The Government Computer Emergency Response Team (CERT-UA) issued an important warning about a series of targeted cyberattacks aimed at employees within Ukraine’s defense-industrial complex and members of the Armed Forces. These attacks have been tracked under the identifier UAC-0200, marking a concerning escalation in espionage activities leveraging the DarkCrystal RAT (DCRAT).
According to CERT-UA, the attacks, which have been ongoing since at least the summer of 2024, employ sophisticated tactics to gain unauthorized access to sensitive information. One of the primary techniques identified involves the use of the Signal messaging app, where malicious actors have been spreading messages disguised as meeting reports.
Also Read: UAC-0173 Resumes Cyberattacks Against Ukrainian Notary Offices Using DARKCRYSTALRAT Malware
These deceptive messages often contain compressed archive files, which include a PDF document and an executable file, classified as DarkTortilla. The DarkTortilla file serves as a cryptor/loader designed to decrypt and launch the DarkCrystal RAT (DCRAT) on the infected system.
How the DarkCrystal RAT Works
DarkCrystal RAT (DCRAT) is a powerful remote access tool that allows cybercriminals to control infected systems from a distance. Once installed, it grants the attackers complete control over the victim’s device, enabling them to exfiltrate sensitive information, manipulate data, and even deploy additional malicious payloads. The use of DarkTortilla as a loader is particularly concerning as it hides the malicious intent behind a seemingly innocuous file, making it more difficult for users to detect.
The CERT-UA team further emphasized that starting in February 2025, the focus of these attacks shifted toward topics related to unmanned aerial vehicles (UAVs) and electronic warfare systems. This shift suggests that the attackers are now targeting more specific defense technologies, likely to gather intelligence on Ukraine’s military capabilities.
Leveraging Social Engineering Tactics for Cyberattacks
One of the key features of these cyberattacks is the use of social engineering techniques to manipulate victims into opening malicious attachments. The use of Signal, a popular messaging platform, broadens the attack surface, providing cybercriminals with a relatively unregulated channel through which to spread their payloads.
Messages often appear to come from trusted sources, such as colleagues or business partners, whose accounts have already been compromised. This method of attack makes it harder for traditional security systems to detect and block malicious activity, as the attackers exploit legitimate communication channels to deliver their payloads.
CERT-UA’s Ongoing Monitoring and Response
The CERT-UA team has been closely monitoring these threats, and they urge all individuals working in the defense sector to remain vigilant. In the event of receiving suspicious messages or files, CERT-UA encourages immediate reporting to the authorities through all available means.
As part of its ongoing efforts, CERT-UA has released a list of indicators of compromise (IOCs) to help organizations identify and respond to the threat. These IOCs include specific file hashes and network addresses associated with the attack.
The listed files include archive files such as “Звіт 10.03.25.rar” and “Наказ 17.02.2025.pdf,” which contain the malicious executables linked to the DarkCrystal RAT.
The identified network addresses linked to the attacks include:
- 45[.]130.214.237
- 62[.]60.235.190
- 87[.]249.50.64
- 217[.]25.91.61
- 83[.]147.253.138
Additionally, there are several URLs associated with the compromised network infrastructure, which are used to facilitate the attack and maintain communication between the infected systems and the attackers’ servers.
The UAC-0200 attack campaign highlights the growing cybersecurity risks faced by Ukraine’s defense sector. The use of sophisticated malware like DarkCrystal RAT (DCRAT) highlights the need for stronger security, especially against social engineering tactics that exploit communication tools such as Signal. As cybercriminals become more advanced, constant vigilance and proactive cybersecurity measures are essential.
CERT-UA’s ongoing monitoring plays a crucial role in managing these threats, but individuals must also stay alert and report suspicious activity. With cyberattacks becoming more advanced, it’s vital for both government and private sectors to collaborate in strengthening defenses to protect Ukraine’s defense infrastructure and national security.
