
Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

Severity: Medium
Published: Wed Oct 22 2025 (10/22/2025, 19:45:18 UTC)
Source: AlienVault OTX General

Description

A highly targeted spearphishing campaign leveraged weaponized PDFs and fake Cloudflare captcha pages to deliver a multi-stage WebSocket RAT against Ukrainian NGOs and government entities involved in war relief. The malware enables remote command execution and data exfiltration, with an additional Android malware vector using fake applications to harvest mobile data. The attackers demonstrated extensive operational security by preparing infrastructure for six months but activating it for only one day. This campaign reflects sophisticated planning, compartmentalized infrastructure, and deliberate exposure control to evade detection. Although no CVE or known exploits in the wild are reported, the threat poses significant risks to confidentiality and integrity of sensitive information. The medium severity rating reflects the complexity and targeted nature of the attack, requiring user interaction via spearphishing emails. European organizations supporting Ukraine or involved in related humanitarian efforts should be vigilant against similar tactics.

AI-Powered Analysis

AI analysis last updated: 10/22/2025, 20:01:00 UTC

Technical Analysis

This threat involves a multi-stage Remote Access Trojan (RAT) delivered through a spearphishing campaign targeting NGOs and Ukrainian government administrations engaged in war relief efforts. The attackers impersonated the Ukrainian President's Office in emails carrying weaponized PDF attachments. When a victim opened the PDF, they were redirected to a fake Cloudflare captcha page that acted as the loader for the malware payload. The final payload is a WebSocket-based RAT that establishes a persistent, encrypted communication channel with the command and control (C2) server, enabling remote command execution, system reconnaissance, credential theft, and data exfiltration. The campaign also included a mobile attack vector: fake Android applications designed to collect sensitive data from infected devices. The attackers exhibited high operational security, preparing infrastructure over six months but limiting its active use to a single day, which minimized exposure and detection risk. Indicators of compromise include multiple file hashes, IP addresses, and suspicious domains linked to the infrastructure. The campaign leverages PowerShell scripts and various Windows commands to maintain persistence and evade defenses. No CVE or public exploit is associated with it, and no widespread exploitation has been observed. The campaign's sophistication and targeting suggest a state-sponsored or highly skilled threat actor focused on intelligence gathering and disruption related to the ongoing conflict in Ukraine.

Potential Impact

For European organizations, especially NGOs, government agencies, and entities supporting Ukrainian relief efforts, this threat could lead to significant data breaches, loss of sensitive operational information, and disruption of critical humanitarian activities. The WebSocket RAT's ability to execute arbitrary commands and exfiltrate data threatens confidentiality and integrity of internal communications and documents. The mobile vector increases risk by targeting Android devices, potentially compromising personnel communications and location data. Compromise could result in loss of trust, operational delays, and exposure of strategic plans or donor information. Given the campaign's short active window and sophisticated infrastructure, detection may be difficult, increasing the risk of stealthy, prolonged espionage. European organizations with direct or indirect involvement in Ukraine-related activities are at heightened risk, potentially impacting cross-border cooperation and aid delivery.

Mitigation Recommendations

Beyond standard phishing awareness training, organizations should implement advanced email filtering with attachment sandboxing to detect weaponized PDFs and suspicious redirects. Deploy network monitoring focused on WebSocket traffic anomalies and unusual outbound connections to the malicious IPs and domains published in the pulse's indicators. Employ endpoint detection and response (EDR) solutions capable of identifying PowerShell abuse and suspicious script execution. Mobile device management (MDM) policies should restrict installation of unverified applications and enforce app vetting to prevent Android malware infection. Conduct regular threat hunting exercises using the hashes, IPs, and domains published in the pulse to identify potential compromises. Implement strict segmentation and least-privilege access to limit lateral movement if a host is infected. Incident response plans should include rapid containment and forensic analysis to address short-lived but high-impact campaigns. Collaboration with national cybersecurity centers and sharing of threat intelligence related to this campaign will improve detection and response capabilities.


Technical Details

Author: AlienVault
TLP: white
References: https://www.sentinelone.com/labs/phantomcaptcha-multi-stage-websocket-rat-targets-ukraine-in-single-day-spearphishing-operation/
Adversary: PhantomCaptcha
Pulse ID: 68f9344f3414613f13b09ef2
Threat Score: none

Indicators of Compromise

The pulse lists file hashes, IP addresses, and domains associated with the campaign infrastructure; see the SentinelOne reference above for the full indicator set.

Threat ID: 68f9361b62bc771d0f55e424

Added to database: 10/22/2025, 7:52:59 PM

Last enriched: 10/22/2025, 8:01:00 PM

Last updated: 10/22/2025, 10:52:54 PM
