Threats Tagged 'ukraine'

View all threats tagged with 'ukraine'. Filter and sort to focus on specific types of threats.

Ukraine's UAV Supply Chain Targeted With Besomar-Themed Malware Chain

A newly identified threat group, designated as GhostShell, has been conducting cyber operations against Ukraine's unmanned aerial vehicle supply chain since February 2026. The attackers employ malicious archives containing decoy documents that impersonate Besomar, a Ukrainian manufacturer of high-precision interceptor drones, to compromise defense and procurement networks. The attack chain deploys three distinct payloads: a custom backdoor (122.exe) utilizing mTLS client certificates for screen capture and command execution, an in-memory stager (update.exe) disguised as a Windows Health Service that fetches next-stage payloads via Telegram, and a proxy launcher (22.exe) that tunnels traffic through Xray Core to deploy the Vidar v2 information stealer. The targeting strongly suggests a Russian cyber operation, though analysts employ the SOLBIT framework to avoid attribution based on easily forgeable indicators.

Matryoshka #3/3: Gamaredon's Gammasteel Infostealer

This analysis examines Gamaredon's (UAC-0010, Armageddon) advanced espionage operations targeting Ukrainian government, military, and critical infrastructure. The FSB-operated group deploys GammaSteel, a sophisticated stealer that operates almost entirely from memory, uses Windows DPAPI encryption, and stores 71 distinct payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring for air-gapped systems, and real-time file surveillance. Exfiltration occurs via legitimate S3-compatible cloud storage (Tebi.io) with fallback to operator-controlled servers. The infection chain makes extensive use of VBScript for evasion, Dead Drop Resolvers on platforms like Telegram and Mastodon for C2 configuration, and bidirectional backdoor capabilities enabling arbitrary remote code execution. The infrastructure is highly automated, with servers rotated approximately every 24 hours.
