Oleh Onopriienko, Hot News
3 March 2026, 14:43
Hostile hackers are attacking Ukrainians with fake letters from the authorities demanding they update popular apps
Since the beginning of the year, CERT-UA specialists have recorded mass mailing of emails allegedly on behalf of central executive authorities and regional administrations.
The government's computer emergency response team CERT-UA under the State Service for Special Communications has warned of a new wave of cyberattacks. In these messages, attackers urge users to urgently "update" mobile applications of widely used civilian and military systems.
How the infection scheme works
The attack, tracked under the identifier UAC-0252, is carried out through two main scenarios:
Dangerous archive: The email contains an attachment with an executable file (EXE). Running it immediately infects the system with malware.
Vulnerable link: The email contains a link to a legitimate website that is vulnerable to XSS (Cross-site scripting).
Visiting such a site activates hidden JavaScript code that automatically downloads a virus to the victim's computer. The hackers host their scripts and executables on GitHub to avoid being blocked by antivirus software.
Example of an infection chain
During January and February, experts confirmed that the hackers used several malicious programs at once:
SHADOWSNIFF (data stealer downloaded from GitHub)
SALATSTEALER (Malware-as-a-Service information theft program)
DEAFTICK (a primitive backdoor written in Go)
In addition, while researching repositories on GitHub, experts discovered a ransomware program (working title "AVANGARD ULTIMATE v6.0"), as well as an archive with a ready-made exploit for a vulnerability in the popular archiver WinRAR (CVE-2025-8088).
A detailed study of the tools and attack methods allowed CERT-UA specialists to link this activity to a hacker group whose activities are publicly covered in the Russian Telegram channel "PalachPro".
As a reminder, dev.ua spoke with Alerts Bar CEO Dmytro Ashkinazi, who told us how the market for stolen data on the darknet currently works and why 80% of it is caused by infostealers.