22 May 2024

Hackers target orgs in Ukraine with SmokeLoader malware



The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has reported a significant increase in activity from the financially motivated threat actor it tracks as UAC-0006. Since May 20, 2024, the threat actors have launched at least two distinct malware distribution campaigns, the team said.

According to CERT-UA, these campaigns distribute the SmokeLoader malware through phishing emails. The emails contain ZIP archives that hold malicious files: .IMG files containing executable (.exe) files, and ACCDB (Microsoft Access) documents with embedded macros that execute PowerShell commands to download and run the .exe files.
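For mail-gateway or mailbox triage, the following added example (not from CERT-UA or the original article) inspects a ZIP attachment for the two member types described above: an .IMG file that carries a PE executable, and a Microsoft Access database identified by its header string. The function names, the size cap and the sample file names are assumptions made for illustration, and the sample archive is constructed and inert.

```python
import io
import struct
import zipfile

ACCDB_MAGIC = b"Standard ACE DB"   # header string at offset 4 of .accdb files
MAX_MEMBER = 64 * 1024 * 1024      # assumed cap: skip oversized members (zip bombs)

def has_pe(data: bytes) -> bool:
    """True if an MZ header whose e_lfanew points at 'PE\\0\\0' occurs in data."""
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            pe = pos + struct.unpack_from("<I", data, pos + 0x3C)[0]
            if data[pe:pe + 4] == b"PE\0\0":
                return True
        pos = data.find(b"MZ", pos + 1)
    return False

def triage_zip(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for members matching the reported chain."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER:
                continue
            data = zf.read(info)
            if info.filename.lower().endswith(".img") and has_pe(data):
                findings.append((info.filename, "IMG with embedded PE"))
            elif data[4:19] == ACCDB_MAGIC:
                findings.append((info.filename, "Access database, review for macros"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed, inert sample: header bytes only, no real code or macros."""
    pe_stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.img", b"\0" * 512 + pe_stub + b"\0" * 512)
        zf.writestr("sample.accdb", b"\x00\x01\x00\x00" + ACCDB_MAGIC + b"\0" * 32)
        zf.writestr("note.txt", b"plain text attachment")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in triage_zip(build_sample_zip()):
        print(f"{name}: {reason}")
```

The Access check matches on file content rather than extension, so a renamed database is still reported; it does not confirm that macros are present, only that the member warrants review.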

Once a system is initially compromised, additional malware such as Taleshot and RMS, among others, is subsequently downloaded and installed.

Currently, the botnet comprises several hundred infected computers. CERT-UA anticipates a resurgence in fraud schemes utilizing remote banking systems in the near future.

