{
	"id": "24320ced-2b66-4622-93d5-7e336e0c47de",
	"created_at": "2026-04-06T00:08:14.422617Z",
	"updated_at": "2026-04-10T03:37:09.200756Z",
	"deleted_at": null,
	"sha1_hash": "6fcec594d6b01914eda3dea5dcfd0ebd3152d456",
	"title": "Sandworm-linked hackers target users of Ukraine’s military app in new spying campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80136,
	"plain_text": "Sandworm-linked hackers target users of Ukraine’s military app in\r\nnew spying campaign\r\nBy Daryna Antoniuk\r\nPublished: 2024-12-19 · Archived: 2026-04-05 17:18:57 UTC\r\nUkrainian soldiers have become the target of a new espionage campaign linked to the notorious Russian state-sponsored threat actor Sandworm, according to a recent report.\r\nAs part of the operation, the hackers create fraudulent websites that mimic the official page of a Ukrainian\r\nmilitary app, Army+, tricking users into downloading an executable file disguised as an app installation package.\r\nArmy+ has received significant attention from Ukraine’s government recently. The app, introduced earlier this\r\nyear, aims to digitize bureaucratic tasks for soldiers, such as submitting reports to commanders.\r\nAccording to a report from Ukraine’s military computer emergency response team (MIL.CERT-UA), the fake\r\nArmy+ websites are hosted on a “serverless” platform, Cloudflare Workers, that deploys applications. Hackers\r\noften exploit legitimate services to obscure their operations and make fraudulent websites appear more convincing\r\nto potential victims.\r\nThe executable file delivered through the malicious Army+ app is an installer crafted with NSIS (Nullsoft\r\nScriptable Install System), a tool frequently used by developers to create software installation packages.\r\nWhen executed, the file activates a malicious program that grants hackers hidden access to the computer, sends\r\nconfidential data through the anonymized Tor network, and allows the hackers to further compromise the targeted\r\nsystems.\r\nThe hacker group behind this recent campaign is tracked by CERT-UA as UAC-0125 and is “highly likely” to be\r\nlinked to the notorious Russian threat actor APT44, also known as Sandworm, MIL.CERT-UA said.\r\nSandworm is responsible for major cyberattacks targeting Ukraine, including the 2015 disruption of the country’s\r\npower grid using BlackEnergy malware, the 2017 destructive attack against Ukrainian government agencies,\r\nenergy companies, and critical infrastructure with NotPetya malware, and the 2023 hack of Ukraine’s largest\r\ntelecom operator, Kyivstar. Sandworm hackers are believed to be associated with Russia’s military intelligence\r\nservice (GRU).\r\nUkrainian researchers have not provided many details about the Army+ hack, likely due to the sensitivity of the\r\ntopic. It remains unclear how the malicious websites were distributed, how successful the attack was, how many\r\nusers were affected, and what the ultimate goal of the operation is.\r\nUkrainian soldiers and the services they use have become a popular target for hackers associated with Russia,\r\nincluding Sandworm.\r\nhttps://therecord.media/ukraine-military-app-espionage-russia-sandworm\r\nPage 1 of 3\n\nGoogle-owned Mandiant discovered earlier this year that Sandworm hackers established an infrastructure\r\nallowing Russian military forces to exfiltrate encrypted Telegram and Signal communications from mobile devices\r\ncaptured on the battlefield.\r\nIn October, Ukrainian researchers described a new Russia-linked cyber campaign targeting Ukrainian draft-age\r\nmen with information-stealing malware. As part of this campaign, the hackers promoted “free software programs”\r\npurportedly designed to help potential Ukrainian conscripts view and share crowdsourced locations of military\r\nrecruiters. Once installed, these programs delivered malware alongside a decoy app, tracked as Sunspinner.\r\nEarlier in April, CERT-UA reported that hackers had increasingly attempted to plant data-stealing malware on\r\nmessaging apps used by the Ukrainian armed forces. To trick victims into opening malicious files, hackers\r\ndisguised them as fake court documents, videos from the frontlines, or archives.\n\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/ukraine-military-app-espionage-russia-sandworm",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/ukraine-military-app-espionage-russia-sandworm"
	],
	"report_names": [
		"ukraine-military-app-espionage-russia-sandworm"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fcec594d6b01914eda3dea5dcfd0ebd3152d456.pdf",
		"text": "https://archive.orkl.eu/6fcec594d6b01914eda3dea5dcfd0ebd3152d456.txt",
		"img": "https://archive.orkl.eu/6fcec594d6b01914eda3dea5dcfd0ebd3152d456.jpg"
	}
}