CERT-UA Warns of UAC-0173 Attacks Deploying DCRat to Compromise Ukrainian Notaries

Feb 26, 2025 | Ravie Lakshmanan | Network Security / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) issued a warning on Tuesday about renewed activity from an organized criminal group it tracks as UAC-0173, which involves infecting computers with a remote access trojan called DCRat (also known as DarkCrystal RAT).

The latest wave of attacks, according to the agency, began in mid-January 2025 and targets notaries in Ukraine.

The infection chain leverages phishing emails that claim to be sent on behalf of the Ministry of Justice of Ukraine, urging recipients to open a file that, when launched, leads to the deployment of the DCRat malware. The binaries are hosted on cloud storage services.

"Having therefore provided key access to the notary's automatic workplace, the attackers take measures to install additional equipment, in particular, RDPWRAPPER, which implements the functionality of parallel RDP classes, which, in combination with the use of the BORE utility, allows you to establish RDP links from the Internet directly to the computer," CERT-UA said.

Other tools and malware families are also used in the attacks, including FIDDLER and NMAP for network scanning, and XWorm for stealing sensitive data such as credentials and clipboard content.

Additionally, the compromised systems are used to draft and send malicious emails with the SENDMAIL console utility, spreading the attacks even further.
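The post-compromise tooling described above (RDP Wrapper, a BORE tunnel exposing RDP, NMAP scanning, SENDMAIL from a workstation) is unusual on a notary's desktop and can be triaged from process-creation telemetry. The following is an added detection example, not code from CERT-UA or this article; the process names, command lines and host names are constructed assumptions (rdpwrap.dll and RDPWInst.exe are the RDP Wrapper Library's own artifacts, the rest are matched by tool name), and a host is flagged when two or more distinct indicators appear on it.

```python
import re
from typing import Dict, List, Tuple

# Detection rules keyed to the tooling CERT-UA describes for this campaign.
# Each rule is (label, regex matched against "image cmdline"). Indicator
# names are assumptions for this example, not values from the advisory.
RULES: List[Tuple[str, re.Pattern]] = [
    ("rdp_wrapper_install", re.compile(r"rdpwrap(\.dll|\.ini)?|rdpwinst", re.I)),
    ("bore_tunnel_to_rdp", re.compile(r"\bbore(\.exe)?\b.*\b3389\b", re.I)),
    ("network_scan_nmap", re.compile(r"\bnmap(\.exe)?\b", re.I)),
    ("proxy_fiddler", re.compile(r"\bfiddler", re.I)),
    ("outbound_mail_sendmail", re.compile(r"\bsendmail(\.exe)?\b", re.I)),
]

def classify(event: Dict[str, str]) -> List[str]:
    """Return the labels of every rule that fires on one process-creation event."""
    haystack = f"{event.get('image', '')} {event.get('cmdline', '')}"
    return [label for label, rx in RULES if rx.search(haystack)]

def triage(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Collect the distinct indicator labels seen per host."""
    per_host: Dict[str, set] = {}
    for ev in events:
        for label in classify(ev):
            per_host.setdefault(ev["host"], set()).add(label)
    return {host: sorted(labels) for host, labels in per_host.items()}

def flagged_hosts(events: List[Dict[str, str]], min_labels: int = 2) -> List[str]:
    """Hosts showing at least min_labels distinct indicators: RDP exposure plus
    recon or mailing on one workstation matches the chain in the advisory."""
    return sorted(h for h, labels in triage(events).items() if len(labels) >= min_labels)

# Constructed sample events (simplified Sysmon-style process creation), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "notary-ws01", "image": r"C:\Temp\RDPWInst.exe", "cmdline": "RDPWInst.exe -i"},
    {"host": "notary-ws01", "image": r"C:\Temp\bore.exe", "cmdline": "bore.exe local 3389 --to relay.example"},
    {"host": "notary-ws01", "image": r"C:\Tools\nmap.exe", "cmdline": "nmap.exe -sn 10.0.0.0/24"},
    {"host": "notary-ws01", "image": r"C:\Tools\sendmail.exe", "cmdline": "sendmail.exe -t < letter.eml"},
    {"host": "notary-ws02", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"host": "admin-ws03", "image": r"C:\Tools\nmap.exe", "cmdline": "nmap.exe -sn 10.0.0.0/24"},
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, labels)
    print("flagged:", flagged_hosts(SAMPLE_EVENTS))
```

A single NMAP run on an admin host is reported but not flagged; the threshold keeps the rule focused on the combination of indicators rather than any one tool.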

The development comes days after CERT-UA attributed the exploitation of a now-patched security flaw in Microsoft Windows (CVSS score: 6.5) in the second half of 2024, via booby-trapped documents, to a sub-cluster within the Sandworm hacking group (aka APT44, Seashell Blizzard, and UAC-0002).

The attack chains have been discovered to execute PowerShell commands that launch additional payloads in the background, including SECONDBEST (aka EMPIREPAST ), SPARK, and a Golang loader named CROOKBAG.

The activity, attributed to UAC-0212, targeted supplier companies in Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025, with some of the attacks recorded against more than two dozen Ukrainian enterprises specializing in the development of automated process control systems (ACST), electrical works, and freight transportation.

Microsoft and at least one other security vendor, which track the threat group under a separate name, have both documented some of these attacks.
