The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about new cyberattacks targeting Ukrainian institutions. These attacks primarily target military formations, law enforcement, and local self-government bodies, especially those near the eastern border. The attackers distribute phishing emails that contain macro-enabled Excel files. Once opened, the files deploy two types of malware: a PowerShell script and a new data-stealing malware called GIFTEDCROOK.
GIFTEDCROOK, written in C/C++, steals sensitive data from web browsers like Chrome, Edge, and Firefox.
It captures cookies, browsing history, and authentication data. The phishing emails come from compromised accounts, making the messages look legitimate. CERT-UA has attributed this activity to a threat cluster called UAC-0226, though the specific country behind the attacks remains unclear.
In addition to these attacks, a Russian-linked espionage actor named UNC5837 has been connected to phishing campaigns targeting European government and military organizations. This campaign used signed Remote Desktop Protocol (RDP) files to establish connections with victim machines. Unlike typical RDP attacks, UNC5837 leveraged resource redirection and RemoteApps to control victim systems.
These methods allowed attackers to exfiltrate files and capture clipboard data, including passwords.
Another recent phishing campaign utilized fake CAPTCHAs and Cloudflare Turnstile to deliver a malware payload called Legion Loader. This drive-by download infection starts when victims search for specific documents and are redirected to malicious websites. The attacker uses a fake CAPTCHA to trick the victim into allowing notifications. Once completed, the malware is delivered, ultimately installing a rogue browser extension that captures and exfiltrates sensitive data from victims.
