{
	"id": "01d0d673-9f16-452d-977e-e8fc36842059",
	"created_at": "2026-04-06T00:22:35.412974Z",
	"updated_at": "2026-04-10T13:11:58.518121Z",
	"deleted_at": null,
	"sha1_hash": "0a0c9e6440aa54263b6e62b259ecc59122ef009c",
	"title": "Operation Groundbait: Espionage in Ukrainian war zones",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 284806,
	"plain_text": "Operation Groundbait: Espionage in Ukrainian war zones\r\nBy Robert LipovskyAnton Cherepanov\r\nArchived: 2026-04-02 12:29:04 UTC\r\nCybercrime\r\nAfter BlackEnergy and Operation Potao Express, ESET researchers have uncovered another cyberespionage\r\noperation in Ukraine: Operation Groundbait.\r\n18 May 2016  •  , 2 min. read\r\nIn addition to the armed conflict in eastern Ukraine, in recent years the country has been facing a significantly\r\nhigher number of targeted cyberattacks, or so-called advanced persistent threats (APTs).\r\nAfter BlackEnergy, which has, most infamously, facilitated attacks that resulted in power outages for hundreds of\r\nthousands of Ukrainian civilians, and Operation Potao Express, where attackers went after sensitive TrueCrypt-protected data from high value targets, ESET researchers have uncovered another cyberespionage operation in\r\nUkraine: Operation Groundbait.\r\nCyber-surveillance focusing on separatists\r\nThe main point that sets Operation Groundbait apart from the other attacks is that it has mostly been targeting\r\nanti-government separatists in the self-declared Donetsk and Luhansk People's Republics.\r\nWhile the attackers seem to be more interested in separatists and the self-declared governments in eastern\r\nUkrainian war zones, there have also been a large number of other targets, including, among others, Ukrainian\r\ngovernment officials, politicians and journalists..\r\nGroundbait?\r\nThese cyberespionage activities have been carried out using a malware family that ESET detects as\r\nWin32/Prikormka. The malware has until now eluded the attention of anti-malware researchers since at least 2008.\r\nThe infection vector for spreading the malware was mostly through spear-phishing emails (which is somewhat the\r\nnorm for targeted attacks). During our research, we have observed a large number of samples, each with its\r\ndesignated campaign ID, an appealing file name to spark the target’s interest, and decoy documents with various\r\nthemes related to the current Ukrainian geopolitical situation and the war in Donbass.\r\nWe chose the name Groundbait – the translation of the Russian word Prikormka (Прикормка) – because of a\r\npuzzling theme used in one campaign that stood out among the others, which used themes related to the armed\r\nconflict. The malware file name was prikormka.exe and it displayed a pricelist of fishing groundbait, a choice of\r\ndecoy document that we have so far been unable to explain.\r\nhttp://www.welivesecurity.com/2016/05/18/groundbait\r\nPage 1 of 3\n\nFigure 1 – Decoy document with groundbait pricelist\r\nFrom a technical perspective, the malware features a modular architecture, allowing the attackers to expand its\r\nfunctionality and steal various types of sensitive information and files from the cyber-surveillance targets.\r\nFurther technical details of the malware, as well as additional information on the ongoing cyberespionage\r\noperation, can be found in our comprehensive whitepaper.\r\nSo who’s behind it?\r\nAs is usual in the world of cybercrime and APTs, attributing the source of the attack is tricky as conclusive\r\nevidence is difficult to find. Our research into the attacks has shown that the attackers most likely operate from\r\nwithin Ukraine.\r\nhttp://www.welivesecurity.com/2016/05/18/groundbait\r\nPage 2 of 3\n\nWhoever they are, based on the types of targets chosen – mostly separatists in the self-declared Donetsk and\r\nLuhansk People's Republics – it is probably fair to assume that this cyber-surveillance operation is politically\r\nmotivated.\r\nApart from that, any further attempt at attribution would at this point be speculative. It is important to note that in\r\naddition to separatists, the targets of this campaign include Ukrainian government officials, politicians and\r\njournalists. The possibility of false flags must be considered too.\r\nOur comprehensive whitepaper includes more information on the Operation Groundbait campaigns and technical\r\ndetails of the Prikormka malware. Indicators of Compromise (IOC) that can be used to identify an infection can\r\nalso be found in the whitepaper or on github.\r\nFor any inquiries, or to make sample submissions related to the subject, contact us at: threatintel@eset.com\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nSource: http://www.welivesecurity.com/2016/05/18/groundbait\r\nhttp://www.welivesecurity.com/2016/05/18/groundbait\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.welivesecurity.com/2016/05/18/groundbait"
	],
	"report_names": [
		"groundbait"
	],
	"threat_actors": [
		{
			"id": "4a892faf-3d4d-4615-b7b6-cdbc2ce42d8d",
			"created_at": "2022-10-25T16:07:23.99045Z",
			"updated_at": "2026-04-10T02:00:04.824683Z",
			"deleted_at": null,
			"main_name": "Operation Potao Express",
			"aliases": [],
			"source_name": "ETDA:Operation Potao Express",
			"tools": [
				"FakeTC",
				"Patao"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4989a6be-779c-49fa-9732-51f44b269ee2",
			"created_at": "2023-01-06T13:46:38.573168Z",
			"updated_at": "2026-04-10T02:00:03.027853Z",
			"deleted_at": null,
			"main_name": "Groundbait",
			"aliases": [],
			"source_name": "MISPGALAXY:Groundbait",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "73446bf0-6d25-4f73-ab37-78c41d19ade9",
			"created_at": "2022-10-25T16:07:23.961856Z",
			"updated_at": "2026-04-10T02:00:04.809181Z",
			"deleted_at": null,
			"main_name": "Operation Groundbait",
			"aliases": [],
			"source_name": "ETDA:Operation Groundbait",
			"tools": [
				"Prikormka"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434955,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0a0c9e6440aa54263b6e62b259ecc59122ef009c.pdf",
		"text": "https://archive.orkl.eu/0a0c9e6440aa54263b6e62b259ecc59122ef009c.txt",
		"img": "https://archive.orkl.eu/0a0c9e6440aa54263b6e62b259ecc59122ef009c.jpg"
	}
}