The Computer Emergency Response Team of Ukraine (CERT-UA) has recently identified a surge in targeted cyberattacks against employees of the defense-industrial complex and members of the Defense Forces of Ukraine.
These attacks involve the misuse of the Signal messenger app to distribute malware, specifically the DarkCrystal RAT (DCRAT), which is a remote access trojan capable of executing arbitrary commands, stealing sensitive data, and establishing persistent control over infected systems.
Phishing Tactics and Malware Distribution
Attackers are using compromised Signal accounts to send phishing messages that appear as meeting reports.
These messages contain malicious archives, typically ZIP or RAR files, which include a decoy PDF file and an executable file known as DarkTortilla.

DarkTortilla acts as a cryptor/loader that decrypts and launches the DCRAT malware.
This tactic exploits the trust associated with familiar contacts, increasing the likelihood that recipients will open the malicious files.
CERT-UA tracks this activity under the identifier UAC-0200. It has been active since at least the summer of 2024, and recent lures have centered on unmanned aerial vehicles (UAVs), electronic warfare systems, and other military technologies.
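The lure pattern above (an archive holding a decoy PDF next to an executable loader) is easy to screen for before anyone opens the attachment. The following is an added example, not code from CERT-UA or from the report; it inspects a ZIP held in memory, classifies each member by its leading bytes rather than its extension, and flags the decoy-plus-executable pairing and misleading names such as `report.pdf.exe`. It handles ZIP only; RAR would need a third-party library, and the sample archives are constructed inline.

```python
"""Heuristic screen for the 'decoy PDF + executable' archive pattern.

Added illustration; assumptions: ZIP input only, Windows PE detected by the
'MZ' magic, PDF by '%PDF'. Not part of CERT-UA's report or tooling.
"""
import io
import zipfile

PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
EXEC_EXTENSIONS = {"exe", "scr", "com", "pif", "dll", "cpl"}


def classify_member(head: bytes) -> str:
    """Classify a member by its first bytes, not by its file name."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def inspect_zip(data: bytes) -> dict:
    """Return {'suspicious': bool, 'reasons': [...], 'members': [...]} for a ZIP blob."""
    members = []
    reasons = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # enough for both magic checks
            kind = classify_member(head)
            parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
            ext = parts[-1] if len(parts) > 1 else ""
            members.append({"name": info.filename, "kind": kind, "ext": ext})

            # An executable whose name does not end in an executable extension
            # (e.g. 'report.pdf' that is really a PE) is misleading on its own.
            if kind == "pe" and ext not in EXEC_EXTENSIONS:
                reasons.append(f"executable disguised by extension: {info.filename}")
            # Double extensions like 'report.pdf.exe' rely on hidden extensions in Explorer.
            if len(parts) > 2 and parts[-2] in {"pdf", "doc", "docx", "xls", "xlsx"}:
                reasons.append(f"double extension: {info.filename}")

    kinds = {m["kind"] for m in members}
    if "pe" in kinds and "pdf" in kinds:
        reasons.append("decoy PDF paired with an executable in the same archive")

    return {"suspicious": bool(reasons), "reasons": reasons, "members": members}


def build_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real malware): a fake PE stub and a minimal PDF header.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
FAKE_PDF = b"%PDF-1.4\n%%EOF\n"

LURE_ZIP = build_zip({
    "meeting_report.pdf": FAKE_PDF,          # decoy document
    "meeting_report.pdf.exe": FAKE_PE,       # loader posing as the same report
})
BENIGN_ZIP = build_zip({
    "agenda.pdf": FAKE_PDF,
    "minutes.pdf": FAKE_PDF,
})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        verdict = inspect_zip(blob)
        print(label, "suspicious" if verdict["suspicious"] else "clean", verdict["reasons"])
```

Because the check reads content rather than trusting names, renaming the loader to `report.pdf` still trips the disguised-extension rule, and a PDF-only archive produces no findings. The same screen can run on a gateway or on a workstation download folder wherever Signal Desktop stores attachments.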
The use of popular messengers like Signal significantly expands the attack surface by creating channels for information exchange that the organization does not control: messages are end-to-end encrypted and delivered straight to personal devices, so attachments never pass through the mail gateway or other perimeter controls that would normally inspect them.
This makes such threats hard to detect with standard cyber protection tools.
CERT-UA emphasizes the importance of vigilance and encourages users to report suspicious messages immediately.
The agency also highlights the need for enhanced security measures to counter such sophisticated attacks.
Recommendations for Enhanced Security
According to the report, users should treat messages with attachments with caution even when they come from known contacts, since the sending account itself may be compromised.
Turning off automatic downloads of attachments and regularly reviewing the list of linked devices, removing any that are not recognized, can help prevent unauthorized access, because an attacker who has linked a device to an account can read and send messages as that user.
Additionally, keeping software up to date and enabling two-factor authentication (in Signal, the Registration Lock tied to the Signal PIN) can provide an extra layer of protection against such targeted attacks.
As the threat landscape continues to evolve, CERT-UA’s warnings underscore the importance of proactive cybersecurity measures in the defense sector.