In a recent development, CERT-UA, the Governmental Computer Emergency Response Team of Ukraine, has raised an alarm about the resurgence of the notorious cybercriminal group UAC-0173. This group, known for orchestrating targeted cyberattacks on critical Ukrainian state infrastructure, has shifted its focus to Ukraine’s notary offices, aiming to gain unauthorized access to notary computers and manipulate state registers for financial gain.
The Ministry of Justice of Ukraine and the State Special Communications Service have been actively working to defend against these attacks, which are part of a broader cyber-espionage campaign aimed at destabilizing Ukraine’s public records systems. The attacks involve the use of sophisticated malware, advanced system exploitation tools, and various techniques to bypass security measures like User Account Control (UAC).
The UAC-0173 group first emerged in late January 2025, initially targeting Ukrainian notary systems through email messages disguised as official communications from the Ministry of Justice. These emails contained links to malicious files that, when opened, deployed the DARKCRYSTALRAT (DCRAT) malware, allowing the attackers to establish initial access. Subsequently, additional malicious software, such as RDPWRAPPER, was installed to enable multiple Remote Desktop Protocol (RDP) sessions and facilitate direct access to compromised computers.
The attackers also utilized tools like FIDDLER to intercept login credentials from state registers’ web interfaces and XWORM stealer to capture usernames, passwords, and keystrokes. CERT-UA, in collaboration with the Cybersecurity Commission of the Notarial Chamber of Ukraine, identified compromised systems across six regions of Ukraine and swiftly isolated and secured them to prevent further malicious activities.
Despite the proactive measures taken to secure notary systems and provide guidance to notaries on system configurations, the demand for services to alter state registers remains high, making it likely that UAC-0173 will continue targeting notarial systems in the future. CERT-UA emphasized the importance of vigilance and prompt reporting of any suspicious activities by notaries to combat cybercriminal threats effectively.
The attackers deployed a range of advanced tools, including DCRAT and XWORM malware families, to exfiltrate data, monitor victim activities, and compromise systems further. The use of tools like RDPWRAPPER facilitated parallel RDP sessions, enhancing their control over compromised systems. Malicious files like RDPWInst.exe, install.bat, HAKA3.exe, bore.exe, and xupwork3.exe were identified by CERT-UA, indicating the varied methods employed in the attack campaign, including email attachments and direct downloads from compromised websites.
Moreover, CERT-UA identified indicators of compromise (IOCs), such as suspicious file names and URLs, to track the activities of UAC-0173 and aid in the detection and mitigation of ongoing attacks. By monitoring these IOCs, cybersecurity teams can strengthen their defense mechanisms and safeguard Ukrainian state institutions from potential breaches.
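The article says defenders can monitor the published indicators to detect this activity. The script below, added here as an illustration and not part of CERT-UA's advisory or tooling, shows one way to do that with the file names named in the article: it matches process-creation telemetry against those names (checking both the executable path and command-line arguments, so a batch file launched through cmd.exe is still caught) and separately flags a host with more than one RDP session active at the same time, the symptom of the RDP Wrapper behaviour the article describes, since a Windows workstation normally allows only one interactive session. The JSON-lines telemetry format, host names, user names and IP addresses are constructed for the example.

```python
import json
from collections import defaultdict

# File names CERT-UA reported as indicators for this campaign (taken from the article).
IOC_FILENAMES = {"rdpwinst.exe", "install.bat", "haka3.exe", "bore.exe", "xupwork3.exe"}

# Constructed sample process-creation telemetry (JSON lines); not real data from any office.
PROCESS_EVENTS = r"""
{"ts": "2025-02-03T09:00:01", "host": "notary-01", "user": "n.ivanova", "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "parent": "explorer.exe"}
{"ts": "2025-02-03T09:02:13", "host": "notary-01", "user": "n.ivanova", "image": "C:\\Users\\n.ivanova\\Downloads\\HAKA3.exe", "parent": "explorer.exe"}
{"ts": "2025-02-03T09:02:40", "host": "notary-01", "user": "n.ivanova", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "HAKA3.exe", "cmdline": "cmd.exe /c install.bat"}
{"ts": "2025-02-03T09:02:41", "host": "notary-01", "user": "n.ivanova", "image": "C:\\Users\\n.ivanova\\AppData\\Local\\Temp\\RDPWInst.exe", "parent": "cmd.exe"}
{"ts": "2025-02-03T10:15:00", "host": "notary-02", "user": "o.petrenko", "image": "C:\\Windows\\explorer.exe", "parent": "userinit.exe"}
"""

# Constructed sample logon/logoff telemetry; logon_type 10 is RemoteInteractive (RDP).
SESSION_EVENTS = r"""
{"ts": "2025-02-03T11:00:00", "host": "notary-01", "event": "logon", "logon_type": 10, "session": 2, "src": "10.0.0.5"}
{"ts": "2025-02-03T11:05:00", "host": "notary-01", "event": "logon", "logon_type": 10, "session": 3, "src": "10.0.0.9"}
{"ts": "2025-02-03T11:30:00", "host": "notary-01", "event": "logoff", "session": 2}
{"ts": "2025-02-03T12:00:00", "host": "notary-02", "event": "logon", "logon_type": 10, "session": 2, "src": "10.0.0.7"}
{"ts": "2025-02-03T12:20:00", "host": "notary-02", "event": "logoff", "session": 2}
{"ts": "2025-02-03T12:21:00", "host": "notary-02", "event": "logon", "logon_type": 10, "session": 3, "src": "10.0.0.7"}
"""


def parse_jsonl(text):
    """Parse JSON-lines text into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased final path component, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_ioc_files(events, iocs=IOC_FILENAMES):
    """Return process events whose image or any command-line token is a listed IOC file name."""
    hits = []
    for ev in events:
        names = {basename(ev.get("image", ""))}
        names |= {basename(tok) for tok in ev.get("cmdline", "").split()}
        matched = sorted(names & iocs)
        if matched:
            hits.append({"ts": ev["ts"], "host": ev["host"], "user": ev.get("user"),
                         "image": ev["image"], "matched": matched})
    return hits


def detect_parallel_rdp(events):
    """Flag each RDP logon that leaves more than one RDP session active on the same host."""
    active = defaultdict(set)  # host -> set of active RDP session ids
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sessions = active[ev["host"]]
        if ev["event"] == "logon" and ev.get("logon_type") == 10:
            sessions.add(ev["session"])
            if len(sessions) > 1:
                alerts.append((ev["host"], ev["ts"], len(sessions)))
        elif ev["event"] == "logoff":
            sessions.discard(ev["session"])
    return alerts


if __name__ == "__main__":
    for hit in match_ioc_files(parse_jsonl(PROCESS_EVENTS)):
        print("IOC file match:", hit)
    for host, ts, count in detect_parallel_rdp(parse_jsonl(SESSION_EVENTS)):
        print(f"parallel RDP sessions on {host} at {ts}: {count} active")
```

On the constructed input this reports three IOC matches on notary-01 (HAKA3.exe, the install.bat launched via cmd.exe, and RDPWInst.exe) and one parallel-session alert on that host; notary-02's back-to-back RDP logons produce nothing because the first session ended before the second began. File-name matching is easy for an attacker to evade by renaming, so in practice it is a starting point to be paired with the session-count check and with hashes or other indicators from the advisory itself.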
The deployment of RDPWRAPPER underscored the attackers’ sophistication, allowing them to bypass security protocols and gain persistent access to notary systems, ultimately enabling malicious activities like altering state registers. As the collaboration between CERT-UA, the Ministry of Justice of Ukraine, and law enforcement agencies plays a pivotal role in countering cyber threats, the continuous efforts to enhance cybersecurity measures and secure notarial systems are imperative to mitigate risks and prevent further breaches. Notaries are urged to maintain vigilance and report any suspicious activity promptly to facilitate a timely and effective response.
