A new phishing campaign is targeting Ukrainian military personnel by distributing malware-laced manuals for drones and other aircraft. Securonix researchers revealed that the hackers are using Microsoft Compiled HTML Help (CHM) files to distribute the open-source Merlin malware and seize control of infected systems.
The decoy drone manuals appeal to the Ukrainian forces’ reliance on unmanned aerial vehicles. Once victims open the CHM files, malicious JavaScript executes PowerShell code to download the malware payload. This campaign marks the first time Merlin has been deployed against Ukrainian government organizations.
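Defenders can hunt for the execution chain described above in process-creation telemetry. The following is an added example, not code from Securonix or CERT-UA: it assumes CHM files are rendered by the Windows help viewer `hh.exe`, uses constructed records with hypothetical field names, and goes beyond the direct parent-child case by following intermediate processes such as `cmd.exe`.

```python
import ntpath

HELP_VIEWER = "hh.exe"                    # Windows HTML Help viewer that opens .chm files
SHELLS = {"powershell.exe", "pwsh.exe"}

# Constructed process-creation records (hypothetical field names), not campaign data.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\hh.exe",
     "cmd": r'hh.exe "C:\Users\user\Downloads\manual.chm"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell (constructed placeholder)"},
    {"pid": 400, "ppid": 300,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.EXE",
     "cmd": "powershell -w hidden (constructed placeholder)"},
    # Benign: PowerShell started from the desktop shell.
    {"pid": 500, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-ChildItem"},
    # Edge cases: parent never logged, and a self-referencing record.
    {"pid": 600, "ppid": 999, "image": r"C:\Program Files\PowerShell\7\pwsh.exe", "cmd": "pwsh"},
    {"pid": 700, "ppid": 700, "image": r"C:\Program Files\PowerShell\7\pwsh.exe", "cmd": "pwsh"},
]

def proc_name(ev):
    # ntpath parses Windows paths correctly even when the analysis host is not Windows.
    return ntpath.basename(ev["image"]).lower()

def chm_spawned_shells(events, max_hops=4):
    """Return PowerShell launches that have hh.exe within max_hops ancestors."""
    # Real telemetry should key on a unique process GUID, since PIDs are reused.
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        if proc_name(ev) not in SHELLS:
            continue
        chain, cur, seen = [proc_name(ev)], ev, {ev["pid"]}
        for _ in range(max_hops):
            cur = by_pid.get(cur["ppid"])
            if cur is None or cur["pid"] in seen:   # missing parent or loop
                break
            seen.add(cur["pid"])
            chain.append(proc_name(cur))
            if proc_name(cur) == HELP_VIEWER:
                hits.append({"pid": ev["pid"], "chain": chain[::-1], "cmd": ev["cmd"]})
                break
    return hits
```
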
Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed similar attacks to a threat actor known as UAC-0154. As Russia’s invasion continues, state-sponsored groups like APT28 continue offensive cyber operations against Ukraine’s critical infrastructure and military.
The resilience demonstrated by Ukraine’s cyber defenders is admirable, but constant vigilance is crucial. As this phishing campaign shows, Russian hackers are determined to undermine Ukraine’s defenses through social engineering and ingenious technical approaches.