Tag: ukraine

44 Attack Reports | 0 Vulnerabilities

Attack reports

Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine

Arctic Wolf Labs identified a U.S.-based company targeted by the Russian-aligned threat group RomCom via SocGholish, operated by TA569. This marks the first observed instance of a RomCom payload being distributed through SocGholish. The attack chain involved compromising legitimate websites, using …
malvertising
ukraine
socgholish
fakeupdate
gru
2025-11-25
ta569
mythic agent
vipertunnel
Published: November 25, 2025
Downloadable IOCs: 0

The terrible, horrible, no good, very bad day

On February 24, 2022, a cyberattack targeted Viasat's KA-SAT satellite network, exploiting a VPN vulnerability to access management systems. The attackers deployed AcidRain wiper malware, disrupting satellite communications for thousands of users in Ukraine and affecting 5,800 wind turbines in Germ…
ukraine
cyberattack
wiper
infrastructure
satellite
2025-11-13
acidrain
vpnfilter
vpn vulnerability
ka-sat
Published: November 13, 2025
Downloadable IOCs: 6

Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was …
spearphishing
android
powershell
ukraine
captcha
ngos
2025-10-22
coldriver
websocket rat
Published: October 22, 2025
Downloadable IOCs: 24

PhantomCaptcha: Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was …
spearphishing
android
powershell
ukraine
captcha
ngos
2025-10-22
coldriver
websocket rat
Published: October 22, 2025
Downloadable IOCs: 0

Gamaredon X Turla collaboration

ESET Research has uncovered collaboration between notorious APT groups Gamaredon and Turla, both associated with Russia's FSB, targeting high-profile victims in Ukraine. The research reveals Gamaredon tools being used to restart and deploy Turla's Kazuar backdoor on compromised machines. This marks…
backdoor
apt
russia
ukraine
cyberespionage
fsb
2025-09-19
kazuar
pterographin
pterolnk
pteroeffigy
collaboration
pteroodd
pteropaste
pterostew
2025-09-27
Published: September 27, 2025
Downloadable IOCs: 0

SVG Phishing hits Ukraine with Amatera Stealer, PureMiner

A phishing campaign targeting Ukrainian government entities uses malicious SVG files to initiate an infection chain. The attack begins with emails containing SVG attachments that redirect victims to a download site. A CHM file is then used to execute a remote HTA loader, which delivers two malware …
phishing
data theft
ukraine
cryptomining
fileless
chm
svg
amatera stealer
pureminer
countloader
2025-09-26
hta loader
Published: September 26, 2025
Downloadable IOCs: 0

CountLoader: New Malware Loader Being Served in 3 Different Versions

A new malware loader named CountLoader has been identified, strongly associated with Russian ransomware gangs. It comes in three versions: .NET, PowerShell, and JScript. The threat is believed to be part of an Initial Access Broker's toolset or used by a ransomware affiliate linked to LockBit, Blac…
phishing
ransomware
powershell
ukraine
lumma stealer
malware loader
.net
cobaltstrike
jscript
purehvnc
evasion techniques
initial access broker
adaptixc2
2025-09-19
countloader
Published: September 19, 2025
Downloadable IOCs: 27

Deepens Its Playbook with New Websites and Targets

CopyCop, a Russian covert influence network, has significantly expanded its operations since March 2025, creating over 300 new fictional media websites targeting various countries. The network, likely operated by John Mark Dougan with support from Russian entities, aims to undermine support for Ukr…
ukraine
disinformation
elections
social media
ai-generated content
deepfakes
2025-09-18
russian influence
political fragmentation
Published: September 18, 2025
Downloadable IOCs: 0

Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies

APT-C-53, also known as Gamaredon, is a Russian state-sponsored threat group active since 2013, targeting Ukrainian government and military entities. The group has upgraded its attack techniques, focusing on dynamic cloud-based C2 infrastructure and targeted delivery of cloud storage tools. In 2025…
apt
dropbox
powershell
russia
ukraine
cyberespionage
vbscript
2025-09-01
cloudflareworkers
devtunnels
Published: September 1, 2025
Downloadable IOCs: 11

UAC-0057 Keeps Pressure on Ukraine and Poland

This report details recent cyber espionage campaigns targeting Ukraine and Poland, likely conducted by UAC-0057 (also known as UNC1151 or Ghostwriter). The threat actor used weaponized XLS spreadsheets with obfuscated VBA macros to drop first-stage DLL downloaders. C# and C++ downloaders were used …
cobalt strike
ukraine
cyber espionage
poland
vba macros
upx
confuserex
domain impersonation
downloaders
2025-08-27
Published: August 27, 2025
Linked vulnerabilities : CVE-2024-42009
Downloadable IOCs: 37

Analyzing LAMEHUG

LAMEHUG, discovered on July 10, 2025, is the first known malware integrating large language model capabilities into its attack methodology. Attributed to APT28 (Fancy Bear) with moderate confidence, it targeted Ukrainian government officials through phishing emails containing malicious executables.…
phishing
apt28
ukraine
exfiltration
reconnaissance
llm
proof-of-concept
lamehug
2025-08-24
ai-generated commands
Published: August 24, 2025
Downloadable IOCs: 0

Pressure on Ukraine and Poland Continues

Recent analysis reveals two clusters of malicious archives targeting Ukraine and Poland since April 2025, linked to UAC-0057 (also known as UNC1151, FrostyNeighbor or Ghostwriter). The infection chains aim to collect system information and deploy implants for further exploitation, using readily ava…
espionage
cobalt strike
ukraine
poland
infrastructure
c++
vba macros
downloaders
c#
2025-08-20
slack
xls
Published: August 20, 2025
Downloadable IOCs: 0

New Arsenal: LAMEHUG, the First AI-Powered Malware

APT28, a Russian threat group, has developed LAMEHUG, a Python-based malware that utilizes AI to generate and execute system commands. This malware, targeting Ukraine's security and defense sector, begins with a phishing email containing a malicious attachment. LAMEHUG employs the Qwen 2.5-Coder-32…
phishing
python
ukraine
reconnaissance
data exfiltration
2025-08-07
ai-powered malware
hugging face api
lamehug
Published: August 7, 2025
Downloadable IOCs: 0

MaaS operation using Emmenhtal and Amadey linked to threats against Ukrainian entities

A Malware-as-a-Service operation utilizing Amadey for payload delivery has been identified, with connections to a SmokeLoader phishing campaign targeting Ukrainian entities. The operation exploits fake GitHub accounts to host payloads and tools, bypassing web filtering. Emmenhtal, a multistage down…
obfuscation
phishing
rhadamanthys
ukraine
amadey
asyncrat
redline
smokeloader
downloader
github
lumma
maas
emmenhtal
2025-07-17
Published: July 17, 2025
Downloadable IOCs: 4

Strategic Pivot: From Browser Stealer to Data Exfiltration Platform During Critical Ukraine Negotiations

The cyber-espionage group UAC-0226 has significantly evolved its GIFTEDCROOK malware from a basic browser data stealer to a robust intelligence-gathering tool. Three versions were identified between April-June 2025, with the latest iterations capable of exfiltrating a wide range of sensitive docume…
ukraine
data exfiltration
telegram
geopolitical
spear-phishing
cyber-espionage
2025-06-27
giftedcrook
Published: June 27, 2025
Linked vulnerabilities : CVE-2025-5777 (CVSS 9.3)
Downloadable IOCs: 11

New Russia-affiliated actor Void Blizzard targets critical sectors for espionage

Void Blizzard, a newly identified Russia-affiliated threat actor, has been conducting global cyberespionage operations since April 2024. Their primary targets are organizations in critical sectors, particularly in NATO member states and Ukraine, including government, defense, transportation, media,…
ukraine
cyberespionage
nato
spear phishing
evilginx
critical sectors
CVE-2025-27920
2025-05-27
azurehound
stolen credentials
russia-affiliated
cloud abuse
Published: May 27, 2025
Downloadable IOCs: 3

Backdoor implant discovered on PyPI posing as debugging utility

A sophisticated malicious package named 'dbgpkg' was detected on PyPI, masquerading as a Python debugging utility. The package implants a backdoor on systems, enabling execution of malicious code and data exfiltration. It uses function wrapping techniques to evade detection and is believed to be pa…
backdoor
russia
ukraine
pypi
supply chain attack
hacktivist
2025-05-15
dbgpkg
function wrapping
global socket toolkit
requestsdev
discordpydebug
Published: May 15, 2025
Downloadable IOCs: 0

TA406 Pivots to the Front

In February 2025, TA406, a North Korean state-sponsored actor, began targeting Ukrainian government entities with phishing campaigns aimed at gathering intelligence on the Russian invasion. The group utilized freemail senders impersonating think tank members to deliver both credential harvesting at…
phishing
north korea
powershell
ukraine
credential harvesting
reconnaissance
2025-05-13
government targeting
chm files
Published: May 13, 2025
Downloadable IOCs: 11

Russian COLDRIVER Hackers Deploy LOSTKEYS Malware to Steal Sensitive Information

The Google Threat Intelligence Group has identified a sophisticated malware called LOSTKEYS, attributed to the Russian government-backed threat actor COLDRIVER. Active since December 2023, LOSTKEYS represents an evolution in COLDRIVER's toolkit, targeting high-value entities such as NATO government…
powershell
ukraine
captcha
nato
multi-stage infection
ngo
lostkeys
2025-05-10
intelligence collection
russian hackers
western governments
Published: May 10, 2025
Downloadable IOCs: 0

Shuckworm Targets Foreign Military Mission Based in Ukraine

Russian-linked cyber-espionage group Shuckworm appears to be targeting a Western military mission based in Ukraine, according to research by Symantec and its partner, the UK-based security firm.
powershell
infostealer
ukraine
c server
gamaredon
shuckworm
2025-04-10
gammasteel
desktop folder
armageddon
Published: April 10, 2025
Downloadable IOCs: 56

Cyber Espionage using PowerShell stealer WRECKSTEEL

Ukrainian government's CERT-UA has identified a series of cyberattacks against government agencies and critical infrastructure facilities in Ukraine during March 2025. The attacks, aimed at information theft, utilize compromised accounts to distribute emails with links to public file services. Thes…
powershell
ukraine
cyber espionage
government
vbscript
critical infrastructure
2025-04-03
file stealing
wrecksteel
Published: April 3, 2025
Downloadable IOCs: 71

Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants

Silent Push Threat Analysts have uncovered a sophisticated phishing campaign targeting individuals sympathetic to Ukraine's defense, Russian citizens, and potential informants. The operation, believed to be orchestrated by Russian Intelligence Services, employs four major phishing clusters imperson…
phishing
impersonation
state-sponsored
russia
ukraine
russian volunteer corps
2025-04-01
hochuzhit
cia
intelligence gathering
legion liberty
Published: April 1, 2025
Downloadable IOCs: 0

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading t…
phishing
powershell
ukraine
remcos
dll sideloading
lnk files
2025-03-28
gthost
hyperhosting
Published: March 28, 2025
Downloadable IOCs: 0

When Getting Phished Puts You in Mortal Danger

The article discusses a network of phishing domains targeting Russians searching for anti-Putin organizations. These domains mimic recruitment websites of Ukrainian paramilitary groups and intelligence agencies. The scam aims to collect personal information from potential recruits, likely for Russi…
phishing
russia
ukraine
recruitment
search engine manipulation
2025-03-28
paramilitary
russian volunteer corps
freedom of russia legion
Published: March 28, 2025
Downloadable IOCs: 0

Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition

A new campaign attributed to the Ghostwriter threat actor has been observed targeting opposition activists in Belarus and Ukrainian military and government organizations. The operation, which began preparation in mid-2024 and entered an active phase in late 2024, employs weaponized Excel documents …
cobalt strike
ukraine
2025-02-26
confuserex
unc1151
picassoloader
uac-0057
Published: February 26, 2025
Downloadable IOCs: 10

Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns

EclecticIQ analysts have identified a cyber espionage campaign by Sandworm (APT44) targeting Ukrainian Windows users. The group is leveraging pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of the BACKORDER loader, which ultimately deploys…
ukraine
cyber espionage
dcrat
apt44
2025-02-12
backorder
kalambur
gru
dark crystal rat
kms activators
backorder loader
software piracy
Published: February 12, 2025
Downloadable IOCs: 35

GetSmoked: UAC-0006 Returns With SmokeLoader Targeting Ukraine's Largest State-Owned Bank

UAC-0006, a financially motivated cyber threat group, has resurfaced with a sophisticated phishing campaign targeting customers of Ukraine’s largest state-owned bank, PrivatBank.
powershell
ukraine
javascript
black basta
vbscript
smokeloader
uac-0006
carbanak
anunak
defense evasion
sha256
2025-02-10
fin7
uac0006
privatbank
bank
model
demo
Published: February 10, 2025
Downloadable IOCs: 62

SmokeLoader Malware Targets Ukraine's Auto & Banking Sectors via Open Directories

An investigation uncovered open directories hosting SmokeLoader malware samples and lure documents targeting Ukraine's automotive and banking sectors. Two servers were identified, containing Windows executables and PDF files posing as invoices from Ukrainian companies. The malware injects into expl…
phishing
malware distribution
ukraine
banking
smokeloader
automotive
open directories
2025-02-07
financial lures
Published: February 7, 2025
Downloadable IOCs: 27

Tracking Adversaries: Ghostwriter APT Infrastructure

This analysis examines the infrastructure used by the Ghostwriter APT group, focusing on their phishing campaign targeting Ukrainian military. By pivoting on overlapping indicators of compromise (IOCs) from multiple threat reports, a cluster of malicious domains was identified. These domains share …
apt
belarus
cobalt strike
ukraine
2025-01-24
Published: January 24, 2025
Linked vulnerabilities : CVE-2022-30190
Downloadable IOCs: 25

Frequent freeloader: Russian actor using tools of other groups to attack Ukraine

Russian nation-state actor Secret Blizzard has been observed using tools and infrastructure from other threat actors to compromise targets in Ukraine. Between March and April 2024, Secret Blizzard utilized the Amadey bot malware associated with cybercriminal activity to deploy its custom Tavdig and…
ukraine
amadey
secret blizzard
2024-12-13
kazuarv2
Published: December 13, 2024
Downloadable IOCs: 0

Zoom-In: A Closer Look into the Malware Artifacts, Behaviors and Network Communications

FrostyGoop, an operational technology (OT) malware, disrupted critical infrastructure in Ukraine in early 2024, affecting heating systems for over 600 apartment buildings. It is the first OT-centric malware to use Modbus TCP communications for such an impact. The malware can operate both within com…
ukraine
golang
critical infrastructure
2024-11-19
ot-malware
industrial control systems
bustleberm
modbus tcp
frostygoop
Published: November 19, 2024
Linked vulnerabilities : CVE-2024-0012 (CVSS 9.8), CVE-2023-33538, CVE-2023-50358
Downloadable IOCs: 25

Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails

A newly discovered vulnerability in Windows NT LAN Manager (NTLM) has been exploited by suspected Russian hackers in cyber attacks against Ukraine. The flaw, identified as CVE-2024-43451, allows attackers to steal NTLMv2 hashes through minimal user interaction with malicious files. The exploit chai…
rat
phishing
windows
russia
ukraine
zero-day
CVE-2024-43451
2024-11-14
ntlm
spark rat
pass-the-hash
hash stealing
Published: November 14, 2024
Downloadable IOCs: 24

Russian Hackers Attacking Ukraine Military With Malware Via Telegram

Russian hackers, identified as UNC5812, are targeting the Ukrainian military through a sophisticated cyber operation. The attackers use a deceptive Telegram channel and website posing as a civil defense service to distribute malware for both Windows and Android devices. The Windows attack deploys P…
malware
social engineering
android
windows
russia
ukraine
information theft
telegram
cyber-espionage
pronsis loader
sunspinner
craxsrat
purestealer
2024-10-31
Published: October 31, 2024
Downloadable IOCs: 7

Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives

A Russian hybrid espionage and influence operation, dubbed UNC5812, targets potential Ukrainian military recruits through a Telegram persona called 'Civil Defense'. The campaign delivers Windows and Android malware, including SUNSPINNER, PURESTEALER, and CRAXSRAT, while simultaneously spreading ant…
espionage
ukraine
influence
telegram
russian
recruitment
2024-10-28
military
pronsis loader
sunspinner
craxsrat
purestealer
Published: October 28, 2024
Linked vulnerabilities : CVE-2024-47575 (CVSS 9.8)
Downloadable IOCs: 3

Malicious RDP Files Identified in Latest Attack on Ukrainian Entities

CERT-UA has uncovered a new malicious email campaign targeting Ukrainian government agencies, enterprises, and military entities. The campaign uses RDP configuration files to establish remote connections, enabling data theft and further malware deployment. Attributed to UAC-0215 and linked to APT29…
phishing
apt28
ukraine
rdp
aws
2024-10-26
uac-0218
uac-0215
domain seizure
homesteel
cert-ua
Published: October 26, 2024
Downloadable IOCs: 0

Ukrainian and Polish entities targeted with RomCom malware variants

A Russian-speaking threat group, UAT-5647, has been conducting attacks against Ukrainian government entities and Polish targets since late 2023. The group has evolved its toolset to include four distinct malware families: RustClaw and MeltingClaw downloaders, DustyHammock backdoor, and ShadyHammock…
russia
ukraine
poland
romcom
2024-10-17
singlecamper
dustyhammock
shadyhammock
rustclaw
rustyclaw
meltingclaw
Published: October 17, 2024
Downloadable IOCs: 0

Report on Ukraine government attack campaign

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfusca…
malware
powershell
data theft
ukraine
exfiltration
government
spectr
2024-08-23
firmachagent
Published: August 23, 2024
Downloadable IOCs: 33

Armageddon is more than a Grammy-nominated album

This report details a Russia-linked threat actor targeting Ukraine, employing various obfuscation techniques. The malicious activity involves dropping a compressed file disguised as a RAR archive, which fetches a remote image likely for tracking execution. The payload employs mshta.exe to execute r…
russia
ukraine
geopolitics
2024-06-26
Published: June 26, 2024
Downloadable IOCs: 102

Targets Ukraine's Defense Forces using SPECTR malware alongside legitimate SyncThing

The report describes a cyber attack campaign by the UAC-0020 (Vermin) threat group targeting Ukraine's Defense Forces. The attackers utilized the SPECTR malware in tandem with the legitimate SyncThing software to exfiltrate sensitive data. The malicious payload was delivered via a password-protecte…
ukraine
exfiltration
defense
2024-06-07
spectr
syncthing
Published: June 7, 2024
Downloadable IOCs: 33

DarkCrystal RAT Cyber Attacks Targeting Government Officials in Ukraine

This intelligence document outlines targeted cyber attacks against government officials, military personnel, and defense industry representatives in Ukraine using the DarkCrystal RAT malware. The malware is distributed through the Signal messaging app, disguised as messages from existing contacts o…
rat
ukraine
cyber
2024-06-06
darkcrystal rat
darkcrystal
targeted
Published: June 6, 2024
Downloadable IOCs: 14

Excel File Deploys Cobalt Strike at Ukraine

A sophisticated multi-stage cyberattack was identified, utilizing an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker employed various evasion techniques and a multi-stage malware strategy to deliver the notorious 'Cobalt Strike' payload, establishing communication w…
malware
evasion
ukraine
2024-06-04
excel
Published: June 4, 2024
Downloadable IOCs: 10

Disrupting FlyingYeti's campaign targeting Ukraine

This report details Cloudforce One's real-time effort to detect, deny, degrade, disrupt, and delay a phishing campaign by the Russia-aligned threat actor FlyingYeti targeting Ukraine. The campaign aimed to capitalize on anxiety over potential loss of housing and utilities by enticing targets to ope…
malware
phishing
russia
ukraine
2024-05-31
CVE-2023-38831
cookbox
Published: May 31, 2024
Linked vulnerabilities : CVE-2023-38831
Downloadable IOCs: 8

Spring Exacerbation: UAC-0006 increased cyberattacks

This report aims to provide insights into the ongoing cyber operations targeting Ukraine. It analyzes the tactics, techniques, and procedures employed by threat actors in their malicious campaigns. The document offers a comprehensive overview of the cybersecurity landscape in Ukraine, highlighting …
powershell
ukraine
2024-05-22
smokeloader
uac-0006
taleshot
Published: May 22, 2024
Downloadable IOCs: 31

Uncorking Old Wine: Zero-Day from 2017 + Loader in Unholy Alliance

An analysis uncovered a suspected malicious campaign targeting entities in Ukraine. The attack employed an old vulnerability from 2017, CVE-2017-8570, as the initial entry vector. The operation utilized a customized loader to deliver the Cobalt Strike Beacon payload. While the specific threat actor…
apt
cobalt strike
ukraine
malicious document
cobalt strike beacon
zero-day
CVE-2017-8570
Published: April 29, 2024
Downloadable IOCs: 6
Click here to see more Attack Reports