Campaign data summary. These counts are not a risk score or coverage percentage.
- Mapped tactics
- 1
- Mapped techniques
- 2
- Techniques with evidence
- 2
- Limited or missing evidence
- 0
- Detection guidance
- 2
- Related detection packs
- 0
Visual investigation
Campaign investigation
Techniques are arranged by repository ATT&CK tactic order. This path supports investigation; it does not claim chronology or causal relationships.
Analyst decision point
Defenders should connect suspicious installer execution with mshta.exe, Python, PowerShell, registry persistence, staged payload delivery, and resilient C2 rather than treating each behavior as an isolated alert.
- Evidence
- 1 source notes, 2 mapped evidence entries, and 1 reviewed related briefs.
- Mapping
- 2 mapped ATT&CK / ATLAS behaviors with high mapping confidence.
- Next action
- Read this as a manually reviewed activity cluster, then validate exposure, telemetry, and coverage gaps in your own environment.
Attack understanding
Understand this campaign without over-claiming
Campaign pages explain a cluster of related activity while keeping attribution, continuity, and technique scope tied to reviewed evidence.
Campaign type
Use type as context, not proof of actor identity.
Observed window
Timeline entries show reviewed activity order and evidence scope.
Related briefs
Only manually linked reviewed threat activity appears here.
Coverage gaps
Defensive work that remains uncertain or untested.
Why this matters
Why this campaign matters to defenders
Defenders should connect suspicious installer execution with mshta.exe, Python, PowerShell, registry persistence, staged payload delivery, and resilient C2 rather than treating each behavior as an isolated alert.
A multi-stage Windows intrusion campaign capable of persistent remote access, credential and cryptocurrency theft, host reconnaissance, and delivery of additional malware.
Related reviewed threat activity
Telemetry and investigation checklist
Investigate
- 01Validate the origin and signature of recently executed installers impersonating remote access, collaboration, database, or gaming software.
- 02Hunt for the complete HTA-to-installer-to-Python-to-PowerShell process chain.
- 03Review persistence, reconnaissance, credential access, and secondary payload evidence on every affected endpoint.
- 04Rotate exposed credentials and wallet secrets, revoke sessions, and scope access to enterprise and developer systems.
Detect
- 01Process creation and ancestry for installers, mshta.exe, pythonw.exe, curl, cmd.exe, and PowerShell.
- 02Registry Run key, Startup-folder, and scheduled-task creation events.
- 03DNS, proxy, firewall, and endpoint network telemetry for the published IOC set and unusual Telegram or Polygon RPC access.
- 04PowerShell script-block, AMSI, file creation, process injection, and credential or wallet access telemetry.
Respond
- 01Software download controls that trust filenames or branding without validating the distribution source and signature.
- 02Endpoint policies that allow mshta.exe, unapproved Python runtimes, and obfuscated PowerShell from user-writable paths.
- 03Network monitoring that does not correlate short-lived staging domains, periodic HTTP beaconing, Telegram access, and blockchain-based fallback resolution.
Telemetry
- Process creation and ancestry for installers, mshta.exe, pythonw.exe, curl, cmd.exe, and PowerShell.
- Registry Run key, Startup-folder, and scheduled-task creation events.
- DNS, proxy, firewall, and endpoint network telemetry for the published IOC set and unusual Telegram or Polygon RPC access.
- PowerShell script-block, AMSI, file creation, process injection, and credential or wallet access telemetry.
Investigation notes
- Validate the origin and signature of recently executed installers impersonating remote access, collaboration, database, or gaming software.
- Hunt for the complete HTA-to-installer-to-Python-to-PowerShell process chain.
- Review persistence, reconnaissance, credential access, and secondary payload evidence on every affected endpoint.
- Rotate exposed credentials and wallet secrets, revoke sessions, and scope access to enterprise and developer systems.
Coverage gaps
- Software download controls that trust filenames or branding without validating the distribution source and signature.
- Endpoint policies that allow mshta.exe, unapproved Python runtimes, and obfuscated PowerShell from user-writable paths.
- Network monitoring that does not correlate short-lived staging domains, periodic HTTP beaconing, Telegram access, and blockchain-based fallback resolution.
Editorial Note
This campaign page only groups manually reviewed AttackTrace briefs and cited sources. It does not infer attribution, actor identity, infrastructure reuse, or additional ATT&CK/ATLAS techniques unless supported by evidence.
UAT-11795 is a Cisco Talos tracking label. The source describes a Russian-speaking, financially motivated adversary, but AttackTrace does not infer nationality, state sponsorship, or identity beyond the published evidence.
Record history
Update history
Update history
- First seen
- 2025-06-05
- Last seen
- 2026-07-16
- Reviewed
- 2026-07-18
- Campaign confidence
- high
Source Notes
High campaign confidence reflects Cisco Talos's direct clustering of infrastructure, tooling, lures, payloads, and telemetry into one campaign. The lastSeen value is the disclosure date and does not claim the activity ended on that date.
Tactic-order sequence: Execution: T1059.001 PowerShell, T1204.002 Malicious File. This is ATT&CK tactic order, not event chronology.
ATT&CK tactic
Execution
ATT&CK tactic
Execution
2 of 2 unique techniques shown.
ATT&CK tactic
Execution
Only campaign-mapped techniques are shown. Strong evidence, limited evidence, defensive guidance, and detection-pack availability are labelled independently.
2 of 2 techniques shown. The table is the complete text alternative to the visual path.
Execution
The WLDR stager, downloader, and agent use PowerShell to load and execute an encrypted in-memory command-and-control capability.
Detection guidance available · Detection pack not linked
Execution
Talos observed malicious installers presented as several legitimate software products, with user execution initiating the infection chain.
Detection guidance available · Detection pack not linked