Cyber Incident Victim: Government of Ukraine

Date: Jun 2022

Location: Ukraine

Summary

A cyberespionage campaign targeted Ukrainian state entities and media organizations through phishing emails and text messages distributing malicious files, including HTML applications and executables. The attackers deployed malware such as LonePage, a PowerShell script enabling command execution and data exfiltration, alongside ThumbChop, which stole browser data from Chrome and Opera. Two further malware variants, SeaGlow and OverJam, were also used, with potential installation of tools like Tor or Secure Shell to facilitate unauthorized remote access. The campaign compromised several dozen computers, leading to unauthorized data theft and creating pathways for interactive remote control by the threat actors.

Description

Ukrainian cyber defenders identified an ongoing cyberespionage campaign active since mid-2022, publicly warning about the threat in June 2023. The State Service of Special Communications and Information Protection reported unauthorized access to "several dozen" computers belonging to Ukrainian government agencies and media organizations. Attackers employed phishing emails and text messages to deliver malicious payloads disguised as HTML applications, executables, file archives, and Windows shortcuts. These distribution methods aimed to trick users into installing malware called LonePage, a PowerShell script designed to establish command-and-control communication. The campaign specifically targeted Microsoft Windows systems used by critical Ukrainian entities, with initial compromises occurring through social engineering tactics.

The LonePage malware contacted a remote server to retrieve an "upgrade.txt" file containing commands to execute, and exfiltrated data over HTTP. Attackers supplemented this with ThumbChop, an information stealer that targeted credentials and other data from the Chrome and Opera browsers. The operation also deployed the Tor browser and Secure Shell clients to establish persistent remote-access channels. CERT-UA additionally identified two supplementary malware variants, SeaGlow and OverJam, in use in the campaign, although their specific functions were not detailed. In response, Ukraine's computer emergency response team issued technical advisories recommending that execution of script.exe, cscript.exe, powershell.exe, and mshta.exe be restricted in order to limit the available attack vectors. The incident demonstrated continued targeting of Ukrainian infrastructure through multi-stage malware deployments combining credential theft, remote-access capabilities, and data exfiltration.
