{
	"id": "c722ca65-2272-4c99-8cb5-7225f0c85d6d",
	"created_at": "2026-04-06T00:22:02.249862Z",
	"updated_at": "2026-04-10T03:37:04.42957Z",
	"deleted_at": null,
	"sha1_hash": "b342f2bbd658a4ed7ec83b893ea2315fa25884ff",
	"title": "Ukraine: Russian Armageddon phishing targets EU govt agencies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4990886,
	"plain_text": "Ukraine: Russian Armageddon phishing targets EU govt agencies\r\nBy Bill Toulas\r\nPublished: 2022-04-05 · Archived: 2026-04-05 20:02:05 UTC\r\nThe Computer Emergency Response Team of Ukraine (CERT-UA) has spotted new phishing attempts attributed to the Russian threat group tracked as Armageddon (Gamaredon).\r\nThe malicious emails attempt to trick the recipients with lures themed after the war in Ukraine and infect the target systems with espionage-focused malware.\r\nCERT-UA has identified two separate cases, one targeting Ukrainian organizations and the other focusing on government agencies in the European Union.\r\nWho is Armageddon\r\nArmageddon is a Russian state-sponsored threat actor who has been targeting Ukraine since at least 2014 and is considered part of the FSB (Russian Federal Security Service).\r\nAccording to a detailed technical report published by the Ukrainian secret service in November 2021, Armageddon has launched at least 5,000 cyber-attacks against 1,500 critical entities in the country.\r\nThe Ukrainian forces have previously identified members of the Armageddon cyber-force, exposed their toolset, and traced custom malware development efforts to Russian hacking forums.\r\nAs such, even in chaotic wartime situations where cyber-response teams have limited resources and time, some attributions can be made with greater confidence due to the extensive identification efforts that took place in the past.\r\nUkraine-focused campaign\r\nArmageddon’s Ukraine-targeting campaign distributes emails on “Information on war criminals of the Russian Federation,” to various government agencies in the country.\r\nThe emails, sent from “vadim_melnik88@i[.]ua”, contain an HTML attachment that CERT-UA says has low detections by security software at this time.\r\nIf opened, a RAR file is automatically created and dropped on the computer, supposedly containing the identification details of those responsible for war crimes in Ukraine in a shortcut file (.lnk).\r\nHowever, clicking on this LNK file will download another HTA file laced with VBScript code that runs a PowerShell script to fetch the final payload.\r\nDetails of the Ukraine-targeting campaign (CERT-UA)\r\nEU campaign\r\nIn the campaign targeting various EU government officials, Armageddon uses RAR archive attachments named “Assistance” and “Necessary_military_assistance”.\r\nThose archives contain shortcut files (.lnk) that supposedly include lists of things needed for military and humanitarian assistance to Ukraine. Opening that file triggers the same malware infection chain described in the previous section.\r\nThe sender’s address is “info@military-ukraine[.]site”, which may pass as legitimate, while the signee is supposedly the Deputy Commander for Armaments and Major General in Ukraine.\r\nDetails of the EU phishing campaign (CERT-UA)\r\nThe CERT-UA has confirmed at least one case of these emails reaching the inbox of the Latvian government. As such, the same campaign is likely targeting more European governments.\r\nThis report is in line with other recent findings of Russia-originating attacks targeting EU entities, like last week's Google TAG phishing campaign report, the deployment of wiper-malware against the KA-SAT satellite service, GPS system interference in the Baltic region, and phishing attacks against those aiding with the refugee crisis.\r\nSource: https://www.bleepingcomputer.com/news/security/ukraine-spots-russian-linked-armageddon-phishing-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/ukraine-spots-russian-linked-armageddon-phishing-attacks/"
	],
	"report_names": [
		"ukraine-spots-russian-linked-armageddon-phishing-attacks"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Dancing Salome",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051",
				"Primitive Bear",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"WinterFlounder"
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b342f2bbd658a4ed7ec83b893ea2315fa25884ff.pdf",
		"text": "https://archive.orkl.eu/b342f2bbd658a4ed7ec83b893ea2315fa25884ff.txt",
		"img": "https://archive.orkl.eu/b342f2bbd658a4ed7ec83b893ea2315fa25884ff.jpg"
	}
}