Cybercriminals created fake Army+ application sites: they use malware to access computers through the Tor network

Hackers, likely linked to the Russian group Sandworm, are trying to gain access to the computers of Army+ app users. Here's what you need to know about the attackers' actions to avoid getting infected with malware.

CERT-UA cyber experts have received information about an active cyberattack targeting Army+ users. The attackers have created a number of fake websites that mimic the official page of the application.

How attackers operate

  • When visiting these fake sites, users are prompted to download an executable file called «ArmyPlusInstaller-v.0.10.23722.exe» (the name may change).
  • By downloading and running the file, the user unknowingly launches a program that gives attackers access to their computer.
  • The malware then establishes covert access to the computer and sends sensitive data through the Tor network, creating the opportunity for covert control of the computer.

Who is behind the attack

CERT-UA is tracking this hostile activity under the identifier UAC-0125. There is good reason to believe that this attack is related to the well-known hacker group UAC-0002 (Sandworm), which has previously carried out similar attacks. In the first half of 2024, they used Trojan files disguised as Microsoft Office programs to infect computers.
