Date: 09/29/2025
Severity: High
Summary
A recent phishing campaign targeting Ukraine uses malicious SVG files disguised as official government communication. When opened, the SVG file downloads a password-protected archive containing a CHM file, which triggers a chain of malware execution via HTA CountLoader. The attackers deploy Amatera Stealer and PureMiner as fileless malware, using techniques like .NET AOT compilation, process hollowing, and in-memory execution via PythonMemoryModule to avoid detection. These tools are used to steal data and mine cryptocurrency on infected systems.
Indicators of Compromise (IOC) List
IOC Type | Value(s)
URL/Domain | npulvivgov.cfd, ms-team-ping.com, azure-expresscontainer.com, acqua-tecnica.it, phuyufact.com, amaprox.click, ama0899.shop
IP Address | 109.176.207.110
SHA-256 Hash | bcce8115784909942d0eb7a84065ae2cd5803dc9c45372a461133f9844340436
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | domainname like "phuyufact.com" or siteurl like "phuyufact.com" or url like "phuyufact.com" or domainname like "npulvivgov.cfd" or siteurl like "npulvivgov.cfd" or url like "npulvivgov.cfd" or domainname like "acqua-tecnica.it" or siteurl like "acqua-tecnica.it" or url like "acqua-tecnica.it" or domainname like "ms-team-ping.com" or siteurl like "ms-team-ping.com" or url like "ms-team-ping.com" or domainname like "azure-expresscontainer.com" or siteurl like "azure-expresscontainer.com" or url like "azure-expresscontainer.com" or domainname like "amaprox.click" or siteurl like "amaprox.click" or url like "amaprox.click" or domainname like "ama0899.shop" or siteurl like "ama0899.shop" or url like "ama0899.shop"
Detection Query 2 | dstipaddress IN ("109.176.207.110") or srcipaddress IN ("109.176.207.110")
Detection Query 3 | sha256hash IN ("61fee7e2012919fafc3b47b37753ff934f7a0ca2a567dca5f15d45ab55ae2211","9cbb497f0878a073504d3699cfbd86a816c7941234729631722d010f6ecd09f5","7f505f8a947715ae954e5eb93e9e1911843dc2c16462a146e5658e4101cedc0e","27c9c4e200815a9f474126afa05d4266bc55aafa9df0681a333267e4bbd101de","7deb9e6398c92cf01502f32a78c16f55354dcf3d2b062918f6651852742bc7cd","c62fe8d6c39142c7d8575bd50e6f2fcd9f92c4f0a1a01411d0f3756a09fd78a7","bcce8115784909942d0eb7a84065ae2cd5803dc9c45372a461133f9844340436","c25e4bd9e8d49f3beef37377414028b07986dacce5551f96038b930faf887acc","9d2a88f7f4d6925e654ee3edcd334eb9496a279ee0c40f7b14405b35500ebf99","bf9e6bee654831b91e891473123bbd9bc7ff3450471e653c7045f5bd8477d7a1","b8fb772d92a74dcd910ac125ead1c50ce5834b76f58e7f107bb1e16b8c16adbb","2bd4df59071409af58d0253202b058a6b1f1206663236dea5163e7c30a055f21","d71148d7e64f2a3464488d696ac2312987eb4e8008c9a62956388d39905c865f")
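The three detection queries above, re-implemented in Python as an added example (not Gurucul's own code) so the IOC logic can be checked offline against constructed sample events. It assumes that the query language's `like` behaves as a case-insensitive substring match and `IN (...)` as set membership; the hash set is a subset of the SHA-256 values listed in Detection Query 3.

```python
# Added example: offline version of Detection Queries 1-3 over sample events.
# Assumptions: `like "x"` == case-insensitive substring match; `IN (...)` ==
# exact membership (hashes are lower-cased before comparison).

DOMAIN_IOCS = ("npulvivgov.cfd", "ms-team-ping.com", "azure-expresscontainer.com",
               "acqua-tecnica.it", "phuyufact.com", "amaprox.click", "ama0899.shop")
IP_IOCS = {"109.176.207.110"}
HASH_IOCS = {  # subset of the SHA-256 values from Detection Query 3
    "bcce8115784909942d0eb7a84065ae2cd5803dc9c45372a461133f9844340436",
    "61fee7e2012919fafc3b47b37753ff934f7a0ca2a567dca5f15d45ab55ae2211",
    "9cbb497f0878a073504d3699cfbd86a816c7941234729631722d010f6ecd09f5",
    "7f505f8a947715ae954e5eb93e9e1911843dc2c16462a146e5658e4101cedc0e",
}

def query1_domain(event):
    """Query 1: domainname, siteurl or url contains one of the IOC domains."""
    for field in ("domainname", "siteurl", "url"):
        value = str(event.get(field, "")).lower()
        if value and any(d in value for d in DOMAIN_IOCS):
            return True
    return False

def query2_ip(event):
    """Query 2: destination or source IP equals the IOC address."""
    return any(event.get(f) in IP_IOCS for f in ("dstipaddress", "srcipaddress"))

def query3_hash(event):
    """Query 3: sha256hash is one of the listed sample hashes."""
    return str(event.get("sha256hash", "")).lower() in HASH_IOCS

def match_event(event):
    """Return the names of the queries that fire for a single event."""
    checks = (("Query1-domain", query1_domain), ("Query2-ip", query2_ip),
              ("Query3-hash", query3_hash))
    return [name for name, fn in checks if fn(event)]

def scan(events):
    """Map event index -> list of fired queries; clean events are omitted."""
    return {i: hits for i, e in enumerate(events) if (hits := match_event(e))}

# Constructed sample events using the field names the queries reference.
SAMPLE_EVENTS = [
    {"url": "https://npulvivgov.cfd/doc.svg", "srcipaddress": "10.0.0.5"},
    {"dstipaddress": "109.176.207.110", "url": "http://109.176.207.110/x"},
    {"sha256hash": "BCCE8115784909942D0EB7A84065AE2CD5803DC9C45372A461133F9844340436"},
    {"domainname": "example.org", "dstipaddress": "10.0.0.1"},
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {i}: {', '.join(hits)}")
```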
Reference:
https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer