Pierluigi Paganini@Security Affairs
//
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.
The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging.
GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection.
Recommended read:
References :
- bsky.app: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been
targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
- cyberpress.org: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- gbhackers.com: Shuckworm Group Leverages GammaSteel Malware in Targeted PowerShell Attacks
- The Hacker News: Shuckworm targets Western military mission
- Broadcom Software Blogs: Shuckworm Targets Foreign Military Mission Based in Ukraine
- gbhackers.com: The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
- securityonline.info: Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team. This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless […]
- BleepingComputer: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
- securityonline.info: Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission
- Cyber Security News: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- The Hacker News: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine
- www.bleepingcomputer.com: Russian hackers attack Western military mission using malicious drive
- www.csoonline.com: Russian Shuckworm APT is back with updated GammaSteel malware
- securityaffairs.com: Gamaredon targeted the military mission of a Western country based in Ukraine
- The DefendOps Diaries: Explore Gamaredon's evolving cyber tactics targeting Western military missions with advanced evasion techniques and PowerShell tools.
- www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
- PCMag UK security: A suspected state-sponsored Russian group may have developed the 'GammaSteel' attack to help them spy on and steal data from a military mission in Ukraine. A malware-laden storage drive may have helped Russia spy on military activities in Ukraine.
- www.scworld.com: Infected removable drives were used to spread the malware.
- Metacurity: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
- www.metacurity.com: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
- ciso2ciso.com: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine – Source:thehackernews.com
- ciso2ciso.com: The group targeted the military mission of a Western country, per the report. Infected removable drives have been used by the group.
- Metacurity: Before you head out for a much-deserved weekend break after this insane week, check out today's Metacurity for the most critical infosec developments you should know, including --China acknowledged US cyberattacks at a secret meeting, report --Cybersecurity industry is mum on SentinelOne EO, --Comptroller of the Currency lacked MFA on hacked email account, --Morocco confirms massive cyber attack, --Gamaredon is targeting Western military mission in Ukraine, --Ethical hacker stole $2.6m from Morpho Labs, --Sex chatbots leak information, --much more
- Security Risk Advisors: 🚩Shuckworm Compromises Western Military Mission in Ukraine Using Updated PowerShell GammaSteel Malware
- Security Latest: For the past decade, this group of FSB hackers—including “traitorâ€Â Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.
SC Staff@scmagazine.com
//
A new cyberespionage campaign, attributed to the hacking group UAC-0226, is actively targeting Ukrainian organizations. The campaign, ongoing since February 2025, focuses on stealing sensitive information from military formations, law enforcement agencies, and local government bodies, particularly those near the country's eastern border with Russia. The hackers are exploiting trust by impersonating Ukrainian state agencies and drone manufacturers in their attacks.
The UAC-0226 group employs spear-phishing tactics, using malicious Microsoft Excel files (.xlsm) as the primary attack vector. These files often reference sensitive topics such as landmine clearance, administrative fines, drone production, and compensation for destroyed property. When opened and macros are enabled, the files deploy malware, including a PowerShell script and a new stealer malware dubbed GIFTEDCROOK. GIFTEDCROOK is designed to steal browser data like cookies, browsing history, and saved passwords from Chrome, Edge, and Firefox, before exfiltrating it via Telegram.
CERT-UA (Computer Emergency Response Team of Ukraine) has issued warnings and recommendations to remain vigilant against these attacks. They advise system administrators and security teams to enhance email and web server log monitoring to identify and mitigate malicious activity, especially phishing attempts originating from compromised accounts. CERT-UA has been tracking this activity since February, but has not yet attributed the campaign to any known hacker group.
Recommended read:
References :
- The Hacker News: UAC-0226 Deploys GIFTEDCROOK Stealer via Malicious Excel Files Targeting Ukraine
- www.scworld.com: Ukraine subjected to new cyberespionage campaign
- The Record: Hackers impersonating drone manufacturers have targeted Ukraine’s armed forces, law enforcement agencies and local government bodies — especially those near the country’s eastern border, close to Russia.
- therecord.media: Hackers impersonating drone manufacturers have targeted Ukraine’s armed forces, law enforcement agencies and local government bodies — especially those near the country’s eastern border, close to Russia.
- cyberpress.org: GIFTEDCROOK: New Stealer Malware Hits Government Agencies to Steal Sensitive Data
Veronika Telychko@SOC Prime Blog
//
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of ongoing cyberattacks targeting Ukrainian state administration bodies and critical infrastructure. These attacks, attributed to the hacking group UAC-0219, have been ongoing since late 2024 and involve the use of the WRECKSTEEL PowerShell stealer to harvest data from infected computers. The attackers are distributing malware via phishing emails containing links to file-sharing platforms such as DropMeFiles and Google Drive, often disguised as research invitations or important documents like employee lists.
The multi-stage infection process begins with victims unknowingly downloading a VBScript loader from these links. Once executed, the loader deploys a PowerShell script that searches for and exfiltrates sensitive files, including documents, spreadsheets, presentations, and images. CERT-UA's analysis indicates that UAC-0219 has been refining its techniques over time. Indicators of compromise (IOCs) have been shared publicly to aid detection efforts, and CERT-UA urges organizations to remain vigilant and report any signs of compromise immediately.
Recommended read:
References :
- Cyber Security News: UAC-0219 Hackers Use WRECKSTEEL PowerShell Stealer to Harvest Data from Infected Computers
- Cyber Security News: UAC-0219 Hackers Using PowerShell Stealer WRECKSTEEL to Steal Information from Computers
- SOC Prime Blog: UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL
- The Hacker News: Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
- The Hacker News: The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate
- gbhackers.com: In a concerning development, CERT-UA, Ukraine’s Computer Emergency Response Team, has reported a series of cyberattacks attributed to the hacker group identified as UAC-0219. These attacks, which have been ongoing since the fall of 2024, utilize an advanced PowerShell-based malware tool named WRECKSTEEL to infiltrate computers and extract sensitive data.
- securityaffairs.com: Discussion of the UAC-0219 attacks against Ukrainian state entities and critical infrastructure.
- cert.europa.eu: CERT-UA reported three cyberattacks targeting Ukraine’s state agencies and critical infrastructure to steal sensitive data.
- Matthias Schulze: CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
- SOC Prime Blog: Gamaredon Campaign Detection: russia-backed APT Group Targets Ukraine Using LNK Files to Spread Remcos Backdoor
- www.scworld.com: Ukraine subjected to new cyberespionage campaign
Pierluigi Paganini@Security Affairs
//
Russia-linked Gamaredon is actively targeting Ukrainian users with a phishing campaign designed to deploy the Remcos Remote Access Trojan (RAT). This ongoing cyber campaign, uncovered by Cisco Talos, utilizes malicious LNK files disguised as Microsoft Office documents within ZIP archives. The filenames of these files often reference troop movements and other sensitive geopolitical themes related to the conflict in Ukraine, demonstrating a deliberate attempt to exploit the current situation to lure victims.
The attack chain begins with the execution of a PowerShell downloader embedded within the LNK file. This downloader then contacts geo-fenced servers located in Russia and Germany to retrieve a second-stage ZIP payload that contains the Remcos backdoor. The downloaded payload employs DLL sideloading techniques to execute the backdoor. Cisco Talos assesses that the threat actor, Gamaredon, is affiliated with Russia's Federal Security Service (FSB) and known for targeting Ukrainian organizations for espionage and data theft since at least 2013.
Recommended read:
References :
- Cisco Talos Blog: Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.
- Cyber Security News: A sophisticated cyber espionage campaign targeting Ukrainian entities has been uncovered, revealing the latest tactics of the Russia-linked Gamaredon threat actor group.
- Christoffer S.: Gamaredon APT Targets Ukraine with Remcos Backdoor Using War-Themed Lures Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor.
- gbhackers.com: Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group, targeting Ukrainian users with malicious LNK files to deliver the Remcos backdoor.
- buherator's timeline: Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor. The campaign, attributed with medium confidence to the Gamaredon APT group, uses Russian-language lures related to troop movements in Ukraine.
- securityonline.info: A new targeted malware campaign linked to the Russian state-aligned group Gamaredon is exploiting Windows shortcut (.LNK) files
- The Hacker News: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to
- securityaffairs.com: Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine
- Virus Bulletin: Cisco Talos researcher Guilherme Venere analyses an ongoing campaign targeting users in Ukraine with malicious LNK files which run a PowerShell downloader. The downloader contacts geo-fenced servers located in Russia & Germany to deploy the second stage Zip file containing the Remcos backdoor.
- OODAloop: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon.
- Vulnerable U: Russian Hackers Target Ukraine With Stealthy Malware Attack
- Cisco Talos Blog: Talos researchers warn that Russia-linked APT group Gamaredon targets Ukraine with a phishing campaign.
- securityaffairs.com: Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader.
- www.scworld.com: Ongoing Gamaredon phishing campaign targets Ukraine with Remcos RAT
- securityaffairs.com: Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader.
- Virus Bulletin: Cisco Talos researcher Guilherme Venere analyses an ongoing campaign targeting users in Ukraine with malicious LNK files which run a PowerShell downloader.
- Industrial Cyber: Russian-linked UAC-0219 group escalates attacks on Ukraine government, critical infrastructure
- The Hacker News: CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
- SOC Prime Blog: UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL
@www.silentpush.com
//
A sophisticated phishing campaign, suspected to be backed by Russian Intelligence Services, has been uncovered targeting individuals sympathetic to Ukraine, including Russian citizens and informants. The operation involves creating fake websites impersonating organizations such as the CIA, the Russian Volunteer Corps (RVC), Legion Liberty, and "Hochuzhit" ("I Want to Live"), an appeals hotline for Russian service members operated by Ukrainian intelligence. These deceptive sites aim to collect personal information from unsuspecting visitors, exploiting anti-war sentiment within Russia, where such activities are illegal and punishable by law.
Researchers at Silent Push discovered four distinct phishing clusters using tactics such as static HTML, JavaScript, and Google Forms to steal data. The threat actors are utilizing a bulletproof hosting provider, Nybula LLC, to host the fake websites, which are designed to mimic legitimate organizations. The goal is to gather intelligence and potentially identify dissidents within Russia. The campaign highlights the ongoing digital dimension of the Russia-Ukraine conflict and underscores the need for increased vigilance and improved digital hygiene among potential targets.
Recommended read:
References :
- gbhackers.com: reports on the Russian attempts to steal Ukraine Defense Intelligence data
- hackread.com: Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters
- www.silentpush.com: Russian Intelligence Service-backed Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
- Cyber Security News: In a sophisticated cyber espionage campaign recently uncovered, Russian hackers have been impersonating the U.S. Central Intelligence Agency (CIA) and other organizations to harvest sensitive information from Ukrainian sympathizers and potential Russian defectors.
- securityonline.info: Silent Push Threat Analysts uncover a multi-cluster phishing operation leveraging fake CIA and anti-Putin group websites to harvest
- Vulnerable U: Russian Hackers Target Ukraine With Stealthy Malware Attack
do son@securityonline.info
//
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a cybercriminal group identified as UNC-200 is behind the campaign, which involves targeting high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which utilizes the Dark Crystal RAT (aka DCRat) to compromise systems.
This malicious activity involves distributing messages via Signal that contain what appears to be meeting minutes. These messages are sent from compromised accounts to enhance credibility, enticing unsuspecting users to download malicious archive files. The archives contain a decoy PDF and an executable that deploys the DCRat malware, giving attackers remote access and control, stealing valuable information and executing arbitrary commands. CERT-UA attributes this activity to UAC-0200, active since summer 2024, who noted that the use of popular messengers increases the attack surface, including due to the creation of uncontrolled information exchange channels.
Recommended read:
References :
- cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
- securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
- SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
- The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
- BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
- BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
- securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
- The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
- BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
- Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
- bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
- www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.
Veronika Telychko@SOC Prime Blog
//
Criminal group UAC-0173 is actively targeting Ukrainian notaries in a series of cyberattacks. These attacks, which have been ongoing since mid-January 2025, involve the use of DARKCRYSTALRAT malware. The cybercriminals are exploiting RDP tools to breach Ukraine's notarial offices, aiming to manipulate state registers. CERT-UA has issued an alert, CERT-UA#13738, regarding these activities.
SOC Prime has released Sigma rules to detect UAC-0173 attacks leveraging DARKCRYSTALRAT malware, providing cybersecurity professionals with tools to identify and mitigate these threats. These attacks by UAC-0173 highlight the ongoing cyber warfare impacting critical infrastructure and organizations within Ukraine.
CERT-UA reports Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices.
Recommended read:
References :
- SOC Prime Blog: UAC-0173 Activity Detection: Hackers Launch Phishing Attacks Against Ukrainian Notaries Using the DARKCRYSTALRAT Malware
- thecyberexpress.com: Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices, CERT-UA Reports
- securityaffairs.com: Criminal group UAC-0173 targets the Notary Office of Ukraine
- The Hacker News: CERT-UA Warns of UAC-0173 Attacks Deploying DCRat to Compromise Ukrainian Notaries
- Talkback Resources: Cyble article describing CERT-UA Warns of UAC-0173 Attacks Deploying DCRat to Compromise Ukrainian Notaries
- Talkback Resources: Report that a criminal group UAC-0173 targets the Notary Office of Ukraine
Arda Büyükkaya@EclecticIQ Blog
//
The Russian Sandworm group, a cyber-espionage unit with ties to the Russian military, is actively targeting Windows users in Ukraine. They are distributing malicious Microsoft Key Management Service (KMS) activators and fake Windows updates, compromising systems in the process. This campaign, which likely started in late 2023, showcases the ongoing cyber warfare efforts targeting Ukraine.
EclecticIQ threat analysts have linked these attacks to Sandworm based on overlapping infrastructure, consistent tactics, techniques, and procedures (TTPs), and the use of ProtonMail accounts to register domains used in the attacks. The attackers are also deploying a BACKORDER loader to deliver DarkCrystal RAT (DcRAT) malware. This malicious tool abuses legitimate Windows processes to evade detection, such as using `wmic` to add Microsoft Defender exclusions and `reg` to gather information about Defender's status, mimicking the behavior of legitimate KMS activators, while injecting malicious payloads onto compromised systems.
Recommended read:
References :
- bsky.app: The Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
- BleepingComputer: Sandworm Russian military cyber-espionage group is targeting Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
- www.bleepingcomputer.com: Russian military hackers deploy malicious Windows activators in Ukraine
- Know Your Adversary: EclecticIQ analysts presented a report on recent Sandworm campaign, where the threat actors used trojanized Microsoft KMS activation tools to deliver BACKORDER loader.
- EclecticIQ Blog: Sandworm APT Targets Ukrainian Users With Trojanized Microsoft KMS Activation Tools In Cyber Espionage Campaigns
- Anonymous ???????? :af:: Details about the malicious Microsoft KMS activation tools used in a recent Sandworm campaign.
- MSSP feed for Latest: Reports that attacks involving malicious Microsoft Key Management Service activators and bogus Windows updates have been deployed.
- securityaffairs.com: Report highlights that a Sandworm subgroup exploited trojanized Microsoft KMS activation tools.
- ciso2ciso.com: Source: socprime.com – Author: Daryna Olyniychuk For over a decade, russia-backed Sandworm APT group (also tracked as UAC-0145, APT44) has consistently targeted Ukrainian organizations, with a primary focus on state bodies and critical infrastructure.
- www.microsoft.com: Details of the BadPilot operation conducted by the Sandworm subgroup, targeting critical organizations and governments.
- ciso2ciso.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
– Source: socprime.com
- securityonline.info: Discussion of the campaign, the methods used by the attackers and potential consequences.
- BleepingComputer: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
- : Microsoft : Microsoft Threat Intelligence reports on a subgroup within Russian APT Seashell Blizzard (aka Sandworm, APT44) and their multiyear [sic] initial access operation (tracked as the "BadPilot campaign"). This blog details this subgroup's recently observed tactics, techniques, and procedures (TTPs), and describes three of its distinct exploitation patterns. The geographical targeting to a near-global scale of this campaign expands Seashell Blizzard's scope of operations beyond Eastern Europe. Additionally, the opportunistic access methods outlined in this campaign will continue to offer Russia opportunities for niche operations and activities. Indicators of compromise and Yara rules are listed.
- socprime.com: Sandworm APT Attacks Detection: russian State-Sponsored Hackers Deploy Malicious Windows KMS Activators to Target Ukraine
- securityaffairs.com: Microsoft Threat Intelligence has published research on a subgroup of the Russia-linked APT group Seashell Blizzard behind the global BadPilot campaign, which compromises infrastructure to support Russian cyber operations. Seashell Blizzard (aka Sandworm, BlackEnergy and TeleBots) has been active in the cybersecurity arena for more than a decade.
|
|