
NordDragonScan: Quiet Data-Harvester on Windows

Published 14/07/2025 13:44 · Modified 14/07/2025 14:17


Essential information

Tags: 2025-07-14, browser data theft, infostealer, norddragonscan
Related entities: 11 observables, 1 intrusion set (APT), 12 techniques (MITRE ATT&CK), 1 malware

Description

A sophisticated infostealer dubbed NordDragonScan has been discovered targeting Windows systems through weaponized HTA scripts. The malware is distributed via shortened links that lead to RAR archives containing malicious LNK shortcuts. Once installed, NordDragonScan performs extensive reconnaissance, collecting system information, network details, browser data, and sensitive documents. It uses custom obfuscation techniques and establishes persistence through registry modifications. The stolen data is exfiltrated to a command-and-control server over TLS-encrypted connections. The attack employs various decoy documents to evade detection and maximize infection opportunities. NordDragonScan's capabilities include screenshot capture, Chrome and Firefox profile harvesting, and local network scanning.

External references