7 August 2023

Hackers targeting Ukrainian orgs with MerlinAgent info stealer


The Computer Emergency Response Team of Ukraine (CERT-UA) is warning about a new information-stealing campaign targeting Ukraine’s government entities with the MerlinAgent malware.

The attacks were first spotted in July 2023, according to a security alert.

The new campaign involves malicious messages purportedly sent from CERT-UA that contain an attachment in the form of a CHM file named “Внутрішні кіберзагрози” (Internal Cyber Threats).

When opened, the file triggers the execution of JavaScript code and a PowerShell script that download and unzip a GZIP archive named “ctlhost.exe.tmp”, which contains an executable file (ctlhost.exe). When executed, this file downloads the MerlinAgent malware onto the compromised system.

CERT-UA is tracking this malicious activity as UAC-0154.
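
The chain described above can be hunted in endpoint telemetry. The following is an added example, not taken from the CERT-UA alert: it flags the Windows CHM viewer (hh.exe, the standard handler for .chm files) launching a script interpreter, and the ctlhost file names from the article. The event records, hosts and paths are constructed, and the record field names are assumptions.

```python
import ntpath
from collections import defaultdict

# Interpreters the CHM viewer (hh.exe) has no routine reason to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DROPPED_NAMES = {"ctlhost.exe.tmp", "ctlhost.exe"}  # file names given in the article

def base(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def classify(ev):
    """Return the chain stage an event matches, or None."""
    if ev["type"] == "process_create":
        if base(ev.get("parent_image")) == "hh.exe" and base(ev.get("image")) in SCRIPT_HOSTS:
            return "chm_spawned_interpreter"
        if base(ev.get("image")) == "ctlhost.exe":
            return "ctlhost_executed"
    elif ev["type"] == "file_create" and base(ev.get("target")) in DROPPED_NAMES:
        return "ctlhost_dropped"
    return None

def triage(events):
    """Collect matched stages per host; CHM stage plus any ctlhost stage rates 'high'."""
    stages = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage and stage not in stages[ev["host"]]:
            stages[ev["host"]].append(stage)
    return {
        host: {"severity": "high" if "chm_spawned_interpreter" in seen and len(seen) > 1 else "medium",
               "stages": seen}
        for host, seen in stages.items()
    }

# Constructed sample telemetry (hosts, users and paths are invented for the example).
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "process_create", "parent_image": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-01", "type": "file_create", "target": r"C:\Users\a\AppData\Local\Temp\ctlhost.exe.tmp"},
    {"host": "WS-01", "type": "file_create", "target": r"C:\Users\a\AppData\Local\Temp\ctlhost.exe"},
    {"host": "WS-01", "type": "process_create", "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\a\AppData\Local\Temp\ctlhost.exe"},
    {"host": "WS-02", "type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\hh.exe"},
    {"host": "WS-03", "type": "file_create", "target": r"D:\tools\ctlhost.exe"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result)
```

A file name match on its own rates only "medium" because file names are trivially changed; the parent/child relationship between the CHM viewer and an interpreter is the more durable signal.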

