A man holds a drone during a training session for the Ukraine government's Army of Drones project. Credit: Army of Drones / Facebook

Hackers are using fake drone contracts to infect Ukrainian defense enterprises

Ukrainian defense enterprises have again become a target of hackers who sent them malicious emails disguised as drone procurement contracts, according to a recent report from the country’s cyber agency.

The emails contained a zip archive and a PDF document with a malicious link that installed malware named Glueegg and a loader named Dropclue on the victims’ computers.

With the help of these tools, the hackers downloaded and installed on the infected devices a legitimate program called Atera, which was used for remote control.

Ukraine’s computer emergency response team, CERT-UA, is tracking the group behind the campaign as UAC-0180. The agency has not attributed it to a specific country and did not provide any specific details about the goal of the attacks.

“Despite the wide geography of its attacks, the group does not stop trying to obtain unauthorized access to the computers of employees of Ukrainian defense enterprises,” CERT-UA said Thursday.

The hackers have infected devices with various malicious programs — including Acrobait, Rosebloom, Rosethorn, Glueegg, and Dropclue — and are constantly updating their toolset, the agency said.

Ukrainian military and defense enterprises are common targets for hackers, usually with links to Russia. In a campaign in June, the group known as Vermin attacked Ukrainian armed forces with Spectr malware to steal sensitive information from their devices.

In the same period, researchers warned of attacks on Ukraine’s Ministry of Defence by the Belarusian state-sponsored hackers known as Ghostwriter.

Earlier, CERT-UA also warned about cyberattacks against Ukrainian military personnel and defense services using DarkCrystal malware, which could allow attackers to gain remote access to a victim’s device.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.