DUPERUNNER

DUPERUNNER is a previously undocumented Windows implant, described by Seqrite as a C++ second-stage payload, used in the spear-phishing campaign Operation DupeHike / DUPEHIKE tracked as UNG0902. The activity targeted Russian corporate employees, especially HR, payroll, internal administrative, finance, accounting, procurement, and legal functions, using bonus- and policy-themed lures delivered via spear-phishing. Observed infection chains used ZIP archives containing PDF-themed malicious LNK files; when executed, the LNK launched hidden PowerShell to download and run the DUPERUNNER payload, including from 46[.]149[.]71[.]230, saving it as s.exe in the victim Temp directory.

DUPERUNNER retrieves and opens a decoy PDF for user deception, including downloading a file disguised as fontawesome_tld.woff and saving it to the Temp directory with a timestamp-based filename before opening it. It then downloads an additional payload disguised as fontawesome.woff and injects shellcode into legitimate Windows processes such as explorer.exe, notepad.exe, and msedge.exe using VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. The injected payload is an AdaptixC2 beacon/stager, and reporting states DUPERUNNER ultimately loads AdaptixC2 via process injection.

Associated reporting ties DUPERUNNER to Operation DupeHike / DUPEHIKE and threat cluster UNG0902. Seqrite noted infrastructure hosted under AS48282 (VDSINA-AS) and AS9123 (TIMEWEB-AS). AdaptixC2 traffic was observed using HTTP POST, including a /result endpoint, and Seqrite extracted configuration artifacts such as a Beacon-ID, User-Agent, and C2 URL/host. High-confidence observables directly mentioned in the reporting include 46[.]149[.]71[.]230, the ZIP name "Премия 2025.zip," the malicious shortcut "Документ_1_О_размере_годовой_премии.pdf.lnk," and the disguised payload names fontawesome_tld.woff and fontawesome.woff.