Russian Targets Hit by Complex Phishing Attack Using Amnesia RAT and Ransomware

Unraveling Operation DupeHike: A Spear-Phishing Campaign

A sophisticated spear-phishing campaign known as Operation DupeHike has been active since November 2025, targeting organizations with deceptive tactics.

Seqrite Labs has revealed that the attackers behind this campaign have been using decoy documents related to employee bonuses and financial policies to lure recipients into opening malicious LNK files hidden within ZIP archives. These files ultimately trigger the execution of malware called DUPERUNNER.

Upon execution, DUPERUNNER connects to an external server to retrieve and display a fake PDF document as a distraction. Simultaneously, it conducts system profiling and downloads the AdaptixC2 beacon in the background.
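For defenders, the delivery step described above (an LNK file inside a ZIP attachment) can be checked at a mail gateway or during triage. The following is an added example, not code from Seqrite or from this article: it flags ZIP members that are Windows shortcuts by extension and by the Shell Link header defined in MS-SHLLINK, so a shortcut under a misleading name is still caught. The sample archive and its file names are constructed.

```python
import io
import zipfile

# Shell Link header per MS-SHLLINK: HeaderSize 0x0000004C followed by
# LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")


def find_shortcuts(zip_bytes, max_member_size=5_000_000):
    """Return [(member_name, reason)] for ZIP members that look like LNK files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            if info.filename.lower().endswith(".lnk"):
                reasons.append("lnk-extension")
            encrypted = bool(info.flag_bits & 0x1)
            # Content check: read only the header bytes; skip encrypted or
            # oversized members, which cannot or should not be opened here.
            if not encrypted and info.file_size <= max_member_size:
                with zf.open(info) as fh:
                    if fh.read(len(LNK_MAGIC)) == LNK_MAGIC:
                        reasons.append("lnk-header")
            if reasons:
                findings.append((info.filename, "+".join(reasons)))
    return findings


def build_sample_zip():
    """Constructed sample: a text file and two inert header-only stubs."""
    stub = LNK_MAGIC + b"\x00" * 56  # 76-byte stub, not a working shortcut
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "quarterly notes")
        zf.writestr("bonus_policy.pdf.lnk", stub)  # double extension
        zf.writestr("docs/annex.pdf", stub)        # shortcut content, PDF name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in find_shortcuts(build_sample_zip()):
        print(f"{name}: {reason}")
```
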

In addition to Operation DupeHike, Russian organizations have faced threats from another malicious actor known as Paper Werewolf or GOFFEE. This threat actor has utilized artificial intelligence (AI) to create decoys and Excel XLL add-ins containing DLL files to distribute a backdoor named EchoGather.

According to Intezer security researcher Nicole Fishbein, once EchoGather is activated, it gathers system information, communicates with a predefined command-and-control (C2) server, and enables command execution and file transfers. The communication with the C2 server occurs over HTTP(S) using the WinHTTP API.
