{
	"id": "0c24090a-2dcd-4780-9bfd-c37b1b55c044",
	"created_at": "2026-04-06T00:22:24.404962Z",
	"updated_at": "2026-04-10T03:33:20.226862Z",
	"deleted_at": null,
	"sha1_hash": "5725f0c6a3d7d3148f4de364e2e2a530e70fb7cf",
	"title": "Disrupting FlyingYeti's campaign targeting Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113465,
	"plain_text": "Disrupting FlyingYeti's campaign targeting Ukraine\r\nArchived: 2026-04-05 15:16:07 UTC\r\nOverview\r\nIn April and May of 2024, Cloudforce One employed proactive defense measures to successfully prevent Russia-aligned threat actor FlyingYeti from launching their latest phishing campaign targeting Ukraine.\r\nCloudforce One is publishing the results of our investigation and real-time effort to detect, deny, degrade, disrupt,\r\nand delay threat activity by the Russia-aligned threat actor FlyingYeti during their latest phishing campaign\r\ntargeting Ukraine. At the onset of Russia’s invasion of Ukraine on February 24, 2022, Ukraine introduced a\r\nmoratorium on evictions and termination of utility services for unpaid debt. The moratorium ended in January\r\n2024, resulting in significant debt liability and increased financial stress for Ukrainian citizens. The FlyingYeti\r\ncampaign capitalized on anxiety over the potential loss of access to housing and utilities by enticing targets to\r\nopen malicious files via debt-themed lures. If opened, the files would result in infection with the PowerShell\r\nmalware known as COOKBOX, allowing FlyingYeti to support follow-on objectives, such as installation of\r\nadditional payloads and control over the victim’s system.\r\nSince April 26, 2024, Cloudforce One has taken measures to prevent FlyingYeti from launching their phishing\r\ncampaign – a campaign involving the use of Cloudflare Workers and GitHub, as well as exploitation of the\r\nWinRAR vulnerability CVE-2023-38831. Our countermeasures included internal actions, such as detections and\r\ncode takedowns, as well as external collaboration with third parties to remove the actor’s cloud-hosted malware.\r\nOur effectiveness against this actor prolonged their operational timeline from days to weeks. For example, in a\r\nsingle instance, FlyingYeti spent almost eight hours debugging their code as a result of our mitigations. 
By\r\nemploying proactive defense measures, we successfully stopped this determined threat actor from achieving their\r\nobjectives.\r\nExecutive summary\r\nOn April 18, 2024, Cloudforce One detected the Russia-aligned threat actor FlyingYeti preparing to launch\r\na phishing espionage campaign targeting individuals in Ukraine.\r\nWe discovered the actor used similar tactics, techniques, and procedures (TTPs) as those detailed in\r\nUkrainian CERT's article on UAC-0149, a threat group that has primarily targeted Ukrainian defense\r\nentities with COOKBOX malware since at least the fall of 2023.\r\nFrom mid-April to mid-May, we observed FlyingYeti conduct reconnaissance activity, create lure content\r\nfor use in their phishing campaign, and develop various iterations of their malware. We assessed that the\r\nthreat actor intended to launch their campaign in early May, likely following Orthodox Easter.\r\nAfter several weeks of monitoring actor reconnaissance and weaponization activity (Cyber Kill Chain\r\nStages 1 and 2), we successfully disrupted FlyingYeti’s operation moments after the final COOKBOX\r\npayload was built.\r\nhttps://www.cloudflare.com/threat-intelligence/research/report/disrupting-flyingyetis-campaign-targeting-ukrainev/\r\nPage 1 of 12\n\nThe payload included an exploit for the WinRAR vulnerability CVE-2023-38831, which FlyingYeti will\r\nlikely continue to use in their phishing campaigns to infect targets with malware.\r\nWe offer steps users can take to defend themselves against FlyingYeti phishing operations, and also provide\r\nrecommendations, detections, and indicators of compromise.\r\nWho is FlyingYeti?\r\nFlyingYeti is the cryptonym given by Cloudforce One to the threat group behind this phishing campaign, which\r\noverlaps with UAC-0149 activity tracked by CERT-UA in February and April 2024. 
The threat actor uses dynamic\r\nDNS (DDNS) for their infrastructure and leverages cloud-based platforms for hosting malicious content and for\r\nmalware command and control (C2). Our investigation of FlyingYeti TTPs suggests this is likely a Russia-aligned\r\nthreat group. The actor appears to primarily focus on targeting Ukrainian military entities. Additionally, we\r\nobserved Russian-language comments in FlyingYeti’s code, and the actor’s operational hours falling within the\r\nUTC+3 time zone.\r\nCampaign background\r\nIn the days leading up to the start of the campaign, Cloudforce One observed FlyingYeti conducting\r\nreconnaissance on payment processes for Ukrainian communal housing and utility services:\r\nApril 22, 2024 – research into changes made in 2016 that introduced the use of QR codes in payment\r\nnotices\r\nApril 22, 2024 – research on current developments concerning housing and utility debt in Ukraine\r\nApril 25, 2024 – research on the legal basis for restructuring housing debt in Ukraine as well as debt\r\ninvolving utilities, such as gas and electricity\r\nCloudforce One judges that the observed reconnaissance is likely due to the Ukrainian government’s payment\r\nmoratorium introduced at the start of the full-fledged invasion in February 2022. Under this moratorium,\r\noutstanding debt would not lead to evictions or termination of provision of utility services. However, on January\r\n9, 2024, the government lifted this ban, resulting in increased pressure on Ukrainian citizens with outstanding\r\ndebt. 
FlyingYeti sought to capitalize on that pressure, leveraging debt restructuring and payment-related lures in\r\nan attempt to increase their chances of successfully targeting Ukrainian individuals.\r\nAnalysis of the Komunalka-themed phishing site\r\nThe disrupted phishing campaign would have directed FlyingYeti targets to an actor-controlled GitHub page at\r\nhxxps[:]//komunalka[.]github[.]io, which is a spoofed version of the Kyiv Komunalka communal housing site\r\nhttps://www.komunalka.ua. Komunalka functions as a payment processor for residents in the Kyiv region and\r\nallows for payment of utilities, such as gas, electricity, telephone, and Internet. Additionally, users can pay other\r\nfees and fines, and even donate to Ukraine’s defense forces.\r\nBased on past FlyingYeti operations, targets may be directed to the actor’s GitHub page via a link in a phishing\r\nemail or an encrypted Signal message. If a target accesses the spoofed Komunalka platform at\r\nhxxps[:]//komunalka[.]github[.]io, the page displays a large green button with a prompt to download the document\r\n“Рахунок.docx” (“Invoice.docx”), as shown in Figure 1. 
This button masquerades as a link to an overdue payment\r\ninvoice but actually results in the download of the malicious archive “Заборгованість по ЖКП.rar” (“Debt for\r\nhousing and utility services.rar”).\r\nFigure 1: Prompt to download malicious archive “Заборгованість по ЖКП.rar”\r\nA series of steps must take place for the download to successfully occur:\r\nThe target clicks the green button on the actor’s GitHub page hxxps[:]//komunalka.github[.]io\r\nThe target’s device sends an HTTP POST request to the Cloudflare\r\nWorker worker-polished-union-f396[.]vqu89698[.]workers[.]dev\r\nwith the HTTP request body set to “user=Iahhdr”\r\nThe Cloudflare Worker processes the request and evaluates the HTTP request body\r\nIf the request conditions are met, the Worker fetches the RAR file from\r\nhxxps[:]//raw[.]githubusercontent[.]com/\r\nkudoc8989/project/main/Заборгованість по ЖКП.rar, which is then downloaded\r\non the target’s device\r\nCloudforce One identified the infrastructure responsible for facilitating the download of the malicious RAR file\r\nand remediated the actor-associated Worker, preventing FlyingYeti from delivering its malicious tooling. In an\r\neffort to circumvent Cloudforce One's mitigation measures, FlyingYeti later changed their malware delivery\r\nmethod. Instead of the Workers domain fetching the malicious RAR file, it was loaded directly from GitHub.\r\nAnalysis of the malicious RAR file\r\nDuring remediation, Cloudforce One recovered the RAR file “Заборгованість по ЖКП.rar” and performed\r\nanalysis of the malicious payload. The downloaded RAR archive contains multiple files, including a file with a\r\nname that contains the unicode character “U+201F”. This character appears as whitespace on Windows devices\r\nand can be used to “hide” file extensions by adding excessive whitespace between the filename and the file\r\nextension. 
As highlighted in blue in Figure 2, this cleverly named file within the RAR archive appears to be a PDF\r\ndocument but is actually a malicious CMD file (“Рахунок на оплату.pdf[unicode character U+201F].cmd”).\r\nFigure 2: Files contained in the malicious RAR archive “Заборгованість по ЖКП.rar” (“Housing Debt.rar”)\r\nFlyingYeti included a benign PDF in the archive with the same name as the CMD file but without the unicode\r\ncharacter, “Рахунок на оплату.pdf” (“Invoice for payment.pdf”). Additionally, the directory name for the archive\r\nonce decompressed also contained the name “Рахунок на оплату.pdf”. This overlap in names of the benign PDF\r\nand the directory allows the actor to exploit the WinRAR vulnerability CVE-2023-38831. More specifically, when\r\nan archive includes a benign file with the same name as the directory, the entire contents of the directory are\r\nopened by the WinRAR application, resulting in the execution of the malicious CMD. In other words, when the\r\ntarget believes they are opening the benign PDF “Рахунок на оплату.pdf”, the malicious CMD file is executed.\r\nThe CMD file contains the FlyingYeti PowerShell malware known as COOKBOX. The malware is designed to\r\npersist on a host, serving as a foothold in the infected device. Once installed, this variant of COOKBOX will make\r\nrequests to the DDNS domain postdock[.]serveftp[.]com for C2, awaiting PowerShell cmdlets that the malware\r\nwill subsequently run.\r\nAlongside COOKBOX, several decoy documents are opened, which contain hidden tracking links using the\r\nCanary Tokens service. 
The first document, shown in Figure 3 below, poses as an agreement under which debt for\r\nhousing and utility services will be restructured.\r\nFigure 3: Decoy document Реструктуризація боргу за житлово комунальні послуги.docx\r\n(Debt restructuring for housing and utility services.docx)\r\nThe second document (Figure 4) is a user agreement outlining the terms and conditions for the usage of the\r\npayment platform komunalka[.]ua.\r\nFigure 4: Decoy document Угода користувача.docx (User Agreement.docx)\r\nThe use of relevant decoy documents as part of the phishing and delivery activity is likely an effort by FlyingYeti\r\noperators to increase the appearance of legitimacy of their activities.\r\nThe phishing theme we identified in this campaign is likely one of many themes leveraged by this actor in a larger\r\noperation to target Ukrainian entities, in particular their defense forces. In fact, the threat activity we detailed in\r\nthis blog uses many of the same techniques outlined in a recent FlyingYeti campaign disclosed by CERT-UA in\r\nmid-April 2024, where the actor leveraged United Nations-themed lures involving Peace Support Operations to\r\ntarget Ukraine’s military. Due to Cloudforce One’s defensive actions covered in the next section, this latest\r\nFlyingYeti campaign was prevented as of the time of publication.\r\nMitigating FlyingYeti activity\r\nCloudforce One mitigated FlyingYeti’s campaign through a series of actions. Each action was taken to increase the\r\nactor’s cost of continuing their operations. When assessing which action to take and why, we carefully weighed\r\nthe pros and cons in order to provide an effective active defense strategy against this actor. Our general goal was\r\nto increase the amount of time the threat actor spent trying to develop and weaponize their campaign.\r\nWe were able to successfully extend the timeline of the threat actor’s operations from hours to weeks. 
At each\r\ninterdiction point, we assessed the impact of our mitigation to ensure the actor would spend more time attempting\r\nto launch their campaign. Our mitigation measures disrupted the actor’s activity, in one instance resulting in eight\r\nadditional hours spent on debugging code.\r\nDue to our proactive defense efforts, FlyingYeti operators adapted their tactics multiple times in their attempts to\r\nlaunch the campaign. The actor originally intended to have the Cloudflare Worker fetch the malicious RAR file\r\nfrom GitHub. After Cloudforce One's interdiction of the Worker, the actor attempted to create additional Workers\r\nvia a new account. In response, we disabled all Workers, leading the actor to load the RAR file directly from\r\nGitHub. Cloudforce One notified GitHub, resulting in the takedown of the RAR file, the GitHub project, and\r\nsuspension of the account used to host the RAR file. In return, FlyingYeti began testing the option to host the\r\nRAR file on the file sharing sites pixeldrain and Filemail, where we observed the actor alternating the link on the\r\nKomunalka phishing site between the following:\r\nhxxps://pixeldrain[.]com/api/file/ZAJxwFFX?download=one\r\nhxxps://1014.filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nL-GF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA\u0026pk_vid=a3d82455433c8ad11715865826cf18f6\r\nWe notified GitHub of the actor’s evolving tactics, and in response GitHub removed the Komunalka phishing site.\r\nAfter analyzing the files hosted on pixeldrain and Filemail, we determined the actor uploaded dummy payloads,\r\nlikely to monitor access to their phishing infrastructure (FileMail logs IP addresses, and both file hosting sites\r\nprovide view and download counts). 
At the time of publication, we did not observe FlyingYeti upload the\r\nmalicious RAR file to either file hosting site, nor did we identify the use of alternative phishing or malware\r\ndelivery methods.\r\nA timeline of FlyingYeti’s activity and our corresponding mitigations can be found below.\r\nEvent timeline\r\nDate | Event Description\r\n2024-04-18 12:18 | Threat Actor (TA) creates a Worker to handle requests from a phishing site\r\n2024-04-18 14:16 | TA creates phishing site komunalka[.]github[.]io on GitHub\r\n2024-04-25 12:25 | TA creates a GitHub repo to host a RAR file\r\n2024-04-26 07:46 | TA updates the first Worker to handle requests from users visiting komunalka[.]github[.]io\r\n2024-04-26 08:24 | TA uploads a benign test RAR to the GitHub repo\r\n2024-04-26 13:38 | Cloudforce One identifies a Worker receiving requests from users visiting komunalka[.]github[.]io, observes its use as a phishing page\r\n2024-04-26 13:46 | Cloudforce One identifies that the Worker fetches a RAR file from GitHub (the malicious RAR payload is not yet hosted on the site)\r\n2024-04-26 19:22 | Cloudforce One creates a detection to identify the Worker that fetches the RAR\r\n2024-04-26 21:13 | Cloudforce One deploys real-time monitoring of the RAR file on GitHub\r\n2024-05-02 06:35 | TA deploys a weaponized RAR (CVE-2023-38831) to GitHub with their COOKBOX malware packaged in the archive\r\n2024-05-06 10:03 | TA attempts to update the Worker with link to weaponized RAR, the Worker is immediately blocked\r\n2024-05-06 10:38 | TA creates a new Worker, the Worker is immediately blocked\r\n2024-05-06 11:04 | TA creates a new account (#2) on Cloudflare\r\n2024-05-06 11:06 | TA creates a new Worker on account #2 (blocked)\r\n2024-05-06 11:50 | TA creates a new Worker on account #2 (blocked)\r\n2024-05-06 12:22 | TA creates a new modified Worker on account #2\r\n2024-05-06 16:05 | Cloudforce One disables the running Worker on account #2\r\n2024-05-07 22:16 | TA notices the Worker is blocked, ceases all operations\r\n2024-05-07 22:18 | TA deletes original Worker first created to fetch the RAR file from the GitHub phishing page\r\n2024-05-09 19:28 | Cloudforce One adds phishing page komunalka[.]github[.]io to real-time monitoring\r\n2024-05-13 07:36 | TA updates the github.io phishing site to point directly to the GitHub RAR link\r\n2024-05-13 17:47 | Cloudforce One adds COOKBOX C2 postdock[.]serveftp[.]com to real-time monitoring for DNS resolution\r\n2024-05-14 00:04 | Cloudforce One notifies GitHub to take down the RAR file\r\n2024-05-15 09:00 | GitHub user, project, and link for RAR are no longer accessible\r\n2024-05-21 08:23 | TA updates Komunalka phishing site on github.io to link to pixeldrain URL for dummy payload (pixeldrain only tracks view and download counts)\r\n2024-05-21 08:25 | TA updates Komunalka phishing site to link to FileMail URL for dummy payload (FileMail tracks not only view and download counts, but also IP addresses)\r\n2024-05-21 12:21 | Cloudforce One downloads PixelDrain document to evaluate payload\r\n2024-05-21 12:47 | Cloudforce One downloads FileMail document to evaluate payload\r\n2024-05-29 23:59 | GitHub takes down Komunalka phishing site\r\n2024-05-30 13:00 | Cloudforce One publishes the results of this investigation\r\nCoordinating our FlyingYeti response\r\nCloudforce One leveraged industry 
relationships to provide advanced warning and to mitigate the actor’s activity.\r\nTo further protect the intended targets from this phishing threat, Cloudforce One notified and collaborated closely\r\nwith GitHub’s Threat Intelligence and Trust and Safety Teams. We also notified CERT-UA and Cloudflare\r\nindustry partners such as CrowdStrike, Mandiant/Google Threat Intelligence, and Microsoft Threat Intelligence.\r\nHunting FlyingYeti operations\r\nThere are several ways to hunt FlyingYeti in your environment. These include using PowerShell to hunt for\r\nWinRAR files, deploying Microsoft Sentinel analytics rules, and running Splunk scripts as detailed below. Note\r\nthat these detections may identify activity related to this threat, but may also trigger on unrelated activity.\r\nPowerShell hunting\r\nConsider running a PowerShell script such as this one in your environment to identify exploitation of\r\nCVE-2023-38831. This script will interrogate WinRAR files for evidence of the exploit.\r\nCVE-2023-38831\r\nDescription: winrar exploit detection\r\nopen suspicious archives (.tar / .zip / .rar) and run this script to check them\r\nfunction winrar-exploit-detect() {\r\n  # Script-type extensions that the exploit runs in place of the decoy document\r\n  $targetExtensions = @(\".cmd\", \".ps1\", \".bat\")\r\n  $tempDir = [System.Environment]::GetEnvironmentVariable(\"TEMP\")\r\n  # WinRAR extracts the archive into %TEMP%\\Rar$... directories when a file is opened from the archive\r\n  $dirsToCheck = Get-ChildItem -Path $tempDir -Directory -Filter \"Rar*\" -ErrorAction SilentlyContinue\r\n  foreach ($dir in $dirsToCheck) {\r\n    $files = Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue\r\n    foreach ($file in $files) {\r\n      $fileName = $file.Name\r\n      $fileExtension = [System.IO.Path]::GetExtension($fileName)\r\n      if ($targetExtensions -contains $fileExtension) {\r\n        # \"Invoice.pdf<U+201F>.cmd\" -> \"Invoice.pdf<U+201F>\", then strip the trailing padding\r\n        # (whitespace, U+201F, stray dot) used to hide the script extension\r\n        $fileWithoutExtension = [System.IO.Path]::GetFileNameWithoutExtension($fileName)\r\n        $cmdFileName = ($fileWithoutExtension -replace '[\\s\\u201F]+$', '') -replace '\\.$', ''\r\n        # The decoy is a real file with the cleaned-up name in the same extraction directory\r\n        $secondFile = Join-Path -Path $dir.FullName -ChildPath $cmdFileName\r\n        if (Test-Path -LiteralPath $secondFile -PathType Leaf) {\r\n          Write-Host \"[!] Suspicious pair detected\"\r\n          Write-Host \"[*] Original File: $($secondFile)\" -ForegroundColor Green\r\n          Write-Host \"[*] Suspicious File: $($file.FullName)\" -ForegroundColor Red\r\n          # Read and display the content of the command file\r\n          $cmdFileContent = Get-Content -LiteralPath $file.FullName\r\n          Write-Host \"[+] Command File Content: $cmdFileContent\"\r\n        }\r\n      }\r\n    }\r\n  }\r\n}\r\nwinrar-exploit-detect\r\nMicrosoft Sentinel\r\nIn Microsoft Sentinel, consider deploying the rule provided below, which identifies processes started by a\r\ncmd.exe that was itself launched by WinRAR. Results generated by this rule may be indicative of attack activity on the endpoint and should be\r\nanalyzed.\r\nDeviceProcessEvents\r\n| where InitiatingProcessParentFileName has @\"winrar.exe\"\r\n| where InitiatingProcessFileName has @\"cmd.exe\"\r\n| project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine, AccountName\r\n| sort by Timestamp desc\r\nSplunk\r\nConsider using this script in your Splunk environment to look for WinRAR CVE-2023-38831 execution on your\r\nMicrosoft endpoints. 
Results generated by this script may be indicative of attack activity on the endpoint and\r\nshould be analyzed.\r\n| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=E\r\n| `drop_dm_object_name(Processes)`\r\n| `security_content_ctime(firstTime)`\r\n| `security_content_ctime(lastTime)`\r\n| `winrar_spawning_shell_application_filter`\r\nCloudflare product detections\r\nCloudflare Email Security\r\nCloudflare Email Security (CES) customers can identify FlyingYeti threat activity with the following detections.\r\nCVE-2023-38831\r\nFLYINGYETI.COOKBOX\r\nFLYINGYETI.COOKBOX.Launcher\r\nFLYINGYETI.Rar\r\nRecommendations\r\nCloudflare recommends taking the following steps to mitigate this type of activity:\r\nImplement Zero Trust architecture foundations:\r\nDeploy Cloud Email Security to ensure that email services are protected against phishing, BEC and\r\nother threats\r\nLeverage browser isolation to separate messaging applications like LinkedIn, email, and Signal\r\nfrom your main network\r\nScan, monitor and/or enforce controls on specific or sensitive data moving through your network\r\nenvironment with data loss prevention policies\r\nEnsure your systems have the latest WinRAR and Microsoft security updates installed\r\nConsider preventing WinRAR files from entering your environment, both at your Cloud Email Security\r\nsolution and your Internet Traffic Gateway\r\nRun an Endpoint Detection and Response (EDR) tool such as CrowdStrike or Microsoft Defender for\r\nEndpoint to get visibility into binary execution on hosts\r\nSearch your environment for the FlyingYeti indicators of compromise (IOCs) shown below to identify\r\npotential actor activity within your network\r\nIf you’re looking to uncover additional Threat Intelligence insights for your organization or need bespoke 
Threat\r\nIntelligence information for an incident, consider engaging with Cloudforce One by contacting your Customer\r\nSuccess manager or filling out this form.\r\nIndicators of Compromise\r\nFilename | SHA256 Hash | Description\r\nЗаборгованість по ЖКП.rar | a0a294f85c8a19be048ffcc05ede6fd5a7ac5e2f0032a3ca0050dc1ae960c314 | RAR archive\r\nРахунок на оплату.pdf.cmd | 0cca8f795c7a81d33d36d5204fcd9bc73bdc2af7de315c1449cbc3551ef4fb59 | COOKBOX Sample (contained in RAR archive)\r\nРеструктуризація боргу за житлово комунальні послуги.docx | 915721b94e3dffa6cef3664532b586be6cf989fec923b26c62fdaf201ee81d2c | Benign Word Document with Tracking Link (contained in RAR archive)\r\nУгода користувача.docx | 79a9740f5e5ea4aa2157d9d96df34ee49a32e2d386fe55fedfd1aa33e151c06d | Benign Word Document with Tracking Link (contained in RAR archive)\r\nРахунок на оплату.pdf | 19e25456c2996ded3e29577b609de54a2bef90dad8f868cdad795c18df05a79b | Random Binary Data (contained in RAR archive)\r\nЗаборгованість по ЖКП станом на 26.04.24.docx | e0d65e2d36afd3db1b603f10e0488cee3f58ade24d8abc6bee240314d8696708 | Random Binary Data (contained in RAR archive)\r\nDomain / URL | Description\r\nkomunalka[.]github[.]io | Phishing page\r\nhxxps[:]//github[.]com/komunalka/komunalka[.]github[.]io | Phishing page\r\nhxxps[:]//worker-polished-union-f396[.]vqu89698[.]workers[.]dev | Worker that fetches malicious RAR file\r\nhxxps[:]//raw[.]githubusercontent[.]com/kudoc8989/project/main/Заборгованість по ЖКП.rar | Delivery of malicious RAR file\r\nhxxps[:]//1014[.]filemail[.]com/api/file/get?filekey=e_8S1HEnM5Rzhy_jpN6nLGF4UAP533VrXzgXjxH1GzbVQZvmpFzrFA\u0026pk_vid=a3d82455433c8ad11715865826cf18f6 | Dummy payload\r\nhxxps[:]//pixeldrain[.]com/api/file/ZAJxwFFX?download= | Dummy payload\r\nhxxp[:]//canarytokens[.]com/stuff/tags/ni1cknk2yq3xfcw2al3efs37m/payments.js | Tracking link\r\nhxxp[:]//canarytokens[.]com/stuff/terms/images/k22r2dnjrvjsme8680ojf5ccs/index.html | Tracking link\r\nAbout Cloudforce One\r\nCloudflare’s mission is to help build a better Internet. And a better Internet can only exist with forces of good that\r\ndetect, disrupt and degrade threat actors who seek to erode trust and bend the Internet for personal or political\r\ngain. Enter Cloudforce One – Cloudflare’s dedicated team of world-renowned threat researchers, tasked with\r\npublishing threat intelligence to arm security teams with the necessary context to make fast, confident decisions.\r\nWe identify and defend against attacks with unique insight that no one else has.\r\nThe foundation of our visibility is Cloudflare’s global network – one of the largest in the world – which\r\nencompasses about 20% of the Internet. Our services are adopted by millions of users across every corner of the\r\nInternet, giving us unparalleled visibility into global events – including the most interesting attacks on the\r\nInternet. This vantage point allows Cloudforce One to execute real-time reconnaissance, disrupt attacks from the\r\npoint of launch, and turn intelligence into tactical success.\r\nSource: https://www.cloudflare.com/threat-intelligence/research/report/disrupting-flyingyetis-campaign-targeting-ukrainev/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cloudflare.com/threat-intelligence/research/report/disrupting-flyingyetis-campaign-targeting-ukrainev/"
	],
	"report_names": [
		"disrupting-flyingyetis-campaign-targeting-ukrainev"
	],
	"threat_actors": [
		{
			"id": "a1c739f9-e0b5-4a58-a720-1d88b318641b",
			"created_at": "2024-04-23T02:00:04.251052Z",
			"updated_at": "2026-04-10T02:00:03.633106Z",
			"deleted_at": null,
			"main_name": "UAC-0149",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0149",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7334c6d2-2582-4591-8c51-e7a170fbdbc9",
			"created_at": "2024-06-07T02:00:04.006593Z",
			"updated_at": "2026-04-10T02:00:03.64624Z",
			"deleted_at": null,
			"main_name": "FlyingYeti",
			"aliases": [
				"Flying Yeti",
				"Storm-1837"
			],
			"source_name": "MISPGALAXY:FlyingYeti",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5725f0c6a3d7d3148f4de364e2e2a530e70fb7cf.pdf",
		"text": "https://archive.orkl.eu/5725f0c6a3d7d3148f4de364e2e2a530e70fb7cf.txt",
		"img": "https://archive.orkl.eu/5725f0c6a3d7d3148f4de364e2e2a530e70fb7cf.jpg"
	}
}