Ukrainian military emails hacked to phish and steal refugee data

Ukrainian military emails hacked to phish and steal refugee data

Threat actors are using the hacked accounts for phishing scams targeting European government officials to steal Ukrainian refugees and supply data.

A newly discovered phishing campaign uses compromised email accounts of Ukraine’s army personnel to steal data from European governments entities. It is worth noting that the email addresses in the discussion are private email accounts of Ukrainian military personnel offered by and

The findings come soon after the State Service of Special Communication and Information Protection of Ukraine issued a warning last week regarding the possibility of phishing attacks against its military officials to steal sensitive private data.

About Asylum Ambuscade

The Sunnyvale-based enterprise security firm, Proofpoint, has disclosed details of a new phishing campaign where nation-state-sponsored threat actors aim to steal the Ukrainian refugee movement and supply related data.

They are targeting European government entities to obtain intelligence information. The campaign was detected on 24 February 2022. The company dubbed the social engineering-based campaign as Asylum Ambuscade.

Malicious Emails Used to Hack Data

In the report, Proofpoint researchers Michael Raggi and Zydeca Cass wrote that threat actors use emails loaded with a malicious macro attachment (XLS file). The content is related to the Emergency Meeting of the NATO Security Council, held on 23 February.

The malicious attachment attempts to download Lua-based malware known as SunSeed. The primary objective of attackers is targeting European government officials responsible for managing transportation, budget/finance allocation, and population movement in Europe.

Ukrainian military emails hacked to phish and steal refugee data
Warnings sent out by Ukrainian authorities

A key aspect of Asylum Ambuscade is that compromised email accounts of Ukrainian military service personnel are used to distribute malware-laced emails onto infected hosts. SunSeed serves as a downloader to establish communications with the attacker-controlled server to extract the next-stage payload.

Possible Perpetrator?

Proofpoint didn’t associate the new phishing campaign with any specific hacking group or threat actor. The company noted in its blog post that the two sets of attacks they observed indicate similarities between the timeline overlaps, phishing lures used in the campaign, and the patterns of victimology with a Belarusian state-backed group known as TA445 (aka UNC1151 and Ghostwriter.

The social engineering lures utilized in this phishing campaign were very timely, following a NATO Security Council meeting on 23rd February 2022 and a news story about a Russian government ‘kill list’ targeting Ukrainians that began circulating in Western media outlets on 21st February 2022.


More security news on

  1. Anonymous hacks Russian TV channels and charging station
  2. DDoS Attack and Data Wiper Malware hit Computers in Ukraine
  3. DDoS attacks cripple government and banking websites in Ukraine
  4. Ex-army admin jailed for 12 years over US military health data theft
  5. Chinese APT group spying on Vietnam military with FoundCore RAT
Related Posts
Baby Got Bots
Read More

Baby Got Bots

This is the first in a series of blog posts “on all things Bot.” From bad to good…