Digital Security Lab Ukraine

Threat actors are adapting @signalapp phishing campaigns: Ukrainian users now receive messages allegedly from Signal about “mandatory 2FA” due to ongoing attacks. No codes are requested yet – this is a trust-building step before attempts to steal login codes and hijack accounts.

IOCs: Domains: www[.]saas[.]successint[.]org pub-f2449c7fa66a473db1ad9323672392cf[.]r2[.]dev rushdayz[.]com URL paths: /pta/grd /index.html?eta= /z/api.php?action=save

🔎 New analysis of a credential phishing campaign It leverages domain-adaptive infrastructure to evade detection and increase the success rate of account compromise. Details: dslua.org/publications/a…

IOCs: 🔺Domains: ln[.]run badge-verified0903261[.]vercel[.]app 🔺URLs: hxxps://ln[.]run/badge-verified0903261 hxxps://badge-verified0903261[.]vercel[.]app/index1[.]html Detailed analysis and more IOCs: dslua.org/publications/m…

Large-scale phishing attacks keep evolving, abusing trusted platforms like Google, Cloudflare, Vercel, and Telegram. Pre-built kits enable massive scaling. A new “Meta Verified” tactic steals credentials and bypasses 2FA in real time via Telegram exfiltration.

SHA-256: 4362f67ab65cca32fb610e62745aac7d8587a7bac46e5a6c89db8b4a9c7e9458 f78944a2699b21fb34fc9c1c7c0ae7ca16c709bf72cbc15ad0cdaa66bec8d1bd ad8a491018f5c5edecfc75ec3a3627aa04a26019ce87c8f236bb400ec35c3244 a0e709c0df0e38b30a2283dc5c1667c852d212952cc4db18c364d35a70ca0c96

IOCs: 46.4.92[.]6 64.20.61[.]146 pixeldrain[.]com id[.]remoteutilities[.]com Payload: Remote Utilities rutserv.exe, rfusclient.exe

Today we observed an active phishing campaign linked to Russia-aligned threat actors. Emails impersonated Ukrainian government institutions and delivered malicious attachments. The campaign is aimed at infecting Windows endpoints and establishing persistent remote access.

Find more domains on @ValidinLLC : CERT_FINGERPRINT-HOST: 1fa3e6f0a65b7429219022eee3a7976f6761aba0 HOST-JARM: 27d27d27d00027d00042d43d00041df04c41293ba84f6efe3a613b22f983e6

https://support-958[.]ubpages[.]com/2dc0e7fc-1/ More IOCs: pastebin.com/07nZKT9u

DSLU is tracking a phishing campaign targeting Facebook accounts. Attackers are abusing Meta Business Suite invites and using two attack vectors: a link to a phishing website and a link prompting users to join a fake Facebook page.

👉 More IOCs: pastebin.com/EgQAM4Lw 👉 Track IOCs in VT: entity:domain ukr-one.* AND jarm:"00000000000000000042d43d00041da8040ca1d7d1b3e955a3535eb361ef06"

👉 IOCs: ukr-one[.]ors-oc[.]info ukr-one[.]connect-all[.]org ukr-one[.]2dotz[.]org ukr-one[.]naturalbd[.]org ukr-one[.]seateur[.]info ukr-one[.]mirrisunkov[.]cyou

⚠️ Attackers are using hacked Telegram accounts to spread fake invitations to “vote for kids in a drawing contest.” The links lead to phishing sites stealing account credentials.

🚨 Six months of prep. One day targeting Ukraine’s humanitarian networks including individuals from the @ICRC, @UNICEF, and @NRC_Norway. New from @LabsSentinel and the @DSLab_Ukraine: A one-day spearphishing operation — PhantomCaptcha — that targeted humanitarian organizations in Ukraine using a fake Cloudflare captcha page to deliver a WebSocket RAT. s1.ai/pcapt

SentinelLABS, together with Digital Security Lab of Ukraine, has uncovered a coordinated spear-phishing campaign targeting organizations critical to Ukraine’s war relief efforts. sentinelone.com/labs/phantomca…

4/ The PhantomCaptcha campaign highlights a highly capable adversary collecting intelligence on humanitarian and reconstruction operations in Ukraine. ➡️ Full details in report: bit.ly/4hluj0m

3/ Despite six months of preparation, the attackers’ infrastructure was active for only one day – reflecting meticulous planning, compartmentalized setup, and strong operational security.

🚨 @SentinelLabs, together with the Digital Security Lab of Ukraine, has uncovered a coordinated spearphishing campaign targeting members of the Red Cross, Norwegian Refugee Council, UNICEF, and other NGOs supporting Ukraine, as well as regional government officials.