Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

Description

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was a WebSocket RAT enabling remote command execution and data exfiltration. Despite six months of preparation, the attackers' infrastructure was only active for one day, indicating sophisticated planning and operational security. An additional mobile attack vector was discovered, using fake applications to collect data from Android devices. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control.