Researchers from FortiGuard Labs recently uncovered an active delivery site that hosts a weaponized HTA script and silently drops the infostealer “NordDragonScan” into victims’ environments. Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots. The package is then sent over TLS to its command-and-control server, “kpuszkiev.com,” which also serves as a heartbeat server to confirm the victim is still online and to request additional data when needed.
Initial Vector - Attackers leverage shorter link services with “hxxps://cutt[.]ly/4rnmskDe” that redirects to “hxxps://secfileshare[.]com,” triggering the download of a RAR archive named “Укрспецзв_Акт_30_05_25_ДР25_2313_13 від 26_02_2025.rar” (Ukrspetszv_Act_30_05_25_DR25_2313_13 dated 26_02_2025). This file contains a malicious LNK shortcut that silently invokes mshta.exe to execute the hosted HTA payload “1.hta” from the same server.
Figure 1: LNK file
The malicious HTA file copies the legitimate PowerShell.exe binary to the path “C:\Users\Public\Documents\install.exe” to mask itself. It then downloads an encoded TXT file from a remote server, decodes it, and saves the result as “Act300525.doc.” This decoy document, titled “Акт здачі-приймання наданих Послуг до договору про надання послуг” (Act of Acceptance of Services under Service Agreement), is benign and intended to distract the user. Finally, the HTA script quietly drops and executes the actual malicious payload, embedded as a hardcoded executable named adblocker.exe, into the victim’s directory “\AppData\Local\Temp\adblocker.exe.”
Figure 2: HTA file "1.hta"
Figure 3: Decoy document from "1.hta"
The attacker’s server maintains multiple decoy files designed to entice user interactions. These decoys employ a similar HTA script mechanism, which drops and executes the same payload, “adblocker.exe,” on compromised systems. The repeated use of the same executable across diverse decoys suggests a systematic approach by the threat actor to maximize infection opportunities while utilizing varied document themes and filenames to evade detection and security monitoring.
Figure 4: Decoy documents
Infostealer - The payload is a .NET executable containing an embedded PDB path: “C:\Users\NordDragon\Documents\visual studio.”
NordDragonScan employs a custom string obfuscation routine, which performs an XOR operation and byte-swapping to conceal hard-coded strings from static analysis. It initially verifies if its dedicated working directory, “NordDragonScan,” exists in the “%LOCALAPPDATA%” folder. If this directory is absent, it creates it as a staging area to temporarily store stolen data before uploading it to the C2 server.
Figure 5: Checking the directory
It contacts the C2 server, ”kpuszkiev.com,” that contains specially crafted HTTP headers, specifically, “User-Agent: RTYUghjNM,” along with the victim machine’s MAC address. During its initial connection, the primary objective is to retrieve a dynamic URL from the C2, which is later leveraged as an endpoint for exfiltrating stolen data.
Figure 6: Getting the upload URL
It then sets up persistence by adding a registry “NordStar” in “Software\Microsoft\Windows\CurrentVersion\Run.”
Figure 7: Registry
After the connection, NordDragonScan pivots to local reconnaissance. It retrieves the victim’s basic information, including computer name, username, OS version, architecture, processor count, driver information, and RAM using a combination of WMI (Win32_OperatingSystem, Win32_ComputerSystem) and .NET environment calls. The stealer then enumerates every active network adapter, extracts the primary IPv4 address and subnet mask, and calculates the full CIDR range. It then initiates lightweight probes to each address in the same subnet, building an inventory of reachable hosts on the same local area network (LAN).
Figure 8: Getting networking information
Figure 9: Scanning the network
It also captures a screenshot and saves it as “SPicture.png” and collects data from the targeted Chrome and Firefox browsers.
Figure 10: Copying Chrome data into “Chrm”
Figure 11: Copying Firefox data
NordDragonScan next scans the local file system, including Desktop, Documents, and Downloads folders, and copies the files in these folders with the following extensions: “.docx,” “.doc,” “.xls,” “.ovpn,” “.rdp,” “.txt,” and “.pdf.” Once it obtains a matched file, it copies it into the working directory and groups it according to the source from which it was obtained. When the scanning stage is complete, it initiates a POST to the C2 server. That request carries the custom header “User-Agent: Upload,” a second header, “Backups:,” and the name of the data it is about to send, such as “sysinfo.txt” for system information.
Figure 12: Stolen data in the working directory
Figure 13: Uploading system information
Conclusion - NordDragonScan utilizes an effective distribution network for dissemination. The RAR file contains LNK calls that invoke mshta.exe to execute a malicious HTA script, displaying a decoy document in the Ukrainian language. Finally, it quietly installs its payload in the background. NordDragonScan is capable of scanning the host, capturing a screenshot, extracting documents and PDFs, and sniffing Chrome and Firefox profiles. Users should treat LNK shortcuts and untrusted compressed archives with extreme caution.
Figure 14: C2's telemetry
IOCs
Domain:
secfileshare[.]com
kpuszkiev[.]com
Rar:
2102c2178000f8c63d01fd9199400885d1449501337c4f9f51b7e444aa6fbf50
e07b33b5560bbef2e4ae055a062fdf5b6a7e5b097283a77a0ec87edb7a354725
3f3e367d673cac778f3f562d0792e4829a919766460ae948ab2594d922a0edae
HTA:
f8403e30dd495561dc0674a3b1aedaea5d6839808428069d98e30e19bd6dc045
fbffe681c61f9bba4c7abcb6e8fe09ef4d28166a10bfeb73281f874d84f69b3d
39c68962a6b0963b56085a0f1a2af25c7974a167b650cf99eb1acd433ecb772b
9d1f587b1bd2cce1a14a1423a77eb746d126e1982a0a794f6b870a2d7178bd2c
7b2b757e09fa36f817568787f9eae8ca732dd372853bf13ea50649dbb62f0c5b
Executable:
f4f6beea11f21a053d27d719dab711a482ba0e2e42d160cefdbdad7a958b93d0
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
Comments