Ukraine Hackers Attacking Russian Aerospace Companies and Other Defence-Related Sectors

Ukraine-linked hackers are stepping up cyberattacks against Russian aerospace and wider defence-related companies, using new custom malware to steal designs, schedules, and internal emails.

The campaign targets both prime contractors and smaller suppliers, aiming to map production chains and expose weak points in Russia’s war industry. The tools used in this campaign are simple, but they are used with care and good planning.

Defaced homepage of KrasAvia’s website (Source - Intrinsec)

The malware first appeared in late 2024 in spear-phishing waves sent to engineers and project managers working on avionics, guidance systems, and satellite links.

Lures used fake job offers, conference invites, and contract updates, with attached documents that exploited outdated office software on Windows hosts. Once opened, the file quietly dropped a small loader that set the stage for the main payload.

Intrinsec security analysts identified the malware after seeing repeated outbound traffic from a defence integrator’s remote office to rare command servers hosted on bulletproof infrastructure.

Their complete technical breakdown shows that the attackers carefully tuned each payload to the victim’s role, adding custom modules for email scraping, document theft, and credential capture.

Content of the email (left), and the phishing page (right) (Source - Intrinsec)

The operation hits research labs, testing ranges, and logistics firms that support aircraft, drones, and missile systems. Stolen data can reveal parts shortages, delivery delays, and software bugs, giving Ukrainian planners a clearer view of Russian combat readiness.

Infection chain and command execution

The infection chain is simple but smart. The first loader, often a small DLL, runs in memory only and pulls a second-stage script from a hard-coded URL.

That script injects the final payload into a trusted process such as explorer.exe, which helps it blend with normal user activity.

Intrinsec researchers noted that the payload uses a compact command loop to stay flexible. A typical routine, as seen in memory dumps, looks like this (simplified pseudocode):

/* command loop reconstructed from memory dumps; polls the operator for the next instruction */
while (connected) {
  cmd = recv();                      /* block until the command server answers */
  if (cmd == "exfil") run_exfil();   /* silent document and email theft */
  if (cmd == "shell") open_shell();  /* hands-on keyboard control */
}

This simple logic lets the operator switch between silent data theft and hands-on keyboard control. Each stage is built to keep noise low on the host.

Despite its clear design, the malware avoids noisy persistence tricks, instead relying on scheduled tasks and hijacked update tools to return after reboots while staying hard to spot.
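Intrinsec spotted the intrusion through repeated outbound traffic from one office to rare command servers, which is exactly the pattern a polling command loop like the one above produces. As an added example (not code from Intrinsec's report or from the malware), the following Python script applies that idea to constructed proxy log lines: it flags host/destination pairs where the destination is contacted by almost no other hosts and the connections arrive at a near-regular interval. Host names, the address 203.0.113.50, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not from the report): timestamp, source host, destination.
SAMPLE_LOG = """\
2024-11-04T09:00:00 eng-ws12 203.0.113.50
2024-11-04T09:00:01 eng-ws12 updates.example.com
2024-11-04T09:05:00 eng-ws12 203.0.113.50
2024-11-04T09:10:00 eng-ws12 203.0.113.50
2024-11-04T09:15:01 eng-ws12 203.0.113.50
2024-11-04T09:20:00 eng-ws12 203.0.113.50
2024-11-04T09:02:00 pm-ws03 updates.example.com
2024-11-04T09:33:00 pm-ws03 mail.example.com
2024-11-04T09:41:00 eng-ws12 mail.example.com
"""

def parse(log):
    """Turn each log line into (timestamp, source host, destination)."""
    events = []
    for line in log.strip().splitlines():
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events

def find_beacons(log, min_hits=4, max_src=1, max_jitter=0.2):
    """Return {(src, dst): interval_seconds} for pairs that look like beaconing:
    the destination is contacted by at most `max_src` hosts (rare), the pair has at
    least `min_hits` connections, and the gaps between them are nearly regular."""
    by_pair = defaultdict(list)
    src_per_dst = defaultdict(set)
    for ts, src, dst in parse(log):
        by_pair[(src, dst)].append(ts)
        src_per_dst[dst].add(src)
    hits = {}
    for (src, dst), times in by_pair.items():
        if len(src_per_dst[dst]) > max_src or len(times) < min_hits:
            continue  # popular destination or too few contacts to judge
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # low relative spread of the gaps = machine-driven polling, not a person browsing
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[(src, dst)] = round(avg)
    return hits

if __name__ == "__main__":
    for (src, dst), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: ~{interval}s beacon interval")
```

Raising `max_src` or loosening `max_jitter` trades false negatives for false positives; tune them against a baseline of the site's normal traffic before alerting on the output.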
