October 3, 2023

Researchers has spotted a malicious campaign against entities in Armenia that used a backdoor OxtaRAT

As per the advisory, the malicious campaign was executed amid rising tensions between Azerbaijan and Armenia over the Lachin corridor in late 2022.

The version of OxtaRAT used in the campaign is a polyglot file, which combines compiled AutoIT script and an image. The tool capabilities include searching for and exfiltrating files from the infected machine, recording the video from the web camera and desktop, remotely controlling the compromised machine with TightVNC, installing a web shell, performing port scanning.


The samples are related to Azerbaijani government interests; they either targeted Azerbaijani political or human rights activists. This new campaign represents the first instance of these attackers using OxtaRAT against Armenian individuals and corporations.

A significant overlap in major TTPs is been identified

  • The use of AutoIT malware.
  • The use of files with SCR extensions bearing document-related icons (PDF, Word).
  • A focus on surveillance technology (keylogging, screen capture, data exfiltration).
  • Similar consistent targeting.

It presents changes in the infection chain, improved operational security, and new functionality to improve the ways to steal the victim’s data. It indicates that the underlying threat actors have been maintaining the development of Auto-IT based malware for the last seven years and are using it in surveillance campaigns whose targets are consistent with Azerbaijani interests.

This research was documented by researchers from Checkpoint


Indicators of Compromise

  • 6ac414fad3d61ad5b23c2bcdd8ee797f
  • ddac9a1189e4b9528d411e07d0e98895
  • 0360185bc6371ae42ca0dffe0a21455d
  • ddac9a1189e4b9528d411e07d0e98895
  • 1c94f1c6241cb598da5da7150a0dc541
  • df9673032789847a367df9923bbd44d2
  • a1a39e458977aa512b7ff2ba1995b18d
  • cf225029cade918d92b4b4e2b789b7a5
  • 86b5245112436e8a5eabf92fab01ffba
  • edupoliceam[.]info
  • filesindrive[.]info
  • mediacloud[.]space
  • avvpassport[.]info
  • filecloudservices[.]xyz
  • 38.242.197[.]156

Leave a Reply

%d bloggers like this: