
Ukrainian government impersonation SVG phishing campaign

Campaign
First reported
Last updated
Happening score (H score): 36
1 unique source, 1 article

Summary


A phishing campaign impersonating Ukrainian government agencies is delivering CountLoader, raising the risk of stealer and cryptominer infections for targeted government recipients. The operation uses malicious SVG attachments and a staged download chain to push Amatera Stealer and PureMiner. It matters because the lure combines government impersonation with fileless malware delivery to increase the chance of successful compromise.

Related Happenings

Operation MoneyMount-ISO Phantom Stealer phishing campaign targeting Russian finance entities

Campaign
First: 15.12.2025 11:24 Last: 15.12.2025 11:24 Sources 1

About this happening: The Operation MoneyMount-ISO phishing campaign is actively targeting organizations in Russia, and it matters because the emails deliver Phantom Stealer through malic...

Ukraine Police Impersonators fileless phishing campaign targeting Ukrainian government Windows systems

Campaign
First: 29.09.2025 17:49 Last: 29.09.2025 17:49 Sources 1

About this happening: A fileless phishing campaign impersonating the National Police of Ukraine is delivering Amatera Stealer and PureMiner, putting government Windows systems in Ukra...

CountLoader malware loader used by Russian ransomware gangs for payload delivery

Malware Activity
First: 18.09.2025 15:56 Last: 18.09.2025 15:56 Sources 1

How related: A new campaign has been observed impersonating Ukrainian government agencies in phishing attacks to deliver CountLoader, which is then used to drop Amatera Stealer and PureMiner.

About this happening: CountLoader is being used in active ransomware operations to deliver AdaptixC2 worldwide, with analysts linking the loader to the malware’s deployment and a DFIR c...

Latest development: 19.12.2025 17:34

A new CountLoader campaign abuses cracked software distribution sites and MediaFire ZIP archives to deliver CountLoader 3.2, using Setup.exe, mshta.exe, scheduled-task persistence, removable USB spread, and in-memory execution to install ACR Stealer on infected Windows hosts.

Timeline

  1. 26.09.2025 19:40 2 articles · 8mo ago

    Ukrainian government impersonation SVG phishing campaign

    Initial Disclosure

    A phishing campaign impersonates Ukrainian government agencies and sends emails that claim to be notices from the National Police of Ukraine. The messages carry malicious Scalable Vector Graphics (SVG) attachments that trigger a download chain to a password-protected ZIP archive containing a Compiled HTML Help (CHM) file; when launched, the CHM file deploys CountLoader, which then drops Amatera Stealer and PureMiner. The payloads are described as fileless threats that can be executed via .NET Ahead-of-Time (AOT) compilation, process hollowing, or PythonMemoryModule.
