Russian APT28 targets government entities in Ukraine in new phishing campaign

Russian APT28 targets government entities in Ukraine in new phishing campaign

The Government Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign targeting local government entities.

The campaign, attributed to the Russian military hacking unit APT 28 aka Fancy Bear and UAC-0001, is utilizing emails with the subject line "Table Replacement" and links resembling a Google Sheets document. Upon clicking the link, users are redirected to a page mimicking a reCAPTCHA verification, attempting to trick them into executing a malicious PowerShell command.

The malicious page prompts users to click a checkbox labeled "I'm not a robot." Once clicked, a PowerShell command is copied to the user’s clipboard. The accompanying instructions urge recipients to open the Windows Run dialog with the "Win+R" keyboard shortcut, paste the command with "Ctrl+V," and press "Enter." This action would execute the PowerShell command, leading to the download and launch of a malicious HTA file named "browser.hta" and a PowerShell script "Browser.ps1."

CERT-UA warns that the primary purpose of the attack is establishing an SSH tunnel for exfiltrating data such as authentication and other sensitive information from browsers like Chrome, Edge, Opera, and Firefox. The attackers then deploy the Metasploit framework for further exploitation and system control.

The incident follows a September 2024 phishing attack in which a threat actor exploited a vulnerability in the Roundcube email client (CVE-2023-43770) to harvest authentication credentials and create a filter named "SystemHealthCheck" using the "ManageSiev" plugin. This filter redirected emails from the compromised accounts to an attacker-controlled inbox.

Both phishing attacks have been linked to a compromised command-and-control (C2) server, which was identified during investigations. CERT-UA discovered that this server facilitated access to over ten compromised government email accounts. Attackers used these accounts to automate data exfiltration and distribute phishing emails, including those containing exploits, targeting defense organizations globally.


Back to the list

Latest Posts

ConnectWise rotates digital certificates due to security risks

ConnectWise rotates digital certificates due to security risks

The company said that this is a preventive action and not related to any recent security incident.
11 June 2025
Major police crackdown takes down 20K malicious IPs and domains linked to info-stealers

Major police crackdown takes down 20K malicious IPs and domains linked to info-stealers

Dubbed ‘Operation Secure’, the effort ran from January to April 2025 and targeted cybercriminal infrastructure worldwide.
11 June 2025
DanaBot malware dismantled after major flaw exposed operation

DanaBot malware dismantled after major flaw exposed operation

The vulnerability, dubbed ‘DanaBleed,’ stemmed from a memory leak in the malware's updated command-and-control protocol.
11 June 2025
Popular Posts
Featured vulnerabilities
Multiple vulnerabilities in Qlik Sense Enterprise for Windows
High Patched | 11 Jun, 2025
Authentication bypass in Qlik Alerting server
High Patched | 11 Jun, 2025
Stored cross-site scripting in BNS Featured Category plugin for WordPress
Low Not Patched | 11 Jun, 2025
Incorrect default permissions in Siemens Energy Services using Elspec G5DFR
High Not Patched | 11 Jun, 2025
Cleartext storage of sensitive information in Simple History plugin for WordPress
Low Patched | 11 Jun, 2025