{
	"id": "8d36889c-a90c-4bdf-bef2-501e50b720ae",
	"created_at": "2026-04-06T00:08:00.010821Z",
	"updated_at": "2026-04-10T03:24:58.565194Z",
	"deleted_at": null,
	"sha1_hash": "b55a7d51aed657febdae0fbb7b480a30d183e8be",
	"title": "Ukraine cyber officials warn of a ‘surge’ in Smokeloader attacks on financial, government entities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77284,
	"plain_text": "Ukraine cyber officials warn of a ‘surge’ in Smokeloader attacks\r\non financial, government entities\r\nBy Daryna Antoniuk\r\nPublished: 2023-10-24 · Archived: 2026-04-05 20:04:38 UTC\r\nSuspected Russian cybercriminals have increased their attacks against Ukrainian financial and government\r\norganizations using Smokeloader malware, according to Ukrainian cybersecurity officials.\r\nSince May of this year, the malware operators have targeted Ukrainian organizations with intense phishing\r\nattacks, primarily attempting to infiltrate their systems and steal sensitive information, according to research\r\npublished Tuesday by Ukraine's National Cyber Security Coordination Center (NCSCC).\r\nSmokeloader is a highly complex malware primarily functioning as a loader, which downloads stealthier or more\r\neffective malicious software into the system. However, because of its modular design, Smokeloader can perform a\r\nwide range of functions, including stealing credentials, executing distributed denial-of-service (DDoS) attacks,\r\nand intercepting keystrokes.\r\nThe price for this malicious toolkit varies, with options ranging from $400 for the basic bot to $1,650 for the\r\ncomplete package, featuring all available plugins and functions.\r\nThe researchers did not attribute this campaign to a specific hacker group, but they noted that the prevalence of\r\nRussian domain registrars suggests potential connections to Russian cybercriminal operations.\r\nBack in May, Ukraine's Computer Emergency Response Team (CERT-UA) linked the Smokeloader activity to a\r\nthreat actor they identified as UAC-0006. CERT-UA described it as a financially motivated operation aiming to\r\nsteal credentials and execute unauthorized fund transfers.\r\nThe researchers from the NCSCC said that the attacks on Ukrainian organizations by both financially motivated\r\ncybercriminals and state-sponsored hackers indicate that the threat landscape in Ukraine “has evolved into a\r\nmultifaceted arena.”\r\nSmokeloader attacks on Ukraine\r\nIn their recent campaign, the hackers used Smokeloader to attack state, private, and financial institutions, with a\r\nparticular focus on accounting departments, the NCSCC told Recorded Future News.\r\nThe hackers used “meticulously crafted” financially themed emails to trick victims into downloading malicious\r\nattachments. Financial themes created a sense of urgency and relevance for recipients, researchers said.\r\nThe hackers concealed Smokeloader under layers of seemingly harmless financial documents. Most of these files\r\nwere legitimate and were stolen from organizations that had been previously compromised.\r\nhttps://therecord.media/surge-in-smokeloader-malware-attacks-targeting-ukrainian-financial-gov-orgs\r\nPage 1 of 2\n\nSmokeloader uses various evasion strategies to slip through security measures undetected. After finally gaining\r\naccess to the system, it can extract crucial device information, including operating system details and location\r\ndata.\r\nIn recent attacks, attackers also compromised money transfer processes, redirecting funds to their own accounts by\r\nreplacing legitimate account details.\r\nSuch cases highlight cybercriminals' evolving tactics, which now include manipulating financial processes to\r\ndivert and steal resources, the researchers said.\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/surge-in-smokeloader-malware-attacks-targeting-ukrainian-financial-gov-orgs",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/surge-in-smokeloader-malware-attacks-targeting-ukrainian-financial-gov-orgs"
	],
	"report_names": [
		"surge-in-smokeloader-malware-attacks-targeting-ukrainian-financial-gov-orgs"
	],
	"threat_actors": [
		{
			"id": "078f7b2a-4e1c-4843-b7cd-353331cd2260",
			"created_at": "2023-11-21T02:00:07.359148Z",
			"updated_at": "2026-04-10T02:00:03.467054Z",
			"deleted_at": null,
			"main_name": "UAC-0006",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0006",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434080,
	"ts_updated_at": 1775791498,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b55a7d51aed657febdae0fbb7b480a30d183e8be.pdf",
		"text": "https://archive.orkl.eu/b55a7d51aed657febdae0fbb7b480a30d183e8be.txt",
		"img": "https://archive.orkl.eu/b55a7d51aed657febdae0fbb7b480a30d183e8be.jpg"
	}
}