The war of documents - bait in the Russia / Ukraine conflict

Check Research (CPR) έχει καταγράψει ομάδες απειλής να χρησιμοποιούν έγγραφα με θέμα τη Russia/Ukraine to spread malware and lure victims into global cyber espionage. Depending on the targets and the region, attackers use official-looking documents, even news articles and job advertisements, as bait.


CPR believes that the motive behind these recent campaigns is cyber espionage, for the theft of sensitive information from governments, banks and energy companies. Threat groups and their victims are not concentrated in one area, but cover the whole world, including Latin America, the Middle East and Asia.

Σε μια νέα δημοσίευση, η CPR παρουσιάζει τα προφίλ τριών ομάδων APT, που ονομάζονται El Machete, Lyceum και Sidewinder, οι οποίες εντοπίστηκαν πρόσφατα να διεξάγουν εκστρατείες spear- σε πέντε χώρες. Ο παρακάτω πίνακας συνοψίζει την προέλευση, τον τομέα-στόχο και τις χώρες-στόχους κάθε ομάδας APT.

APT name APT origin Target Sector Target countries
The Machete Spanish speaking country Economic, Governmental Nicaragua, Venezuela
Lyceum Islamic Republic of Iran Energy Israel, Saudi Arabia
SideWinder Probably India Unknown Pakistan

Malware features

The CPR in the malware that each of the three APT groups contained, specifically for these cyber espionage activities. Features include:

  • Keylogging: κλέβει ό,τι εισάγετε χρησιμοποιώντας το
  • Credentials Collection: collects credentials stored in Chrome and Firefox browsers
  • File collection: collects file information on each drive and collects filenames and file sizes, allowing specific files to be stolen
  • Screenshot
  • Data collection from the clipboard
  • Execute commands

Attack methodologies

spy 007
  1. Spear-phishing email with text about Ukraine
  2. Attached Word document with article about Ukraine
  3. Malicious macro inside the document throws a sequence of files
  4. Download malware on your computer


  1. Email with content related to war crimes in Ukraine and a link to a malicious document hosted on a website
  2. The document executes a macro code when the document is closed
  3. The Exe file is stored on the computer
  4. The next time you restart your computer, the malware is running


  1. The victim opens the malicious document
  2. When opened, the document retrieves a remote template from a controlled server
  3. The external template downloaded is an RTF file, which exploits vulnerability CVE-2017-11882
  4. The malware has been installed on the victim's computer

El Machete

Το  Machete εθεάθη να στέλνει spear-phishing μηνύματα σε χρηματοοικονομικούς οργανισμούς στη Νικαράγουα, με συνημμένο έγγραφο Word με τίτλο «Σκοτεινά σχέδια του νεοναζιστικού καθεστώτος στην Ουκρανία». Το έγγραφο περιείχε ένα άρθρο που γράφτηκε και δημοσιεύτηκε από τον  Khokholikov, τον Ρώσο πρεσβευτή στη Νικαράγουα, το οποίο συζητούσε τη ρωσο-ουκρανική σύγκρουση από την οπτική γωνία του Κρεμλίνου.


Image 1 - Bait document containing an article on the Russia-Ukraine conflict, sent by the El Machete APT to Nicaraguan financial institutions.


In mid-March, an Israeli energy company received an email from management inews-reporter @ protonmail [.] com on "Russian war crimes in Ukraine". The email contained some photos taken from public media sources and contained a link to an article hosted on the news-spot [.] Live domain. The link to the email leads to a document containing the article "Investigators gather information on possible Russian war crimes in Ukraine" published by the Guardian. The same domain hosts some more malicious documents related to Russia as well as the Russia-Ukraine war, such as a copy of a 2020 Atlantic Council article on Russian nuclear weapons and a job advertisement for an "Extraction / Protective Agent ”agent in Ukraine.

Image 2. Bait-email using the subject of the Russia-Ukraine conflict, sent by the Lyceum team


Image 3 - Bait documents related to the Russia-Ukraine war used by the APT team Lyceum



The malicious Sidewinder document, which also takes advantage of the Russia-Ukraine war, was uploaded to VirusTotal (VT) in mid-March. Judging by its content, the desired targets are Pakistani entities. The bait document contains an archive of the Bahria University's National Institute of Maritime Affairs in Islamabad and is entitled "Discussion on the Impact of the Russia-Ukraine Conflict on Pakistan." This malicious document uses remote template input. When opened, the document retrieves a remote template from a controlled server from attackers.

Image 4 - Bait document related to the Russia-Ukraine war, by Sidewinder APT


Comment by Sergey Shykevich, Intelligence Group Manager at Check Point Software:

"Right now, we're seeing a variety of APT campaigns using the Russia-Ukraine war to distribute malware. The campaigns are highly targeted and sophisticated, focusing on government, finance and energy. In our most recent report, we profile and cite examples from three different APT groups, all from different parts of the world, that we found to orchestrate these spear-phishing campaigns. We carefully studied the malware involved and found features that cover keyboard capture, screenshots and more. I firmly believe that these campaigns are primarily motivated by cyber espionage. Our findings reveal a clear trend, that the war between Russia and Ukraine is bait used by threat groups worldwide. "I strongly urge governments, banks and energy companies to take action to raise awareness and educate their employees about cybersecurity and to implement cybersecurity solutions that protect their network at all levels."

The latest figures on cyber-attacks in Ukraine, Russia and NATO countries

Recently, Check Point Research (CPR) published an update on the trends of cyber attacks during the current Russia-Ukraine war. One month after the start of the war on February 24, 2022, both Russia and Ukraine saw increases in cyber attacks by 10% and 17% respectively.

CPR has also seen a 16% increase in cyber attacks worldwide throughout the current conflict and presents cyber attack data for countries, NATO regions and more here. The Best Technology Site in Greecefgns

Subscribe to Blog by Email

Subscribe to this blog and receive notifications of new posts by email.

Ukraine, Russia, Check Point Research, iguru

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).