The threat actor behind the GIFTEDCROOK malware has made significant updates that turn the malicious program from a basic browser-data stealer into a potent intelligence-gathering tool.
"The latest campaigns in June 2025 demonstrate GIFTEDCROOK's enhanced ability to exfiltrate a broad range of sensitive documents from targeted devices, including potentially proprietary files and secrets," Arctic Wolf Labs noted in a report published this week.
"This shift in functionality, combined with the content of its phishing lures (…), suggests a strategic emphasis on intelligence gathering from Ukrainian government and military entities."
GIFTEDCROOK was first documented in early April 2025 by the Computer Emergency Response Team of Ukraine (CERT-UA) in connection with a campaign aimed at military entities, law enforcement agencies and local self-government bodies.
The activity, attributed to a hacking group it tracks as UAC-0226, involves phishing emails carrying macro-enabled Microsoft Excel documents that act as the delivery vehicle for the stealer.
At its core, the information stealer is malicious software designed to steal cookies, browsing history and authentication data from popular web browsers such as Google Chrome, Microsoft Edge and Mozilla Firefox.
Arctic Wolf's analysis of the artifacts showed that the stealer began as a demo in February 2025 before gaining new features with versions 1.2 and 1.3.
These newer iterations add the ability to collect documents and files under 7 MB in size, specifically looking for files created or modified in the last 45 days. The malware searches for the following extensions: .Docx, .docx, .rtf, .PPTX, .PSV, .xls, .xls, …
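The file-selection criteria above (target extensions, size under 7 MB, created or modified within 45 days) are exactly what an incident responder needs to scope what a compromised host could have lost. The script below is an added example for that triage step; it is not code from the article or from Arctic Wolf. It walks a directory and lists the files that match the reported criteria, using the article's (partial) extension list lowercased plus .pdf, which the article names elsewhere; the directory tree it scans is constructed inside the script. It only judges modification time, since file creation time is not portable across filesystems, so treat its output as a lower bound on exposure.

```python
import os
import tempfile
import time
from pathlib import Path

# Selection criteria reported for GIFTEDCROOK versions 1.2/1.3.
# TARGET_EXTENSIONS is an assumption built from the article's partial list.
MAX_SIZE = 7 * 1024 * 1024          # files must be smaller than 7 MB
MAX_AGE_DAYS = 45                   # created or modified in the last 45 days
TARGET_EXTENSIONS = {".docx", ".rtf", ".pptx", ".xls", ".pdf"}


def find_exposed_files(root, now=None):
    """Return sorted relative paths under root matching the stealer's reported criteria.

    Only mtime is checked: Linux st_ctime is inode-change time, not creation time,
    so 'created in the last 45 days' cannot be evaluated portably.
    """
    now = time.time() if now is None else now
    cutoff = now - MAX_AGE_DAYS * 86400
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.suffix.lower() not in TARGET_EXTENSIONS:   # extension match is case-insensitive
            continue
        st = path.stat()
        if st.st_size >= MAX_SIZE:
            continue
        if st.st_mtime < cutoff:
            continue
        hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def _write(path, size, age_days, now):
    """Create a file of the given size and back-date its mtime by age_days (constructed fixture)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(b"x" * size)
    ts = now - age_days * 86400
    os.utime(path, (ts, ts))


def demo():
    """Build a constructed directory tree and return what the scan would flag."""
    now = time.time()
    root = Path(tempfile.mkdtemp(prefix="giftedcrook_scope_"))
    _write(root / "reports" / "q2.docx", 4096, 3, now)        # recent, small, listed ext -> flagged
    _write(root / "reports" / "old.docx", 4096, 120, now)     # older than 45 days -> skipped
    _write(root / "data" / "dump.xls", MAX_SIZE + 1, 1, now)  # not under 7 MB -> skipped
    _write(root / "notes.txt", 512, 1, now)                   # extension not in the list -> skipped
    _write(root / "slides.PPTX", 2048, 44, now)               # 44 days old, upper-case ext -> flagged
    return find_exposed_files(root, now)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

In a real engagement, point `find_exposed_files` at the user profile of the affected host (or a forensic image mounted read-only) and pass the incident time as `now` rather than the wall clock, so the 45-day window is measured from the compromise, not from when you ran the scan.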
The email campaigns use military-themed PDF lures to entice users to click a link to a Mega file-sharing repository; the infection proceeds if the recipient enables macros. Many users do not realise how common macro-enabled Excel files are in phishing attacks. They lower their guard because spreadsheets are often expected in emails that look official or government-related.
The captured information is packed into a ZIP archive and exfiltrated to a Telegram channel controlled by the attacker. If the total archive size exceeds 20 MB, it is split into several parts. By sending the stolen ZIP archives in small pieces, GIFTEDCROOK evades detection and slips past traditional network filters. In the final stage, a batch script is executed to erase traces of the stealer from the compromised host.
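The chunking described above has a network-side signature a defender can look for: one workstation making several document uploads to the Telegram Bot API within a few minutes whose sizes together exceed the 20 MB split threshold. The following is an added detection example, not code from the article or from Arctic Wolf; the log line format, hosts and source addresses are constructed, and the assumption that uploads go to the Bot API's `sendDocument` method on `api.telegram.org` is the author's (the article only says a Telegram channel). It parses the sample lines, keeps only Bot API uploads, and slides a time window over each source to find bursts that look like a split archive.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed proxy log lines (not from the article): one workstation posting three
# chunks to the Telegram Bot API within two minutes, a normal Telegram web visit,
# an unrelated large upload elsewhere, and a lone small Bot API upload hours later.
SAMPLE_LOG = """\
2025-06-10T09:14:03Z src=10.20.1.15 method=POST host=api.telegram.org path=/botXXXX:TOKEN/sendDocument bytes=19900000 status=200
2025-06-10T09:14:41Z src=10.20.1.15 method=POST host=api.telegram.org path=/botXXXX:TOKEN/sendDocument bytes=19850000 status=200
2025-06-10T09:15:20Z src=10.20.1.15 method=POST host=api.telegram.org path=/botXXXX:TOKEN/sendDocument bytes=6200000 status=200
2025-06-10T09:16:02Z src=10.20.1.22 method=GET host=web.telegram.org path=/ bytes=1200 status=200
2025-06-10T09:17:45Z src=10.20.1.30 method=POST host=files.example.com path=/upload bytes=25000000 status=200
2025-06-10T11:40:00Z src=10.20.1.22 method=POST host=api.telegram.org path=/botXXXX:TOKEN/sendDocument bytes=300000 status=200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) host=(?P<host>\S+) "
    r"path=(?P<path>\S+) bytes=(?P<bytes>\d+) status=(?P<status>\d+)$"
)

WINDOW_SECONDS = 600                 # uploads must fall inside a 10-minute window (tunable)
MIN_UPLOADS = 2                      # a single upload is not a split archive
MIN_TOTAL_BYTES = 20 * 1024 * 1024   # the article's split threshold: chunks that together exceed it


def parse(log_text):
    """Parse the constructed log format into event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def is_bot_api_upload(ev):
    """Assumed exfiltration channel: a POST to the Telegram Bot API's sendDocument method."""
    return (ev["method"] == "POST"
            and ev["host"] == "api.telegram.org"
            and ev["path"].endswith("/sendDocument"))


def find_chunked_exfil(events):
    """Return {src: (upload_count, total_bytes)} for sources whose Bot API uploads,
    inside some WINDOW_SECONDS window, number at least MIN_UPLOADS and sum to at
    least MIN_TOTAL_BYTES. The largest qualifying window per source is reported."""
    per_src = defaultdict(list)
    for ev in events:
        if is_bot_api_upload(ev):
            per_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # advance the window start until it fits within WINDOW_SECONDS of evs[end]
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > WINDOW_SECONDS:
                start += 1
            window = evs[start:end + 1]
            total = sum(e["bytes"] for e in window)
            if len(window) >= MIN_UPLOADS and total >= MIN_TOTAL_BYTES:
                if (len(window), total) > alerts.get(src, (0, 0)):
                    alerts[src] = (len(window), total)
    return alerts


if __name__ == "__main__":
    for src, (count, total) in find_chunked_exfil(parse(SAMPLE_LOG)).items():
        print(f"{src}: {count} Bot API uploads totalling {total} bytes")
```

Two practical caveats: Telegram is used legitimately in many organisations, so the thresholds should be tuned per environment and the alert treated as a lead for host triage rather than a verdict; and because Bot API traffic is TLS, the request path (which also carries the bot token, shown here as the placeholder `XXXX:TOKEN`) is only visible where the proxy performs TLS inspection, otherwise the rule has to fall back to the SNI/host name plus upload sizes.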
This is not just about password theft or tracking browsing activity; it is targeted cyber-espionage. The malware's new ability to sift through recent files and capture documents such as PDFs, spreadsheets and even VPN-related files points to a larger purpose: intelligence gathering. For anyone in a public-sector role or handling sensitive internal reports, this kind of document theft is a real risk, not only for the individual but for the entire network they are connected to.
"The timing of the campaigns discussed in this report demonstrates a clear alignment with geopolitical events, particularly the recent negotiations between Ukraine and Russia in Istanbul," Arctic Wolf said.
"The progression from simple browser-data theft in GIFTEDCROOK version 1 to comprehensive document and data exfiltration in versions 1.2 and 1.3 reflects a coordinated development effort in which the malware has been adapted to geopolitical goals to harvest data from compromised systems in Ukraine."