Hackers are distributing malicious emails that imitate official notices from the National Police of Ukraine. This phishing campaign, identified by FortiGuard Labs, targets any organisation running Microsoft Windows to compromise their systems with at least two new malware strains, including Amatera Stealer and PureMiner.
The attacks start with an email that carries a malicious Scalable Vector Graphics (SVG) file. An SVG is a standard image format, but because the file is plain XML text rather than binary pixel data, attackers can embed harmful content inside what looks like an ordinary picture.
The messages pressure the recipient using formal, legal language, falsely claiming an appeal is under review and warning that ignoring the notice could lead to “further legal action.”
How the Infection Spreads
When a victim opens the SVG attachment, the file displays a fake screen reading “Please wait, your document is loading…” and immediately forces the computer to download one of several password-protected ZIP archives, including ergosystem.zip or smtpB.zip. The password is shown on screen so that the process seems trustworthy.
Inside the archive is a Compiled HTML Help (CHM) file, which acts as the main trigger, launching a malicious script called the CountLoader. This loader, which Hackread.com previously reported on, is a known entry point designed to deliver multiple harmful programs.
Here, its job is to connect with a remote server, steal some basic system details, and then deliver the final malware. Researchers refer to this as a “fileless” threat because the payload is loaded directly into the computer’s memory, making it hard to detect.
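A defender-side triage check for SVG attachments of the kind described above, added here as an example and not code from FortiGuard Labs or Hackread; the sample SVG is constructed and the archive URL in it is a placeholder.

```python
"""Static triage of one SVG attachment for active-content markers.

Added example, not FortiGuard Labs' or Hackread's code. Flags what a lure
needs to run code from an "image": <script>, event-handler attributes,
javascript:/data: links, <foreignObject>, and links to archives. A hit is
grounds to quarantine, not proof of malice. For untrusted input in
production, parse with defusedxml to blunt entity-expansion attacks.
"""
import re
import xml.etree.ElementTree as ET

ARCHIVE_RE = re.compile(r"\.(zip|rar|7z|iso|img)(\?|$)", re.I)

def _local(tag):
    # Strip the namespace: "{http://www.w3.org/2000/svg}script" -> "script"
    return tag.rsplit("}", 1)[-1]

def triage_svg(data: bytes):
    """Return a list of (finding, detail) tuples for one SVG document."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Malformed XML is itself suspicious in a file claiming to be an image.
        return [("parse-error", str(exc))]
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "script":
            findings.append(("script-element", (elem.text or "").strip()[:40]))
        elif name == "foreignObject":
            findings.append(("foreign-object", "HTML embedded inside SVG"))
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(("event-handler", f"{aname}={value[:40]}"))
            elif aname == "href":
                scheme = value.split(":", 1)[0].lower() if ":" in value else ""
                if scheme in ("javascript", "data", "vbscript"):
                    findings.append(("active-href", f"{scheme}: URI on <{name}>"))
                elif ARCHIVE_RE.search(value):
                    findings.append(("archive-link", value))
    return findings

# Constructed sample resembling the lure: decoy text, archive link, script.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <text x="10" y="20">Please wait, your document is loading...</text>
  <a xlink:href="https://example.invalid/ergosystem.zip"><rect width="1" height="1"/></a>
  <script>/* constructed placeholder; a real lure would redirect or drop a file here */</script>
</svg>"""
```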
Double Threat of Data Theft and Hijacking
According to FortiGuard Labs’ blog post, CountLoader delivers two dangerous payloads: Amatera Stealer and PureMiner. Researchers explained in a report shared exclusively with Hackread.com that the PureMiner cryptominer is delivered through DLL sideloading from ergosystem.zip, while the Amatera Stealer is deployed by a malicious Python script found in smtpB.zip.

Amatera Stealer is an information stealer that first collects basic system details (computer name, OS version, and username) along with the current clipboard contents. It then aggressively harvests saved data, including credentials and files, from the Firefox and Chrome browsers, chat apps such as Telegram and Discord, and programs such as Steam, FileZilla, and AnyDesk. It also targets files belonging to major desktop crypto wallets, including BitcoinCore, Exodus, Atomic, and Electrum, and can search up to five folders deep to find them.
PureMiner, by contrast, is a cryptominer that first profiles the victim’s hardware in detail, including the video card specifications. Once installed, it silently uses the victim’s own computing power, both CPU and GPU, to mine cryptocurrency for the criminals’ financial benefit.
The overall impact of this attack is rated High severity because it enables remote control, data theft, and resource hijacking. Given this threat, users are urged to maintain strong security awareness: avoid opening unexpected attachments, and always verify urgent, unsolicited requests through a separate trusted channel before clicking any links.