Conflict-Themed Social Engineering Distributes RATs Across Eastern Europe
17 October 2025
By Samantha Clarke and the Mimecast Threat Research Team
- MCTO1025, also referred to as UAC-0050, is a cybercrime group that has run a sustained, year-long campaign against Ukraine, Romania, and Moldova from infrastructure within a single ASN
- Sophisticated social engineering lures impersonate Ukrainian and Russian security services and use airstrike evacuation plans and military mobilization notices as pretexts
- Notable compromise of the Moldovan TV channel TV8's email account in January 2024, used for group self-promotion and disinformation
- Recruitment campaigns offering "safe passage" to Russia, designed to recruit money mules and gather intelligence
- Malware distribution focuses on commodity Remote Access Trojans including QuasarRAT, RemoteUtilities, RemcosRAT, and RuRAT
- Recent campaign evolution includes deployment of the AnonVNC loader through lures impersonating the Security Service of Ukraine (SBU)
Campaign Overview
The Mimecast Threat Research team continues to monitor sustained malicious activity conducted since 2023 by MCTO1025, a cybercrime group that has maintained consistent operations against Ukraine and its neighbours Romania and Moldova. The operation shows a sophisticated understanding of regional geopolitical tensions and leverages conflict-related themes to achieve high victim engagement rates across the targeted populations. MCTO1025 uses a range of social engineering approaches designed to exploit the ongoing conflict and the humanitarian concerns associated with it.
Campaign themes include impersonation of Ukrainian and Russian security services, distribution of fake airstrike evacuation plans, fraudulent military mobilization communications, and offers of safe passage from conflict zones.
Notable Campaigns in 2024
TV8 Moldova Hack
In early January 2024, the email account of Moldovan TV channel TV8 was compromised and used to send mail with the subject 'Press Release from TV8 - Пресс-Релиз от телекомпании TV8', offering an interview with the founder of a hacker group. Translated from the original Russian, the following explanation appeared on mediacritica.md: [TV8's official email was subjected to a cyberattack. The TV channel's comment - Mediacritica]
On the night of January 8-9, the official email of TV8 was subjected to a cyber attack. According to the media outlet, the attackers, on behalf of the TV channel, sent a message to several individuals and agencies, stating that a journalist from the editorial office of the Tv8.md website had interviewed the founder of the hacker group DaVinci Group-DVG8873, which positions itself as an "independent cyber force against Ukraine and NATO countries." In a comment for Mediacritica, TV8 editor-in-chief Mariana Rață noted that this is not the first time that Moldovan media have been subjected to cyber attacks.
According to checks carried out by TV8 technical specialists, the attack was carried out from an IP address managed from a host in Amsterdam, the Netherlands. "The owner of the hosting company is the British company Aeza International LTD, founded by a citizen of Kazakhstan, Marat Timurov. Aeza International is one of the most popular hosting companies in Russia and is presented on several specialized sites as a Russian company. TV8 contacted this company with a request to provide information about the users of the IP address from which the cyber attack was carried out, but we have not received a response yet," said Mariana Rață.
According to the source, "the same night, the e-mail of the state-owned company Moldelectrica was also subjected to a similar cyberattack. The same text message was sent from the corporate mail of Moldelectrica."
Online harassment campaigns, hacking of social media accounts, DDoS (Distributed Denial of Service) attacks or phishing are just some of the digital threats that the press in the Republic of Moldova faces, according to a study published by the Independent Journalism Center. Representatives of several media outlets covered by the study noted that in 2023, especially during August and September, their websites were the target of DDoS attacks, causing blockages that lasted from a few minutes to several hours.
SP.md portal manager Veaceslav Perunov confirmed that the media outlet he manages was subjected to DDoS attacks in August 2023, when several media outlets simultaneously experienced this phenomenon. "The site went down, but not for long. Our server coped," Perunov said. Studio-L portal editor Renata Lupachescu spoke about the attack in September 2023: "We were subjected to a DDoS attack, the site went down and did not work for about four hours, then we solved the problem." In October-November 2023, Nokta.md was subjected to DDoS attacks four or five times, and TV8 was subjected to such attacks three times.
Safe Passage To Russia
Later in January 2024, the group began sending emails impersonating FSB officers and offering 'safe passage' to Russia in exchange for "anonymous completion of tasks for monetary rewards". [Such 'tasking' is almost always associated with the recruitment of money mules.]
AnonVNC Loader
Campaigns conducted in mid-August 2024 disseminated a relatively new loader known as AnonVNC through lures impersonating the Security Service of Ukraine (SBU). CERT-UA later confirmed this activity [https://cert.gov.ua/article/6280345] but assigned it a different classification, despite the similarities to previous campaigns.
Technical analysis shows MCTO1025's preference for commodity malware that provides reliable remote access while keeping a low detection profile. The group's distribution methods include both URL-hosted payloads (archives staged on legitimate file-sharing platforms such as Bitbucket and Google Drive, as the IOCs below show) and split-RAR email attachments, tactical flexibility intended to evade different security controls and maximize successful infections across target environments.
Mimecast Protection
Mimecast has implemented detection capabilities targeting MCTO1025's specific tactics, including analysis of conflict-themed social engineering patterns, commodity RAT distribution methods, and the group's characteristic use of legitimate file-sharing platforms for payload hosting.
Targets
Primarily Ukrainian organizations across all sectors, with secondary targeting of Romanian and Moldovan entities, particularly those in government, media, and critical infrastructure sectors.
Indicators of Compromise (IOCs)
Malicious Domains:
- privat24x[.]com
- gbshost[.]com
- 8161[.]uk (Da Vinci Special Agency homepage)
Malicious URLs:
- hxxps://bitbucket[.]org/ukgas/medoc/downloads/scan_docs_023747_medoc.zip
- hxxps://bitbucket[.]org/privatbank/obmen/downloads/Електронні_акт_094584_Приватбанк24.7z
- hxxps://bitbucket[.]org/filedataup/up/downloads/Документи.zip
- hxxps://bitbucket[.]org/court_gov_ua/files/downloads/Dokumenty.zip
- hxxps://bitbucket[.]org/files_gov_ua/file/downloads/files.7z
- hxxps://drive.google[.]com/file/d/1LesqoxORcvaUbLN2O3KRNEN0z1qRLmFE/vie
- hxxps://drive.google[.]com/file/d/1EipxNQZfEMcr0D0v3bg9VHhhuBQfRKvK/view?usp=drive_link
- hxxps://drive.google[.]com/file/d/1byrqOmYvSFPAlUvw_Uwh8S_ziMC3T7UU/view
- hxxps://drive.google[.]com/file/d/1PD6UgmqTzAqOWjAkp2OBWUWBc5HWDIaS
Malware Samples (SHA256):
- de9f2262970884a7412c3b2fba2cb2fb9329ccf29a94b148ee47c255bff041a9
- ce3445a8bd61a791913bc2cb02bcb3dea9fc340bf1c984c40cb33ab1a91a2953
- 97646017a7fd3778e619e55cc7afd594bdd88df5542f21fc2ec10c88fa23741d
- 20ab498b278b14f3786f634778a04d219c74e9fd8517b98f4aca313c9934b7f2
AnonVNC Loader Samples:
- 4c4872202abb5a60a8764bf44b370578a2b3d6f449b3881e96cc38f1b55f9cda
- 02ec55a5a2ad775adccd333edd94ac0bd82129a233736f7240044e085b73b0b3
- a7297883de84d73fb4965c00228144a0e53c573ad3b7291be39bc6d9c284454c
Communication Channels:
- hxxps://t[.]me/UFSB95
- hxxps://t[.]me/DVG8873
Infrastructure:
- AEZA International LTD hosting (Amsterdam-based servers)
Recommendations
Threat Awareness:
- Train staff to recognize sophisticated social engineering that exploits regional tensions and humanitarian concerns
- Implement additional scrutiny for media organizations and critical infrastructure entities that may be targeted for propaganda or disinformation purposes
Proactive Threat Hunting:
- Search email receipt logs and URL logs for technical indicators associated with these campaigns
- Review network traffic for commodity RAT signatures, particularly communications with known AEZA hosting infrastructure
- Investigate any instances of Telegram channel promotion in recruitment-themed communications, especially those offering
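The hunting steps above can be scripted against gateway telemetry. As an added example (not code from Mimecast or the original post), the following Python script refangs a subset of the indicators listed above and sweeps mail-gateway and proxy log lines for them. It also flags multi-volume RAR attachment names, a filename heuristic for the split-RAR delivery described earlier that is assumed here rather than taken from the page. The `timestamp key=value ...` log format and the sample lines are constructed for the example. Bitbucket and Google Drive URLs are matched on host and path only, because the platforms themselves are legitimate and the scheme and query string vary between copies of the same link.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the IOC section above, kept defanged as published.
IOC_DOMAINS = ["privat24x[.]com", "gbshost[.]com", "8161[.]uk"]
IOC_URLS = [
    "hxxps://bitbucket[.]org/ukgas/medoc/downloads/scan_docs_023747_medoc.zip",
    "hxxps://bitbucket[.]org/court_gov_ua/files/downloads/Dokumenty.zip",
    "hxxps://drive.google[.]com/file/d/1EipxNQZfEMcr0D0v3bg9VHhhuBQfRKvK/view?usp=drive_link",
    "hxxps://t[.]me/UFSB95",
]
IOC_SHA256 = {
    "de9f2262970884a7412c3b2fba2cb2fb9329ccf29a94b148ee47c255bff041a9",
    "4c4872202abb5a60a8764bf44b370578a2b3d6f449b3881e96cc38f1b55f9cda",
}
# Multi-volume RAR naming conventions (name.part1.rar, name.r00, name.001).
# Assumed heuristic for split-RAR delivery; not from the original report.
SPLIT_RAR_RE = re.compile(r"\.(part\d+\.rar|r\d{2}|\d{3})$", re.IGNORECASE)


def refang(ioc):
    """Turn the published defanged form back into a comparable string."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def url_key(url):
    """host + path, no scheme or query: survives tracking parameters
    and http/https variation between the IOC and the proxy log."""
    p = urlparse(refang(url))
    return p.hostname.lower() + p.path.rstrip("/") if p.hostname else ""


IOC_URL_KEYS = {url_key(u) for u in IOC_URLS}
IOC_DOMAIN_SET = {refang(d) for d in IOC_DOMAINS}


def domain_hit(host):
    """Match the host itself or any subdomain of a listed domain."""
    host = host.lower()
    for d in IOC_DOMAIN_SET:
        if host == d or host.endswith("." + d):
            return d
    return None


def check_url(url):
    """Return a reason string if the URL matches an indicator, else None."""
    p = urlparse(url)
    if not p.hostname:
        return None
    d = domain_hit(p.hostname)
    if d:
        return "ioc-domain:" + d
    key = url_key(url)
    if key in IOC_URL_KEYS:
        return "ioc-url:" + key
    return None


def check_attachment(filename, sha256=""):
    """Hash match first (exact), then the split-archive naming heuristic."""
    if sha256.lower() in IOC_SHA256:
        return "ioc-sha256:" + sha256.lower()[:12]
    if SPLIT_RAR_RE.search(filename):
        return "split-rar:" + filename
    return None


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Constructed format: 'timestamp key=value key=value ...'."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def scan(lines):
    """Return (timestamp, reason) for every line that trips an indicator."""
    hits = []
    for line in lines:
        f = parse_line(line)
        reason = None
        if f.get("type") == "url":
            reason = check_url(f.get("url", ""))
        elif f.get("type") == "attach":
            reason = check_attachment(f.get("file", ""), f.get("sha256", ""))
        if reason:
            hits.append((f["ts"], reason))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = """\
2024-08-14T09:12:03Z type=url src=10.1.2.3 url=https://bitbucket.org/court_gov_ua/files/downloads/Dokumenty.zip?utm_source=mail
2024-08-14T09:15:44Z type=attach from=sender@example.invalid file=Документи.part1.rar sha256=4C4872202ABB5A60A8764BF44B370578A2B3D6F449B3881E96CC38F1B55F9CDA
2024-08-14T09:16:02Z type=attach from=sender@example.invalid file=Документи.part2.rar sha256=0000000000000000000000000000000000000000000000000000000000000000
2024-08-14T10:02:11Z type=url src=10.1.2.9 url=http://www.privat24x.com/login
2024-08-14T10:05:00Z type=url src=10.1.2.9 url=https://bitbucket.org/acme/tools/downloads/release.zip
2024-08-14T10:07:30Z type=attach from=hr@example.invalid file=report.pdf sha256=1111111111111111111111111111111111111111111111111111111111111111
""".splitlines()

if __name__ == "__main__":
    for ts, reason in scan(SAMPLE_LOG):
        print(ts, reason)
```

Against the constructed sample, four of the six lines trip an indicator: the Bitbucket download despite its added query string, the first RAR volume by hash, the second volume by the split-archive naming heuristic alone (its hash is unknown, which is exactly the case the heuristic exists for), and the `www.` subdomain of a listed domain. Extend the IOC lists with the remaining entries from the section above before running it against real logs, and treat a split-RAR name without a hash hit as a lead to pull the attachment, not as a verdict.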