Inside a Multi-Stage Windows Malware Campaign
ID: 97b8781c-40d1-5424-897f-75fb4a342d5e
STIX ID: report--97b8781c-40d1-5424-897f-75fb4a342d5e
Feed Name: Fortinet Blog
FortiGuard Labs documents a sophisticated, multi-stage malware campaign targeting Windows users—primarily in Russia—where malicious LNK files launch PowerShell to fetch staged scripts hosted on GitHub and Dropbox. The chain hides execution with decoy documents, disables Microsoft Defender (including abusing Defendnot), establishes persistence and surveillance via Amnesia RAT (credential/session theft, clipboard monitoring, screenshots), then deploys Hakuna Matata–derived ransomware and a WinLocker to encrypt files, destroy recovery artifacts, and coerce victims; the report includes detailed TTPs, MITRE ATT&CK mappings, and IOCs.
