216.73.217.64

Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

· Published 22/10/2025 19:45 · Modified 22/10/2025 20:27

Export JSON

Essential information

Published
22/10/2025 19:45
Modified
22/10/2025 20:27
Tags
2025-10-22 android captcha coldriver ngos powershell spearphishing ukraine websocket rat
Related entities
24 observables, 1 intrusion sets (apt), 14 techniques (mitre), 2 malware, 3 others

Description

A coordinated campaign targeted and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare page to execute malware. The final payload was a enabling remote command execution and data exfiltration. Despite six months of preparation, the attackers' infrastructure was only active for one day, indicating sophisticated planning and operational security. An additional mobile attack vector was discovered, using fake applications to collect data from devices. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control.

External references