Monday, December 4, 2023

Hackers Use Trojanized Windows 10 Installer To Attack Against Government Entities

Mandiant recently identified that in a targeted attack on Ukrainian government entities, trojanized ISO files were used by threat actors to cloak malicious programs posing as legitimate Windows 10 installers for the first step in compromising their networks.

Malicious installers are delivering malware that could perform a wide range of malicious activities, including:-

  • Monitoring compromised computers for the purpose of collecting data
  • The deployment of additional malicious tools
  • Data exfiltration to servers controlled by attackers

Trojanized Windows 10 Installer

An ISO that was part of the campaign was hosted on the Ukrainian torrent tracker “toloka[.]to” has been found to be created in May 2022 by a user that is delivered in this campaign.

Here below we have mentioned the key security features of Windows that are disabled by the ISO file since it comes pre-configured with such abilities:-

  • Disable security telemetry 
  • Block automatic updates 
  • Disable license verification
Fake Page

As far as the motives for the intrusions are concerned, there is no indication that they were financial. Since there is no trace of any:-

  • The theft of monetizable information
  • The deployment of ransomware
  • The deployment of cryptominers

The Mandiant security team also discovered several scheduled tasks that were set up in mid-July 2022 to receive commands prepared for execution via PowerShell while analyzing multiple devices that are found to be infected on the networks of the Ukrainian Government.

As a result of initial reconnaissance, analysts have also discovered additional payloads such as:-


This cluster of threat activity is being monitored by Mandiant as UNC4166, which is the number assigned to it. At the outset of the war, UNC4166’s target organizations overlapped with those targeted by GRU-related clusters with wipers aimed at other organizations in the region.

APT28, a Russian state-sponsored actor widely recognized for its disruptive wiper attacks, has been accused of launching intrusions against organizations that have been previously targeted by disruptive wiper attacks and have not been able to establish any kind of link to them.

Moreover, there has been an operation of APT28 on behalf of the Russian GRU’s intelligence service since at least 2004.

The Ukrainian government and military organizations have been the targets of multiple phishing campaigns which have been flagged by Google, Microsoft, and Ukraine’s CERT as APT28 operations since Russia’s invasion of Ukraine began.

Secure Web Gateway – Web Filter Rules, Activity Tracking & Malware Protection – Download Free E-Book


Latest articles

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles