CrescentImp Malware Targets Ukraine’s Media Organisations



Things are still difficult in war-torn Ukraine, and the situation is severe. As the country's struggle against Russia approaches its 100th day, a new cyber threat has arrived at its doorstep.


Ukraine’s CERT has issued a malware alert.

CERT-UA has published information about a new malware campaign that primarily targets Ukrainian media organisations.

The goal of the hackers is to use the recently discovered Follina vulnerability (CVE-2022-30190) to infect victims’ computers with CrescentImp malware.

What harm may CrescentImp cause you?

CrescentImp malware can collect valuable information from affected computers and provide its controllers with a backdoor via which they can download further malware.

CERT-UA, which is tracking this malicious campaign as UAC-0113, links it to the Russia-linked Sandworm advanced persistent threat group with medium confidence.

Who are the intended victims?

The campaign targets Ukrainian radio stations, newspapers, news agencies, and other media outlets, and is delivered through malicious emails with a document attached.

What is the mechanism of infection?

CVE-2022-30190 affects the Microsoft Windows Support Diagnostic Tool (MSDT). It lets a remote attacker run arbitrary shell commands on the target machine.

When a victim opens the page, JavaScript code is executed and an HTML file is downloaded to the victim’s workstation.

The CrescentImp malware EXE file called “2.txt” is downloaded and launched by the code.

Because this malware is still in its early stages, determining its capabilities is challenging. According to the CERT-UA team, the campaign targeted over 500 email addresses.
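As an added example (not from CERT-UA or the original article), the Python code below shows how a defender could flag the process-creation patterns this infection chain leaves behind: MSDT started by an Office application or carrying an embedded command in its parameters, and a running image with a data-file extension such as "2.txt". The Sysmon-style field names, the list of Office parent processes, the extension list and the sample events are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: events use Sysmon Event ID 1 (process creation) field names.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
NON_EXEC_EXT = {".txt", ".log", ".jpg", ".png", ".pdf"}
MSDT_URI = re.compile(r"ms-msdt:", re.I)
# PowerShell-style $( ... ) subexpression inside the IT_BrowseForFile parameter
EMBEDDED_CMD = re.compile(r'IT_BrowseForFile=[^\s"]*\$\(', re.I)

def classify(event):
    """Return the list of findings for one process-creation event."""
    image = PureWindowsPath(event.get("Image", ""))
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    cmd = event.get("CommandLine", "")
    findings = []
    if image.name.lower() == "msdt.exe":
        if parent in OFFICE_PARENTS:
            findings.append("msdt-child-of-office")
        if MSDT_URI.search(cmd) and EMBEDDED_CMD.search(cmd):
            findings.append("msdt-embedded-command")
    # A running image named like a data file, e.g. the EXE saved as "2.txt"
    if image.suffix.lower() in NON_EXEC_EXT:
        findings.append("image-has-data-extension")
    return findings

def scan(events):
    """Return {event index: findings} for events with at least one finding."""
    results = {i: classify(ev) for i, ev in enumerate(events)}
    return {i: found for i, found in results.items() if found}

# Constructed sample events (paths and command lines are illustrative only)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": 'msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param '
                    '"IT_BrowseForFile=$(REDACTED)"'},
    {"Image": r"C:\Users\Public\2.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\Public\2.txt"},
    {"Image": r"C:\Windows\System32\msdt.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msdt.exe /id PCWDiagnostic"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\Public\2.txt"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

The last two sample events are benign look-alikes (MSDT started from Explorer, Notepad opening a file named 2.txt) and produce no findings.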

Have there been any other assaults like this?

Earlier this month, the researchers discovered a malicious operation that infected Ukrainian government entities’ networks with the Cobalt Strike Beacon malware by exploiting two Windows zero-day vulnerabilities, including CVE-2022-30190.



Normal life in Ukraine has taken a significant battering after more than three months of war, and malware assaults like CrescentImp will only add to the country’s struggle to remain afloat in the face of Russia’s persistent onslaught.

