Inside a Multi-Stage Windows Malware Campaign

    Date: 01/21/2026

    Severity: High

    Summary

    Labs have uncovered a multi-stage malware campaign mainly targeting users in Russia. The attack starts with social engineering via business-themed documents that appear routine and harmless. These files distract victims with fake tasks or status messages while malicious processes run in the background. The campaign escalates to full system compromise, including security bypass, surveillance, system restrictions, Amnesia RAT, and ransomware. Notably, it abuses Defendnot—a research tool repurposed to disable Microsoft Defender by exploiting weaknesses in Windows Security Center.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://github.com/Mafin111/MafinREP111

    https://dl.dropboxusercontent.com/scl/fi/fvugw0l9x7ty665esaul3/svchost.scr?rlkey=urzegysuk9bkrw2b8zmx31457&st=gbhmc2su

    Hashes (SHA-256):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://github.com/Mafin111/MafinREP111" or url like "https://github.com/Mafin111/MafinREP111" or siteurl like "https://github.com/Mafin111/MafinREP111" or domainname like "https://dl.dropboxusercontent.com/scl/fi/fvugw0l9x7ty665esaul3/svchost.scr?rlkey=urzegysuk9bkrw2b8zmx31457&st=gbhmc2su" or url like "https://dl.dropboxusercontent.com/scl/fi/fvugw0l9x7ty665esaul3/svchost.scr?rlkey=urzegysuk9bkrw2b8zmx31457&st=gbhmc2su" or siteurl like "https://dl.dropboxusercontent.com/scl/fi/fvugw0l9x7ty665esaul3/svchost.scr?rlkey=urzegysuk9bkrw2b8zmx31457&st=gbhmc2su"

    Detection Query 2:

    sha256hash IN ("3aa6ebb73390d304eef8fd897994906c05f3e967f8f6f6a7904c6156cf8819f9","6222775b877b4be4f5407525d52c5889739b96c302e5a204ef369b4a51c6dab2","7b8cf0ef390a7d6126c5e7bf835af5c5ce32c70c0d58ca4ddc9c238b2d3f059a","7de56603a7b41fca9313231df6105dbb8148d3b0d80dfbc00e71e1d88f871915","359fe8df31c903153667fbe93795929ad6172540b3ee7f9eff4bcc1da6d08478","45e942ba59f3876b263a03ed7e5d5b1b250e84a0a4b4093b3c13b5fca4e12b21","71069a5d2a80a047ca36ca82e630d353829726d4f03a74c7522b7700c5c2bb59","e6ca6bab85ae1eff08a59b46b7905ae0568110da172dec8367f32779094bdd08","1828614be6d9bdd92f7ee30e12c8aac8eba33a6df2c92995f9bf930c3f1b992b","263b5ba921e478215dc9e3a397157badab415fc775cfb4681821b7446c14fb1a","5443232a367a83ac2899b37c066dae3ec2010df292291db24ce3d744133218a6")
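    The two queries above, re-implemented as a stand-alone matcher so they can be exercised against sample records offline. This is an added example, not Gurucul's or Fortinet's code; the record layout (dictionaries keyed by the query field names) and the sample records are assumptions, while the IOC values are the ones this page lists. It also matches on the bare host derived from each URL, which Query 1 does not do, so that fields carrying only a domain name still produce a (lower-confidence) hit.

```python
# Added example, not Gurucul's or Fortinet's code: Detection Query 1 and 2 above
# re-implemented as a stand-alone matcher over dictionary-shaped log records.
from urllib.parse import urlparse

IOC_URLS = frozenset({
    "https://github.com/Mafin111/MafinREP111",
    "https://dl.dropboxusercontent.com/scl/fi/fvugw0l9x7ty665esaul3/svchost.scr?rlkey=urzegysuk9bkrw2b8zmx31457&st=gbhmc2su",
})
# Hosts derived from the URLs so a field holding only the domain still matches;
# github.com alone is very noisy, so treat host-only hits as triage leads.
IOC_HOSTS = frozenset(urlparse(u).hostname for u in IOC_URLS)
IOC_SHA256 = frozenset({  # the SHA-256 values from this page's IOC list
    "7b8cf0ef390a7d6126c5e7bf835af5c5ce32c70c0d58ca4ddc9c238b2d3f059a",
    "1828614be6d9bdd92f7ee30e12c8aac8eba33a6df2c92995f9bf930c3f1b992b",
    "3aa6ebb73390d304eef8fd897994906c05f3e967f8f6f6a7904c6156cf8819f9",
    "263b5ba921e478215dc9e3a397157badab415fc775cfb4681821b7446c14fb1a",
    "5443232a367a83ac2899b37c066dae3ec2010df292291db24ce3d744133218a6",
    "359fe8df31c903153667fbe93795929ad6172540b3ee7f9eff4bcc1da6d08478",
    "6222775b877b4be4f5407525d52c5889739b96c302e5a204ef369b4a51c6dab2",
    "71069a5d2a80a047ca36ca82e630d353829726d4f03a74c7522b7700c5c2bb59",
    "45e942ba59f3876b263a03ed7e5d5b1b250e84a0a4b4093b3c13b5fca4e12b21",
    "e6ca6bab85ae1eff08a59b46b7905ae0568110da172dec8367f32779094bdd08",
    "7de56603a7b41fca9313231df6105dbb8148d3b0d80dfbc00e71e1d88f871915",
})
URL_FIELDS = ("domainname", "url", "siteurl")  # the fields Query 1 inspects


def match_event(event):
    """Return the IOC hits for one record; an empty list means no match."""
    hits = []
    for field in URL_FIELDS:
        value = (event.get(field) or "").strip()
        if not value:
            continue
        if value in IOC_URLS:                                    # Query 1
            hits.append(field + ":url")
        elif value.lower() in IOC_HOSTS or urlparse(value).hostname in IOC_HOSTS:
            hits.append(field + ":host")                         # weaker hit
    if (event.get("sha256hash") or "").lower() in IOC_SHA256:   # Query 2
        hits.append("sha256hash:hash")
    return hits


# Constructed sample records (not real telemetry): upper-case hash hit,
# exact URL hit, host-only hit, and a benign record that must not match.
SAMPLE_EVENTS = [
    {"sha256hash": "7B8CF0EF390A7D6126C5E7BF835AF5C5CE32C70C0D58CA4DDC9C238B2D3F059A"},
    {"url": "https://github.com/Mafin111/MafinREP111"},
    {"domainname": "dl.dropboxusercontent.com"},
    {"url": "https://example.org/report.pdf", "sha256hash": "0" * 64},
]
```

Hash comparison is case-insensitive because telemetry sources disagree on hex casing; the benign record shows that a well-formed but unknown hash produces no hit.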

    Reference: 

    https://www.fortinet.com/blog/threat-research/inside-a-multi-stage-windows-malware-campaign


    Tags

    Malware, Russia, Social Engineering, RAT, Ransomware, Exploit
