article featured image


Ukrainian government networks were infected via trojanized ISO files posing as legitimate Windows 10 installers and several governmental institutions were hacked.

Threat actors used malware to collect data from their victims, deploy additional malicious tools, and exfiltrate stolen data to controlled servers.

According to cyber researchers, one of the malicious ISOs was hosted on the toloka[.]to Ukrainian torrent tracker by a user whose account was created in May 2022.

The ISO was configured to disable the typical security telemetry a Windows computer would send to Microsoft and block automatic updates and license verification.

There was no indication of a financial motivation for the intrusions, either through the theft of monetizable information or the deployment of ransomware or cryptominers.


Was Ukraine Specifically Targeted in This Cyber Attack?

Unlike other attacks where cyber-espionage groups host payloads on their infrastructure, this time the trojanized Windows 10 ISOs were deployed through Ukrainian and Russian language torrent file-sharing platforms.

The malicious installers did not necessarily aim at the Ukrainian government at first. But after the threat actors checked the infected devices they continued the attacks more intensively on the endpoints determined to belong to government entities.

Threat Actors Picked Targets That Overlap with GRU Interests in Ukraine

The UNC4166 threat group was tracked as being behind this attack and security researchers think their purpose is to exfiltrate useful information from UA government networks.

It was also discovered that the organizations attacked in this campaign were on a target list belonging to APT28 state hackers, which links to Russian military intelligence.

Lots of phishing attempts that targeted the Ukrainian government and its military groups have been labeled as APT28 operations by Google, Microsoft, and Ukraine’s CERT since Russia invaded Ukraine. At this point, cyber researchers agree that

The use of trojanized ISOs is novel in espionage operations and included anti-detection capabilities indicates that the actors behind this activity are security conscious and patient, as the operation would have required a significant time and resources to develop and wait for the ISO to be installed on a network of interest


If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.

Leave a Reply

Your email address will not be published. Required fields are marked *