A new wave of phishing attacks has been observed sweeping across Russia’s healthcare and IT sectors, attributed to the elusive Rainbow Hyena threat cluster. According to BI.ZONE’s Threat Intelligence team, the group has deployed a previously undocumented backdoor dubbed PhantomRemote, showcasing both technical maturity and an evolving playbook.
The attackers employed compromised email accounts of legitimate organizations to distribute emails with subject lines like:
- Транспортная накладная ТТН № 391-44 от 26.06.2025 (Consignment note TTN No. 391-44 dated 26.06.2025)
- Договор РН83-371 (Contract RN83-371)
Each message carried a ZIP polyglot attachment: a single file that is at once a PE32+ DLL and a valid ZIP archive, so it opens as an ordinary archive in Explorer or an archiver while remaining loadable as a library. The archive portion held a decoy document and a .LNK file that started the infection chain.
The LNK file was designed to:
- Search for the ZIP polyglot in user directories
- Execute the embedded DLL via rundll32.exe
- Extract a decoy document to TEMP to minimize suspicion
- Open the decoy file using a stealthy PowerShell command
“The messages included .zip polyglot attachments… concealing a decoy and a ZIP archive with an LNK file,” BI.ZONE explained.
A sample command from the LNK file shows how heavily the chain leans on built-in tooling: a single obfuscated line combines PowerShell, extraction from the ZIP portion of the attachment, and loading of the same file as a DLL through rundll32.exe.
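The polyglot property is easy to verify offline, and it is the same check a mail gateway or sandbox can apply to an attachment. The following is an added example, not BI.ZONE's tooling and not the attackers' code: it builds a constructed stand-in (a bare MZ DOS header instead of a real PE32+ DLL, with a ZIP archive appended) and confirms that the same bytes start with an MZ signature and also parse as a ZIP archive containing a .LNK file. The member names and decoy content are made up for the example.

```python
"""Check whether a file is a PE/ZIP polyglot like the Rainbow Hyena lure.

Added example (not BI.ZONE's tooling and not the attackers' code). The sample
built here is a constructed stand-in: a bare 'MZ' DOS header instead of a real
PE32+ DLL, with a ZIP archive appended. The structural property being tested
is the real one: the same bytes start with an MZ header and also end with a
valid ZIP end-of-central-directory record.
"""
import io
import struct
import zipfile


def build_sample_polyglot() -> bytes:
    """Constructed stand-in: minimal DOS header + padding, then a ZIP archive."""
    # IMAGE_DOS_HEADER is 64 bytes; e_lfanew (offset 0x3C) would point at the
    # PE header in a real DLL. Here it just points past the stub.
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80)
    pe_stand_in = dos_header + b"\x00" * (0x200 - len(dos_header))

    # The archive is written normally; its internal offsets are relative to
    # its own start, which is why an "appended" ZIP still parses.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("TTN 391-44.pdf", b"%PDF-1.4\n%decoy document\n")  # decoy
        # First 8 bytes of a Shell Link header (size 0x4C + CLSID start).
        zf.writestr("TTN 391-44.lnk", b"L\x00\x00\x00" + b"\x01\x14\x02\x00")
    return pe_stand_in + buf.getvalue()


def zip_start_offset(data: bytes) -> int:
    """Offset of the first local file header, i.e. where the ZIP portion begins."""
    return data.find(b"PK\x03\x04")


def is_pe_zip_polyglot(data: bytes) -> bool:
    """True when the blob starts with a DOS 'MZ' header and also parses as a ZIP.

    zipfile locates the end-of-central-directory record from the file end and
    compensates for leading bytes, which is exactly why archive tools open such
    a file as an archive while the Windows loader treats it as a DLL.
    """
    if not data.startswith(b"MZ"):
        return False
    return zipfile.is_zipfile(io.BytesIO(data))


def list_members(data: bytes) -> list[str]:
    """Member names of the ZIP portion, in central-directory order."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def lnk_members(data: bytes) -> list[str]:
    """Shortcut files inside the archive: the component that starts the chain."""
    return [n for n in list_members(data) if n.lower().endswith(".lnk")]


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print("polyglot:", is_pe_zip_polyglot(sample))
    print("zip starts at offset", zip_start_offset(sample))
    print("members:", list_members(sample))
    print("LNK inside:", lnk_members(sample))
```

A file that is both MZ-headed and a valid ZIP is rare enough in legitimate mail that the combination alone is worth quarantining; an archive member ending in .lnk inside such a file should be treated as hostile.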
BI.ZONE’s most important discovery is a brand-new malware family: PhantomRemote, a PE32+ DLL written in C++.
Once executed, PhantomRemote:
- Collects system metadata, including GUID, computer name, and domain
- Creates a hidden working directory in %PROGRAMDATA%, such as YandexCloud or MicrosoftAppStore
- Polls its Command & Control server over HTTP, passing the collected identifiers in the query string: http://91.239.148[.]21/poll?id=&hostname=&domain= (the empty parameters are filled from the GUID, computer name, and domain gathered above)
- Executes commands via cmd.exe, downloads files, and sends results via HTTP POST requests
Notably, its traffic uses custom User-Agent headers like YandexCloud/1.0 and MicrosoftAppStore/2001.0 to blend in with legitimate software.
PhantomRemote supports at least two command types:
- cmd:<command>: Executes system commands and captures output
- download:<URL>: Fetches files and stores them in the working directory
After executing a command, PhantomRemote sleeps 10 seconds before polling again, or 1 second if the command fails: a fixed, simple cadence that shows up as regularly spaced beacons in proxy logs.
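The indicators above (two User-Agent strings, the /poll beacon shape, the C2 address, and the 10-second sleep) translate directly into detection logic. The following is an added example, not BI.ZONE's detection content: it runs those checks over constructed proxy log lines, measures the interval between successive beacons per client, and parses the two documented task prefixes. The log format and every line in SAMPLE_LOG are made up for the example; the path used for the HTTP POST result upload is not given in the article and is therefore not modelled.

```python
"""Spot PhantomRemote beaconing in proxy logs and parse its tasking format.

Added example, not BI.ZONE's detection content. Indicators are the ones the
article gives: the two User-Agent strings, the /poll?id=&hostname=&domain=
beacon shape, the C2 address 91.239.148[.]21, and the 10-second sleep between
commands. The log format and every line in SAMPLE_LOG are constructed for the
example; the result-upload path is not named in the article and is not modelled.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

PHANTOMREMOTE_USER_AGENTS = {"YandexCloud/1.0", "MicrosoftAppStore/2001.0"}
KNOWN_C2 = {"91.239.148.21"}          # written 91.239.148[.]21 in the article
BEACON_PARAMS = {"id", "hostname", "domain"}

# Constructed log lines (not real telemetry): ts client method url status "user-agent"
SAMPLE_LOG = """\
2025-06-26T09:14:02Z 10.0.4.17 GET http://91.239.148.21/poll?id=a4f1c2d3-0000-4000-8000-000000000001&hostname=WS-0117&domain=CORP 200 "YandexCloud/1.0"
2025-06-26T09:14:12Z 10.0.4.17 GET http://91.239.148.21/poll?id=a4f1c2d3-0000-4000-8000-000000000001&hostname=WS-0117&domain=CORP 200 "YandexCloud/1.0"
2025-06-26T09:14:22Z 10.0.4.17 GET http://91.239.148.21/poll?id=a4f1c2d3-0000-4000-8000-000000000001&hostname=WS-0117&domain=CORP 200 "YandexCloud/1.0"
2025-06-26T09:14:25Z 10.0.4.22 GET https://cloud.yandex.ru/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2025-06-26T09:16:40Z 10.0.5.3 GET http://198.51.100.7/poll?id=7&hostname=WS-0203&domain=CORP 200 "MicrosoftAppStore/2001.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_line(line: str):
    """One log line into a record, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "method": method, "url": urlsplit(url),
        "status": int(status), "ua": ua,
    }


def beacon_reasons(rec) -> list[str]:
    """Independent indicators; any one deserves a look, two or more is a hit."""
    reasons = []
    if rec["ua"] in PHANTOMREMOTE_USER_AGENTS:
        reasons.append("PhantomRemote User-Agent")
    if rec["url"].hostname in KNOWN_C2:
        reasons.append("known C2 address")
    params = parse_qs(rec["url"].query, keep_blank_values=True)
    if rec["url"].path == "/poll" and BEACON_PARAMS.issubset(params):
        reasons.append("/poll beacon with id/hostname/domain")
    return reasons


def scan(log: str) -> list[tuple[str, list[str]]]:
    """(client, reasons) for every line that matches at least one indicator."""
    hits = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = beacon_reasons(rec)
        if reasons:
            hits.append((rec["client"], reasons))
    return hits


def beacon_intervals(log: str) -> dict[str, list[float]]:
    """Seconds between consecutive /poll requests per client. A flat 10 s
    cadence matches the sleep the article describes after a successful command."""
    seen = defaultdict(list)
    for line in log.splitlines():
        rec = parse_line(line)
        if rec and rec["url"].path == "/poll":
            seen[rec["client"]].append(rec["ts"])
    return {c: [(b - a).total_seconds() for a, b in zip(t, t[1:])]
            for c, t in seen.items()}


def parse_task(body: str):
    """Split a C2 reply into (verb, argument) using the two documented prefixes."""
    for verb in ("cmd", "download"):
        prefix = verb + ":"
        if body.startswith(prefix):
            return verb, body[len(prefix):]
    return None


if __name__ == "__main__":
    for client, reasons in scan(SAMPLE_LOG):
        print(client, "->", ", ".join(reasons))
    print("intervals:", beacon_intervals(SAMPLE_LOG))
    print(parse_task("cmd:whoami"), parse_task("download:http://198.51.100.7/x.bin"))
```

The last log line matters: the User-Agent and the /poll shape fire even though the server is not the published C2 address, which is the case you want covered when the operators move infrastructure. The interval check is the weakest signal on its own (plenty of agents poll every 10 seconds) and is best used to rank hits, not to generate them.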
“The backdoor collects information about the compromised system, loads other executables from the C2 server, and runs commands via the cmd.exe interpreter.”
BI.ZONE notes that Rainbow Hyena—initially believed to be a hacktivist collective—has increasingly shifted toward espionage and financially motivated cybercrime.
“Hacktivist groups are increasingly shifting toward more conventional illicit activities such as espionage and financial gain while adopting more sophisticated methods and tools,” the report concludes.