A threat actor has been observed targeting Ukraine’s military with phishing attacks that use lures themed as drone or unmanned aerial vehicles (UAVs) service manuals to infect targets with the MerlinAgent malware.
The campaign, dubbed ‘STARK#VORTEX’ by Securonix researchers, has been attributed to a threat cluster tracked as UAC-0154.
The malicious file comes in the form of a Microsoft Help file (.chm) named “Інфо про навчання по БПЛА для військових.v2.2.chm” (“info on UAV training for the military”). When opened, this file runs JavaScript code embedded inside one of its HTML pages to execute PowerShell code designed to download an obfuscated binary payload from a remote server, from which the Merlin agent info-stealer is extracted.
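The chain described above leaves a telemetry signal a defender can alert on: .chm files are opened by the Windows HTML Help viewer (hh.exe), so a process-creation record in which hh.exe spawns PowerShell or another script host, especially with a download or encoded-command flag on the command line, is suspicious. The following detection logic is an added example, not code from the article or from Securonix; the Sysmon-style field names and the sample events are constructed assumptions.

```python
"""Flag the CHM -> script host -> PowerShell chain in process-creation telemetry.

Added example (not from the article). Assumes Sysmon Event ID 1-style records
with ParentImage, Image and CommandLine fields; hh.exe is the Windows HTML Help
viewer that opens .chm files.
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Child processes the help viewer has no ordinary reason to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line cues consistent with "download an obfuscated payload".
DOWNLOAD_CUES = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|-enc(odedcommand)?\b|FromBase64String)", re.I)

@dataclass
class Alert:
    record_id: int
    reason: str
    severity: str

def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def evaluate(event: Dict) -> Optional[Alert]:
    """Return an Alert when hh.exe spawns a script host; escalate on download cues."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent != "hh.exe" or child not in SCRIPT_HOSTS:
        return None
    if DOWNLOAD_CUES.search(event.get("CommandLine", "")):
        return Alert(event["RecordId"], f"hh.exe -> {child} with download/encoding cue", "high")
    return Alert(event["RecordId"], f"hh.exe -> {child}", "medium")

def scan(events: List[Dict]) -> List[Alert]:
    return [a for a in (evaluate(e) for e in events) if a is not None]

# Constructed sample telemetry; the paths and command lines are not IoCs from the campaign.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": r"C:\Windows\hh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"RecordId": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\manual.chm'},
    {"RecordId": 3, "ParentImage": r"C:\Windows\hh.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo hi"},
    {"RecordId": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Record 2 (explorer.exe opening the .chm) is the benign part of the chain and is deliberately not alerted; only the hh.exe child processes are.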
“Files and documents used in the attack chain are very capable of bypassing defenses, scoring 0 detections for the malicious .chm file. Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help-themed document or file,” the researchers said.
In August, the Computer Emergency Response Team of Ukraine (CERT-UA) shared details about a similar campaign by the same threat actor that targeted Ukraine’s government entities with the MerlinAgent info-stealer.
Earlier this week, Ukraine’s State Service for Special Communications and Information Protection (SSSCIP) published a report highlighting the tactics, objectives and capacities of Russian state-sponsored hacker groups.