Invoice-themed phishing campaign and destructive attacks are targeting a Ukrainian government organization

Ukraine’s Cybersecurity and Infrastructure Security Agency (CERT-UA) has issued an alert warning of an ongoing phishing campaign targeting Ukrainian organizations using invoice-themed lures. The phishing campaign, which is attributed to a financially motivated group known as UAC-0006, aims to distribute the SmokeLoader malware according to CERT-UA.

Invoice-themed phishing campaign distributing SmokeLoader malware

The phishing emails, sent using compromised accounts, come with a ZIP archive containing a JavaScript file. The JavaScript code is used to launch an executable that paves the way for the execution of the SmokeLoader malware. Once installed, SmokeLoader downloads additional malware such as password stealers and other banking Trojans.

CERT-UA has attributed the activity to UAC-0006, a group that has previously distributed various types of malware, including ransomware and banking Trojans. The agency recommends that organizations remain vigilant and take necessary precautions to protect against this ongoing threat.

UAC-0165: Group’s Destructive Attacks Against Ukrainian Public Sector Organizations

In addition to the SmokeLoader malware campaign, CERT-UA has also revealed details of destructive attacks orchestrated by UAC-0165, a group accused of targeting Ukrainian public sector organizations. These attacks, which have been characterized as having a high level of sophistication, aim to cause significant damage to targeted systems and networks. In the latest attack, which targeted an unnamed state organization, the attackers used a new batch script-based wiper malware called RoarBAT.

RoarBAT is a destructive tool designed to overwrite files with zero bytes, rendering them unusable. Simultaneously, the attackers used a bash script to compromise Linux systems using the dd utility. The result was impaired operability of electronic computers, according to CERT-UA.

CERT-UA has attributed UAC-0165 with moderate confidence to the notorious Sandworm group, which has been linked to several high-profile attacks, including the Ukraine power grid outage in 2015. Sandworm is a Russian state-sponsored group known for its aggressive cyber campaigns targeting government organizations, critical infrastructure, and industrial sectors.

CERT-UA has issued a warning regarding APT28’s targeting of Ukrainian government entities

This alert comes a week after CERT-UA cautioned Ukrainian government entities about phishing attacks carried out by the Russian state-sponsored group APT28. According to the agency, these attacks aim to steal login credentials and other sensitive information from government officials.

APT28, also known as Fancy Bear, is a sophisticated hacking group with links to Russian military intelligence. The group has previously been accused of several attacks, including the 2016 Democratic National Committee hack, the 2018 Pyeongchang Winter Olympics cyber-attack, and the 2017 French election hack.

The recent alerts from CERT-UA highlight the growing cyber threats faced by Ukrainian organizations and government entities. As cyber threats become more sophisticated and complex, organizations must remain vigilant and take necessary cybersecurity measures to protect their systems, networks, and sensitive information. These measures include regular software updates, employee training on identifying and reporting phishing attacks, and the implementation of advanced threat detection and response capabilities. By taking proactive cybersecurity steps, Ukrainian organizations can better protect themselves against these ongoing threats.

Explore more

Ethereum Uses AI Swarms to Proactively Patch Network Flaws

The architectural integrity of global decentralized networks has reached a pivotal juncture where the speed of malicious exploitation often outpaces the traditional cadence of human-led security audits. To address this widening gap, The Ethereum Foundation has fundamentally transitioned its security strategy from a reactive model to an automated, proactive defense paradigm that leverages the power of machine learning. This shift

How Is ERP Modernization Driving DLA to Audit Readiness?

The Defense Logistics Agency currently manages an intricate global supply chain that serves as the backbone for the United States military, requiring an unprecedented level of financial precision and operational transparency to meet modern oversight requirements. This massive undertaking involves a transition from aging, siloed legacy systems to a unified Enterprise Resource Planning environment designed to provide real-time visibility into

What Makes Odyssey Infostealer a Global Threat to macOS?

The long-standing myth that macOS remains immune to sophisticated cyberattacks has been decisively shattered by the emergence of the Odyssey infostealer, a highly specialized malware variant engineered to bypass modern system integrity protections. This transition represents a fundamental shift in the threat landscape, where the historical security-by-obscurity advantage once enjoyed by Apple users has entirely vanished. As the adoption of

Can AI Secure Windows Without Compromising Stability?

The sheer scale of modern software development has reached a point where manual code review is no longer sufficient to protect the billions of devices running Windows across the globe. As lines of code multiply and interdependencies become more complex, traditional security measures are struggling to keep pace with the rapid evolution of sophisticated digital threats. In response to this

Xero Launches JAX to Redefine Accounting with Agentic AI

Small business owners have historically spent an exhausting amount of time tethered to spreadsheets and receipts, but the emergence of agentic AI is finally turning those static records into a living, breathing financial command center that operates with minimal human oversight. With more than five million global subscribers now integrated into its ecosystem, Xero is spearheading a movement toward Accountable