• Latest
  • Trending
Hackers target Russian govt with fake Windows updates pushing RATs

Hackers target Russian govt with fake Windows updates pushing RATs

May 25, 2022
Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023
Vice President Dr. Bawumia inaugurates  ICT Hub

Vice President Dr. Bawumia inaugurates ICT Hub

April 2, 2023
Co-Creation Hub’s edtech accelerator puts $15M towards African startups

Co-Creation Hub’s edtech accelerator puts $15M towards African startups

February 20, 2023
Data Leak Hits Thousands of NHS Workers

Data Leak Hits Thousands of NHS Workers

February 20, 2023
EU Cybersecurity Agency Warns Against Chinese APTs

EU Cybersecurity Agency Warns Against Chinese APTs

February 20, 2023
How Your Storage System Will Still Be Viable in 5 Years’ Time?

How Your Storage System Will Still Be Viable in 5 Years’ Time?

February 20, 2023
The Broken Promises From Cybersecurity Vendors

Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos

February 20, 2023
Instagram and Facebook to get paid-for verification

Instagram and Facebook to get paid-for verification

February 20, 2023
YouTube CEO Susan Wojcicki steps down after nine years

YouTube CEO Susan Wojcicki steps down after nine years

February 20, 2023
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Friday, 17 July, 2026
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

Hackers target Russian govt with fake Windows updates pushing RATs

by ITECHNEWS
May 25, 2022
in Infosec, Leading Stories
0 0
0
Hackers target Russian govt with fake Windows updates pushing RATs

Hackers are targeting Russian government agencies with phishing emails that pretend to be Windows security updates and other lures to install remote access malware.

The attacks are being conducted by a previously undetected APT (advanced persistent threat) group believed to be operating from China, who are linked to four separate spear-phishing campaigns.

YOU MAY ALSO LIKE

French Telco Orange Hit by Cyber-Attack

ATC Ghana supports Girls-In-ICT Program

These operations spanned between February and April 2022, coinciding with the Russian invasion of Ukraine. Its targets have been government entities of the Russian Federation.

In all four cases, the ultimate goal of the campaigns was to infect the targets with a custom remote access trojan (RAT) which most likely aided in espionage operations.

The discovery and report come from analysts at the Malwarebytes Threat Intelligence team, who noticed the threat actors’ distinctive attempts to spoof other hacking groups and pass undetected.

The phishing campaigns

The first of the four campaigns attributed to this new APT began in February 2022, mere days after the Russian invasion of Ukraine, distributing the RAT under the name “interactive_map_UA.exe”.

For the second wave, the APT had more time to prepare something more sophisticated. They used a tar.gz archive that was supposed to be a fix for the Log4Shell vulnerability sent by the Ministry of Digital Development, Telecommunications, and Mass Communications of the Russian Federation.

According to Malwarebytes, this campaign had a narrow targeting as most of the associated emails reached employees of the RT TV station, a state-owned Russian television network.

Those emails contained a PDF with instructions on installing the Log4j patch and even included advice like “not to open or reply to suspicious emails”.

“Taking into account the use by cybercriminals of certain software and server-type vulnerabilities to gain access to user information, a software patch was released to update a Windows 10 system that closes the vulnerability CVE-2021-44228 (severity level 10.0),” reads the translated phishing document, as shown below.

PDF containing instructions on how to install the malware
PDF containing instructions on how to install the malware
(Malwarebytes)

The third campaign spoofs Rostec, a Russian state-owned defense conglomerate, and the actors used newly registered domains like “Rostec.digital” and fake Facebook accounts to spread their malware while making it look like it comes from the known entity.

Fake company profile on Facebook
Fake company profile on Facebook (Malwarebytes)

Finally, in April 2022, the Chinese hackers switched to a macro-infected Word document containing a fake job advert by Saudi Aramco, a large oil and natural gas firm.

The document used remote template injection to fetch the malicious template and drop the VBS script onto candidates applying for the “Strategy and Growth Analyst” position.

The Aramco campaign infection chain
The Aramco campaign infection chain (Malwarebytes)

Stealthy custom payload

Malwarebytes was able to retrieve samples of the dropped payload from all four campaigns and reports that in all cases, it is essentially the same DLL using different names.

The malware features anti-analysis techniques such as control flow flattening via OLLVM and string obfuscation using XOR encoding.

Control flow flattening in the malware
Control flow flattening in the malware (Malwarebytes)

In terms of the commands that the C2 can request from the payload, these include the following:

  • getcomputername – profile the host and assign a unique ID
  • upload – receive a file from the C2 and write it onto the host’s disk
  • execute – execute a command-line instruction from the C2 and respond with the result
  • exit – terminate the malware process
  • ls – retrieve a list of all files under a specified directory and send it to the C2
The malware's upload command
The malware’s upload command (Malwarebytes)

The C2 domains discovered by Malwarebytes were “windowsipdate[.]com”, “microsoftupdetes[.]com”, and “mirror-exchange[.]com”.

Spoofing other hackers

The evidence that points to this new APT being a Chinese group stems from the infrastructure, but Malwarebytes’ confidence is low.

What is clear is the intention of the threat actor to hide its distinctive tracks by spoofing other hackers and using their malware tools.

For example, parts of the infrastructure used were previously linked to the Sakula RAT, used by the Deep Panda Chinese APT.

Another interesting finding is that the new APT used the same macro builder for the Saudi Aramco wave as TrickBot and BazarLoader.

Finally, there’s the deployment of the wolfSSL library, which is typically seen exclusively in Lazarus or Tropic Trooper campaigns.

Source: Bill Toulas
Via: bleepingcomputer
Tags: Hackers target Russian govt with fake Windows updates pushing RATs
ShareTweet

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025

Recent News

  • Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa July 29, 2025
  • French Telco Orange Hit by Cyber-Attack July 29, 2025
  • ATC Ghana supports Girls-In-ICT Program April 25, 2023
  • Vice President Dr. Bawumia inaugurates ICT Hub April 2, 2023
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version