Digital Security Lab Ukraine
@DSLab_Ukraine
Followers: 328 · Following: 194 · Media: 54 · Statuses: 186
we help Ukrainian nonprofits with digital safety issues
Joined June 2018
🚨 @SentinelLabs, together with the Digital Security Lab of Ukraine, has uncovered a coordinated spearphishing campaign targeting members of the Red Cross, Norwegian Refugee Council, UNICEF, and other NGOs supporting Ukraine, as well as regional government officials.
SHA-256:
4362f67ab65cca32fb610e62745aac7d8587a7bac46e5a6c89db8b4a9c7e9458
f78944a2699b21fb34fc9c1c7c0ae7ca16c709bf72cbc15ad0cdaa66bec8d1bd
ad8a491018f5c5edecfc75ec3a3627aa04a26019ce87c8f236bb400ec35c3244
a0e709c0df0e38b30a2283dc5c1667c852d212952cc4db18c364d35a70ca0c96
IOCs: 46.4.92[.]6 64.20.61[.]146 pixeldrain[.]com id[.]remoteutilities[.]com
Payload: Remote Utilities rutserv.exe, rfusclient.exe
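The hashes, IPs and defanged domains in the two posts above are published as free text. The script below is an added example (not DSLU or SentinelLABS code) of the first thing an analyst usually does with such a post: refang it, pull the indicators into typed sets, and sweep them across local logs with boundaries that avoid near-miss matches. The posted IOC lines are embedded verbatim; the log lines, user names and timestamps are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# The IOC lines as posted in the thread above, pasted raw
# (defanged domains, IPs, SHA-256 hashes and payload file names).
POSTED_IOCS = """
SHA-256: 4362f67ab65cca32fb610e62745aac7d8587a7bac46e5a6c89db8b4a9c7e9458
f78944a2699b21fb34fc9c1c7c0ae7ca16c709bf72cbc15ad0cdaa66bec8d1bd
ad8a491018f5c5edecfc75ec3a3627aa04a26019ce87c8f236bb400ec35c3244
a0e709c0df0e38b30a2283dc5c1667c852d212952cc4db18c364d35a70ca0c96
IOCs: 46.4.92[.]6 64.20.61[.]146 pixeldrain[.]com id[.]remoteutilities[.]com
Payload: Remote Utilities rutserv.exe, rfusclient.exe
"""

# Constructed log lines (not real telemetry): a proxy hit on the RAT vendor
# domain, a Sysmon process-creation line for the payload, a near-miss IP and
# a benign proxy line.
SAMPLE_LOG = [
    "2025-10-10T09:14:02Z proxy user=j.doe dst=id.remoteutilities.com:443 action=allow",
    "2025-10-10T09:14:05Z sysmon EventID=1 Image=C:\\Users\\j.doe\\AppData\\Local\\Temp\\rutserv.exe "
    "Hashes=SHA256=4362F67AB65CCA32FB610E62745AAC7D8587A7BAC46E5A6C89DB8B4A9C7E9458",
    "2025-10-10T09:15:11Z fw src=10.0.0.23 dst=64.20.61.1460 action=allow",
    "2025-10-10T09:16:00Z proxy user=a.smith dst=www.example.com:443 action=allow",
]

# File extensions the domain regex would otherwise mistake for TLDs.
FILE_EXTS = {"exe", "dll", "msi", "js", "pdf", "rar", "zip", "lnk", "ps1"}

SHA256_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])", re.I)
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
DOMAIN_RE = re.compile(r"(?<![\w.-])(?:[a-z0-9-]+\.)+[a-z]{2,}(?![\w-])", re.I)


def refang(text: str) -> str:
    """Undo the usual defanging conventions: [.] -> . , [:] -> : , hxxp -> http."""
    text = text.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"hxxp", "http", text, flags=re.I)


def extract_iocs(text: str) -> Dict[str, Set[str]]:
    """Pull hashes, IPs, domains and file names out of free text into typed sets."""
    text = refang(text)
    iocs: Dict[str, Set[str]] = {"sha256": set(), "ipv4": set(), "domain": set(), "filename": set()}
    iocs["sha256"].update(h.lower() for h in SHA256_RE.findall(text))
    iocs["ipv4"].update(IPV4_RE.findall(text))
    for match in DOMAIN_RE.findall(text):
        name = match.lower()
        bucket = "filename" if name.rsplit(".", 1)[1] in FILE_EXTS else "domain"
        iocs[bucket].add(name)
    return iocs


def match_log(iocs: Dict[str, Set[str]], lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line index, IOC type, value) for every IOC found in the lines.

    Boundaries are enforced so 64.20.61.146 does not match 64.20.61.1460, while
    a domain IOC still matches when it is the parent of a longer host name.
    """
    hits = []
    for idx, line in enumerate(lines):
        low = line.lower()
        for kind in ("sha256", "ipv4", "domain", "filename"):
            head = r"(?<![\w.])" if kind == "ipv4" else r"(?<![\w-])"
            tail = r"(?![\w.])" if kind == "ipv4" else r"(?![\w-])"
            for value in sorted(iocs[kind]):
                if re.search(head + re.escape(value) + tail, low):
                    hits.append((idx, kind, value))
    return hits


if __name__ == "__main__":
    found = extract_iocs(POSTED_IOCS)
    for kind, values in found.items():
        print(kind, sorted(values))
    for idx, kind, value in match_log(found, SAMPLE_LOG):
        print(f"line {idx}: {kind} {value}")
```

Note that id.remoteutilities.com is the vendor's own endpoint for the Remote Utilities product, so a hit on it is a lead to triage against the software inventory, not proof of compromise on its own.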
Attack chain: PDF posing as an official document → embedded button → RAR archive → ZIP archive → JS file disguised as a document. The JS drops a fake “corrupted” PDF for the user, requests elevated privileges, and silently downloads an MSI payload. Final stage: installation of the RAT.
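The chain in the post above (archived JS posing as a document, elevation, a quietly installed MSI, then the Remote Utilities RAT) leaves a process lineage that endpoint telemetry can catch even when the hashes change. The block below is an added example written for this page, not DSLU or SentinelLABS code: three rules run over constructed Sysmon-style process-creation events. The script name document.pdf.js, the user paths and the idea that a legitimate Remote Utilities install lives under Program Files are assumptions for the example; tune them to your estate.

```python
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Remote Utilities binaries, as named in the thread's payload IOCs.
RAT_BINARIES = {"rutserv.exe", "rfusclient.exe"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
# Assumption for this example: a legitimately deployed Remote Utilities lives
# under Program Files; any other location is treated as unexpected.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon-style process-creation events (not real telemetry).
# Paths, file names and the install folder name are invented for the example.
SAMPLE_EVENTS: List[Event] = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\j.doe\AppData\Local\Temp\Rar$DIa.123\document.pdf.js"',
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\j.doe\AppData\Local\Temp\update.msi /qn",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "IntegrityLevel": "High"},
    {"Image": r"C:\Users\j.doe\AppData\Roaming\Remote Utilities\rutserv.exe",
     "CommandLine": r'"C:\Users\j.doe\AppData\Roaming\Remote Utilities\rutserv.exe"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "IntegrityLevel": "High"},
    # Benign: the Windows Installer service, a logon script, a normal install.
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"C:\Windows\System32\msiexec.exe /V",
     "ParentImage": r"C:\Windows\System32\services.exe", "IntegrityLevel": "System"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Scripts\logon.vbs',
     "ParentImage": r"C:\Windows\System32\userinit.exe", "IntegrityLevel": "Medium"},
    {"Image": r"C:\Program Files (x86)\Remote Utilities\rutserv.exe",
     "CommandLine": r'"C:\Program Files (x86)\Remote Utilities\rutserv.exe"',
     "ParentImage": r"C:\Windows\System32\services.exe", "IntegrityLevel": "System"},
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def tokens(cmdline: str) -> List[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def looks_like_disguised_script(path: str) -> bool:
    """document.pdf.js style: a script extension stacked on a document extension."""
    stem, ext = ntpath.splitext(basename(path))
    return ext in SCRIPT_EXTS and ntpath.splitext(stem)[1] in DOCUMENT_EXTS


def detect(events: List[Event]) -> List[Tuple[int, str, str]]:
    """Run the three rules and return (event index, rule name, detail)."""
    alerts = []
    for idx, ev in enumerate(events):
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        # Rule 1: a script host launched with a document-looking script.
        if image in SCRIPT_HOSTS:
            for arg in tokens(ev["CommandLine"])[1:]:
                if looks_like_disguised_script(arg):
                    alerts.append((idx, "script_host_disguised_script", arg))
        # Rule 2: Windows Installer spawned by a script host (the MSI stage);
        # record whether it was silent (/q*) and at what integrity it ran.
        if image == "msiexec.exe" and parent in SCRIPT_HOSTS:
            quiet = any(a.lower().startswith("/q") for a in tokens(ev["CommandLine"]))
            mode = "quiet" if quiet else "interactive"
            alerts.append((idx, "msiexec_from_script_host", f"{mode} install at {ev['IntegrityLevel']} integrity"))
        # Rule 3: the RAT binary running from outside its expected install location.
        if image in RAT_BINARIES and not ev["Image"].lower().startswith(TRUSTED_PREFIXES):
            alerts.append((idx, "remote_utilities_unexpected_path", ev["Image"]))
    return alerts


if __name__ == "__main__":
    for idx, rule, detail in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Rule 2 is the one worth keeping regardless of the payload: Windows Installer is normally started by the MSI service or an installer UI, and a script host as its parent is rare enough in most estates to page on. Rule 3 assumes Remote Utilities is not legitimately used from user-writable paths, so confirm that against the software inventory before deploying it.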
Today we observed an active phishing campaign linked to Russia-aligned threat actors. Emails impersonated Ukrainian government institutions and delivered malicious attachments. The campaign is aimed at infecting Windows endpoints and establishing persistent remote access.
Find more domains on @ValidinLLC:
CERT_FINGERPRINT-HOST: 1fa3e6f0a65b7429219022eee3a7976f6761aba0
HOST-JARM: 27d27d27d00027d00042d43d00041df04c41293ba84f6efe3a613b22f983e6
DSLU is tracking a phishing campaign targeting Facebook accounts. Attackers are abusing Meta Business Suite invites and using two attack vectors: a link to a phishing website and a link prompting users to join a fake Facebook page.
👉 More IOCs: https://t.co/mr8gmzwAo0 👉 Track IOCs in VT: entity:domain ukr-one.* AND jarm:"00000000000000000042d43d00041da8040ca1d7d1b3e955a3535eb361ef06"
👉 IOCs:
ukr-one[.]ors-oc[.]info
ukr-one[.]connect-all[.]org
ukr-one[.]2dotz[.]org
ukr-one[.]naturalbd[.]org
ukr-one[.]seateur[.]info
ukr-one[.]mirrisunkov[.]cyou
⚠️ Attackers are using hacked Telegram accounts to spread fake invitations to “vote for kids in a drawing contest.” The links lead to phishing sites stealing account credentials.
🚨 Six months of prep. One day targeting Ukraine’s humanitarian networks, including individuals from the @ICRC, @UNICEF, and @NRC_Norway. New from @LabsSentinel and the @DSLab_Ukraine: a one-day spearphishing operation — PhantomCaptcha — that targeted humanitarian organizations.
SentinelLABS, together with Digital Security Lab of Ukraine, has uncovered a coordinated spear-phishing campaign targeting organizations critical to Ukraine’s war relief efforts. https://t.co/zkOAEwPraR
4/ The PhantomCaptcha campaign highlights a highly capable adversary collecting intelligence on humanitarian and reconstruction operations in Ukraine. ➡️ Full details in report:
sentinelone.com: SentinelLABS uncovers a coordinated spearphishing campaign targeting organizations critical to Ukraine's war relief efforts.
3/ Despite six months of preparation, the attackers’ infrastructure was active for only one day – reflecting meticulous planning, compartmentalized setup, and strong operational security.
2/ Attackers impersonated the Ukrainian President’s Office, sending weaponized PDFs that led victims to a fake Cloudflare captcha page (“ClickFix”-style). The payload: a WebSocket RAT hosted on Russian-owned infrastructure, enabling remote command execution and data theft.
👉 Domain: campaign-insight-hub[.]pages[.]dev
👉 appeal_form: f2bc64faa5d81910ea3cdf6905e3efe728ae356ec23fb6de0b40daa592d4e99c
👉 URL pattern:
https://*.pages.dev/welcome_to_meta_for_business
https://*.pages.dev/appeal_form
👉 More IOCs:
Phishing emails, where attackers pretend to be Meta, accuse you of violating community rules or intellectual property and threaten to block the account. We identified a number of related domains and other IOCs: