Follow 
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
A targeted malware campaign is actively hitting Thailand’s healthcare sector through weaponized RAR archives. These archives carry obfuscated batch scripts that trigger a multi-stage infection chain and ultimately run a Python-based information stealer. The malware is designed to capture browser credentials and session cookies, then exfiltrate the stolen data through Telegram.
Investigation
Seqrite Lab identified an active campaign window spanning ten weeks from April to June 2026. Their investigation uncovered a complex execution chain involving Rouki-obfuscated loaders, payloads hosted on GitHub, and persistence established through the Windows Startup folder. Analysts also observed attempts to steal information from Chromium-based browsers and send it out through the Telegram Bot API.
Mitigation
Organizations should enforce strict controls on execution of untrusted scripts and binaries obtained from external sources. Close monitoring of unauthorized changes to the Windows Startup folder is essential. Security teams should also restrict access to file-hosting and messaging services such as GitHub and Telegram when used by non-approved processes.
Response
If infection is detected, responders should isolate affected endpoints immediately to stop further data theft. Forensic analysis should focus on the %TEMP% and AppData directories to identify secondary payloads and related artifacts. Browser history and credential stores should be reviewed for signs of compromise, and a password reset process should be initiated for all potentially affected users.
"graph TB %% Class Definitions Section classDef action fill:#99ccff classDef tool fill:#cccccc classDef malware fill:#ff9999 classDef persistence fill:#ccffcc classDef exfiltration fill:#ffccff %% Node Definitions action_phishing["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Description: Healthcare-themed emails containing<br/>malicious RAR archives like Health_Ministry_Approved_Equipment_2026.rar"] class action_phishing action action_user_exec["<b>Action</b> – <b>T1204.002 User Execution: Malicious File</b><br/>Description: Victim opens the archive and executes<br/>the embedded malicious batch script"] class action_user_exec action tool_powershell["<b/>Tool – <b/>Name: PowerShell<br/><b>Technique</b> – T1059.001 Command and Scripting Interpreter: PowerShell<br/>Description: Used to decode embedded content and<br/>initiate the download of subsequent stages"] class tool_powershell tool action_ingress["<b/>Action – <b/>T1105 Ingress Tool Transfer</b><br/>Description: Utilizing PowerShell and curl to download<br/>secondary payloads from GitHub-hosted repositories"] class action_ingress action malware_persistence["<b/>Action – <b/>T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder</b><br/>Description: Malicious batch file WindowSecuryt.bat is<br/>placed in the Windows Startup directory for persistence"] class malware_persistence persistence action_elevation["<b/>Action – <b/>T1548 Abuse Elevation Control Mechanism</b><br/>Description: Secondary batch payload u-t2.bat attempts<br/>to relaunch itself with elevated privileges"] class action_elevation action malware_stealer["<b/>Malware – <b/>Name: sim.py<br/>Description: Python-based information stealer<br/>designed to harvest sensitive data"] class malware_stealer malware action_credentials["<b/>Action – <b/>T1555.003 Credentials from Web Browsers</b><br/>Description: Terminates browser processes to harvest<br/>credentials, cookies, and session artifacts"] class action_credentials action action_archive["<b/>Action – <b/>T1560 Archive Collected Data</b><br/>Description: Stolen data is compressed into ZIP archives<br/>for efficient collection"] class action_archive action action_exfiltration["<b/>Action – <b/>T1567 Exfiltration Over Web Service</b><br/>Description: Transmits harvested data to attacker-controlled<br/>Telegram channels via the Telegram Bot API"] class action_exfiltration exfiltration %% Connections Section %% The attack starts with phishing action_phishing –>|leads_to| action_user_exec %% User execution triggers the interpreter action_user_exec –>|triggers| tool_powershell %% PowerShell performs ingress tool_powershell –>|executes| action_ingress %% Ingress brings in the persistence mechanism action_ingress –>|downloads| malware_persistence %% Persistence leads to elevation attempts malware_persistence –>|initiates| action_elevation %% Elevation leads to the deployment of the stealer action_elevation –>|deploys| malware_stealer %% Stealer performs credential harvesting malware_stealer –>|performs| action_credentials %% Harvesting leads to archiving action_credentials –>|results_in| action_archive %% Archiving leads to final exfiltration action_archive –>|facilitates| action_exfiltration "
Attack Flow
Detections
Suspicious Taskkill Execution (via cmdline)
View
Python Execution from Suspicious Folders (via cmdline)
View
Suspicious PowerShell Download of ZIP File (via cmdline)
View
Download or Upload via Powershell (via cmdline)
View
Suspicious Execution from Public User Profile (via process_creation)
View
Suspicious CURL Usage (via cmdline)
View
Call Suspicious .NET Methods from Powershell (via powershell)
View
Suspicious Binary / Scripts in Autostart Location (via file_event)
View
Suspicious Files in Public User Profile (via file_event)
View
Possible Telegram Abuse As Command And Control Channel (via dns_query)
View
Python Execution and Taskkill Usage in Information Stealer Deployment [Windows System]
View
Detect Obfuscated Curl Command in Start-up Persistence Script [Windows Process Creation]
View
PowerShell Commands for Payload Deployment and Startup Persistence [Windows Powershell]
View
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: The adversary has successfully gained initial access and dropped a Python-based information stealer named
sim.pyintoC:UsersPublicDesktopsLib. The goal is to harvest credentials from Chrome and Edge. To prevent database locks on the user’s profile, the attacker executes the Python script and immediately runstaskkillcommands to terminate the browser processes. This sequence is designed to mimic automated malware behavior. -
Regression Test Script:
# 1. Setup the environment (Simulate attacker footprint) $targetDir = "C:UsersPublicDesktopsLib" if (!(Test-Path $targetDir)) { New-Item -Path $targetDir -ItemType Directory -Force } $scriptPath = "$targetDirsim.py" "print('Stealing data...')" | Out-File -FilePath $scriptPath -Encoding utf8 # 2. Execute the "Malicious" Python script (Trigger Selection 1) Write-Host "Executing Python script..." Start-Process "python.exe" -ArgumentList "`"$scriptPath`"" -Wait # 3. Execute Taskkill commands (Trigger Selection 2) Write-Host "Executing taskkill commands..." $browsers = @("chrome.exe", "edge.exe", "brave.exe", "chromium.exe") foreach ($browser in $browsers) { Start-Process "taskkill.exe" -ArgumentList "/IM", $browser, "/F" -ErrorAction SilentlyContinue } -
Cleanup Commands:
# Remove the simulated malware files and directory Remove-Item -Path "C:UsersPublicDesktopsLib" -Recurse -Force