Signal Messenger Exploited in Targeted Attacks on Defense Industry Employees

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning regarding a series of targeted cyberattacks aimed at employees within the defense-industrial complex and members of the Defense Forces of Ukraine. These attacks have been persistent since at least the summer of 2024 and have intensified in recent months. The attackers are leveraging the Signal messenger app to disseminate malicious files, often by infiltrating the accounts of trusted contacts to enhance their credibility.

Attack Vector and Tactics

In March 2025, CERT-UA noted that attackers were utilizing Signal to send archived messages that purported to contain reports from meetings. These messages typically included a PDF file alongside an executable file identified as DarkTortilla, a cryptor/loader tool engineered to decrypt and activate the DarkCrystal RAT (DCRAT) remote control software.

The choice of popular instant messaging platforms like Signal broadens the attack surface, creating uncontrolled channels for information exchange that can circumvent traditional security measures. Since February 2025, the content of these deceptive messages has pivoted to focus on critical topics such as unmanned aerial vehicles (UAVs) and electronic warfare equipment. By exploiting the trust associated with messages from familiar contacts—whose accounts have been compromised—the attackers can effectively bypass security protocols and gain access to sensitive information within the defense sector.

CERT-UA has classified this ongoing activity under the identifier UAC-0200 and strongly encourages recipients of any suspicious messages to report them without delay.

Cyber Threat Indicators

CERT-UA has compiled a list of files and network indicators connected to these cyberattacks. This includes various executable and archive files with specific hashes used to propagate the DarkCrystal RAT. Additionally, several IP addresses and URLs have been identified as part of the attackers’ infrastructure.

These indicators are vital for recognizing and mitigating potential threats within the defense sector. In light of these targeted attacks, CERT-UA stresses the need for vigilance and the immediate reporting of any suspicious activity. The use of instant messaging for malware distribution shows how the threat landscape keeps evolving and highlights the need for robust security measures across all communication channels, not only email.
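The two patterns the advisory describes, an archive that pairs a PDF with an executable (the DarkTortilla lure) and a set of file hashes, IP addresses and URLs to match against, lend themselves to a simple triage script. The following is an added example, not CERT-UA's code or any published tooling: it unpacks an archive in memory, flags executable members (by extension or by a PE `MZ` header, so a renamed binary is still caught), notes the document-plus-executable lure pattern, compares member hashes against an indicator set, and scans log lines for known-bad IPs and URLs. Every indicator value, file name and log line below is constructed for the example; CERT-UA's real indicators are not reproduced on this page and would be loaded in their place.

```python
import hashlib
import io
import re
import zipfile

# Extensions that should never arrive inside a "meeting report" archive.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd",
                       ".js", ".vbs", ".lnk", ".dll", ".hta")
DOCUMENT_SUFFIXES = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf")

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_executable(name: str, data: bytes) -> bool:
    """Extension check plus PE magic, so 'report.pdf' that is really an EXE is caught."""
    return name.lower().endswith(EXECUTABLE_SUFFIXES) or data[:2] == b"MZ"


def inspect_archive(archive_bytes: bytes, known_bad_hashes: set) -> dict:
    """Triage one ZIP archive: list members, flag executables, note the
    document-plus-executable lure pattern and report hash matches."""
    findings = {"members": [], "executables": [], "ioc_hits": [], "lure_pattern": False}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            digest = sha256_bytes(data)
            findings["members"].append((info.filename, digest))
            if is_executable(info.filename, data):
                findings["executables"].append(info.filename)
            if digest in known_bad_hashes:
                findings["ioc_hits"].append((info.filename, digest))
    has_document = any(n.lower().endswith(DOCUMENT_SUFFIXES) for n, _ in findings["members"])
    findings["lure_pattern"] = has_document and bool(findings["executables"])
    return findings


def match_network_iocs(log_lines, bad_ips: set, bad_urls: set) -> list:
    """Return (kind, indicator, line) for every log line touching a known-bad IP or URL."""
    hits = []
    for line in log_lines:
        for ip in sorted(set(IP_RE.findall(line))):
            if ip in bad_ips:
                hits.append(("ip", ip, line))
        for url in sorted(set(URL_RE.findall(line))):
            if url in bad_urls:
                hits.append(("url", url, line))
    return hits


# --- Constructed sample data (placeholders, not CERT-UA's indicators) ---------
SAMPLE_EXE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real binary"
KNOWN_BAD_HASHES = {sha256_bytes(SAMPLE_EXE_BYTES)}   # stands in for the advisory's hash list
PLACEHOLDER_BAD_IPS = {"198.51.100.23"}               # RFC 5737 documentation address
PLACEHOLDER_BAD_URLS = {"http://198.51.100.23/update.bin"}
SAMPLE_LOG_LINES = [
    "2025-03-10T10:01:02Z proxy allow src=10.0.0.5 dst=198.51.100.23 url=http://198.51.100.23/update.bin",
    "2025-03-10T10:05:44Z proxy allow src=10.0.0.7 dst=203.0.113.9 url=https://example.org/",
]


def build_sample_archive() -> bytes:
    """Mimic the lure described in the advisory: a PDF next to an executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meeting_report.pdf", b"%PDF-1.4\n% constructed placeholder document\n")
        zf.writestr("meeting_report.exe", SAMPLE_EXE_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    result = inspect_archive(build_sample_archive(), KNOWN_BAD_HASHES)
    print("executables:", result["executables"])
    print("lure pattern:", result["lure_pattern"])
    print("hash hits:", result["ioc_hits"])
    for kind, value, line in match_network_iocs(SAMPLE_LOG_LINES, PLACEHOLDER_BAD_IPS, PLACEHOLDER_BAD_URLS):
        print(f"{kind} hit {value}: {line}")
```

In practice the three placeholder sets would be replaced with the indicators from the CERT-UA bulletin, and `inspect_archive` would be run on attachments pulled from the messaging client's download directory rather than on the constructed archive. The `MZ` check matters because the extension alone is what the lure is designed to make the recipient ignore.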
