
Russian and Mongolian governmental institutions have become the latest targets in a new wave of cyberattacks involving an updated variant of the MysterySnail remote access trojan, according to cybersecurity experts at Kaspersky Lab.
Researchers report that the MysterySnail malware was previously employed in 2021 in operations linked to the IronHusky cyber-espionage group. In this latest campaign, the adversaries are deploying a newly refined, modular version of the trojan, tailored for fresh targets and updated delivery techniques.
The infection chain begins with a malicious Microsoft Management Console (MMC) script disguised as an official document from Mongolia’s National Land Agency (ALAMGAC). MMC is a standard Windows utility that administrators use for system configuration and monitoring, so a console script executing on a workstation attracts little suspicion. Once run, the script fetches additional payloads, among them a second-stage dynamic link library named CiscoSparkLauncher.dll.
This DLL acts as an intermediary backdoor: its job is to load and start the main MysterySnail trojan. Once running, the malware communicates with attacker-controlled command-and-control (C2) servers over HTTP.
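As an added illustration, not part of the Kaspersky report or this article, the following Python sketch applies three host-based heuristics that a detection engineer could derive from the chain above to a handful of constructed Sysmon-style events: mmc.exe launched with a .msc console file from a user-writable directory, mmc.exe loading a DLL from outside the Windows and Program Files trees, and mmc.exe initiating an outbound network connection. The event field names, file paths and the C2 address are assumptions made for the example; the article does not say where the dropped DLL is written or how the script reaches the victim.

```python
"""Toy detection pass for MMC-based loader chains (added example, constructed data)."""
import re
from pathlib import PureWindowsPath

# Assumption: directories whose contents an attacker cannot normally write to.
TRUSTED_ROOTS = (r"C:\Windows", r"C:\Program Files", r"C:\Program Files (x86)")
# Assumption: path fragments that indicate a user-writable location.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

# Constructed events in a Sysmon-like shape (EventID 1 = process create,
# 7 = image load, 3 = network connect). Paths and IPs are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" "C:\Users\alice\Downloads\ALAMGAC_notice.msc"'},
    {"EventID": 7, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\mmcbase.dll"},           # benign, should not fire
    {"EventID": 7, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\CiscoSparkLauncher.dll"},
    {"EventID": 3, "Image": r"C:\Windows\System32\mmc.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 80},
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'"C:\Windows\System32\mmc.exe" C:\Windows\System32\services.msc'},  # benign
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "198.51.100.9", "DestinationPort": 443},    # not mmc, ignored
]


def is_mmc(image: str) -> bool:
    """True when the acting process image is mmc.exe (case-insensitive basename)."""
    return PureWindowsPath(image).name.lower() == "mmc.exe"


def under_trusted_root(path: str) -> bool:
    """True when the path sits below one of TRUSTED_ROOTS."""
    p = path.lower()
    return any(p.startswith(root.lower() + "\\") for root in TRUSTED_ROOTS)


def looks_user_writable(path: str) -> bool:
    """Heuristic: path contains a fragment typical of per-user directories."""
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def extract_msc_arg(cmdline: str):
    """Return the first .msc argument on the command line, quoted or not."""
    m = re.search(r'"([^"]*?\.msc)"|(\S+\.msc)', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def analyse(events):
    """Run the three heuristics; return (rule, detail) tuples in event order."""
    findings = []
    for ev in events:
        if not is_mmc(ev.get("Image", "")):
            continue
        eid = ev.get("EventID")
        if eid == 1:
            msc = extract_msc_arg(ev.get("CommandLine", ""))
            if msc and looks_user_writable(msc):
                findings.append(("mmc_msc_from_user_path", msc))
        elif eid == 7:
            dll = ev.get("ImageLoaded", "")
            if dll and not under_trusted_root(dll):
                findings.append(("mmc_loads_untrusted_dll", dll))
        elif eid == 3:
            dest = f'{ev.get("DestinationIp")}:{ev.get("DestinationPort")}'
            findings.append(("mmc_outbound_connection", dest))
    return findings


if __name__ == "__main__":
    for rule, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The third rule is the noisiest: some MMC snap-ins legitimately open network connections when managing remote hosts, so in a real deployment it would be scoped to workstations or correlated with the first two rules rather than alerted on alone.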
Analysis shows that this version of MysterySnail supports roughly 40 distinct commands, covering file operations (create, read, delete), process management, directory and drive enumeration, and the setup of proxy connections for relaying traffic covertly. It can also monitor in the background for newly connected removable storage devices.
The attackers later introduced a further variant, a lightweight single-component build dubbed MysteryMonoSnail, which talks to its C2 infrastructure over WebSocket rather than HTTP. Its command set is cut down to 13 basic commands, but experts caution that it remains a serious threat.
Kaspersky researchers note that IronHusky has been active since at least 2012 and has repeatedly used MysterySnail in cyber-espionage operations against IT companies and diplomatic institutions.