Hackers target Ukraine with malicious emails disguised as Amazon and Microsoft integration


The Ukrainian Computer Emergency Response Team (CERT-UA) has detected a large-scale phishing campaign targeting government bodies, key industrial enterprises, and military formations in Ukraine. The emails, masked as official communications related to “integration” with Amazon and Microsoft services, and promoting Zero Trust Architecture (ZTA) initiatives, have been part of a broader cyberattack campaign tracked under the identifier UAC-0215.

According to CERT-UA, the emails contain malicious attachments, specifically configuration files for the Remote Desktop Protocol (".rdp" files). When executed, these files establish a direct RDP connection to servers controlled by the attackers. Once connected, the malicious servers gain access not only to the victim's local disks, network resources, printers, COM ports, audio devices, and clipboard, but may also create the technical conditions for executing additional tools or scripts on the victim's machine.

The attack's wide geographic scope has been confirmed by cybersecurity organizations in other countries, suggesting that the cyber infrastructure for this campaign has been in preparation since at least August 2024, CERT-UA said.

An analysis of associated domain names and IP addresses revealed indicators of compromise, although CERT-UA warns that some listed IP addresses and domains may not be directly related to this specific incident.

To mitigate the risks of similar attacks, CERT-UA advises organizations to implement the following technical measures:

  • Block ".rdp" files at the email gateway.

  • Restrict users' ability to execute ".rdp" files, with exceptions only for authorized use.

  • Configure firewalls to block Remote Desktop connections (mstsc.exe) to external network resources.

  • Apply group policy settings to disable resource redirection during RDP sessions ("Remote Desktop Services" -> "Remote Desktop Session Host" -> "Device and Resource Redirection" -> "Do not allow...").

Additionally, CERT-UA recommends organizations review their network logs for any signs of suspicious activity involving the listed IP addresses and domains, especially focusing on outbound connections over port 3389/tcp. Any unexplained connections should be thoroughly investigated to determine potential compromises.
