{"id":55104,"date":"2026-01-12T15:00:28","date_gmt":"2026-01-12T20:00:28","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=55104"},"modified":"2026-01-12T15:00:28","modified_gmt":"2026-01-12T20:00:28","slug":"malicious-mailing-masking-activity","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/malicious-mailing-masking-activity\/55104\/","title":{"rendered":"Stealthy malware masking its activity, deploying infostealer"},"content":{"rendered":"

Our experts have detected a new wave of malicious emails targeting Russian private-sector organizations. The goal of the attack is to infect victims\u2019 computers with an infostealer. This campaign is particularly noteworthy because the attackers tried to disguise their activity as the operations of legitimate software and traffic to the ubiquitously-used state and municipal services website.<\/p>\n

How the attack begins<\/h2>\n

The attackers distribute an email containing a malicious attachment disguised as a regular PDF document. In reality, the file is an executable hiding behind a PDF icon; double-clicking it triggers an infection chain on the victim\u2019s computer. In the campaign we analyzed, the malicious files were named \u0423\u0412\u0415\u0414\u041e\u041c\u041b\u0415\u041d\u0418\u0415 \u043e \u0432\u043e\u0437\u0431\u0443\u0436\u0434\u0435\u043d\u0438\u0438 \u0438\u0441\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0441\u0442\u0432\u0430 <\/em>(NOTICE of Initiation of Enforcement Proceedings) and \u0414\u043e\u043f\u043e\u043b\u043d\u0438\u0442\u0435\u043b\u044c\u043d\u044b\u0435 \u0432\u044b\u043f\u043b\u0430\u0442\u044b <\/em>(Additional Payouts), though these are probably not the only document names the attackers employ to trick victims into clicking the files.<\/p>\n

Technically, the file disguised as a document is a downloader built with the help of the .NET<\/em> framework. It downloads a secondary loader that installs itself as a service to establish persistence on the victim\u2019s machine. This other loader then retrieves a JSON string containing encrypted files from the command-and-control server. It saves these files to the compromised computer in C:\\ProgramData\\Microsoft Diagnostic\\Tasks<\/em>, and executes them one by one.<\/p>\n

\"Example<\/a>

Example of the server response<\/p><\/div>\n

The key feature of this delivery method is its flexibility: the attackers can provide any malicious payload from the command-and-control server for the malware to download and execute. Presently, the attackers are using an infostealer as the final payload, but this attack could potentially be used to deliver even more dangerous threats \u2013 such as ransomware, wipers, or tools for deeper lateral movement within the victim\u2019s infrastructure.<\/p>\n

Masking malicious activity<\/h2>\n

The command-and-control server used to download the malicious payload in this attack was hosted on the domain gossuslugi{.}com<\/em>. The name is visually similar to Russia\u2019s widely used state and municipal services portal. Furthermore, the second-stage loader has the filename NetworkDiagnostic.exe<\/em>, which installs itself in the system as a Network Diagnostic Service.<\/p>\n

Consequently, an analyst doing only a superficial review of network traffic logs or system events might overlook the server communication and malware execution. This can also complicate any subsequent incident investigation efforts.<\/p>\n

What the infostealer collects<\/h2>\n

The attackers start by gathering information about the compromised system: the computer name, OS version, hardware specifications, and the victim\u2019s IP address. Additionally, the malware is capable of capturing screenshots from the victim\u2019s computer, and harvesting files in formats of interest to the attackers (primarily various documents and archives). Files smaller than 100MB, along with the rest of the collected data, are sent to a separate communication server: ants-queen-dev.azurewebsites{.}net.<\/em><\/p>\n

\"File<\/a>

File formats of interest to the attackers<\/p><\/div>\n

The final malicious payload currently in use consists of four files: one executable and three DLL libraries. The executable enables screen capture capabilities. One of the libraries is used to add the executable to startup, another is responsible for data collection, while the third handles data exfiltration.<\/p>\n

During network communication, the malware adds an AuthKey header to its requests, which contains the victim\u2019s operating system identifier.<\/p>\n

\"Code<\/a>

Code snippet: a function for sending messages to the attackers\u2019 server<\/p><\/div>\n

How to stay safe<\/h2>\n

Our security solutions detect both the malicious code used in this attack and its communication with the attackers\u2019 command-and-control servers. Therefore, we recommend using reliable security solutions<\/a> on all devices used by your company to access the internet. And to prevent malicious emails from ever reaching your employees, we also advise deploying a security solution at the corporate email gateway level<\/a> too.<\/p>\n\n","protected":false},"excerpt":{"rendered":"

Cybercriminals are distributing malware that deploys an infostealer and masks its activity in network and system logs.<\/p>\n","protected":false},"author":2787,"featured_media":55108,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3051],"tags":[19,4657,36],"class_list":{"0":"post-55104","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"tag-email","10":"tag-infostealers","11":"tag-malware-2"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/malicious-mailing-masking-activity\/55104\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/malicious-mailing-masking-activity\/41141\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/malicious-mailing-masking-activity\/30153\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/infostealers\/","name":"infostealers"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55104","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2787"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=55104"}],"version-history":[{"count":1,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55104\/revisions"}],"predecessor-version":[{"id":55109,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/55104\/revisions\/55109"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/55108"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=55104"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=55104"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=55104"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}