{
	"id": "33a92ef1-f56f-426e-b7a3-22d6d66f4440",
	"created_at": "2026-04-06T00:15:18.44536Z",
	"updated_at": "2026-04-10T13:11:35.059011Z",
	"deleted_at": null,
	"sha1_hash": "0da0a92f2429c2614a5d8e649c090fa757df3d11",
	"title": "Russia-Ukraine war exploited as lure for malware distribution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3800599,
	"plain_text": "Russia-Ukraine war exploited as lure for malware distribution\r\nBy Bill Toulas\r\nPublished: 2022-03-04 · Archived: 2026-04-05 21:08:12 UTC\r\nThreat actors are distributing malware using phishing themes related to the invasion of Ukraine, aiming to infect their targets\r\nwith remote access trojans (RATs) such as Agent Tesla and Remcos.\r\nIt is common for malware distributors to take advantage of trending global events to trick the recipient into opening email\r\nattachments, and at this time, there is nothing more closely watched than Russia's invasion of Ukraine.\r\nUsing this theme, threat actors are sending malicious emails that install RATs on target systems to gain remote access, steal\r\nsensitive information, conduct network reconnaissance, disable security software, and generally prepare the ground for more\r\npotent payloads.\r\nhttps://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/\r\nPage 1 of 6\n\nThe report of the latest malicious operations comes from Bitdefender Labs, whose researchers have been tracking two\r\ndistinct phishing campaigns since March 01, 2022.\r\nTargeting manufacturers\r\nUkraine is a manufacturing hub for various parts, and the current conflict has forced factories to close, inevitably creating\r\nsupply chain problems and shortages.\r\nThe first campaign spotted by Bitdefender attempts to exploit these concerns by targeting manufacturers with a ZIP\r\nattachment that supposedly contains a survey that they are required to fill out to help their customers develop backup plans.\r\nPhishing email used in the first campaign (Bitdefender)\r\nHowever, the ZIP archive contains the Agent Tesla RAT, which has been heavily used in various phishing campaigns in the\r\npast.\r\nMost (83%) of the 
phishing emails in this campaign originated from the Netherlands, while the targets are based in the\r\nCzech Republic (14%), South Korea (23%), Germany (10%), the UK (10%), and the US (8%).\r\nFake order holds\r\nThe second campaign involves the impersonation of a South Korean healthcare company that manufactures in-vitro\r\ndiagnostic systems.\r\nThe message to targets claims that all orders have been put on hold due to flight and shipment restrictions from Ukraine.\r\nPhishing email used in the second campaign (Bitdefender)\r\nThe attached Excel document supposedly contains more details about the order, but in reality, it’s a macro-laced file that\r\nexploits the ever-popular, four-year-old Microsoft Office Equation Editor vulnerability tracked as CVE-2017-11882\r\nto deliver the Remcos RAT on the system.\r\n89% of these emails originate from German IP addresses, while the recipients are based in Ireland (32%), India (17%), and\r\nthe US (7%).\r\nCrypto-donation scams on the rise\r\nBitdefender also reports seeing an explosion in the number of scammers who attempt to convince users they are legitimate\r\ncharities collecting donations to support Ukraine.\r\nThese scams have intensified, with malicious actors impersonating the Ukrainian government, the Act for Peace, UNICEF,\r\nand the Ukraine Crisis Relief Fund.\r\nCrypto-donations scam email (Bitdefender)\r\nSome example subject lines used by the scammers are: \r\nStand with the people of Ukraine. Now accepting cryptocurrency donations. Bitcoin, Ethereum, and USDT.\r\nHELP UKRAINE stop the war!\r\nUkraine Humanitarian Donation\r\nDonate to Ukraine, Help save a life: Please read\r\nUrgent! 
Help Children in Ukraine\r\nSubject: Help Ukraine\r\nStay safe\r\nIn general, but especially during periods of turbulence and uncertainty, avoid clicking on links or downloading attachments\r\narriving at your inbox via unsolicited communications.\r\nIf you want to donate to Ukraine, consider donating directly to the Save Life organization or the Ukrainian Red Cross. Also,\r\nthe official Ukraine government has published the following cryptocurrency addresses to use for donations.\r\nStand with the people of Ukraine. Now accepting cryptocurrency donations. Bitcoin, Ethereum and USDT.\r\nBTC - 357a3So9CbsNfBBgFYACGvxxS6tMaDoa1P\r\nETH and USDT (ERC-20) - 0x165CD37b4C644C2921454429E7F9358d18A45e14\r\n— Ukraine / Україна (@Ukraine) February 26, 2022\r\nFor protection against phishing emails and other online threats, the Romanian National Cyber Security Directorate (DNSC)\r\nand Bitdefender offer free protection for citizens and companies alike and extend the trial period of 'Total Security' to 90\r\ndays.\r\nSource: https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russia-ukraine-war-exploited-as-lure-for-malware-distribution/"
	],
	"report_names": [
		"russia-ukraine-war-exploited-as-lure-for-malware-distribution"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434518,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0da0a92f2429c2614a5d8e649c090fa757df3d11.pdf",
		"text": "https://archive.orkl.eu/0da0a92f2429c2614a5d8e649c090fa757df3d11.txt",
		"img": "https://archive.orkl.eu/0da0a92f2429c2614a5d8e649c090fa757df3d11.jpg"
	}
}