13 May 2022

Russia-linked Armageddon APT using occupied Kherson as a lure in attacks targeting Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has detected a new cyber-espionage campaign that is delivering the GammaLoad malware via phishing emails allegedly containing information related to Ukraine’s Kherson region, which has been occupied by Russia since February 2022.

CERT-UA attributes this campaign to the Russia-linked Armageddon APT (aka Gamaredon, Primitive Bear, Winterflounder, or Iron Tilden), a group with a long history of cyberattacks against critical infrastructure in Ukraine.

In this recent attack, the threat actor has been observed sending phishing emails with the subject ‘About holding a revenge protest campaign in Kherson!’ and an attachment in the form of an HTM file named “Plan Kherson.htm”.

This file creates a RAR archive named “Herson.rar” on the victim’s computer containing an LNK file which, when opened, downloads and executes several additional files (precarious.xml, desktop.txt, user.txt) that in turn fetch the GammaLoad espionage tool.
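The chain described above starts with an HTM attachment that writes an archive to disk, which is the pattern mail gateways and sandboxes catch by looking for an archive or shortcut embedded inside the HTML itself. The following triage check is an added example, not CERT-UA's or the article's code; it assumes the HTM carries the archive as a base64 string (the article does not state how the file builds “Herson.rar”), and the sample HTML, the fake RAR bytes and the function names are constructed for illustration.

```python
"""Triage check for HTML attachments that embed an archive or Windows shortcut.

Added example (not CERT-UA code). Assumption: the .htm stores its dropped
payload as a base64 string inside the page; every base64 run long enough to
hold a file is decoded and its header compared with known magic bytes.
"""
import base64
import re

# Signatures for RAR 4.x, RAR 5.x and Windows .lnk (header size 0x4C + shell link CLSID).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"

# A run of at least 64 base64-alphabet bytes, optionally padded: too short to be
# a file otherwise, and long enough to skip ordinary identifiers in HTML/JS.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def find_smuggled_payloads(html: bytes):
    """Return [(offset, kind, decoded_size)] for every embedded blob whose
    decoded header matches a RAR or LNK signature."""
    findings = []
    for m in _B64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # bad padding or stray characters: not a clean blob
            continue
        if data.startswith(RAR5_MAGIC):
            kind = "rar5"
        elif data.startswith(RAR4_MAGIC):
            kind = "rar4"
        elif data.startswith(LNK_MAGIC):
            kind = "lnk"
        else:
            continue  # decodes fine but is not one of the file types we care about
        findings.append((m.start(), kind, len(data)))
    return findings


def is_suspicious(html: bytes) -> bool:
    """True when the attachment embeds at least one archive or shortcut."""
    return bool(find_smuggled_payloads(html))


# Constructed sample: a RAR5 header followed by zero padding, embedded the way a
# dropper page would store it. The dropper's own logic is deliberately omitted.
_FAKE_RAR = RAR5_MAGIC + b"\x00" * 120
SAMPLE_HTM = (
    b"<html><body><script>var payload=\""
    + base64.b64encode(_FAKE_RAR)
    + b"\";</script></body></html>"
)

# Constructed benign attachment with no embedded blob at all.
BENIGN_HTM = b"<html><body><p>Quarterly report attached separately.</p></body></html>"


if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_HTM), ("benign", BENIGN_HTM)):
        print(name, find_smuggled_payloads(doc))
```

The check is a first-pass filter rather than a verdict: a dropper that obfuscates the blob (XOR, split strings, reversed base64) will not match, so the result belongs in a sandbox pipeline that also records files written by the browser after the page is opened.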

Earlier this month, security researchers reported a series of phishing attacks carried out by Armageddon against Ukrainian government organizations and entities in the European Union.

Cybersecurity Help statement on the critical situation in Ukraine

On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable; the political ambitions of any man aren’t worth the blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Glory to Ukraine!

