Ukrainian authorities have issued a warning that cybercriminals have been targeting notaries to gain unauthorized access to government databases.
Since mid-January 2025, CERT-UA (the Ukrainian Computer Emergency Response Team) has been observing a resurgence in activity from the organized criminal group UAC-0173. On commission and for financial reward, the group has been conducting cyberattacks to establish covert remote access to notaries' computers, with the ultimate goal of making unauthorized alterations to state registries.
The latest incident involved a batch of phishing emails appearing to come from a regional department of the Ukrainian Ministry of Justice. The emails contained malicious links designed to download executable files, such as "HAKA3.exe," "Ministry of Justice Order No. 43613.1-03.exe," and "Notice.exe." Running these downloaded files infects the targeted computer with the DarkCrystal RAT (DCRat) malware, giving the cybercriminals initial access to the automated workstations of notaries.
Once access is obtained, the attackers proceed to install additional tools, including RDP Wrapper, which enables parallel RDP (Remote Desktop Protocol) sessions. When used in combination with the bore tunnelling utility, it allows the hackers to establish RDP connections directly to the victim's computer over the internet.
In addition, the attackers have been observed deploying tools to bypass User Account Control (UAC), using the Nmap network scanner, the Fiddler proxy/sniffer tool (to intercept authentication data entered in the government registry's web interface), and the XWorm stealer (which can capture login credentials, passwords, clipboard contents, and keystrokes). In some cases, the compromised machines were used to send additional phishing emails, further spreading the malware.
Earlier this month, CERT-UA warned of a malicious campaign against the information and communication systems (ICS) of nearly twenty energy, water, and heating supply companies across ten regions of Ukraine.
The targeted attacks, which have been ongoing since the first quarter of 2024, were orchestrated by the threat actor identified as UAC-0212, a subcluster of the notorious UAC-0002 (Sandworm, APT44, Seashell Blizzard).