The Ukrainian Government Computer Emergency Response Team (CERT-UA), in collaboration with the Ministry of Defense's Joint Response Team (MILCERT), has identified and analyzed two cyberattacks aimed at Ukrainian military personnel. The attacks involved the dissemination of messages via Signal, containing links to download APK files that were disguised as military systems Griselda and the surveillance system called “Eyes.”
In the first case, threat actors created a fake version of the official Griselda project website. Griselda is an automated system for data entry, processing, and transmission using artificial intelligence.
The site prompted users to download a “mobile version” of the Griselda application—a software that does not actually exist. Instead, the APK file contained the HYDRA malware, capable of stealing session data (HTTP Cookies), contacts, performing keylogging, and more.
In the second case, the attackers exploited a Google Drive link to distribute an APK file, which appeared to be a legitimate version of the Eyes surveillance system. However, this APK was modified to include malicious code designed to steal users' login credentials and passwords, as well as to track and transmit the GPS coordinates of the device. It is believed that the attackers added a third-party JAVA class to the legitimate software and implemented its invocation within the relevant blocks of code.
CERT-UA tracks this activity as UAC-0210.
