UAC-0200: Espionage against the defense-industrial complex using DarkCrystal RAT (CERT-UA#14045)

10.04.2025 09:17

The government computer emergency response team CERT-UA has recorded numerous cases of targeted cyberattacks against both employees of defense-industrial complex enterprises and individual representatives of the Defense Forces of Ukraine.

During March 2025, the distribution of messages containing archives that allegedly hold a report on the results of a meeting was detected in the Signal messenger. In some cases, to increase trust, such messages are sent from persons on the recipient's existing contact list whose accounts have been compromised in advance.

As a rule, the mentioned archives contain a file with the extension ".pdf", as well as an executable file classified as DarkTortilla, which is a cryptor/loader software tool, the purpose of which is to decrypt and launch (including by injection) the Dark Crystal RAT (DCRAT) remote control software tool.
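As an added defender-side example, not part of the CERT-UA advisory, the following Python check inspects an archive and flags the pairing described above: a document with a ".pdf" extension delivered alongside a file that is a Windows executable by its MZ header, whatever its name. It assumes the archive is a ZIP file (the advisory does not name the archive format), and the sample archives are constructed inline.

```python
import io
import zipfile

# Decoy document extension named in the advisory; the executable is detected by
# its first two bytes (MZ, the DOS/PE header marker), not by its extension.
DOC_EXT = (".pdf",)
PE_MAGIC = b"MZ"


def inspect_archive(data: bytes) -> dict:
    """Return document names, executable names (by magic bytes) and a verdict."""
    docs, executables = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if name.lower().endswith(DOC_EXT):
                docs.append(name)
            with zf.open(info) as fh:
                head = fh.read(2)          # only the header is needed
            if head == PE_MAGIC:
                executables.append(name)
    return {
        "documents": docs,
        "executables": executables,
        # A PE whose name ends in .pdf is an extension mismatch worth noting.
        "mismatched": [n for n in executables if n.lower().endswith(DOC_EXT)],
        # The lure pattern: a decoy document packed next to an executable.
        "suspicious": bool(docs) and bool(executables),
    }


def build_sample_archive() -> bytes:
    """Constructed sample: a tiny 'report' PDF next to a fake PE (MZ header only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meeting_report.pdf", b"%PDF-1.4\n%constructed sample\n")
        zf.writestr("meeting_report.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control: the same decoy document with no executable beside it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("meeting_report.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_archive(build_sample_archive()))
    print(inspect_archive(build_benign_archive()))
```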

We remind you that this activity has been tracked by the identifier UAC-0200 since at least the summer of 2024. At the same time, starting from February 2025, the content of the decoy messages concerns UAVs, electronic warfare equipment, etc.

The use of popular messengers, both on mobile devices and on computers, significantly expands the attack surface, including by creating uncontrolled (in the context of security measures) information exchange channels.

Therefore, we urge you to be vigilant, and in case of receiving such messages, please immediately inform CERT-UA by all available means.

Source: https://cert.gov.ua/article/6282737

