A sophisticated cyber espionage campaign targeting employees of defense industrial complex enterprises and representatives of the Defense Forces of Ukraine has been uncovered.
The attackers are using the popular Signal messenger app to distribute malicious archives that purportedly contain meeting reports, exploiting the trusted nature of the platform to bypass security measures.
The malicious campaign, tracked under the identifier UAC-0200, has been active since at least summer 2024 but has intensified during March 2025.
In some instances, the threat actors compromised existing contacts’ accounts to enhance the credibility of their messages.
Analysts at the Computer Emergency Response Team of Ukraine (CERT-UA) noted that the distributed archives typically contain a PDF file alongside an executable classified as DarkTortilla.
This cryptor/loader decrypts and launches the Dark Crystal RAT (DCRAT) remote-control tool, giving the attackers comprehensive access to victims’ systems.
Since February 2025, the decoy messages have specifically focused on topics related to UAVs, electronic warfare equipment, and other defense-related technologies.
Security researchers warn that the use of popular instant messengers on both mobile devices and computers significantly expands the potential attack surface by creating communication channels that often bypass organizational security controls.
The malicious files employ sophisticated techniques to evade detection while establishing persistence on infected systems.
The campaign uses a multi-stage infection chain that runs from the Signal message, through the archive and the DarkTortilla loader, to DCRAT deployment.
Initial archives contain executables between 200 and 500 KB in size, with names such as “material.exe,” “pdfDecod.exe,” and “Office2025version46-v.exe.” When executed, these files deploy the Dark Crystal RAT (DCRAT) payload.
Network analysis reveals communication with multiple command and control servers, including IP addresses 45.130.214.237, 62.60.235.190, and 87.249.50.64.
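The indicators above (a PDF decoy bundled with a small executable, the reported file names and size band, and the three C2 addresses) are easy to turn into a first-pass triage check. The following is an added example written for this page, not CERT-UA tooling or code from the report: it inspects a zip archive for the decoy-plus-executable pattern and matches connection-log lines against the listed C2 addresses. The sample archive and log lines are constructed here (the “executable” is an MZ header followed by zero padding, not real malware), the log line layout and the list of executable extensions beyond .exe are assumptions, and the assumed `zip` container is only one possible archive format.

```python
"""Triage helpers for the UAC-0200 lure pattern described in the CERT-UA report.
Added example; sample archive and log lines are constructed, not captured."""
import io
import ipaddress
import re
import zipfile

# Indicators quoted in the report.
C2_ADDRESSES = {"45.130.214.237", "62.60.235.190", "87.249.50.64"}
KNOWN_LURE_NAMES = {"material.exe", "pdfdecod.exe", "office2025version46-v.exe"}
EXE_SIZE_RANGE = (200 * 1024, 500 * 1024)          # reported 200-500 KB band
# Assumption: treat other Windows executable extensions like .exe.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

# Assumed log layout: "<timestamp> <src-ip>:<port> -> <dst-ip>:<port> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)")


def inspect_archive(data: bytes) -> dict:
    """Flag a zip that bundles a PDF decoy with a Windows executable and
    record why each executable member looks like the reported lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        pdfs = [m for m in members if m.filename.lower().endswith(".pdf")]
        exes = [m for m in members
                if m.filename.lower().endswith(EXECUTABLE_SUFFIXES)]
        for m in exes:
            # Strip any directory prefix; "report.pdf.exe" still ends in .exe.
            name = m.filename.rsplit("/", 1)[-1].lower()
            reasons = []
            if name in KNOWN_LURE_NAMES:
                reasons.append("filename matches reported lure")
            if EXE_SIZE_RANGE[0] <= m.file_size <= EXE_SIZE_RANGE[1]:
                reasons.append("size in reported 200-500 KB band")
            # Check content, not just extension: a PE file starts with "MZ".
            with zf.open(m) as fh:
                if fh.read(2) == b"MZ":
                    reasons.append("PE header present")
            findings.append({"member": m.filename, "reasons": reasons})
    suspicious = bool(pdfs) and any(f["reasons"] for f in findings)
    return {"pdf_decoy": bool(pdfs), "executables": findings,
            "suspicious": suspicious}


def scan_connections(lines) -> list:
    """Return (timestamp, destination, port) for every parseable line whose
    destination is one of the reported C2 addresses."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        dst = m.group("dst")
        try:
            ipaddress.ip_address(dst)       # drop malformed addresses
        except ValueError:
            continue
        if dst in C2_ADDRESSES:
            hits.append((m.group("ts"), dst, int(m.group("port"))))
    return hits


def build_sample_archive() -> bytes:
    """Constructed lure: a PDF stub next to a 300 KB 'material.exe' whose only
    executable trait is the MZ header. Not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("meeting_report.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("material.exe", b"MZ" + b"\x00" * (300 * 1024 - 2))
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a PDF and a text file, no executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("meeting_report.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("notes.txt", b"agenda\n")
    return buf.getvalue()


# Constructed connection log: one benign destination between two C2 hits.
SAMPLE_LOG = [
    "2025-03-18T09:14:02Z 10.0.5.21:51234 -> 45.130.214.237:443 TCP",
    "2025-03-18T09:14:05Z 10.0.5.21:51235 -> 142.250.74.78:443 TCP",
    "2025-03-18T09:15:11Z 10.0.5.22:49911 -> 87.249.50.64:8080 TCP",
]

if __name__ == "__main__":
    print(inspect_archive(build_sample_archive()))
    print(inspect_archive(build_benign_archive()))
    print(scan_connections(SAMPLE_LOG))
```

The archive check deliberately keys on content (the MZ header) as well as the file name and size, since the reported names are trivially changed between waves; the C2 match is the cheap retrospective check to run against proxy or firewall logs for the period since summer 2024.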
CERT-UA urges vigilance and immediate reporting of suspicious messages to prevent further compromise of sensitive defense industry systems.