Sunday, May 11, 2025
HomeCyber AttackRussian APT Hackers Group Attack Government & Military Network Using Weaponized Word...

Russian APT Hackers Group Attack Government & Military Network Using Weaponized Word Documents

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new malicious activity that involved by Russian APT hackers to attack Government and Military officials in Ukrainian entities.

The attacker’s targets are not limited but they also infect various individuals who is part of the government and Law enforcement, Journalists, Diplomats, NGO and the Ministry of Foreign Affairs.

Researchers believe that the campaign attributed to Gamaredon activity in which attackers using Dynamic Domain Name Server as C2 server, VBA macro, and VBA script as a part of this attack.

- Advertisement - Google News

Threat actors using weaponized DOCX files during the intelligence collection in the target and its distributed via spearphishing emails.

Gamaredon is using weaponized documents, sometimes retrieved from legitimate sources as the initial infection vector.

Researchers observed the malicious sample that reveals the APT activity from at least September 2019 to November 25, 2019.

Malware infection Process

Researchers observed some of the lure documents that contain various indications of body contents that include the document that appears to discuss requirements instituted by the Chief of the General Staff, the Nongovernmental Organization (NGO) media watchdog organization and some of the other fake claims to trick victims to gain attention.

These malicious documents appear in phishing emails that contain a malicious attachment that doesn’t contain any VBA macros, instead, attackers using the Template Injection technique to downloads a Document Template (.dot) from a remote location.

Russian APT
Template file (.dot) downloaded from remote URL

The downloaded template file contains VBA macros, which are automatically get executed in the background.

Russian APT
Infection chain

The VBA Macro writes a VBScript file to the startup folder to be executed on startup and it tries to change the registry that disables the Macro security warnings in the future.

According to Anomali research ” A file will only be sent if the actor determines that the now infected target is worthy of a second-stage payload, otherwise, the file deletion continues on its loop to remove evidence of the actor’s activity.”

“Russian-sponsored cyber capabilities have been well-documented over numerous malicious campaigns found and attributed by the security community, and this activity observed by ATR indicates the risk posed to entities by APT threat groups.”

APT hacker group activities are continuously evolving in wide. very recently we have reported, Lazarus and OceanLotus APT hackers activities.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Sophisticated PhaaS Phish Toolkits are Now Genetrating Realistic Fake Phishing Pages

Cybersecurity experts are raising alarms over the proliferation of increasingly sophisticated phishing techniques that...

Critical Azure and Power Apps Vulnerabilities Allow Attackers to Exploit RCE

Microsoft has patched four critical security vulnerabilities affecting its Azure cloud services and Power...

How to Detecting Backdoors in Enterprise Networks

In today’s rapidly evolving cybersecurity landscape, enterprise networks face a particularly insidious threat: backdoors,...

Securing Windows Endpoints Using Group Policy Objects (GPOs): A Configuration Guide

Securing Windows endpoints is a top priority for organizations seeking to protect sensitive data...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Cyberattackers Targeting IT Help Desks for Initial Breach

Cybercriminals are increasingly impersonating IT support personnel and trusted authorities to manipulate victims into...

New Stealthy .NET Malware Hiding Malicious Payloads Within Bitmap Resources

Cybersecurity researchers at Palo Alto Networks' Unit 42 have uncovered a novel obfuscation method...

Hackers Weaponizing Facebook Ads to Deploy Multi-Stage Malware Attacks

A persistent and highly sophisticated malvertising campaign on Facebook has been uncovered by Bitdefender...