[Figure: Infection Chain. Image: Seqrite Lab]
At a glance
- Actor: Suspected unknown threat cluster (tracked by Seqrite Lab)
- Activity Type: Spear-phishing, credential theft, and information stealing
- Targets: Thailand’s healthcare sector (hospitals, Ministry of Health, clinics)
- Scale: Active campaign lasting roughly ten weeks
- Jurisdiction: No official arrests or law enforcement actions reported
- Source: Seqrite Lab
TL;DR
Threat actors are targeting medical organizations in Thailand with an information-stealing campaign. After gaining a foothold through RAR archive phishing, the attackers harvest browser data and credentials. Defenders should monitor systems for unauthorized Startup folder modifications and block malicious scripts.
What happened
On April 7, 2026, a new cyberattack campaign emerged. Attackers sent fake medical approval documents to government health teams. The initial infection vector is a phishing message carrying a RAR archive, and the files inside it contain malicious code.
Inside the archive, an obfuscated batch file executes. First, the script creates a temporary payload. Next, it uses PowerShell to decode embedded data. Afterward, the malware downloads a persistence script and stores it in the Windows Startup folder, so the script runs every time the victim logs in.
Finally, the attack chain deploys a Python-based information stealer. The malware, named sim.py, forcibly terminates web browsers. It then harvests stored credentials and session cookies. A recent Seqrite Lab report explains this process. Researchers noted, “The campaign leverages healthcare-themed spear-phishing lures distributed through malicious RAR archives containing obfuscated batch scripts and executable payloads.”
Who is behind it
Analysts attribute this activity to a suspected single threat actor. However, researchers have not confirmed an exact identity. Seqrite Lab tracks similar campaigns linked to China-aligned groups. Regardless, evidence points to a focused operation. The attackers understand medical workflows well. Their lures specifically impersonate the Ministry of Health. Authorities have not announced any formal charges against the operators.
Impact or scale
The operation impacted Thailand’s healthcare sector for about ten weeks. The attackers cast a wide net across the industry. Targeted groups included hospital administration staff, radiology clinics, and supply chain teams.
The malware extracts highly sensitive information. It collects browser data and stores it in ZIP files. Then, the malware attempts to send this data to a Telegram channel. The report states, “The lure themes suggest deliberate targeting of healthcare-related functions and demonstrate a strong understanding of operational workflows within the sector.” Although some Telegram exfiltration attempts failed, the threat remains high.
What comes next and protection
Healthcare organizations face ongoing risk from this campaign. The threat actor can update payloads remotely, because the persistence script retrieves new commands directly from GitHub.
Administrators should train staff to spot RAR archive phishing attempts. Furthermore, security teams must monitor the Windows Startup folder closely. Defenders should restrict the execution of untrusted binaries. Finally, organizations must investigate any unusual automated browser terminations on staff computers.
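A defender-side check for the Startup folder persistence described above, added here as an example and not taken from the Seqrite Lab report: it lists every entry in the common and per-user Startup folders, resolves shortcuts to their targets, and flags script-type targets for review. It assumes the standard Windows profile layout under the local profile root and the usual script extensions listed in the code.

```powershell
# Added example (not from the Seqrite Lab report): enumerate Windows Startup
# folders and flag script or shortcut entries, since the campaign drops a
# persistence script there so it runs at every logon.

# Common (all-users) and current-user Startup folders
$startupPaths = @(
    [Environment]::GetFolderPath('CommonStartup'),
    [Environment]::GetFolderPath('Startup')
)

# Every local profile's Startup folder (assumes the standard profile layout)
$profileRoot = Split-Path -Parent $env:USERPROFILE
foreach ($profile in (Get-ChildItem -Path $profileRoot -Directory -ErrorAction SilentlyContinue)) {
    $startupPaths += Join-Path $profile.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
}

# Extensions that indicate scripted persistence rather than a benign app shortcut
$suspectExtensions = @('.bat', '.cmd', '.ps1', '.vbs', '.js', '.wsf', '.py', '.hta')
$shell = New-Object -ComObject WScript.Shell

$results = foreach ($path in ($startupPaths | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    foreach ($item in (Get-ChildItem -LiteralPath $path -File -Force -ErrorAction SilentlyContinue)) {
        $target = $item.FullName
        # Resolve .lnk shortcuts so a shortcut pointing at a script is not missed
        if ($item.Extension -ieq '.lnk') {
            try { $target = $shell.CreateShortcut($item.FullName).TargetPath }
            catch { $target = '<unresolvable>' }
        }
        $ext = [IO.Path]::GetExtension($target).ToLowerInvariant()
        $status = if ($suspectExtensions -contains $ext) { 'REVIEW' } else { 'info' }
        [PSCustomObject]@{
            Status   = $status
            Entry    = $item.FullName
            Target   = $target
            Modified = $item.LastWriteTime
            SHA256   = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
        }
    }
}

# Flagged entries first; newest modifications first within each group
$results | Sort-Object Status, Modified -Descending | Format-Table -AutoSize
```

Run it from an elevated session so other users' profile folders are readable; the SHA256 column lets an analyst compare any REVIEW entry against known-good baselines.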