{
	"id": "7e64d343-c5e4-4ac5-b193-89247ec755f0",
	"created_at": "2026-04-06T00:09:56.300685Z",
	"updated_at": "2026-04-10T13:12:33.982006Z",
	"deleted_at": null,
	"sha1_hash": "5f13a07f6362d64002c67f0e9cc812ee3516de6a",
	"title": "RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure | RiskIQ",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48215,
	"plain_text": "RiskIQ Threat Intelligence Roundup: Campaigns Targeting\r\nUkraine and Global Malware Infrastructure | RiskIQ\r\nPublished: 2022-03-15 · Archived: 2026-04-05 17:27:14 UTC\r\nThe cybersecurity community has published impactful research uncovering and tracking cyberattacks against\r\nUkrainian citizens, refugees, and armed forces. RiskIQ is leveraging our global telemetry to add to this research\r\nhowever we can, including shining light on new tactics and threat infrastructure and publishing as many new\r\nthreat indicators as we can.\r\nThis roundup will highlight our researchers' focus on these campaigns, including analyzing phishing attacks\r\ntargeting Ukrainian refugees. We'll also add insight to other threat campaigns worldwide, including malware\r\ncampaigns, nation-state threat infrastructure, and Magecart digital credit card skimming, all of which can be found\r\nin the RiskIQ Threat Intelligence Portal (TIP).\r\nA Closer Look at Campaigns Targeting Ukraine\r\nFraudulent Website Spoofing UNHCR for Ukrainian Refugees Seeks Bitcoin Donations: RiskIQ researchers\r\nidentified a fraudulent domain (unhcr-ukraine[.]org) spoofing the UN High Commissioner for Refugees (UNHCR) Ukraine\r\nwebsite. The attackers used HTTrack, a popular website-copying tool that is frequently abused to clone legitimate sites.\r\nIn this case, HTTrack was used to replicate the legitimate UNHCR website to trick people into \"donating\" Bitcoin\r\nin support of refugees.\r\nTwo QR codes were on the donation page of the fraudulent UNHCR website, generated for Binance and\r\nEthereum. The threat actor attempted to lure users to this fraudulent website via Reddit forums. Their account,\r\n'asetinzjr,' spammed many different subreddits with the same post, seeking donations via the phony site.\r\nUNC1151/GhostWriter Phishing Attacks Target Ukrainian Soldiers: RiskIQ researchers analyzed domains\r\npublished by CERT-UA known to be used by UNC1151, also known as GhostWriter, for phishing attacks against\r\nUkrainian soldiers. They uncovered dozens more probable phishing domains tied to the group, with several still\r\nactive and resolving to known IPs.\r\nBased on overlaps in actor infrastructure and WHOIS registration data, RiskIQ has also identified 38 additional historical and active domains\r\nassociated with this group. Of those 38 domains, some are still active and resolving\r\nto IP addresses in the RiskIQ PDNS database. You can read more about this campaign in Dark Reading.\r\nConti Ransomware Operation Leaks: The Conti ransomware operation suffered a massive data leak in late\r\nFebruary and early March, exposing over 160,000 messages between Conti operators, source code for the\r\nransomware, raw data files, and proof of Conti's direct connection with Trickbot malware operations. The group\r\nbehind the Conti operation made public announcements supporting Russia's invasion of Ukraine, which appear to\r\nhave triggered the leaks. Wizard Spider, the threat group behind Conti and Ryuk ransomware, originates from\r\nEastern Europe and Russia and has known associations with the Russian government.\r\nAn anonymous pro-Ukrainian security researcher, likely with inside connections to the Conti group, doxxed\r\nTrickbot and Conti operation members by leaking personal information and private messages to the public. They\r\nalso released a decryptor for the ransomware decoy \"HermeticRansom,\" used against Ukrainian entities. The\r\ntroves of leaked information amount to tens of thousands of indicators, including C2 infrastructure for Conti\r\nand Trickbot operations. RiskIQ has worked to aggregate many of these from open sources and will continue to\r\nupdate reporting related to this leak, Conti operations, Trickbot malware, and other Wizard Spider activity.\r\nMalware Rundown\r\nMalware Linked to Upwork Post Seeking Content Writer for a \"Newly Developed Application\" Deploys\r\nDCRat: Discord's free infrastructure continues to be leveraged by threat actors to support their campaigns.\r\nRecently, RiskIQ detected a trojan file hosted on Discord's CDN that contacts multiple URLs that eventually drop\r\nDCRat, an open-source remote access tool posted to GitHub.\r\nVirusTotal provided a second file name for this malware file, also hosted on Discord's CDN. An open-source\r\nsearch on this second filename revealed a job post seeking a content writer for a \"newly developed application\" on\r\nthe freelancing website Upwork. As of February 28, the Upwork posting indicated 5-10 people had submitted\r\nproposals for the project. Through infrastructure analysis in RiskIQ's Threat Intelligence Graph, researchers\r\nconnected more than 52 files and domains to this campaign; they are listed in the RiskIQ TIP.\r\nAnalysis of C2 Servers Related to \"SunSeed\" Malware Campaign: Proofpoint released an analysis of\r\nspearphishing attacks targeting European governments through a compromised email account belonging to a\r\nUkrainian armed services member. The Principal Threat Analyst at Microsoft's Threat Intelligence Center\r\n(MSTIC), Ben Koehl, subsequently tweeted a list of IP addresses related to the reported activity. RiskIQ analysis\r\nof responses from these servers, coupled with VirusTotal data, yields potential additional infrastructure associated\r\nwith this threat actor.\r\nMagecart Injected URLs and C2 Domains: RiskIQ technology detected 176 Magecart and skimmer injected\r\nURLs and 214 unique C2 domains used by known Magecart threat actors. Note that many of these URLs\r\nbelong to legitimate, compromised websites and that some C2 domains may likewise be legitimate but compromised.\r\nStay Up to Date with the RiskIQ TIP\r\nRiskIQ's Threat Intelligence Portal (TIP) sources hundreds of OSINT and original RiskIQ research articles\r\nenriched with indicators from the RiskIQ Global Collection Network, which spans over 2,500 networks globally\r\nand generates billions of events daily from open and closed sources. We'll continue to update the TIP with daily\r\ninsights on existing and emerging campaigns and threat groups to give users more timely and actionable\r\nintelligence as current threat actors and campaigns evolve and new ones emerge.\r\nBe sure to sign up today so you can stay up to speed on this rapidly evolving global threat landscape.\r\nSource: https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20220527112908/https://www.riskiq.com/blog/labs/ukraine-malware-infrastructure/"
	],
	"report_names": [
		"ukraine-malware-infrastructure"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445",
				"UAC-0051",
				"UNC1151"
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23",
				"Periwinkle Tempest",
				"Wizard Spider"
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434196,
	"ts_updated_at": 1775826753,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f13a07f6362d64002c67f0e9cc812ee3516de6a.pdf",
		"text": "https://archive.orkl.eu/5f13a07f6362d64002c67f0e9cc812ee3516de6a.txt",
		"img": "https://archive.orkl.eu/5f13a07f6362d64002c67f0e9cc812ee3516de6a.jpg"
	}
}