{
	"id": "fa174c8f-0f77-43a3-a416-aada32e4936a",
	"created_at": "2026-04-06T00:19:55.056008Z",
	"updated_at": "2026-04-10T03:22:49.663633Z",
	"deleted_at": null,
	"sha1_hash": "5209e52c0a7ef33e20a25a7c727c29222394b0a0",
	"title": "Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple Spam Campaigns | Trustwave",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1232726,
	"plain_text": "Cyber Attackers Leverage Russia-Ukraine Conflict in Multiple\r\nSpam Campaigns | Trustwave\r\nBy Trustwave SpiderLabs\r\nPublished: 2022-03-25 · Archived: 2026-04-05 17:33:29 UTC\r\nMarch 25, 2022 4 Minute Read\r\nThe Trustwave SpiderLabs email security team has been monitoring the ongoing Russia-Ukraine crisis to ensure\r\nthat our clients are protected and aware of any imminent threats. This research blog captures some of the phishing\r\nemail threats we have discovered.\r\nWhenever there is a global event, threat actors are sure to take advantage of the situation. As the war between\r\nRussia and Ukraine continues, cybercriminals are pumping out spam emails that use the crisis as a lure.\r\nWe have observed attackers sending various spam types, ranging from crypto scams to malware emails and\r\nphishing.\r\nThis activity is not unusual. Over the years, we have seen social engineering emails attempt to take advantage of\r\nworld events such as the Olympics, the COVID-19 pandemic, natural disasters and more. So, it is not surprising\r\nthat Trustwave SpiderLabs researchers are coming across phishing emails that use the Russian-Ukrainian war as a\r\nlure.\r\nOver the first several weeks of the conflict, we uncovered several attack schemes. Some emails intend to spread\r\nmalware, while others gather personally identifiable information (PII). In all cases, the phishing attempts try to\r\ntake advantage of the empathy the world has for the human suffering that is taking place in Ukraine.\r\nPhishing in a Time of War\r\nThe invasion has caused a humanitarian disaster and displaced millions of Ukrainian citizens from their homes. In\r\nresponse, people from around the world have organized aid and donations. Scammers, unfortunately,\r\nhave taken note of this activity and, in an attempt to take advantage of these good-hearted people, are sending\r\nfraudulent emails asking for donations via cryptocurrency. 
\r\nScammers are playing with people’s emotions and are using fake heart-wrenching cries for help in this example\r\nbelow:\r\nhttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns\r\nPage 1 of 7\n\nThis message appears to be sent by a Ukrainian who has fled to Poland. The sender details the agonizing\r\nexperience their family has suffered and falsely claims that Poland is charging refugees an entry fee to enter the\r\ncountry. The email also states that Bitcoin is their only means of acquiring financial assistance. One indicator that\r\nthis email is fraudulent is that the sender address is from a free email service in Ukraine, but the reply-to field\r\ncontains an entirely different email address. Upon closer inspection, we can see that the sender's IP came from the\r\nUnited States.\r\nAnother scam attempts to take advantage of the refugees fleeing the war zone. In this case, a social engineering\r\nscheme was designed to take advantage of the very real evacuations now taking place throughout Ukraine by\r\npassing along fake evacuation information in an attempt to obtain personal information.\r\nEvacuation plan from: SBU\r\n(Urgent) -28.02.2022\r\noriginal: 399029\r\nSecurity Service of Ukraine\r\nGood afternoon, you need to get acquainted with the electronic evacuation plan from March 1, 2022,\r\nprovide data on the number of staff, fill out the document on the form 198 \\ 00-22 SBU-98.\r\nTo ensure the confidentiality of transmitted data, the password is set to the attachment: 2267903645\r\nOne of the most common tactics threat actors use while conducting phishing campaigns is brand impersonation.\r\nHere an email is used to impersonate a trusted entity. 
By disguising the message as coming from a recognizable\r\norganization, attackers are more likely to trick the users into divulging information or transferring money to a\r\nfraudulent account.\r\nIn the examples below, the message appears to be sent by the Ukrainian government.\r\nThe sender appears to have a legitimate government email address, but a further examination of the email header\r\nshows that the email originated from Lithuania. Another red flag is the fact that the domain “Ukraine.gov” is not\r\nofficially listed under the ownership of the Ukrainian government.\r\nInvestment Scam\r\nAside from the crypto scam, attackers are sending fraudulent messages regarding investment schemes. These\r\nspam messages are basically a spin-off of the classic “Nigerian Prince” scam and offer the victim the false\r\npromise of investment or inheritance to trick them into disclosing their bank information or remitting money\r\ndirectly to the scammers. \r\nOn the surface, this message appears to be sent by a Ukrainian who fled the country for safety. The person is\r\nasking for help to transfer a considerable amount of money to the recipient's country for investment purposes.\r\nThe email contains several tells that it is fake, besides the story itself.\r\nThe email address in the \"from\" field belongs to a company that is not based in Ukraine. The email also contains a\r\nseparate email address, which is entirely different from the sender's address and instead belongs to a free mail\r\nservice. This particular red flag is a common scammer tactic. The scammer spoofs the sender's address because\r\npeople are more likely to engage with the content of the email if the sender appears to be legitimate. 
The attacker\r\nalso created a false sense of urgency as the sender claims to be in danger.\r\nMalware Attachments in Spam Emails\r\nAlong with scam emails, malware-related spam is also being sent out to users. A common pretext being used in\r\nthese messages is the cancellation or postponement of business transactions due to the shutdown of many\r\nUkrainian establishments.\r\nThe email shown above uses an order shipment suspension to bait the user into opening the attachment. The\r\nattached Excel file supposedly contains the details of the transaction that they want to suspend.\r\nThe malicious Excel file exploits a vulnerability in the Microsoft Office Equation Editor, CVE-2017-11882. It\r\ndownloads an executable from http://136[.]144[.]41[.]109/HRE[.]exe. Finally, this executable file downloads the\r\nfinal payload, which is Remcos. Remcos is a remote access Trojan (RAT) that can give an attacker full control\r\nover its target’s system.\r\nIOC\r\nSUCT220002.xlsx\r\n4907309437e12932d437f8c3ae03fbfde7d4e196b6f1dc7f2d98e3a388ce585c\r\nhttp://136[.]144[.]41[.]109/HRE[.]exe\r\nfaef8505886bc30e045f0eb3f1422528cdab1fedc8e02c601605b41bd205d348\r\n0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799\r\nLog-In Attempt Phishing Emails\r\nAmidst the news of cyberattacks conducted by groups backing Russia, threat actors are pushing out phishing\r\nemails disguised as a sign-in attempt notification.\r\nIn this sample, the sender, who claims to be from the victim’s email security team, says there was a sign-in attempt\r\noriginating from Russia. The victim is required to verify their account and activate two-step verification. 
First, the attackers mimic the victim’s company domain and forge the sender's address, making it appear like a legitimate\r\nnotification email.\r\nThe embedded URL belongs to a web hosting platform and leads to a fake login site, also known as a Chameleon\r\nphishing page, that can mimic the logo of the company domain of the victim’s email address. It even has a\r\ncountdown timer to heighten the sense of urgency of the victim and make them divulge their credentials.\r\nThe Very Real Threat of Phishing Attacks\r\nOnce an employee clicks on a link in a phishing email, malicious activities can occur that could affect an\r\norganization – malware, ransomware, credential theft and more.\r\nFor example, Trustwave has spotted attackers distributing malware, including AgentTesla, through phishing\r\ncampaigns focused on Ukraine. AgentTesla has several features. A threat actor can use it as a keylogger, a\r\ndownloader, a password-stealer, and a screen-capturing tool. These abilities give it the power to record\r\nvarious data, including login credentials, or download and execute malware.\r\nTrustwave MailMarshal Secure Email Gateway can block these types of phishing and scam emails.\r\nThe Trustwave SpiderLabs Email Security Team Continues to Stay Vigilant\r\nCertainly, these Ukraine-related malicious mails won’t be the last that we’ll see. Cybercriminals will always\r\npiggyback on the current global crisis to make their profits. 
As always, we strongly advise users to never open\r\nemails, access links or click on attachments from unknown or unsolicited sources.\r\nSource: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns"
	],
	"report_names": [
		"cyber-attackers-leverage-russia-ukraine-conflict-in-multiple-spam-campaigns"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434795,
	"ts_updated_at": 1775791369,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5209e52c0a7ef33e20a25a7c727c29222394b0a0.pdf",
		"text": "https://archive.orkl.eu/5209e52c0a7ef33e20a25a7c727c29222394b0a0.txt",
		"img": "https://archive.orkl.eu/5209e52c0a7ef33e20a25a7c727c29222394b0a0.jpg"
	}
}