Malicious SVG Files Used in Phishing to Spread Crypto Malware

Sophisticated Phishing Campaign Targets Ukraine with Fileless Malware and Cryptocurrency Miners

  • Attackers use phishing emails pretending to be Ukrainian government agencies to deliver malware.
  • Malicious SVG attachments start a download chain leading to remote access trojans and cryptocurrency mining tools.
  • The main malware families involved are CountLoader, Amatera Stealer, and PureMiner, with CountLoader acting as a delivery tool.
  • Malware is developed and spread by a group known as PureCoder, offering products like PureRAT and PureMiner.
  • Researchers highlight growing sophistication in these attacks, including fileless malware that evades detection.

On September 26, 2025, researchers identified a phishing campaign targeting Ukrainian government agencies. Attackers sent emails mimicking official messages from the National Police of Ukraine. The aim was to infect systems with malware used to steal data and mine cryptocurrency.

According to a report by Fortinet FortiGuard Labs, the emails contained malicious SVG (Scalable Vector Graphics) attachments. When opened, these files downloaded a password-protected ZIP archive. The ZIP included a Compiled HTML Help (CHM) file, which, when activated, triggered a series of steps leading to the deployment of the CountLoader malware.

CountLoader then delivered two main threats: Amatera Stealer, designed to steal information, and PureMiner, used for illegal cryptocurrency mining. The same campaign used various tools linked to a developer known as PureCoder, who also created malware like PureRAT, PureHVNC RAT, and PureClipper, among others. These programs can allow remote control of infected devices, steal saved information, or redirect cryptocurrency transactions.

Researchers noted that both Amatera Stealer and PureMiner operate as fileless malware, meaning they run without leaving files on a computer’s hard drive. Instead, they execute directly in a computer’s memory. They are started through techniques like .NET Ahead-of-Time (AOT) compilation and process hollowing, or are loaded into memory using Python-based tools.

Amatera Stealer looks for certain files and collects data from popular web browsers and applications like Steam, Telegram, and FileZilla, as well as various cryptocurrency wallets. “This phishing campaign demonstrates how a malicious SVG file can act as an HTML substitute to initiate an infection chain,” Fortinet said. The SVG code led users to a site that triggered further downloads.
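
One way a mail gateway or analyst could triage SVG attachments for the HTML-like behaviour described above. This is an added example, not code from the Fortinet report; the `triage_svg` function, the finding labels and both sample files are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

ACTIVE_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}
REMOTE = re.compile(r"^\s*(https?:|//|javascript:|data:text/html)", re.I)

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1].lower()

def triage_svg(data: bytes) -> list[str]:
    """Return findings that make an SVG attachment behave like an HTML page."""
    # Refuse to parse entity declarations: avoids entity-expansion bombs.
    if re.search(rb"<!ENTITY", data, re.I):
        return ["entity-declaration (not parsed)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed-xml"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"active-element:{tag}")
        if tag == "meta" and el.get("http-equiv", "").lower() == "refresh":
            findings.append("meta-refresh")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.startswith("on"):            # onload, onclick, ...
                findings.append(f"event-handler:{attr}")
            elif attr in URL_ATTRS and REMOTE.match(value):
                findings.append(f"remote-link:{tag}")
    return findings

# Constructed samples: a plain image and an SVG carrying HTML-style active content.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="9" height="9" fill="#06c"/></svg>'
LURE = b'''<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="void(0)">
  <a xlink:href="https://portal.example.invalid/notice"><text y="20">Open</text></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <meta http-equiv="refresh" content="0;url=https://portal.example.invalid/"/>
    </body>
  </foreignObject>
  <script>/* constructed placeholder */</script>
</svg>'''

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("lure", LURE)):
        print(label, triage_svg(sample))
```

Any non-empty result is a reason to quarantine or rewrite the attachment, since a static image needs none of these features.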

In a related development, security firm Huntress discovered a group likely based in Vietnam using similar phishing methods targeting recipients with supposed copyright notices. This campaign also used ZIP files, which installed PXA Stealer and eventually PureRAT through several layers of hidden loaders and credential theft.

“This campaign demonstrates a clear and deliberate progression, starting with a simple phishing lure and escalating through layers of in-memory loaders, defense evasion, and credential theft,” said security researcher James Northey in his report. The attacks show a move from basic techniques to more advanced methods using modular, commercial malware.

For further details, see the full Fortinet FortiGuard Labs report.
