Threat actors linked to the Russian advanced persistent threat group Sandworm, tracked as UAC-0113, have been impersonating the Ukrainian telecommunications providers EuroTransTelecom and Datagroup to distribute the Warzone RAT and the Colibri loader, The Hacker News reports.
Recorded Future researchers found that the new attacks continue an earlier campaign by the same group that spread the DCRat (DarkCrystal RAT) malware through phishing emails.
"A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware," said researchers.
All of the attacks were observed to use fraudulent domains hosting a fake "Odesa Regional Military Administration" site and to deliver an encoded ISO image payload through HTML smuggling, so the file is assembled in the victim's browser rather than fetched from a URL that perimeter controls could inspect.
The ISO file used in the newest attack contains an LNK file that triggers the infection sequence leading to the deployment of the Colibri loader and Warzone RAT, together with a decoy document intended to mask the malicious activity, the researchers said.
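The HTML smuggling step described above is the point where a mail gateway or sandbox can still intervene, because the browser-side decode must be present in the attachment itself. The following Python script is an added example and not code from the article, from Recorded Future or from The Hacker News: it scans an HTML attachment for the usual smuggling pattern (a large base64 string, client-side `atob`/`Blob` decoding and a scripted download), decodes any embedded blob and checks whether it carries the ISO 9660 signature `CD001` at offset 0x8001. The sample HTML, the indicator list and the thresholds are constructed for illustration and are assumptions, not indicators taken from the campaign.

```python
import base64
import re

# Heuristic JavaScript indicators of HTML smuggling (assumption: constructed list,
# not indicators published for this campaign).
JS_INDICATORS = {
    "atob(": "client-side base64 decode",
    "new Blob(": "Blob construction",
    "URL.createObjectURL(": "object URL for in-browser download",
    "msSaveOrOpenBlob": "legacy IE/Edge download API",
    ".download =": "forced file name via anchor download property",
    ".click()": "scripted click on the download link",
}

# A long run of base64 alphabet characters; 200 is an arbitrary floor to skip
# short tokens (assumption).
B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Captures the file name assigned via `a.download = "..."` or `download="..."`.
DOWNLOAD_NAME_RE = re.compile(r"""\bdownload\s*=\s*["']([^"']+)["']""")


def classify_payload(data: bytes) -> str:
    """Identify a decoded blob by magic bytes; ISO 9660 puts 'CD001' at 0x8001."""
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"


def scan_html(html: str) -> dict:
    """Return smuggling indicators, decoded payload summaries and a verdict."""
    hits = [desc for ind, desc in JS_INDICATORS.items() if ind in html]
    payloads = []
    for m in B64_RE.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except (ValueError, base64.binascii.Error):
            continue  # long token that is not valid base64 (e.g. minified JS)
        payloads.append({"size": len(data), "type": classify_payload(data)})
    names = DOWNLOAD_NAME_RE.findall(html)
    # Verdict: several decode/download indicators plus an embedded blob that is
    # either a recognised container or simply large (threshold is an assumption).
    suspicious = len(hits) >= 3 and any(
        p["type"] != "unknown" or p["size"] > 10_000 for p in payloads
    )
    return {
        "indicators": hits,
        "payloads": payloads,
        "download_names": names,
        "suspicious": suspicious,
    }


def build_sample() -> str:
    """Constructed HTML attachment: a minimal fake ISO (16 zeroed sectors then a
    primary volume descriptor header) smuggled via atob/Blob/click."""
    fake_iso = b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + b"\x00" * 2040
    b64 = base64.b64encode(fake_iso).decode()
    return f"""<html><body><p>Document is loading...</p>
<script>
var b = atob("{b64}");
var arr = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) arr[i] = b.charCodeAt(i);
var blob = new Blob([arr], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "document.iso";
document.body.appendChild(a);
a.click();
</script></body></html>"""


if __name__ == "__main__":
    report = scan_html(build_sample())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the script against the constructed sample reports five indicators, one decoded payload classified as `iso9660`, the download name `document.iso` and a `suspicious` verdict. The check is deliberately simple: real smuggling pages often split the base64 string into fragments, XOR it with a key, or use a non-standard alphabet before `atob`, so a production detector should also flag heavy string concatenation and custom decode loops rather than rely on a single contiguous blob.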