UAC-0200 cyber spies target Ukraine’s defense industry with DarkCrystal RAT

The Ukrainian government’s Computer Emergency Response Team (CERT-UA) has observed a growing number of targeted cyberattacks against employees of the defense-industrial complex and selected representatives of the Ukrainian Armed Forces. The campaign is ongoing and the lures have been delivered over several platforms, including the popular messaging application Signal.

Throughout March 2025, CERT-UA detected malicious messages distributed on Signal, containing archived files purportedly related to meeting summaries. In some cases, these messages were sent from compromised accounts of known contacts to increase the trustworthiness of the communications.

The archives typically contain a decoy file with a ".pdf" extension alongside an executable identified as DarkTortilla. DarkTortilla is a cryptor/loader: it decrypts and executes a remote access tool (RAT), in this campaign the DarkCrystal RAT (DCRAT). DCRAT is a commodity RAT widely used by cybercriminals to gain remote control over infected systems, allowing attackers to collect sensitive data and potentially disrupt operations.
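As an added triage example (not part of the CERT-UA report or this article), the following Python flags an archive that pairs a document-looking decoy with an executable, and checks member content for the PE "MZ" header rather than trusting the file extension, so a loader renamed to ".pdf" is still caught. The archive format (ZIP), the extension lists and the sample archive contents are assumptions constructed for illustration; the fake "PE" is only a DOS-header magic, not a real executable.

```python
import io
import zipfile

# Assumed extension lists: decoy documents and payload containers commonly seen in archive lures.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
PE_MAGIC = b"MZ"  # DOS header magic at offset 0 of every Windows PE file


def _ext(name: str) -> str:
    """Return the lower-cased final extension of an archive member name ('' if none)."""
    base = name.rsplit("/", 1)[-1].lower()
    return base[base.rfind("."):] if "." in base else ""


def triage_archive(blob: bytes) -> dict:
    """Inspect an in-memory ZIP and report lure indicators.

    suspicious is set when any member starts with the PE magic, or when a
    document-looking decoy sits next to an executable-looking member.
    """
    findings = {"members": [], "decoys": [], "executables": [], "pe_by_magic": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            findings["members"].append(name)
            ext = _ext(name)
            if ext in DOCUMENT_EXTS:
                findings["decoys"].append(name)
            if ext in EXECUTABLE_EXTS:
                findings["executables"].append(name)
            # Content check: a PE renamed to ".pdf" still begins with "MZ".
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    findings["pe_by_magic"].append(name)
    findings["suspicious"] = bool(findings["pe_by_magic"]) or (
        bool(findings["decoys"]) and bool(findings["executables"])
    )
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample mimicking the described archive: a decoy PDF beside a fake PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meeting_summary.pdf", b"%PDF-1.4\n% constructed decoy, not a real document\n")
        zf.writestr("meeting_summary.exe", PE_MAGIC + b"\x00" * 62)  # header magic only
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control sample with documents only, which should not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"agenda\n")
        zf.writestr("summary.pdf", b"%PDF-1.4\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure", build_sample_lure()), ("benign", build_benign_archive())):
        result = triage_archive(blob)
        verdict = "suspicious" if result["suspicious"] else "clean"
        print(f"{label}: {verdict}; executables={result['executables']} pe_by_magic={result['pe_by_magic']}")
```

The magic-byte check is the part worth keeping in a real pipeline: extension-based rules are trivially bypassed by renaming, whereas a loader that must be run by Windows cannot hide its PE header.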

CERT-UA has tracked this activity under the identifier UAC-0200 since at least the summer of 2024. Beginning in February 2025, the phishing messages shifted to topics such as drones (UAVs), electronic warfare (EW) systems, and other sensitive military technologies.
