The Computer Emergency Response Team of Ukraine (CERT-UA) is warning about a new information-stealing campaign targeting Ukraine’s government entities with the MerlinAgent malware.
The attacks were first spotted in July 2023, according to a security alert.
The new campaign involves malicious messages purportedly sent from CERT-UA that contain an attachment in the form of a CHM file named “Внутрішні кіберзагрози” (Internal Cyber Threats).
Upon opening, the file will trigger the execution of a JavaScript code and a PowerShell script meant to download and unzip a GZIP archive named “ctlhost.exe.tmp” containing an executable file (ctlhost.exe). When executed, this file will download the MerlinAgent malware onto the compromised system.
CERT-UA is tracking this malicious activity as UAC-0154.
