An unknown APT group is introducing Trojans into the systems of Russian state structures

Researchers from Malwarebytes have discovered a previously unknown APT group that has run at least four targeted phishing campaigns against Russian state organizations since the beginning of the special operation in Ukraine. The attackers tried to plant remote access Trojans (RATs) on the victims’ systems in order to gain full control over them.

A quick look at each phishing campaign:

  • In the first, the hackers distributed malware disguised as an interactive map of Ukraine (interactive_map_UA.exe).

  • The second campaign began in March and was aimed at RT employees. The attackers tried to pass the malware off as an update for Log4j by sending a tar archive named Patch_Log4j.tar.gz.

  • In the third campaign, the APT group targeted the military-industrial conglomerate Rostec. The phishing messages carried a malicious file named build_rosteh4.exe.

  • The fourth campaign took place in mid-April. As bait, the attackers used a Word document containing a fake job advertisement for a “Strategy and Growth Analyst” position at the Saudi Aramco oil and gas company.

The experts cannot pinpoint the APT group behind these phishing campaigns: the attackers skillfully disguise themselves by reusing the infrastructure and methods of other hacker groups. However, the researchers were able to find several clues:

  • The hackers used C&C servers hosted by the company BL Networks, which are often used by Chinese groups;

  • The analyzed malware is very similar to the Sakula RAT used by the APT group Deep Panda.

Based on the information currently available, the experts are not confident enough to attribute the phishing campaigns to Chinese hackers.

We recently wrote about how Chinese hackers are spying on Rostec: the Twisted Panda group has been attacking holding companies within the conglomerate since at least June 2021, and the most recent attack attempt was seen in April 2022.