Threat actors target Ukrainian government agencies in new wave of SmokeLoader attacks

CERT-UA published indicators of compromise (IoCs) related to a new malicious campaign by a financially motivated threat actor tracked as UAC-0006 targeting government entities in Ukraine. The team said that between 2 and 6 October 2023 the attackers launched at least four waves of attacks.

The SmokeLoader malware is delivered via phishing emails in the form of a ZIP archive or a PDF document. The malware’s command-and-control server is hosted in Russia, according to CERT-UA.

The cyber defenders believe that the goal of this campaign is to steal credentials such as logins, passwords and certificate keys from accounting software used by government agencies, and/or to modify banking details in financial documents in remote banking systems in order to steal money.

CERT-UA notes that between August and September 2023, UAC-0006 attempted to steal millions of hryvnias from organizations. The team didn’t say if any of these attempts were successful.

