Suspected Russian hackers have been targeting Ukrainian military and defense enterprises in a new espionage campaign, according to a new report. The threat actor behind the campaign, tracked as UAC-0185 by Ukraine’s military computer emergency response team (MIL.CERT-UA), sent phishing emails disguised as invitations to a legitimate defense conference that took place in Kyiv last week.

The group, also known as UNC4221, has been active since at least 2022, primarily targeting Ukrainian military personnel by stealing credentials through messaging apps such as Signal, Telegram and WhatsApp, as well as through local military systems like Delta, Teneta and Kropyva. In addition to account compromises, the attackers are selectively carrying out cyberattacks to gain unauthorized remote access to the computers of employees within Ukraine's defense-industrial complex and defense forces, according to MIL.CERT-UA.

Ukraine hasn’t attributed the group to a specific country, but researchers have previously linked UNC4221 to Russia. The group’s tactics and goals align with those that Moscow-backed hackers commonly employ.

The group employs well-known tools to infect its victims’ devices, including MeshAgent and UltraVNC, open-source software used to remotely manage computer systems. Earlier in August, the threat actor tracked as UAC-0198 used backdoor malware based on MeshAgent to infect over 100 Ukrainian state computers. According to an analysis by the cybersecurity firm Malwarebytes, MeshAgent can infiltrate systems in different ways, most often as a result of email campaigns containing malicious macros. UltraVNC can also be abused by hackers to gain control over the targeted system and install backdoors.

Ukrainian military and defense enterprises are common targets for hackers, usually with links to Russia.
Earlier in July, the threat actor tracked as UAC-0180 attempted to gain access to the systems of Ukrainian defense companies using malicious emails disguised as drone procurement contracts. In a campaign in June, the group known as Vermin attacked Ukrainian armed forces with Spectr malware to steal sensitive information from their devices. In the same period, researchers warned of attacks on Ukraine’s Ministry of Defence by the Belarusian state-sponsored hackers known as Ghostwriter. Earlier, CERT-UA also warned about cyberattacks against Ukrainian military personnel and defense services using DarkCrystal malware, which could allow attackers to gain remote access to a victim’s device.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.