{
	"id": "a015cd40-219a-4616-88f9-ef0919d04c0c",
	"created_at": "2026-04-06T01:29:28.141145Z",
	"updated_at": "2026-04-10T13:12:18.394118Z",
	"deleted_at": null,
	"sha1_hash": "9e4be9640388dc0f6912ad3ed32d31d5f1a9ae51",
	"title": "Targeted attack against the Ukrainian military",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 763392,
	"plain_text": "Targeted attack against the Ukrainian military\r\nArchived: 2026-04-06 00:30:19 UTC\r\nOne more targeted attack against Ukraine used spear phishing to deliver the DarkTrack backdoor through a fake directive ('розпорядження') from the Minister of Defense of Ukraine. The target is the CERT in the military domain.\r\nThe email urges the recipient to download the directive via the link before April 13, 2017.\r\nThe domain 'fex.net' in the link has been actively used to distribute malware.\r\nThe downloaded file 'розпорядження Полторак.docx.exe' is an obfuscated .NET application (MD5: 01fb11b245a6a2525da77aebd2879dcf). It copies itself as:\r\nc:\\Documents and Settings\\\u003cUSER\u003e\\Templates\\winlogon.exe\r\nhttps://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html\r\nPage 1 of 6\r\nIt also drops a clean Word document:\r\nc:\\Documents and Settings\\\u003cUSER\u003e\\Local Settings\\Temp\\Docum.doc (MD5: b77f006667dd0a68de9c8ea30f2c80fe)\r\nFirst, it executes 'C:\\WINDOWS\\system32\\svchost.exe' and injects DarkTrack into the 'svchost.exe' process. Then, it opens the clean 'Docum.doc' to distract the user.\r\nThe following message is shown on execution:\r\nThen, it opens the embedded document:\r\nThe malicious process injects the backdoor's code into the system 'svchost.exe'.\r\nThe backdoor is the DarkTrack remote administration tool.\r\nThe client connects to port 1515 on the C\u0026C server.\r\nThe DarkTrack client uses the proxy service 'hopto.org' to connect to the attacker's C\u0026C.\r\ngordon6.hopto.org has resolved to the following IPs:\r\n95.46.151.68\r\n62.76.106.236\r\n92.38.37.15\r\nAll of these IPs are located in the same place in Russia.\r\nNetwork IoCs:\r\ngordon6.hopto.org\r\nfex.net\r\n95.46.151.68\r\n62.76.106.236\r\n92.38.37.15\r\nSource: https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html"
	],
	"report_names": [
		"targeted-attack-against-ukrainian.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775438968,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9e4be9640388dc0f6912ad3ed32d31d5f1a9ae51.pdf",
		"text": "https://archive.orkl.eu/9e4be9640388dc0f6912ad3ed32d31d5f1a9ae51.txt",
		"img": "https://archive.orkl.eu/9e4be9640388dc0f6912ad3ed32d31d5f1a9ae51.jpg"
	}
}