NordDragon Scan

Researchers from FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments.  Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots.  The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves as a heartbeat server to confirm the victim is still online and to request additional data when needed.

Initial Vector - Attackers use a URL-shortener link, “hxxps://cutt[.]ly/4rnmskDe,” that redirects to “hxxps://secfileshare[.]com,” triggering the download of a RAR archive named “Укрспецзв_Акт_30_05_25_ДР25_2313_13 від 26_02_2025.rar” (Ukrspetszv_Act_30_05_25_DR25_2313_13 dated 26_02_2025).  This archive contains a malicious LNK shortcut that silently invokes mshta.exe to execute the HTA payload “1.hta” hosted on the same server.

Figure 1: LNK file

The malicious HTA file copies the legitimate PowerShell.exe binary to “C:\Users\Public\Documents\install.exe” so that PowerShell runs under an innocuous name.  It then downloads an encoded TXT file from a remote server, decodes it, and saves the result as “Act300525.doc.”  This decoy document, titled “Акт здачі-приймання наданих Послуг до договору про надання послуг” (Act of Acceptance of Services under Service Agreement), is benign and intended to distract the user.  Finally, the HTA script quietly drops the actual payload, a hardcoded executable embedded in the script, to “\AppData\Local\Temp\adblocker.exe” under the victim’s profile and executes it.
Figure 2: HTA file "1.hta"


Figure 3: Decoy document from "1.hta"

The attacker’s server maintains multiple decoy files designed to entice user interactions.  These decoys employ a similar HTA script mechanism, which drops and executes the same payload, “adblocker.exe,” on compromised systems.  The repeated use of the same executable across diverse decoys suggests a systematic approach by the threat actor to maximize infection opportunities while utilizing varied document themes and filenames to evade detection and security monitoring.


Figure 4: Decoy documents

Infostealer - The payload is a .NET executable containing an embedded PDB path: “C:\Users\NordDragon\Documents\visual studio.” 

NordDragonScan employs a custom string obfuscation routine, which performs an XOR operation and byte-swapping to conceal hard-coded strings from static analysis. It initially verifies if its dedicated working directory, “NordDragonScan,” exists in the “%LOCALAPPDATA%” folder. If this directory is absent, it creates it as a staging area to temporarily store stolen data before uploading it to the C2 server.
Figure 5: Checking the directory

It then contacts the C2 server, “kpuszkiev.com,” with a request that carries custom HTTP headers, specifically “User-Agent: RTYUghjNM,” along with the victim machine’s MAC address.  The primary objective of this initial connection is to retrieve a dynamic URL from the C2, which is later used as the endpoint for exfiltrating stolen data.
Figure 6: Getting the upload URL

It then sets up persistence by adding a Run value named “NordStar” under “Software\Microsoft\Windows\CurrentVersion\Run.”
Figure 7: Registry

After the connection, NordDragonScan pivots to local reconnaissance.  It retrieves the victim’s basic information, including computer name, username, OS version, architecture, processor count, driver information, and RAM using a combination of WMI (Win32_OperatingSystem, Win32_ComputerSystem) and .NET environment calls.  The stealer then enumerates every active network adapter, extracts the primary IPv4 address and subnet mask, and calculates the full CIDR range.  It then initiates lightweight probes to each address in the same subnet, building an inventory of reachable hosts on the same local area network (LAN).
Figure 8: Getting networking information
Figure 9: Scanning the network
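The LAN reconnaissance described above (deriving the adapter’s CIDR range from its IPv4 address and subnet mask, then probing every address in it) leaves a distinctive footprint: one host touching many distinct peers inside its own subnet. The following detection analytic, added here as an example and not code from the FortiGuard or Red Sky Alliance report, computes each monitored host’s subnet the same way and flags sweeps; the flow records, adapter table and the threshold of 16 peers are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

def adapter_network(ip, netmask):
    """Return the CIDR network an adapter belongs to, computed from its
    IPv4 address and subnet mask exactly as the stealer derives it."""
    return ipaddress.ip_interface(f"{ip}/{netmask}").network

def detect_subnet_sweeps(flows, adapters, threshold=16):
    """Flag sources that contacted at least `threshold` distinct peers inside
    their own subnet.  `flows` is an iterable of (src_ip, dst_ip) pairs and
    `adapters` maps each monitored host's IPv4 address to its subnet mask.
    Returns {src_ip: number_of_distinct_in_subnet_destinations}."""
    peers = defaultdict(set)
    for src, dst in flows:
        netmask = adapters.get(src)
        if netmask is None:
            continue                     # no adapter data for this source
        net = adapter_network(src, netmask)
        if dst != src and ipaddress.ip_address(dst) in net:
            peers[src].add(dst)
    return {src: len(d) for src, d in peers.items() if len(d) >= threshold}

# Constructed sample data (not from the report): one host walks its /24,
# another talks to a couple of peers, plus some off-subnet traffic to ignore.
ADAPTERS = {"192.168.10.37": "255.255.255.0", "192.168.10.5": "255.255.255.0"}
FLOWS = [("192.168.10.37", f"192.168.10.{i}") for i in range(1, 41)]
FLOWS += [("192.168.10.37", "10.0.0.8"), ("192.168.10.5", "192.168.10.1"),
          ("192.168.10.5", "192.168.10.2"), ("192.168.10.5", "8.8.8.8")]

if __name__ == "__main__":
    # The sweeping host hit 40 addresses, one of which is itself -> 39 peers.
    print(detect_subnet_sweeps(FLOWS, ADAPTERS))   # {'192.168.10.37': 39}
```

The threshold should be tuned per network; a host with a /16 mask legitimately talks to far more in-subnet peers than one on a small /24.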

It also captures a screenshot and saves it as “SPicture.png” and collects data from the targeted Chrome and Firefox browsers.
Figure 10: Copying Chrome data into “Chrm”
Figure 11: Copying Firefox data

NordDragonScan next scans the local file system, including the Desktop, Documents, and Downloads folders, and copies the files in these folders with the following extensions: “.docx,” “.doc,” “.xls,” “.ovpn,” “.rdp,” “.txt,” and “.pdf.”  Each matched file is copied into the working directory and grouped according to the folder it was taken from.  When the scanning stage is complete, it initiates a POST to the C2 server.  That request carries the custom header “User-Agent: Upload” and a second header, “Backups:,” whose value names the data it is about to send, such as “sysinfo.txt” for system information.
Figure 12: Stolen data in the working directory
Figure 13: Uploading system information
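The two C2 request shapes described in this analysis (the “RTYUghjNM” check-in that carries the MAC address and retrieves the upload URL, and the “Upload”/“Backups:” exfiltration POST) can be matched directly in proxy or packet captures. The classifier below is added here as an example and is not code from the FortiGuard or Red Sky Alliance report; the raw request captures are constructed, and the “X-MAC” header name is an assumption because the report does not say which header carries the MAC address.

```python
import re

# Indicators the analysis attributes to NordDragonScan C2 traffic.
C2_HOST = "kpuszkiev.com"
BEACON_UA = "RTYUghjNM"   # first check-in that retrieves the upload URL
UPLOAD_UA = "Upload"      # exfiltration POST, paired with a "Backups:" header
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")

def parse_request(raw):
    """Split a raw HTTP/1.1 request head into (method, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method = request_line.split(" ", 1)[0]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers

def classify(raw):
    """Return a verdict dict for a C2 request, or None if it looks unrelated."""
    method, h = parse_request(raw)
    ua, host = h.get("user-agent", ""), h.get("host", "")
    if ua == BEACON_UA:
        # The MAC header name is undocumented; match a MAC pattern in any value.
        mac = next((m.group(0) for v in h.values() if (m := MAC_RE.search(v))), None)
        return {"stage": "beacon", "host": host, "mac": mac}
    if method == "POST" and ua == UPLOAD_UA and "backups" in h:
        return {"stage": "upload", "host": host, "artifact": h["backups"]}
    if host == C2_HOST:                 # any other contact with the C2 domain
        return {"stage": "contact", "host": host}
    return None

def scan(requests):
    """Classify a batch of captured requests; returns (index, verdict) hits."""
    return [(i, v) for i, raw in enumerate(requests) if (v := classify(raw))]

# Constructed sample captures for demonstration (not real traffic).  The "X-MAC"
# header is an assumed name for the header carrying the MAC address.
SAMPLES = [
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /check HTTP/1.1\r\nHost: kpuszkiev.com\r\nUser-Agent: RTYUghjNM\r\n"
    "X-MAC: 00-11-22-33-44-55\r\n\r\n",
    "POST /upload/abc HTTP/1.1\r\nHost: kpuszkiev.com\r\nUser-Agent: Upload\r\n"
    "Backups: sysinfo.txt\r\nContent-Length: 0\r\n\r\n",
    "POST /api HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Upload\r\n\r\n",
]
```

Calling `scan(SAMPLES)` flags only the second and third captures; the last one shares the “Upload” User-Agent but lacks the “Backups:” header and so is not reported.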

Conclusion - NordDragonScan relies on an effective distribution chain.  The RAR archive contains an LNK shortcut that invokes mshta.exe to execute a malicious HTA script, which displays a Ukrainian-language decoy document and then quietly installs the payload in the background.  NordDragonScan is capable of profiling the host and its local network, capturing a screenshot, extracting documents and PDFs, and harvesting Chrome and Firefox profiles.  Users should treat LNK shortcuts and untrusted compressed archives with extreme caution.


Figure 14: C2's telemetry

IOCs

Domain:

secfileshare[.]com
kpuszkiev[.]com


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com    