
Image: CERT-UA
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a security alert regarding a series of targeted cyberattacks aimed at employees of defense industry enterprises and representatives of the Defence Forces of Ukraine.
According to CERT-UA, these attacks have been ongoing, with increased activity observed in March 2025. The attackers are leveraging the Signal messenger to spread phishing messages containing malicious archives. “Throughout March 2025, attackers were spreading phishing messages containing malicious archives in the Signal messenger,” the alert states.
The attackers rely on social engineering to deceive their targets, disguising the attached files as reports on the results of meetings. In a particularly insidious twist, “in some cases, to increase trust in the message, it was sent on behalf of familiar contacts whose accounts had been previously hacked by the attackers.” A message arriving from a known contact's compromised account borrows that contact's credibility, making recipients more likely to open the attachment.
The phishing archives typically contain a lure file with a “.pdf” extension and an executable file. This executable file is identified as DarkTortilla, “a crypter/loader that decrypts and launches the remote administration tool DarkCrystal RAT (DCRAT).” This malware combination allows attackers to gain remote access and control over compromised systems.
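One triage check a defender could run on attachments that match this pattern, given here as an added Python example that is not from the CERT-UA alert or from this article: it inspects a ZIP archive and flags archives that pair a document lure with an executable, identifying executables by their PE header rather than by file name, so a renamed or double-extension binary is still caught. The sample archive, its file names and contents, and the suffix lists are assumptions constructed for the example; the alert itself names only a ".pdf" lure alongside an executable.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Suffix lists are assumptions for the example, not taken from the alert.
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".dll")
LURE_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def is_pe(head: bytes) -> bool:
    """True if the bytes begin with a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


@dataclass
class ArchiveVerdict:
    suspicious: bool = False
    lures: list = field(default_factory=list)
    executables: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def triage_archive(blob: bytes, head_bytes: int = 4096) -> ArchiveVerdict:
    """Flag archives that bundle a document lure with an executable, judging by content, not name."""
    v = ArchiveVerdict()
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(head_bytes)  # only the header is needed for the PE check
            if is_pe(head):
                v.executables.append(name)
                if not lower.endswith(EXEC_SUFFIXES):
                    v.reasons.append(f"PE content behind a non-executable name: {name}")
                if lower.rsplit(".", 1)[0].endswith(LURE_SUFFIXES):
                    v.reasons.append(f"double extension posing as a document: {name}")
            elif lower.endswith(EXEC_SUFFIXES):
                v.executables.append(name)
                v.reasons.append(f"executable by name without a PE header: {name}")
            elif lower.endswith(LURE_SUFFIXES):
                v.lures.append(name)
    if v.lures and v.executables:
        v.reasons.append("document lure bundled with an executable")
    v.suspicious = bool(v.executables)
    return v


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def minimal_pe() -> bytes:
    """Smallest stub is_pe() accepts: 'MZ', e_lfanew=0x40 at offset 0x3C, then 'PE\\0\\0'."""
    dos_header = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
    return dos_header + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample mimicking the layout the alert describes: a ".pdf" lure next to an
# executable. File names and contents are assumptions for this example, not real artifacts.
SAMPLE_ARCHIVE = build_archive({
    "meeting_report.pdf": b"%PDF-1.4\n% constructed lure document\n",
    "meeting_report.pdf.exe": minimal_pe(),
})

if __name__ == "__main__":
    verdict = triage_archive(SAMPLE_ARCHIVE)
    print("suspicious:", verdict.suspicious)
    for reason in verdict.reasons:
        print(" -", reason)
```

The check reads only the first few kilobytes of each entry, so it is cheap enough to run on every inbound archive at a mail or chat gateway; a hit on the lure-plus-executable pattern is a trigger for sandbox detonation, not a verdict on its own, since a benign archive can legitimately ship an installer beside a README.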
CERT-UA has been tracking this malicious activity under the identifier UAC-0200 since at least the summer of 2024. The alert highlights the evolving nature of the attacks, noting that “since February 2025, the content of the lure messages has concerned UAVs, electronic warfare equipment, and other military technologies.” This indicates that the attackers are focusing on sensitive topics related to current military concerns.
CERT-UA emphasizes the security risks associated with using popular messenger applications. “CERT-UA reminds everyone that using popular messengers such as Signal, WhatsApp, Telegram, and Viber, both on mobile devices and computers, significantly expands the attack surface. They create uncontrolled channels for information exchange, which makes it difficult to detect threats using standard cybersecurity tools.” This warning underscores the need for heightened vigilance and security awareness when using these platforms, especially in sensitive contexts.