Pierluigi Paganini March 20, 2025

CERT-UA warns of a cyber campaign using Dark Crystal RAT to target Ukraine’s defense sector, including defense industry employees and Defense Forces members.

The Computer Emergency Response Team of Ukraine (CERT-UA) uncovered a new cyber espionage campaign targeting employees of defense-industrial complex enterprises and representatives of the Defense Forces of Ukraine with Dark Crystal RAT.

In March 2025, threat actors distributed archived messages through Signal. The archive contains a fake PDF report and DarkTortilla malware, which acts as a launcher for the Dark Crystal RAT (DCRat). The Ukrainian government experts noticed that some messages were sent from compromised contacts to increase trust.

“Typically, the mentioned archives contain a file with the extension “.pdf”, as well as an executable file classified as DarkTortilla, which is a cryptor/loader type software tool, the purpose of which is to decrypt and launch (including by injection) the Dark Crystal RAT (DCRAT) remote control software tool.” reads the report published CERT-UA.

CERT-UA published Indicators of Compromise (IoCs) for the ongoing campaign.

CERT-UA’s report states that the UAC-0200 activity has been tracked since summer 2024, with recent decoy messages (since February 2025) focusing on UAVs and electronic warfare. The use of popular instant messaging apps on both mobile and desktop devices broadens the attack surface, creating uncontrolled information exchange channels that bypass security measures.

DCRat first appeared in the threat landscape in 2018, but a year later it was redesigned and relaunched.

DCRat is written in .NET and has a modular structure, affiliates could develop their own plugins by using a dedicated integrated development environment (IDE) called DCRat Studio.

The modular architecture of the malware allows to extend its functionalities for multiple malicious purposes, including surveillance, reconnaissance, information theft, DDoS attacks, and arbitrary code execution.

The DCRat consists of three components:

• A stealer/client executable
• A single PHP page, serving as the command-and-control (C2) endpoint/interface
• An administrator tool

In June 2022, the Governmental Computer Emergency Response Team of Ukraine (CERT-UA) warned of another malware campaign targeting Ukrainian telecommunications operators with the DarkCrystal RAT.

The malspam messages had the topic “Free primary legal aid” use a password-protected attachment “Algorithm of actions of members of the family of a missing serviceman LegalAid.rar.”

The RAR archive analyzed by the Ukrainian CERT-UA contains the document “Algorithm_LegalAid.xlsm.” Upon opening the document and enabling the macro, a PowerShell command will be executed. The script will download and run the .NET bootloader “MSCommondll.exe,” which in turn will download and run the malware DarkCrystal RAT.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ukraine)