Dark News Live

CERT-UA Warns of UAC-0173 Attacks Deploying DCRat to Compromise Ukrainian Notaries

The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday warned of renewed activity from an organized criminal group it tracks as UAC-0173 that involves infecting computers with a remote access trojan named DCRat (aka DarkCrystal RAT).

The Ukrainian cybersecurity authority said it observed the latest attack wave starting in mid-January 2025. The activity targets notaries in Ukraine.

The infection chain leverages phishing emails that claim to be sent on behalf of the Ministry of Justice of Ukraine, urging recipients to download an executable, which, when launched, leads to the deployment of the DCRat malware. The binary is hosted in Cloudflare’s R2 cloud storage service.

“Having thus provided primary access to the notary’s automated workplace, the attackers take measures to install additional tools, in particular, RDPWRAPPER, which implements the functionality of parallel RDP sessions, which, in combination with the use of the BORE utility, allows you to establish RDP connections from the Internet directly to the computer,” CERT-UA said.

The attacks are also characterized by the use of other tools and malware families like FIDDLER for intercepting authentication data entered in the web interface of state registers, NMAP for network scanning, and XWorm for stealing sensitive data, such as credentials and clipboard content.

Furthermore, the compromised systems are used as a conduit to draft and send malicious emails using the SENDMAIL console utility in order to further propagate the attacks.
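A host-level hunt for the RDPWRAPPER and BORE tooling named above, written for this article as an added example (it is not CERT-UA's or the article's own code). It assumes RDPWrapper's default install path and its redirection of the TermService ServiceDll, and that the tunnel binary runs as a process named "bore"; run it in an elevated PowerShell session on a workstation you administer.

```powershell
# Added hunt script (not from CERT-UA or the article). Assumptions, labelled:
#  - RDPWrapper points the TermService ServiceDll at its own rdpwrap.dll, so a
#    ServiceDll other than %SystemRoot%\System32\termsrv.dll is suspicious.
#  - RDPWrapper's default install path is "$env:ProgramFiles\RDP Wrapper".
#  - The BORE tunnel runs as a process named "bore" (assumed executable name).
# Returns a list of findings; an empty list means no traces were found.

function Find-RdpExposureTraces {
    $findings = @()

    # 1. TermService should load Microsoft's termsrv.dll; RDPWrapper swaps it out.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters'
    $dll = (Get-ItemProperty -Path $svcKey -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    $expected = Join-Path $env:SystemRoot 'System32\termsrv.dll'
    if ($dll -and ([Environment]::ExpandEnvironmentVariables($dll) -ne $expected)) {
        $findings += "TermService ServiceDll redirected to: $dll"
    }

    # 2. RDPWrapper artifacts on disk (assumed default install location).
    foreach ($p in @("$env:ProgramFiles\RDP Wrapper\rdpwrap.dll",
                     "$env:ProgramFiles\RDP Wrapper\rdpwrap.ini")) {
        if (Test-Path $p) { $findings += "RDPWrapper artifact present: $p" }
    }

    # 3. A tunnel that exposes RDP to the Internet runs as an extra process.
    Get-Process -Name 'bore' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings += "Tunnel process running: $($_.ProcessName) (PID $($_.Id))"
    }

    # 4. Parallel RDP sessions: more than one active session on a workstation is unusual.
    if (Get-Command quser -ErrorAction SilentlyContinue) {
        $active = @(quser 2>$null | Select-Object -Skip 1 | Where-Object { $_ -match '\sActive\s' })
        if ($active.Count -gt 1) {
            $findings += "$($active.Count) concurrent active sessions reported by quser"
        }
    }

    return $findings
}

Find-RdpExposureTraces | ForEach-Object { Write-Output "[!] $_" }
```

Any finding is a starting point for triage, not proof of compromise: a legitimately redirected ServiceDll or a second active session still needs to be explained by the host's owner.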

The development comes days after CERT-UA attributed a sub-cluster within the Sandworm hacking group (aka APT44, Seashell Blizzard, and UAC-0002) to the exploitation of a now-patched security flaw in Microsoft Windows (CVE-2024-38213, CVSS score: 6.5) in the second half of 2024 via booby-trapped documents.

The attack chains have been found to execute PowerShell commands responsible for displaying a decoy file, while simultaneously launching additional payloads in the background, including SECONDBEST (aka EMPIREPAST), SPARK, and a Golang loader named CROOKBAG.

The activity, attributed to UAC-0212, targeted supplier companies from Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025, with some of the attacks recorded against more than two dozen Ukrainian enterprises specializing in the development of automated process control systems (ACST), electrical works, and freight transportation.

Some of these attacks have been documented by StrikeReady Labs and Microsoft, the latter of which is tracking the threat group under the moniker BadPilot.
