{
	"id": "d048531f-007a-46d4-8e26-3c2f177781c4",
	"created_at": "2026-04-06T01:32:08.357646Z",
	"updated_at": "2026-04-10T03:37:04.186078Z",
	"deleted_at": null,
	"sha1_hash": "78dca40a65171320d01fabb3160ece81b44f27ef",
	"title": "Cyberattacks are Prominent in the Russia-Ukraine Conflict",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3058474,
	"plain_text": "Cyberattacks are Prominent in the Russia-Ukraine Conflict\r\nBy Trend Micro Research\r\nPublished: 2022-03-03 · Archived: 2026-04-06 00:57:16 UTC\r\nCyber Threats\r\nAs Russia invaded Ukraine, our researchers have also observed a number of alleged cyberattacks perpetrated by\r\ndifferent groups. Our research teams have verified and validated internal data and external reports to provide\r\naccurate information that can be used to strengthen defenses against these attacks. We will continuously update\r\nthis blog with validated threats as more events unfold.\r\nBy: Trend Micro Research Mar 03, 2022 Read time: 8 min (2238 words)\r\nUpdate as of March 8, 2022: Added new information about spam email spreading NEGASTEAL malware. The\r\nIOC document has been updated to add indicators.\r\nUpdate as of March 4, 2022: IOC document has been updated to add more indicators.\r\nRussia's invasion of Ukraine that started on February 24 has been in focus in the news. Alongside the physical\r\nbattles that are on the ground, there have also been alleged cyberattacks perpetrated by different individuals, threat\r\nactors, and possibly even state-sponsored groups. \r\nThe extensive amount of information that has been making the rounds has made it difficult to ascertain the\r\nveracity of these cyberattacks, let alone accurately attribute them to a particular individual or group. It’s easy to\r\nspread misinformation online, and there is plenty of incentive for many parties to do so considering the important\r\nroles that information and intelligence play in this conflict. It is also possible that some threat actors are\r\ncapitalizing on the situation despite not being directly involved in the conflict. \r\nWe have compiled all the materials that our research teams have verified and validated in this blog entry to\r\nprovide our customers with accurate information that they can use for their benefit and protection. 
It’s important\r\nto note that we will continuously update this blog with validated threats as more events unfold. \r\nConti’s statement of support for the Russian government \r\nOn February 25, 2022, the Conti ransomware group announced both its “full support” of the\r\nRussian government and its intention to strike back at anyone who organizes cyberattacks or war activities against\r\nRussia. This message was posted on the Conti News leak website. \r\nA few hours after posting this statement, the group softened its stance, though it is unclear why. Conti is one of the\r\nmost professional groups among organized crime gangs (OCGs), and it has dedicated subgroups akin\r\nhttps://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html\r\nPage 1 of 14\n\nto departments in a traditional business. It is therefore possible that some members did not agree with the\r\ngroup’s initial statement and pushed back. \r\nFigure 1. Initial statement of the Conti ransomware group professing its support for the Russian\r\ngovernment\r\nFigure 2. The updated statement from Conti\r\nThe Conti intrusion set, which Trend Micro tracks under the moniker Water Goblin, has remained active despite\r\nother well-established ransomware groups shutting down in the wake of government sanctions. We also observed\r\na spike in the volume of activity for the BazarLoader malware — a key enabler for Conti attacks — since early\r\nFebruary 2022. \r\nConti chat logs leaked \r\nMeanwhile, external sources have reported on the chats of Conti operators being leaked by a Ukrainian security\r\nresearcher who had access to the back end of Conti's XMPP chat server. 
Trend Micro Research extracted the logs\r\nand found some artifacts that can be used to map some indicators of compromise (IOCs), which we list in a later\r\nsection of this blog. \r\nThe messages, which included ransom negotiations and Bitcoin addresses, can be used by security companies and\r\nlaw enforcement to identify the attack techniques and tools used by the Conti gang. \r\nConti’s onion site (contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion) is also currently active.\r\nBased on this, we identified some recent Conti files as Ransom.Win32.CONTI.SMYXBLD. \r\nStormous gang supports Russia\r\nWe are seeing some actors encouraging malicious deeds against both Ukrainians and Russians, but some groups do\r\nchoose to stand behind only one. The Stormous ransomware gang, known for website defacement and information\r\ntheft, represents itself as a group of Arabic-speaking hackers. The group has been active since 2021, and recently\r\nit officially announced its support for the Russian government and its intention to target Ukrainian government\r\ninstitutions such as the Ukrainian foreign ministry.\r\nFigure 3. The Stormous group’s announcement of its intent to target Ukraine, as seen on this\r\nsecurity researcher’s Twitter: https://twitter.com/Cyberknow20/status/1498434090206314498\r\nUpon analyzing a sample of the malware from the group, we found that after infiltration, the malware enables the\r\nactor to access and deploy different custom payloads to the affected server via remote upload and open-source\r\nresources like Pastebin. 
Its capabilities, which include dropping malware, encryption, and sending a ransom note,\r\ncan be hard to identify since the actor can modify encryption and decryption keys, as well as copy ransom\r\nmessages in the wild. Additionally, since the actor’s backdoor or ransomware is PHP-based, it can be modified on\r\nthe fly with minimal effort.\r\nFigure 4. Panels used by the Stormous ransomware group, with two selections: \"Backdoor\" and\r\n\"Python Ransomware\"\r\nOther notable findings \r\nIn addition, the Emotet botnets (Epochs 4 and 5) have remained highly active since Emotet’s resurgence in\r\nNovember 2021, with a few sporadic periods of inactivity. Both families continue to actively drop Cobalt Strike\r\nbeacons. \r\nBoth BazarLoader and Emotet continue to drop Cobalt Strike beacons as part of their second-stage infections.\r\nWith respect to Conti, we are tracking the regular deployment of new command-and-control (C\u0026C) infrastructure\r\nfor Cobalt Strike command beacons. It’s worth noting that we have not yet observed a Conti attack following an\r\nEmotet infection since November 2021. \r\nWe also have a snapshot of malicious activity showing how some actors may be trying to capitalize on the crisis.\r\nWe compared our January and February data and saw that malicious URLs and emails trying to lure users with the\r\nsubject of “Ukraine” increased steeply in the latter part of February.\r\nFigure 5. Malicious online and email activity referencing Ukraine in February 2022\r\nUkraine-related spam emails \r\nWe are seeing new scams and variants of older threats appear daily. Using our honeypot, we also found Ukraine-related spam emails that aim to take advantage of the situation via donations and other scams. These spam emails\r\nalso drop the Ave Maria malware. 
We provide IOCs in the relevant section of this blog.\r\nWe provide some examples here via the following screenshots:\r\nFigure 6. Examples of scams aiming to take advantage of the conflict\r\nTrend Micro continues to actively find and detect these threats before they can inflict damage on our customers.\r\nAnalyzing reports from CERT-UA\r\nReports from outside Trend Micro have provided valuable insights into the alleged cyberattacks. In particular, the\r\nComputer Emergency Response Team of Ukraine (CERT-UA) released important details on the\r\nattacks launched against Ukrainian targets. Our own threat researchers have also analyzed and investigated the\r\nlatest information. Below is a timeline of significant attacks recorded by CERT-UA.  \r\nFigure 7. Security incidents in Ukraine reported from January 2022 onward\r\nHostile activities in cyberspace are likely to increase as tension increases. Cyberattacks aimed at Ukraine might\r\nalso inadvertently extend to other countries, and unsuspecting targets might experience ricochets of attacks, similar\r\nto stray bullets. Therefore, it is important for everyone — regardless of geographical location —\r\nto be aware of incidents occurring in Ukraine. 
\r\nThe following sections provide both an analysis and an evaluation, conducted by Trend Micro, of three\r\ncyberattacks reported by CERT-UA.\r\nCyberattack using WhisperGate\r\nCERT-UA reported that between January 13 and 14, 2022, approximately 70 Ukrainian\r\ngovernment agency websites were attacked, resulting in the modification of website content and system\r\ncorruption. Supply chain attacks, OctoberCMS (a self-hosted content management system used by enterprises),\r\nand the Log4j vulnerability are suspected to be the points of entry.\r\nSome of these attacks involved system corruption by malware. The diagram in Figure 8 illustrates the infection\r\nchain of the malware observed in the attack. We list the malware names as identified by CERT-UA here.\r\nFigure 8. Relational diagram of malware seen in a cyberattack using WhisperGate\r\nBootPatch: This malware destroys the Master Boot Record (MBR) to make computers unbootable.\r\nWhisperGate: This malware downloads and executes an additional payload from the C\u0026C server constructed\r\non Discord. \r\nWhisperKill: This malware, downloaded by WhisperGate, destroys files with specific extensions.\r\nWhisperKill is designed to destroy and rename files in connected drives that match the file extensions shown in\r\nFigure 9. It then terminates and removes itself. WhisperKill enumerates drives A to Z and destroys files on drives\r\nthat are either Type 3 (DRIVE_FIXED) or 4 (DRIVE_REMOTE), as shown in Figure 10.\r\nFigure 9. List of file extension targets for destruction, defined in a malware sample\r\nFigure 10. 
File overwrite instruction\r\nOn February 24, there were also reports of another, more sophisticated wiper malware with the\r\nability to destroy the MBR and files in drives. The malware is called HermeticWiper (also known as FoxBlade).\r\nCyberattacks using SaintBot \r\nIn January 2022, there were reports of a series of cyberattacks that started from spear-phishing\r\nemails disguised as messages from the National Healthcare Service of Ukraine. The emails carried a\r\ndocument and two shortcut files as attachments, where one shortcut file downloads and executes the OutSteel malware using\r\nPowerShell. The OutSteel malware then downloads and executes the SaintBot malware. In February 2022, spear-phishing emails aiming to distribute the SaintBot malware disguised as messages from the Ukraine Police were\r\nalso reported. \r\nThe SaintBot malware is designed to be inactive when the Language Code Identifier (LCID) of the infected device\r\ncorresponds to Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova (as seen in Figure 11). The intent behind this is\r\nunclear, and the inclusion of Ukraine might be a mistake considering that the spear-phishing emails are clearly\r\ntargeting Ukraine.\r\nFigure 11. Instruction to check LCID\r\nThis malware sample attempts to bypass user account control (UAC) by exploiting Fodhelper, which was introduced\r\nin Windows 10. By executing Fodhelper and adding a registry entry (shown in Figure 12),\r\nSaintBot is able to execute its own copy in a startup folder with administrative privilege.\r\nFigure 12. Registry entry that enables UAC bypass by exploiting Fodhelper\r\nUpon callback, SaintBot collects information from the infected computers, then encrypts and encodes the data\r\nwith XOR and BASE64. 
The data is attached to a prefix and sent to the C\u0026C server with a POST request.\r\nThis malware sample holds the following C\u0026C servers:\r\nhxxp://8003659902[.]space/wp-adm/gate.php \r\nhxxp://smm2021[.]net/wp-adm/gate.php \r\nhxxp://8003659902[.]site/wp-adm/gate.php\r\nCyberattack conducted by Gamaredon\r\nGamaredon is a threat actor said to be active since 2013. In March 2020, attacks were observed in Japan and were\r\nconsidered stray bullets. In November 2021, the Security Service of Ukraine made a public announcement\r\nthat attributed Gamaredon to the Federal Security Service of the Russian Federation (FSB). The\r\nSecurity Service of Ukraine also published details of attack methodologies and a wiretapped voice recording.\r\nTrend Micro observed similar attack methodologies. \r\nAttacks start from spear-phishing emails with document files that cause a Remote Template Injection. In a\r\ncyberattack observed on February 1, 2022, a document template was downloaded that\r\nincluded an obfuscated malicious macro. The macro stealthily opens a document (~~AddFromString) where the\r\n“VZ01” function is executed (Application.Run \"VZ01\") then closes it. This is illustrated in Figure 13. \r\nThis method, where a malicious macro is inserted into another document, was observed in a past incident said to\r\nbe conducted by Gamaredon.\r\nFigure 13. Code that inserts and executes Visual Basic for Applications (VBA) code into a newly\r\nopened Word document\r\nThe decoded and inserted macro drops a VBScript at %APPDATA%:define (an alternate data stream, ADS), and then a scheduled task to\r\nexecute the script is registered. This script downloads and executes an additional payload from the C\u0026C server,\r\nsimilar to other attacks observed. 
The callback contains an infected PC ID in the User-Agent header, which is disguised as\r\na Yandex browser.\r\nThe following is the URL where the additional payload is requested:\r\nhxxp://\u003cIP address of deep.deserts.coagula[.]online\u003e/barefooted.cfg\u003cCurrent Time + 1 second\u003e (e.g.\r\nhxxp://10.172.0[.]3/barefooted.cfg2022/02/03%2020:49:31)\r\nIf the response content size is over 16,965 bytes, the downloaded content is stored as\r\n“%USERPROFILE%\\Downloads\\demand.exe.tmp” and is executed after being renamed to\r\n“%USERPROFILE%\\Downloads\\demand.exe”. \r\nFor specific mitigation measures against the cyberattacks listed previously, see our post here.\r\nSecurity recommendations and best practices \r\nMalicious activity continues to spread, and actors are using new tools and tricks to lure victims. In this section, we\r\ndiscuss mitigation measures to help prepare for a broad range of attacks:\r\nAvoid exposing infrastructure to the internet unless necessary.  \r\nEnsure that multifactor authentication (MFA) is enabled for all accounts, not just the important ones.\r\nEnsure the timely deployment of patches, prioritizing internet-facing infrastructure and sensitive systems\r\nsuch as domain controllers. \r\nImmediately activate incident response measures if there are red flags that indicate BazarLoader,\r\nEmotet, or Cobalt Strike activity.   \r\nFor more guidance on how to manage cyber risks, please see our earlier blog post here.    \r\nConclusion\r\nIn these tense circumstances, information is sent from conflicting viewpoints. Additionally, even if the same facts\r\nare reported correctly, impressions delivered might vary due to a difference in perspectives. \r\nIt is also worth noting that the issuance of false information is always a possibility — whether or not this is done\r\nintentionally. As a result of such information, unnecessary confusion and further division might ensue. 
The\r\nfollowing are some measures that our researchers take in order to understand information as correctly as possible:\r\nBe aware of the possibility of having assumptions (biases) and mistakes within the truth that we believe. \r\nBe aware that we might be at the center of propaganda.\r\nRecognize that there is no such thing as a completely neutral and impartial source of information.\r\nDistinguish between “facts” and “opinions” or “assumptions” within information.\r\nWhen possible, trace the primary source of important information. One way to do this would be to check\r\nthe source of quoted articles and review their full content and the context of their statements.\r\nRefer to a reliable source of information, such as articles reviewed by multiple experts before release, as\r\nwell as articles written by specialists.\r\nFor a full list of IOCs, please download this document.\r\nSource: https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/22/c/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html"
	],
	"report_names": [
		"cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439128,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78dca40a65171320d01fabb3160ece81b44f27ef.pdf",
		"text": "https://archive.orkl.eu/78dca40a65171320d01fabb3160ece81b44f27ef.txt",
		"img": "https://archive.orkl.eu/78dca40a65171320d01fabb3160ece81b44f27ef.jpg"
	}
}