Operation HollowQuill – Weaponized PDFs Deliver a Cobalt Strike Malware Into Gov & Military Networks

In a recent revelation by SEQRITE Labs, a highly sophisticated cyber-espionage campaign, dubbed Operation HollowQuill, has been uncovered.

The operation targets academic, governmental, and defense-related networks in Russia using weaponized decoy PDFs to deliver Cobalt Strike malware implants.

The campaign appears to focus on infiltrating critical institutions such as the Baltic State Technical University (BSTU “VOENMEKH”) a key contributor to Russia’s military-industrial complex.

Technical Exploitation Chain

The infection chain begins with a malicious RAR archive containing a .NET-based malware dropper disguised as official research invitations from the Ministry of Science and Higher Education of Russia.

This archive includes multiple components:

1. A legitimate OneDrive executable.
2. A Golang-based shellcode loader.
3. A decoy PDF document that serves as a lure for the targeted entities.

Upon execution, the .NET dropper deploys the shellcode loader, injects malicious code into the OneDrive process, and spawns the decoy PDF to avoid suspicion.

The shellcode loader employs advanced techniques such as APC injection to execute the payload in memory stealthily.

Decoy Document Analysis

The decoy PDF mimics official communication regarding state-assigned research projects for the 2026–2028 budget cycle.

It includes detailed guidelines for submitting proposals within Russia’s Unified State Information System for Scientific Research and Technological Projects (ЕГИСУ НИОКТР).

Signed by high-ranking officials, including A.E. Shashurin, acting rector of BSTU “VOENMEKH,” the document enhances credibility and increases the likelihood of user engagement.

The final stage involves deploying a Cobalt Strike beacon a widely used penetration testing tool often repurposed for malicious activities.

The beacon connects to a command-and-control (C2) server hosted on domains such as phpsymfony[.]com.

It uses standard HTTP GET requests with encoded data to communicate covertly with the attacker infrastructure.

Key artifacts extracted from the shellcode reveal advanced anti-analysis techniques, such as time-based evasion mechanisms and memory injection processes, ensuring minimal detection by security systems.

Analysis of the campaign’s infrastructure shows operational security lapses by the attackers, including exposed Go build IDs and rotating C2 domains across multiple ASN services globally.

These identifiers have enabled researchers to trace similar payloads and associated malicious binaries distributed through other campaigns.

Operation HollowQuill highlights an alarming trend in cyber warfare targeting critical research and defense networks through sophisticated phishing tactics and advanced malware delivery mechanisms.

By leveraging legitimate applications like OneDrive and employing in-memory execution techniques, the attackers have demonstrated a high level of technical expertise aimed at evading detection while compromising sensitive systems.

This campaign underscores the need for robust cybersecurity measures across government and military sectors to mitigate risks posed by increasingly sophisticated threat actors.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates!