{
	"id": "54688de0-f5ca-4945-a518-63b286f17d92",
	"created_at": "2026-04-06T00:19:35.562463Z",
	"updated_at": "2026-04-10T13:12:55.951936Z",
	"deleted_at": null,
	"sha1_hash": "923ef021def5a8e58da1bc92c7193b16d209b783",
	"title": "Ukraine CERT-UA warns of new attacks launched by Russia-linked Armageddon APT - Security Affairs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56737,
	"plain_text": "Ukraine CERT-UA warns of new attacks launched by Russia-linked Armageddon APT - Security Affairs\r\nBy Pierluigi Paganini\r\nPublished: 2022-05-15 · Archived: 2026-04-05 13:30:07 UTC\r\nUkraine Computer Emergency Response Team (CERT-UA) reported a phishing\r\ncampaign conducted by Armageddon APT using GammaLoad.PS1_v2 malware.\r\nUkraine Computer Emergency Response Team (CERT-UA) reported a phishing campaign using messages with\r\nsubject “On revenge in Kherson!” and containing the “Plan Kherson.htm” attachment.\r\nThe HTM-file will decode and create an archive named “Herson.rar”, which contains a file-shortcut named “Plan\r\nof approach and planting explosives on the objects of critical infrastructure of Kherson.lnk”.\r\nUkraine CERT-UA\r\nUpon clicking on the link file, the HTA-file “precarious.xml” is loaded and executed, leading to the creation and\r\nexecution of files “desktop.txt” and “user.txt”.\r\nIn the last stage of the attack chain, the GammaLoad.PS1_v2 malware is downloaded and executed on the victim’s\r\ncomputer.\r\nThe government experts attribute the attack to the Russia-linked Armageddon APT (UAC-0010)\r\n(aka Gamaredon, Primitive Bear, Armageddon, Winterflounder, or Iron Tilden) which was involved in a long\r\nstring of attacks against the local state organizations. \r\n“As a result, the malicious program GammaLoad.PS1_v2 will be downloaded to the computer (the mechanism of\r\ntaking a screenshot and sending it to the management server has been implemented).” reads the advisory\r\npublished by CERT-UA. 
“The activity is carried out by the group UAC-0010 (Armageddon).”\r\nThe Ukrainian CERT shared the indicators of compromise (IoCs) for this campaign.\r\nPlease vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 –\r\nVOTE FOR YOUR WINNERS\r\nVote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and\r\n“The Tech Whizz – Best Technical Blog” and others of your choice.\r\nTo nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  \r\nFollow me on Twitter: @securityaffairs and Facebook\r\nhttps://securityaffairs.co/wordpress/131296/breaking-news/cert-ua-warns-armageddon-apt.html\r\nPage 1 of 2\n\n[adrotate banner=”9″] [adrotate banner=”12″]\r\nPierluigi Paganini\r\n(SecurityAffairs – hacking, CERT-UA)\r\n[adrotate banner=”5″]\r\n[adrotate banner=”13″]\r\nSource: https://securityaffairs.co/wordpress/131296/breaking-news/cert-ua-warns-armageddon-apt.html\r\nhttps://securityaffairs.co/wordpress/131296/breaking-news/cert-ua-warns-armageddon-apt.html\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityaffairs.co/wordpress/131296/breaking-news/cert-ua-warns-armageddon-apt.html"
	],
	"report_names": [
		"cert-ua-warns-armageddon-apt.html"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434775,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/923ef021def5a8e58da1bc92c7193b16d209b783.pdf",
		"text": "https://archive.orkl.eu/923ef021def5a8e58da1bc92c7193b16d209b783.txt",
		"img": "https://archive.orkl.eu/923ef021def5a8e58da1bc92c7193b16d209b783.jpg"
	}
}