• Latest
  • Trending
Ukraine supporters in Germany targeted with PowerShell RAT malware

Ukraine supporters in Germany targeted with PowerShell RAT malware

May 18, 2022
Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023
Vice President Dr. Bawumia inaugurates  ICT Hub

Vice President Dr. Bawumia inaugurates ICT Hub

April 2, 2023
Co-Creation Hub’s edtech accelerator puts $15M towards African startups

Co-Creation Hub’s edtech accelerator puts $15M towards African startups

February 20, 2023
Data Leak Hits Thousands of NHS Workers

Data Leak Hits Thousands of NHS Workers

February 20, 2023
EU Cybersecurity Agency Warns Against Chinese APTs

EU Cybersecurity Agency Warns Against Chinese APTs

February 20, 2023
How Your Storage System Will Still Be Viable in 5 Years’ Time?

How Your Storage System Will Still Be Viable in 5 Years’ Time?

February 20, 2023
The Broken Promises From Cybersecurity Vendors

Cloud Infrastructure Used By WIP26 For Espionage Attacks on Telcos

February 20, 2023
Instagram and Facebook to get paid-for verification

Instagram and Facebook to get paid-for verification

February 20, 2023
YouTube CEO Susan Wojcicki steps down after nine years

YouTube CEO Susan Wojcicki steps down after nine years

February 20, 2023
Inaugural AfCFTA Conference on Women and Youth in Trade

Inaugural AfCFTA Conference on Women and Youth in Trade

September 6, 2022
  • Consumer Watch
  • Kids Page
  • Directory
  • Events
  • Reviews
Friday, 17 July, 2026
  • Login
itechnewsonline.com
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion
Subscription
Advertise
No Result
View All Result
itechnewsonline.com
No Result
View All Result

Ukraine supporters in Germany targeted with PowerShell RAT malware

by ITECHNEWS
May 18, 2022
in Infosec, Leading Stories
0 0
0
Ukraine supporters in Germany targeted with PowerShell RAT malware

An unknown threat actor is targeting German users interested in the Ukraine crisis, infecting them with a custom PowerShell RAT (remote access trojan) and stealing their data.

The malware campaign uses a decoy site to lure users into fake news bulletins that supposedly contain unreleased information about the situation in Ukraine.

YOU MAY ALSO LIKE

French Telco Orange Hit by Cyber-Attack

ATC Ghana supports Girls-In-ICT Program

These sites offer malicious documents that install a custom RAT that supports remote command execution and file operations.

The campaign was uncovered by threat analysts at Malwarebytes, who have provided all the details and indicators of compromise in their write-up.

Campaign details

The domain used in these attacks is “collaboration-bw[.]de,” which the threat actor registered when the domain expired and then cloned the look of the real site.

Real and fake site
Real and fake site (Malwarebytes)

Visitors of the site will find a file called “2022-Q2-Bedrohungslage-Ukraine,” promising information about the situation in Ukraine and offered for free download.

The news lure and the download button
The news lure and the download button (Malwarebytes)

The corresponding section on the site claims that the document is constantly updated with new information, so users are urged to get a fresh copy every day.

The downloaded ZIP archive contains a CHM file consisting of several compiled HTML files. If the victim opens it, they are served a bogus error message.

The error message served upon execution
The error message served upon execution (Malwarebytes)

In the background, however, the file triggers PowerShell that runs a Base64 deobfuscator leading to fetching and executing a malicious script from the fake site.

The script that fetches the payload
The script that fetches the payload (Malwarebytes)

The script eventually drops two files onto the victim’s computer, the RAT in .txt file form and a .cmd file that helps execute it through PowerShell.

PowerShell RAT

The custom PowerShell RAT that hides in “Status.txt” begins its malicious operation by collecting basic system information and assigning a unique client ID.

This information and anything else stolen from the host computers is exfiltrated to a German domain, “kleinm[.]de”.

To bypass Windows AMSI (Anti-malware Scan Interface), the RAT uses an AES-encrypted function named “bypass,” decrypted on the fly using a generated key.

Bypass function details
Bypass function details (Malwarebytes)

The main capabilities of the RAT are the following:

  • Download files from the C2 server
  • Upload files to the C2 server
  • Load and execute a PowerShell script
  • Execute a specific command

However, Malwarebytes does not give specific examples of how the threat actor used the RAT and its capabilities in the wild, so the campaign’s goals remain unknown.

“It is not easy to attribute this activity to a specific actor, and there are no solid indicators to support attribution,” explains Malwarebytes in the report.

“Based on motivation alone, we hypothesize that a Russian threat actor could be targeting German users, but without clear connections in infrastructure or similarities to known TTPs, such attribution is weak.”

The critical takeaway is to be cautious with file downloads from the web, as even known and previously trustworthy websites may have quietly changed hands.

When it comes to news sites like this one, offering stories in file format instead of hosting everything on a web page is rarely justified by legitimate reasons, so treat it as a red flag.

Source: Bill Toulas
Via: bleepingcomputer
Tags: Ukraine supporters in Germany targeted with PowerShell RAT malware
ShareTweet

Get real time update about this post categories directly on your device, subscribe now.

Unsubscribe

Search

No Result
View All Result

Recent News

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025
ATC Ghana supports Girls-In-ICT Program

ATC Ghana supports Girls-In-ICT Program

April 25, 2023

About What We Do

itechnewsonline.com

We bring you the best Premium Tech News.

Recent News With Image

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa

July 29, 2025
French Telco Orange Hit by Cyber-Attack

French Telco Orange Hit by Cyber-Attack

July 29, 2025

Recent News

  • Absa and Visa Extend Strategic Partnership to Advance Growth and Innovation Across Africa July 29, 2025
  • French Telco Orange Hit by Cyber-Attack July 29, 2025
  • ATC Ghana supports Girls-In-ICT Program April 25, 2023
  • Vice President Dr. Bawumia inaugurates ICT Hub April 2, 2023
  • Home
  • InfoSec
  • Opinion
  • Africa Tech
  • Data Storage

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In

Add New Playlist

No Result
View All Result
  • Home
  • Tech
  • Africa Tech
  • InfoSEC
  • Data Science
  • Data Storage
  • Business
  • Opinion

© Copyright 2026, All Rights Reserved | iTechNewsOnline.Com - Powered by BackUPDataSystems

Are you sure want to unlock this post?
Unlock left : 0
Are you sure want to cancel subscription?
Go to mobile version