{
	"id": "c48c7416-7894-4ee6-8c99-a41e0fc33958",
	"created_at": "2026-04-06T00:11:54.370391Z",
	"updated_at": "2026-04-10T03:20:52.068034Z",
	"deleted_at": null,
	"sha1_hash": "4b19d9ec9abeb8d2714659d3c9d84db80dd4d7b3",
	"title": "Ukraine Hit with Novel ‘FoxBlade’ Trojan Hours Before Invasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77485,
	"plain_text": "Ukraine Hit with Novel ‘FoxBlade’ Trojan Hours Before Invasion\r\nBy Lisa Vaas\r\nPublished: 2022-03-01 · Archived: 2026-04-05 17:55:02 UTC\r\nMicrosoft detected cyberattacks launched against Ukraine hours before Russia’s tanks and missiles began to\r\npummel the country last week.\r\n“As tanks rolled into Ukraine, so did malware,” summarized humanitarian author Andreas Harsono, referring to\r\nthe novel malware that Microsoft has named FoxBlade.\r\nOn Monday, the company reported that its Threat Intelligence Center (MSTIC) had detected cyberattacks\r\nlaunched against Ukraine’s digital infrastructure hours before Russia’s tanks and missiles began to pummel the\r\ncountry on Thursday.\r\n“Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat\r\nIntelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against\r\nUkraine’s digital infrastructure,” Microsoft President and Vice-Chair Brad Smith said.\r\n“We immediately advised the Ukrainian government about the situation, including our identification of the use of\r\na new malware package (which we denominated FoxBlade), and provided technical advice on steps to prevent the\r\nmalware’s success.”\r\nSmith said that within three hours of discovering FoxBlade, Microsoft had added new signatures to its Defender\r\nanti-malware service to detect the exploit.\r\nFoxBlade Specifics\r\nMicrosoft has issued a Security Intelligence advisory about FoxBlade, which is a novel trojan.\r\nWhile the company shared neither technical specifics nor details about how FoxBlade achieves initial access on\r\ntargeted machines, the advisory did explain that “This trojan can use your PC for distributed denial-of-service\r\n(DDoS) attacks without your knowledge.”\r\nSuch attacks topped thousands daily in Q3 and were expected to keep growing, Kaspersky researchers reported in\r\nNovember 2021.\r\nBeyond launching DDoS attacks, FoxBlade also 
downloads and installs other programs – including other malware\r\n– onto infected systems, Microsoft advised.\r\n‘Precisely Targeted’\r\nhttps://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/\r\nPage 1 of 3\n\nThe cyberattacks – which were ongoing as of Monday, Smith said – have been “precisely targeted,” unlike the\r\nindiscriminate malware splattered in the NotPetya attack. The NotPetya cyberattack targeted hundreds of firms\r\nand hospitals worldwide in 2017, including Ukraine’s power grid.\r\nIn 2020, the U.S. Department of Justice (DOJ) charged six Russian nationals for their alleged part in the Ukraine\r\nand other cyberattacks.\r\nRegardless of the targeted nature of the current cyberattacks on Ukraine, Smith said Microsoft is still “especially\r\nconcerned” about recent cyberattacks aimed at Ukrainian civilian digital targets that have been more wide-ranging, including those fired at the financial sector, agriculture sector, emergency response services, humanitarian\r\naid efforts, and energy sector organizations and enterprises.\r\n“These attacks on civilian targets raise serious concerns under the Geneva Convention, and we have shared\r\ninformation with the Ukrainian government about each of them,” Smith said.\r\nMicrosoft has also advised the Ukrainian government about recent cyber efforts to steal a range of personally\r\nidentifiable information (PII), including PII related to health, insurance, transportation and other government data.\r\nMicrosoft has also passed on threat intelligence and defensive strategies to Ukraine’s government so that it could\r\nbetter defend against attacks on military institutions and manufacturers and several other Ukrainian government\r\nagencies.\r\n“This work is ongoing,” Smith said.\r\nThe Ongoing Cyberwar\r\nMicrosoft’s news about FoxBlade comes as just one of a continuing barrage of cyber assaults targeting both\r\nUkraine and Russia: a barrage that’s included the Conti 
ransomware gang proclaiming that it’s pro-Russia. Last\r\nweek, the extortionists blared out a warning on their blog, threatening to use Conti’s “full capacity” to retaliate\r\nin the face of “Western warmongers attempt to target critical infrastructure in Russia or any Russian-speaking\r\nregion of the world.”\r\nA pro-Ukraine Conti ransomware gang member subsequently spilled 13 months of the ransomware group’s chats,\r\npromising more still to come.\r\nAs well, ESET and Broadcom’s Symantec last week said that they had discovered a new data wiper malware\r\ndubbed HermeticWiper that’s been used against hundreds of machines in Ukraine. One of the malware samples\r\nwas compiled back on Dec. 28, pointing to the attacks having been readied two months ago.\r\nThen, on Jan. 13, a destructive wiper malware – posing as ransomware attacks – named WhisperGate began to\r\ntarget Ukrainian organizations: an attack that analysts said was likely part of Russia’s wider effort to undermine\r\nUkraine’s sovereignty.\r\nAs well, in mid-February, institutions central to Ukraine’s military and economy – including government and\r\nbanking websites – were slammed with a wave of DDoS attacks.\r\nCISA’s Take-Shelter Advice\r\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week warned that such attacks could spill\r\nover Ukraine’s borders.\r\n“Destructive malware can present a direct threat to an organization’s daily operations, impacting the availability of\r\ncritical assets and data,” CISA said. 
“Further disruptive cyberattacks against organizations in Ukraine are likely to\r\noccur and may unintentionally spill over to organizations in other countries.”\r\nOther threats related to the Ukraine/Russia crisis include the typical swarm of threat actors who jump into the fray\r\nto exploit the day’s headlines, which, in this situation, convey the haze and confusion of war. Case in point:\r\nMalwarebytes has uncovered a spate of malicious email bearing the subject line “Microsoft account unusual sign-in activity.”\r\nCISA provided this list of “Immediate Shields Up Actions” to protect against this wide range of cyber threats:\r\nPatch vulnerabilities.\r\nUse MFA.\r\nRun antivirus.\r\nEnable strong spam filters to prevent phishing emails from reaching end users.\r\nDisable ports and protocols that are not essential.\r\nStrengthen controls for cloud services.\r\nSource: https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatpost.com/microsoft-ukraine-foxblade-trojan-hours-before-russian-invasion/178702/"
	],
	"report_names": [
		"178702"
	],
	"threat_actors": [],
	"ts_created_at": 1775434314,
	"ts_updated_at": 1775791252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b19d9ec9abeb8d2714659d3c9d84db80dd4d7b3.pdf",
		"text": "https://archive.orkl.eu/4b19d9ec9abeb8d2714659d3c9d84db80dd4d7b3.txt",
		"img": "https://archive.orkl.eu/4b19d9ec9abeb8d2714659d3c9d84db80dd4d7b3.jpg"
	}
}