On Tuesday, Ukraine's Computer Emergency Response Team (CERT-UA) warned of renewed activity by an organized criminal group it tracks as UAC-0173, which infects computers with the DCRat malware (aka DarkCrystal RAT).
The Ukrainian cybersecurity agency said it has observed the latest wave of attacks since mid-January 2025.
The infection chain uses phishing emails sent on behalf of the Ministry of Justice of Ukraine that urge recipients to download an executable file which, when launched, leads to the deployment of DCRat. The binary is hosted on Cloudflare's R2 cloud storage service.
"Thus, having gained initial access to the notary's automated workstation, the attackers take steps to install additional tools, in particular RDPWrapper, which implements parallel RDP session functionality and, in conjunction with other utilities, allows an RDP connection to be established from the Internet directly to the computer," CERT-UA noted.
The attacks are also characterized by the use of other tools and malware, such as Fiddler to intercept authentication data entered into public registers, Nmap for network scanning, and XWorm for the theft of sensitive data such as credentials and clipboard contents.
In addition, compromised systems are used as a conduit to craft and send malicious emails with the SENDMAIL console utility, further spreading the attacks.
The development comes days after CERT-UA attributed a subcluster within the Sandworm hacking group (aka APT44, Seashell Blizzard, and UAC-0002) to the exploitation of a now-patched security flaw in Microsoft Windows (CVE-2024-38213).
The attack chains were found to execute PowerShell commands responsible for displaying a decoy file while launching additional payloads in the background, including SECONDBEST (aka EMPYREANPAST), SPARK, and a Golang loader called CROOKBAG.
The activity, attributed to UAC-0212, targeted suppliers in Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025, among them more than two dozen Ukrainian enterprises specializing in the development of automated process control systems (APCS), electrical works, and freight transport.
Some of these attacks were also documented by StrikeReady Labs and Microsoft, the latter of which tracks the threat cluster under the name BadPilot.