13 May 2022

Russia-linked Armageddon APT using occupied Kherson as a lure in attacks targeting Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has detected a new cyber-espionage campaign that is delivering the GammaLoad malware via phishing emails allegedly containing information related to Ukraine’s Kherson region, which has been occupied by Russia since February 2022.

CERT-UA attributes this campaign to the Russia-linked Armageddon APT (also known as Gamaredon, Primitive Bear, Winterflounder, or Iron Tilden), a group with a long history of conducting cyberattacks against critical infrastructure in Ukraine.

In this recent attack, the threat actor has been observed sending phishing emails with the subject ‘About holding a revenge protest campaign in Kherson!’ and an attachment in the form of an HTM file named “Plan Kherson.htm.”

Opening this file creates a RAR archive named “Herson.rar” on the victim’s computer. The archive contains an LNK file which, when opened, downloads and executes several additional files (precarious.xml, desktop.txt, user.txt) that in turn fetch the GammaLoad espionage tool.
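The chain above starts with an HTM attachment that writes an archive to disk, which is a mail-gateway triage problem: the archive never travels as an attachment, so only the HTML itself can be inspected. The following Python script is an added example, not code from CERT-UA or from this article, of how a defender can triage such attachments. It assumes the HTM carries the archive as a base64 blob (the article does not describe the mechanism), decodes every long base64 run, checks the result against RAR and ZIP signatures, and also records `download=` attributes naming archive files and the browser APIs client-side droppers typically use. Both sample documents, the file names in them and the payload bytes are constructed; the "archive" is only the RAR signature plus filler.

```python
import base64
import binascii
import re

# Magic bytes of archive formats commonly smuggled inside HTM/HTML lures.
ARCHIVE_MAGIC = {
    "rar4": b"Rar!\x1a\x07\x00",
    "rar5": b"Rar!\x1a\x07\x01\x00",
    "zip": b"PK\x03\x04",
}

# Extensions a mail attachment should not normally offer for download.
ARCHIVE_EXTENSIONS = (".rar", ".zip", ".7z", ".iso", ".img")

# Runs of base64 text long enough to carry a file, and HTML download attributes.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
DOWNLOAD_ATTR_RE = re.compile(r'download\s*=\s*["\']?([^"\'>\s]+)', re.IGNORECASE)

# Browser APIs that client-side droppers typically use to write a blob to disk.
DROPPER_APIS = ("atob(", "new Blob(", "createObjectURL", "msSaveOrOpenBlob")


def find_embedded_archives(htm_text):
    """Decode every long base64 run and report those starting with an archive signature."""
    hits = []
    for match in BASE64_RE.finditer(htm_text):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. a long run of ordinary letters)
        for fmt, magic in ARCHIVE_MAGIC.items():
            if raw.startswith(magic):
                hits.append({"format": fmt, "size": len(raw), "offset": match.start()})
                break
    return hits


def analyze_htm(htm_text):
    """Triage one HTM attachment and return the indicators found plus a verdict."""
    archives = find_embedded_archives(htm_text)
    download_names = DOWNLOAD_ATTR_RE.findall(htm_text)
    archive_downloads = [n for n in download_names if n.lower().endswith(ARCHIVE_EXTENSIONS)]
    apis = [api for api in DROPPER_APIS if api in htm_text]
    verdict = "suspicious" if archives or archive_downloads else "clean"
    return {
        "verdict": verdict,
        "archives": archives,
        "download_names": download_names,
        "dropper_apis": apis,
    }


# Constructed sample 1: a lure offering a (fake) RAR archive through a base64 data URI.
# The payload is only the RAR4 signature plus zero filler, not a real archive.
FAKE_RAR = ARCHIVE_MAGIC["rar4"] + b"\x00" * 64
LURE_HTM = (
    "<html><body><p>Plan</p>"
    '<a href="data:application/octet-stream;base64,'
    + base64.b64encode(FAKE_RAR).decode()
    + '" download="Herson.rar">open</a></body></html>'
)

# Constructed sample 2: a benign page with an inline (fake) PNG, showing that base64
# content by itself does not trigger the verdict.
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40
BENIGN_HTM = (
    '<html><body><img src="data:image/png;base64,'
    + base64.b64encode(FAKE_PNG).decode()
    + '"></body></html>'
)

if __name__ == "__main__":
    for name, doc in (("lure", LURE_HTM), ("benign", BENIGN_HTM)):
        print(name, analyze_htm(doc))
```

The verdict keys on what the file would put on disk (an archive signature, or an archive file name in a download attribute) rather than on the presence of base64 or JavaScript alone, because inline images and ordinary scripts would otherwise generate constant false positives at a mail gateway; the API indicators are kept in the result for an analyst's context.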

Earlier this month, security researchers reported a series of phishing attacks carried out by Armageddon against Ukrainian government organizations and entities in the European Union.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man are not worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Glory to Ukraine! (Слава Україні!)
