Russian APT28 targets government entities in Ukraine in new phishing campaign

Russian APT28 targets government entities in Ukraine in new phishing campaign

The Government Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign targeting local government entities.

The campaign, attributed to the Russian military hacking unit APT 28 aka Fancy Bear and UAC-0001, is utilizing emails with the subject line "Table Replacement" and links resembling a Google Sheets document. Upon clicking the link, users are redirected to a page mimicking a reCAPTCHA verification, attempting to trick them into executing a malicious PowerShell command.

The malicious page prompts users to click a checkbox labeled "I'm not a robot." Once clicked, a PowerShell command is copied to the user’s clipboard. The accompanying instructions urge recipients to open the Windows Run dialog with the "Win+R" keyboard shortcut, paste the command with "Ctrl+V," and press "Enter." This action would execute the PowerShell command, leading to the download and launch of a malicious HTA file named "browser.hta" and a PowerShell script "Browser.ps1."

CERT-UA warns that the primary purpose of the attack is establishing an SSH tunnel for exfiltrating data such as authentication and other sensitive information from browsers like Chrome, Edge, Opera, and Firefox. The attackers then deploy the Metasploit framework for further exploitation and system control.

The incident follows a September 2024 phishing attack in which a threat actor exploited a vulnerability in the Roundcube email client (CVE-2023-43770) to harvest authentication credentials and create a filter named "SystemHealthCheck" using the "ManageSiev" plugin. This filter redirected emails from the compromised accounts to an attacker-controlled inbox.

Both phishing attacks have been linked to a compromised command-and-control (C2) server, which was identified during investigations. CERT-UA discovered that this server facilitated access to over ten compromised government email accounts. Attackers used these accounts to automate data exfiltration and distribute phishing emails, including those containing exploits, targeting defense organizations globally.


Back to the list

Latest Posts

Coordinated brute-force campaign targets Apache Tomcat Manager interfaces

Coordinated brute-force campaign targets Apache Tomcat Manager interfaces

The campaign, first observed on June 5, involves brute-force login attempts originating from hundreds of unique IP addresses.
12 June 2025
ConnectWise rotates digital certificates due to security risks

ConnectWise rotates digital certificates due to security risks

The company said that this is a preventive action and not related to any recent security incident.
11 June 2025
Major police crackdown takes down 20K malicious IPs and domains linked to info-stealers

Major police crackdown takes down 20K malicious IPs and domains linked to info-stealers

Dubbed ‘Operation Secure’, the effort ran from January to April 2025 and targeted cybercriminal infrastructure worldwide.
11 June 2025
Popular Posts
Featured vulnerabilities
Multiple vulnerabilities in Autel Energy MaxiCharger AC Elite Business 50A
High Patched | 13 Jun, 2025
IBM Robotic Process Automation for Cloud Pak update for Babel
Low Patched | 13 Jun, 2025
IBM Robotic Process Automation for Cloud Pak update for libxml2
High Patched | 13 Jun, 2025
IBM Robotic Process Automation for Cloud Pak update for Apache Active MQ NMS
High Patched | 13 Jun, 2025
IBM Robotic Process Automation for Cloud Pak update for axios
Medium Patched | 13 Jun, 2025