
In early March 2025, Armenia became the focal point of a sophisticated spear-phishing campaign that leveraged the encrypted messaging platform Signal—a notable shift from traditional email-based attacks. According to a report by CyberHUB-AM, the campaign targeted key figures across Armenia’s civil society and government sectors, employing tactics and infrastructure attributed to UNC5792, a threat actor previously identified by Mandiant.
The attackers crafted a highly convincing persona—“Armine Poghosyan,” a fictional employee of Armenia’s Ministry of High-Technological Industry. Under this identity, they contacted victims via Signal, inviting them to join an “information platform” purportedly focused on political forecasts relevant to Armenia. The goal was to exploit contextual trust and lure recipients into clicking malicious URLs.
“Recipients were invited to join a newly formed ‘information platform’ described as providing strategic forecasts on global events and their impact on Armenian politics,” the report explained.
The campaign was narrowly focused on high-profile targets with political and institutional influence:
- NGOs engaged in legislative reform and election monitoring
- A national-level security analyst
- Members of the Armenian Electoral Commission
This highly selective targeting indicates an intent to collect sensitive intelligence or influence internal affairs, especially during politically charged periods.
“These targets suggest an intent to collect intelligence or exert influence within Armenian public affairs,” the report stated.
The phishing campaign utilized a sequence of temporary URLs hosted on malicious domains, including:
- add-group.tech
- group-add.com
- signal-groups-add.com
Each URL was verified as malicious by VirusTotal, Mandiant, and Google Threat Intelligence. The infrastructure’s short-lived nature made forensic analysis difficult.
“The original URL had already expired, indicating that the threat actor employed infrastructure designed for short-lived accessibility.”
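For defenders who hold exports of Signal or other chat conversations, the three domains above are the actionable indicators in the report. The script below is an added example (not code from CyberHUB-AM or the report) that extracts links from message text, normalizes the hostname, and matches it against that indicator list, including subdomains, since the attacker rotated short-lived URLs under the same domains. It also applies a second, assumed heuristic that flags hosts combining "signal" with "group" or "add" wording while not being a legitimate Signal host; both the allow-list and the sample messages are constructed for the example.

```python
"""Scan chat message exports for links to the phishing domains named in the
CyberHUB-AM report. Added example: the IoC list is taken from the report,
the Signal allow-list and lookalike heuristic are assumptions, and the sample
messages below are constructed."""
import re
from urllib.parse import urlsplit

# Domains listed in the report (exact strings from the page).
IOC_DOMAINS = {"add-group.tech", "group-add.com", "signal-groups-add.com"}

# Legitimate Signal hosts (assumed allow-list; adjust for your environment).
LEGIT_SIGNAL_HOSTS = {"signal.org", "signal.group", "signal.me"}

# Matches http(s) URLs and bare www. links inside free text.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def normalize_host(url):
    """Return the lowercase hostname of a URL, without port or trailing dot."""
    if url.lower().startswith("www."):
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def _under(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def matches_ioc(host):
    """True if host is one of the report's IoC domains or a subdomain of one."""
    return _under(host, IOC_DOMAINS)


def looks_like_signal_lookalike(host):
    """Heuristic (assumption, not from the report): the host borrows 'signal'
    plus 'group'/'add' wording but is not a legitimate Signal domain."""
    if _under(host, LEGIT_SIGNAL_HOSTS):
        return False
    return "signal" in host and ("group" in host or "add" in host)


def scan_messages(messages):
    """messages: iterable of (sender, text). Returns a list of findings, each a
    dict with sender, url, host and reason ('known_ioc' or 'signal_lookalike')."""
    findings = []
    for sender, text in messages:
        for url in URL_RE.findall(text):
            url = url.rstrip(".,)")  # drop sentence punctuation glued to the link
            host = normalize_host(url)
            if matches_ioc(host):
                reason = "known_ioc"
            elif looks_like_signal_lookalike(host):
                reason = "signal_lookalike"
            else:
                continue
            findings.append({"sender": sender, "url": url, "host": host, "reason": reason})
    return findings


# Constructed sample messages (senders and links are made up for this example).
SAMPLE_MESSAGES = [
    ("+37400000001", "Hi, please join our information platform: https://signal-groups-add.com/join/abc123"),
    ("+37400000002", "Meeting notes are at https://docs.example.org/notes"),
    ("+37400000001", "Link expired, here is a new one: http://invite.group-add.com/x?y=1"),
    ("+37400000003", "Official group link: https://signal.group/#CjQKIE"),
    ("+37400000004", "Try www.signal-add-group.net/invite."),
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_MESSAGES):
        print(f"{f['reason']:17} {f['sender']}  {f['host']}  {f['url']}")
```

Subdomain matching matters here because a rotated invite link such as one under a new host label of group-add.com would otherwise slip past an exact-match list; the lookalike heuristic is deliberately conservative and should be reviewed by an analyst rather than used to block automatically.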
One of the most striking revelations was the attacker’s real-time adaptability. During observation, a researcher impersonating a target informed the attacker that the link had expired. Within moments, the attacker provided a fresh, active URL, revealing live monitoring and engagement.
“This behavior confirms that the attacker was actively monitoring communication and managing the phishing infrastructure in an agile manner.”