The Ukrainian national cybersecurity team (CERT-UA) has spotted a new wave of targeted cyberattacks since mid-September 2025, primarily aimed at Ukraine's Defense Forces and local government entities across several regions. The campaign, attributed to the threat actor group UAC-0239, leverages the OrcaC2 command-and-control framework and a custom file stealer known as Filemess.
The attackers are using emails, allegedly sent on behalf of the Security Service of Ukraine (SBU), with a lure built around the theme of countering Russian sabotage and reconnaissance groups. The phishing messages are distributed through services such as Ukr.net and Gmail and contain links or attachments leading to password-protected archives that include a Virtual Hard Drive (VHD) file.
Once mounted, the VHD file reveals an executable and decoy PDF documents. When the executable is run, it launches its payload, which includes components from OrcaC2, a multifunctional tool available on GitHub, and Filemess, a stealer designed specifically to search for and exfiltrate files.
Filemess, developed in the Go programming language, conducts a recursive search for files with specific extensions within the Desktop, Downloads, and Documents folders, as well as on logical drives D through Z. The files are hashed using the MD5 algorithm and then exfiltrated via the Telegram API. Credentials for Telegram access are obfuscated using XOR encryption and Base64 encoding. To ensure persistence, the malware creates entries in the Windows registry under the Run key.
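The XOR-plus-Base64 layer around the Telegram credentials is the kind of obfuscation an analyst peels off first when triaging a sample, because the recovered bot token and chat ID are the indicators worth blocking and reporting. The script below is an added example and not code from CERT-UA or from the malware itself; it assumes the layer is "XOR with a short repeating key, then Base64" (the report does not state the order or key length), and it uses a known-plaintext trick: the Bot API base URL `https://api.telegram.org/bot` is public, so XORing it against the start of the decoded blob yields the keystream, and the shortest period consistent across that prefix is the key. The key, the URL and the token in the sample are constructed placeholders, not values from the campaign.

```python
import base64
import re
from itertools import cycle
from typing import Optional

# Constructed sample values (NOT from the CERT-UA report); the token is a fake placeholder.
KEY = bytes([0x5A, 0x13, 0x9C, 0x07, 0x41, 0xE2, 0x2B, 0x6D])  # assumed 8-byte repeating key
SAMPLE_PLAINTEXT = (
    "https://api.telegram.org/bot123456789:EXAMPLE-TOKEN-NOT-REAL"
    "/sendDocument?chat_id=-1000000000001"
)
# Public Telegram Bot API base URL: the known plaintext every such credential string begins with.
KNOWN_PREFIX = b"https://api.telegram.org/bot"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the same operation encodes and decodes)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def obfuscate(plaintext: str, key: bytes) -> str:
    """Model of the layer: XOR with a repeating key, then Base64. Order is an assumption."""
    return base64.b64encode(xor_bytes(plaintext.encode(), key)).decode()


def deobfuscate(blob: str, key: bytes) -> str:
    """Reverse the layer once the key is known."""
    return xor_bytes(base64.b64decode(blob), key).decode(errors="replace")


def recover_key(blob: str, known_prefix: bytes = KNOWN_PREFIX) -> Optional[bytes]:
    """Known-plaintext key recovery.

    ciphertext XOR known_plaintext == keystream; the shortest period that is
    consistent over the whole known prefix is taken as the repeating key.
    Returns None when the blob is too short to cover the known prefix.
    """
    ct = base64.b64decode(blob)
    if len(ct) < len(known_prefix):
        return None
    stream = xor_bytes(ct[: len(known_prefix)], known_prefix)
    for period in range(1, len(known_prefix) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return None


# Telegram bot tokens have the documented shape "<numeric bot id>:<secret>".
TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]+)")
CHAT_RE = re.compile(r"chat_id=(-?\d+)")  # negative IDs denote groups/channels


def extract_iocs(plaintext: str) -> dict:
    """Pull bot id, token and chat id out of the recovered URL for the incident report."""
    token = TOKEN_RE.search(plaintext)
    chat = CHAT_RE.search(plaintext)
    return {
        "bot_id": token.group(1) if token else None,
        "bot_token": f"{token.group(1)}:{token.group(2)}" if token else None,
        "chat_id": chat.group(1) if chat else None,
    }


def analyze_blob(blob: str) -> dict:
    """Full triage step: recover key, decode, extract indicators."""
    key = recover_key(blob)
    if key is None:
        return {"key": None, "plaintext": None, "bot_id": None, "bot_token": None, "chat_id": None}
    plaintext = deobfuscate(blob, key)
    return {"key": key.hex(), "plaintext": plaintext, **extract_iocs(plaintext)}


if __name__ == "__main__":
    # Build a blob the way the assumed obfuscation layer would, then recover it blind.
    blob = obfuscate(SAMPLE_PLAINTEXT, KEY)
    print(analyze_blob(blob))
```

The recovered bot ID is the value to hand to the network team: traffic to `api.telegram.org` with that `/bot<id>:` path prefix is a high-confidence exfiltration signal, and the token itself should go into the report for the provider takedown request rather than be reused for anything else.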
OrcaC2 comes with capabilities such as remote command execution, file transfers, keylogging, screenshot capture, process injection, UAC bypass, traffic tunneling, port scanning, and more. The agent component, Orca Puppet, also supports various proxy protocols (RUDP, TCP, QUIC, etc.) and traffic tunneling methods (SSH, SMB).
