Operation HollowQuill: Russian R&D Networks Targeted via Decoy PDFs
Essential information
- Published
- 31/03/2025 12:20
- Modified
- 31/03/2025 15:56
- Tags
- 2025-03-31 academic institutions baltic state technical university cobalt strike decoy pdfs defense industry operation hollowquill russian r&d shellcode loader
- Related entities
- 2 observables, 8 techniques (mitre), 1 malware, 5 others
Description
Operation HollowQuill targets Russian research and defense networks, particularly the Baltic State Technical University, using weaponized decoy documents disguised as research invitations. The attack chain involves a malicious RAR file containing a .NET dropper, which deploys a Golang-based shellcode loader and a legitimate OneDrive application. The final payload is a Cobalt Strike beacon. The campaign focuses on academic institutions, military and defense industries, aerospace and missile technology, and government-oriented research entities within the Russian Federation. The threat actor employs sophisticated techniques, including anti-analysis measures, APC injection, and infrastructure rotation across multiple ASNs.