Cyberattack: UAC-0125 using the theme "Army+" (CERT-UA#12559)
NetmanageIT OpenCTI - opencti.netmanageit.com
SUMMARY:
A cyber attack attributed to UAC-0125 has been identified, involving websites that mimic the official 'Army+' app page. These sites, hosted on Cloudflare Workers, prompt users to download a malicious executable. The EXE file, an NSIS installer, contains a decoy .NET file, a Python interpreter, Tor files, and a PowerShell script. When executed, it installs an OpenSSH server, generates RSA keys, and sets up hidden remote access to the victim's computer via Tor. This activity is associated with UAC-0002 (APT44/Sandworm). Previous incidents in early 2024 used trojanized Microsoft Office packages as the initial compromise vector. If the initial compromise succeeds, the attackers may expand the attack further into the organization's IT infrastructure.
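The chain above (installer spawns PowerShell, an OpenSSH server is installed, RSA keys are generated, Tor is started) is easier to spot as a combination than as any single event, since each step on its own is also something an administrator might do. The following is an added detection example, not code from CERT-UA or OpenCTI: it runs a simple multi-stage heuristic over constructed endpoint telemetry. The event shape, the stage predicates, the file name `armyplus_setup.exe`, the host names and the timestamps are all assumptions made for the example; a real deployment would map them onto whatever EDR or Sysmon fields are available.

```python
"""Added example, not part of the advisory: flag hosts where several stages of
the NSIS -> PowerShell -> OpenSSH -> RSA key -> Tor chain occur close together."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable


@dataclass(frozen=True)
class Event:
    """Minimal, constructed telemetry record (assumed shape, not an EDR schema)."""
    host: str
    ts: datetime
    kind: str      # "process" (process creation) or "service" (service install)
    image: str     # executable or service name, lower-case
    cmdline: str   # command line; empty for service events


# Stage predicates derived from the behaviour the advisory describes.
# Names and matching rules are assumptions for this example.
STAGES: dict[str, Callable[[Event], bool]] = {
    "powershell": lambda e: e.kind == "process" and e.image == "powershell.exe",
    "sshd_installed": lambda e: e.kind == "service" and e.image == "sshd",
    "rsa_keygen": lambda e: e.kind == "process"
        and e.image == "ssh-keygen.exe" and "rsa" in e.cmdline.lower(),
    "tor": lambda e: e.kind == "process" and e.image == "tor.exe",
}


def score_host(events: Iterable[Event],
               window: timedelta = timedelta(minutes=30)) -> dict[str, set[str]]:
    """For each host, return the largest set of stages seen within `window`
    after some PowerShell launch. PowerShell anchors the window because the
    advisory names the PowerShell script as the component doing the setup."""
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    result: dict[str, set[str]] = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best: set[str] = set()
        for i, start in enumerate(evs):
            if not STAGES["powershell"](start):
                continue
            seen = {"powershell"}
            for e in evs[i + 1:]:
                if e.ts - start.ts > window:
                    break
                for name, pred in STAGES.items():
                    if pred(e):
                        seen.add(name)
            if len(seen) > len(best):
                best = seen
        result[host] = best
    return result


def suspicious_hosts(events: Iterable[Event], min_stages: int = 3) -> dict[str, list[str]]:
    """Hosts on which at least `min_stages` chain stages co-occur.
    The threshold of 3 keeps a lone admin installing OpenSSH out of the alert."""
    return {h: sorted(s) for h, s in score_host(events).items() if len(s) >= min_stages}


# Constructed sample telemetry (timestamps, hosts and file names are made up).
T0 = datetime(2024, 12, 17, 10, 0)
SAMPLE_EVENTS = [
    # WS-01: full chain as described in the advisory
    Event("WS-01", T0, "process", "armyplus_setup.exe", "armyplus_setup.exe"),
    Event("WS-01", T0 + timedelta(seconds=5), "process", "powershell.exe",
          "powershell.exe -File install.ps1"),
    Event("WS-01", T0 + timedelta(minutes=1), "service", "sshd", ""),
    Event("WS-01", T0 + timedelta(minutes=2), "process", "ssh-keygen.exe",
          'ssh-keygen.exe -t rsa -N "" -f id_rsa'),
    Event("WS-01", T0 + timedelta(minutes=3), "process", "tor.exe", "tor.exe -f torrc"),
    # WS-02: benign-looking admin activity, only two stages present
    Event("WS-02", T0, "process", "powershell.exe", "powershell.exe Get-Service"),
    Event("WS-02", T0 + timedelta(minutes=5), "service", "sshd", ""),
]

if __name__ == "__main__":
    for host, stages in suspicious_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Only WS-01 is reported; WS-02 shows PowerShell plus an OpenSSH service install, which is two stages and stays below the threshold. Tuning `window` and `min_stages` against your own baseline is the practical part of deploying a rule like this.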
OPENCTI LABELS:
tor,sandworm,openssh,cloudflare workers,nsis,uac-0125,apt44,army+