The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new set of cyber attacks targeting Ukrainian institutions with information-stealing malware.
The activity is aimed at military formations, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine’s eastern border, the agency said.
The attacks involve distributing phishing emails containing a macro-enabled Microsoft Excel spreadsheet (XLSM), which, when opened, facilities the deployment of two pieces of malware, a PowerShell script taken from the PSSW100AVB (“Powershell Scripts With 100% AV Bypass”) GitHub repository that opens a reverse shell, and a previously undocumented stealer dubbed GIFTEDCROOK.
“File names and email subject lines reference relevant and sensitive issues such as demining, administrative fines, UAV production, and compensation for destroyed property,” CERT-UA said.
“These spreadsheets contain malicious code which, upon opening the document and enabling macros, automatically transforms into malware and executes without the user’s knowledge.”
Written in C/C++, GIFTEDCROOK facilitates the theft of sensitive data from web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox, such as cookies, browsing history, and authentication data.
The email messages are sent from compromised accounts, often via the web interface of email clients, to lend the messages a veneer of legitimacy, and trick prospective victims into opening the documents. CERT-UA has attributed the activity to a threat cluster UAC-0226, although it has not been linked to a specific country.
The development comes as a suspected Russia-nexus espionage actor dubbed UNC5837 has been linked to a phishing campaign targeting European government and military organizations in October 2024.
“The campaign employed signed .RDP file attachments to establish Remote Desktop Protocol (RDP) connections from victims’ machines,” the Google Threat Intelligence Group (GTIG) said.
“Unlike typical RDP attacks focused on interactive sessions, this campaign creatively leveraged resource redirection (mapping victim file systems to the attacker servers) and RemoteApps (presenting attacker-controlled applications to victims).”
It’s worth noting that the RDP campaign was previously documented by CERT-UA, Amazon Web Services, and Microsoft in October 2024 and subsequently by Trend Micro in December. CERT-UA is tracking the activity under the name UAC-0215, while the others have attributed it to the Russian state-sponsored hacking group APT29.
The attack is also notable for the likely use of an open-source tool called PyRDP to automate malicious activities such as file exfiltration and clipboard capture, including potentially sensitive data like passwords.
“The campaign likely enabled attackers to read victim drives, steal files, capture clipboard data (including passwords), and obtain victim environment variables,” the GTIG said in a Monday report. “UNC5837’s primary objective appears to be espionage and file stealing.”
In recent months, phishing campaigns have also been observed using fake CAPTCHAs and Cloudflare Turnstile to distribute Legion Loader (aka Satacom), which then serves as a conduit to drop a malicious Chromium-based browser extension named “Save to Google Drive.”
“The initial payload is spread via a drive-by download infection that starts when a victim searches for a specific document and is lured to a malicious website,” Netskope Threat Labs said. “The downloaded document contains a CAPTCHA that, once clicked by the victim, will redirect it to a Cloudflare Turnstile CAPTCHA and then eventually to a notification page.”
The page prompts users to allow notifications on the site, after which the victims are redirected to a second Cloudflare Turnstile CAPTCHA that, upon completion, is redirected again to a page that provides ClickFix-style instructions to download the document they are looking for.
In reality, the attack paves the way for the delivery and execution of an MSI installer file that’s responsible for launching Legion Loader, which, in turn, performs a series of steps to download and run interim PowerShell scripts, ultimately adding the rogue browser extension to the browser.
The PowerShell script also terminates the browser session for the extension to be enabled, turns on developer mode in the settings, and relaunches the browser. The end goal is to capture a wide range of sensitive information and exfiltrate it to the attackers.
