The Computer Emergency Response Team of Ukraine (CERT-UA) warns that the threat actor UAC-0125 abuses Cloudflare Workers services to target the Ukrainian army with malware.
The threat actor UAC-0125 exploits Cloudflare Workers to spread malware disguised as the Army+ mobile app from Ukraine's Ministry of Defence.
Visitors to the malicious websites are prompted to download an executable file which, when run, opens a decoy file and launches a PowerShell script that sets up covert SSH access for the attackers via Tor.
The UAC-0125 activity is linked to the UAC-0002 cluster (Sandworm/APT44), and previous attacks used trojanized Microsoft Office files for deeper intrusions.