6 April 2022

CERT-UA warns of Armageddon phishing attacks targeting government agencies in Ukraine, EU



The Computer Emergency Response Team of Ukraine (CERT-UA) has issued security advisories warning of phishing attacks attributed to the Russia-linked Armageddon (aka Gamaredon, Primitive Bear) advanced persistent threat (APT) group. In two separate cases, the group launched phishing campaigns against Ukrainian government organizations and entities in the European Union.

In the attacks aimed at Ukraine, the threat actor distributed phishing emails ostensibly containing “Information on war criminals of the Russian Federation.” The emails, sent from “vadim_melnik88@i[.]ua”, contain an HTML attachment which, when opened, would ultimately infect a victim’s device with espionage malware (GammaLoad.PS1).

The malicious campaign targeting various EU government officials involved RAR archive attachments named “Assistance.rar” and “Necessary_military_assistance.rar,” both containing malicious files named “List of necessary things for the provision of military humanitarian assistance to Ukraine.lnk” and “Providing military humanitarian assistance to Ukraine.lnk.” As in the case described above, opening those files would infect a victim’s device with malware.

Armageddon has been linked to the Russian Federal Security Service and has a long history of cyberattacks against Ukraine. According to the Security Service of Ukraine, since the Russian aggression in 2014, the group has carried out over 5,000 cyberattacks and attempted to infect over 1,500 Ukrainian government computer systems.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!
