The recent warning issued by the Government Computer Emergency Response Team (CERT-UA) regarding targeted cyberattacks on Ukraine’s defense-industrial complex and Armed Forces has raised significant concerns in the cybersecurity community. The activity, tracked by CERT-UA under the identifier UAC-0200 and relying on the DarkCrystal RAT (DCRAT), represents a troubling escalation in espionage operations aimed at gaining unauthorized access to sensitive information.
Since the summer of 2024, these cyberattacks have been ongoing, employing sophisticated tactics to infiltrate systems within the defense sector. One of the primary tactics involves the use of the Signal messaging app to distribute malicious messages disguised as meeting reports. These messages often contain compressed archive files that harbor a PDF document and an executable file known as DarkTortilla, which serves as a cryptor/loader for launching DCRAT on the victim’s system.
DCRAT is a potent remote access tool that enables cybercriminals to take full control of infected systems, allowing them to exfiltrate sensitive data, manipulate information, and deploy additional malicious payloads. The use of DarkTortilla as a loader conceals the malicious nature of the file, making detection more challenging for users.
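The delivery chain above (an archive that bundles a decoy PDF with an executable loader) is a pattern a mail or chat gateway can triage before a user ever opens the attachment. The following is an added example, not CERT-UA's tooling or code from the advisory; the extension sets are an assumption to be tuned to local policy, and the sample archive is constructed in memory with placeholder contents.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumption: a Windows-centric set of extensions treated as directly
# executable payloads. Extend to match the environment being defended.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                   ".ps1", ".dll", ".msi", ".lnk", ".hta"}
# Document types commonly used as the decoy that sits beside the payload.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}


def classify_member(name: str) -> dict:
    """Classify one archive entry by its final extension and flag double
    extensions such as 'report.pdf.exe' that imitate a document."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    return {
        "name": name,
        "executable": final in EXECUTABLE_EXTS,
        "document": final in DOCUMENT_EXTS,
        "double_extension": final in EXECUTABLE_EXTS
        and any(s in DOCUMENT_EXTS for s in suffixes[:-1]),
    }


def triage_archive(data: bytes) -> dict:
    """Inspect a zip archive given as bytes and report whether it matches the
    decoy-document-plus-executable lure layout described by CERT-UA."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [classify_member(i.filename)
                   for i in zf.infolist() if not i.is_dir()]
    executables = [m["name"] for m in members if m["executable"]]
    documents = [m["name"] for m in members if m["document"]]
    double_ext = [m["name"] for m in members if m["double_extension"]]
    return {
        "members": len(members),
        "executables": executables,
        "documents": documents,
        "double_extension": double_ext,
        # A decoy paired with a payload, or a disguised executable on its own,
        # is enough to hold the file for analyst review instead of delivering it.
        "suspicious": bool(executables and documents) or bool(double_ext),
    }


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the described lure layout; the member
    contents are placeholders, not real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meeting_report.pdf", b"%PDF-1.4 placeholder decoy")
        zf.writestr("meeting_report.pdf.exe", b"MZ placeholder, not a binary")
    return buf.getvalue()
```

Archive members are judged by name only here; in production the verdict would also feed the member hashes into the CERT-UA IOC list and a sandbox.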
In February 2025, the focus of these attacks shifted towards unmanned aerial vehicles (UAVs) and electronic warfare systems, indicating a targeted interest in specific defense technologies to gather intelligence on Ukraine’s military capabilities. Social engineering techniques play a crucial role in these cyberattacks, with attackers leveraging trusted communication channels like Signal to manipulate victims into opening malicious attachments from compromised accounts.
The CERT-UA team has been actively monitoring these threats and advises individuals in the defense sector to remain vigilant against suspicious messages and files. In response, CERT-UA has released indicators of compromise (IOCs) to help organizations identify and respond to the threat, including specific file hashes and network addresses associated with the attack. The archive files and network addresses in that list are key components in detecting and mitigating the threat posed by the UAC-0200 campaign.
The use of sophisticated malware like DCRAT underscores the growing cybersecurity risks facing Ukraine’s defense sector. As cybercriminals continue to advance their tactics, constant vigilance and proactive cybersecurity measures are essential for defense against such threats, especially social engineering tactics that exploit communication platforms. Collaboration between government and private sectors is crucial in bolstering defenses to safeguard Ukraine’s critical defense infrastructure and national security.
In conclusion, the ongoing monitoring and rapid response by CERT-UA are vital in addressing these cyber threats, but individual awareness and reporting of suspicious activities are equally important. With the increasing sophistication of cyberattacks, a united effort is needed to enhance cybersecurity defenses and protect Ukraine’s national security interests.

