
Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A coordinated spearphishing campaign targeted NGOs and Ukrainian government administrations involved in war relief efforts. The attack used emails impersonating the Ukrainian President's Office with weaponized PDFs, employing a fake Cloudflare captcha page to execute malware. The final payload was a WebSocket RAT enabling remote command execution and data exfiltration. Despite six months of preparation, the attackers' infrastructure was only active for one day, indicating sophisticated planning and operational security. An additional mobile attack vector was discovered, using fake applications to collect data from Android devices. The campaign demonstrated extensive operational planning, compartmentalized infrastructure, and deliberate exposure control.

OPENCTI LABELS :

powershell,ukraine,android,spearphishing,captcha,ngos,coldriver,websocket rat


AI COMMENTARY :

1. Introduction

The recent discovery of a sophisticated spearphishing campaign targeting NGOs and Ukrainian government administrations involved in war relief efforts underscores the evolving threat landscape in Eastern Europe. Adversaries leveraged social engineering tactics by impersonating the Ukrainian President’s Office, sending weaponized PDFs to unsuspecting recipients. This article delves into the multi-stage WebSocket Remote Access Trojan (RAT) campaign, examining how the attackers executed their plan over a single day while demonstrating meticulous operational security.

2. Spearphishing Attack Vector

The attackers crafted highly convincing emails, complete with official-looking letterheads and contextually relevant messaging, to lure recipients into opening a malicious PDF attachment. Once opened, the PDF exploited a vulnerability to deliver a payload that redirected victims to a fake Cloudflare captcha page. Under the guise of browser verification, the page downloaded and executed further scripts, often leveraging PowerShell to stage the next phase of the attack without raising suspicion among security tools.

3. Deployment of the WebSocket RAT

After the initial compromise, the campaign deployed a custom WebSocket RAT designed for remote command execution and data exfiltration. This RAT established a bi-directional communication channel over WebSocket, enabling the attackers to interact with victim systems in real time. Researchers noted that the RAT’s commands could enumerate files, capture screenshots, and exfiltrate sensitive documents, granting adversaries broad control over targeted machines in NGO and government networks.

4. Infrastructure and Operational Security

Remarkably, the attackers prepared their infrastructure over six months but only activated it for a single day. This approach minimized the risk of detection and takedown by hosting servers for the shortest feasible period. The campaign’s compartmentalized architecture, complete with rotating domains and ephemeral command-and-control endpoints, highlights advanced operational security practices aimed at eluding defenders and law enforcement agencies.

5. Mobile Attack Vector

In parallel with the desktop assault, researchers uncovered a mobile component targeting Android devices. The attackers distributed fake applications masquerading as legitimate tools for war relief coordination. Once installed, these apps harvested contacts, messages, call logs, and device metadata before transmitting the data to remote servers. This dual-pronged approach maximized the adversaries’ ability to gather intelligence from both workstation and mobile environments within the same operational timeline.

6. Implications for Threat Intelligence

The campaign demonstrates the importance of integrating threat intelligence practices into organizational defenses. Indicators such as suspicious Cloudflare captcha pages, unusual PowerShell invocations, and WebSocket connections to unknown domains should trigger immediate investigation. Regular security awareness training can help employees recognize spearphishing attempts, while endpoint protection solutions can detect and block anomalous script execution and unauthorized network traffic.
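As an added example that is not part of the report or of OpenCTI, the following Python triage routine applies two of the indicators named above to constructed telemetry: PowerShell started from a browser or the Run dialog with hidden-window, encoded or download-and-execute arguments, and WebSocket upgrades to hosts outside an allowlist. The event schema, the host allowlist and the sample lines are all assumptions made for the example.

```python
import json
import ntpath
import re

# Hypothetical allowlist of hosts this organisation expects WebSocket traffic to.
KNOWN_WS_HOSTS = {"collab.example-corp.internal", "teams.microsoft.com"}
# Parents from which a PowerShell launch is unusual: browsers and the Run dialog.
UNUSUAL_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe"}
# Tokens typical of download-and-execute one-liners: hidden window, encoded or remote code.
SUSPICIOUS_PS = re.compile(
    r"(-enc(odedcommand)?\b|downloadstring|invoke-webrequest|\biwr\b|\biex\b|"
    r"invoke-expression|-w(indowstyle)?\s+hidden|frombase64string)", re.I)

def check_process(ev):
    # Finding string, or None, for one process-creation event.
    if ntpath.basename(ev["image"]).lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    parent = ntpath.basename(ev["parent_image"]).lower()
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_PS.finditer(ev["command_line"])})
    if parent in UNUSUAL_PARENTS and hits:
        return f"powershell from {parent} with {', '.join(hits)}"
    return None

def check_network(ev):
    # Finding string, or None, for one HTTP request event (header names are case-insensitive).
    headers = {k.lower(): v.lower() for k, v in ev.get("headers", {}).items()}
    host = ev["dest_host"].lower()
    if headers.get("upgrade") == "websocket" and host not in KNOWN_WS_HOSTS:
        return f"websocket upgrade to unknown host {host} by {ev['process']}"
    return None

def triage(lines):
    # Run both checks over NDJSON lines; return [(event_id, finding), ...].
    findings = []
    for line in lines:
        ev = json.loads(line)
        finding = check_process(ev) if ev["type"] == "process" else check_network(ev)
        if finding:
            findings.append((ev["id"], finding))
    return findings

# Constructed sample telemetry in a made-up schema; not taken from the report.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"id": 1, "type": "process", "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "command_line": "powershell.exe -w hidden -enc <base64 elided>"},
    {"id": 2, "type": "process", "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "command_line": "pwsh -File backup.ps1"},
    {"id": 3, "type": "network", "process": "msedge.exe", "dest_host": "teams.microsoft.com",
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
    {"id": 4, "type": "network", "process": "powershell.exe", "dest_host": "verify.example.net",
     "headers": {"Upgrade": "websocket", "Connection": "Upgrade"}},
]]
```

Running `triage(SAMPLE_LINES)` flags events 1 and 4 and leaves the administrator's pwsh launch and the allowlisted WebSocket session alone; in a real deployment the allowlist and parent set would come from the organisation's own baseline.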

7. Conclusion

The single-day activation of a multi-stage WebSocket RAT campaign against Ukrainian NGOs and government entities exemplifies the increasing sophistication of modern cyber threats. The adversaries’ use of compartmentalized infrastructure, combined desktop and mobile infection chains, and advanced OPSEC measures underscores the need for continuous vigilance. By analyzing this operation’s tactics, techniques, and procedures, security teams can better anticipate similar attacks and strengthen their defensive posture against future spearphishing campaigns.

