Sophisticated Phishing Campaign Targets Ukraine’s Largest Bank


A new phishing campaign orchestrated by the financially motivated threat group UAC-0006 has been discovered targeting customers of PrivatBank, Ukraine’s largest state-owned financial institution.

Cybersecurity analysts from CloudSEK identified an ongoing attack that employs password-protected archives containing malicious JavaScript, VBScript or LNK files to evade detection.

Attack Methods and Payloads

UAC-0006 has been observed deploying payment-themed phishing lures since November 2024, leveraging:

  • Malicious email attachments disguised as invoices
  • JavaScript and VBScript files executing PowerShell commands
  • SmokeLoader malware for command-and-control (C2) communication

These techniques facilitate unauthorized access, payload execution and persistent control over compromised systems.

The latest attack begins with a phishing email containing a password-protected ZIP or RAR file. Once opened, the extracted JavaScript or VBScript file initiates a series of processes that inject malicious code into legitimate Windows binaries.
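The chain above (password-protected archive, script file, PowerShell, injection) leaves two detectable hand-offs before any code is injected: the attachment itself and the script host launching PowerShell. The following is an added illustration, not code from CloudSEK or the article; the attachment metadata and process events are constructed samples and the `Attachment`/`ProcessEvent` types are assumptions about what a mail gateway and EDR would expose.

```python
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".lnk")
ARCHIVE_EXTENSIONS = (".zip", ".rar")
EVASION_TOKENS = ("-enc", "-w hidden", "-windowstyle hidden", "-nop")  # hidden/obfuscated launch

@dataclass
class Attachment:
    name: str
    encrypted: bool  # password-protected: gateway scanners cannot inspect the members
    members: tuple   # file names listed inside the archive

@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_attachment(att):
    """Password-protected ZIP/RAR carrying a script or shortcut payload."""
    is_archive = att.name.lower().endswith(ARCHIVE_EXTENSIONS)
    return is_archive and att.encrypted and any(m.lower().endswith(SCRIPT_EXTENSIONS) for m in att.members)

def check_process(ev):
    """Script host (wscript/cscript) spawning PowerShell: the hand-off step of the chain."""
    return _basename(ev.parent_image) in SCRIPT_HOSTS and _basename(ev.image) in POWERSHELL

def evasion_flags(ev):
    return [t for t in EVASION_TOKENS if t in ev.command_line.lower()]

def triage(attachments, events):
    """Returns one finding string per match; an empty list means nothing matched."""
    findings = []
    for a in attachments:
        if check_attachment(a):
            findings.append(f"attachment {a.name}: encrypted archive with script member")
    for e in events:
        if check_process(e):
            findings.append(f"process {_basename(e.parent_image)} -> {_basename(e.image)} {evasion_flags(e)}")
    return findings

# Constructed samples (not real telemetry): one malicious chain, one benign pair
SAMPLE_ATTACHMENTS = [Attachment("invoice_2094.zip", True, ("invoice.js",)),
                      Attachment("report.zip", False, ("q1.pdf",))]
SAMPLE_EVENTS = [ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\powershell.exe", "powershell -nop -w hidden -enc QQBBAEEA"),
                 ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe")]
```

In production the attachment check belongs at the mail gateway and the process check in an EDR or Sysmon event 1 rule; both matches together should raise the finding's priority.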

Tactical Evolution and Attribution

Recent forensic analysis indicates that UAC-0006 has adopted LNK files as a new attack vector, mirroring tactics previously associated with the Russian advanced persistent threat (APT) group FIN7.

These changes suggest an operational overlap with EmpireMonkey and Carbanak, both known for financial cybercrime. The use of PowerShell, process injection and non-standard C2 communication techniques aligns with the group’s historical modus operandi.

Phishing campaigns pose several risks, including data compromise, after which stolen credentials and financial information can be used for fraud or sold on the dark web. Such campaigns also facilitate credential harvesting, enabling unauthorized access to banking and corporate accounts.

Additionally, PrivatBank and other entities impersonated in phishing emails may experience reputational damage. The impersonation of financial service providers increases downstream risks within the supply chain.


Recommended Mitigation Strategies

To counteract these threats, cybersecurity experts recommend:

  • Blocking malicious indicators: Monitor and blacklist URLs, IPs and file hashes linked to UAC-0006
  • Security awareness training: Educate employees to identify phishing attempts
  • Incident response measures: Establish protocols for detecting and mitigating attacks before damage occurs

UAC-0006’s continued evolution underscores the growing sophistication of financially motivated cybercrime groups. Vigilance, proactive defense strategies and user awareness remain critical in mitigating these threats.
