Targeted attack against the Ukrainian military

Archived: 2026-04-06 00:30:19 UTC

One more targeted attack against Ukraine used spear phishing to deliver the DarkTrack backdoor through a fake prescription of the Minister of Defense of Ukraine. The target is CERT in the military domain.

The letter urges the recipient to download the prescription via the link by April 13, 2017. The domain 'fex.net' in the link has been actively used to distribute malware.

The downloaded file 'розпорядження Полторак.docx.exe' is an obfuscated .NET application (MD5: 01fb11b245a6a2525da77aebd2879dcf). It copies itself as:

    c:\Documents and Settings\\Templates\winlogon.exe

And drops the clean Word document:

    c:\Documents and Settings\\Local Settings\Temp\Docum.doc (MD5: b77f006667dd0a68de9c8ea30f2c80fe)

First, it executes 'C:\WINDOWS\system32\svchost.exe' and injects DarkTrack into the 'svchost.exe' process. Then it opens the clean 'Docum.doc' to divert the user's attention.

The following message is shown on execution:

Then, it opens the embedded document:

The malicious process injects the backdoor's code into the system 'svchost.exe'.

The backdoor is the DarkTrack remote administration tool.

The client connects to port 1515 on the C&C.

The DarkTrack client uses the proxy service 'hopto.org' to connect to the attacker's C&C. gordon6.hopto.org has been resolved to the following IPs:

    95.46.151.68
    62.76.106.236
    92.38.37.15

All of the IPs are located in one place in Russia.
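The behaviour described above can be turned into host and network checks. The following is an added example, not part of the original report: the event dictionary layout, rule names, user name and sample events are assumptions constructed for illustration, while the domains, IPs, port and file names come from the report.

```python
import re
from pathlib import PureWindowsPath

# Indicators copied from the report above.
IOC_DOMAINS = ("gordon6.hopto.org", "fex.net")
IOC_IPS = {"95.46.151.68", "62.76.106.236", "92.38.37.15"}
C2_PORT = 1515
DOC_EXE = re.compile(r"\.docx?\.exe$", re.IGNORECASE)

def check_event(ev):
    """Return the names of the rules a single event dict matches (hypothetical schema)."""
    hits = []
    image = PureWindowsPath(ev.get("image", ""))
    name = image.name.lower()
    if ev["type"] == "process":
        parent = PureWindowsPath(ev.get("parent", "")).name.lower()
        if DOC_EXE.search(name):
            hits.append("document-named-executable")
        # The dropper copies itself as winlogon.exe under the user's Templates folder.
        if name == "winlogon.exe" and "system32" not in (p.lower() for p in image.parts):
            hits.append("winlogon-outside-system32")
        if name == "svchost.exe" and parent != "services.exe":  # normal parent is services.exe
            hits.append("svchost-unexpected-parent")
    elif ev["type"] == "network":
        host = ev.get("host", "").lower().rstrip(".")
        if ev.get("ip") in IOC_IPS or any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            hits.append("ioc-destination")
        if name == "svchost.exe" and ev.get("port") == C2_PORT:
            hits.append("svchost-to-port-1515")
    return hits

def scan(events):
    """Map event index -> matched rules, skipping events that match nothing."""
    return {i: h for i, ev in enumerate(events) if (h := check_event(ev))}

# Constructed sample telemetry: the user name, parent processes and benign events are invented.
DROPPER = r"C:\Documents and Settings\analyst\Desktop\розпорядження Полторак.docx.exe"
SVCHOST = r"C:\WINDOWS\system32\svchost.exe"
SAMPLE_EVENTS = [
    {"type": "process", "image": DROPPER, "parent": r"C:\WINDOWS\explorer.exe"},
    {"type": "process", "image": r"c:\Documents and Settings\analyst\Templates\winlogon.exe", "parent": DROPPER},
    {"type": "process", "image": SVCHOST, "parent": DROPPER},
    {"type": "network", "image": SVCHOST, "host": "gordon6.hopto.org", "ip": "95.46.151.68", "port": 1515},
    {"type": "process", "image": SVCHOST, "parent": r"C:\WINDOWS\system32\services.exe"},
    {"type": "network", "image": SVCHOST, "host": "example.com", "ip": "192.0.2.10", "port": 443},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Because 'fex.net' is a general file-sharing domain, a match on it alone is a lead to triage rather than proof of compromise; the process rules are the more specific signals.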

Network IoCs:

    gordon6.hopto.org
    fex.net
    95.46.151.68
    62.76.106.236
    92.38.37.15

Source: https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html