13 May 2022

Russia-linked Armageddon APT using occupied Kherson as a lure in attacks targeting Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has detected a new cyber-espionage campaign that is delivering the GammaLoad malware via phishing emails allegedly containing information related to Ukraine’s Kherson region, which has been occupied by Russia since February 2022.

CERT-UA attributes this campaign to the Russia-linked Armageddon APT (also tracked as Gamaredon, Primitive Bear, Winterflounder, or Iron Tilden), a group with a long history of conducting cyberattacks against critical infrastructure in Ukraine.

In this recent attack, the threat actor has been observed sending phishing emails with the subject ‘About holding a revenge protest campaign in Kherson!’ containing an attachment in the form of an HTM file named “Plan Kherson.htm.”

This file creates a RAR archive named “Herson.rar” on the victim’s computer containing an LNK file which, when opened, downloads and executes several additional files (precarious.xml, desktop.txt, user.txt) that in turn fetch the GammaLoad espionage tool.
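The delivery chain above (HTM attachment, RAR dropped to disk, LNK launched, follow-on downloads) is a sequence a defender can look for in endpoint telemetry. The following is an added example, not code from CERT-UA or the article: a small stage-ordered detector run over constructed sample events. The event schema and the sample paths are assumptions; only the file names come from the advisory.

```python
from dataclasses import dataclass
from typing import Dict, List

# File names quoted in the CERT-UA advisory; extend with your own telemetry.
STAGE_FILES = {"precarious.xml", "desktop.txt", "user.txt"}

@dataclass
class Event:
    ts: int        # seconds since epoch (constructed values below)
    host: str
    kind: str      # "file_open" | "file_write" | "process_start" | "net_fetch"
    path: str      # file opened/written, image launched, or URL fetched

def detect_htm_rar_lnk_chain(events: List[Event], window: int = 600) -> Dict[str, List[str]]:
    """Return {host: [paths]} for hosts where an .htm open is followed, within
    `window` seconds, by a .rar write, a .lnk launch and a fetch of a staged file.
    Stages must occur in order; an expired window resets the state machine."""
    hits: Dict[str, List[str]] = {}
    by_host: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        stage, started, seen = 0, 0, []
        for e in evs:
            low = e.path.lower()
            if stage and e.ts - started > window:   # window expired: start over
                stage, seen = 0, []
            if stage == 0 and e.kind == "file_open" and low.endswith(".htm"):
                stage, started, seen = 1, e.ts, [e.path]
            elif stage == 1 and e.kind == "file_write" and low.endswith(".rar"):
                stage, seen = 2, seen + [e.path]
            elif stage == 2 and e.kind == "process_start" and low.endswith(".lnk"):
                stage, seen = 3, seen + [e.path]
            elif stage == 3 and e.kind == "net_fetch" and low.rsplit("/", 1)[-1] in STAGE_FILES:
                hits[host] = seen + [e.path]
                break
    return hits

# Constructed sample telemetry: ws1 shows the full chain, ws2 only a benign RAR and LNK.
SAMPLE = [
    Event(1000, "ws1", "file_open", r"C:\Users\a\Downloads\Plan Kherson.htm"),
    Event(1005, "ws1", "file_write", r"C:\Users\a\Downloads\Herson.rar"),
    Event(1030, "ws1", "process_start", r"C:\Users\a\Downloads\Herson\Plan.lnk"),
    Event(1031, "ws1", "net_fetch", "http://example.invalid/precarious.xml"),
    Event(2000, "ws2", "file_write", r"C:\Users\b\Documents\photos.rar"),
    Event(2010, "ws2", "process_start", r"C:\Users\b\Desktop\Word.lnk"),
]

if __name__ == "__main__":
    for host, chain in detect_htm_rar_lnk_chain(SAMPLE).items():
        print(host, "->", " | ".join(chain))
```

Only ws1 is reported; ws2 never opens an HTM file, so its RAR and LNK activity does not complete the sequence.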

Earlier this month, security researchers reported a series of phishing attacks carried out by Armageddon against Ukrainian government organizations and entities in the European Union.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!
