Silent but Deadly: A New Breed of Infostealer
In a chilling reminder of how rapidly cyber threats are evolving, researchers at FortiGuard Labs have uncovered an ongoing cyberattack campaign driven by a newly identified infostealer named NordDragonScan. Tailored to infiltrate Microsoft Windows environments, this campaign leverages seemingly innocuous HTA scripts, malicious LNK shortcuts, and weaponized compressed archives to breach systems, steal sensitive data, and establish long-term persistence without raising immediate red flags.
What makes this campaign particularly insidious is its multilayered and covert delivery mechanism. The attack begins with a shortened link redirecting victims to a deceptive file-sharing platform, secfileshare[.]com. Disguised as a legitimate Ukrainian document, the payload lures users into downloading a RAR archive. Once unpacked, an LNK file launches a PowerShell command through mshta.exe, which then executes a malicious 1.hta script. This initial script stealthily displays a decoy document while triggering a background payload named adblocker.exe, cleverly hidden within the system's temporary directory.
The malware is coded in .NET and employs custom string obfuscation, ensuring it bypasses basic detection. It creates a dedicated directory within %LOCALAPPDATA%, where it stores exfiltrated data. The connection to the attacker's Command and Control (C2) server at kpuszkiev[.]com is masked via crafted HTTP headers using the system's MAC address, allowing a silent handshake with the attacker.
What raises even more concern is the malware’s robust persistence strategy. By creating a startup registry key named “NordStar”, the malware ensures it executes each time the system boots. The campaign uses a rotating theme of decoy documents to evade pattern detection, enhancing its success rate across a wide range of victims.
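As an added example (not Fortinet's or the article's own tooling), the following Python shows how a defender could triage endpoint telemetry for the chain described above: mshta.exe spawned by PowerShell with an .hta in a temp path, a child executable launched from that temp path, and a Run-key value named "NordStar". The events, user name and paths are constructed, and the registry hive and exact Run key are assumptions, since the post only says "startup registry key".

```python
import re

# Constructed Sysmon-style events (not real telemetry): process creation (ID 1)
# and registry value set (ID 13), modelled on the chain the post describes.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",  # LNK double-clicked from Explorer
     "cmdline": r"powershell -w hidden mshta.exe C:\Users\victim\AppData\Local\Temp\1.hta"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"mshta.exe C:\Users\victim\AppData\Local\Temp\1.hta"},
    {"id": 1, "image": r"C:\Users\victim\AppData\Local\Temp\adblocker.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"C:\Users\victim\AppData\Local\Temp\adblocker.exe"},
    # Assumed HKCU Run key; the post only says "startup registry key named NordStar".
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\NordStar",
     "details": r"C:\Users\victim\AppData\Local\Temp\adblocker.exe"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",  # benign-looking use, not flagged
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

# User-writable staging locations that legitimate software rarely executes from.
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\|\\Users\\Public\\", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def triage(events):
    """Return (rule_name, evidence) tuples for events matching the described chain."""
    alerts = []
    for e in events:
        if e["id"] == 1:
            img, parent, cmd = e["image"].lower(), e["parent"].lower(), e["cmdline"]
            # Rule 1: PowerShell handing an .hta in a temp directory to mshta.exe
            if img.endswith("mshta.exe") and parent.endswith("powershell.exe") and USER_WRITABLE.search(cmd):
                alerts.append(("hta_from_powershell", cmd))
            # Rule 2: mshta.exe launching a binary that lives in a temp directory
            elif parent.endswith("mshta.exe") and USER_WRITABLE.search(e["image"]):
                alerts.append(("mshta_child_in_temp", e["image"]))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            # Rule 3: Run-key persistence, by the reported value name or a temp-path target
            name = e["target"].rsplit("\\", 1)[-1]
            if name.lower() == "nordstar" or USER_WRITABLE.search(e["details"]):
                alerts.append(("run_key_persistence", f"{name} -> {e['details']}"))
    return alerts


if __name__ == "__main__":
    for rule, evidence in triage(EVENTS):
        print(f"[{rule}] {evidence}")
```

Rule 3 also fires on any Run value pointing into a temp directory, so it still catches a renamed key once the "NordStar" name is rotated.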
Fortinet has responded swiftly, updating its protection systems to detect all key components of this attack, including the HTA, LNK, and executable files. Organizations are being urged to practice vigilant endpoint monitoring, avoid interacting with suspicious compressed files, and educate employees about such modern phishing tactics. For cases of suspected infection, Fortinet’s incident response team remains on standby.
What Undercode Says: Dissecting the NordDragonScan Threat Landscape
Tactical Infection Vectors Redefined
NordDragonScan demonstrates a calculated and professional approach to modern malware deployment. Its reliance on HTA scripts and LNK shortcuts represents a resurgence of techniques once considered outdated but now fine-tuned to bypass today’s antivirus engines. This signals a broader trend in cybercrime—recycling old vectors with new sophistication.
Custom Obfuscation and Stealth Design
The malware’s use of .NET-based architecture and custom obfuscation layers showcases an effort to blend into legitimate processes and avoid triggering endpoint detection systems. This attention to detail hints at the involvement of advanced persistent threat (APT) groups, or at the very least, well-funded cybercriminal entities.
Network Awareness and LAN Reconnaissance
Unlike traditional infostealers that stop at browser passwords or clipboard data, NordDragonScan includes LAN host enumeration, signaling its intent to map out entire corporate infrastructures. This added layer indicates a possible pivot from espionage to lateral movement within enterprise environments, which could eventually lead to ransomware deployment or complete domain compromise.
C2 Infrastructure Intelligence
The malware communicates with a known malicious domain using crafted HTTP headers and device-specific identifiers. This allows attackers to fine-tune payloads in real-time, adapt to the victim’s environment, and maintain resilience even in the face of partial remediation. These C2 techniques mimic state-sponsored espionage protocols, albeit in a financially motivated campaign.
Multi-Payload Architecture
The inclusion of decoy documents alongside adblocker.exe allows the malware to remain hidden while performing destructive tasks. By layering payloads in a modular fashion, attackers ensure scalability and adaptability, allowing the same infrastructure to be reused in future campaigns with minimal changes.
Evasion Through User Deception
The choice of disguising payloads as Ukrainian government documents is not coincidental. It leverages ongoing geopolitical tension to increase click-through rates among curious or emotionally driven targets. This social engineering aspect ensures high infection success even in environments with trained users.
Persistent Compromise via Registry Manipulation
Registry persistence is a tried-and-tested method for malware, and NordDragonScan doesn’t reinvent the wheel. What it does, however, is camouflage itself under a benign-sounding key (“NordStar”), ensuring that even registry analysts may overlook its presence during standard inspections.
Limitations and Missed Opportunities
While NordDragonScan is highly capable, it remains heavily Windows-dependent, with no reported variants for macOS or Linux environments yet. Its reliance on downloading large payloads could raise red flags in bandwidth-sensitive environments, providing some room for detection.
Defensive Best Practices
Companies must prioritize email filtering, HTA/LNK blocking, and advanced behavior analysis within endpoint detection tools. Static signature detection is insufficient given the malware’s dynamic and obfuscated nature. Training users to spot misleading file-sharing links and foreign-language document bait remains essential.
Potential for Future Exploits
Given its modular build, NordDragonScan could evolve to include keylogging, audio recording, or screen capturing in real-time. If left unchecked, this malware might serve as a staging tool for larger, ransomware-based operations or even industrial espionage.
🔍 Fact Checker Results
✅ NordDragonScan was confirmed by Fortinet as a real, active threat
✅ The malware uses HTA scripts, LNK files, and obfuscated PowerShell commands
✅ Indicators of Compromise include real domains and verified file hashes
📊 Prediction
Expect NordDragonScan to evolve into a multi-platform threat, with variants targeting Linux or macOS in the future. As malware developers continue to pivot toward modular architectures, attacks like these will become more targeted, stealthier, and deeply embedded in enterprise systems. Defensive vendors will need to shift from signature-based detection to behavioral AI-driven analytics to keep pace with these threats.
References:
Reported By: cyberpress.org