Ukrainian cybersecurity officials have identified a new malware campaign specifically targeting the country’s defense infrastructure, according to an alert from the Computer Emergency Response Team of Ukraine (CERT-UA). 

This development comes amid controversy about Signal’s cooperation with Ukrainian authorities. According to The Record, Signal allegedly stopped responding to requests from Ukrainian law enforcement regarding Russian cyber threats.

What’s Happening

The campaign, detected this month, targets both defense industry enterprise employees and individual Ukrainian Defense Forces personnel through Signal messages containing what appear to be meeting minutes.

Attackers distribute archive files containing a legitimate-looking PDF alongside malware. The archives deploy DarkTortilla, a .NET-based crypter that ultimately launches DCRat, a remote access trojan capable of executing commands, stealing information, and establishing remote control over infected systems.

CERT-UA has attributed the campaign to threat actor UAC-0200, active since mid-2024.

The Bottom Line

We have already reported that DCRat is widely spread across Ukraine, Russia, and Belarus, often distributed through platforms like YouTube and various forums where pirated content is discussed or shared. Now, CERT-UA has confirmed that it is being used by Russian threat actors.

Given the ongoing Russia-Ukraine conflict, both sides are also engaged in digital cyberwarfare, and this campaign is just one part of it. There is much more happening every day in the shadows of this ongoing war.

IOC


Source: hxxps[://]cert[.]gov[.]ua/article/6282737
