Rus-129.7z Apr 2026

Add the specific filename RUS-129.7z to your email security blocklist.

The user is prompted to extract the .7z file, which may be password-protected to prevent automated sandbox analysis by email gateways.

Common payloads associated with this naming convention include information stealers that target browser credentials, crypto wallets, and session cookies.

Geopolitical Context

The "RUS-129" naming convention is frequently used in campaigns targeting organizations or individuals monitoring Russian military movements or diplomatic relations. These archives are often "spoofed" to look like official correspondence from the Ministry of Defense or related state entities.

Look for unusual PowerShell activity or unauthorized cmd.exe spawns originating from common archive software (like WinRAR or 7-Zip).

The malware often creates a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or schedules a task to ensure it survives system reboots.
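The two indicators above (a shell spawned by archive software, and a write under the HKCU Run key) can be checked over endpoint telemetry as in the following added example, which is not part of the original page. It assumes Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records already parsed into dictionaries; the process-name lists, the `triage` function and every sample event are constructed for illustration.

```python
import re

# Assumed binary names for 7-Zip and WinRAR, and for the shells of interest.
ARCHIVERS = {"7zfm.exe", "7zg.exe", "7z.exe", "winrar.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Sysmon writes HKCU as HKU\<user SID>\...; accept both spellings of the hive.
RUN_KEY = re.compile(
    r"^(?:HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\",
    re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, event) pairs for events matching either indicator."""
    hits = []
    for ev in events:
        if ev["EventID"] == 1:  # process creation
            if basename(ev["ParentImage"]) in ARCHIVERS and basename(ev["Image"]) in SHELLS:
                hits.append(("shell_from_archiver", ev))
        elif ev["EventID"] == 13 and RUN_KEY.match(ev["TargetObject"]):
            hits.append(("hkcu_run_key_write", ev))  # registry value set
    return hits

# Constructed sample events (not taken from any real incident).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vendor"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("Image"), ev.get("TargetObject", ""))
```

The scheduled-task persistence path mentioned above is not covered by this check and needs its own telemetry source.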