FortiGuard Labs has issued a critical alert about a new, active infostealer malware campaign. Dubbed NordDragonScan, the malware is delivered via weaponized HTA scripts and is capable of extensive reconnaissance, browser profile theft, and data exfiltration, all under the guise of harmless Ukrainian-language documents.
Attackers are using shortened URLs (e.g., hxxps://cutt[.]ly/4rnmskDe) that redirect to a malicious file host at secfileshare[.]com. The downloaded file is a RAR archive titled: Укрспецзв_Акт_30_05_25_ДР25_2313_13 від 26_02_2025.rar. It contains a malicious LNK shortcut, which triggers mshta.exe to fetch and execute the HTA script 1.hta.
“The malicious HTA file copies the legitimate PowerShell.exe binary… downloads an encoded TXT file… saves it as ‘Act300525.doc’—a benign decoy meant to distract the user,” Fortinet explains.

Meanwhile, the real payload—adblocker.exe—is silently dropped into the victim’s %TEMP% directory and executed.
The payload, a .NET executable, contains a hardcoded PDB path revealing its developer’s environment (C:\Users\NordDragon\Documents\visual studio). It uses XOR-based string obfuscation and performs a multi-stage operation:
System Reconnaissance
- Captures system info (hostname, user, OS version, hardware specs)
- Logs MAC address and sends a “heartbeat” to C2 at kpuszkiev.com
Local Surveillance
- Takes screenshots (SPicture.png)
- Scans and inventories all reachable devices on the LAN using CIDR probing
Data Harvesting
- Collects browser data from Chrome and Firefox
- Steals documents and files with extensions like .doc, .xls, .ovpn, .rdp, .pdf from common folders (Desktop, Documents, Downloads)
“It verifies if its dedicated working directory ‘NordDragonScan’ exists in %LOCALAPPDATA%, then creates it to stage the stolen data,” Fortinet noted.
The final upload to the C2 server includes metadata headers:
- User-Agent: Upload
- Backups: [data type name] (e.g., sysinfo.txt)
To survive system reboots, the malware registers itself under Software\Microsoft\Windows\CurrentVersion\Run as a value named NordStar.
The data exfiltration endpoint is dynamically retrieved from the C2 during the initial connection, allowing attackers to rotate collection infrastructure seamlessly.
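As an added example (not part of the FortiGuard report and not code from the malware), the script below turns the behaviours described above into a small offline triage check: it scores constructed endpoint and proxy log records for the mshta-launched HTA, a copied PowerShell.exe running outside its normal directory, the adblocker.exe payload in %TEMP%, the NordStar Run value, the NordDragonScan staging folder, and the "User-Agent: Upload" / "Backups" exfiltration headers. The record field names are an assumption modelled loosely on Sysmon-style telemetry, the sample records are constructed, and the location of the copied PowerShell binary is assumed (the report does not state it).

```python
import re

# Indicators quoted from the report. The article defangs the domains with
# "[.]"; they are written plainly here only so they can be matched.
C2_HOSTS = {"kpuszkiev.com", "secfileshare.com"}
RUN_KEY_RE = re.compile(r"software\\microsoft\\windows\\currentversion\\run$", re.I)
# Standard locations of the real PowerShell binary; a powershell.exe running
# from anywhere else is treated as the "copied PowerShell.exe" the report describes.
STD_PS_PATHS = (r"\windows\system32\windowspowershell\v1.0\powershell.exe",
                r"\windows\syswow64\windowspowershell\v1.0\powershell.exe")


def check_process(r):
    """Process-creation records: LNK -> mshta -> copied PowerShell -> adblocker.exe chain."""
    image = r.get("image", "").lower()
    cmd = r.get("cmdline", "").lower()
    hits = []
    if image.endswith("\\mshta.exe") and ".hta" in cmd:
        hits.append(("mshta_hta_launch", "medium"))
    if image.endswith("\\powershell.exe") and not image.endswith(STD_PS_PATHS):
        hits.append(("powershell_copy_outside_system_dir", "high"))
    if image.endswith("\\adblocker.exe") and "\\temp\\" in image:
        hits.append(("payload_adblocker_in_temp", "high"))
    return hits


def check_registry(r):
    """Registry-set records: the NordStar value under the per-user Run key."""
    if RUN_KEY_RE.search(r.get("key", "")) and r.get("value_name", "").lower() == "nordstar":
        return [("run_key_nordstar_persistence", "high")]
    return []


def check_file(r):
    """File-create records: the staging directory created in %LOCALAPPDATA%."""
    if "\\appdata\\local\\norddragonscan\\" in r.get("path", "").lower():
        return [("staging_dir_norddragonscan", "high")]
    return []


def check_http(r):
    """Proxy records: known C2 host and the upload headers used for exfiltration."""
    headers = {k.lower(): v for k, v in r.get("headers", {}).items()}
    hits = []
    if r.get("host", "").lower() in C2_HOSTS:
        hits.append(("known_c2_host", "high"))
    if headers.get("user-agent") == "Upload" and "backups" in headers:
        hits.append(("upload_ua_with_backups_header", "high"))
    return hits


CHECKS = {"process": check_process, "registry": check_registry,
          "file": check_file, "http": check_http}


def triage(records):
    """Return (record_id, rule, severity) for every rule that fires on any record."""
    findings = []
    for r in records:
        for rule, sev in CHECKS.get(r.get("kind"), lambda _: [])(r):
            findings.append((r["id"], rule, sev))
    return findings


# Constructed sample telemetry (assumed field layout); records 6 and 7 are benign controls.
SAMPLE_RECORDS = [
    {"id": 1, "kind": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/1.hta"},  # placeholder URL
    {"id": 2, "kind": "process", "image": r"C:\Users\u\AppData\Local\Temp\adblocker.exe",
     "cmdline": "adblocker.exe"},
    {"id": 3, "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "NordStar", "value_data": r"C:\Users\u\AppData\Local\Temp\adblocker.exe"},
    {"id": 4, "kind": "file", "path": r"C:\Users\u\AppData\Local\NordDragonScan\sysinfo.txt"},
    {"id": 5, "kind": "http", "host": "kpuszkiev.com",
     "headers": {"User-Agent": "Upload", "Backups": "sysinfo.txt"}},
    {"id": 6, "kind": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
    {"id": 7, "kind": "http", "host": "www.example.com",
     "headers": {"User-Agent": "Mozilla/5.0"}},
    {"id": 8, "kind": "process", "image": r"C:\Users\u\AppData\Local\Temp\powershell.exe",
     "cmdline": "powershell.exe -w hidden"},  # assumed location of the copied binary
]

if __name__ == "__main__":
    for rec_id, rule, sev in triage(SAMPLE_RECORDS):
        print(f"record {rec_id}: {rule} [{sev}]")
```

Each check is independent, so a single hit is only a lead; the value of the script is in correlating several rules on one host (for example the Run value plus an upload with the Backups header), which is what the report's chain implies.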
FortiGuard Labs warns that LNK shortcuts, HTA scripts, and compressed archive attachments should be treated with extreme caution, especially in multilingual or government-themed phishing emails.