A newly disclosed infostealer dubbed "NordDragonScan" executes stealthily on Windows machines using living-off-the-land (LOTL) techniques, Fortinet reports.

The attack begins when users visit a site called secfileshare[.]com, which delivers a RAR archive designed to look like a Ukrainian government document, as Fortinet's FortiGuard Labs Threat Research unit described in a blog post Monday.

A LNK shortcut within the archive invokes the Windows utility mshta.exe to retrieve and execute an HTML Application (HTA) script from the secfileshare[.]com domain, called 1.hta.

This HTA copies the legitimate PowerShell.exe binary to the Documents folder and renames it to install.exe to hide its activity. It then downloads a benign decoy document, tricking the victim into believing this is the file they opened while the malicious payload runs in the background.

The final NordDragonScan payload, named adblocker.exe to further hide its nature, communicates with a command and control (C2) server called kpuszkiev[.]com. It establishes persistence by creating a Windows registry key that ensures the malware will always run whenever the victim logs in to their machine.

The infostealer’s data theft activities include collecting basic system and user information, taking screenshots, retrieving data from Chrome and Firefox browsers and copying certain files from the Desktop, Documents and Downloads folders.

The malware targets Microsoft Word documents and text files, PDFs, spreadsheets and configuration files for OpenVPN and the Remote Desktop Protocol.

NordDragonScan also scans for active network interfaces, extracts the IP address and subnet mask, calculates the CIDR range for the subnet and probes each address to identify active connections. This allows it to create an inventory of potential targets for lateral movement across the local area network (LAN).

Stolen files are exfiltrated to the kpuszkiev[.]com C2 server. Details obtained by the stealer could be leveraged in subsequent attacks, FortiGuard Labs notes.

Researchers identified several different Ukrainian-language decoy documents with various themes hosted at the secfileshare[.]com domain, suggesting a widespread campaign targeting diverse Ukrainian targets.

The abuse of legitimate Windows tools to facilitate infection, rather than software vulnerabilities, emphasizes the importance of phishing awareness and detection methods that can recognize the malicious behavior and data extraction.
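As an added example (not Fortinet's code or the report's own detection logic), the Python sketch below runs three behavioral rules over constructed Sysmon-style events matching the stages described above: mshta.exe fetching a remote HTA, a renamed copy of PowerShell (caught through the PE OriginalFileName field, which a file rename does not change), and a Run-key value pointing into a user-writable directory. The field names, paths and sample events are assumptions, not values from the report.

```python
"""Detection sketch for the NordDragonScan-style LOTL chain (added example).
Runs over constructed Sysmon-style events: ID 1 = process creation, ID 13 = registry value set."""
import re

# Constructed sample events; user names, paths and command lines are placeholders.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://secfileshare[.]com/1.hta",
     "ParentImage": r"C:\Windows\explorer.exe", "OriginalFileName": "MSHTA.EXE"},
    {"EventID": 1, "Image": r"C:\Users\victim\Documents\install.exe",
     "CommandLine": "install.exe -w hidden -c <placeholder>",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "PowerShell.EXE"},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-<placeholder>\Software\Microsoft\Windows\CurrentVersion\Run\adblocker",
     "Details": r"C:\Users\victim\AppData\Roaming\adblocker.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Date", "ParentImage": r"C:\Windows\explorer.exe",
     "OriginalFileName": "PowerShell.EXE"},  # benign: on-disk name matches, nothing fires
]

URL_RE = re.compile(r"https?://\S+\.hta\b", re.I)          # remote HTA passed to mshta
USER_PATH_RE = re.compile(r"\\Users\\[^\\]+\\(Documents|AppData|Downloads|Desktop)\\", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)   # logon persistence key


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of the rules that fire on a single event."""
    hits = []
    if ev.get("EventID") == 1:
        image, orig = basename(ev["Image"]), ev.get("OriginalFileName", "").lower()
        if image == "mshta.exe" and URL_RE.search(ev["CommandLine"]):
            hits.append("mshta_remote_hta")
        # Version info survives a copy-and-rename; compare it with the on-disk name.
        if orig == "powershell.exe" and image != "powershell.exe":
            hits.append("renamed_powershell")
        if USER_PATH_RE.search(ev["Image"]) and basename(ev["ParentImage"]) == "mshta.exe":
            hits.append("mshta_spawned_user_dir_binary")
    elif ev.get("EventID") == 13:
        if RUN_KEY_RE.search(ev["TargetObject"]) and USER_PATH_RE.search(ev.get("Details", "")):
            hits.append("run_key_user_writable_path")
    return hits


def scan(events):
    """Return (event index, rule name) pairs for every rule that fired."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]
```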

While this campaign appeared to target Ukrainian users, phishing attacks impersonating government entities are also common in the United States, with about 160,000 such scams being reported to the Federal Trade Commission (FTC) in 2023. Phishing emails impersonating government officials were also noted to have increased by 35% in 2024, according to Trend Micro.