
Since the second half of September 2025, the National Cybersecurity Response Team of Ukraine (CERT-UA) has observed a new wave of targeted cyberattacks against Ukrainian defense forces and local government institutions.
These attacks have been attributed to the UAC-0239 group, believed to be operating on behalf of or in cooperation with Russian threat actors.
The attackers use social engineering themes related to “countering Russian sabotage and reconnaissance groups,” impersonating the Security Service of Ukraine (SBU) to gain trust.
Fraudulent emails contain links or attachments masquerading as official documents issued by the SBU.
Initial Infection Vector
The malicious campaigns rely on emails sent from Ukr.net and Gmail accounts.
These messages include:
- a link to an archive file (sometimes password-protected), or
- a direct attachment in VHD (Virtual Hard Disk) format.
When the VHD file is opened (Windows mounts it as a new drive letter on double-click, which is why attackers favour it as a container), it typically contains:
- a malicious executable, and
- several decoy documents, usually PDF files mimicking SBU notices or directives.
Once executed, the malware initiates a multi-stage infection chain leading to data exfiltration and remote control of the compromised host.
Tools Used: OrcaC2 and FILEMESS
OrcaC2 Command & Control Framework
OrcaC2 is an open-source command-and-control (C2) framework written in Go, available on GitHub.
Although originally developed for legitimate cybersecurity research, it has been weaponized by UAC-0239 for malicious purposes.
Observed capabilities include:
- remote command execution;
- interactive shell access;
- file upload/download;
- screen capture and keylogging;
- process management and memory dumps;
- UAC (User Account Control) bypass;
- code injection into other processes;
- multi-protocol communication (RUDP, TCP, QUIC, SSH, SMB, SOCKS, etc.);
- tunneling, proxy configuration, and port scanning;
- brute-force password attacks.
Persistence is achieved via:
- scheduled tasks,
- registry entries under the Run key, or
- Windows services.
FILEMESS Stealer
FILEMESS is a file-stealing malware also developed in Go.
Its primary goal is to locate, collect, and exfiltrate sensitive files from the infected host.
Behavioral analysis shows:
- Recursive scanning of the Desktop, Downloads, and Documents directories, as well as logical drives D–Z.
- Filtering files by extension: office documents (ODT, DOCX, XLSX, PDF), images (JPG, PNG, TIFF), archives (ZIP, RAR), and text files.
- Calculating an MD5 hash for each file.
- Exfiltrating collected data via the Telegram Bot API.
Telegram authentication tokens are XOR-encrypted and Base64-encoded.
Persistence is maintained by creating a registry entry in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
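The report says only that the Telegram bot token is XOR-encrypted and Base64-encoded, not what the key is. The following added example (written for this page, not FILEMESS code or anything from CERT-UA) shows the two recovery approaches an analyst would try on such a blob: exhaustive search of single-byte keys validated against the token format, and a known-plaintext attack for longer repeating keys that uses the bot ID already visible in the exfiltration URL. The key values and the token are invented, and a repeating-key XOR is an assumption about the scheme.

```python
"""Recover a Telegram bot token from an XOR-then-Base64 string of the kind
FILEMESS embeds. Added illustration, not FILEMESS code; the key values and
the token below are invented, and single-byte/repeating-key XOR is assumed."""
import base64
import re

# Telegram Bot API tokens have the shape "<bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"\d{8,10}:[A-Za-z0-9_-]{35}")

# Constructed, non-functional token used only to exercise the code.
FAKE_TOKEN = "1234567890:AAFakeTokenForIllustration_01234567"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a 1-byte key is the single-byte case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_token(token: str, key: bytes) -> str:
    """Mimic the described scheme: XOR first, then Base64."""
    return base64.b64encode(xor_bytes(token.encode("ascii"), key)).decode("ascii")


def recover_single_byte(blob: str):
    """Try all 256 single-byte keys; accept the one that yields a
    well-formed token. Returns (key, token) or None."""
    raw = base64.b64decode(blob)
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        try:
            text = candidate.decode("ascii")
        except UnicodeDecodeError:
            continue
        if TOKEN_RE.fullmatch(text):
            return k, text
    return None


def recover_with_known_prefix(blob: str, known_prefix: str):
    """Known-plaintext variant for longer repeating keys: the bot id is visible
    in the exfiltration URL (.../bot<id>/...), so "<id>:" is known plaintext.
    XORing it against the ciphertext gives the first len(prefix) key bytes;
    the shortest period consistent with them is then tried on the whole blob.
    Returns (key, token) or None."""
    raw = base64.b64decode(blob)
    prefix = known_prefix.encode("ascii")
    if len(raw) < len(prefix):
        return None
    stream = xor_bytes(raw[: len(prefix)], prefix)  # recovered key-stream prefix
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            key = stream[:period]
            try:
                text = xor_bytes(raw, key).decode("ascii")
            except UnicodeDecodeError:
                continue
            if TOKEN_RE.fullmatch(text):
                return key, text
    return None


if __name__ == "__main__":
    blob1 = encode_token(FAKE_TOKEN, b"\x5a")
    print(recover_single_byte(blob1))
    blob2 = encode_token(FAKE_TOKEN, b"k3y!")
    print(recover_with_known_prefix(blob2, "1234567890:"))
```

The format check is what makes the search safe: a wrong key almost never produces ten digits, a colon and exactly 35 token characters, so a single surviving candidate is the answer. If the real sample uses a longer or non-repeating key, the known-prefix routine still tells you the first key bytes, which is usually enough to locate the decryption loop in the binary.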
Indicators of Compromise (IoCs)
Malicious Files
File Name | Type | MD5 | Description |
---|---|---|---|
Звернення_начальника_УСБУ_в_Харкiвскiй_області_Куц_О_И.exe | FILEMESS executable | 85e304af49dada022bbd6799c3cda1f2 | Go-based stealer |
GoogleUpdate.exe | Orca Puppet | 0028c3d0de0a982706cf61f62c3e92e6 | OrcaC2 agent |
gupdate.vbs | Script | eb2c906f9d0605c97522420bcf986026 | Secondary downloader |
Звернення.pdf | Decoy document | 48665e539496ed859a216bea8bd32124 | Fake SBU communication |
Network Infrastructure
Domain / IP | Function | Notes |
---|---|---|
ssu-gov[.]com | Phishing | Fake SBU domain |
promoukrnet[.]xyz | FILEMESS C2 | TCP port 2264 |
sbufiles[.]cloud | Hosting | Malicious PDFs and payloads |
185[.]186.26.98 | OrcaC2 C2 server | Active control node |
api.telegram[.]org/bot7437010550 | Exfiltration | Telegram bot used for data theft |
paste.c-net[.]org | Script distribution | Hosts LeatherBlending and PasadenaDeepest payloads |
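Indicators are published in defanged form (`[.]`), so the first step before matching them against logs is to refang them; the second is to match subdomains of the listed domains without also matching look-alike names, and to treat the Telegram entry as a URL path rather than a domain, since api.telegram.org itself is legitimate. The following added example (written for this page, not CERT-UA tooling) does that over a handful of constructed DNS, proxy and firewall log lines; the log format is invented.

```python
"""Match DNS, proxy and firewall log lines against the defanged indicators
listed above. Added example, not CERT-UA tooling; the log lines are constructed."""
import ipaddress
import re

# Indicators copied from the report tables in analyst-safe (defanged) notation.
DEFANGED_DOMAINS = ["ssu-gov[.]com", "promoukrnet[.]xyz", "sbufiles[.]cloud", "paste.c-net[.]org"]
DEFANGED_IPS = ["185[.]186.26.98"]
# api.telegram.org itself is legitimate infrastructure; only this bot path is an IoC.
DEFANGED_URL_PREFIXES = ["api.telegram[.]org/bot7437010550"]


def refang(ioc: str) -> str:
    """Turn defanged notation back into a string that will match real logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
IPS = {ipaddress.ip_address(refang(ip)) for ip in DEFANGED_IPS}
URL_PREFIXES = [refang(u) for u in DEFANGED_URL_PREFIXES]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE | re.ASCII)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matched_domain(host: str):
    """Exact or subdomain match (cdn.ssu-gov.com hits, notssu-gov.com does not)."""
    host = host.lower().rstrip(".")
    for d in DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_line(line: str) -> list:
    """Return every indicator found in one log line, in order of discovery."""
    hits = []
    lowered = line.lower()
    for prefix in URL_PREFIXES:
        if prefix in lowered:
            hits.append(prefix)
    for host in HOST_RE.findall(line):
        d = matched_domain(host)
        if d and d not in hits:
            hits.append(d)
    for text in IPV4_RE.findall(line):
        try:
            if ipaddress.ip_address(text) in IPS and text not in hits:
                hits.append(text)
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            pass
    return hits


def scan_log(lines) -> list:
    """(line number, indicators) for every line that matched at least one IoC."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := scan_line(line))]


# Constructed sample log lines (not real traffic) exercising each indicator type.
SAMPLE_LOG = [
    "2025-09-26T10:14:03Z dns 10.0.5.21 query A cdn.ssu-gov.com",
    "2025-09-26T10:14:09Z proxy 10.0.5.21 GET https://sbufiles.cloud/docs/notice.pdf",
    "2025-09-26T10:15:11Z fw 10.0.5.21 -> 185.186.26.98 TCP allow",
    "2025-09-26T10:16:40Z proxy 10.0.5.21 POST https://api.telegram.org/bot7437010550/sendDocument",
    "2025-09-26T10:17:02Z proxy 10.0.5.21 GET https://api.telegram.org/bot1111111111/getMe",
    "2025-09-26T10:18:00Z dns 10.0.5.21 query A login.microsoftonline.com",
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        print(n, hits)
```

The fifth sample line (a different bot ID on the same Telegram host) deliberately does not match. In a defense-sector network you may well decide to alert on any outbound Telegram Bot API traffic, but that is a policy choice layered on top of IoC matching, not a substitute for it.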
Typical Infection Chain
An infection sequence observed on September 26, 2025, proceeded as follows:
- The victim receives a phishing email impersonating the SBU.
- The user downloads a VHD file from Google Drive or a spoofed SBU domain.
- The victim opens a PDF decoy document.
- A VBS script (gupdate.vbs) is executed through PowerShell.
- The script downloads and runs GoogleUpdate.exe (Orca Puppet).
- The infected system establishes C2 communication with promoukrnet[.]xyz or ssu-gov[.]com.
- FILEMESS exfiltrates local documents via Telegram API.
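The middle of this chain (a script host running gupdate.vbs from %PUBLIC%\Downloads, then an executable named GoogleUpdate.exe running from the same folder) is detectable from process-creation telemetry without any network indicator. The following added example (written for this page, not a CERT-UA or vendor rule) applies those checks to constructed events in a Sysmon-like shape and includes the obvious false-positive case, Google's real updater, which shares the file name but not the location or parent.

```python
"""Flag process-creation events that fit the gupdate.vbs -> GoogleUpdate.exe
stage of the chain above. Added example, not a CERT-UA rule; the events are
constructed in a Sysmon-like shape (parent image, image, command line)."""
import ntpath

PUBLIC_DOWNLOADS = r"c:\users\public\downloads"          # %PUBLIC%\Downloads
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def _under(path: str, directory: str) -> bool:
    return path.lower().startswith(directory + "\\")


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious (empty list = nothing to flag)."""
    image, parent, cmdline = event["image"], event["parent"], event["cmdline"]
    reasons = []
    cmd = cmdline.lower()
    # Stage: a script host executes a .vbs that lives in %PUBLIC%\Downloads.
    if _name(image) in SCRIPT_HOSTS and PUBLIC_DOWNLOADS in cmd and ".vbs" in cmd:
        reasons.append("script host running a .vbs from %PUBLIC%\\Downloads")
    # Stage: GoogleUpdate.exe started from anywhere but Google's own Update directory.
    # The real updater lives under ...\Google\Update\, so the name alone is not enough.
    if _name(image) == "googleupdate.exe" and "\\google\\update\\" not in image.lower():
        reasons.append("GoogleUpdate.exe outside a Google\\Update directory")
    # Stage: any executable in %PUBLIC%\Downloads whose parent is a script host.
    if _under(image, PUBLIC_DOWNLOADS) and _name(parent) in SCRIPT_HOSTS:
        reasons.append("executable in %PUBLIC%\\Downloads spawned by a script host")
    return reasons


# Constructed events, not telemetry from a real host.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\Downloads\gupdate.vbs"'},
    {"parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Users\Public\Downloads\GoogleUpdate.exe",
     "cmdline": r"C:\Users\Public\Downloads\GoogleUpdate.exe"},
    # Legitimate Google updater: same file name, expected location and parent.
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
     "cmdline": r'"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc'},
]


def triage(events) -> list:
    """(index, reasons) for every event that raised at least one reason."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify(ev))]


if __name__ == "__main__":
    for i, reasons in triage(SAMPLE_EVENTS):
        print(i, reasons)
```

Each check is path-based rather than hash-based on purpose: the hashes in the IoC table identify these specific samples, while a script host touching %PUBLIC%\Downloads or a known-good binary name appearing outside its installation directory will catch the next rebuild as well.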
CERT-UA Security Recommendations
The Ukrainian CERT recommends the following mitigation steps:
- Do not open or mount VHD files received via email.
- Monitor network traffic for the listed domains and IP addresses.
- Block outbound connections to identified IoCs.
- Inspect affected hosts for the following files and registry keys:
%PUBLIC%\Downloads\GoogleUpdate.exe
%PUBLIC%\Downloads\gupdate.vbs
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Report incidents or suspicious activity to: incidents@cert.gov.ua.
Official Sources
- CERT-UA — Official Report No. 17691 (October 14, 2025)
“UAC-0239 conducts cyberattacks using the OrcaC2 framework and FILEMESS stealer”
https://cert.gov.ua/article/6285731
- GitHub — OrcaC2 framework: https://github.com/Ptkatz/OrcaC2