Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed that a threat actor it tracks as UAC-0125 is leveraging the Cloudflare Workers service to trick military personnel in the country into downloading malware disguised as Army+, a mobile app that was introduced by the Ministry of Defence in August 2024 in an effort to make the armed forces go paperless. Users who visit the
Analysis Summary
# Threat Actor: UAC-0125
## Attribution & Identity
**Attribution:** Associated with APT44 (also known as FROZENBARENTS, Sandworm, Seashell Blizzard, and Voodoo Bear), which is linked to **Unit 74455 within the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU)**.
**Known Aliases/Associated Groups:** UAC-0002, APT44, FROZENBARENTS, Sandworm, Seashell Blizzard, Voodoo Bear.
## Activity Summary
UAC-0125 has been observed leveraging the Cloudflare Workers service to deliver malware to military personnel in Ukraine. The actor uses phishing lures that impersonate "Army+," a legitimate mobile application introduced by the Ministry of Defence of Ukraine for paperless operations. Users who visit the fake sites hosted on Cloudflare Workers are tricked into downloading a Windows executable presented as the Army+ installer.
## Tactics, Techniques & Procedures
- **Impersonation/Disguise:** Disguising malware payloads as legitimate software ("Army+").
- **Delivery Mechanism:** Hosting phishing infrastructure on legitimate third-party services (Cloudflare Workers).
- **Installer Creation:** Using Nullsoft Scriptable Install System (NSIS) to create malicious installers.
- **Post-Infection Payload Execution:** When the installer is run, it opens a decoy file and executes an embedded PowerShell script.
- **Persistence/Configuration:** Installing the OpenSSH server on the infected host.
- **Key Generation & Exfiltration:** Generating an RSA key pair on the host and exfiltrating the private key to attacker-controlled infrastructure via the TOR anonymity network.
- **Remote Access:** Adding the generated public key to the host's authorized keys, so that the actor, holding the exfiltrated private key, can log in over SSH without further credential theft.
- **MITRE ATT&CK IDs (Implied/Related):** T1566 (Phishing), T1036 (Masquerading), T1204.002 (User Execution: Malicious File), T1059.001 (Command and Scripting Interpreter: PowerShell), T1098.004 (Account Manipulation: SSH Authorized Keys), T1133 (External Remote Services), T1090.003 (Proxy: Multi-hop Proxy).
## Targeting
- **Sectors:** Military personnel/Armed Forces.
- **Geography:** Ukraine.
- **Victims:** Military personnel attempting to download the "Army+" application.
## Tools & Infrastructure
- **Malware Families Used:** No named family; a custom Windows installer built with NSIS that drops a PowerShell script.
- **Infrastructure (C2, domains, IPs):**
  - **Delivery Infrastructure:** Cloudflare Workers service used to host the phishing websites.
  - **Exfiltration Infrastructure:** Attacker-controlled server reached via the TOR anonymity network.
## Implications
This campaign demonstrates the actor's use of a legitimate cloud service (Cloudflare Workers) to blend phishing infrastructure into trusted traffic while spear-phishing Ukrainian military personnel. The objective is not credential theft in the usual sense: by installing OpenSSH, planting its own public key and exfiltrating the matching private key over TOR, the actor obtains long-term, encrypted remote access to the host, likely for espionage or for maintaining a foothold within Ukrainian defense networks. The association with APT44/Sandworm suggests this activity is part of the GRU's broader state-sponsored operations against Ukraine.
## Mitigations
- Enhance vigilance regarding software downloads promoted via unverified links, even when they impersonate trusted government applications like "Army+." Official mobile apps are distributed through app stores, not as Windows executables.
- Restrict the execution of downloaded executables, especially NSIS installers, using application control (for example, AppLocker or WDAC) and Mark-of-the-Web enforcement.
- Monitor endpoints for unauthorized installation of the OpenSSH server (new `sshd` service, Windows Event ID 4697), unexpected RSA key generation, new or modified `authorized_keys` and `administrators_authorized_keys` files, inbound firewall rules opening TCP/22, and outbound traffic to the TOR network.
- Review and restrict PowerShell usage where possible, enable Script Block Logging (Event ID 4104) so embedded scripts are recorded, and use application control to limit script execution from unusual locations such as installer temp directories.
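The following hunting script is an added example, not code from CERT-UA's report or from the campaign itself. It audits a single Windows host for the OpenSSH-based persistence described above: the OpenSSH.Server capability, the `sshd` service, authorized-keys files that were recently modified, freshly created private keys, firewall rules and listeners on TCP/22, and a running `tor` process. The file paths, the seven-day lookback window and the key-name patterns are assumptions; adjust them for your environment and run the script as an administrator.

```powershell
# Added example (not from the CERT-UA report): hunt for OpenSSH persistence
# of the kind UAC-0125 establishes. Paths, patterns and the lookback window are
# assumptions. Run from an elevated PowerShell session.

param(
    # Flag files created or modified within this many days (assumption)
    [int]$LookbackDays = 7
)

$findings = @()
$cutoff   = (Get-Date).AddDays(-$LookbackDays)

# 1. OpenSSH Server capability (Windows 10 1809+ / Server 2019+ in-box package)
$cap = Get-WindowsCapability -Online -Name 'OpenSSH.Server*' -ErrorAction SilentlyContinue
if ($cap -and $cap.State -eq 'Installed') {
    $findings += "OpenSSH.Server capability is installed"
}

# 2. sshd service present, and whether it runs automatically
$svc = Get-Service -Name sshd -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "sshd service present: Status=$($svc.Status) StartType=$($svc.StartType)"
}

# 3. Authorized-keys files: the system-wide administrators file plus every profile
$keyFiles = @("$env:ProgramData\ssh\administrators_authorized_keys")
$keyFiles += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName '.ssh\authorized_keys' }
foreach ($f in $keyFiles) {
    if (-not (Test-Path $f)) { continue }
    $item = Get-Item $f
    $keys = @(Get-Content $f | Where-Object { $_ -match '^(ssh-rsa|ssh-ed25519|ecdsa-)' })
    $findings += "authorized_keys at $f (modified $($item.LastWriteTime), $($keys.Count) key(s))"
    if ($item.LastWriteTime -gt $cutoff) {
        $findings += "  -> modified within the last $LookbackDays days"
    }
}

# 4. Recently created private keys under user profiles or ProgramData\ssh
$recentKeys = Get-ChildItem -Path "$env:SystemDrive\Users", "$env:ProgramData\ssh" `
    -Recurse -Force -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(id_rsa|id_ed25519|ssh_host_.*_key)$' -and $_.CreationTime -gt $cutoff }
foreach ($k in $recentKeys) {
    $findings += "recent private key: $($k.FullName) (created $($k.CreationTime))"
}

# 5. Enabled inbound firewall rules that open TCP/22
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '22' }
foreach ($r in $rules) {
    $findings += "inbound firewall rule allowing port 22: $($r.DisplayName)"
}

# 6. Anything listening on TCP/22 right now, and which process owns it
$listener = @(Get-NetTCPConnection -LocalPort 22 -State Listen -ErrorAction SilentlyContinue)
if ($listener.Count -gt 0) {
    $proc = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP/22 listener owned by PID $($listener[0].OwningProcess) ($($proc.ProcessName))"
}

# 7. A tor client running on the host (exfiltration path described in the report)
$tor = Get-Process -Name tor -ErrorAction SilentlyContinue
if ($tor) {
    $findings += "tor process running: PID $($tor.Id -join ', ')"
}

if ($findings.Count -eq 0) {
    Write-Output "No OpenSSH persistence indicators found."
} else {
    Write-Output "Findings:"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Any single hit is not proof of compromise (administrators do install OpenSSH legitimately), but the combination the report describes, a newly installed `sshd`, a freshly written authorized-keys entry and a new private key on disk within the same window, is what to escalate on. Pair the script with Script Block Logging so the PowerShell that produced those artifacts is also on record.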