An ongoing campaign distributing a previously undocumented Windows spyware has targeted Russian organizations. According to cybersecurity vendor Kaspersky, the activity began in July 2024.

The attackers are allegedly the owners of the domain "oblast-ru[.]com," from which the emails are sent. The malware probably shows the victim a fictitious contract as a diversion while it gathers system logs, office documents, and screenshots in the background. In a fourth step of the attack chain, the freshly gathered data is sent to a different domain, from which an unidentified executable is downloaded.

The revelation coincides with Fortinet FortiGuard Labs' description of a malicious campaign that distributed NordDragonScan, a Windows stealer malware. Security researcher Cara Lin stated that NordDragonScan can collect Chrome and Firefox profiles, take a screenshot, extract documents and PDFs, and scan the host. "Once installed, NordDragonScan harvests entire Chrome and Mozilla profiles, copies documents, and takes screenshots," she explained.

Although the precise initial access vector is unknown, it is thought to be a phishing email carrying a link that triggers the download of a RAR archive. According to the Russian company, "the primary objective of the attack is to infect organizations with the previously unknown Batavia spyware, which then proceeds to steal internal documents." Over 100 users from several dozen organizations are thought to have received phishing emails during the previous year. Removable devices connected to the host are also included in the data collection.

The collected files include images, emails, Microsoft PowerPoint presentations, archive files, and text documents (*.jpeg, *.jpg, *.cdr, *.csv, *.eml, *.ppt, *.pptx, *.odp, *.rar, *.zip, *.rtf, and *.xlsx).