CERT-UA Warns of UAC-0173 Campaign Deploying DCRat to Compromise Ukrainian Notaries

Feb 26, 2025 | Ravie Lakshmanan | Network Security / Threat Intelligence

The Computer Emergency Response Team of Ukraine (CERT-UA) issued a warning on Tuesday about renewed activity from a criminal organization known as UAC-0173, which involves infecting computers with a remote access trojan known as DCRat (also known as DarkCrystal RAT).

The latest attack wave, according to the Ukrainian agency, started in the middle of January 2025. Ukrainian notaries are the targets of the campaign.

The infection chain leverages phishing emails that claim to be sent on behalf of the Ministry of Justice of Ukraine, urging recipients to open a file which, when launched, leads to the deployment of the DCRat malware. The binaries are hosted on cloud storage services.

"Having thus gained primary access to the notary's automated workplace, the attackers take measures to install additional tools, in particular RDPWRAPPER, which implements the functionality of parallel RDP sessions, which, in combination with the use of the BORE utility, allows you to establish RDP connections from the Internet directly to the computer," CERT-UA said.

Other tools and malware families, such as FIDDLER and NMAP for network reconnaissance, and XWorm for stealing sensitive data such as credentials and file contents, are also used in the attacks.

Additionally, the compromised systems are used to craft and send further malicious emails via the SENDMAIL console utility, spreading the attacks even more widely.

The development comes days after CERT-UA attributed a sub-cluster within the Sandworm hacking group (aka APT44, Seashell Blizzard, and UAC-0002) to the exploitation of a now-patched security flaw in Microsoft Windows (CVSS score: 6.5) in the second half of 2024 via booby-trapped documents.

The attack chains, which include SECONDBEST (aka EMPIREPAST), SPARK, and a Golang loader named CROOKBAG, were found to execute PowerShell commands that launch additional payloads in the background.

The activity, attributed to UAC-0212, targeted supplier companies from Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025, with some of the attacks recorded against more than two dozen Russian companies specializing in the development of automated process control systems (ACST), electrical engineering, and freight transportation.

and Microsoft, which are tracking the threat group under the name , have both documented some of these attacks.
