Operation HollowQuill: Russian R&D Networks Targeted via Decoy PDFs

March 31, 2025, 3:56 p.m.

Description

Operation HollowQuill targets Russian research and defense networks, particularly the Baltic State Technical University, using weaponized decoy documents disguised as research invitations. The attack chain involves a malicious RAR file containing a .NET dropper, which deploys a Golang-based shellcode loader and a legitimate OneDrive application. The final payload is a Cobalt Strike beacon. The campaign focuses on academic institutions, military and defense industries, aerospace and missile technology, and government-oriented research entities within the Russian Federation. The threat actor employs sophisticated techniques, including anti-analysis measures, APC injection, and infrastructure rotation across multiple ASNs.

Date

  • Created: March 31, 2025, 12:20 p.m.
  • Published: March 31, 2025, 12:20 p.m.
  • Modified: March 31, 2025, 3:56 p.m.

Indicators

  • https://phpsymfony.com/css3/index2.shtml
  • pariaturzzphy.makebelievercorp.com

Attack Patterns

Additional Information

  • Aerospace
  • Defense
  • Education
  • Government
  • Russian Federation