HOSPITALS UNDER SIEGE: How a Single RAR Archive Unlocks a Multi-Stage Infostealer Campaign Targeting Thailand’s Healthcare Sector + Video

Listen to this Post

Featured Image

Introduction

A sophisticated cyber offensive is currently unfolding across Thailand’s healthcare landscape, with threat actors weaponizing innocuous-looking RAR archives to deploy Python-based information stealers against Ministry of Health personnel, hospital administrators, and medical procurement teams. This campaign, active for at least ten weeks from April to June 2026, exemplifies how attackers are increasingly leveraging trusted platforms like GitHub for payload hosting and Telegram APIs for data exfiltration—creating a stealthy, low-cost, and highly effective attack chain that bypasses traditional security controls. Understanding this multi-stage infection methodology is critical for defenders seeking to protect sensitive healthcare data and critical infrastructure from similar threats.

Learning Objectives

  • Analyze the complete infection chain of the RAR-to-infostealer campaign, from initial spear-phishing delivery to Telegram-based exfiltration.
  • Master detection and hunting techniques for obfuscated batch loaders, GitHub-hosted payloads, and persistence mechanisms across Windows environments.
  • Implement practical mitigation strategies including script execution controls, Startup folder monitoring, and network restrictions for file-hosting and messaging services.

You Should Know

  1. Deconstructing the Infection Chain: From RAR to Exfiltration

The campaign follows a remarkably consistent and repeatable execution flow: RAR Archive → Obfuscated BAT Loader → Rouki-Obfuscated Payload Loader → Startup Persistence Script (WindowSecuryt.bat) → Secondary Batch Payload (u‑t2.bat) → Python‑Based Information Stealer (sim.py) → Telegram Exfiltration.

The initial vector arrives as a healthcare-themed spear-phishing email containing a malicious RAR archive. Lure filenames are meticulously crafted to impersonate legitimate documents—patient admission requests, CT scan results, medical records, X‑ray inquiries, and Ministry of Health equipment approval forms. This targeted approach demonstrates prior reconnaissance of healthcare workflows and job functions.

Once the victim extracts and executes the archive’s contents, an obfuscated batch script launches. This first‑stage loader employs Rouki obfuscation to conceal its functionality and hinder static analysis. The script then downloads a secondary payload—a batch file named u‑t2.bat—from a GitHub repository, establishing persistence by placing a script called `WindowSecuryt.bat` into the Windows Startup folder. This ensures the malware re‑executes at every user logon.

The final stage deploys sim.py, a Python‑based information stealer executed through a bundled Python environment. The script terminates Chromium‑based browsers (Chrome, Edge, Brave, Chromium) to unlock credential databases, harvests stored passwords, cookies, and session data, compresses the stolen information, and exfiltrates it via the Telegram Bot API.

Step‑by‑step guide to simulating and analyzing this attack flow:

Linux (for forensic analysis of captured samples):

 Extract and examine the RAR archive structure
unrar l malicious_archive.rar

Extract contents for analysis
unrar x malicious_archive.rar -p<password_if_known>

Check for obfuscated batch scripts
file .bat
cat suspicious.bat | less

Decode common obfuscation patterns (base64, XOR)
grep -E 'base64|certutil|powershell' suspicious.bat

Windows (simulating the execution chain for testing):

 Simulate the attacker's execution flow (for lab use only)
 1. Create the target directory structure
$targetDir = "C:\Users\Public\Desktop\lib"
if (!(Test-Path $targetDir)) { New-Item -Path $targetDir -ItemType Directory -Force }

<ol>
<li>Simulate the Python stealer script
$scriptPath = "$targetDir\sim.py"
"print('Simulating credential harvesting...')" | Out-File -FilePath $scriptPath -Encoding utf8</p></li>
<li><p>Execute the Python script
Start-Process "python.exe" -ArgumentList "<code>"$scriptPath</code>"" -Wait</p></li>
<li><p>Terminate browser processes to unlock databases (mimicking attacker behavior)
$browsers = @("chrome.exe", "edge.exe", "brave.exe", "chromium.exe")
foreach ($browser in $browsers) {
Start-Process "taskkill.exe" -ArgumentList "/IM", $browser, "/F" -ErrorAction SilentlyContinue
}
  1. Threat Hunting: Detecting Obfuscated Loaders and GitHub Payloads

Hunting for this campaign requires shifting focus from known signatures to behavioral indicators. The attackers rely heavily on living‑off‑the‑land techniques, making traditional antivirus detection insufficient.

Key hunting artifacts include:

  • Unusual batch file execution from temporary directories (%TEMP%, AppData\Local\Temp) with obfuscated content.
  • PowerShell or certutil commands within batch scripts used to decode and execute payloads.
  • Outbound connections to GitHub from non‑developer workstations, particularly downloading raw script files.
  • Startup folder modifications—specifically the creation of `WindowSecuryt.bat` or similar‑named scripts in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
  • Python execution (python.exe) from non‑standard paths or bundled Python environments.

Linux threat hunting commands (for SOC analysts):

 Search for suspicious batch files with obfuscation patterns
grep -r -l --include=".bat" -E '(certutil|base64|powershell|decode)' /path/to/exported/artifacts/

Extract and analyze PowerShell one‑liners from batch files
grep -r -oP 'powershell -[bash].?(?= &)' /path/to/samples/

Identify GitHub‑hosted payload indicators in scripts
grep -r -E 'https://raw.githubusercontent.com/[^/]+/[^/]+/' /path/to/samples/

Windows PowerShell hunting commands:

 Find recently created .bat files in Startup folders
Get-ChildItem -Path "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup.bat" -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.CreationTime -gt (Get-Date).AddDays(-30) }

Detect Python execution from suspicious locations
Get-WinEvent -LogName "Windows PowerShell" | Where-Object { $<em>.Message -match "python.exe" -and $</em>.Message -match "C:\Users\Public" }

Search for encoded PowerShell commands in event logs
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $<em>.Message -match "-enc" -or $</em>.Message -match "-e " }

3. Persistence Mechanisms: The Startup Folder Attack

The campaign’s reliance on the Windows Startup folder for persistence is deceptively simple yet highly effective. By placing `WindowSecuryt.bat` in this directory, the malware ensures execution at every user logon without requiring administrator privileges or complex registry modifications.

Step‑by‑step guide to monitoring and securing Startup folder persistence:

1. Enable auditing of the Startup folder:

 Enable SACL for the Startup folder
$path = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
$acl = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "CreateFiles,WriteData", "Success, Failure")
$acl.AddAuditRule($rule)
Set-Acl -Path $path -Acl $acl

2. Deploy continuous monitoring using PowerShell:

 Real‑time monitoring script for Startup folder changes
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
$watcher.Filter = ".bat"
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent $watcher "Created" -Action {
$path = $Event.SourceEventArgs.FullPath
Write-Host "ALERT: New .bat file created in Startup: $path"
 Log to SIEM or trigger response
}
  1. Implement application control to restrict script execution from the Startup folder:

– Use Windows Defender Application Control (WDAC) or AppLocker to block unsigned batch scripts.
– Create a policy that only allows scripts from trusted paths (e.g., C:\Windows\System32).

  1. Network Defense: Blocking GitHub and Telegram Exfiltration Channels

The attackers leverage GitHub for payload hosting and Telegram for data exfiltration—two legitimate services that are often whitelisted in corporate environments. This highlights the need for granular, behavior‑based network controls rather than blanket allowlisting.

Step‑by‑step guide to restricting abuse of GitHub and Telegram:

1. Identify legitimate GitHub usage within your organization:

  • Inventory all developers and teams that require GitHub access.
  • Create an allowlist of approved GitHub repositories and users.

2. Implement network segmentation for non‑development workstations:

 Windows Firewall rule to block GitHub raw content for non‑approved processes
New-1etFirewallRule -DisplayName "Block GitHub Raw for Non-Dev" -Direction Outbound -Action Block -RemoteAddress "185.199.108.0/22", "140.82.112.0/20" -Protocol TCP -RemotePort 443

3. Detect Telegram exfiltration using network monitoring:

  • Monitor for traffic to Telegram API endpoints (api.telegram.org).
  • Alert on large outbound data transfers to Telegram IP ranges.
  • Use proxy or TLS inspection to identify `bot/sendDocument` API calls.

4. Linux‑based network detection (using Zeek/Bro):

 Zeek script to detect Telegram API exfiltration
zeek -r capture.pcap -s telegram-exfil.sig
 Example signature
signature telegram_exfil {
ip-proto == tcp
payload /api.telegram.org.sendDocument/
event "Telegram exfiltration detected"
}

5. Forensic Analysis: Collecting and Examining Artifacts

When a compromise is suspected, rapid and thorough forensic analysis is essential. The campaign leaves distinct artifacts across multiple locations.

Step‑by‑step forensic collection guide:

Windows artifact collection:

 Collect key artifacts for analysis
$outputDir = "C:\Forensic_Collection_$(Get-Date -Format 'yyyyMMdd')"
New-Item -Path $outputDir -ItemType Directory -Force

Copy suspicious batch files from Temp and Startup
Copy-Item -Path "$env:TEMP.bat" -Destination "$outputDir\Temp_BAT" -Recurse -ErrorAction SilentlyContinue
Copy-Item -Path "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup.bat" -Destination "$outputDir\Startup_BAT"

Collect browser credential stores (for analysis, not exfiltration)
Copy-Item -Path "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Login Data" -Destination "$outputDir\Chrome_LoginData" -ErrorAction SilentlyContinue
Copy-Item -Path "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Login Data" -Destination "$outputDir\Edge_LoginData" -ErrorAction SilentlyContinue

Export recent PowerShell and command history
Get-Content -Path "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" | Out-File "$outputDir\PSHistory.txt"

Linux‑based memory analysis (using Volatility):

 Extract and analyze memory dump for Python stealer processes
volatility -f memory.dmp --profile=Win10x64_19041 pslist | grep python
volatility -f memory.dmp --profile=Win10x64_19041 cmdline | grep sim.py
volatility -f memory.dmp --profile=Win10x64_19041 netscan | grep telegram

Critical artifacts to examine:

– `%TEMP%` and `AppData\Local\Temp` directories for secondary payloads
– Browser credential stores and history for signs of compromise
– Windows event logs (Security, PowerShell Operational, Application) for execution traces
– Network connection logs showing outbound connections to GitHub and Telegram IP ranges

6. Mitigation and Hardening Strategies

Organizations in the healthcare sector—and any sector facing similar threats—must adopt a defense‑in‑depth approach.

Immediate hardening measures:

  1. Restrict script execution using Group Policy or AppLocker:

– Block execution of scripts from user‑writable directories (%TEMP%, Downloads, Desktop).
– Allow only signed scripts from trusted publishers.

2. Monitor and audit the Windows Startup folder:

  • Enable auditing as described in Section 3.
  • Deploy endpoint detection and response (EDR) rules for Startup folder modifications.

3. Implement email security controls:

  • Block RAR attachments or scan them in isolated sandbox environments.
  • Deploy advanced phishing detection and user awareness training.

4. Network‑level controls:

  • Restrict outbound access to GitHub and Telegram for non‑approved systems.
  • Implement SSL/TLS inspection to detect API‑based exfiltration.

5. Incident response readiness:

  • Isolate affected endpoints immediately upon detection.
  • Initiate password resets for all potentially affected users.
  • Preserve forensic artifacts for further analysis.

What Undercode Say

  • Key Takeaway 1: The campaign’s use of GitHub and Telegram—legitimate, trusted services—demonstrates how attackers are increasingly “living off trusted land” to bypass security controls. Defenders must move beyond simple allowlisting and implement behavior‑based monitoring for these platforms.

  • Key Takeaway 2: The targeted nature of the lures—meticulously crafted to impersonate specific healthcare documents—indicates significant pre‑attack reconnaissance. This underscores the critical importance of security awareness training tailored to specific job roles and workflows.

Analysis: This campaign is not a sophisticated zero‑day exploit but rather a masterclass in operational security and tradecraft simplicity. By chaining together readily available tools—RAR archives, batch scripts, GitHub, Python, and Telegram—the attackers achieve a highly effective, low‑cost, and difficult‑to‑detect operation. The ten‑week active window suggests the attackers are patient, methodical, and have established reliable infrastructure. The consistency of the infection chain across all observed samples points to a single threat actor or a closely coordinated cluster, indicating a well‑organized operation rather than opportunistic attacks. For defenders, this highlights the need for proactive threat hunting, behavioral analytics, and a shift from signature‑based to TTP‑based detection. The healthcare sector, with its legacy systems, underfunded security teams, and high‑value data, remains an attractive and vulnerable target. This campaign serves as a stark warning that no organization is immune to well‑executed, multi‑stage attacks that exploit human psychology and trusted platforms.

Prediction

+1 Expect a surge in similar campaigns targeting other sectors—finance, government, and education—as threat actors replicate this proven RAR‑to‑infostealer playbook. The low barrier to entry and high success rate will attract both state‑aligned groups and cybercriminal enterprises.

-1 Healthcare organizations that fail to implement basic controls—such as Startup folder monitoring, script execution restrictions, and network segmentation—will continue to be breached. The ten‑week campaign window suggests many victims remain undetected, and the true scale of compromise is likely much larger than currently reported.

+1 Security vendors will rapidly develop and deploy detection rules for this specific campaign, but attackers will adapt by shifting to other archive formats (ZIP, 7z), alternative hosting platforms (Dropbox, OneDrive), and different messaging APIs (Slack, Discord) for exfiltration.

-1 The use of Python‑based stealers and bundled Python environments will complicate detection for organizations without application control, as Python is increasingly used in legitimate administrative scripts.

+1 This campaign will accelerate the adoption of zero‑trust architectures and behavioral analytics in the healthcare sector, driving investment in next‑gen EDR, SIEM, and SOAR solutions.

-1 However, the fragmented nature of healthcare IT—with numerous clinics, hospitals, and third‑party vendors operating independently—will continue to create security gaps that attackers can exploit. Supply‑chain compromises, as seen in this campaign’s targeting of procurement teams, will remain a critical vulnerability.

▶️ Related Video (74% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Flavioqueiroz Infostealer – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky