Threat Actors Weaponizing RAR Archives to Target Thailand's Healthcare Sector

June 22, 2026, 9:30 a.m.

Description

An active malware campaign is targeting Thailand's healthcare sector, including Ministry of Health personnel and affiliated organizations. The operation uses healthcare-themed spear-phishing lures delivered as malicious RAR archives that contain obfuscated batch scripts and executable payloads. The infection chain relies on several stages of obfuscation, payload delivery from GitHub-hosted repositories, and persistence mechanisms. The final payload is a Python-based information stealer that harvests browser credentials, session data, and cookies and attempts to exfiltrate them over the Telegram Bot API. The tradecraft observed includes Rouki-obfuscated batch loaders, persistence through the Windows Startup folder, and a bundled Python interpreter so the stealer runs on hosts without Python installed. The observed operational window runs from April to June 2026, and all samples were submitted from Thailand.

Date

  • Created: June 19, 2026, 2:27 p.m.
  • Published: June 19, 2026, 2:27 p.m.
  • Modified: June 22, 2026, 9:30 a.m.

Indicators (SHA-256 file hashes)

  • 7709d8c34d490509f3624104611eb75a862944dd9d7a642f44514ada16c85ee9
  • f4d4b8cac004bb63834c6df436721babd9464c09787c80b268d839e0aada9f87
  • 74bb6ad7e1310f30a3e24fd3cbbffa2c0c41c64e89e5d0dd1d6900e96b914183
  • 4eebc38297a307d18784d6f9ebc8aa6e6f69860be970cc70d9e544deb1ff6ce0
  • 523388567630e4fbdc359f75232bf2ad82671a680d4bfdce0237fc30dfec4c80
  • 442e0f4e822842922e7e4685840194e99fd68c7f0ec38c1925914b8f724d5865
  • e5f6d9d405819e6b05b5d8268a2e973294859ad65237ede36ab612b536d0ac2b
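The two host-side artifacts the description names, files dropped into the Windows Startup folder and the listed SHA-256 hashes, are what an incident responder would hunt for first. The script below is an added example and is not code from the advisory or from the campaign itself: it hashes every file under the per-user and all-users Startup folders (plus any extra paths passed on the command line) and reports matches against the indicator list, and separately flags script-type files (.bat, .cmd, .vbs, .ps1, .py, .lnk) sitting in those folders, since a batch loader in Startup is exactly the persistence the advisory describes. The Startup folder locations are assumed to be the standard ones derived from APPDATA and PROGRAMDATA; the extension list is a heuristic, not an indicator from the advisory.

```python
"""Hunt for the advisory's SHA-256 indicators and for script persistence in Startup folders.

Added example, not part of the original advisory. Standalone and offline:
python hunt_startup.py [extra paths...]
"""
import hashlib
import os
import sys
from pathlib import Path
from typing import Iterable, List, Set, Tuple

# SHA-256 indicators copied from the advisory's "Indicators" section.
IOC_SHA256: Set[str] = {
    "7709d8c34d490509f3624104611eb75a862944dd9d7a642f44514ada16c85ee9",
    "f4d4b8cac004bb63834c6df436721babd9464c09787c80b268d839e0aada9f87",
    "74bb6ad7e1310f30a3e24fd3cbbffa2c0c41c64e89e5d0dd1d6900e96b914183",
    "4eebc38297a307d18784d6f9ebc8aa6e6f69860be970cc70d9e544deb1ff6ce0",
    "523388567630e4fbdc359f75232bf2ad82671a680d4bfdce0237fc30dfec4c80",
    "442e0f4e822842922e7e4685840194e99fd68c7f0ec38c1925914b8f724d5865",
    "e5f6d9d405819e6b05b5d8268a2e973294859ad65237ede36ab612b536d0ac2b",
}

# Heuristic (an assumption, not from the advisory): script-type files living
# directly in a Startup folder are unusual on a managed workstation.
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".vbs", ".ps1", ".py", ".lnk"}


def startup_dirs() -> List[Path]:
    """Standard Windows Startup folders (assumed locations); only existing ones are returned."""
    dirs: List[Path] = []
    appdata = os.environ.get("APPDATA")
    if appdata:
        dirs.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    programdata = os.environ.get("PROGRAMDATA")
    if programdata:
        dirs.append(Path(programdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp")
    return [d for d in dirs if d.is_dir()]


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large bundled interpreters do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_paths(roots: Iterable[Path], iocs: Set[str]) -> List[Tuple[Path, str]]:
    """Return (path, sha256) for every regular file under roots whose hash is in iocs."""
    wanted = {i.lower() for i in iocs}
    hits: List[Tuple[Path, str]] = []
    for root in roots:
        root = Path(root)
        candidates = [root] if root.is_file() else root.rglob("*")
        for p in candidates:
            if not p.is_file():
                continue
            try:
                digest = sha256_file(p)
            except OSError:
                continue  # locked or unreadable file; skip rather than abort the hunt
            if digest in wanted:
                hits.append((p, digest))
    return hits


def suspicious_startup_entries(dirs: Iterable[Path]) -> List[Path]:
    """Script-type files placed directly in a Startup folder (heuristic, see above)."""
    found: List[Path] = []
    for d in dirs:
        for p in sorted(Path(d).iterdir()):
            if p.is_file() and p.suffix.lower() in SCRIPT_EXTENSIONS:
                found.append(p)
    return found


def main(argv: List[str]) -> int:
    roots = startup_dirs() + [Path(a) for a in argv[1:]]
    for path, digest in scan_paths(roots, IOC_SHA256):
        print(f"IOC MATCH  {digest}  {path}")
    for path in suspicious_startup_entries(startup_dirs()):
        print(f"STARTUP SCRIPT  {path}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the affected user so APPDATA resolves to the right profile; a hash match is a confirmed indicator, while a "STARTUP SCRIPT" line is only a lead that needs the file's contents reviewed.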

Additional Information

  • Health
  • Government and administrations
  • Thailand