Operation DupeHike
Operation DupeHike is a threat activity cluster that reporting links, through related activity and similar TTPs, to campaigns targeting Russian organizations. The source reporting states that related activity has been linked to Operation DupeHike (UNG0902) and to Paper Werewolf/GOFFEE, with similar techniques and objectives against Russian entities.

Targets in the referenced activity are Russian corporate organizations, particularly HR, payroll, and internal administration departments. The observed tradecraft is multi-stage spearphishing with Russian-language business lures delivered in ZIP/RAR archives containing malicious LNK files with double extensions, followed by abuse of native Windows capabilities (PowerShell, VBScript, registry modification, and file association hijacking) rather than exploitation of CVEs. Payloads are staged and delivered through public cloud and web services including GitHub and Dropbox; command and control and exfiltration use the Telegram Bot API over HTTPS, with larger transfers via GoFile.

The infection chain includes opening decoy documents, delayed execution, UAC elevation attempts, weakening endpoint defenses by adding Microsoft Defender exclusions and using the defendnot tool to disable Defender, deploying a .NET screenshot-capture module that exfiltrates images via Telegram, delivering Amnesia RAT for remote access and data theft, and deploying a Hakuna Matata-family ransomware variant. The activity is described as combining surveillance/espionage objectives with destructive or financially motivated ransomware impact. Related names directly mentioned in the reporting are UNG0902 and Paper Werewolf/GOFFEE.
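As an added example (not from the page, the reporting it summarizes, or any vendor ruleset), the following Python sketches detection logic for four of the defense-evasion and delivery behaviours described above and runs it over constructed sample telemetry. The pipe-delimited log format, the channel names, and the rule names are assumptions made for the example.

```python
import re

# Constructed sample telemetry (not real logs): "timestamp|channel|detail".
# One benign PowerShell line and one benign file create are mixed in.
SAMPLE_EVENTS = [
    "2025-06-01T09:10:20|FileCreate|C:\\Users\\hr01\\Downloads\\quarterly_report.docx",
    "2025-06-01T09:12:03|PowerShell/4104|Get-MpPreference | Select ExclusionPath",
    "2025-06-01T09:12:41|PowerShell/4104|Add-MpPreference -ExclusionPath 'C:\\Users\\Public\\Libraries'",
    "2025-06-01T09:13:05|Process|\"C:\\Users\\hr01\\AppData\\Local\\Temp\\defendnot.exe\" --disable",
    "2025-06-01T09:10:22|FileCreate|C:\\Users\\hr01\\Downloads\\Расчет_зарплаты_2025.pdf.lnk",
    "2025-06-01T09:14:10|Registry|HKCU\\Software\\Classes\\txtfile\\shell\\open\\command = wscript.exe ...",
]

# Each rule maps to one behaviour from the profile: Defender exclusions,
# Defender disabled via defendnot, double-extension LNK lures, and
# per-user file association hijacking. Rule names are assumed labels.
RULES = [
    ("defender_exclusion_added",
     re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("defender_disabled_via_defendnot",
     re.compile(r"[\\/]defendnot(\.exe)?\b", re.I)),
    ("double_extension_lnk",
     re.compile(r"\.(pdf|docx?|xlsx?|rtf)\.lnk$", re.I)),
    ("file_association_hijack",
     re.compile(r"HKCU\\Software\\Classes\\[^\\]+\\shell\\open\\command", re.I)),
]


def scan_events(lines):
    """Return (rule_name, timestamp, channel) for every event a rule matches."""
    findings = []
    for line in lines:
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue  # skip malformed records rather than crash the scan
        ts, channel, detail = parts
        for name, pattern in RULES:
            if pattern.search(detail):
                findings.append((name, ts, channel))
    return findings


def distinct_rules(lines):
    """Distinct rule names that fired; several together suggest the full chain."""
    return sorted({name for name, _, _ in scan_events(lines)})


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Seeing several of these rules fire on one host in a short window is a stronger signal than any single match, since each step on its own also has benign administrative uses.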