Over 100 Ukrainian computers infected with backdoor malware, researchers say
2024-8-13 21:16:26 Author: therecord.media

Ukrainian researchers have discovered a phishing campaign targeting local state agencies with remote-access malware. 

To gain access to the victim's system, the hackers disguise the malicious emails as official requests from Ukraine’s security service (SBU). The emails contain a .zip file that, once opened, launches malware the researchers are calling ANONVNC.

The backdoor malware is based on open-source remote management code called MeshAgent, according to Ukraine’s computer emergency response team (CERT-UA). 

CERT-UA tracks the threat actor behind this campaign as UAC-0198 but hasn’t provided any details about its origins.

Since July 2024, the group has infected more than 100 computers with the malware, including those used by state agencies, CERT-UA said. Researchers suggested that the geography of the attacks "could be broader."

The report didn’t specify the goal of the campaign or if the hackers caused any damage to their victims’ computers. CERT-UA stated that it "has taken urgent measures" to reduce the probability of further attacks on systems infected with ANONVNC.

According to an analysis by the cybersecurity firm Malwarebytes, MeshAgent can infiltrate systems in different ways, most often as a result of email campaigns containing malicious macros. MeshAgent is associated with another remote-management tool, MeshCentral.

Earlier in July, Ukrainian researchers reported discovering an information-stealing campaign targeting readers of Ukraine’s most popular news website, Ukr.net. In this campaign, the threat actor tracked as UAC-0102 created a fake version of the website to collect users' personal information and infect their systems with malware.

In another campaign in July, a suspected Belarusian state-sponsored hacker group, GhostWriter, targeted Ukrainian organizations and local government agencies with PicassoLoader malware. Researchers believe the group may be interested in Ukraine’s financial and economic indicators, taxation, as well as the reform of local self-government bodies.

Article source: https://therecord.media/ukraine-computers-backdoor-cert-ua-anonvnc