# Incident Report: Phishing Campaign Delivering Amatera Stealer and PureMiner via Malicious SVG
## Executive Summary
A targeted phishing campaign impersonating the National Police of Ukraine distributed malicious Scalable Vector Graphics (SVG) files to initiate a multi-stage, fileless malware deployment. The attack successfully installed Amatera Stealer (for data theft) and PureMiner (for cryptomining) on compromised Microsoft Windows systems. Rapid detection by security researchers allowed for the analysis of the sophisticated attack chain, leading to the identification of associated Indicators of Compromise (IOCs).
## Incident Details
- Discovery Date: September 26, 2025 (Date of published analysis)
- Incident Date: Ongoing at time of writing (No specific start date provided)
- Affected Organization: Undisclosed, but potentially any organization targeted by the geopolitical lure.
- Sector: Unknown (General targeting)
- Geography: Ukraine (Target focus)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown (Triggered upon email opening)
- **Vector:** Malicious Phishing Email
- **Details:** Attackers sent emails disguised as official notices from the National Police of Ukraine, pressuring recipients to open the attachment **"elektronni_zapit_NPU.svg"**.
### Payload Delivery Chain
1. **SVG Execution:** The embedded HTML element in the SVG redirects the user to a download page.
2. **Archive Download:** A password-protected archive is downloaded, containing a Compiled HTML Help (CHM) file.
3. **HTA Execution:** The malicious file inside the CHM triggers a shortcut object whose "Click" method executes a remote, obfuscated HTML Application (HTA), the **CountLoader**, in hidden mode.
4. **Payload Staging:** The CountLoader communicates with the C2 server, sends system info, and receives further commands.
5. **Malware Deployment:** Payloads (Amatera Stealer and PureMiner) are deployed filelessly, using .NET AOT compilation with process hollowing or memory loading via PythonMemoryModule.
### Lateral Movement
- The report explicitly details the **CountLoader**'s functionality to perform domain reconnaissance and download further commands, implying potential internal reconnaissance capabilities, although specific lateral movement techniques beyond initial staging are not detailed.
### Data Exfiltration/Impact
- **Impact:** Remote control of host, collection of sensitive information (Amatera Stealer), and hijacking of computing resources for cryptomining (PureMiner).
### Detection & Response
- **Detection:** FortiGuard Labs observed and analyzed the campaign, leading to the public disclosure.
- **Response (Implied):** Threat intelligence sharing via IOCs and promoting immediate protective measures across Fortinet security products.
## Attack Methodology
- **Initial Access:** Phishing via Malicious SVG Attachment delivering a CHM file.
- **Persistence:** Not explicitly detailed for the final payloads, but the CountLoader establishes C2 communication.
- **Privilege Escalation:** Not explicitly detailed, but likely achieved through exploitation inherent in the HTA/CountLoader execution chain or user privilege context.
- **Defense Evasion:** Fileless execution utilizing process hollowing or in-memory loading to bypass traditional file-based signature detection. Obfuscation of CountLoader code using string encoding and array shuffling.
- **Credential Access:** Amatera Stealer is designed for data collection, which typically includes credentials.
- **Discovery:** CountLoader supports a command to perform domain reconnaissance.
- **Lateral Movement:** Supported by download/execute commands from the C2 server, though execution details are vague.
- **Collection:** Sensitive information collected by Amatera Stealer.
- **Exfiltration:** Data is sent to the C2 server via HTTP POST request using XorBase64 encoding.
- **Impact:** Financial loss via cryptomining (PureMiner) and data exfiltration risk (Amatera Stealer).
## Impact Assessment
- **Financial:** Potential operational cost due to resource consumption from cryptomining (PureMiner).
- **Data Breach:** High risk of sensitive information theft due to Amatera Stealer deployment.
- **Operational:** Risk of system instability or performance degradation due to cryptomining activities.
- **Reputational:** (Unspecified, dependent on victims).
## Indicators of Compromise
- **Domains / IPs:**
  - npulvivgov[.]cfd
  - ms-team-ping{1 to 10}[.]com
  - azure-expresscontainer{1 to 10}[.]com
  - acqua-tecnica[.]it
  - phuyufact[.]com
  - 109[.]176[.]207[.]110
  - amaprox[.]click
  - ama0899[.]shop
- **File Indicators (SHA-256 Hashes):**
  - bcce8115784909942d0eb7a84065ae2cd5803dc9c45372a461133f9844340436
  - 9cbb497f0878a073504d3699cfbd86a816c7941234729631722d010f6ecd09f5
  - *[List continues for 14 distinct hashes]*
- **Behavioral Indicators:**
  - Execution of remote HTA resources from within a CHM file structure.
  - In-memory execution or process hollowing used for final payload delivery (.NET AOT).
  - C2 communication using XorBase64 encoded HTTP POST requests.
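The domain indicators above are written in defanged form, and two of them describe numbered families (`ms-team-ping{1 to 10}[.]com`, `azure-expresscontainer{1 to 10}[.]com`) rather than single hosts, so they cannot be pasted into a blocklist as-is. The following is an added example, not code from FortiGuard Labs or from the report, showing how a defender can refang and expand these entries into a concrete watchlist and sweep proxy or DNS logs for them. It assumes the `{1 to 10}` notation means the numeric suffixes 1 through 10 inserted at that position; the proxy log lines are constructed for the example.

```python
import re

# Defanged indicators copied from the report's "Domains / IPs" list.
REPORT_IOCS = [
    "npulvivgov[.]cfd",
    "ms-team-ping{1 to 10}[.]com",
    "azure-expresscontainer{1 to 10}[.]com",
    "acqua-tecnica[.]it",
    "phuyufact[.]com",
    "109[.]176[.]207[.]110",
    "amaprox[.]click",
    "ama0899[.]shop",
]

# Assumption: "{a to b}" in the report means the integer suffixes a..b inclusive.
RANGE_RE = re.compile(r"\{(\d+) to (\d+)\}")

# Candidate hostnames or dotted IPv4 addresses inside a free-form log line.
HOST_RE = re.compile(
    r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})", re.I
)


def refang(ioc: str) -> str:
    """Turn the defanged notation used in the report back into a real host string."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def expand_ioc(ioc: str) -> list:
    """Expand one indicator, including a '{a to b}' numbered family, into concrete hosts."""
    host = refang(ioc)
    m = RANGE_RE.search(host)
    if not m:
        return [host.lower()]
    lo, hi = int(m.group(1)), int(m.group(2))
    return [(host[: m.start()] + str(n) + host[m.end():]).lower() for n in range(lo, hi + 1)]


def build_watchlist(iocs) -> set:
    """Flatten every indicator into a set of lowercase hosts for exact matching."""
    hosts = set()
    for ioc in iocs:
        hosts.update(expand_ioc(ioc))
    return hosts


def extract_hosts(line: str) -> set:
    """Pull every hostname / IPv4 literal out of one log line."""
    return {h.lower() for h in HOST_RE.findall(line)}


def match_log(lines, watchlist) -> list:
    """Return (line_number, host) for each line that touches a watchlisted host."""
    hits = []
    for number, line in enumerate(lines, 1):
        for host in sorted(extract_hosts(line)):
            if host in watchlist:
                hits.append((number, host))
    return hits


# Constructed proxy log lines for the example; not taken from any real incident.
SAMPLE_PROXY_LOG = [
    "2025-09-26T10:14:02Z src=10.0.0.5 method=GET url=http://ms-team-ping3.com/api/ping status=200",
    "2025-09-26T10:14:05Z src=10.0.0.5 method=GET url=https://www.example.com/ status=200",
    "2025-09-26T10:15:11Z src=10.0.0.7 method=POST url=http://109.176.207.110/gate status=200",
    "2025-09-26T10:16:40Z src=10.0.0.9 method=GET url=https://npulvivgov.cfd/download status=200",
]

if __name__ == "__main__":
    watchlist = build_watchlist(REPORT_IOCS)
    print(f"{len(watchlist)} concrete hosts on the watchlist")
    for number, host in match_log(SAMPLE_PROXY_LOG, watchlist):
        print(f"line {number}: contact with {host}")
```

Exact host matching is deliberate: the numbered families expand to a finite list, so there is no need for a wildcard that could also catch look-alike but unrelated domains. Subdomains of a listed domain would be missed by this check and should be added explicitly if your logs show them.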
## Response Actions
*Containment, Eradication, and Recovery actions are not detailed as they are recommendations based on the findings rather than actions taken during the incident analysis period.*
## Lessons Learned
- **SVG as a Vector:** Malicious content can be embedded within "safe" file types like SVG, capable of initiating complex attack sequences and bypassing standard document inspection controls.
- **Multi-Stage Fileless Attacks:** Attackers are utilizing multi-stage methods (SVG -> CHM -> HTA/CountLoader) combined with fileless techniques (.NET AOT/memory loading) to maximize stealth and complicate attribution/remediation.
- **Social Engineering Efficacy:** Utilizing official-sounding governmental lures remains highly effective in coercing users into bypassing security warnings.
## Recommendations
- **Endpoint Protection:** Deploy Endpoint Detection and Response (EDR) solutions capable of inspecting processes spawned from documents/archives (CHM/HTA) and detecting memory-only execution techniques like process hollowing.
- **Email Filtering:** Enhance email security controls (FortiMail, Web Filtering) to scrutinize content within SVG files or block SVG attachments entirely if appropriate for the business context.
- **Content Disarm:** Implement Content Disarm and Reconstruction (CDR) services to actively neutralize potential macros or embedded harmful code within file attachments before they reach end-users.
- **User Training:** Conduct recurring training focused on identifying geopolitical phishing lures and the dangers of opening attachments from unexpected official sources.
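The "SVG as a Vector" lesson and the email-filtering recommendation both come down to one control: an SVG that is really a picture contains shapes and paths, not scripts, embedded HTML or links that take the reader somewhere else. The following is an added example, not code from Fortinet or from the report, of a small mail-gateway style inspector that parses an SVG attachment and flags the constructs a vector image has no reason to carry (script and `foreignObject` elements, inline event-handler attributes, `javascript:`/`data:` URIs, and external http(s) links). The two sample documents are constructed for the example and do not reproduce the campaign's actual file; `example.invalid` is a placeholder host.

```python
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"

# Elements that have no place in a plain vector image (names compared lowercase).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "object", "embed", "meta"}
# Attribute names that carry a URI; both the plain and the xlink-namespaced form.
URI_ATTRS = ("href", XLINK_HREF)


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()


def inspect_svg(data: bytes) -> list:
    """Return (category, element, detail) findings for one SVG document.

    Categories: 'unparseable', 'active-element', 'event-handler',
    'script-uri' and 'external-link'. An empty list means nothing suspicious.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("unparseable", "-", str(exc))]
    for el in root.iter():
        name = _local(el.tag) if isinstance(el.tag, str) else "?"
        if name in ACTIVE_ELEMENTS:
            findings.append(("active-element", name, ""))
        for attr, value in el.attrib.items():
            if _local(attr).startswith("on"):          # onload, onclick, onbegin, ...
                findings.append(("event-handler", name, _local(attr)))
            if attr in URI_ATTRS:
                target = value.strip().lower()
                if target.startswith(("javascript:", "data:")):
                    findings.append(("script-uri", name, value))
                elif target.startswith(("http://", "https://")):
                    findings.append(("external-link", name, value))
    return findings


def verdict(findings: list) -> str:
    """Map findings to a gateway decision: 'allow', 'review' or 'block'."""
    categories = {c for c, _, _ in findings}
    if categories & {"unparseable", "active-element", "event-handler", "script-uri"}:
        return "block"
    if "external-link" in categories:
        return "review"
    return "allow"


# Constructed sample 1: an ordinary icon, nothing but a shape.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<circle cx="5" cy="5" r="4" fill="blue"/></svg>'
)

# Constructed sample 2: an "image" that embeds HTML and a clickable link,
# the general shape of the technique the report describes (not the real file).
SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <foreignObject width="100" height="50">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <a href="https://example.invalid/download">Open document</a>
    </body>
  </foreignObject>
  <a xlink:href="javascript:void(0)"><text y="20">Open</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        f = inspect_svg(doc)
        print(f"{label}: {verdict(f)}")
        for category, element, detail in f:
            print(f"  {category:15} <{element}> {detail}")
```

The inspector parses the document rather than grepping the bytes, so it is not fooled by whitespace, attribute order or namespace prefixes, and it treats a file that does not parse as XML as a reason to block rather than to let through. Run at the gateway it gives a concrete basis for the "scrutinize or block SVG attachments" recommendation: plain icons pass, anything carrying active content is held.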