CERT-UA

UAC-0001 (aka #APT28 or #FancyBear) exploits CVE-2026-21509 to target Ukraine and EU with COVENANT framework. Details (UA only): cert.gov.ua/article/6287250

Mid. confidence UAC-0190 (aka #VoidBlizzard or #LaundryBear) disguising as 'charitable foundations' to target Ukraine's Security and Defense Forces with Python-based PLUGGYAPE backdoor. Details (UA only): cert.gov.ua/article/6286942

UAC-0099's new tools: MATCHBOIL, MATCHWOK, DRAGSTARE Details: cert.gov.ua/article/6284949 (UA only)

New activity UAC-0001 (#APT28): #espionage using #BEARDSHELL and #SLIMAGENT Details: cert.gov.ua/article/6284080 (UA only)

Russian cyber operations: attack automation, espionage against the defense sector, and new tactics. Analysis for the Second Half of 2024 from CERT-UA. Read and download report 👉 bit.ly/42yWN0X

New activity UAC-0226: #espionage using #GIFTEDCROOK and #PowerShell reverse shell Details: cert.gov.ua/article/6282946 (UA only)

UAC-0219: Cyber Espionage using #PowerShell #stealer #WRECKSTEEL Details: cert.gov.ua/article/6282902 (UA only)

UAC-0173 targets notaries. Again Details: cert.gov.ua/article/6282536 (UA only)

UAC-0212 (subcluster of #Sandworm) targets transport and energy Details: cert.gov.ua/article/6282517 (UA only)

@smica83 @JAMESWT_MHT UAC-0050

#DarkPink infrastructure possibly used against #UKR LNK (using SMB mount): bazaar.abuse.ch/sample/330d36e… IoC: 77.105.161(.)194 @JAMESWT_MHT @_CERT_UA IP is now serving #Remcos RAT / C2: 101.99.94(.)69 Mutex: Rmc-UP4CTA

UAC-0125 (Sufficient confidence level #Sandworm) attack with fake Army+ application. Details: cert.gov.ua/article/6281701 (UA only)

New TTPs of UAC-0099 #LONEPAGE #WinRar #Malware Details: cert.gov.ua/article/6281681 (UA only)

UAC-0050 engages in fincrime using LITEMANAGER. Details: cert.gov.ua/article/6281202 (UA only)

3/4 LonePage?

1/4 #UAC0099 New sample ZIP containing 3 LNK files + .NET EXE: facf500f0bf6b30e5309f5714f9f4238 51e3ca874009e9f41df3931470f518079728bbf1 cd6159681a89ab30d99894b08ff8a8ccca774fb3ca3ef2702757e2eb74758868 @_CERT_UA @SSSCIP @JAMESWT_MHT

Moderate confidence UAC-0001 (#APT28) PowerShell in clipboard, METASPLOIT, Roundcube vulnerability and more. Details in new post: cert.gov.ua/article/6281123

CERT-UA in collab w/ @MsftSecIntel investigated UAC-0024 (susp. #Turla) using CAPIBAR & KAZUAR to target UA GOV entities. Details: cert.gov.ua/article/5213167 (UA only)

@cyber__sloth Here is brief blog: cert.gov.ua/article/5105791 (UA only). Thanks @cyber__sloth, @BushidoToken

Interesting #phishing campaign that uses browser-in-the-browser technique and targets users of ukr.net. Possible #russian #APT targeting #ukraine. The sample was uploaded from UA. C2: 62.4.36[.]126:8880 hash: cef772f121afb26a057b7232bba6bc94

Recorded Future’s Insikt Group in collaboration with @_CERT_UA, has detected a campaign exploiting vulnerable Roundcube servers in #Ukraine, cross-correlated with a spearfishing campaign uncovered by Recorded Future’s Network Traffic Intelligence.

Thrilled to see our very first partner in Ukraine @_CERT_UA in Kyiv last week. Their work on unmasking threat actors, publishing deep reports on malware/ TTPs, and being an incredible sharer of intelligence is a role model for all national CERTs around the world - thank you @VZhora+team!

UAC-0063 to #cyberespionage against UA,KZ,KG,TJ,IN,IL using VBScript encoded loader HATVIBE, C++ file stealer STILLARCH (aka DownEx) as well as PyArmor/Themida-protected keylogger LOGPIE and backdoor CHERRYSPY. Details: cert.gov.ua/article/4697016 (UA).