Check Point warns of false documents in Russia-Ukraine war

BEC-Phishing-Kampagne stiehlt Office 365-Anmeldedaten und umgeht Multifaktor Authentifizierung

Phishing bait with malware for cyber espionage

Hacker groups disguise their spear-phishing emails as news articles, job postings and official-looking documents to spread cyber-espionage malware to banks, government agencies and energy suppliers. The previous targets are located in five countries. Check Point Research presents the three groups responsible for the attacks.

After hackers recently misused alleged donation campaigns for victims of the Ukraine war for their own financial gain, Check Point Research (CPR), the research department of Check Point Software Technologies, has once again observed cyber attacks in the context of the conflict.

The perpetrators sent malware to organizations in five countries as part of so-called spear phishing campaigns: a phishing email tailored to the recipient, which seems to come from a trustworthy source and usually contains a link or a file with malicious content. Behind the attacks are APT groups that represent advanced persistent threats, i.e. an ongoing threat. They usually target confidential corporate or government documents over a longer period of time in order to steal sensitive information and use malware specially tailored to the victims’ IT structures to gain access.

In a new report, CPR introduces three APT groups, named El Machete, Lyceum and SideWinder, who conducted spear phishing campaigns against victims in five countries. So far, the targets include institutions and companies in Nicaragua, Venezuela, Israel, Saudi Arabia and Pakistan. So far, the target has been institutions from the government, financial and energy sectors. Depending on the target and region, the attackers use various deception maneuvers, ranging from official-looking documents to news articles and job postings. When examining the bait documents, CPR found various malware capable of keylogging, screenshots and command execution. The security experts believe that the motivation behind these recent espionage actions is to steal sensitive information from governments, banks and electricity suppliers. They emphasize that the locations of the hackers and their victims are not limited to one region, but extend worldwide, including Latin America, the Middle East and Asia.

Sergey Shykevich, Threat Intelligence Group Manager at Check Point, explains: “We are currently observing a large number of APT campaigns that exploit the war to spread malware. The campaigns are targeted, sophisticated and focus on victims in the government, financial and energy sectors. In our new report, we present three APT groups that we caught conducting these Spear phishing campaigns. We have carefully examined the malware used and found spyware programs that can handle keylogging and screenshoting, among other things.“

CPR investigated the malware used by the ATP groups, which is used specifically for these cyber espionage activities. Methods include:

  • Keylogging: Records everything that is typed using the keyboard.
  • Credential Collection: Collects credentials stored in Chrome and Firefox browsers.
  • File Collection: Collects information about the files on each drive and captures file names and file sizes to enable the theft of certain files.
  • Screenshoting: Records the current screen content of the user via screenshots.
  • Collection of data from the clipboard.
  • Execution of commands.

The different groups differed not only in the goals they aimed at. They also used different types of malware, which are designed to extract hot information in different ways and through specifically selected weak points. Here is a summary of the attack methods of the respective ATP group:

El Machete

  1. Spear-phishing e-mail with text about Ukraine will be sent to the destination.
  2. A Word document with an article about Ukraine is attached to the message.
  3. A malicious macro inside the document places a number of files.
  4. Malware is downloaded to the PC.


  1. Sending an e-mail with content about war crimes in Ukraine, including a link to a malicious document stored on a website.
  2. The document executes a macro code when it is closed.
  3. An EXE file is saved on the PC.
  4. The next time the PC restarts, the malware will run.


  1. The victim opens a contaminated document.
  2. When it is opened, the document retrieves a template from a prepared server.
  3. The downloaded external template is an RTF file that exploits the vulnerability CVE-2017-11882.
  4. The malware ends up on the victim’s PC.

El Machete

El Machete was discovered while sending spear phishing emails to financial institutions in Nicaragua. The mail was accompanied by a Word document entitled “Dark Plans of the neo-Nazi regime in Ukraine”. It included an article allegedly written and published by Alexander Khokholikov, the Russian ambassador to Nicaragua, which allegedly discusses the Russian-Ukrainian conflict from the Kremlin’s point of view.


In mid-March, an Israeli energy company received an e-mail from the address inews-reporter[at] with the subject “Russian war crimes in Ukraine”. The email included some images from public media and a link to an article on the domain news was released live. The link in the email leads to a document containing the article “Researchers gather evidence of possible Russian war crimes in Ukraine” published by The Guardian. On the same domain there are several other contaminated documents related to Russia and the war, such as a copy of a 2020 Atlantic Council article on Russian nuclear weapons and a job advertisement for an “extraction / protective agent” in Ukraine.


The malicious document from Sidewinder, which also exploits the Russia-Ukraine war, was uploaded to VirusTotal (VT) in mid-March. Judging by its content, the intended targets are Pakistani institutions; the bait document contains the document of the National Institute of Maritime Affairs of Bahria University in Islamabad and is entitled “Focused talk on Russian Ukraine Conflict Impact on Pakistan”. This malicious document uses Remote Template Injection. When it is opened, the document retrieves a remote template from the attackers’ server.

Sergey Shykevich concludes by commenting on the findings of CPR’s security experts: “I am firmly convinced that the core motivation of these campaigns is espionage. I strongly recommend governments, banks and energy companies to re-sensitize their employees to the issue of IT security and implement security solutions that protect the network at all levels.”

Tech Outsourcing | Dedicated Software Team

Ready to see us in action:

More To Explore
Enable registration in settings - general
Have any project in mind?

Contact us: