The Computer Emergency Response Team of Ukraine (CERT-UA) has cautioned of a new set of spear-phishing attacks exploiting the “Follina” flaw in the Windows operating system to deploy password-stealing malware.

Attributing the intrusions to a Russian nation-state group tracked as APT28 (aka Fancy Bear or Sofacy), the agency said the attacks commence with a lure document titled “Nuclear Terrorism A Very Real Threat.rtf” that, when opened, exploits the recently disclosed vulnerability to download and execute a malware called CredoMap.

Follina (CVE-2022-30190, CVSS score: 7.8), which concerns a case of remote code execution affecting the Windows Support Diagnostic Tool (MSDT), was addressed by Microsoft on June 14, as part of its Patch Tuesday updates, but not before it was subjected to widespread zero-day exploit activity by numerous threat actors.

According to an independent report published by Malwarebytes, CredoMap is a variant of the .NET-based credential stealer that Google Threat Analysis Group (TAG) divulged last month as having been deployed against users in Ukraine.

The malware’s main purpose is to siphon data, including passwords and saved cookies, from several popular browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox.

“Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence,” Malwarebytes said. “The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state.”

It’s not just APT28. CERT-UA has further warned of similar attacks mounted by Sandworm and an actor dubbed UAC-0098 that leverage a Follina-based infection chain to deploy CrescentImp and Cobalt Strike Beacons on to targeted hosts in media and critical infrastructure entities.

The development comes as Ukraine continues to be a target for cyberattacks amidst the country’s ongoing war with Russia, with Armageddon hackers also spotted distributing the GammaLoad.PS1_v2 malware in May 2022.

Update: Amidst relenting hacking attempts tailored to drop malware in Ukrainian organizations, Microsoft revealed in a special report that state-backed Russian hackers have engaged in “strategic espionage” against 128 targets spanning governments, think tanks, businesses, and aid groups in 42 countries supporting Kyiv since the onset of the war.

49% of the observed activity focused on government agencies, followed by IT (20%), critical infrastructure (19%), and NGOs (12%). Just 29% of these intrusions are said to have been successful, with a quarter of the incidents leading to the exfiltration of sensitive data.

“To date, the Russians haven’t used destructive ‘wormable’ malware that can jump from one computer domain to another and thereby cross international borders to spread economic damage,” the Redmond-based tech giant said.

“Instead, they are designing attacks to stay within Ukraine. While Russia has been careful to confine its destructive malware to specific network domains located within Ukraine itself, these attacks are more sophisticated and widespread.”