding of healthcare workflows and suggest the attackers carefully selected their targets.
Once a victim opens the malicious archive, an obfuscated batch file launches a multi-stage infection chain. The malware uses obfuscated scripts to download additional payloads from GitHub repositories, establish persistence on the infected system, and ultimately deploy a Python-based information stealer.
“The use of GitHub-hosted payloads, deceptive file extensions, and multi-stage execution provides operational flexibility while reducing the likelihood of detection,” the report notes.
During analysis, researchers found that the malware creates persistence through a script named “WindowSecuryt.bat,” which later downloads another batch file called “u-t2.bat.” The final payload, called “sim.py,” is executed through a bundled Python environment and is designed to collect sensitive information from compromised devices.
The malware terminates web browsers including Google Chrome, Microsoft Edge, Brave, and other Chromium-based browsers, allowing it to access stored credentials, cookies, and session data. It then compresses the stolen information into archives and attempts to exfiltrate the data through Telegram-based channels.
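As an added defender's illustration (not code from the Seqrite report), the Python sketch below correlates Sysmon-style process and network events for the stages the article describes: the named batch scripts, a bundled Python interpreter running sim.py, termination of Chromium-based browsers, and outbound traffic from scripts to GitHub and from Python to Telegram. The GitHub and Telegram host names, the event field names, and the sample telemetry are assumptions chosen for the example.

```python
import re
# File names come from the report; the GitHub/Telegram hosts are assumptions (it names services, not hosts).
CAMPAIGN_SCRIPTS = {"windowsecuryt.bat", "u-t2.bat"}
TARGET_BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")
STAGING_HOSTS = ("github.com", "raw.githubusercontent.com")
EXFIL_HOSTS = ("api.telegram.org",)
SCRIPT_IMAGES = ("cmd.exe", "powershell.exe", "curl.exe", "certutil.exe")

def basename(path):
    return re.split(r"[\\/]", path.strip('"'))[-1].lower()

def classify(ev):
    """Return the chain stages one Sysmon-style event matches (possibly none)."""
    hits, cmd, image = [], ev.get("CommandLine", "").lower(), basename(ev.get("Image", ""))
    if ev["EventType"] == "ProcessCreate":
        if any(s in cmd for s in CAMPAIGN_SCRIPTS):
            hits.append("campaign_batch_script_run")
        if image.startswith("python") and "sim.py" in cmd:
            hits.append("bundled_python_runs_sim_py")
        if image == "taskkill.exe" and any(b in cmd for b in TARGET_BROWSERS):
            hits.append("browser_termination")
    elif ev["EventType"] == "NetworkConnect":
        host = ev.get("DestinationHostname", "").lower()
        if host.endswith(STAGING_HOSTS) and image in SCRIPT_IMAGES:
            hits.append("script_fetches_from_github")
        if host.endswith(EXFIL_HOSTS) and image.startswith("python"):
            hits.append("python_to_telegram")
    return hits

def analyze(events, min_stages=3):
    """Correlate stages per host; a lone taskkill is noise, several stages together are not."""
    by_host = {}
    for ev in events:
        for sig in classify(ev):
            by_host.setdefault(ev["Host"], set()).add(sig)
    return {h: sorted(s) for h, s in by_host.items() if len(s) >= min_stages}

SAMPLE_EVENTS = [  # constructed telemetry for illustration, not real logs
    {"Host": "WS01", "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\u\AppData\Roaming\WindowSecuryt.bat"'},
    {"Host": "WS01", "EventType": "NetworkConnect", "Image": r"C:\Windows\System32\cmd.exe",
     "DestinationHostname": "raw.githubusercontent.com"},
    {"Host": "WS01", "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM chrome.exe /IM msedge.exe /IM brave.exe"},
    {"Host": "WS01", "EventType": "ProcessCreate", "Image": r"C:\Users\u\AppData\Roaming\py\python.exe",
     "CommandLine": r"python.exe C:\Users\u\AppData\Roaming\py\sim.py"},
    {"Host": "WS01", "EventType": "NetworkConnect", "Image": r"C:\Users\u\AppData\Roaming\py\python.exe",
     "DestinationHostname": "api.telegram.org"},
    {"Host": "WS02", "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\taskkill.exe", "CommandLine": "taskkill /F /IM chrome.exe"},
]
```

Running `analyze(SAMPLE_EVENTS)` flags only WS01, where five distinct stages co-occur; the single browser kill on WS02 stays below the threshold.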
The earliest known sample linked to the campaign was uploaded on April 7, 2026, while the most recent sample was observed on June 3, 2026, indicating that the operation remained active for at least ten weeks. All identified samples were uploaded from Thailand, suggesting the attackers may be using local infrastructure or compromised systems within the country to distribute the malware.