Amnesia RAT
Amnesia RAT is a remote access trojan used in a multi-stage phishing campaign primarily targeting Windows users and organizations in Russia. The campaign relies on social engineering rather than software exploits: victims receive compressed archives containing Russian-language business or accounting decoy documents and a malicious LNK shortcut that launches PowerShell to download a first-stage loader (including kira.ps1) from GitHub. Subsequent stages use obfuscated VBScript reconstructed in memory via Base64 and RC4 decoding, attempt privilege escalation through repeated UAC prompts, and disable Microsoft Defender using PowerShell, registry changes, and the Defendnot tool. Payloads are hosted across GitHub and Dropbox, with Amnesia RAT commonly delivered from Dropbox as svchost.scr and persisted via the Startup folder and HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
The malware is described as a PyInstaller-packaged, Python-based RAT with an embedded module named amnesiarat1.pyc. Its capabilities include persistent remote access, interactive system control, reconnaissance, screenshot capture, audio capture, remote command execution, and data exfiltration via Telegram and file-hosting services such as GoFile. It steals browser credentials and data from Chromium-based browsers including Chrome, Edge, Brave, Opera/Opera GX, Vivaldi, Chromium, and Yandex, including passwords, cookies, session tokens, history, downloads, and autofill data. It also targets Telegram Desktop session data (tdata), Discord data/tokens, Steam data, cryptocurrency wallets, seed phrases including BIP-39 phrases, clipboard contents, and broader system, user, network, and security-environment information.
Amnesia RAT has been observed deployed alongside a Hakuna Matata-derived ransomware payload and a WinLocker component. In the reported campaign, the broader intrusion also disables administrative and diagnostic tools, deletes recovery artifacts, hijacks file associations, changes wallpaper, drops ransom notes, and performs clipboard hijacking to replace cryptocurrency wallet addresses with attacker-controlled values. FortiGuard Labs reported that the campaign can achieve full system compromise without exploiting software vulnerabilities. The activity has been described as combining espionage-style surveillance and credential theft with financially motivated ransomware impact, and reporting noted TTP similarities to Operation DupeHike (UNG0902) and Paper Werewolf/GOFFEE. High-confidence identifiers mentioned in the reporting include filenames such as kira.ps1, SCRRC4ryuk.vbe, svchost.scr, TelegramWorker.scr, WmiPrvSE.scr, gedion.scr, the embedded module name amnesiarat1.pyc, and the ransom-note filename ЧИТАЙМЕНЯ.txt.
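As an added defender-side example (not code from the FortiGuard report or from Mallory), the check below reviews HKCU Run-key values and Startup-folder items for the persistence pattern described above. The registry entries are constructed sample data, and the three heuristics (filenames reported for this campaign, a .scr launched from a user-writable path, and a system-binary name outside System32) are assumptions drawn from this write-up rather than a published detection rule.

```python
from pathlib import PureWindowsPath

# Payload filenames reported for this campaign (taken from the write-up above).
REPORTED_NAMES = {"svchost.scr", "telegramworker.scr", "wmiprvse.scr", "gedion.scr"}
# Legitimate system binaries the payloads masquerade as; the real ones live in System32.
SYSTEM_BINARIES = {"svchost", "wmiprvse"}
# Path segments that an unprivileged user can write to (assumption: typical layout).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def _image_path(value_data: str) -> str:
    """Extract the executable path from Run-key data, with or without quotes/arguments."""
    s = value_data.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def classify_run_entry(value_data: str) -> list[str]:
    """Return reasons a Run-key value or Startup-folder path matches the described persistence."""
    image = _image_path(value_data)
    name = PureWindowsPath(image).name.lower()
    stem, ext = (name.rsplit(".", 1) + [""])[:2]
    lower = image.lower()
    reasons = []
    if name in REPORTED_NAMES:
        reasons.append(f"filename {name} was reported for this campaign")
    if ext == "scr" and any(seg in lower for seg in USER_WRITABLE):
        reasons.append("screen-saver executable (.scr) launched from a user-writable path")
    if stem in SYSTEM_BINARIES and not lower.startswith("c:\\windows\\system32\\"):
        reasons.append(f"{stem} name used outside System32 (masquerading)")
    return reasons


def scan_run_key(entries: dict[str, str]) -> dict[str, list[str]]:
    """Apply classify_run_entry to every value in a Run key; keep only the flagged ones."""
    return {n: r for n, data in entries.items() if (r := classify_run_entry(data))}


# Constructed sample of an HKCU\...\CurrentVersion\Run key, modelled on the report.
SAMPLE_RUN_KEY = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "svchost": r'"C:\Users\ivan\AppData\Roaming\svchost.scr"',
    "Updater": r'C:\Users\ivan\AppData\Local\Temp\WmiPrvSE.scr --silent',
    "SecurityHealth": r'C:\Windows\System32\SecurityHealthSystray.exe',
}

if __name__ == "__main__":
    for value_name, reasons in scan_run_key(SAMPLE_RUN_KEY).items():
        print(value_name, "->", "; ".join(reasons))
```

The same function can be fed the full paths of files found in the user's Startup folder, since those are plain paths without arguments.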
Recent activity
Remote access trojan used in a multi-stage phishing campaign targeting Russia; campaign also delivers ransomware (name not specified in excerpt).
Remote Access Trojan used in multi-stage phishing campaigns to gain remote control of victim systems.
Remote access trojan used for long-term control and broad data theft. It is described as hiding as “svchost.scr”, gaining persistence, stealing browser credentials, Telegram sessions, crypto wallets, Discord/Steam data, seed phrases, and system information; it also supports screenshots, audio capture, remote commands, and exfiltration via Telegram and file-hosting services.
Remote access trojan fetched from Dropbox that enables extensive data exfiltration from browsers, cryptocurrency wallets, and other applications (e.g., Telegram and Discord).