13 November 2023

Latest adversary campaign impersonates Ukrainian security agency to deliver Remcos spyware


Ukraine’s CERT team has shared technical details and Indicators of Compromise (IoCs) associated with a new phishing campaign that impersonates the Security Service of Ukraine (SBU) to deploy remote access software onto target systems.

The attacks start from a phishing email containing a RAR archive named “Електронна вимога СБУ України.rar” (“The digital requirement of the SBU”) that includes another similarly named archive. Once opened, this archive leads to the installation of the Remcos remote access trojan (RAT) on the victim’s system.

CERT-UA has attributed this malicious activity to a threat actor it tracks as UAC-0050.

Earlier this month, cybersecurity company Mandiant published details of a previously unreported campaign by the Russia-linked threat actor Sandworm that targeted one of the power plants in Ukraine.

In October, Ukraine’s CERT revealed that at least 11 telecommunications service providers in Ukraine were hit with destructive Sandworm attacks between May and September 2023.

Additionally, Ukraine's National Cyber Security Coordination Center (NCSCC) warned that suspected Russian cybercrime groups have been increasingly targeting state and financial institutions in Ukraine with the SmokeLoader malware.
