The Governmental Computer Emergency Response Team of Ukraine (CERT-UA) has reported a series of targeted cyberattacks aimed at Ukrainian government officials, military personnel, and defense industry representatives. The attacks involve the use of the DarkCrystal Remote Access Trojan (RAT), which is being distributed through the Signal messenger app.
The attackers send the malware from accounts already in the victim's contact list, or from members of groups the victim shares with them, which lends the messages credibility. The malicious communication typically includes an archive file, its password, and instructions urging the recipient to open the file on a computer.
The provided archive often contains an executable file (with extensions such as ".pif" or ".exe"), which is a self-extracting RAR archive. This archive includes a VBE file, a BAT file, and an EXE file. Once executed, the files deploy the DarkCrystal RAT on the victim's computer, granting the attacker unauthorized and hidden access to the system.
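The delivery artefact described above (an ".exe" or ".pif" that is really a self-extracting RAR carrying a VBE, a BAT and an EXE) can be triaged without running it. The following is an added example for defenders, not code from CERT-UA or from the report; it assumes the RAR 4.x on-disk block layout and uses only the member extensions the report names. It flags a file that starts with a PE header but contains an embedded RAR marker, walks the archive's block headers to list member names (which remain readable when only the data is password-protected), and reports when header encryption hides the listing altogether.

```python
"""Triage helper: detect an executable that is really a self-extracting RAR
and list the file names it carries. Added example; RAR 4.x layout assumed."""
import struct

RAR4_MARKER = b"Rar!\x1a\x07\x00"
RAR5_MARKER = b"Rar!\x1a\x07\x01\x00"
# Member extensions taken from the CERT-UA description of the delivery chain.
SUSPICIOUS_EXT = (".pif", ".exe", ".vbe", ".bat")

MHD_PASSWORD = 0x0080  # archive-header flag: all block headers are encrypted (rar -hp)
LHD_LARGE = 0x0100     # file-header flag: 64-bit sizes follow the fixed fields
LONG_BLOCK = 0x8000    # generic flag: a 4-byte ADD_SIZE follows the 7-byte header


def find_rar_marker(data: bytes) -> int:
    """Offset of the first RAR marker, or -1. A PE stub in front of it is the
    hallmark of an SFX archive."""
    for marker in (RAR4_MARKER, RAR5_MARKER):
        off = data.find(marker)
        if off != -1:
            return off
    return -1


def rar4_file_names(data: bytes, start: int):
    """Walk RAR 4.x blocks from the marker and collect member names.
    CRCs are not verified. Returns (names, headers_encrypted)."""
    names = []
    pos = start + len(RAR4_MARKER)
    while pos + 7 <= len(data):
        _crc, btype, flags, head_size = struct.unpack_from("<HBHH", data, pos)
        if head_size < 7:
            break  # malformed header, stop rather than loop forever
        if btype == 0x73:  # archive header
            if flags & MHD_PASSWORD:
                return names, True  # names are unreadable without the password
            pos += head_size
            continue
        if btype == 0x7B:  # end-of-archive block
            break
        add_size = 0
        if btype == 0x74:  # file header: fixed fields are 25 bytes after the 7-byte head
            if pos + 32 > len(data):
                break
            (pack_size, _unp, _host, _fcrc, _ftime, _ver, _method,
             name_size, _attr) = struct.unpack_from("<IIBIIBBHI", data, pos + 7)
            name_off = pos + 32
            if flags & LHD_LARGE:
                high_pack, = struct.unpack_from("<I", data, pos + 32)
                pack_size |= high_pack << 32
                name_off += 8
            raw = data[name_off:name_off + name_size]
            # Unicode names carry "ascii\0unicode"; the ASCII half is enough for triage.
            names.append(raw.split(b"\x00")[0].decode("latin-1"))
            add_size = pack_size  # packed data follows the header
        elif flags & LONG_BLOCK:
            add_size, = struct.unpack_from("<I", data, pos + 7)
        pos += head_size + add_size
    return names, False


def analyze(filename: str, data: bytes) -> dict:
    """Summarise what an attachment claims to be versus what it contains."""
    marker = find_rar_marker(data)
    is_pe = data[:2] == b"MZ"
    result = {
        "claims_executable": filename.lower().endswith((".exe", ".pif")),
        "is_pe": is_pe,
        "sfx_rar": is_pe and marker > 0,
        "headers_encrypted": False,
        "embedded_names": [],
    }
    if marker != -1 and data.startswith(RAR4_MARKER, marker):
        result["embedded_names"], result["headers_encrypted"] = rar4_file_names(data, marker)
    result["suspicious_members"] = [
        n for n in result["embedded_names"] if n.lower().endswith(SUSPICIOUS_EXT)]
    # Flag an SFX that drops scripts/executables, or one that hides its listing.
    result["flag"] = result["sfx_rar"] and bool(
        result["suspicious_members"] or result["headers_encrypted"])
    return result


def build_sample(encrypted_headers: bool = False) -> bytes:
    """Constructed test artefact, NOT a real sample: a fake PE stub followed by a
    minimal RAR 4.x archive whose members mirror the reported VBE/BAT/EXE trio."""
    def block(btype, flags, body):
        return struct.pack("<HBHH", 0, btype, flags, 7 + len(body)) + body

    def file_block(name: bytes, payload: bytes):
        fixed = struct.pack("<IIBIIBBHI", len(payload), len(payload), 0, 0, 0,
                            29, 0x30, len(name), 0x20)
        return block(0x74, 0x0004, fixed + name) + payload  # 0x0004: data is password-protected

    stub = b"MZ" + b"\x90" * 62 + b"constructed SFX stub"
    archive = (RAR4_MARKER
               + block(0x73, MHD_PASSWORD if encrypted_headers else 0, b"\x00" * 6)
               + file_block(b"install.vbe", b"\xde\xad")
               + file_block(b"start.bat", b"\xbe\xef\x00")
               + file_block(b"svc.exe", b"\x01\x02\x03\x04")
               + block(0x7B, 0x4000, b""))
    return stub + archive


if __name__ == "__main__":
    print(analyze("photo.pif", build_sample()))
```

Running it on the constructed sample reports an SFX whose members are a VBE, a BAT and an EXE; on the header-encrypted variant it reports no names but still flags the file, since an executable attachment that hides its archive listing is itself worth a closer look.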
The activity related to these cyberattacks is being tracked under the identifier UAC-0200.
CERT-UA said it has observed an increase in cyberattacks leveraging messaging apps and compromised legitimate accounts. In these scenarios, the victims are often manipulated into opening files on their computers.