Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a warning about a sophisticated phishing campaign targeting defense companies and the country’s security forces. The attacks, attributed to the Russia-linked group UAC-0185 (UNC4221), use deceptive emails designed to mimic official correspondence from the Ukrainian League of Industrialists and Entrepreneurs. These emails falsely advertise a conference in Kyiv, purportedly focused on aligning domestic defense products with NATO standards, to lure recipients into engaging with malicious links.
The phishing emails contain URLs that claim to provide “important information” about the conference. Clicking one of these links instead downloads a Windows shortcut (LNK) file, which starts a chain of malicious activity. The shortcut runs an HTML Application (HTA) file with embedded JavaScript, and that JavaScript executes PowerShell commands to fetch further payloads. These payloads include decoy files, ZIP archives, batch scripts, and an executable that installs MeshAgent, a legitimate remote-management agent, giving the attackers remote control of the compromised systems.
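The chain above (shortcut file, then mshta.exe running an HTA, then PowerShell, then a batch script) leaves a recognisable parent/child process pattern in endpoint telemetry. The following is an added detection example written for this article; it is not code from CERT-UA or from the reporting it summarises. It runs over a small set of constructed Sysmon-style process-creation records (pid, parent pid, image name, command line) and flags any shell whose process ancestry contains a script host such as mshta.exe. The field names, sample paths and the `<base64>` placeholder are assumptions for the example, not indicators from the campaign.

```python
"""Flag shells (PowerShell, cmd) spawned beneath a script host such as mshta.exe.

Added example for the LNK -> HTA -> PowerShell chain described in the article.
The events below are constructed Sysmon-style records, not real telemetry.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed field names)."""
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


# Constructed sample telemetry: one benign PowerShell launch (pid 400) and one
# chain matching the article (explorer -> mshta -> powershell -> cmd).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(201, 100, "winword.exe", "winword.exe agenda.docx"),
    ProcEvent(300, 100, "mshta.exe",
              'mshta.exe "C:\\Users\\user\\Downloads\\conference.hta"'),
    ProcEvent(301, 300, "powershell.exe",
              "powershell.exe -nop -w hidden -enc <base64>"),  # placeholder payload
    ProcEvent(302, 301, "cmd.exe", "cmd.exe /c run.bat"),
    ProcEvent(400, 100, "powershell.exe", "powershell.exe -File backup.ps1"),
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def build_index(events: list[ProcEvent]) -> dict[int, ProcEvent]:
    """Index events by pid so parents can be looked up in O(1)."""
    return {e.pid: e for e in events}


def ancestry(event: ProcEvent, index: dict[int, ProcEvent]) -> list[ProcEvent]:
    """Return the parent chain of `event`, nearest parent first.

    A `seen` set guards against pid cycles, which can occur when pids are
    reused within the observed window.
    """
    chain: list[ProcEvent] = []
    seen: set[int] = set()
    cur = index.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain


def find_script_host_shell_chains(events: list[ProcEvent]) -> list[tuple[int, int, list[str]]]:
    """Return (shell_pid, script_host_pid, ancestor_images) for every shell
    process that has a script host somewhere above it in the process tree."""
    index = build_index(events)
    findings = []
    for e in events:
        if e.image not in SHELLS:
            continue
        parents = ancestry(e, index)
        for anc in parents:
            if anc.image in SCRIPT_HOSTS:
                findings.append((e.pid, anc.pid, [p.image for p in parents]))
                break
    return findings


if __name__ == "__main__":
    for shell_pid, host_pid, path in find_script_host_shell_chains(SAMPLE_EVENTS):
        print(f"shell pid {shell_pid} under script host pid {host_pid}: {' <- '.join(path)}")
```

On the constructed sample this reports pids 301 and 302 (the PowerShell and the cmd.exe it spawns) with mshta.exe pid 300 as the script host, and leaves the directly launched backup script alone. In production telemetry the lookup should key on a process GUID rather than a raw pid, since pids are reused, and the hit should be enriched with the script host's command line (the HTA path) and the shell's arguments, which is where the downloaded payload stages become visible.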
CERT-UA reported that the attackers aim to steal credentials from popular messaging applications like Signal, Telegram, and WhatsApp, as well as from military systems such as DELTA, Teneta, and Kropyva. The campaign also involves targeted attacks on the computers of employees within defense companies and members of Ukraine’s security forces. These activities are believed to support Russia’s efforts to gather battlefield-relevant intelligence and disrupt Ukrainian military operations.
This phishing campaign is part of a broader trend of cyber threats linked to UAC-0185, a group known for using Android malware and phishing operations disguised as military applications. According to Google-owned Mandiant, which highlighted the group’s activities earlier this year, their operations have consistently targeted Ukraine’s critical infrastructure and military systems. CERT-UA is urging heightened vigilance and robust cybersecurity measures to counter this ongoing threat.