CyberSecurity news

FlagThis - #ukraine

@securityonline.info //
North Korean state-sponsored threat group Konni, also known as Opal Sleet or TA406, has been observed actively targeting Ukrainian government entities in cyber espionage campaigns. These operations focus on gathering strategic intelligence related to the ongoing conflict between Russia and Ukraine. The group utilizes phishing campaigns to collect information on the trajectory of the Russian invasion, indicating North Korea's sustained interest in the geopolitical dynamics and its willingness to leverage cyber capabilities for strategic advantage.

TA406's cyber espionage activities involve sophisticated social engineering tactics, often impersonating fictitious think tanks, such as the "Royal Institute of Strategic Studies." These phishing emails are laced with lure content relevant to current Ukrainian political events, particularly those surrounding former military leader Valeriy Zaluzhnyi. The attackers use password-protected RAR files hosted on MEGA, containing .CHM files with embedded PowerShell scripts, or HTML files and LNK shortcuts to initiate the infection.

Once a target is compromised, PowerShell scripts are executed to gather extensive system information, including network configurations, system details, and WMI queries. This collected data is then Base64-encoded and transmitted to external servers, enabling the attackers to gain a comprehensive understanding of the targeted systems. The group employs various persistence mechanisms, such as installing batch files as autorun files and utilizing scheduled tasks to ensure continued access to compromised machines.

Recommended read:
References:
  • thehackernews.com: North Korean Konni APT Targets Ukraine with Malware to track Russian Invasion Progress
  • BleepingComputer: North Korea ramps up cyberspying in Ukraine to assess war risk
  • BleepingComputer: The state-backed North Korean threat group Konni (Opal Sleet, TA406) was observed targeting Ukrainian government entities in intelligence collection operations.
  • securityonline.info: In a recently disclosed campaign, TA406, a North Korean state-aligned threat actor, has expanded its cyber-espionage efforts by
  • securityonline.info: TA406 Cyber Campaign: North Korea’s Focus on Ukraine Intelligence

@www.volexity.com //
Russian threat actors have been actively targeting Microsoft 365 accounts belonging to individuals and organizations with connections to Ukraine and human rights causes. These malicious actors are exploiting legitimate OAuth 2.0 authentication workflows to gain unauthorized access. Researchers at Volexity have been monitoring these campaigns since early March 2025, observing a shift in tactics from previous device code phishing attempts to methods that rely more heavily on direct interaction with targets. These new attacks involve convincing victims to click on links and provide Microsoft-generated codes.

These campaigns involve sophisticated social engineering techniques, where attackers impersonate officials from various European nations and, in one instance, utilized a compromised Ukrainian Government account. The attackers are using messaging apps like Signal and WhatsApp to contact their targets, inviting them to join fake video calls or register for private meetings with European political figures or Ukraine-related events. The goal is to lure victims into clicking links hosted on Microsoft 365 infrastructure, ultimately tricking them into sharing Microsoft Authorization codes.

Volexity is tracking at least two suspected Russian threat actors, identified as UTA0352 and UTA0355, believed to be behind these attacks. The primary tactic involves requesting Microsoft Authorization codes from victims, which then allows the attackers to join attacker-controlled devices to Entra ID (formerly Azure AD) and download emails and other account-related data. This activity demonstrates a continuous effort by Russian threat actors to refine their techniques and circumvent security measures, highlighting the ongoing threat to individuals and organizations associated with Ukraine and human rights.

Recommended read:
References:
  • cyberpress.org: Cybersecurity firm Volexity has identified a series of sophisticated cyberattacks orchestrated by Russian threat actors abusing Microsoft’s OAuth 2.0 authentication workflows.
  • securityonline.info: Russian Hackers Abuse Microsoft 365 OAuth in Sophisticated Phishing Attacks
  • The Hacker News: Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp
  • www.volexity.com: Volexity blog on Russian Threat Actors Target Microsoft 365 Using OAuth Authorization Code Theft
  • Virus Bulletin: Volexity researchers observed multiple Russian threat actors targeting individuals & organizations with ties to Ukraine and human rights. These recent attacks use a new technique aimed at abusing legitimate Microsoft OAuth 2.0 Authentication workflows.
  • bsky.app: Russian threat actors have been abusing legitimate OAuth 2.0 authentication workflows to hijack Microsoft 365 accounts of employees of organizations related to Ukraine and human rights.
  • Security Risk Advisors: Russian Threat Actors Target Microsoft 365 Using OAuth Authorization Code Theft
  • The DefendOps Diaries: Learn how cybercriminals exploit OAuth 2.0 to hijack Microsoft 365 accounts and discover strategies to mitigate these sophisticated threats.
  • Email Security - Blog: Detailed analysis of the phishing technique.
  • Virus Bulletin: Russian APTs targeting Ukraine supporters with sophisticated Microsoft 365 OAuth phishing.
  • www.helpnetsecurity.com: Attackers phish OAuth codes, take over Microsoft 365 accounts
  • gbhackers.com: Russian Hackers Exploit Microsoft OAuth 2.0 to Target Organizations
  • BleepingComputer: Russian hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts
  • Cyber Security News: CyberPress on Russian Hackers Abuse Microsoft OAuth 2.0 to Breach Organizations
  • www.sentinelone.com: AI empowers organizations to optimize detection, Russia-nexus actors exploit MS OAuth workflows, and cybercrime hit $16B in losses in 2024.
  • slashnext.com: Technical details and vulnerabilities highlighted.
  • www.scworld.com: Explanation of the tool used in the attack.

Pierluigi Paganini@Security Affairs //
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.

The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging.

GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection.

Recommended read:
References:
  • bsky.app: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
  • cyberpress.org: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
  • gbhackers.com: Shuckworm Group Leverages GammaSteel Malware in Targeted PowerShell Attacks
  • The Hacker News: Shuckworm targets Western military mission
  • Broadcom Software Blogs: Shuckworm Targets Foreign Military Mission Based in Ukraine
  • gbhackers.com: The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
  • securityonline.info: Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team. This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless […]
  • BleepingComputer: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
  • securityonline.info: Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission
  • Cyber Security News: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
  • The Hacker News: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine
  • www.bleepingcomputer.com: Russian hackers attack Western military mission using malicious drive
  • www.csoonline.com: Russian Shuckworm APT is back with updated GammaSteel malware
  • securityaffairs.com: Gamaredon targeted the military mission of a Western country based in Ukraine
  • The DefendOps Diaries: Explore Gamaredon's evolving cyber tactics targeting Western military missions with advanced evasion techniques and PowerShell tools.
  • www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
  • PCMag UK security: A suspected state-sponsored Russian group may have developed the 'GammaSteel' attack to help them spy on and steal data from a military mission in Ukraine. A malware-laden storage drive may have helped Russia spy on military activities in Ukraine.
  • www.scworld.com: Infected removable drives were used to spread the malware.
  • Metacurity: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
  • ciso2ciso.com: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine – Source:thehackernews.com
  • ciso2ciso.com: The group targeted the military mission of a Western country, per the report. Infected removable drives have been used by the group.
  • Metacurity: Before you head out for a much-deserved weekend break after this insane week, check out today's Metacurity for the most critical infosec developments you should know, including --China acknowledged US cyberattacks at a secret meeting, report --Cybersecurity industry is mum on SentinelOne EO, --Comptroller of the Currency lacked MFA on hacked email account, --Morocco confirms massive cyber attack, --Gamaredon is targeting Western military mission in Ukraine, --Ethical hacker stole $2.6m from Morpho Labs, --Sex chatbots leak information, --much more
  • Security Risk Advisors: 🚩Shuckworm Compromises Western Military Mission in Ukraine Using Updated PowerShell GammaSteel Malware
  • Security Latest: For the past decade, this group of FSB hackers—including "traitor" Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.

SC Staff@scmagazine.com //
A new cyberespionage campaign, attributed to the hacking group UAC-0226, is actively targeting Ukrainian organizations. The campaign, ongoing since February 2025, focuses on stealing sensitive information from military formations, law enforcement agencies, and local government bodies, particularly those near the country's eastern border with Russia. The hackers are exploiting trust by impersonating Ukrainian state agencies and drone manufacturers in their attacks.

The UAC-0226 group employs spear-phishing tactics, using malicious Microsoft Excel files (.xlsm) as the primary attack vector. These files often reference sensitive topics such as landmine clearance, administrative fines, drone production, and compensation for destroyed property. When opened and macros are enabled, the files deploy malware, including a PowerShell script and a new stealer malware dubbed GIFTEDCROOK. GIFTEDCROOK is designed to steal browser data like cookies, browsing history, and saved passwords from Chrome, Edge, and Firefox, before exfiltrating it via Telegram.

CERT-UA (Computer Emergency Response Team of Ukraine) has issued warnings and recommendations to remain vigilant against these attacks. They advise system administrators and security teams to enhance email and web server log monitoring to identify and mitigate malicious activity, especially phishing attempts originating from compromised accounts. CERT-UA has been tracking this activity since February, but has not yet attributed the campaign to any known hacker group.

Recommended read:
References:
  • The Hacker News: UAC-0226 Deploys GIFTEDCROOK Stealer via Malicious Excel Files Targeting Ukraine
  • www.scworld.com: Ukraine subjected to new cyberespionage campaign
  • The Record: Hackers impersonating drone manufacturers have targeted Ukraine’s armed forces, law enforcement agencies and local government bodies — especially those near the country’s eastern border, close to Russia.
  • cyberpress.org: GIFTEDCROOK: New Stealer Malware Hits Government Agencies to Steal Sensitive Data

Veronika Telychko@SOC Prime Blog //
The Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of ongoing cyberattacks targeting Ukrainian state administration bodies and critical infrastructure. These attacks, attributed to the hacking group UAC-0219, have been ongoing since late 2024 and involve the use of the WRECKSTEEL PowerShell stealer to harvest data from infected computers. The attackers are distributing malware via phishing emails containing links to file-sharing platforms such as DropMeFiles and Google Drive, often disguised as research invitations or important documents like employee lists.

The multi-stage infection process begins with victims unknowingly downloading a VBScript loader from these links. Once executed, the loader deploys a PowerShell script that searches for and exfiltrates sensitive files, including documents, spreadsheets, presentations, and images. CERT-UA's analysis indicates that UAC-0219 has been refining its techniques over time. Indicators of compromise (IOCs) have been shared publicly to aid detection efforts, and CERT-UA urges organizations to remain vigilant and report any signs of compromise immediately.

Recommended read:
References:
  • Cyber Security News: UAC-0219 Hackers Use WRECKSTEEL PowerShell Stealer to Harvest Data from Infected Computers
  • Cyber Security News: UAC-0219 Hackers Using PowerShell Stealer WRECKSTEEL to Steal Information from Computers
  • SOC Prime Blog: UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL
  • The Hacker News: Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
  • The Hacker News: The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate
  • gbhackers.com: In a concerning development, CERT-UA, Ukraine’s Computer Emergency Response Team, has reported a series of cyberattacks attributed to the hacker group identified as UAC-0219. These attacks, which have been ongoing since the fall of 2024, utilize an advanced PowerShell-based malware tool named WRECKSTEEL to infiltrate computers and extract sensitive data.
  • securityaffairs.com: Discussion of the UAC-0219 attacks against Ukrainian state entities and critical infrastructure.
  • cert.europa.eu: CERT-UA reported three cyberattacks targeting Ukraine’s state agencies and critical infrastructure to steal sensitive data.
  • Matthias Schulze: CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
  • SOC Prime Blog: Gamaredon Campaign Detection: russia-backed APT Group Targets Ukraine Using LNK Files to Spread Remcos Backdoor
  • www.scworld.com: Ukraine subjected to new cyberespionage campaign

Pierluigi Paganini@Security Affairs //
Russia-linked Gamaredon is actively targeting Ukrainian users with a phishing campaign designed to deploy the Remcos Remote Access Trojan (RAT). This ongoing cyber campaign, uncovered by Cisco Talos, utilizes malicious LNK files disguised as Microsoft Office documents within ZIP archives. The filenames of these files often reference troop movements and other sensitive geopolitical themes related to the conflict in Ukraine, demonstrating a deliberate attempt to exploit the current situation to lure victims.

The attack chain begins with the execution of a PowerShell downloader embedded within the LNK file. This downloader then contacts geo-fenced servers located in Russia and Germany to retrieve a second-stage ZIP payload that contains the Remcos backdoor. The downloaded payload uses DLL sideloading to execute the backdoor. Cisco Talos assesses that the threat actor, Gamaredon, is affiliated with Russia's Federal Security Service (FSB) and is known for targeting Ukrainian organizations for espionage and data theft since at least 2013.

Recommended read:
References:
  • Cisco Talos Blog: Cisco Talos is actively tracking an ongoing campaign, targeting users in Ukraine with malicious LNK files which run a PowerShell downloader since at least November 2024.
  • Cyber Security News: A sophisticated cyber espionage campaign targeting Ukrainian entities has been uncovered, revealing the latest tactics of the Russia-linked Gamaredon threat actor group.
  • Christoffer S.: Gamaredon APT Targets Ukraine with Remcos Backdoor Using War-Themed Lures Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor.
  • gbhackers.com: Cisco Talos has uncovered an ongoing cyber campaign by the Gamaredon threat actor group, targeting Ukrainian users with malicious LNK files to deliver the Remcos backdoor.
  • buherator's timeline: Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor. The campaign, attributed with medium confidence to the Gamaredon APT group, uses Russian-language lures related to troop movements in Ukraine.
  • securityonline.info: A new targeted malware campaign linked to the Russian state-aligned group Gamaredon is exploiting Windows shortcut (.LNK) files
  • The Hacker News: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to
  • securityaffairs.com: Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine
  • Virus Bulletin: Cisco Talos researcher Guilherme Venere analyses an ongoing campaign targeting users in Ukraine with malicious LNK files which run a PowerShell downloader. The downloader contacts geo-fenced servers located in Russia & Germany to deploy the second stage Zip file containing the Remcos backdoor.
  • OODAloop: Entities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon.
  • Vulnerable U: Russian Hackers Target Ukraine With Stealthy Malware Attack
  • Cisco Talos Blog: Talos researchers warn that Russia-linked APT group Gamaredon targets Ukraine with a phishing campaign.
  • securityaffairs.com: Russia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader.
  • www.scworld.com: Ongoing Gamaredon phishing campaign targets Ukraine with Remcos RAT
  • Virus Bulletin: Cisco Talos researcher Guilherme Venere analyses an ongoing campaign targeting users in Ukraine with malicious LNK files which run a PowerShell downloader.
  • Industrial Cyber: Russian-linked UAC-0219 group escalates attacks on Ukraine government, critical infrastructure
  • The Hacker News: CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware
  • SOC Prime Blog: UAC-0219 Attack Detection: A New Cyber-Espionage Campaign Using a PowerShell Stealer WRECKSTEEL

@www.silentpush.com //
A sophisticated phishing campaign, suspected to be backed by Russian Intelligence Services, has been uncovered targeting individuals sympathetic to Ukraine, including Russian citizens and informants. The operation involves creating fake websites impersonating organizations such as the CIA, the Russian Volunteer Corps (RVC), Legion Liberty, and "Hochuzhit" ("I Want to Live"), an appeals hotline for Russian service members operated by Ukrainian intelligence. These deceptive sites aim to collect personal information from unsuspecting visitors, exploiting anti-war sentiment within Russia, where such activities are illegal and punishable by law.

Researchers at Silent Push discovered four distinct phishing clusters using tactics such as static HTML, JavaScript, and Google Forms to steal data. The threat actors are utilizing a bulletproof hosting provider, Nybula LLC, to host the fake websites, which are designed to mimic legitimate organizations. The goal is to gather intelligence and potentially identify dissidents within Russia. The campaign highlights the ongoing digital dimension of the Russia-Ukraine conflict and underscores the need for increased vigilance and improved digital hygiene among potential targets.

Recommended read:
References:
  • gbhackers.com: reports on the Russian attempts to steal Ukraine Defense Intelligence data
  • hackread.com: Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters
  • www.silentpush.com: Russian Intelligence Service-backed Campaigns Impersonate the CIA to Target Ukraine Sympathizers, Russian Citizens and Informants
  • Cyber Security News: In a sophisticated cyber espionage campaign recently uncovered, Russian hackers have been impersonating the U.S. Central Intelligence Agency (CIA) and other organizations to harvest sensitive information from Ukrainian sympathizers and potential Russian defectors.
  • securityonline.info: Silent Push Threat Analysts uncover a multi-cluster phishing operation leveraging fake CIA and anti-Putin group websites to harvest
  • Vulnerable U: Russian Hackers Target Ukraine With Stealthy Malware Attack

do son@securityonline.info //
Cybercriminals are actively exploiting the Signal messaging application to distribute an information-stealing Remote Access Trojan (RAT), raising serious privacy concerns. According to a recently published report, a cybercriminal group identified as UAC-0200 is behind the campaign, which targets high-value individuals within Ukraine's defense sector. The Computer Emergency Response Team of Ukraine (CERT-UA) has issued warnings about this campaign, which uses the Dark Crystal RAT (aka DCRat) to compromise systems.

This malicious activity involves distributing messages via Signal that contain what appears to be meeting minutes. These messages are sent from compromised accounts to enhance credibility, enticing unsuspecting users to download malicious archive files. The archives contain a decoy PDF and an executable that deploys the DCRat malware, giving attackers remote access and control, the ability to steal valuable information, and the ability to execute arbitrary commands. CERT-UA attributes this activity to UAC-0200, active since summer 2024, and notes that the use of popular messengers increases the attack surface, including by creating uncontrolled information exchange channels.

Recommended read:
References:
  • cyberinsider.com: Ukraine Warns Signal Used for Spreading RATs on High-Value Targets
  • securityonline.info: CERT-UA Alert: DarkCrystal RAT Deployed via Signal in Ukraine
  • SOC Prime Blog: Detect UAC-0200 Attacks Using DarkCrystal RAT
  • The DefendOps Diaries: Russian Cyber Espionage Targets Ukrainian Military via Signal
  • BleepingComputer: Ukrainian military targeted in new Signal spear-phishing attacks
  • BleepingComputer: Ukraine's Computer Emergency Response Team (CERT-UA) is warning about highly targeted attacks employing compromised Signal accounts to send malware to employees of defense industry firms and members of the country's army forces.
  • securityaffairs.com: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • The Hacker News: CERT-UA Warns: Dark Crystal RAT Targets Ukrainian Defense via Malicious Signal Messages
  • Sam Bent: Report: Cybercriminals Leverage Signal App to Deploy Info-Stealing RAT, Raising Privacy Concerns
  • bsky.app: CERT-UA warns of cyber espionage against the Ukrainian defense industry using Dark Crystal RAT
  • www.scworld.com: Attackers, tracked under the UAC-0200 threat cluster, leveraged the Signal messaging app to deliver messages purportedly containing minutes of the meeting reports as archive files.

Veronika Telychko@SOC Prime Blog //
Criminal group UAC-0173 is actively targeting Ukrainian notaries in a series of cyberattacks. These attacks, which have been ongoing since mid-January 2025, involve the use of DARKCRYSTALRAT malware. The cybercriminals are exploiting RDP tools to breach Ukraine's notarial offices, aiming to manipulate state registers. CERT-UA has issued an alert, CERT-UA#13738, regarding these activities.

SOC Prime has released Sigma rules to detect UAC-0173 attacks leveraging DARKCRYSTALRAT malware, providing cybersecurity professionals with tools to identify and mitigate these threats. These attacks by UAC-0173 highlight the ongoing cyber warfare impacting critical infrastructure and organizations within Ukraine.

CERT-UA reports that the hackers are exploiting RDP tools to breach Ukraine's notarial offices.

Recommended read:
References:
  • SOC Prime Blog: UAC-0173 Activity Detection: Hackers Launch Phishing Attacks Against Ukrainian Notaries Using the DARKCRYSTALRAT Malware
  • thecyberexpress.com: Hackers Exploit RDP Tools to Breach Ukraine’s Notarial Offices, CERT-UA Reports
  • securityaffairs.com: Criminal group UAC-0173 targets the Notary Office of Ukraine
  • The Hacker News: CERT-UA Warns of UAC-0173 Attacks Deploying DCRat to Compromise Ukrainian Notaries
  • Talkback Resources: Cyble article describing CERT-UA Warns of UAC-0173 Attacks Deploying DCRat to Compromise Ukrainian Notaries
  • Talkback Resources: Report that a criminal group UAC-0173 targets the Notary Office of Ukraine