Operation DupeHike: Targeting Russian employees with DUPERUNNER and AdaptixC2
Essential information
- Published
- 03/12/2025 14:29
- Modified
- 21/12/2025 18:21
- Tags
- 2025-12-03 adaptixc2 c2 communication duperunner employee bonus lure process injection russian corporate spear-phishing
- Related entities
- 12 observables, 1 intrusion sets (apt), 19 techniques (mitre), 2 malware, 2 others
Description
A campaign targeting Russian corporate entities, particularly HR, payroll, and administrative departments, has been uncovered. The attack uses realistic decoy documents themed around employee bonuses and financial policies. The malware ecosystem involves a malicious LNK file leading to an implant dubbed DUPERUNNER, which then loads the AdaptixC2 Beacon to connect to the threat actor's infrastructure. The infection chain begins with a spear-phishing ZIP archive containing PDF-themed LNK files. The DUPERUNNER implant, programmed in C++, performs various functions including downloading and opening decoy PDFs, process enumeration, and shellcode injection. The final stage involves the AdaptixC2 Beacon, which communicates with the command-and-control server. The campaign, tracked as UNG0902, uses multiple malicious infrastructures and is believed to be targeting employees of various organizations.