Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of a new campaign that targets the defense sectors with Dark Crystal RAT (aka DCRat). The campaign, detected earlier this month, has been found to target both employees of enterprises of the defense-industrial complex and individual representatives of the Defense Forces of Ukraine. The activity involves
Analysis Summary
This summary is based solely on the provided article excerpt.
# Threat Actor: UAC-0200 (Associated with Dark Crystal RAT)
## Attribution & Identity
* **Primary Threat Actor Cluster:** UAC-0200 (tracked by CERT-UA).
* **Activity Timeline:** Known to be active since at least Summer 2024.
* **Association:** Associated with the deployment of the Dark Crystal RAT (DCRat).
## Activity Summary
CERT-UA reported a new campaign detected earlier this month (March 2025) specifically targeting Ukrainian defense sectors. The activity involves spear-phishing attacks distributed via the Signal messaging application. The attackers send messages containing alleged meeting minutes, often using previously compromised Signal accounts to enhance credibility. These messages conceal archive files containing a decoy PDF and an executable wrapped in the DarkTortilla crypter, which ultimately deploys DCRat.
## Tactics, Techniques & Procedures
* **Delivery Mechanism:** Spear-phishing via the Signal messenger application (mobile and desktop).
* **Payload Concealment:** Use of archive files containing decoy documents and executables.
* **Evasion:** Use of DarkTortilla, a .NET-based evasive crypter, to decrypt and launch the payload.
* **Malware Functionality:** Utilization of Dark Crystal RAT (DCRat) for remote access, arbitrary command execution, and information theft.
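The delivery pattern above (an archive pairing a decoy document with an executable) is one a mail or messaging gateway can screen for. The following is an added illustration, not CERT-UA's tooling: it classifies archive members by their leading bytes rather than their extension and flags archives that combine a document with a PE executable, using a constructed sample archive rather than a real campaign artifact.

```python
import io
import zipfile

# File-type signatures for the member kinds the campaign pairs in one archive.
PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"

def classify_member(head: bytes) -> str:
    """Classify a member by its magic bytes; extensions are attacker-controlled."""
    if head.startswith(PE_MAGIC):
        return "executable"
    if head.startswith(PDF_MAGIC):
        return "document"
    return "other"

def inspect_archive(blob: bytes) -> dict:
    """Return per-member classes and whether the decoy + executable pattern is present."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                members[info.filename] = classify_member(fh.read(8))
    kinds = set(members.values())
    # Executables whose names imitate a document (e.g. "minutes.pdf.exe").
    lure_named = [n for n, k in members.items()
                  if k == "executable" and ".pdf." in n.lower()]
    return {
        "members": members,
        "suspicious": "executable" in kinds and "document" in kinds,
        "lure_named": lure_named,
    }

def build_sample_archive() -> bytes:
    """Constructed sample for the demo: a tiny decoy PDF beside a PE stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meeting_minutes.pdf", b"%PDF-1.4\n%constructed decoy\n")
        zf.writestr("meeting_minutes.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_archive(build_sample_archive()))
```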
## Targeting
* **Sectors:** Defense-industrial complex enterprises and individual representatives of the Defense Forces of Ukraine.
* **Geography:** Ukraine.
* **Victims:** Employees of defense enterprises and members of the Ukrainian military.
## Tools & Infrastructure
* **Malware Families Used:**
  * Dark Crystal RAT (DCRat) - Remote Access Trojan (RAT)
  * DarkTortilla - .NET-based evasive crypter
* **Infrastructure (C2, domains, IPs):** Not specified in the provided text.
## Implications
The threat actor is actively and persistently targeting critical national defense infrastructure and military personnel in Ukraine using modern, cross-platform messaging services (Signal) for initial access. The use of compromised accounts adds a layer of social engineering trust. The reliance on easily accessible messengers expands the attack surface beyond traditional email vectors.
## Mitigations
* **Security Awareness:** Users (especially in defense sectors) should exercise extreme caution regarding files received via Signal, even from known contacts (whose accounts may be compromised).
* **Endpoint Protection:** Ensure robust endpoint detection and response capable of identifying and neutralizing post-exploitation tools like DCRat and evasion techniques utilized by DarkTortilla.
* **Messaging Security:** Review organizational security policies on the use of consumer messaging applications for sensitive communications, given their exploitation as an initial access vector.