Summary: A report by SEQRITE Labs APT-Team reveals a sophisticated cyber campaign named Operation HollowQuill, which targets sensitive Russian research and development organizations using weaponized decoy documents. The operation, notably involving the Baltic State Technical University, employs a multi-stage infection chain to deliver a Cobalt Strike beacon and compromise valuable data. The campaign highlights advanced malware techniques and the attackers’ strategies of deception through seemingly legitimate documents.
Affected: Baltic State Technical University and other governmental and defense-related entities
Key points:
- Operation HollowQuill uses weaponized decoy documents, made to resemble official research invitations, to initiate its attacks.
- The multi-stage infection process includes a malicious RAR file, a .NET dropper, a Golang shellcode loader, and a final Cobalt Strike payload.
- The threat actor’s infrastructure contained OPSEC mistakes that made investigating the campaign and tracking similar attacks easier.
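The lure described above relies on a file that looks like an invitation document but is something else (an archive, or a .NET executable). A basic triage check a mail gateway or sandbox can run is to compare each attachment's claimed extension with its content signature and flag mismatches, executables hiding under document names, and archives that need inner-file inspection. The following script is an added example, not code from the SEQRITE report or from the HollowQuill samples; the magic-byte table, the severity scale and all sample inputs are constructed for illustration.

```python
"""Added triage example (not code from the SEQRITE report): compare an
attachment's claimed extension with its content signature so that a
'research invitation' that is really a PE executable or a RAR archive is
flagged before a user opens it.  All sample inputs are constructed bytes."""
import os

# Leading bytes (magic) of the formats that matter for document-lure campaigns.
SIGNATURES = [
    (b"MZ", "pe"),                                   # Windows PE, incl. .NET droppers
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                          # OOXML (.docx etc.) or plain zip
    (b"Rar!\x1a\x07", "rar"),                        # RAR4 and RAR5 share this prefix
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls (OLE2)
    (b"{\\rtf", "rtf"),
]

DOCUMENT_EXT = {".pdf": "pdf", ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
                ".doc": "ole", ".xls": "ole", ".rtf": "rtf"}
ARCHIVE_EXT = {".zip", ".rar"}
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".com"}

LEVELS = ["none", "low", "medium", "high"]   # constructed severity scale


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def _raise(result: dict, level: str, reason: str) -> None:
    """Record a finding and raise the severity; never lower it."""
    result["reasons"].append(reason)
    if LEVELS.index(level) > LEVELS.index(result["severity"]):
        result["severity"] = level


def assess(filename: str, data: bytes) -> dict:
    """Triage one attachment: extension vs. content, plus lure-style naming."""
    root, ext = os.path.splitext(filename.lower())
    kind = sniff(data)
    result = {"file": filename, "ext": ext, "content": kind, "verdict": "ok",
              "severity": "none", "double_extension": False, "reasons": []}

    # 1. Executable content under a non-executable name is the classic lure.
    if kind == "pe" and ext not in EXECUTABLE_EXT:
        result["verdict"] = "mismatch"
        _raise(result, "high", f"PE executable delivered as '{ext or '(no ext)'}'")
    # 2. A document extension whose bytes are some other format.
    elif ext in DOCUMENT_EXT and kind != DOCUMENT_EXT[ext]:
        result["verdict"] = "mismatch"
        _raise(result, "medium", f"'{ext}' name but content looks like {kind}")
    # 3. Archives hide their payload (a RAR stage, for instance): queue for inspection.
    elif kind == "rar" or ext in ARCHIVE_EXT:
        result["verdict"] = "archive"
        _raise(result, "low", "archive attachment; inspect inner files")
    # 4. An honestly named executable is still not an invitation document.
    elif kind == "pe":
        result["verdict"] = "executable"
        _raise(result, "medium", "executable attachment where a document was expected")

    # 'Invitation.pdf.exe' style names: a document extension hidden before the real one.
    if os.path.splitext(root)[1] in DOCUMENT_EXT:
        result["double_extension"] = True
        _raise(result, "high", "document extension hidden before the real one")
    return result


def triage(items: list) -> list:
    """Assess (filename, bytes) pairs and return them most severe first."""
    results = [assess(name, data) for name, data in items]
    return sorted(results, key=lambda r: LEVELS.index(r["severity"]), reverse=True)


# Constructed samples only; none are real HollowQuill artefacts.
SAMPLES = [
    ("Conference_Agenda.docx", b"PK\x03\x04" + b"\x00" * 16),
    ("Research_Invitation.pdf", b"MZ\x90\x00\x03" + b"\x00" * 60),
    ("Invitation.pdf.exe", b"MZ" + b"\x00" * 16),
    ("materials.rar", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8),
]

if __name__ == "__main__":
    for r in triage(SAMPLES):
        print(f"{r['severity']:<6} {r['verdict']:<10} {r['file']}: {'; '.join(r['reasons'])}")
```

The check is deliberately cheap: it reads only the first bytes of each file and needs no archive extraction, so it can sit in front of heavier sandboxing and decide which attachments deserve detonation. Archive verdicts are intentionally low severity on their own; the payload inside an archive only becomes visible once the inner files are run through the same check.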