Last week, unknown individuals carried out a targeted cyberattack on the editor of Babel, Gleb Gusev. The attackers attempted to gain full remote access to his work device using a specially designed Trojan program capable of recording sound, streaming video from the camera, and stealing confidential correspondence.
Last week, unknown individuals carried out a targeted cyberattack on the editor of Babel, Gleb Gusev. The attackers attempted to gain full remote access to his work device using a specially designed Trojan program capable of recording sound, streaming video from the camera, and stealing confidential correspondence.
This was reported by the editorial office of Babel, citing an official investigation by the government’s computer emergency response team CERT-UA, which works under the State Special Communications Service. Experts classified the incident as «Malicious program code» with the identifier CERT-UA#22689.
The hacking attempt took place on June 18, 2026. The editor received a message from an unidentified person offering to spread information about alleged abuses in one of the military units. The message included a link to a file sharing site for downloading «evidence.»
The link contained an archive called «Photos+Lists.zip» with the files «Lists.xlsm» and «Photos.docm». The documents used a blurred image as a bait, imitating screenshots of correspondence. Clicking on the image or activating macros would download a spy script to the device.
According to CERT-UA, the malware is called SKELYAAGENT. This program allows attackers to create hidden communication channels through the Cloudflare infrastructure, record keystrokes, intercept browser data, Wi-Fi passwords, and also hijack authentication sessions of popular messengers — Signal, WhatsApp, and Telegram. In addition, the software is able to silently listen to the room through the microphone and record from the webcam.
The editorial office notes that the cyberattack occurred against the backdrop of journalists' work on several sensitive investigations. One of them concerns the activities of a large unit of the Armed Forces of Ukraine’s assault forces, the name of which partially coincides with the name of the malicious script. At the same time, other versions of who ordered the crime are also being considered.
In particular, journalists mention the parallel activity of MP Yaroslav Zheleznyak, who, between June 16 and 18, published four posts on his Telegram channel with a public request regarding the media ownership structure. However, experts warn that the script name or metadata may be a deliberate «deception» aimed at misleading the victim.
CERT-UA experts add that the recorded hacking activity is local in nature and is tracked under the identifier UAC-0272. Similar attacks have been recorded since at least the end of May 2026. To mask the code, attackers intensively use artificial intelligence and leave specific text markers in the metadata, such as Ruslan4ik0^^, serva4ok, and muzhichok.
According to Article 361 of the Criminal Code of Ukraine, unauthorized interference in the operation of information systems during martial law is punishable by imprisonment for a term of 10 to 15 years. CERT-UA has now taken the necessary measures to neutralize the threat.
Recall that Ukraine is consistently at the epicenter of cyberattacks and is one of the key targets for attackers in Eastern Europe amid growing geopolitical instability in early 2026. This was stated in the first Cyber Pulse report from Mastercard, dedicated to studying the cyber threat landscape in the EEMEA region (Eastern Europe, Middle East and Africa).
