Russia Hit by a Sneaky Cyber Onslaught: Double-Extension Phishing Delivers Amnesia RAT and Hakuna Matata Ransomware


A Silent, Business-Themed Cyber Trap Unfolds

A newly uncovered cyberattack campaign is quietly targeting organizations in Russia, blending polished business-style phishing emails with technical deception to slip past defenses. The operation relies on multi-stage delivery, weaponized shortcuts, and stealthy data exfiltration methods that turn familiar workplace files into effective malware carriers. What looks like routine corporate communication quickly escalates into a full-scale compromise once victims interact with the malicious payload.

From the Original Report: How the Attack Works from Start to Finish

The campaign begins with carefully crafted phishing emails designed to appear as legitimate business correspondence, often referencing invoices, contracts, or operational documents. These messages are tailored to blend seamlessly into everyday corporate workflows, reducing suspicion and increasing the likelihood of engagement. Attached to the emails are files using a double-extension trick, typically disguised as documents or archives but actually functioning as LNK shortcut files. When opened, these shortcuts execute hidden commands rather than displaying any real content.
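The double-extension trick works because the name a user sees and the name the operating system acts on are not the same string. The following triage script is an added example, not code from the original report or from any vendor mentioned in it: it normalises attachment names (including the whitespace-padding variant), flags a decoy document extension sitting in front of an executable one, and approximates what Explorer would display. The attachment names, the extension lists, and the `explorer_display_name` simplification are all constructed assumptions for illustration.

```python
"""Triage mail attachment names for the double-extension trick (e.g. Invoice.pdf.lnk)."""
from typing import NamedTuple

# Final extensions Windows executes on double-click instead of opening as a document
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".scr", ".pif", ".js", ".jse", ".vbs", ".vbe",
                         ".bat", ".cmd", ".ps1", ".hta", ".wsf"}
# Extensions users read as harmless documents/archives; used as the visible decoy layer
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt",
                    ".rtf", ".zip", ".rar", ".7z", ".jpg", ".jpeg", ".png"}


class Verdict(NamedTuple):
    filename: str
    suspicious: bool
    reason: str


def extension_chain(filename: str) -> list[str]:
    """Return every dot-suffix, normalised: 'Contract.DOCX   .lnk' -> ['.docx', '.lnk'].

    Whitespace padding inside the name is stripped because the real extension is often
    pushed out of view in narrow attachment panes by a run of spaces.
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].strip()
    parts = [p.strip() for p in base.split(".")]
    return ["." + p.lower() for p in parts[1:] if p]


def explorer_display_name(filename: str, hide_known_extensions: bool = True) -> str:
    """Approximate what Windows Explorer shows for the file name.

    Simplification (assumption): with 'Hide extensions for known file types' on, the last
    extension is dropped. '.lnk' is dropped regardless, because shortcuts carry the
    NeverShowExt registry flag, so 'Invoice.pdf.lnk' always renders as 'Invoice.pdf'.
    """
    chain = extension_chain(filename)
    if not chain:
        return filename
    final = chain[-1]
    if final == ".lnk" or hide_known_extensions:
        return filename.rstrip()[: -len(final)]
    return filename


def assess_attachment(filename: str) -> Verdict:
    """Classify one attachment name; only the final extension decides what runs."""
    chain = extension_chain(filename)
    if not chain:
        return Verdict(filename, False, "no extension")
    final = chain[-1]
    if final in EXECUTABLE_EXTENSIONS:
        if len(chain) >= 2 and chain[-2] in DECOY_EXTENSIONS:
            return Verdict(filename, True, f"decoy {chain[-2]} masking executable {final}")
        return Verdict(filename, True, f"executable attachment {final}")
    return Verdict(filename, False, "document-type extension")


def triage(filenames: list[str]) -> list[Verdict]:
    """Return only the suspicious verdicts, in input order."""
    return [v for v in (assess_attachment(n) for n in filenames) if v.suspicious]


# Constructed sample attachment names (not taken from the campaign)
SAMPLE_ATTACHMENTS = [
    "Invoice_2025-01.pdf.lnk",
    "Contract scan.DOCX      .lnk",
    "report_Q4.pdf",
    "backup.tar.gz",
    "payment_details.xlsx",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_ATTACHMENTS):
        shown = explorer_display_name(v.filename, hide_known_extensions=False)
        print(f"{v.filename!r} (Explorer shows {shown!r}): {v.reason}")
```

The useful output is the gap between `filename` and `explorer_display_name`: a gateway rule that rejects or quarantines any attachment whose final extension is in `EXECUTABLE_EXTENSIONS` removes the whole class of lures, and the display-name check explains to users why "it looked like a PDF" is not a reliable judgement.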
Once triggered, the infection chain unfolds in stages. The malicious LNK file launches scripts that download and deploy Amnesia RAT, a remote access trojan capable of spying on infected systems, stealing credentials, and maintaining persistent access. In parallel or in later stages, the attackers deploy Hakuna Matata ransomware, which encrypts data and disrupts operations, increasing pressure on victims.
To maintain stealth, the attackers actively disable Microsoft Defender, removing one of the primary layers of built-in Windows protection. This allows the malware to operate with reduced interference and prolongs the attackers’ dwell time inside compromised environments. For command-and-control and data exfiltration, the campaign leverages Telegram Bot APIs, abusing a legitimate messaging platform to transmit stolen information and receive attacker instructions. This choice helps the traffic blend in with normal network activity and complicates detection efforts.
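Because the Bot API is a fixed, well-formed URL scheme, its use is easy to spot in outbound web logs once you know what to look for, even though the rest of Telegram's traffic looks ordinary. The script below is an added example written for this article, not code from the report or from Telegram, and it runs over a constructed log sample: it separates bot-API calls (which carry a bot token and a method name) from ordinary Telegram endpoints, rates file-upload methods as the exfiltration pattern and polling methods as the tasking pattern, and redacts the token secret before it reaches an alert. The log format, host names and token value are all constructed; full URL visibility assumes a TLS-inspecting proxy or endpoint telemetry, and without it only the CONNECT target is available.

```python
"""Spot Telegram Bot API use in outbound web logs (constructed sample, not campaign data)."""
import re
from dataclasses import dataclass
from typing import Optional

# Bot API calls look like https://api.telegram.org/bot<token>/<method>; the token is
# <numeric bot id>:<secret>. The secret is redacted before alerting so the credential
# is not copied into tickets or chat channels.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d{6,12}):(?P<secret>[A-Za-z0-9_-]{30,40})"
    r"/(?P<method>[A-Za-z]+)"
)
# Without TLS inspection only the CONNECT target is visible; still worth a low-severity note
CONNECT_RE = re.compile(r"\bapi\.telegram\.org(?::443)?\b")

UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}  # data leaving the host
POLL_METHODS = {"getUpdates", "getMe"}                                     # tasking / liveness


@dataclass
class Alert:
    src_host: str
    method: str
    severity: str
    bot_id: str  # numeric part only; the secret is never stored


def inspect_line(line: str) -> Optional[Alert]:
    # Constructed log format: "<ts> <src_host> <src_ip> <verb> <url> <status> <bytes>"
    fields = line.split()
    if len(fields) < 5:
        return None
    src_host, verb, url = fields[1], fields[3], fields[4]
    m = BOT_API_RE.search(url)
    if m:
        method = m.group("method")
        if method in UPLOAD_METHODS:
            severity = "high"    # file upload to a bot: matches the exfiltration pattern
        else:
            severity = "medium"  # polling or messaging: matches the C2 pattern
        return Alert(src_host, method, severity, m.group("bot_id"))
    if verb == "CONNECT" and CONNECT_RE.search(url):
        return Alert(src_host, "CONNECT", "low", "unknown")
    return None


def scan(lines: list[str]) -> list[Alert]:
    """Run every line through inspect_line and keep the hits, in log order."""
    return [a for a in map(inspect_line, lines) if a is not None]


def worst_severity_per_host(alerts: list[Alert]) -> dict[str, str]:
    """Collapse alerts to one severity per source host for a quick triage view."""
    rank = {"low": 1, "medium": 2, "high": 3}
    worst: dict[str, str] = {}
    for a in alerts:
        if rank[a.severity] > rank.get(worst.get(a.src_host, ""), 0):
            worst[a.src_host] = a.severity
    return worst


# Constructed sample log lines; the bot id and secret are made-up values
SAMPLE_LOG = [
    "2025-01-15T09:02:11Z ws-017 10.20.4.17 GET https://updates.example.com/feed.xml 200 8123",
    "2025-01-15T09:05:40Z ws-017 10.20.4.17 POST "
    "https://api.telegram.org/bot7012345678:AAHxq1Zq9bW3Lk2mP0rT5vY8uJ4eC6gD1sF/sendDocument 200 512",
    "2025-01-15T09:06:02Z ws-017 10.20.4.17 GET "
    "https://api.telegram.org/bot7012345678:AAHxq1Zq9bW3Lk2mP0rT5vY8uJ4eC6gD1sF/getUpdates 200 1042",
    "2025-01-15T09:07:15Z ws-031 10.20.4.31 CONNECT api.telegram.org:443 200 0",
    "2025-01-15T09:08:00Z ws-044 10.20.4.44 CONNECT web.telegram.org:443 200 0",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print(worst_severity_per_host(scan(SAMPLE_LOG)))
```

The `web.telegram.org` line produces no alert on purpose: the point is to isolate bot-API calls, which an end-user workstation rarely has a legitimate reason to make, rather than to flag every Telegram connection. Where inspection is not available, the low-severity CONNECT hit is still a reasonable pivot for an endpoint-side look at which process opened the connection.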
Overall, the attack demonstrates a calculated balance between social engineering and technical evasion. By combining believable business lures, deceptive file extensions, well-known malware families, and trusted cloud-based services, the threat actors create a resilient intrusion chain that is difficult to stop once initiated.

What Undercode Says:

This campaign highlights a persistent truth in modern cybersecurity: attackers no longer need zero-day exploits when human trust and built-in system features can do the heavy lifting. The use of double-extension LNK files is particularly telling, as shortcuts are often overlooked in security awareness training compared to macros or executable files. Many users still associate “.pdf” or “.docx” endings with safety, even when an extra hidden extension changes everything.
The deployment of both Amnesia RAT and Hakuna Matata ransomware suggests a dual-purpose operation. On one hand, the attackers gain long-term surveillance and data theft capabilities; on the other, they retain the option to monetize the intrusion quickly through ransomware. This hybrid approach maximizes return on investment and gives threat actors flexibility depending on the value of the compromised target.
Disabling Microsoft Defender is another critical signal. It shows the attackers understand the default security posture of Windows environments and actively script around it. This is not opportunistic malware but a campaign tested against real-world enterprise setups. Once Defender is neutralized, lateral movement and payload execution become significantly easier.
The choice of Telegram Bot APIs for exfiltration is equally strategic. Telegram is widely used, encrypted, and generally trusted, making outbound connections less likely to raise alarms. By hiding malicious communications inside legitimate platforms, attackers effectively weaponize convenience and privacy features against defenders.
From a broader perspective, this operation reflects the continued professionalization of phishing campaigns targeting specific regions. Russia, often portrayed solely as a source of cyber threats, is also a frequent target of sophisticated cybercrime. This attack underscores that no region is immune and that cybercriminal tactics are increasingly standardized, portable, and adaptable across geopolitical boundaries.
For defenders, the lesson is clear: file type awareness, shortcut execution policies, and outbound traffic monitoring are just as important as advanced threat detection tools. The weakest link remains the intersection between user behavior and trusted system functionality, an area attackers continue to exploit with alarming efficiency.

🔍 Fact Checker Results

✅ The use of double-extension LNK files is a known and documented phishing technique.
✅ Amnesia RAT and Hakuna Matata ransomware have been observed in real-world attacks.
❌ No public evidence confirms the total number of affected organizations at this time.

📊 Prediction

Cybercriminal groups will increasingly combine remote access trojans with ransomware in the same campaign, using trusted platforms like Telegram for stealthy communication. As defenders improve malware detection, social engineering and abuse of legitimate services will become the primary battlefield in future phishing operations.
