Aug 13, 2024 | Ravie Lakshmanan | Threat Intelligence / Malware
The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new, active phishing campaign that impersonates the Security Service of Ukraine to distribute malware. The malware is capable of giving attackers remote desktop access to infected systems.
Known as UAC-0198, the malicious campaign has impacted over 100 computers since its emergence in July 2024. Among the affected systems are those belonging to various government entities within Ukraine.
The attack involves email distribution of a ZIP archive file containing an MSI installer. When this file is opened, it triggers the installation of a remote access malware named ANONVNC.
ANONVNC, which is based on the open-source tool MeshAgent, gives attackers stealthy, unauthorized access to infected hosts.
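One way a mail gateway or triage script could flag the delivery pattern described above, a ZIP attachment carrying an MSI installer. This is an added example, not code from CERT-UA or the original article; the function names, the 50 MiB limit and the sample message are assumptions constructed for illustration.

```python
import io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header; MSI uses this container
MAX_NESTED = 50 * 1024 * 1024                  # assumed cap: skip nested archives above 50 MiB

def msi_members(zip_bytes, depth=0):
    """Return (member_name, reason) for MSI-like entries, following nested ZIPs two levels."""
    hits = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return hits
    with zf:
        for info in zf.infolist():
            name = info.filename
            if name.lower().endswith(".msi"):
                hits.append((name, "msi extension"))
            if info.flag_bits & 0x1:           # encrypted member: only the name is readable
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            if head == OLE_MAGIC and not name.lower().endswith(".msi"):
                hits.append((name, "OLE header under another extension"))
            elif head[:4] == b"PK\x03\x04" and depth < 2 and info.file_size <= MAX_NESTED:
                inner = msi_members(zf.read(info), depth + 1)
                hits += [(f"{name}/{n}", r) for n, r in inner]
    return hits

def scan_message(raw_eml):
    """Return (attachment, member, reason) for every MSI-like file inside ZIP attachments."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        found += [(part.get_filename(), m, r) for m, r in msi_members(data)]
    return found

def build_sample():
    """Constructed test message: a ZIP attachment holding fake files (header bytes only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/setup.msi", OLE_MAGIC + b"\x00" * 504)
        zf.writestr("docs/report.pdf", OLE_MAGIC + b"\x00" * 504)
    msg = EmailMessage()
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

The OLE header is shared with legacy Office formats, so the second reason is a prompt for review rather than proof of an installer.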
CERT-UA has also tied UAC-0102 to phishing attacks using HTML attachments that mimic the UKR.NET login page to steal user credentials. Additionally, the agency has issued warnings about a rise in campaigns distributing the PicassoLoader malware, ultimately leading to the installation of Cobalt Strike Beacon on compromised systems. These attacks have been linked to UAC-0057.
“UAC-0057’s targets are likely specialists and employees of relevant local governments in Ukraine,” highlighted CERT-UA in a statement.