A cyber-espionage group has been targeting Ukrainian institutions and a number of journalists in an attack aimed at stealing sensitive data and undermining national security, according to Ukraine’s cyber defense agency.
Ukraine's Computer Emergency Response Team (CERT-UA) says the group, tracked as UAC-0099, has been carrying out these attacks since 2022, using fake emails and malware to break into computers and collect information surreptitiously.
As in many similar covert attacks registered in Ukraine since the beginning of the war, the attackers didn’t rely on brute force or high-end exploits. They instead focused on social engineering, deploying well-crafted messages that felt urgent, familiar, or emotionally charged. Their goal was simple – to persuade people to click on links.
For example, in one campaign, the group impersonated a humanitarian organization and sent emails asking journalists for information that would help them identify wounded soldiers.
Of course, the message sounded genuine and urgent, mentioning specific cities like Kryvyi Rih. Attached to these emails were files with names like “List of Wounded – Kryvyi Rih”, which seemed to be real documents. But they weren’t. Once the victim opened the attachment, they unknowingly installed malware on their device.
In other cases, the emails seemed more technical. Some mimicked system update notifications or file-sharing services. To increase their chances of success, the attackers tailored these messages to the Ukrainian context: the messages were written in fluent Ukrainian and used domain names that resembled government or NGO addresses.
Once the victim opened the attachment or clicked the link, a chain of malware began with a program called LonePage, which downloaded more dangerous components. That software didn’t just sit idle. It opened the door for data theft, surveillance, and full remote control.
Another tool, named ThumbChop, searched the device for browser passwords and login credentials. Then came ClopFlag, which logged keystrokes, took screenshots, and even copied text from the clipboard.
The authorities say that the campaign points to long-term surveillance, not quick financial gain. CERT-UA says that the malware even checks the language settings of the device before fully activating. If the system uses Russian, the malware often stops running.
Silviu is a seasoned writer who followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.
May 16, 2025