Hackers Target Russian Govt with Fake Windows Updates Pushing RATs

Hackers are targeting Russian government agencies with phishing emails that pretend to be Windows security updates and other lures to install remote access malware.

The attacks are being conducted by a previously undetected APT (advanced persistent threat) group believed to be operating from China, which has been linked to four separate spear-phishing campaigns.

These operations ran between February and April 2022, coinciding with the Russian invasion of Ukraine. Their targets were government entities of the Russian Federation.

In all four cases, the ultimate goal of the campaigns was to infect the targets with a custom remote access trojan (RAT) which most likely aided in espionage operations.

The discovery and report come from analysts at the Malwarebytes Threat Intelligence team, who noticed the threat actors’ distinctive attempts to spoof other hacking groups and pass undetected.

The phishing campaigns

The first of the four campaigns attributed to this new APT began in February 2022, mere days after the Russian invasion of Ukraine, distributing the RAT under the name “interactive_map_UA.exe”.

For the second wave, the APT had more time to prepare something more sophisticated. They used a tar.gz archive that purported to be a fix for the Log4Shell vulnerability, supposedly sent by the Ministry of Digital Development, Telecommunications, and Mass Communications of the Russian Federation.

According to Malwarebytes, this campaign was narrowly targeted, as most of the associated emails reached employees of the RT TV station, a state-owned Russian television network.

Those emails contained a PDF with instructions on installing the Log4j patch and even included advice like “not to open or reply to suspicious emails”.

“Taking into account the use by cybercriminals of certain software and server-type vulnerabilities to gain access to user information, a software patch was released to update a Windows 10 system that closes the vulnerability CVE-2021-44228 (severity level 10.0),” reads the translated phishing document, as shown below.

PDF containing instructions on how to install the malware

The third campaign spoofs Rostec, a Russian state-owned defense conglomerate. The actors used newly registered domains like “” and fake Facebook accounts to spread their malware while making it look like it came from the known entity.

Fake company profile on Facebook (Malwarebytes)

Finally, in April 2022, the Chinese hackers switched to a macro-infected Word document containing a fake job advert by Saudi Aramco, a large oil and natural gas firm.

The document used remote template injection to fetch the malicious template, which then dropped a VBS script on the machines of candidates applying for the “Strategy and Growth Analyst” position.

The Aramco campaign infection chain (Malwarebytes)

Stealthy custom payload

Malwarebytes was able to retrieve samples of the dropped payload from all four campaigns and reports that in all cases, it is essentially the same DLL using different names.

The malware features anti-analysis techniques such as control flow flattening via OLLVM and string obfuscation using XOR encoding.
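
XOR string obfuscation hides command names and C2 strings from a plain `strings` pass but is cheap for an analyst to undo. The script below is an added example for this page, not code from Malwarebytes or from the sample; it assumes a single-byte repeating key (real samples may use longer keys) and constructs its own string table from the command names listed in the report, NUL-separated and XORed with the constructed key `0x5A`. It shows the two usual recovery routes: a brute force over all 256 keys that keeps those producing printable output, and a known-plaintext (crib) pass that pins the key exactly when one expected string is known.

```python
import string

# Bytes we accept as "text" when scoring a candidate key.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")

# Command names from the report, used as constructed plaintext; the key and
# NUL separators are assumptions for the demo.
SAMPLE_STRINGS = [b"getcomputername", b"upload", b"execute", b"exit", b"ls"]
SAMPLE_KEY = 0x5A


def xor_bytes(data, key):
    """XOR every byte with a single-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def build_sample_blob():
    """Constructed string table: NUL-separated strings XORed with SAMPLE_KEY."""
    return xor_bytes(b"\x00".join(SAMPLE_STRINGS) + b"\x00", SAMPLE_KEY)


def candidate_keys(blob):
    """Brute force: keys for which the whole table decodes to printable text or NUL."""
    keys = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if all(b in PRINTABLE or b == 0 for b in decoded):
            keys.append(key)
    return keys


def recover_key_with_crib(blob, crib):
    """Known plaintext: slide the crib over the blob; with a single-byte key every
    position must yield the same key byte. Returns (key, offset) or (None, None)."""
    for off in range(len(blob) - len(crib) + 1):
        ks = {blob[off + i] ^ crib[i] for i in range(len(crib))}
        if len(ks) == 1:
            return ks.pop(), off
    return None, None


def decode_strings(blob, key, min_len=2):
    """Decode with key, split on NUL, drop fragments shorter than min_len."""
    plain = xor_bytes(blob, key)
    return [s.decode("ascii", "replace") for s in plain.split(b"\x00") if len(s) >= min_len]


if __name__ == "__main__":
    blob = build_sample_blob()
    print("candidate keys:", [hex(k) for k in candidate_keys(blob)])
    key, off = recover_key_with_crib(blob, b"getcomputername")
    print("crib key:", hex(key), "at offset", off)
    print(decode_strings(blob, key))
```

The brute force usually returns several keys (a key differing by `0x20` simply flips letter case, for instance), which is why a crib such as a command name or a known C2 domain is the quicker route once one string is suspected.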

Control flow flattening in the malware (Malwarebytes)

The commands the C2 server can issue to the payload include the following:

  • getcomputername – profile the host and assign a unique ID
  • upload – receive a file from the C2 and write it onto the host’s disk
  • execute – execute a command-line instruction from the C2 and respond with the result
  • exit – terminate the malware process
  • ls – retrieve a list of all files under a specified directory and send it to the C2

The malware’s upload command (Malwarebytes)

The C2 domains discovered by Malwarebytes were “windowsipdate[.]com”, “microsoftupdetes[.]com”, and “mirror-exchange[.]com”.
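
Two of those domains are one or two characters away from names a Windows host legitimately resolves, which is exactly the pattern a DNS-log check can catch. The script below is an added example for this page (not Malwarebytes' detection logic): it runs over a few constructed DNS log lines containing the reported domains with the defanging brackets removed, compares each queried name's registrable label against an assumed reference list of brand labels using edit distance, and flags near misses. The reference list, the distance threshold of 2 and the log format are all assumptions for the demo.

```python
import re

# Constructed DNS log lines (not real telemetry).
SAMPLE_LOG = """\
2022-04-12T10:03:11Z 10.0.0.5 query A windowsipdate.com
2022-04-12T10:03:12Z 10.0.0.5 query A microsoft.com
2022-04-12T10:04:40Z 10.0.0.9 query A microsoftupdetes.com
2022-04-12T10:05:02Z 10.0.0.9 query A mirror-exchange.com
2022-04-12T10:05:03Z 10.0.0.7 query A windowsupdate.com
"""

# Brand labels an attacker is likely to imitate (assumed reference list).
REFERENCE_LABELS = ["microsoft", "windowsupdate", "microsoftupdate", "windows"]
MAX_DISTANCE = 2


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label; assumes a one-label TLD (co.uk-style suffixes not handled)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_match(domain):
    """Return (reference, distance) when the label is a near miss of a reference label,
    None when it matches exactly (legitimate) or is not close to anything."""
    label = registrable_label(domain)
    best = None
    for ref in REFERENCE_LABELS:
        d = levenshtein(label, ref)
        if best is None or d < best[1]:
            best = (ref, d)
    if best and 0 < best[1] <= MAX_DISTANCE:
        return best
    return None


def scan_log(text):
    """Flag queried domains whose label closely imitates a reference label."""
    findings = []
    for line in text.splitlines():
        m = re.search(r"query\s+\S+\s+(\S+)$", line.strip())
        if not m:
            continue
        domain = m.group(1)
        hit = lookalike_match(domain)
        if hit:
            findings.append((domain, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for domain, ref, dist in scan_log(SAMPLE_LOG):
        print(f"{domain}: imitates '{ref}' (edit distance {dist})")
```

The third reported domain, mirror-exchange[.]com, is not a near miss of any brand label and so is not flagged by this check; it would need a different signal, such as domain registration age, to stand out.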

Spoofing other hackers

The evidence that points to this new APT being a Chinese group stems from the infrastructure, but Malwarebytes’ confidence is low.

What is clear is the intention of the threat actor to hide its distinctive tracks by spoofing other hackers and using their malware tools.

For example, parts of the infrastructure used were previously linked to the Sakula RAT, used by the Deep Panda Chinese APT.

Another interesting finding is that the new APT used the same macro builder for the Saudi Aramco wave as TrickBot and BazarLoader.

Finally, there’s the deployment of the wolfSSL library, which is typically seen exclusively in Lazarus or Tropic Trooper campaigns.
