Monday, April 28, 2025
Operation HollowQuill Uses Malicious PDFs to Target Academic and Government Networks

A newly uncovered cyber-espionage campaign, dubbed Operation HollowQuill, has been identified as targeting academic, governmental, and defense-related networks in Russia using weaponized PDF documents.

The operation, tracked by SEQRITE Labs APT-Team, leverages decoy research invitations to infiltrate systems associated with the Baltic State Technical University (BSTU “VOENMEKH”), a key institution for defense and aerospace research supporting Russia’s military-industrial complex.

Malware Infection Chain: From Decoy PDFs to Cobalt Strike Payloads

The infection chain begins with a malicious RAR archive containing a .NET malware dropper disguised as an official research document.

This dropper deploys multiple payloads, including a legitimate OneDrive application, a Golang-based shellcode loader, and a decoy PDF file.

The final payload is a Cobalt Strike beacon, a well-known penetration testing tool often repurposed for malicious activities.

The decoy PDF appears to be an official communication from the Russian Ministry of Science and Higher Education.

It outlines guidelines for state-assigned research projects under the 2026–2028 budget cycle, providing detailed instructions for submitting proposals through the Unified State Information System for Scientific Research and Technological Projects (ЕГИСУ НИОКТР).

The document is signed by A.E. Shashurin, acting rector of BSTU “VOENMEKH,” adding authenticity to the lure.

Figure: Operation HollowQuill infection chain.

Technical Analysis: Multi-Stage Malware Deployment

The malware deployment involves four distinct stages:

  1. Malicious RAR file: The archive contains a .NET executable named “Outgoing No. 3548,” which acts as the initial dropper.
  2. Malicious .NET dropper: This executable copies the decoy PDF and the legitimate OneDrive application to specific directories and plants a shortcut file (.lnk) in the Windows Startup folder so the chain re-runs at every logon. It also stages the Golang loader that later injects shellcode into the OneDrive process via Asynchronous Procedure Call (APC) injection.
  3. Golang shellcode loader: The loader decrypts embedded shellcode using a hardcoded key and injects it into the memory of the OneDrive process, which it starts in a suspended state. It also includes timing-based anti-analysis checks intended to evade sandboxes.
  4. Shellcode execution: The shellcode loads a Cobalt Strike beacon in memory, which connects to a command-and-control (C2) server hosted at phpsymfony[.]com.
Figure: Shellcode overview.

Analysis of the campaign revealed operational security (OPSEC) lapses by the threat actor, such as leaving Go build IDs in the Golang injector binary.

This enabled researchers to identify similar payloads linked to the same actor.
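The build-ID pivot described above can be reproduced with a few lines of Python. The script below is an added example, not code from SEQRITE or the article: it locates the marker that Go's linker writes around the build ID (the `\xff Go build ID: "<id>"\n \xff` wrapper implemented in Go's cmd/internal/buildid package), extracts the ID, and clusters samples that share one. The sample byte strings and file names are constructed stand-ins; no campaign binary is embedded.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional

# Go's linker stores the build ID near the start of the text segment, wrapped as
#     \xff Go build ID: "<id>"\n \xff
# (see cmd/internal/buildid in the Go source tree). The ID is a set of
# slash-separated hashes of the build inputs, so two binaries carrying the same
# ID were linked from the same source tree with the same toolchain settings.
GO_BUILD_ID_RE = re.compile(rb'\xff Go build ID: "([^"\n]{1,256})"\n \xff')


def extract_go_build_id(data: bytes) -> Optional[str]:
    """Return the embedded Go build ID, or None when it is absent.

    A binary built with -ldflags=-buildid= (or post-processed to strip it)
    has no marker, which is itself a useful signal when hunting.
    Go writes the marker within the first 32 KiB of text, but scanning the
    whole buffer costs little and also works on carved sections.
    """
    m = GO_BUILD_ID_RE.search(data)
    return m.group(1).decode("ascii", errors="replace") if m else None


def build_id_of_file(path: Path) -> Optional[str]:
    """Convenience wrapper for on-disk samples."""
    return extract_go_build_id(path.read_bytes())


def group_by_build_id(ids: Dict[str, Optional[str]]) -> Dict[str, List[str]]:
    """Cluster sample names that share an identical build ID.

    Samples without an ID are skipped; singletons are dropped so only
    actionable pivots (two or more samples from one build) are returned.
    """
    clusters: Dict[str, List[str]] = {}
    for name, bid in ids.items():
        if bid:
            clusters.setdefault(bid, []).append(name)
    return {bid: sorted(names) for bid, names in clusters.items() if len(names) > 1}


# --- constructed sample data (stand-ins, not real PE files or campaign binaries) ---
def _fake_go_binary(build_id: bytes) -> bytes:
    # "MZ" plus padding only mimics the look of a PE; the marker layout is what matters.
    return (b"MZ" + b"\x00" * 62
            + b'\xff Go build ID: "' + build_id + b'"\n \xff'
            + b"\x90" * 32)


SAMPLES: Dict[str, bytes] = {
    "loader_a.exe": _fake_go_binary(b"aaaa1111/bbbb2222/cccc3333/dddd4444"),
    "loader_b.exe": _fake_go_binary(b"aaaa1111/bbbb2222/cccc3333/dddd4444"),
    "other.exe":    _fake_go_binary(b"eeee5555/ffff6666/00007777/11118888"),
    "stripped.exe": b"MZ" + b"\x00" * 62 + b"\x90" * 32,  # no build ID at all
}


def pivot_samples() -> Dict[str, List[str]]:
    """Run the extraction over the constructed sample set and return the clusters."""
    return group_by_build_id({name: extract_go_build_id(data) for name, data in SAMPLES.items()})


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {extract_go_build_id(data)}")
    print("clusters:", pivot_samples())
```

On a machine with a Go toolchain, `go tool buildid <file>` prints the same value for a real binary and is a quick way to sanity-check the extractor. Matching a full ID across samples is the strong signal; a defender who sees the same ID on an unrelated host has found a second copy of the same build.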

The C2 infrastructure has rotated across multiple autonomous systems (ASNs) worldwide, including Cloudflare in the United States and UCLOUD-HK-AS-AP in Hong Kong.

In addition, the HTTP page title “Coming Soon – pariaturzzphy.makebelievercorp[.]com” was repeatedly observed on hosts serving other malicious binaries, such as AsyncRAT, which helped link the infrastructure together.

Operation HollowQuill highlights the increasing sophistication of cyber-espionage campaigns targeting critical research institutions.

By exploiting authentic-looking documents and advanced malware techniques, threat actors aim to compromise sensitive information related to defense and aerospace technologies.

SEQRITE Labs recommends robust endpoint protection against the identified threats, which it detects as Trojan.Ghanarava variants, together with user vigilance against phishing emails carrying malicious attachments.

Indicators of Compromise (IOCs):

  MD5 hashes:
  • ab310ddf9267ed5d613bcc0e52c71a08 (malicious RAR file)
  • fad1ddfb40a8786c1dd2b50dc9615275 (SystemUpdaters.exe)
  • cac4db5c6ecfffe984d5d1df1bc73fdb (OneDrives_v2_1.exe)

  C2 domain:
  • phpsymfony[.]com
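To turn the IOCs above into a check that can actually be run, the following Python script is an added example (not code from SEQRITE or the article). It sweeps a directory tree for files whose MD5 matches the published hashes, and scans DNS/proxy log lines for the C2 domain, including subdomains of it, after undoing the `[.]` defanging. The log lines and the scratch file it hashes are constructed for the demonstration; the only real values are the three hashes and the domain from the list above.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set, Tuple

# IOCs as published in the SEQRITE write-up (reproduced from the list above).
HOLLOWQUILL_MD5: Dict[str, str] = {
    "ab310ddf9267ed5d613bcc0e52c71a08": "Malicious RAR file",
    "fad1ddfb40a8786c1dd2b50dc9615275": "SystemUpdaters.exe",
    "cac4db5c6ecfffe984d5d1df1bc73fdb": "OneDrives_v2_1.exe",
}
HOLLOWQUILL_DOMAINS: Set[str] = {"phpsymfony[.]com"}


def refang(ioc: str) -> str:
    """Undo common defanging so published IOCs compare equal to raw telemetry."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def md5_of_file(path: Path, chunk: int = 1 << 20) -> str:
    # MD5 is weak against collisions, but that does not matter for matching a
    # known-bad sample: the attacker has no incentive to collide with their own file.
    h = hashlib.md5()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_hashes(root: Path, iocs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (path, md5, label) for every file under root whose MD5 is in iocs."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            digest = md5_of_file(p)
            if digest in iocs:
                hits.append((str(p), digest, iocs[digest]))
    return hits


# Pulls host names out of free-form log lines; IP addresses do not match
# because the last label must be alphabetic.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def domain_matches(domain: str, c2_domains: Set[str]) -> bool:
    """Exact match or a subdomain of a C2 domain; 'notphpsymfony.com' must not match."""
    d = domain.lower().rstrip(".")
    return any(d == c or d.endswith("." + c) for c in c2_domains)


def find_c2_hits(log_lines: Iterable[str], c2_domains: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_domain, line) for each log line touching a C2 domain."""
    c2 = {refang(d) for d in c2_domains}
    hits = []
    for n, line in enumerate(log_lines, 1):
        for dom in DOMAIN_RE.findall(line):
            if domain_matches(dom, c2):
                hits.append((n, dom.lower(), line.strip()))
                break
    return hits


# Constructed log lines (DNS and proxy style); not from any real environment.
SAMPLE_LOG = [
    "2025-04-22T09:14:03Z dns client=10.20.5.17 query=update.microsoft.com type=A",
    "2025-04-22T09:14:09Z dns client=10.20.5.17 query=phpsymfony.com type=A",
    "2025-04-22T09:14:10Z proxy src=10.20.5.17 url=https://phpsymfony.com/ status=200",
    "2025-04-22T09:15:00Z dns client=10.20.5.44 query=notphpsymfony.com type=A",
    "2025-04-22T09:16:31Z dns client=10.20.5.17 query=cdn.phpsymfony.com type=A",
]


def demo_hash_sweep() -> List[Tuple[str, str, str]]:
    """Sweep a scratch directory; a constructed file's MD5 is added to the IOC set so one hit fires."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "downloads").mkdir()
        sample = root / "downloads" / "Outgoing_3548.rar"
        sample.write_bytes(b"constructed placeholder, not the real archive")
        (root / "benign.txt").write_text("nothing to see")
        iocs = dict(HOLLOWQUILL_MD5)
        iocs[md5_of_file(sample)] = "constructed test sample"
        return sweep_hashes(root, iocs)


if __name__ == "__main__":
    for hit in demo_hash_sweep():
        print("hash hit:", hit)
    for hit in find_c2_hits(SAMPLE_LOG, HOLLOWQUILL_DOMAINS):
        print("C2 hit:", hit)
```

In practice `sweep_hashes` would be pointed at user download and temp directories plus the Startup folder, and `find_c2_hits` at exported DNS or proxy logs; the subdomain rule matters because beacon traffic may use a host under the listed domain rather than the apex itself.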

MITRE ATT&CK Techniques:

  • Initial Access: T1566.001 (Spear phishing attachment)
  • Persistence: T1547.001 (Startup folder)
  • Defense Evasion: T1055.004 (Asynchronous Procedure Call)

This campaign serves as a stark reminder of evolving cyber threats targeting critical sectors worldwide.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
