Phishing campaign impersonates Ukrainian police to deliver data stealer and cryptominer

Attackers have been impersonating the National Police of Ukraine in a fileless phishing campaign that delivers two data-stealing payloads and a cryptominer to Microsoft Windows systems used by government entities, according to FortiGuard Labs research described in a recent blog post.

The campaign begins with forged emails that include a malicious Scalable Vector Graphics (SVG) attachment named “elektronni_zapit_NPU.svg” containing an embedded HTML iframe. If a recipient opens the attachment, it displays a spoofed Adobe Reader interface with a Ukrainian-language message that the document is loading, then redirects the user to a download page hosting a password-protected archive. The archive contains a Compiled HTML Help (CHM) file that triggers an HTML Application (HTA) CountLoader, according to FortiGuard Labs researcher Yurren Wan.
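The initial lure above relies on an SVG attachment carrying an HTML iframe, which is valid XML but has no business in an image sent to a government mailbox. The following Python script is an added example (not FortiGuard's code and not taken from the article) showing how a mail gateway or triage script could flag SVG attachments that contain active content: script, foreignObject, iframe, object and embed elements, on* event handlers, and href/src values that point to external or script URLs. The two SVG documents embedded in it are constructed test inputs, not the real sample; the file name in the usage line is the one the article reports.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the attachment the article describes: an SVG
# whose foreignObject wraps an HTML iframe pointing at an external loader page.
# This is test data written for this example, not the attacker's file.
SAMPLE_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="800" height="600">
  <rect width="800" height="600" fill="#ffffff"/>
  <foreignObject width="800" height="600">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <iframe src="https://example.invalid/loader" width="100%" height="100%"></iframe>
    </body>
  </foreignObject>
</svg>
"""

# Constructed benign SVG: a plain vector shape with no active content.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">' \
             b'<circle cx="5" cy="5" r="4" fill="red"/></svg>'

# Elements that let an SVG run code or host HTML; none are needed for a logo.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed"}
# Attributes that can pull in remote or script content.
REFERENCE_ATTRS = {"href", "src"}


def local_name(qualified: str) -> str:
    """ElementTree reports tags/attributes as '{namespace}name'; keep 'name'."""
    return qualified.rsplit("}", 1)[-1].lower()


def suspicious_reference(value: str) -> bool:
    """True for script URLs, inline HTML data URIs and any remote fetch."""
    v = value.strip().lower()
    return v.startswith(("javascript:", "data:text/html", "http://", "https://"))


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content seen."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself worth a look: renderers are more forgiving
        # than strict parsers, so an unparseable SVG may still display.
        return [f"unparseable-xml:{exc}"]
    for element in root.iter():
        name = local_name(element.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active-element:{name}")
        for attr, value in element.attrib.items():
            attr_name = local_name(attr)
            if attr_name.startswith("on"):
                findings.append(f"event-handler:{attr_name}")
            elif attr_name in REFERENCE_ATTRS and suspicious_reference(value):
                findings.append(f"external-reference:{attr_name}={value.strip()}")
    return findings


def attachment_verdict(filename: str, data: bytes) -> str:
    """Policy helper for a gateway: block SVGs with findings, allow the rest."""
    if not filename.lower().endswith(".svg"):
        return "allow"
    return "block" if scan_svg(data) else "allow"


if __name__ == "__main__":
    # File name as reported in the article; the content is the constructed sample.
    for fname, blob in (("elektronni_zapit_NPU.svg", SAMPLE_SVG), ("logo.svg", BENIGN_SVG)):
        print(fname, attachment_verdict(fname, blob), scan_svg(blob))
```

The scan runs on the parsed tree rather than on raw bytes, so it is not fooled by whitespace or attribute ordering, and it reports what it found so an analyst can see why an attachment was held. For production use, parse untrusted XML with a hardened parser such as defusedxml rather than the standard library module, and pair this check with the article's advice to apply FortiGuard's published IoCs at the mail gateway and proxy.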

The final payloads identified in the analysis are Amatera Stealer and PureMiner. FortiGuard reported that Amatera harvests system information, credentials from numerous browsers (including Firefox, Chrome, Edge and Brave), application data and cryptocurrency wallets, and can collect chat application data and clipboard contents. PureMiner collects adapter-specific hardware information and can deploy CPU- or GPU-based mining modules depending on attacker configuration, the analysis said.

FortiGuard described the delivery as fileless in part because the attackers either use .NET ahead-of-time (AOT) compilation with process hollowing or load components directly into memory using PythonMemoryModule to execute the final payloads. FortiGuard Labs rated the fileless phishing campaign as high-severity and provided indicators of compromise, including domains, IP addresses and file names, to help defenders detect and block the activity.

The reporting noted that cyberattacks against public and private targets in Ukraine have continued since Russia’s 2022 invasion, and that this campaign is one of several efforts attempting to compromise citizens, government agencies and critical infrastructure. FortiGuard and the article advised organizations and users to remain vigilant and to apply the provided IoCs to security controls where possible.