Cyber Incident Victim: KP in Ukraine
Date: Jun 2022
Location: Ukraine
Summary
A cyberespionage campaign targeted Ukrainian state agencies and media organizations through phishing emails and text messages delivering malicious files, including HTML applications and executables. The attackers deployed malware such as LonePage, a PowerShell script that exfiltrated data via command-and-control servers, and ThumbChop, which stole information from web browsers. Additional malware variants, SeaGlow and OverJam, were also used, and tools enabling unauthorized remote access may have been installed. The operation compromised several dozen systems, facilitating data theft and creating pathways for interactive unauthorized access.
Description
Ukrainian cyber defenders identified a cyberespionage campaign active since mid-2022 that compromised "several dozen" computers used by state agencies and media organizations. The State Service of Special Communications and Information Protection, through spokesperson Volodymyr Kondrashov, publicly disclosed the campaign via a June 2023 tweet, while CERT-UA issued a formal alert the preceding day. Attackers employed phishing emails and text messages to distribute malicious HTML applications, executables, file archives, and Windows shortcuts, tricking users into installing malware designated as LonePage. This PowerShell-based malware established contact with command-and-control servers to retrieve upgrade.txt—a file containing executable commands—and exfiltrated stolen data via HTTP connections. The campaign demonstrated persistent access by deploying additional tools including the Tor browser and Secure Shell clients, enabling interactive remote control of infected systems.

The attackers expanded their capabilities by deploying ThumbChop, an information stealer targeting Chrome and Opera browsers, alongside newly identified malware variants SeaGlow and OverJam. CERT-UA confirmed the malware suite facilitated keylogging, credential theft, and unrestricted remote access to compromised Windows machines. Impact assessments revealed data exfiltration from multiple high-value targets, though the exact nature of stolen information remained unspecified. In response, CERT-UA advised restricting user permissions to execute script.exe, cscript.exe, powershell.exe, and mshta.exe to limit further exploitation. The agency contextualized this incident within broader 2022 trends, having investigated 2,194 cyber incidents that year while noting a decline in phishing volume offset by sophisticated social engineering successes. Technical analysis of LonePage and ThumbChop contributed to Ukraine’s growing malware intelligence repository developed through sustained incident response operations.
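The two behaviours the description pins down, a script host (mshta.exe, PowerShell, Windows Script Host) being used to open phishing-delivered content and LonePage fetching a command file named upgrade.txt over HTTP, both lend themselves to simple log-based detection. The following Python is an added example written for this page; it is not code from CERT-UA, from the incident record, or from any analysis of LonePage. It runs over constructed Sysmon-style process-creation events and web-proxy lines in a simple key=value layout; the host names, paths, IP address, the `.invalid` domains, the list of "delivery" parent processes, and the addition of wscript.exe alongside the binaries the advisory names are all assumptions made for the example.

```python
"""
Added example (not from the CERT-UA advisory or the incident record above):
a small detection pass over constructed log lines covering two behaviours the
description names:
  1. a script/HTA host launched by a mail client, browser, archiver or explorer,
     or pointed at a file type the campaign delivered (.hta, .lnk, archives);
  2. an HTTP GET for a file named upgrade.txt, the command file LonePage is
     described as retrieving from its command-and-control server.
All log lines, hostnames, paths and addresses below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
import re

# The advisory lists script.exe, cscript.exe, powershell.exe and mshta.exe;
# wscript.exe is added here as an assumption, being the other standard Windows
# Script Host binary.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cscript.exe", "wscript.exe"}

# Parent processes that represent a delivery channel (assumed list; tune per estate).
DELIVERY_PARENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe",
                    "explorer.exe", "winrar.exe", "7zfm.exe"}

# Lure file types named in the description. Executables are deliberately not
# matched by extension, since nearly every command line mentions an .exe; the
# parent-process check covers that delivery path instead.
LURE_EXTENSIONS = (".hta", ".lnk", ".zip", ".rar")

# Constructed sample input in a key=value layout; values with spaces are double-quoted.
SAMPLE_LOG = [
    r'EventType=ProcessCreate Computer=WS-PRESS-07 ParentImage="C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe C:\Users\ed\AppData\Local\Temp\invoice.hta"',
    r'EventType=ProcessCreate Computer=WS-PRESS-07 ParentImage="C:\Windows\System32\svchost.exe" Image="C:\Windows\System32\cscript.exe" CommandLine="cscript.exe C:\Windows\System32\slmgr.vbs /dlv"',
    r'EventType=ProcessCreate Computer=WS-PRESS-07 ParentImage="C:\Windows\explorer.exe" Image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" CommandLine="powershell.exe -w hidden -File C:\Users\ed\AppData\Local\Temp\stage.ps1"',
    'EventType=HttpRequest src=10.20.30.7 method=GET url=http://c2.example.invalid/upgrade.txt',
    'EventType=HttpRequest src=10.20.30.7 method=GET url=http://cdn.example.invalid/static/app.js',
]


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def parse_kv(line: str) -> dict:
    """Parse key=value pairs; a value may be double-quoted to contain spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path: str) -> str:
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> Optional[Alert]:
    """Rule 1: script host started from a delivery channel or given a lure file."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    if image not in SCRIPT_HOSTS:
        return None
    # Look only at the arguments, not the program name itself. This simple split
    # assumes the first token carries no spaces, which holds for these samples.
    args = cmdline.split(None, 1)[1].lower() if " " in cmdline else ""
    lure = any(ext in args for ext in LURE_EXTENSIONS)
    if parent in DELIVERY_PARENTS or lure:
        return Alert("script-host-from-delivery", ev.get("Computer", "?"),
                     f"{parent} -> {image}: {cmdline}")
    return None


def check_proxy_event(ev: dict) -> Optional[Alert]:
    """Rule 2: LonePage-style retrieval of a command file named upgrade.txt."""
    url = ev.get("url", "").lower()
    if ev.get("method", "").upper() == "GET" and url.split("?")[0].endswith("/upgrade.txt"):
        return Alert("lonepage-command-fetch", ev.get("src", "?"), url)
    return None


def scan(lines) -> List[Alert]:
    """Run both rules over a sequence of log lines and collect the alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_kv(line)
        kind = ev.get("EventType")
        alert = None
        if kind == "ProcessCreate":
            alert = check_process_event(ev)
        elif kind == "HttpRequest":
            alert = check_proxy_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run against the constructed sample, the Outlook-spawned mshta.exe, the explorer-spawned hidden PowerShell and the upgrade.txt fetch each raise one alert, while the svchost-spawned cscript.exe run of slmgr.vbs and the ordinary static-asset request do not. The explorer.exe parent rule is noisy on administrator workstations and is the one to tune first; the upgrade.txt filename is a weak indicator on its own and is best combined with the destination being outside the organisation's known update infrastructure.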
