Hackers Backdoor Russian State, Industrial Organizations for Data Theft
Several state and industrial organizations in Russia have been targeted with a custom Go-based backdoor that steals data, likely in support of espionage. Kaspersky first detected the campaign in June 2023 and spotted a newer version of the backdoor in mid-August.

The attack begins with a malicious email carrying a decoy PDF document and an NSIS (Nullsoft Scriptable Install System) script that downloads the payload from an external URL. The script drops the payload into a fixed directory on disk and establishes persistence by adding a Start Menu shortcut that points at it.

Once running, the backdoor can list files, exfiltrate them, read the clipboard, capture screenshots, and search for files by extension. All data sent to the command-and-control server is encrypted. The malware also checks whether it is running in a virtualized environment and exits if so, a common anti-analysis step meant to keep it from detonating in a sandbox.

The variant discovered in August adds the ability to steal saved passwords from 27 web browsers and from the Thunderbird email client.
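The drop-then-persist step described above (a process writes an executable into a writable directory, then creates a Start Menu shortcut) is something a defender can hunt for in endpoint telemetry. The following is an added example of such a correlation check; it is not Kaspersky's detection logic or any of the malware's code. It assumes a Sysmon-style FileCreate (Event ID 11) record shape with `time`, `pid`, `image` and `target` fields, treats `ProgramData`, `AppData` and `Temp` as drop directories, uses a five-minute window, and runs over constructed sample events rather than real logs.

```python
"""Hunt for the drop-then-persist pattern in Sysmon-style FileCreate records:
one process writes a PE file into a user-writable directory and, shortly
afterwards, creates a .lnk under a Start Menu path. Added example; the event
schema, directory list and window are assumptions, and the events are constructed."""
from datetime import datetime, timedelta

# Path components treated as user-writable drop locations (assumption).
DROP_DIRS = {"programdata", "appdata", "temp"}
PAYLOAD_EXT = (".exe", ".dll")
WINDOW = timedelta(minutes=5)  # maximum gap between payload drop and shortcut creation

# Constructed sample events (not real telemetry). pid 4120 shows the suspicious
# sequence; the other processes are benign controls.
SAMPLE_EVENTS = [
    {"time": "2023-06-12T09:14:02", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice_2023.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\invoice_2023.pdf"},
    {"time": "2023-06-12T09:14:05", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice_2023.exe",
     "target": r"C:\ProgramData\Example\svc.exe"},
    {"time": "2023-06-12T09:14:07", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\invoice_2023.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.lnk"},
    # Benign: a vendor installer in Program Files adds a Start Menu shortcut but dropped no PE.
    {"time": "2023-06-12T10:02:00", "pid": 5100,
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Vendor\Vendor.lnk"},
    # Benign: a build tool writes an .exe to Temp but never creates a shortcut.
    {"time": "2023-06-12T10:30:00", "pid": 6200,
     "image": r"C:\Program Files\Build\link.exe",
     "target": r"C:\Users\alice\AppData\Local\Temp\a.out.exe"},
]


def components(path):
    """Lower-cased path components, so checks are case-insensitive and tolerate either slash."""
    return [c for c in path.lower().replace("/", "\\").split("\\") if c]


def is_payload_drop(target):
    parts = components(target)
    if not parts:
        return False
    return parts[-1].endswith(PAYLOAD_EXT) and bool(DROP_DIRS & set(parts[:-1]))


def is_start_menu_link(target):
    parts = components(target)
    if not parts:
        return False
    return parts[-1].endswith(".lnk") and "start menu" in parts


def find_drop_then_persist(events, window=WINDOW):
    """Return one finding per (payload drop, shortcut) pair created by the same
    process within `window`. Events are dicts with time (ISO 8601), pid, image, target."""
    findings = []
    drops_by_pid = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        drops = drops_by_pid.setdefault(ev["pid"], [])
        if is_payload_drop(ev["target"]):
            drops.append((ts, ev["target"]))
        elif is_start_menu_link(ev["target"]):
            for drop_ts, drop_path in drops:
                if ts - drop_ts <= window:
                    findings.append({
                        "pid": ev["pid"],
                        "image": ev["image"],
                        "payload": drop_path,
                        "shortcut": ev["target"],
                        "seconds_between": (ts - drop_ts).total_seconds(),
                    })
    return findings


if __name__ == "__main__":
    for f in find_drop_then_persist(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['image']}) dropped {f['payload']} and "
              f"{f['seconds_between']:.0f}s later created {f['shortcut']}")
```

Keying on the process rather than on the shortcut alone is what keeps the rule quiet: legitimate installers create Start Menu shortcuts constantly, but they rarely do so seconds after writing an executable into `ProgramData` or `Temp`. Because Windows reuses PIDs, a production version should key on a process GUID (Sysmon's `ProcessGuid`) instead of the bare PID.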