9 October 2023

Threat actors target Ukrainian government agencies in new wave of SmokeLoader attacks



CERT-UA published indicators of compromise related to a new malicious campaign by a financially motivated threat actor tracked as UAC-0006 targeting government entities in Ukraine. The team said that between 2 and 6 October 2023 the attackers launched at least four waves of attacks.

The SmokeLoader malware is delivered via phishing emails in the form of a ZIP archive or a PDF document. The malware’s command-and-control server is hosted in Russia, according to CERT-UA.

The cyber defenders believe that the goal of this campaign is to steal credentials, such as logins, passwords and certificate keys, from accounting software used by government agencies and/or to modify banking details in financial documents in remote banking systems in order to steal money.

CERT-UA notes that between August and September 2023, UAC-0006 attempted to steal millions of hryvnias from organizations. The team didn’t say if any of these attempts were successful.

