Tuesday, March 17, 2026

NordDragonScan Strikes – Windows Users Under Attack

FortiGuard Labs has exposed a sophisticated cyber campaign utilizing weaponized HTA scripts to deploy the NordDragonScan infostealer, targeting Windows users through deceptive Ukrainian-language documents.

This malware demonstrates advanced capabilities for data exfiltration, network reconnaissance, and persistent system compromise, representing a significant threat to both individual users and organizations.

Multi-Stage Attack Vector

The attack begins with shortened URL services redirecting victims to malicious RAR archives disguised as legitimate Ukrainian administrative documents.

These archives contain LNK shortcuts that silently execute mshta.exe to launch hosted HTA payloads from the domain secfileshare[.]com.

The HTA script employs multiple evasion techniques, including copying legitimate PowerShell.exe to “C:\Users\Public\Documents\install.exe” to mask its presence.

The malware displays decoy documents with titles such as “Act of Acceptance of Services under Service Agreement” in Ukrainian to distract users while simultaneously dropping the actual payload, “adblocker.exe,” into the victim’s temporary directory.

This multi-layered approach effectively bypasses initial security screening and user suspicion.

Comprehensive Data Theft Capabilities

NordDragonScan, identified as a .NET executable with embedded PDB path references to “NordDragon,” employs sophisticated string obfuscation techniques, including XOR operations and byte-swapping, to evade static analysis.

The malware establishes a dedicated working directory, “NordDragonScan,” in %LOCALAPPDATA% for staging stolen data before exfiltration.

The infostealer demonstrates extensive reconnaissance capabilities, conducting WMI queries to gather system information, including OS version, architecture, processor count, and RAM details.

Notably, it performs active network scanning by enumerating network adapters, calculating CIDR ranges, and probing reachable hosts within the same subnet.

This network reconnaissance functionality suggests potential lateral movement capabilities or preparation for broader network compromise.

The malware systematically harvests complete Chrome and Firefox browser profiles, captures screenshots saved as “SPicture.png,” and searches for documents with extensions including .docx, .doc, .xls, .ovpn, .rdp, .txt, and .pdf across Desktop, Documents, and Downloads folders.

C2 Telemetry

All stolen data is transmitted via TLS to the command-and-control server kpuszkiev.com using custom HTTP headers, including “User-Agent: RTYUghjNM” and victim MAC addresses.

Protection and Mitigation

FortiGuard has implemented detection signatures, including LNK/Agent.ALC!tr, VBS/Dropper.B!tr, and MSIL/Agent.FFF!tr across FortiGate, FortiMail, FortiClient, and FortiEDR platforms.

The FortiGuard Content Disarm and Reconstruction service can neutralize malicious macros within weaponized documents.

Organizations should exercise extreme caution with LNK shortcuts and untrusted compressed archives, particularly those containing Ukrainian-language content.

Network administrators should monitor for unusual mshta.exe executions and implement endpoint detection rules targeting the malware’s distinctive registry persistence mechanism using the “NordStar” key in Windows Run registry entries.
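As an added illustration (not code from the FortiGuard report), the following Python triage rules apply the indicators described in this article, the mshta.exe stager, the renamed PowerShell copy, the "NordStar" Run key and the C2 User-Agent and domain, to constructed endpoint and proxy log records; the record field names and the "mshta.exe with a URL on its command line" heuristic are assumptions, not part of the published analysis.

```python
import re
from typing import Dict, List

# Indicators quoted from the article; all matching is case-insensitive.
C2_USER_AGENT = "RTYUghjNM"
C2_DOMAIN = "kpuszkiev.com"
STAGER_DOMAIN = "secfileshare.com"
RENAMED_POWERSHELL = r"c:\users\public\documents\install.exe"
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "nordstar"

def match_record(rec: Dict[str, str]) -> List[str]:
    """Return the names of every rule this log record triggers ([] = clean)."""
    hits: List[str] = []
    kind = rec.get("type")
    if kind == "process":
        image = rec.get("image", "").lower()
        parent = rec.get("parent_image", "").lower()
        cmd = rec.get("cmdline", "").lower()
        # Assumed heuristic: mshta.exe pulling an HTA over HTTP(S) is the LNK stage.
        if image.endswith(r"\mshta.exe") and re.search(r"https?://", cmd):
            hits.append("mshta_remote_hta")
        if STAGER_DOMAIN in cmd:
            hits.append("hta_stager_domain")
        # PowerShell copied to install.exe, either running or spawning children.
        if RENAMED_POWERSHELL in (image, parent):
            hits.append("renamed_powershell")
    elif kind == "registry":
        key = rec.get("key", "").lower()
        if key.endswith(RUN_KEY_SUFFIX) and rec.get("value_name", "").lower() == RUN_VALUE_NAME:
            hits.append("nordstar_run_key")
    elif kind == "http":
        if rec.get("user_agent") == C2_USER_AGENT:
            hits.append("c2_user_agent")
        if rec.get("host", "").lower() == C2_DOMAIN:
            hits.append("c2_domain")
    return hits

def triage(records: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map record index -> triggered rules, keeping only records with hits."""
    hits = {i: match_record(r) for i, r in enumerate(records)}
    return {i: h for i, h in hits.items() if h}

# Constructed sample records (not real telemetry), one per stage in the article.
SAMPLE_LOG = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe", "parent_image": r"C:\Windows\explorer.exe", "cmdline": "mshta.exe https://secfileshare.com/"},
    {"type": "process", "image": r"C:\Users\Public\Documents\install.exe", "parent_image": r"C:\Windows\System32\mshta.exe", "cmdline": "install.exe -w hidden"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "NordStar"},
    {"type": "http", "host": "kpuszkiev.com", "user_agent": "RTYUghjNM"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"type": "http", "host": "example.com", "user_agent": "Mozilla/5.0"},
]
```

Calling `triage(SAMPLE_LOG)` flags the first four records and leaves the two benign ones untouched; in production the same rules would be fed from Sysmon process, registry and proxy events rather than inline dictionaries.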

This campaign highlights the evolving sophistication of infostealer operations and the critical importance of multi-layered security defenses.
