Tag: ukraine

29 Attack Reports | 0 Vulnerabilities

Attack reports

New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Void Blizzard, a newly identified Russia-affiliated threat actor, has been conducting global cyberespionage operations since April 2024. Their primary targets are organizations in critical sectors, particularly in NATO member states and Ukraine, including government, defense, transportation, media,…
ukraine
cyberespionage
nato
spear phishing
evilginx
critical sectors
CVE-2025-27920
2025-05-27
azurehound
stolen credentials
russia-affiliated
cloud abuse
Published: May 27, 2025
Downloadable IOCs: 3

Backdoor implant discovered on PyPI posing as debugging utility

A sophisticated malicious package named 'dbgpkg' was detected on PyPI, masquerading as a Python debugging utility. The package implants a backdoor on systems, enabling execution of malicious code and data exfiltration. It uses function wrapping techniques to evade detection and is believed to be pa…
backdoor
russia
ukraine
pypi
supply chain attack
hacktivist
2025-05-15
dbgpkg
function wrapping
global socket toolkit
requestsdev
discordpydebug
Published: May 15, 2025
Downloadable IOCs: 0

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting at…
phishing
north korea
powershell
ukraine
credential harvesting
reconnaissance
2025-05-13
government targeting
chm files
Published: May 13, 2025
Downloadable IOCs: 11

Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

The Google Threat Intelligence Group has identified a sophisticated malware called LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER. Active since December 2023, LOSTKEYS represents an evolution in COLDRIVER's toolkit, targeting high-value entities such as NATO government…
powershell
ukraine
captcha
nato
multi-stage infection
ngo
lostkeys
2025-05-10
intelligence collection
russian hackers
western governments
Published: May 10, 2025
Downloadable IOCs: 0

Shuckworm Targets Foreign Military Mission Based in Ukraine

Russian-linked cyber-espionage group Shuckworm appears to be targeting a Western military mission based in Ukraine, according to research by Symantec and its partner, the UK-based security firm.
powershell
infostealer
ukraine
c server
gamaredon
shuckworm
2025-04-10
gammasteel
desktop folder
armageddon
Published: April 10, 2025
Downloadable IOCs: 56

Cyber Espionage using PowerShell stealer WRECKSTEEL

Ukrainian government's CERT-UA has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, utilize compromised accounts to distribute emails with links to public file services. Thes…
powershell
ukraine
cyber espionage
government
vbscript
critical infrastructure
2025-04-03
file stealing
wrecksteel
Published: April 3, 2025
Downloadable IOCs: 71

Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants

Silent Push Threat Analysts have uncovered a sophisticated phishing campaign targeting individuals sympathetic to Ukraine's defense, Russian citizens, and potential informants. The operation, believed to be orchestrated by Russian Intelligence Services, employs four major phishing clusters imperson…
phishing
impersonation
state-sponsored
russia
ukraine
russian volunteer corps
2025-04-01
hochuzhit
cia
intelligence gathering
legion liberty
Published: April 1, 2025
Downloadable IOCs: 0

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading t…
phishing
powershell
ukraine
remcos
dll sideloading
lnk files
2025-03-28
gthost
hyperhosting
Published: March 28, 2025
Downloadable IOCs: 0

When Getting Phished Puts You in Mortal Danger

The article discusses a network of phishing domains targeting Russians searching for anti-Putin organizations. These domains mimic recruitment websites of Ukrainian paramilitary groups and intelligence agencies. The scam aims to collect personal information from potential recruits, likely for Russi…
phishing
russia
ukraine
recruitment
search engine manipulation
2025-03-28
paramilitary
russian volunteer corps
freedom of russia legion
Published: March 28, 2025
Downloadable IOCs: 0

Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition

A new campaign attributed to the Ghostwriter threat actor has been observed targeting opposition activists in Belarus and Ukrainian military and government organizations. The operation, which began preparation in mid-2024 and entered an active phase in late 2024, employs weaponized Excel documents …
cobalt strike
ukraine
2025-02-26
confuserex
unc1151
picassoloader
uac-0057
Published: February 26, 2025
Downloadable IOCs: 10

Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns

EclecticIQ analysts have identified a cyber espionage campaign by Sandworm (APT44) targeting Ukrainian Windows users. The group is leveraging pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of the BACKORDER loader, which ultimately deploys…
ukraine
cyber espionage
dcrat
apt44
2025-02-12
backorder
kalambur
gru
dark crystal rat
kms activators
backorder loader
software piracy
Published: February 12, 2025
Downloadable IOCs: 35

GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank

UAC-0006, a financially motivated cyber threat group, has resurfaced with a sophisticated phishing campaign targeting customers of Ukraine’s largest state-owned bank, PrivatBank.
powershell
ukraine
javascript
black basta
vbscript
smokeloader
uac-0006
carbanak
anunak
defense evasion
sha256
2025-02-10
fin7
uac0006
privatbank
bank
model
demo
Published: February 10, 2025
Downloadable IOCs: 62

SmokeLoader Malware Targets Ukraine's Auto & Banking Sectors via Open Directories

An investigation uncovered open directories hosting SmokeLoader malware samples and lure documents targeting Ukraine's automotive and banking sectors. Two servers were identified, containing Windows executables and PDF files posing as invoices from Ukrainian companies. The malware injects into expl…
phishing
malware distribution
ukraine
banking
smokeloader
automotive
open directories
2025-02-07
financial lures
Published: February 7, 2025
Downloadable IOCs: 27

Tracking Adversaries: Ghostwriter APT Infrastructure

This analysis examines the infrastructure used by the Ghostwriter APT group, focusing on their phishing campaign targeting Ukrainian military. By pivoting on overlapping indicators of compromise (IOCs) from multiple threat reports, a cluster of malicious domains was identified. These domains share …
apt
belarus
cobalt strike
ukraine
2025-01-24
Published: January 24, 2025
Linked vulnerabilities : CVE-2022-30190
Downloadable IOCs: 25

Frequent freeloader: Russian actor using tools of other groups to attack Ukraine

Russian nation-state actor Secret Blizzard has been observed using tools and infrastructure from other threat actors to compromise targets in Ukraine. Between March and April 2024, Secret Blizzard utilized the Amadey bot malware associated with cybercriminal activity to deploy its custom Tavdig and…
ukraine
amadey
secret blizzard
2024-12-13
kazuarv2
Published: December 13, 2024
Downloadable IOCs: 0

Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications

FrostyGoop, an operational technology (OT) malware, disrupted critical infrastructure in Ukraine in early 2024, affecting heating systems for over 600 apartment buildings. It is the first OT-centric malware to use Modbus TCP communications for such an impact. The malware can operate both within com…
ukraine
golang
critical infrastructure
2024-11-19
ot-malware
industrial control systems
bustleberm
modbus tcp
frostygoop
Published: November 19, 2024
Linked vulnerabilities : CVE-2024-0012 (CVSS 9.8), CVE-2023-33538, CVE-2023-50358
Downloadable IOCs: 25

Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chai…
rat
phishing
windows
russia
ukraine
zero-day
CVE-2024-43451
2024-11-14
ntlm
spark rat
pass-the-hash
hash stealing
Published: November 14, 2024
Downloadable IOCs: 24

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys P…
malware
social engineering
android
windows
russia
ukraine
information theft
telegram
cyber-espionage
pronsis loader
sunspinner
craxsrat
purestealer
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 7

Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives

A Russian hybrid espionage and influence operation, dubbed UNC5812, targets potential Ukrainian military recruits through a Telegram persona called 'Civil Defense'. The campaign delivers Windows and Android malware, including SUNSPINNER, PURESTEALER, and CRAXSRAT, while simultaneously spreading ant…
espionage
ukraine
influence
telegram
russian
recruitment
2024-10-28
military
pronsis loader
sunspinner
craxsrat
purestealer
Published: October 28, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 3

Malicious RDP Files Identified in Latest Attack on Ukrainian Entities

CERT-UA has uncovered a new malicious email campaign targeting Ukrainian government agencies, enterprises, and military entities. The campaign uses RDP configuration files to establish remote connections, enabling data theft and further malware deployment. Attributed to UAC-0215 and linked to APT29…
phishing
apt28
ukraine
rdp
aws
2024-10-26
uac-0218
uac-0215
domain seizure
homesteel
cert-ua
Published: October 26, 2024
Downloadable IOCs: 0

Ukrainian and Polish entities targeted with RomCom malware variants

A Russian-speaking threat group, UAT-5647, has been conducting attacks against Ukrainian government entities and Polish targets since late 2023. The group has evolved its toolset to include four distinct malware families: RustClaw and MeltingClaw downloaders, DustyHammock backdoor, and ShadyHammock…
russia
ukraine
poland
romcom
2024-10-17
singlecamper
dustyhammock
shadyhammock
rustclaw
rustyclaw
meltingclaw
Published: October 17, 2024
Downloadable IOCs: 0

Report on Ukraine government attack campaign

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
malware
powershell
data theft
ukraine
exfiltration
government
spectr
2024-08-23
firmachagent
Published: August 23, 2024
Downloadable IOCs: 33

Armageddon is more than a Grammy-nominated album

This report details a Russia-linked threat actor targeting Ukraine, employing various obfuscation techniques. The malicious activity involves dropping a compressed file disguised as a RAR archive, which fetches a remote image likely for tracking execution. The payload employs mshta.exe to execute r…
russia
ukraine
geopolitics
2024-06-26
Published: June 26, 2024
Downloadable IOCs: 102

Targets Ukraine's Defense Forces using SPECTR malware alongside legitimate SyncThing

The report describes a cyber attack campaign by the UAC-0020 (Vermin) threat group targeting Ukraine's Defense Forces. The attackers utilized the SPECTR malware in tandem with the legitimate SyncThing software to exfiltrate sensitive data. The malicious payload was delivered via a password-protecte…
ukraine
exfiltration
defense
2024-06-07
spectr
syncthing
Published: June 7, 2024
Downloadable IOCs: 33

DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine

This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
rat
ukraine
cyber
2024-06-06
darkcrystal rat
darkcrystal
targeted
Published: June 6, 2024
Downloadable IOCs: 14

Excel File Deploys Cobalt Strike at Ukraine

A sophisticated multi-stage cyberattack was identified, utilizing an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker employed various evasion techniques and a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload, establishing communication w…
malware
evasion
ukraine
2024-06-04
excel
Published: June 4, 2024
Downloadable IOCs: 10

Disrupting FlyingYeti's campaign targeting Ukraine

This report details Cloudforce One's real-time effort to detect, deny, degrade, disrupt, and delay a phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine. The campaign aimed to capitalize on anxiety over potential loss of housing and utilities by enticing targets to ope…
malware
phishing
russia
ukraine
2024-05-31
CVE-2023-38831
cookbox
Published: May 31, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 8

Spring Exacerbation: UAC-0006 increased cyberattacks

This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
powershell
ukraine
2024-05-22
smokeloader
uac-0006
taleshot
Published: May 22, 2024
Downloadable IOCs: 31

Uncorking Old Wine: Zero-Day from 2017 + Loader in Unholy Alliance

An analysis uncovered a suspected malicious campaign targeting entities in Ukraine. The attack employed an old vulnerability from 2017, CVE-2017-8570, as the initial entry vector. The operation utilized a customized loader to deliver the Cobalt Strike Beacon payload. While the specific threat actor…
apt
cobalt strike
ukraine
malicious document
cobalt strike beacon
zero-day
CVE-2017-8570
Published: April 29, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports