Ukraine Phishing Campaign (Trojan) – Malware

February 12, 2025
in Malware

Ukraine Phishing Campaign

Type of Malware

Trojan

Country of Origin

Russia

Targeted Countries

Ukraine

Date of Initial Activity

2024

Associated Groups

UAC-0198

Motivation

Cyberwarfare

Attack Vectors

Phishing

Targeted Systems

Windows

Overview

On August 12, 2024, Ukraine’s government computer emergency response team, CERT-UA, raised an alarming cybersecurity warning regarding a widespread phishing campaign that has been targeting Ukrainian government entities and local authorities. This campaign, which appears to be an attempt to gain unauthorized access to sensitive government systems, involves emails masquerading as communications from the Security Service of Ukraine (SSU). The emails contain a link leading to a malicious file named “Documents.zip,” which, when opened, triggers the download and execution of a Remote Access Trojan (RAT) known as ANONVNC, a modified version of the MESHAGENT malware.

Targets

  • Individuals
  • Information
  • Public Administration

How they operate

At the core of this phishing campaign is a social engineering technique that preys on the trust of Ukrainian government personnel. The malicious email, appearing to be sent from an official SSU address, entices recipients to click on a link. This link directs the user to a cloud storage service, where they are prompted to download a compressed file named “Documents.zip.” This file, once opened, reveals an MSI file (e.g., “Scan_docs#40562153.msi”), which is executed on the target machine. The MSI installer contains the malicious payload, which, when run, installs ANONVNC (MESHAGENT) malware on the system.

ANONVNC, like its precursor MESHAGENT, is a remote access tool that facilitates hidden, unauthorized access to compromised machines. It is capable of creating a secure, persistent backdoor into infected systems, allowing attackers to monitor and control the device remotely. Upon execution, the malware generates a configuration file formatted similarly to MESHAGENT, suggesting that the threat actors may have borrowed or modified open-source code available on GitHub. The configuration file allows the malware to establish communication with the attacker’s command-and-control (C2) servers, typically hosted on domains like “hiddenvnc.com” and “anonvnc.com.”

Once the malware is installed, it can execute a variety of functions to maintain persistence on the system. It drops malicious executables into critical system directories, such as the Start Menu and Program Files, ensuring that the malware is executed every time the system is rebooted. For example, the malware may place a file named “32x.exe” in the “%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup” folder, ensuring it is launched on system startup. Furthermore, ANONVNC has the ability to hide its presence by using legitimate-looking file names and creating decoy processes, making it difficult for standard antivirus or endpoint protection software to detect.
The threat actors behind this campaign appear to have gone to great lengths to obscure their operations, utilizing cloud-based file hosting services like pCloud to distribute the malware and using domains registered under anonymous services like Cloudflare to hide their true identities. This tactic complicates the detection of the malicious infrastructure, as legitimate cloud services and trusted domain providers are frequently used to mask the origin of the attack. The malware’s communication with its C2 servers over encrypted channels (such as HTTPS) further adds to the complexity of detection, making it more difficult for traditional network monitoring systems to identify and block the malicious traffic. In addition to the ability to maintain persistence and remote access, ANONVNC allows attackers to exfiltrate data from infected systems. This can include sensitive documents, credentials, or other critical government information. The malware’s covert nature and ability to bypass traditional security mechanisms underscore the growing threat of advanced persistent threats (APT), particularly in conflict zones like Ukraine, where state-sponsored cyberattacks are a frequent concern.  
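The persistence artifact and the C2 domains described above give a defender two concrete things to hunt for: an executable dropped into the all-users Startup folder, and DNS or proxy lookups for the domains the article names. The script below is an added example, not code from CERT-UA or CyberMaterial. It uses only the indicators the page itself lists (hiddenvnc.com, anonvnc.com, 32x.exe, Documents.zip, Scan_docs#40562153.msi); the log lines and directory listing are constructed, and the "any .exe sitting directly in a Startup folder" heuristic is a generalization beyond the page that flags items for review rather than declaring them malicious.

```python
"""Hunt for the ANONVNC/MESHAGENT indicators named in this profile.

Added example, not CERT-UA's or CyberMaterial's code. Indicators are
limited to those the page states; sample inputs are constructed.
"""
import re
from dataclasses import dataclass

# C2 domains named on the page. Subdomains of these are matched too.
C2_DOMAINS = {"hiddenvnc.com", "anonvnc.com"}

# File names from the delivery chain and the persistence step.
DROPPED_FILES = {"documents.zip", "scan_docs#40562153.msi", "32x.exe"}

# All-users Startup folder the page says the dropper is written to.
STARTUP_DIR = r"%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup"

# Loose hostname matcher for free-form log lines (letters required in the TLD,
# so dotted IPv4 addresses are not picked up).
HOST_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,})\b", re.I)


@dataclass
class Finding:
    source: str     # "dns", "startup" or "startup-exe" (heuristic)
    indicator: str  # what matched
    evidence: str   # the log line or path it came from


def domain_matches(host: str) -> bool:
    """True if host is a C2 domain or a subdomain of one.

    Normalises case and a trailing dot, and requires a label boundary so
    that look-alikes such as 'notanonvnc.com' do not match.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def hunt_dns(lines):
    """Return one Finding per log line that resolves a C2 domain."""
    findings = []
    for line in lines:
        for host in HOST_RE.findall(line):
            if domain_matches(host):
                findings.append(Finding("dns", host.lower(), line))
                break  # one finding per line is enough
    return findings


def hunt_startup(entries):
    """entries: iterable of (directory, filename) from a Startup-folder listing.

    Known dropped names are reported as 'startup'; any other .exe placed
    directly in a Startup folder is reported as 'startup-exe' for review
    (assumption: legitimate Startup items are normally shortcuts, not EXEs).
    """
    findings = []
    for directory, name in entries:
        path = f"{directory}\\{name}"
        if name.lower() in DROPPED_FILES:
            findings.append(Finding("startup", name, path))
        elif name.lower().endswith(".exe") and directory.lower().endswith("startup"):
            findings.append(Finding("startup-exe", name, path))
    return findings


# Constructed sample data (not captured traffic or a real host listing).
SAMPLE_DNS = [
    "2024-08-12T09:14:02Z client=10.0.0.5 query=A name=hiddenvnc.com",
    "2024-08-12T09:14:03Z client=10.0.0.5 query=A name=updates.anonvnc.com",
    "2024-08-12T09:15:10Z client=10.0.0.7 query=A name=www.gov.ua",
    "2024-08-12T09:16:00Z client=10.0.0.9 query=A name=notanonvnc.com",
]
SAMPLE_STARTUP = [
    (STARTUP_DIR, "32x.exe"),
    (STARTUP_DIR, "desktop.ini"),
    (r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup", "OneDrive.lnk"),
]


def run_hunt(dns_lines=SAMPLE_DNS, startup_entries=SAMPLE_STARTUP):
    """Run both hunts and return the combined list of findings."""
    return hunt_dns(dns_lines) + hunt_startup(startup_entries)


if __name__ == "__main__":
    for f in run_hunt():
        print(f"[{f.source}] {f.indicator}: {f.evidence}")
```

On a real host the Startup entries would come from a directory listing of the expanded `%PROGRAMDATA%` path, and the DNS lines from the resolver or proxy logs; the matching logic stays the same. Because the page notes that C2 traffic runs over HTTPS, the DNS query is the most reliable network-side hook for these domains.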
References:
  • UAC-0198: Mass distribution of ANONVNC (MESHAGENT) among Ukrainian government organizations (CERT-UA#10647)
Tags: ANONVNC, CERT-UA, Malware, MeshAgent, Phishing, Russia, Trojans, UAC-0198, Ukraine, Ukraine Phishing Campaign, Windows