{
	"id": "d323e89b-10b1-428a-8d52-88348159fb24",
	"created_at": "2026-04-06T00:13:01.918457Z",
	"updated_at": "2026-04-10T03:22:05.273949Z",
	"deleted_at": null,
	"sha1_hash": "a06cc14ddc51a07beb016c0b721851b6ec822fad",
	"title": "Bitdefender Labs Sees Increased Malicious and Scam Activity Exploiting the War in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 443617,
	"plain_text": "Bitdefender Labs Sees Increased Malicious and Scam Activity\r\nExploiting the War in Ukraine\r\nBy Alina BÎZGĂ\r\nArchived: 2026-04-05 15:06:57 UTC\r\nAs the war in Ukraine intensifies, researchers at Bitdefender Labs are picking up waves of fraudulent and\r\nmalicious emails exploiting the humanitarian crisis and charitable spirit of recipients across the globe. What we’ve\r\nseen so far:\r\nMalspam campaigns deliver Agent Tesla and Remcos RATs\r\nSince March 1, Bitdefender Labs have been tracking two phishing campaigns attempting to infect recipients with\r\ntwo well-known remote access Trojans – Agent Tesla and Remcos.\r\nCampaign 1:\r\nThe first malspam campaign appears to be targeting organizations in the manufacturing industry via a .zip\r\nattachment ‘REQ Supplier Survey’. The attackers ask recipients to fill out a survey concerning their backup plans\r\nin response to the war in Ukraine.\r\nAccording to our threat researchers, the malicious payload is downloaded and deployed from a Discord link\r\ndirectly on the victim’s machine. Interestingly though, interacting with the malicious file will also download a\r\nclean version of Chrome on the users’ device – most likely an attempt at diverting users.\r\nhttps://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine\r\nPage 1 of 10\n\nAgent Tesla is an infamous Malware-as-a-service (MaaS) RAT and data stealer that has been prevalent in\r\nnumerous email-based cyberattacks during the health crisis. Perpetrators use Agent Tesla to exfiltrate sensitive\r\ninformation including credentials, keystrokes and clipboard data from their targets.\r\nAccording to our analysis, the attacks seemingly originated from IP addresses in the Netherlands (86%) and\r\nHungary (3%). 
The malicious emails have reached recipients worldwide, including South Korea (23%), Germany\r\n(10%), the UK (10%), the US (8%), the Czech Republic (14%), Ireland (5%), Hungary (3%), Sweden (3%) and\r\nAustralia (2%).\r\nBitdefender customers are already protected against Agent Tesla attacks. The attached file REQ Supplier\r\nSurvey.zip, detected as Gen:NN.ZemsilCO.34232.cm0@aKLKBXo, is detected and blocked by both our\r\nconsumer and enterprise solutions.\r\nCampaign 2:\r\nOur researchers spotted a separate malspam campaign on March 2, where attackers impersonate a South Korea-based healthcare company that specializes in in-vitro diagnostics analyzers to deliver the Remcos RAT via an\r\nExcel attachment (SUCT220002.xlsx).\r\nThe message cites the ongoing conflict in Ukraine and asks recipients if they want to put one of their orders on\r\nhold until shipments and flights reopen. Cyber attackers mainly deploy Remcos RAT via malicious documents or\r\narchives to gain full control over their victims’ systems. Once inside, they can capture keystrokes, screenshots,\r\ncredentials, or other sensitive system information and exfiltrate it directly to their servers.\r\nEighty-nine percent of the malicious emails appear to originate from IP addresses in Germany and 19% from the\r\nUS. 
The attackers’ focus is on recipients in Ireland (32%), India (17%), the US (7%), the UK (4%), Germany\r\n(4%), Vietnam (4%), Russia (2%), South Africa (2%) and Australia (2%).\r\n“Although the recent cyberattacks were not specifically aimed at Ukrainian infrastructure or civilian population,\r\nthe global tension generated by the ongoing war will likely materialize in more targeted attacks that could deter\r\nemergency response services and humanitarian aid efforts in the country,\" said Alexandru Maximciuc, threat\r\nresearcher at Bitdefender Labs.\r\n\"We've already seen mass DDoS attacks and wiper malware that hit financial institutions and organizations in\r\nUkraine. Considering the extended economic sanctions imposed by western nations in response to the Russian\r\ninvasion, digital aggressions aimed at disrupting critical infrastructures should not be dismissed in the current\r\nthreat landscape.”\r\nBitdefender consumer and business solutions detect the malicious attachment SUCT220002.xlsx delivering the\r\nRemcos RAT as Exploit.CVE-2017-11882.Gen.\r\nCharity crypto scams are intensifying\r\nOn Feb 25, Bitdefender Antispam Lab reported the first signs of scammers exploiting the Russian invasion of\r\nUkraine and news of Ukrainian citizens fleeing the country. As expected, fraudsters continue to leverage the\r\nongoing humanitarian crisis for their own financial gains.\r\nWithin hours after the invasion, the Ukrainian government announced it accepts BTC and ETH cryptocurrency\r\ndonations, and the global community did not disappoint. 
According to the latest analysis of blockchain\r\ntransactions, the ETH wallet received over 18,524 transactions totaling over $9.7 million, while the BTC wallet\r\nshows more than 9,300 transactions with a value of $9.4 million.\r\nThere’s no doubt about it; individuals, organizations, and governments are picking sides, and cybercriminals have\r\nto intensify their efforts to redirect any financial aid into their pockets.\r\n“Major global events and crises are known to trigger malicious spam campaigns that exploit human emotion and\r\npeople's desire to help,” said Adrian Miron, Antispam Research Manager at Bitdefender.\r\n“So far, we've noticed that the attackers reacted very quickly to legitimate announcements of Ukraine and other\r\norganizations by mimicking the format of their messages. We expect the variety of phishing and malware\r\ncampaigns, as well as the volume of messages sent daily, to increase steadily, and the attackers to adapt their\r\npersuasion methods accordingly.”\r\nBitdefender Labs is actively monitoring fraudulent donation emails luring recipients to donate money. Scammers\r\nare impersonating the Ukrainian government, international humanitarian agency Act for Peace, UNICEF, and\r\nother donation projects such as the Ukraine Crisis Relief Fund to deliver their pleas for financial assistance to\r\nhelp the Ukrainian army and millions of civilians and children caught in the military conflict.\r\nSubject lines are as follows:\r\nStand with the people of Ukraine. Now accepting cryptocurrency donations. Bitcoin, Ethereum and USDT.\r\nHELP UKRAINE stop the war!\r\nUkraine Humanitarian Donation\r\nDonate to Ukraine, Help save a life: Please read\r\nUrgent! 
Help Children in Ukraine\r\nSubject: Help Ukraine\r\nThe emails play on users’ emotions citing the impact on communities in Ukraine and the growing number of\r\nrefugees that are fleeing the country and in great need of supplies and housing.\r\nEmail-based charity scams peaked on March 2, according to Bitdefender Antispam Lab.\r\nOne particular campaign, using the subject line “Stand with the people of Ukraine. Now accepting cryptocurrency\r\ndonations. Bitcoin, Ethereum and USDT” and originating from IP addresses in China, reached tens of thousands of\r\ninboxes on March 2nd. Twenty-five percent of the scam emails were directed to users in the UK, 14% in the US,\r\n10% in South Korea, 8% in Japan, 7% in Germany, 4% in Romania, and 2% each in Greece, Finland and Italy.\r\nAdditional crypto charity scam samples can be seen below:\r\nNigerian Prince-style email schemes\r\nBitdefender spam filters have also noticed a Ukraine variation of the Nigerian Prince scam. The email, allegedly\r\nsent by a renowned businessman from Ukraine, seeks your assistance to transfer $10 million until he is able to\r\nrelocate somewhere safe.\r\nFraudsters behind this particular scam are sending emails from IP addresses in Botswana (83%), Germany (10%)\r\nand France (5%). 
Their main audience is users in Germany (42%), Turkey (16%), the US (16%), Ireland (8%) and\r\nPoland (3%).\r\nUnfortunately, users who respond to this email will get in touch with the scammer who will ask for personal\r\ninformation to help transfer the money out of the country. Although the email does not promise recipients any\r\nfinancial rewards for their help, the con artist will likely specify remuneration for helping him finalize the transfer.\r\nMost often the scammer will ask recipients to pay administration fees, often associated with moving large sums.\r\nUpon deceiving the victim, the scammer will either disappear with the money or, worse, drain their bank account\r\nin the process.\r\nBitdefender’s focus on cybersafety\r\nThe fact that cybercriminals and scammers are using the crisis in Ukraine to steal users’ money and spread\r\nmalicious payloads comes as no surprise to cybersecurity experts. 
Although the war in Ukraine may be thousands\r\nof miles away from many of us, people’s suffering triggers a strong emotional response in users worldwide who\r\nwish to lend a hand to refugees fleeing the war-struck European country.\r\nWe urge all internet users to be extra vigilant during these troubled times and practice good cyber hygiene to\r\nensure that their hard-earned money does not end up in the wrong hands:\r\nNever click on links or attachments in emails or messages that ask you to donate urgently\r\nDonate exclusively via official and trusted charities, non-profit organizations and fundraisers\r\nCheck your financial accounts regularly for any suspicious activity or unauthorized charges\r\nSet up unique passwords for all online accounts\r\nFor more tips, please check our dedicated cybersecurity guide in armed conflict zones.\r\nIn response to the military crisis and increased cybercriminal activity, Bitdefender \u0026 the Romanian National\r\nCyber Security Directorate (DNSC) are offering free cybersecurity protection for any Ukrainian citizen,\r\ncompany or institution, as long as necessary.\r\nAdditionally, users across the globe can also boost their cyber resilience and fend off online scams and e-threats\r\nwith our extended Bitdefender Total Security trial, free of charge for 90 days. With Bitdefender Total Security,\r\nyou get the best anti-malware protection against e-threats across all major operating systems. 
The real-time\r\nprotection feature included in our security software offers continuous protection against all e-threats, including\r\nviruses, worms, Trojans, ransomware, zero-day exploits, rootkits, and spyware to keep you and your data safe.\r\nNote: This article is based on technical information provided courtesy of Bitdefender Labs\r\nStay Safe!\r\nSource: https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bitdefender.com/blog/hotforsecurity/bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine"
	],
	"report_names": [
		"bitdefender-labs-sees-increased-malicious-and-scam-activity-exploiting-the-war-in-ukraine"
	],
	"threat_actors": [],
	"ts_created_at": 1775434381,
	"ts_updated_at": 1775791325,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a06cc14ddc51a07beb016c0b721851b6ec822fad.pdf",
		"text": "https://archive.orkl.eu/a06cc14ddc51a07beb016c0b721851b6ec822fad.txt",
		"img": "https://archive.orkl.eu/a06cc14ddc51a07beb016c0b721851b6ec822fad.jpg"
	}
}