25 December 2024

Sandworm-linked hackers target users of Ukraine’s military app in new spying campaign

Daryna Antoniuk

Ukrainian soldiers have become the target of a new espionage campaign linked to the notorious Russian state-sponsored threat actor Sandworm, according to a recent report.

As part of the operation, the hackers create fraudulent websites that mimic the official page of a Ukrainian military app, Army+, tricking users into downloading an executable file disguised as an app installation package.

Army+ has received significant attention from Ukraine’s government recently. The app, introduced earlier this year, aims to digitize bureaucratic tasks for soldiers, such as submitting reports to commanders.

According to a report from Ukraine’s military computer emergency response team (MIL.CERT-UA), the fake Army+ websites are hosted on Cloudflare Workers, a “serverless” platform for deploying applications. Hackers often exploit legitimate services to obscure their operations and make fraudulent websites appear more convincing to potential victims.

The executable file delivered through the malicious Army+ app is an installer crafted with NSIS (Nullsoft Scriptable Install System), a tool frequently used by developers to create software installation packages.
