Fileless Phishing Campaign Targets Ukrainian Government Entities
Summary
A fileless phishing campaign impersonating the Ukrainian police targets government entities in Ukraine. The attack uses malicious SVG files in emails to deliver Amatera Stealer and PureMiner malware. The campaign harvests credentials, system data, and mines cryptocurrency from compromised systems. The phishing emails, disguised as official notices from the National Police of Ukraine, contain an SVG attachment named 'elektronni_zapit_NPU.svg'. This file includes an embedded HTML <iframe> element that redirects victims to download malicious payloads. The attack chain involves multiple stages, including the use of a Compiled HTML Help (CHM) file and an HTML Application (HTA) CountLoader, to deploy the final payloads. The malware targets various browsers, chat applications, and system information, and can take remote control of victim devices.
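A mail-gateway check for the lure described above, as an added example that is not from the original report: it flags SVG attachments carrying embedded HTML or remote references. The sample message is constructed, and the `foreignObject` wrapper and `example.invalid` URL in it are assumptions; only the attachment name comes from the summary.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Elements that have no place in a static image attachment.
ACTIVE_TAGS = {"iframe", "foreignobject", "script", "embed", "object"}
REMOTE = ("http:", "https:", "//", "javascript:", "data:text/html")

class SvgAudit(HTMLParser):
    """Tolerant scan: no XML entity expansion, copes with malformed markup."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attr names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} event handler on <{tag}>")
            elif name in ("src", "href", "xlink:href") and value.startswith(REMOTE):
                self.findings.append(f"<{tag}> {name} -> {value[:60]}")

def audit_svg(text):
    parser = SvgAudit()
    parser.feed(text)
    parser.close()
    return parser.findings

def audit_message(raw_bytes):
    """Return {attachment filename: findings} for the SVG parts of one email."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    report = {}
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "image/svg+xml" or name.lower().endswith(".svg"):
            payload = part.get_payload(decode=True) or b""
            report[name] = audit_svg(payload.decode("utf-8", "replace"))
    return report

def build_sample():
    """Constructed test message; the SVG body is illustrative, not the real lure."""
    svg = ('<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="100%" height="100%">'
           '<iframe src="https://example.invalid/landing"></iframe></foreignObject></svg>')
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached notice.")
    msg.add_attachment(svg.encode(), maintype="image", subtype="svg+xml",
                       filename="elektronni_zapit_NPU.svg")
    return bytes(msg)
```

Any non-empty finding list is grounds to quarantine the message or strip the attachment, since a legitimate image rarely needs embedded frames, scripts or remote references.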
Timeline
- 29.09.2025 17:49 · 1 article
Fileless Phishing Campaign Targets Ukrainian Government Entities
Sources:
- Ukrainian Cops Spoofed in Fileless Phishing Attacks on Kyiv — www.darkreading.com — 29.09.2025 17:49
Information Snippets
- The phishing campaign targets Microsoft Windows machines at government entities in Ukraine.
- The emails contain malicious SVG files designed to trick recipients into opening harmful attachments.
- The campaign delivers two malware payloads: Amatera Stealer and PureMiner.
- Amatera Stealer harvests credentials, system data, application data, browser files, and cryptocurrency wallets.
- PureMiner is a stealthy .NET cryptominer that collects hardware information and monitors system activity.
- The attack chain uses fileless deployment techniques, including .NET Ahead-of-Time (AOT) compilation and PythonMemoryModule.
- The campaign is rated as high-severity by FortiGuard Labs.

Each snippet above was first reported 29.09.2025 17:49 (1 source, 1 article):
- Ukrainian Cops Spoofed in Fileless Phishing Attacks on Kyiv — www.darkreading.com — 29.09.2025 17:49