Cyberattack: UAC-0125 using the theme "Army+" (CERT-UA#12559)

Published 20/12/2024 14:25 · Modified 20/12/2024 14:41

Essential information

Tags
2024-12-20 apt44 army+ cloudflare workers nsis openssh sandworm tor uac-0125
Related entities
6 observables, 1 intrusion sets (apt), 7 techniques (mitre), 1 others

Description

A cyber attack attributed to UAC-0125 has been identified, involving websites mimicking the official 'Army+' app page. These sites, hosted on Cloudflare Workers, prompt users to download a malicious executable. The EXE file, an installer, contains a decoy .NET file, a Python interpreter, Tor files, and a PowerShell script. When executed, it installs an OpenSSH server, generates RSA keys, and sets up hidden remote access to the victim's computer via Tor. This activity is associated with UAC-0002 (Sandworm/APT44). Previous incidents in early 2024 used trojanized Microsoft Office packages as the initial compromise vector. If the initial compromise succeeds, the attackers may further expand the attack across the organization's IT infrastructure.

External references