{ "id": "90be83a8-68b8-48ea-91fc-9b2cd86d0b49", "created_at": "2026-04-06T00:21:28.0251Z", "updated_at": "2026-04-10T03:37:50.123786Z", "deleted_at": null, "sha1_hash": "9292b872d0c5097538b23db96f98eebd61ec3eba", "title": "Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 5683134, "plain_text": "Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap\r\nmalware\r\nBy Bill Toulas\r\nPublished: 2022-06-21 · Archived: 2026-04-05 15:23:59 UTC\r\nThe Ukrainian Computer Emergency Response Team (CERT) is warning that Russian hacking groups are exploiting the\r\nFollina code execution vulnerability in new phishing campaigns to install the CredoMap malware and Cobalt Strike\r\nbeacons.\r\nThe APT28 hacking group is believed to be sending emails containing a malicious document name \"Nuclear Terrorism A\r\nVery Real Threat.rtf.\". The threat actors selected the topic of this email to entice recipients to open it, exploiting the fear\r\nthat's spread among Ukrainians about a potential nuclear attack.\r\nThreat actors also used a similar tactic in May 2022, when CERT-UA identified the dissemination of malicious documents\r\nwarning about a chemical attack.\r\nhttps://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/\r\nPage 1 of 6\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/\r\nPage 2 of 6\n\nVisit Advertiser websiteGO TO PAGE\r\nThe RTF document used in the APT28 campaign attempts to exploit CVE-2022-30190, aka \"Follina,\" to download and\r\nlaunch the CredoMap malware (docx.exe) on a target's device.\r\nCredoMap infection process (CERT-UA)\r\nThis vulnerability is a flaw in the Microsoft Diagnostic Tool, exploited in the wild since at least April 2022, triggering\r\nmalicious downloads by simply opening a document file, or in the case of RTFs, merely viewing it in the Windows preview\r\npane.\r\nCredoMap is an unknown malware strain detected by several AV engines on Virus Total, with numerous vendors classifying\r\nit as a password-stealing Trojan.\r\nVirus Total scan results for CredoMap\r\nIn an associated report published by Malwarebytes today, the security analysts clarify that the payload is an info-stealer that\r\nAPT28 used against Ukrainian targets in May.\r\nhttps://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/\r\nPage 3 of 6\n\nMalware featuring minor changes compared to the variant sampled in May (Malwarebytes)\r\nThe malware aims to steal information stored in Chrome, Edge, and Firefox web browsers, like account credentials and\r\ncookies.\r\nFinally, the malware exfiltrates the stolen data using the IMAP email protocol, sending everything to the C2 address, which\r\nis hosted on an abandoned Dubai-based site.\r\nAccording to cybersecurity researcher MalwareHunterteam, who discovered this campaign yesterday, the malware uses\r\nhard-coded IMAP credentials, potentially allowing any researcher to access the stolen data.\r\nCERT-UA warned about CVE-2022-30190 exploitation by Russian hackers of the Sandworm group last week, but this time,\r\nthe threat actors responsible for the attacks are identified as the APT28 group.\r\nAPT28 (aka STRONTIUM, Fancy Bear, and Sofacy) is a Russian hacking group focusing on cyber espionage and is\r\nbelieved to have ties to the Russian government.\r\nThe group has been active since 2007, targeting governments, military, and security organizations.\r\nCobalt Strike campaign also underway\r\nIn parallel to the above activity, the CERT-UA has also identified a different campaign by a threat actor tracked as UAC-0098, also using CVE-2022-30190 to infect the target with minimal interaction.\r\nIn this case, CERT-UA says the threat actor uses a DOCX file named \"Imposition of penalties.docx\", and the payload\r\nfetched from a remote resource is a Cobalt Strike beacon (ked.dll) with a recent compilation date.\r\nhttps://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/\r\nPage 4 of 6\n\nCobalt Strike campaign details (CERT-UA)\r\nThe sent emails supposedly come from the State Tax Service of Ukraine, with the subject: \"Notice of non-payment of tax.\"\r\nSince Ukraine is at war with Russia and many citizens have naturally neglected their regular tax-paying obligations towards\r\nthe state, the lure might be effective against many people in this case.\r\nCERT-UA advises employees in critical organizations to remain vigilant against email-delivered threats, as the number of\r\nspear-phishing attacks remains high.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nhttps://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/\r\nPage 5 of 6\n\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/\r\nhttps://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/\r\nPage 6 of 6", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware/" ], "report_names": [ "russian-govt-hackers-hit-ukraine-with-cobalt-strike-credomap-malware" ], "threat_actors": [ { "id": "610a7295-3139-4f34-8cec-b3da40add480", "created_at": "2023-01-06T13:46:38.608142Z", "updated_at": "2026-04-10T02:00:03.03764Z", "deleted_at": null, "main_name": "Cobalt", "aliases": [ "Cobalt Group", "Cobalt Gang", "GOLD KINGSWOOD", "COBALT SPIDER", "G0080", "Mule Libra" ], "source_name": "MISPGALAXY:Cobalt", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df", "created_at": "2023-01-06T13:46:38.402513Z", "updated_at": "2026-04-10T02:00:02.959797Z", "deleted_at": null, "main_name": "Sandworm", "aliases": [ "IRIDIUM", "Blue Echidna", "VOODOO BEAR", "FROZENBARENTS", "UAC-0113", "Seashell Blizzard", "UAC-0082", "APT44", "Quedagh", "TEMP.Noble", "IRON VIKING", "G0034", "ELECTRUM", "TeleBots" ], "source_name": "MISPGALAXY:Sandworm", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "7bd810cb-d674-4763-86eb-2cc182d24ea0", "created_at": "2022-10-25T16:07:24.1537Z", "updated_at": "2026-04-10T02:00:04.883793Z", "deleted_at": null, "main_name": "Sandworm Team", "aliases": [ "APT 44", "ATK 14", "BE2", "Blue Echidna", "CTG-7263", "FROZENBARENTS", "G0034", "Grey Tornado", "IRIDIUM", "Iron Viking", "Quedagh", "Razing Ursa", "Sandworm", "Sandworm Team", "Seashell Blizzard", "TEMP.Noble", "UAC-0082", "UAC-0113", "UAC-0125", "UAC-0133", "Voodoo Bear" ], "source_name": "ETDA:Sandworm Team", "tools": [ "AWFULSHRED", "ArguePatch", "BIASBOAT", "Black Energy", "BlackEnergy", "CaddyWiper", "Colibri Loader", "Cyclops Blink", "CyclopsBlink", "DCRat", "DarkCrystal RAT", "Fobushell", "GOSSIPFLOW", "Gcat", "IcyWell", "Industroyer2", "JaguarBlade", "JuicyPotato", "Kapeka", "KillDisk.NCX", "LOADGRIP", "LOLBAS", "LOLBins", "Living off the Land", "ORCSHRED", "P.A.S.", "PassKillDisk", "Pitvotnacci", "PsList", "QUEUESEED", "RansomBoggs", "RottenPotato", "SOLOSHRED", "SwiftSlicer", "VPNFilter", "Warzone", "Warzone RAT", "Weevly" ], "source_id": "ETDA", "reports": null }, { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434888, "ts_updated_at": 1775792270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/9292b872d0c5097538b23db96f98eebd61ec3eba.pdf", "text": "https://archive.orkl.eu/9292b872d0c5097538b23db96f98eebd61ec3eba.txt", "img": "https://archive.orkl.eu/9292b872d0c5097538b23db96f98eebd61ec3eba.jpg" } }