26 February 2024

Threat actor UAC-0149 targets Armed Forces of Ukraine with Cookbox backdoor

The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a targeted cyberattack aimed at infecting computer systems used by the Armed Forces of Ukraine with the Cookbox backdoor.

According to CERT-UA, an unidentified individual used the Signal messenger to send a macro-enabled Excel workbook named “1_ф_5.39-2024.xlsm” to several military personnel, claiming to be having trouble preparing a report. The workbook contained a VBA macro that downloaded and executed a PowerShell script named “mob2002.data.”

The PowerShell script, downloaded from GitHub, modifies the Windows registry: it writes a base64-encoded payload to ‘HKEY_CURRENT_USER\SOFTWARE\Microsoft\XboxCache’, and that stored payload is what ultimately launches the Cookbox malware.

Cookbox itself is a PowerShell script with one core capability: downloading and executing additional PowerShell cmdlets supplied by its operators.
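To check a workstation for the registry-resident stage described above, here is an added example (not CERT-UA's or the article's code): a PowerShell hunt script that reads every value under HKCU\SOFTWARE\Microsoft\XboxCache, flags long strings that look like base64, and decodes them for inspection. The key path is taken from the advisory; the length threshold, the base64 regex, the UTF-16/UTF-8 decoding heuristic and the output filenames are this example's assumptions. Run it in the context of the user being investigated, since the key lives under HKEY_CURRENT_USER.

```powershell
# Added example, not code from CERT-UA or the article. Hunts for a base64-encoded
# payload stored under the registry key named in the advisory and decodes it.
# Key path is from the report; $MinLength, the regex and filenames are assumptions.
param(
    [string]$KeyPath = 'HKCU:\SOFTWARE\Microsoft\XboxCache',
    [int]$MinLength = 200
)

function Test-Base64Like {
    param([string]$Value)
    # A long, unbroken run of the base64 alphabet with optional '=' padding.
    # Short values are ignored to avoid noise from ordinary configuration strings.
    return ($Value.Length -ge $MinLength) -and ($Value -match '^[A-Za-z0-9+/]+={0,2}$')
}

function Decode-Payload {
    param([string]$Value)
    try {
        $bytes = [Convert]::FromBase64String($Value)
    } catch {
        return "<not valid base64: $($_.Exception.Message)>"
    }
    # Scripts produced with PowerShell's -EncodedCommand are UTF-16LE. If the
    # UTF-16 reading yields no run of printable text, fall back to UTF-8.
    $text = [Text.Encoding]::Unicode.GetString($bytes)
    if ($text -notmatch '[\x20-\x7E]{20,}') {
        $text = [Text.Encoding]::UTF8.GetString($bytes)
    }
    return $text
}

if (-not (Test-Path -Path $KeyPath)) {
    Write-Output "Key not present: $KeyPath"
    return
}

$key = Get-Item -Path $KeyPath
foreach ($name in $key.GetValueNames()) {
    $raw = $key.GetValue($name)
    # REG_BINARY comes back as byte[]; treat it as ASCII text for the check.
    if ($raw -is [byte[]]) { $raw = [Text.Encoding]::ASCII.GetString($raw) }
    # Strip any line breaks or spaces an actor may have inserted to defeat naive regexes.
    $value = ([string]$raw) -replace '\s', ''
    if (-not (Test-Base64Like $value)) { continue }

    $label = if ($name) { $name } else { '(Default)' }
    Write-Warning "Suspicious base64 value '$label' ($($value.Length) chars) under $KeyPath"
    $decoded = Decode-Payload $value
    # Print only the head for triage; the full decode goes to a file for offline analysis.
    Write-Output ($decoded.Substring(0, [Math]::Min(300, $decoded.Length)))
    $safeName = $label -replace '[^\w.-]', '_'
    $decoded | Out-File -FilePath ".\decoded_$safeName.txt" -Encoding utf8
}
```

An empty result is not a clean bill of health: the key name, the encoding and the storage location can all change between versions of an actor's tooling, so treat this as a quick triage check on a suspect host rather than as a detection signature. The same loop can be pointed at other keys by passing a different -KeyPath.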

For command-and-control infrastructure the operators rely on dynamic DNS services (such as gotdns.ch and myftp.biz) and on Cloudflare Workers, which makes the infrastructure cheap to rotate and awkward to block by domain alone.

CERT-UA tracks the activity as UAC-0149 and says it has been ongoing since at least autumn 2023.

Last week, Recorded Future’s Insikt Group reported that the Russia-linked Winter Vivern cyberespionage group had been exploiting a cross-site scripting (XSS) vulnerability in the popular Roundcube webmail software in a campaign targeting government, military and national-infrastructure entities across Europe, including in Ukraine, Poland and Georgia.

Separately, security researchers at ESET uncovered a disinformation campaign, dubbed “Operation Texonto,” aimed at Ukrainian speakers both inside Ukraine and abroad. The campaign uses a variety of tactics to sow doubt and spread false information among the Ukrainian population.
