Operation HollowQuill Deploys Weaponized PDFs to Infiltrate Academic and Government Systems

In a meticulously orchestrated cyber-espionage campaign dubbed “Operation HollowQuill,” threat actors have leveraged weaponized PDF documents to infiltrate academic, governmental, and defense-related networks in Russia.

The campaign, tracked by SEQRITE Labs’ Advanced Persistent Threat (APT) team, specifically targets institutions like the Baltic State Technical University (BSTU) “VOENMEKH,” a critical hub for aerospace and defense research supporting Russia’s military-industrial complex.

Malware Delivered via Decoy Research Documents

The operation begins with a malicious RAR archive masquerading as an official research communication from the Russian Ministry of Science and Higher Education.

The archive contains a .NET-based malware dropper disguised under the filename “Outgoing 3548 on the formation of state assignments for conducting fundamental and exploratory research.”

Upon execution, this dropper deploys multiple payloads, including a legitimate OneDrive application, a Golang-based shellcode loader, and a decoy PDF document.

Figure: Shellcode overview.

The decoy document appears to be an authentic guideline for state-funded research projects, detailing procedures for submitting proposals for the 2026–2028 budget cycle.

It includes official signatures and contact details to enhance its credibility. However, its primary purpose is to distract users while the malware executes in the background.

Technical Breakdown of the Infection Chain

The infection chain unfolds in four stages:

  1. Malicious RAR Archive: The RAR file carries a .NET executable that acts as the dropper. Running it writes the decoy document, a legitimate OneDrive executable and the Golang loader to disk and starts the rest of the chain.
  2. .NET Malware Dropper: The dropper places its components in system directories and creates a shortcut (.lnk) in the Windows Startup folder so the chain runs again at every user logon. Shellcode injection itself is left to the next stage.
  3. Golang Shellcode Loader: The loader runs anti-analysis checks, including timing-based sandbox evasion, and then injects shellcode into the OneDrive process using Asynchronous Procedure Call (APC) injection, so the final payload executes inside a legitimate Microsoft process rather than in a binary of its own.
  4. Cobalt Strike Payload: The injected shellcode is a Cobalt Strike Beacon that connects to command-and-control (C2) infrastructure on domains such as phpsymfony[.]com, giving the operators a channel for data exfiltration and long-term control of the compromised host.
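The Startup-folder shortcut in stage 2 is the most visible artifact of this chain on a compromised host. The following added example (not from the SEQRITE report) is a minimal parser for the binary ShellLink (.lnk) format that recovers each shortcut's target path from its LinkInfo structure, then flags targets that live outside the usual install roots, where a dropper would stage a loader. The shortcut contents, names and paths below are constructed for illustration.

```python
"""Triage Startup-folder shortcut persistence by reading each .lnk target.

Added example (not from the SEQRITE report): a minimal MS-SHLLINK parser
that recovers the target path from the LinkInfo structure, plus a check
for targets in user-writable locations where a dropper would stage a
loader. The sample shortcuts below are constructed, not real artifacts.
"""
from __future__ import annotations

import struct
import uuid

HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags bit: an IDList follows the header
HAS_LINK_INFO = 0x00000002             # LinkFlags bit: a LinkInfo structure is present
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HEADER_FMT = "<I16sIIQQQIIIHHII"       # ShellLinkHeader, always 76 bytes

# Roots a normal installer owns; anything else in Startup deserves a look.
TRUSTED_ROOTS = (r"c:\program files", r"c:\windows")


def _cstr(buf: bytes, off: int) -> str:
    """Read a NUL-terminated ANSI string starting at off."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252")


def parse_lnk_target(data: bytes) -> str | None:
    """Return LocalBasePath + CommonPathSuffix from a .lnk, or None if absent."""
    if len(data) < 76 or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:        # skip the variable-length IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO:
        return None
    # LinkInfo: Size, HeaderSize, Flags, VolumeIDOffset, LocalBasePathOffset,
    # CommonNetworkRelativeLinkOffset, CommonPathSuffixOffset (offsets relative to pos)
    _, _, _, _, base_off, _, suffix_off = struct.unpack_from("<7I", data, pos)
    return _cstr(data, pos + base_off) + _cstr(data, pos + suffix_off)


def build_lnk(target: str) -> bytes:
    """Construct a minimal .lnk (header + LinkInfo) that resolves to target."""
    label = b"OS\x00"
    volume_id = struct.pack("<IIII", 16 + len(label), 3, 0x1234ABCD, 16) + label
    base, suffix = target.encode("cp1252") + b"\x00", b"\x00"
    vol_off = 28                                  # equals LinkInfoHeaderSize
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 28, 0x1,
                            vol_off, base_off, 0, suffix_off) + volume_id + base + suffix
    header = struct.pack(HEADER_FMT, 76, LNK_CLSID, HAS_LINK_INFO, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + link_info


def is_suspicious_target(target: str) -> bool:
    """True when the target lies outside the trusted install roots."""
    return not target.lower().startswith(TRUSTED_ROOTS)


def triage(shortcuts: dict[str, bytes]) -> list[tuple[str, str]]:
    """Return (shortcut name, target) for every shortcut worth a closer look."""
    findings = []
    for name, blob in shortcuts.items():
        target = parse_lnk_target(blob)
        if target and is_suspicious_target(target):
            findings.append((name, target))
    return findings


# Constructed contents of a Startup folder (hypothetical names and paths).
SAMPLE_STARTUP = {
    "Teams.lnk": build_lnk(r"C:\Program Files\Microsoft Teams\current\Teams.exe"),
    "Outgoing.lnk": build_lnk(r"C:\Users\Public\Libraries\loader.exe"),
    "OneDriveUpdate.lnk": build_lnk(r"C:\Users\ivan\AppData\Local\Temp\OneDrive.exe"),
}

if __name__ == "__main__":
    for name, target in triage(SAMPLE_STARTUP):
        print(f"{name}: user-writable target -> {target}")
```

On a live host you would feed `parse_lnk_target` the bytes of every .lnk under both the per-user and the all-users Startup folders. A target in a user-writable path is a lead, not a verdict: per-user installs of legitimate software (OneDrive itself lives under AppData\Local by default) also land there, so follow up on the target's signature, creation time and parent process rather than on the path alone.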

The operators also left operational security (OPSEC) traces: the Go build IDs remained in their loader binaries, which let researchers pivot to further samples linked to the same threat actor.
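The build-ID lapse mentioned above is easy to exploit from the defender's side. The following added example (not SEQRITE's tooling) searches binaries for the marker the Go linker embeds, `\xff Go build ID: "<id>"\n \xff`, and groups samples that share an ID. The "binaries" and IDs below are constructed stand-ins, not real samples.

```python
"""Pivot on the Go build ID that cmd/link embeds in every Go binary.

Added example (not SEQRITE's tooling): unless the build ID was stripped at
link time (-ldflags=-buildid=), the bytes  \\xff Go build ID: "<id>"\\n \\xff
appear near the start of the text section. Samples produced by the same
build carry the same ID, which makes it a cheap pivot for finding copies
of one loader under other names. The "binaries" below are constructed
blobs with hypothetical IDs.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Marker layout from go/src/cmd/internal/buildid: prefix, quoted ID, newline, space, 0xff.
GO_BUILD_ID_RE = re.compile(rb'\xff Go build ID: "([^"\n]{1,128})"\n \xff')


def extract_go_build_id(blob: bytes) -> str | None:
    """Return the embedded Go build ID, or None if absent or stripped."""
    m = GO_BUILD_ID_RE.search(blob)
    return m.group(1).decode("ascii") if m else None


def cluster_by_build_id(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Group sample names by build ID; stripped binaries land under '<stripped>'."""
    groups: dict[str, list[str]] = defaultdict(list)
    for name, blob in samples.items():
        groups[extract_go_build_id(blob) or "<stripped>"].append(name)
    return dict(groups)


def fake_go_binary(build_id: str | None) -> bytes:
    """Constructed stand-in for a PE file: DOS stub, padding, optional marker."""
    body = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\xcc" * 40
    if build_id is not None:
        body += b'\xff Go build ID: "' + build_id.encode("ascii") + b'"\n \xff'
    return body + b"\x00" * 32


# Hypothetical IDs in the linker's actionID/contentID shape; not real samples.
SHARED_ID = "xQ1q9pQe8K6b0J3nZ4yAV2cR8tL5mP1s/W7vH0dK9uB3eN6gT4fY2iC8oX1zA5wE"
OTHER_ID = "Lk3mN8pQ2rS5tU7vW9xY1zA4bC6dE8fG/H0jK2lM4nO6pQ8rS0tU2vW4xY6zA8bC"
SAMPLES = {
    "loader_a.exe": fake_go_binary(SHARED_ID),
    "loader_b.exe": fake_go_binary(SHARED_ID),
    "unrelated.exe": fake_go_binary(OTHER_ID),
    "stripped.exe": fake_go_binary(None),
}

if __name__ == "__main__":
    for bid, names in cluster_by_build_id(SAMPLES).items():
        print(f"{bid}: {', '.join(names)}")
```

The same prefix bytes make a usable string in a YARA or sandbox rule. Two caveats: the ID is a hash over the link action's inputs and output, so it matches only copies of that exact build (for example one loader re-wrapped in several droppers), and nothing rebuilt from changed source; and an operator who adds `-ldflags=-buildid=` removes the marker entirely, so absence of an ID is itself a weak signal worth recording.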

Figure: Infection chain.

Additionally, their C2 infrastructure exhibited patterns of domain rotation across multiple autonomous systems (ASNs), including Cloudflare and UCLOUD-HK-AS-AP in Hong Kong.

The same malicious domains were found hosting other malware families, including AsyncRAT, alongside the Cobalt Strike beacons.

Analysis of the beacon's HTTP headers and user-agent strings showed that the C2 traffic relied on standard encoding of the exfiltrated data rather than any custom obfuscation.

According to the report, Operation HollowQuill underscores the increasing sophistication of cyber-espionage campaigns targeting high-value sectors such as defense research and academia.

By exploiting trust in official communications, these campaigns effectively bypass traditional security measures, posing significant risks to intellectual property and national security.

SEQRITE Labs advises institutions to adopt advanced endpoint protection solutions and conduct regular threat-hunting exercises to mitigate such threats.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
