Intel Name: NordDragonScan: quiet data-harvester on Windows
Date of Scan: July 8, 2025
Impact: Medium
Summary: An active delivery site was recently identified hosting a weaponized HTA script that silently deploys the infostealer “NordDragonScan” onto victim systems. Once executed, NordDragonScan performs host reconnaissance, exfiltrates documents, harvests entire Chrome and Firefox browser profiles, and captures screenshots. The collected data is transmitted over TLS to its command-and-control server, kpuszkiev.com, which also functions as a heartbeat server to monitor victim activity and issue further data collection requests when necessary.