18 April 2024

Ukrainian military personnel targeted via messaging apps and dating sites


Ukrainian military personnel targeted via messaging apps and dating sites

The Ukrainian CERT-UA (Computer Emergency Response Team) has identified a surge in activity from a threat actor it tracks as UAC-0184 involving attacks targeting Ukrainian military with malware delivered through popular messaging apps and dating sites.

The attacks typically involve social engineering techniques, such as enticing messages with themes like opening executive proceedings or criminal cases, videos of combat actions, or requests for acquaintance via popular platforms.

The perpetrators start communicating with military personnel, eventually sending them a file (archive) asking to help open or process it.

The threat actor employs a range of software in their malicious activities, including both commercial programs and open-source tools, including IDAT (HijackLoader, Shadowladder, Ghostpulse), RemcosRAT, Viottokeyloager, Xworm, Sigtop, and Tusc.

The UAC-0184 group is known for its targeting members of the Ukrainian Armed Forces in an attempt to gain access to their computers and steal sensitive documents and data from messaging apps.

In January, the threat actor was observed using phishing lures linked to themes of war and military operations to deploy the RemcosRAT and ReverSessh malware.


Back to the list

Latest Posts

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

Threat actors abusing Foxit PDF Reader flaw to deploy multiple malware variants

The flaw involves Foxit PDF Reader's handling of pop-up messages.
20 May 2024
China-linked APT group uses malware to spy on commercial shipping

China-linked APT group uses malware to spy on commercial shipping

Mustang Panda infiltrated the computer systems of cargo shipping companies in Norway, Greece, and the Netherlands.
20 May 2024
The Grandoreiro malware is back up and running after January disruption

The Grandoreiro malware is back up and running after January disruption

Grandoreiro now targets over 1,500 banks worldwide, spanning more than 60 countries across Central and South America, Africa, Europe, and the Indo-Pacific region.
20 May 2024