Ukraine’s Computer Emergency Response Team (CERT-UA) has issued a warning regarding a new campaign targeting the defense sector with the Dark Crystal RAT, also known as DCRat.
This campaign, which was detected earlier this month, targets employees of defense-industrial complex enterprises and individual representatives of the Defense Forces of Ukraine.
The attackers distribute malicious messages through the Signal messaging app, often using previously compromised accounts to increase the likelihood of success. These messages contain supposed meeting minutes and are shared as archive files.
When opened, each archive contains a decoy PDF and an executable. The executable is DarkTortilla, a .NET-based evasive crypter that decrypts and launches the DCRat malware.
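A triage check for the lure structure described above, as an added example that is not from CERT-UA or the original report: it inspects a received archive by content rather than file name and flags a PDF shipped beside a Windows executable, noting whether that executable is a .NET assembly. ZIP as the container format, the function names, and the sample file names are assumptions, and the sample input is constructed.

```python
import io
import struct
import zipfile

CLR_DIR = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR: populated in .NET assemblies

def pe_kind(data: bytes) -> str:
    """Classify by header bytes, not file name: 'dotnet', 'native' or ''."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        return ""
    try:
        opt = pe_off + 24  # skip 4-byte signature + 20-byte COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]  # PE32 / PE32+
        count = struct.unpack_from("<I", data, dirs - 4)[0]
        rva, size = struct.unpack_from("<II", data, dirs + 8 * CLR_DIR)
    except (struct.error, KeyError):
        return "native"  # PE signature present, headers truncated or unusual
    return "dotnet" if count > CLR_DIR and rva and size else "native"

def triage_archive(blob: bytes) -> dict:
    """List PDFs and PE files in a ZIP; flag a PDF shipped beside a PE."""
    report = {"pdf": [], "native": [], "dotnet": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                head = fh.read(4096)  # headers only; avoids inflating whole members
            if head.startswith(b"%PDF-"):
                report["pdf"].append(info.filename)
            elif kind := pe_kind(head):
                report[kind].append(info.filename)
    report["suspicious"] = bool(report["pdf"] and (report["native"] or report["dotnet"]))
    return report

def build_sample(dotnet: bool = True) -> bytes:  # constructed test input
    pe = bytearray(0x40 + 24 + 96 + 16 * 8)  # header-only PE32 stub, not runnable
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)       # e_lfanew
    struct.pack_into("<H", pe, 0x58, 0x10B)      # optional header magic (PE32)
    struct.pack_into("<I", pe, 0x58 + 92, 16)    # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", pe, 0x58 + 96 + 8 * CLR_DIR, 0x2008, 0x48)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("minutes.pdf", b"%PDF-1.7\n% constructed decoy\n")
        zf.writestr("attachment.bin", bytes(pe))
    return out.getvalue()
```

A hit means only that the archive pairs a document with an executable; it does not identify the payload, and password-protected archives need to be handled separately.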
DCRat is a well-documented remote access trojan (RAT) that allows the execution of arbitrary commands, steals valuable information, and establishes remote control over infected devices.
CERT-UA attributes this activity to the threat cluster UAC-0200, which has been active since at least summer 2024.
According to CERT-UA, “the use of popular messengers significantly expands the attack surface, including due to the creation of uncontrolled information exchange channels.”
This development comes after Signal allegedly stopped responding to requests from Ukrainian law enforcement regarding Russian cyber threats, as reported by The Record.
Ukraine’s National Security and Defense Council deputy secretary, Serhii Demediuk, stated, “With its inaction, Signal is helping Russians gather information, target our soldiers, and compromise government officials.”
However, Signal CEO Meredith Whittaker denied the claim, stating, “we don’t officially work with any government, Ukraine or otherwise, and we never stopped. We’re not sure where this came from or why.”
This incident follows reports from Microsoft and Google that Russian cyber actors are increasingly targeting WhatsApp and Signal accounts by exploiting the device linking feature, as Ukrainians have turned to Signal as an alternative to Telegram.