{
	"id": "03e98440-aa50-4e93-bc93-2840cbf1d0d4",
	"created_at": "2026-04-06T00:22:28.799274Z",
	"updated_at": "2026-04-10T03:30:30.919862Z",
	"deleted_at": null,
	"sha1_hash": "bb7eab5ede5e5576b6a05d1a4907bef037bd115e",
	"title": "Russian hackers start targeting Ukraine with Follina exploits",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4208510,
	"plain_text": "Russian hackers start targeting Ukraine with Follina exploits\r\nBy Bill Toulas\r\nPublished: 2022-06-13 · Archived: 2026-04-05 23:35:14 UTC\r\nUkraine's Computer Emergency Response Team (CERT) is warning that the Russian hacking group Sandworm may be\r\nexploiting Follina, a remote code execution vulnerability in Microsoft Windows Support Diagnostic Tool (MSDT) currently\r\ntracked as CVE-2022-30190.\r\nThe security issue can be triggered by either opening or selecting a specially crafted document and threat actors have been\r\nexploiting it in attacks since at least April 2022.\r\nIt is worth noting that Ukraine's agency assesses with medium confidence that behind the malicious activity is the\r\nSandworm hacker group.\r\nhttps://www.bleepingcomputer.com/news/security/russian-hackers-start-targeting-ukraine-with-follina-exploits/\r\nPage 1 of 4\n\nTargeting media orgs\r\nCERT-UA says that Russian hackers launched a new malicious email campaign leveraging Follina and targeted more than\r\n500 recipients at various media organizations in Ukraine, including radio stations and newspapers.\r\nThe emails have the subject “LIST of links to interactive maps”, and carry a .DOCX attachment with the same name. When\r\nopening the file, JavaScript code executes to fetch a payload named \"2.txt,\" which CERT-UA classified as \"malicious\r\nCrescentImp.\"\r\nInfection chain dropping CrescentImp malware (CERT-UA)\r\nCERT-UA has provided a short set of indicators of compromise to help defenders detect CrescentImp infections. 
However, it\r\nis unclear what type of malware family CrescentImp belongs to or its functionality.\r\nThe hashes from CERT-UA show no detection at the moment on the Virus Total scanning platform.\r\nSandworm activity in Ukraine\r\nSandworm has been targeting Ukraine constantly over the past few years, and the frequency of attacks increased after the\r\nRussian invasion into Ukraine.\r\nIn April, it was discovered that Sandworm attempted to take down a large Ukrainian energy provider by targeting its\r\nelectrical substations with a new variant of the Industroyer malware.\r\nIn February, security researchers discovered that Sandworm was the group responsible for creating and operating the\r\nCyclops Blink botnet, a highly persistent malware relying on firmware manipulation.\r\nAt the end of April, the U.S. set a reward of $10,000,000 for anyone who could help locate six individuals believed to be\r\nmembers of the notorious hacking group.\r\nSource: https://www.bleepingcomputer.com/news/security/russian-hackers-start-targeting-ukraine-with-follina-exploits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russian-hackers-start-targeting-ukraine-with-follina-exploits/"
	],
	"report_names": [
		"russian-hackers-start-targeting-ukraine-with-follina-exploits"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434948,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb7eab5ede5e5576b6a05d1a4907bef037bd115e.pdf",
		"text": "https://archive.orkl.eu/bb7eab5ede5e5576b6a05d1a4907bef037bd115e.txt",
		"img": "https://archive.orkl.eu/bb7eab5ede5e5576b6a05d1a4907bef037bd115e.jpg"
	}
}