CERT-UA: Russia-linked UAC-0125 abuses Cloudflare Workers to target Ukrainian army

The Computer Emergency Response Team of Ukraine (CERT-UA) warns that the threat actor UAC-0125 abuses Cloudflare Workers services to target the Ukrainian army with Malware.

The Computer Emergency Response Team of Ukraine (CERT-UA) warns that the threat actor UAC-0125 exploits Cloudflare Workers to target the Ukrainian military, spreading malware disguised as the mobile app Army+ app from Ukraine’s Ministry of Defence.

On December 17, 2024, MIL.CERT-UA experts notified the Ukraine CERT-UA regarding the detection of multiple websites mimicking the official page of the “Army+” app and were published through the Cloudlfare Workers service.

Upon visiting these websites, visitors are prompted to download the executable file “ArmyPlusInstaller-v.0.10.23722.exe” (name subject to change). The Windows executable is created using NSIS (Nullsoft Scriptable Install System), which, in addition to the .NET decoy file “ArmyPlus.exe”, contains Python interpreter files, an archive with Tor program files, and a PowerShell script “init.ps1”.

Opening “ArmyPlusInstaller-v.0.10.23722.exe” triggers a decoy file and a PowerShell script that sets up covert SSH access for attackers via Tor.

CERT-UA links UAC-0125 activity to the UAC-0002 cluster (Sandworm/APT44). Earlier 2024 attacks used trojanized Microsoft Office files to initiate deeper cyber intrusions.

“We emphasize that in the case of successful penetration and interest in the object of influence, attackers further develop a cyberattack on the organization’s information and communication system.” concludes the Computer Emergency Response Team of Ukraine, which also shared Cyber ​​threat indicators for this campaign.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Computer Emergency Response Team of Ukraine)