Ukrainian Notaries Under Siege: CERT-UA Reveals Sophisticated DCRat Attacks by UAC-0173 Hackers

# Ukrainian Notaries Targeted by DCRat Malware Campaign

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about new cyberattacks from the criminal group UAC-0173 targeting the country’s notary system. Beginning in mid-January 2025, attackers have been deploying DCRat (DarkCrystal RAT) malware through sophisticated phishing campaigns.

## Attack Methodology

The attackers send phishing emails purportedly from the Ministry of Justice of Ukraine, containing links to malicious executables hosted on Cloudflare’s R2 cloud storage. Once victims download and run these files, their systems become infected with the DCRat remote access trojan.

After establishing initial access, the threat actors deploy additional tools including:

– RDPWRAPPER: Enables parallel RDP sessions
– BORE: Facilitates direct RDP connections from the internet
– FIDDLER: Intercepts authentication data from state registry web interfaces
– NMAP: Performs network scanning
– XWorm: Steals credentials and clipboard content

The compromised systems are then used to propagate the attack further using the SENDMAIL utility to distribute more malicious emails.
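To illustrate how a defender might hunt for the lure pattern described above (a sender posing as the Ministry of Justice whose message links to an executable on Cloudflare R2 public storage), here is an added triage script that is not part of the CERT-UA report or this article. It assumes R2 public buckets are served from `*.r2.dev` hosts and that the ministry's genuine mail domain is `minjust.gov.ua`; both are constants to adjust, and the log lines are constructed samples.

```python
# Added example, not from CERT-UA or the article: triage of constructed
# mail-gateway records for the notary-phishing lure described in the text.
# Assumptions: R2 public buckets use *.r2.dev hosts; the ministry's real
# sender domain is minjust.gov.ua. Adjust both constants for your tenant.
import re
from urllib.parse import urlparse

LEGIT_SENDER_DOMAINS = {"minjust.gov.ua"}   # assumed genuine domain
R2_PUBLIC_SUFFIX = ".r2.dev"                 # Cloudflare R2 public bucket host
EXEC_EXTS = (".exe", ".scr", ".com", ".bat", ".js", ".msi")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IMPERSONATION_HINTS = ("ministry of justice", "міністерство юстиції")

def parse_record(line: str) -> dict:
    """Parse key="value" pairs from one constructed gateway log line."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def assess(record: dict) -> list[str]:
    """Return the reasons a message looks like the lure (empty if none)."""
    reasons = []
    domain = record.get("from", "").lower().rsplit("@", 1)[-1]
    display = record.get("display", "").lower()
    if any(h in display for h in IMPERSONATION_HINTS) and domain not in LEGIT_SENDER_DOMAINS:
        reasons.append(f"display name claims Ministry of Justice, sender domain is {domain}")
    for url in URL_RE.findall(record.get("body", "")):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host.endswith(R2_PUBLIC_SUFFIX) and parsed.path.lower().endswith(EXEC_EXTS):
            reasons.append(f"executable hosted on Cloudflare R2 public storage: {url}")
    return reasons

def triage(lines: list[str]) -> dict[str, list[str]]:
    """Map message id -> reasons for every record that trips a check."""
    hits = {}
    for line in lines:
        rec = parse_record(line)
        if reasons := assess(rec):
            hits[rec.get("id", "?")] = reasons
    return hits

# Constructed sample records; the bucket names and addresses are not real IoCs.
SAMPLE_LOG = [
    'id="m1" from="notary-dept@example-mail.test" display="Ministry of Justice of Ukraine" body="Order: https://pub-0000000000.r2.dev/Nakaz_2025.exe"',
    'id="m2" from="info@minjust.gov.ua" display="Ministry of Justice of Ukraine" body="Reminder: https://minjust.gov.ua/news"',
    'id="m3" from="colleague@example-notary.test" display="Olena" body="See https://pub-1111111111.r2.dev/photo.jpg"',
]

if __name__ == "__main__":
    for mid, reasons in triage(SAMPLE_LOG).items():
        print(mid, "->", "; ".join(reasons))
```

Only the message that combines both signals (spoofed ministry display name plus an executable on R2) is flagged; a genuine ministry mail and an R2-hosted image pass.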

## Related Threat Activity

This campaign follows recent CERT-UA reports of Sandworm subgroup (UAC-0212) activity exploiting CVE-2024-38213 in Microsoft Windows. These attacks, occurring between July 2024 and February 2025, targeted companies in Serbia, the Czech Republic, and Ukraine—particularly those involved in automated process control systems, electrical works, and transportation.

The Sandworm attacks deployed various payloads including SECONDBEST (EMPIREPAST), SPARK, and the CROOKBAG Golang loader. Microsoft tracks this threat actor as BadPilot.
