{ "id": "1b302582-33a0-4b06-b9b5-1c001e2f6fb0", "created_at": "2026-04-06T00:21:45.725213Z", "updated_at": "2026-04-10T03:37:50.209658Z", "deleted_at": null, "sha1_hash": "f09c4ad6eb7c75c3b518720c972f6f226d20b282", "title": "Hackers use fake \u0026lsquo;Windows Update\u0026rsquo; guides to target Ukrainian govt", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3277442, "plain_text": "Hackers use fake \u0026lsquo;Windows Update\u0026rsquo; guides to target\r\nUkrainian govt\r\nBy Bill Toulas\r\nPublished: 2023-04-30 · Archived: 2026-04-05 13:21:16 UTC\r\nThe Computer Emergency Response Team of Ukraine (CERT-UA) says Russian hackers are targeting various government\r\nbodies in the country with malicious emails supposedly containing instructions on how to update Windows as a defense\r\nagainst cyber attacks.\r\nCERT-UA believes that the Russian state-sponsored hacking group APT28 (aka Fancy Bear) sent these emails and\r\nimpersonated system administrators of the targeted government entities to make it easier to trick their targets.\r\nFor this purpose, the attackers created @outlook.com email addresses using real employee names acquired via unknown\r\nmeans in the preparatory stages of the attack.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-fake-windows-update-guides-to-target-ukrainian-govt/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-fake-windows-update-guides-to-target-ukrainian-govt/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\nInstead of legitimate instructions on upgrading Windows systems, the malicious emails advise the recipients to run a\r\nPowerShell command.\r\nThis command downloads a PowerShell script on the computer, simulating a Windows updating process while downloading\r\na second PowerShell payload in the background.\r\nThe second-stage payload is a basic information harvesting tool that abuses the 'tasklist' and 'systeminfo' commands to\r\ngather data and send them to a Mocky service API via an HTTP request.\r\nMocky is a legitimate application that helps users generate custom HTTP responses, which APT28 abused in this case for\r\ndata exfiltration.\r\nCERT-UA recommends that system administrators restrict the ability to launch PowerShell on critical computers and\r\nmonitor network traffic for connections to the Mocky service API.\r\nInstructions sent to targets (CERT-UA)\r\nAPT28 attacks on Ukraine\r\nGoogle's Threat Analysis Group reported recently that roughly 60% of all phishing emails targeting Ukraine in the first\r\nquarter of 2023 originated from Russian threat actors, highlighting APT28 as a major contributor to this malicious activity.\r\nEarlier in the month, US and UK intelligence services and Cisco warned about APT28 actively exploiting a zero-day flaw\r\naffecting the company's routers to deploy a malware named 'Jaguar Tooth' to collect intelligence from US and EU-based\r\ntargets.\r\nIn March 2023, Microsoft patched an Outlook zero-day vulnerability tracked as CVE-2023-23397, which APT28 has\r\nexploited since April 2022 to breach the networks of European government, military, energy, and transportation\r\norganizations.\r\nInterestingly, Chinese hackers also used Windows updates as a lure to drop malicious executables in attacks against Russian\r\ngovernment agencies last year.\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-fake-windows-update-guides-to-target-ukrainian-govt/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-use-fake-windows-update-guides-to-target-ukrainian-govt/\r\nhttps://www.bleepingcomputer.com/news/security/hackers-use-fake-windows-update-guides-to-target-ukrainian-govt/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://www.bleepingcomputer.com/news/security/hackers-use-fake-windows-update-guides-to-target-ukrainian-govt/" ], "report_names": [ "hackers-use-fake-windows-update-guides-to-target-ukrainian-govt" ], "threat_actors": [ { "id": "730dfa6e-572d-473c-9267-ea1597d1a42b", "created_at": "2023-01-06T13:46:38.389985Z", "updated_at": "2026-04-10T02:00:02.954105Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "Pawn Storm", "ATK5", "Fighting Ursa", "Blue Athena", "TA422", "T-APT-12", "APT-C-20", "UAC-0001", "IRON TWILIGHT", "SIG40", "UAC-0028", "Sofacy", "BlueDelta", "Fancy Bear", "GruesomeLarch", "Group 74", "ITG05", "FROZENLAKE", "Forest Blizzard", "FANCY BEAR", "Sednit", "SNAKEMACKEREL", "Tsar Team", "TG-4127", "STRONTIUM", "Grizzly Steppe", "G0007" ], "source_name": "MISPGALAXY:APT28", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "e3767160-695d-4360-8b2e-d5274db3f7cd", "created_at": "2022-10-25T16:47:55.914348Z", "updated_at": "2026-04-10T02:00:03.610018Z", "deleted_at": null, "main_name": "IRON TWILIGHT", "aliases": [ "APT28 ", "ATK5 ", "Blue Athena ", "BlueDelta ", "FROZENLAKE ", "Fancy Bear ", "Fighting Ursa ", "Forest Blizzard ", "GRAPHITE ", "Group 74 ", "PawnStorm ", "STRONTIUM ", "Sednit ", "Snakemackerel ", "Sofacy ", "TA422 ", "TG-4127 ", "Tsar Team ", "UAC-0001 " ], "source_name": "Secureworks:IRON TWILIGHT", "tools": [ "Downdelph", "EVILTOSS", "SEDUPLOADER", "SHARPFRONT" ], "source_id": "Secureworks", "reports": null }, { "id": "ae320ed7-9a63-42ed-944b-44ada7313495", "created_at": "2022-10-25T15:50:23.671663Z", "updated_at": "2026-04-10T02:00:05.283292Z", "deleted_at": null, "main_name": "APT28", "aliases": [ "APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch" ], "source_name": "MITRE:APT28", "tools": [ "Wevtutil", "certutil", "Forfiles", "DealersChoice", "Mimikatz", "ADVSTORESHELL", "Komplex", "HIDEDRV", "JHUHUGIT", "Koadic", "Winexe", "cipher.exe", "XTunnel", "Drovorub", "CORESHELL", "OLDBAIT", "Downdelph", "XAgentOSX", "USBStealer", "Zebrocy", "reGeorg", "Fysbis", "LoJax" ], "source_id": "MITRE", "reports": null }, { "id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab", "created_at": "2022-10-25T16:07:24.212584Z", "updated_at": "2026-04-10T02:00:04.900038Z", "deleted_at": null, "main_name": "Sofacy", "aliases": [ "APT 28", "ATK 5", "Blue Athena", "BlueDelta", "FROZENLAKE", "Fancy Bear", "Fighting Ursa", "Forest Blizzard", "G0007", "Grey-Cloud", "Grizzly Steppe", "Group 74", "GruesomeLarch", "ITG05", "Iron Twilight", "Operation DealersChoice", "Operation Dear Joohn", "Operation Komplex", "Operation Pawn Storm", "Operation RoundPress", "Operation Russian Doll", "Operation Steal-It", "Pawn Storm", "SIG40", "Sednit", "Snakemackerel", "Sofacy", "Strontium", "T-APT-12", "TA422", "TAG-0700", "TAG-110", "TG-4127", "Tsar Team", "UAC-0028", "UAC-0063" ], "source_name": "ETDA:Sofacy", "tools": [ "ADVSTORESHELL", "AZZY", "Backdoor.SofacyX", "CHERRYSPY", "CORESHELL", "Carberp", "Computrace", "DealersChoice", "Delphacy", "Downdelph", "Downrage", "Drovorub", "EVILTOSS", "Foozer", "GAMEFISH", "GooseEgg", "Graphite", "HATVIBE", "HIDEDRV", "Headlace", "Impacket", "JHUHUGIT", "JKEYSKW", "Koadic", "Komplex", "LOLBAS", "LOLBins", "Living off the Land", "LoJack", "LoJax", "MASEPIE", "Mimikatz", "NETUI", "Nimcy", "OCEANMAP", "OLDBAIT", "PocoDown", "PocoDownloader", "Popr-d30", "ProcDump", "PythocyDbg", "SMBExec", "SOURFACE", "SPLM", "STEELHOOK", "Sasfis", "Sedkit", "Sednit", "Sedreco", "Seduploader", "Shunnael", "SkinnyBoy", "Sofacy", "SofacyCarberp", "SpiderLabs Responder", "Trojan.Shunnael", "Trojan.Sofacy", "USB Stealer", "USBStealer", "VPNFilter", "Win32/USBStealer", "WinIDS", "Winexe", "X-Agent", "X-Tunnel", "XAPS", "XTunnel", "Xagent", "Zebrocy", "Zekapab", "carberplike", "certutil", "certutil.exe", "fysbis", "webhp" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434905, "ts_updated_at": 1775792270, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/f09c4ad6eb7c75c3b518720c972f6f226d20b282.pdf", "text": "https://archive.orkl.eu/f09c4ad6eb7c75c3b518720c972f6f226d20b282.txt", "img": "https://archive.orkl.eu/f09c4ad6eb7c75c3b518720c972f6f226d20b282.jpg" } }