{"id":3128,"date":"2024-04-17T07:00:00","date_gmt":"2024-04-17T12:00:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=80158"},"modified":"2024-04-17T07:00:00","modified_gmt":"2024-04-17T12:00:00","slug":"decade-old-malware-haunts-ukrainian-police","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/04\/17\/decade-old-malware-haunts-ukrainian-police\/","title":{"rendered":"Decade-old malware haunts Ukrainian police\u00a0"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Decade-old malware haunts Ukrainian police&nbsp; | CyberScoop<\/title> <meta name=\"description\" content=\"A virus dating to 2015 is still hitting targets in Ukraine, showing its enduring power.&nbsp;&nbsp;\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/decade-old-malware-haunts-ukrainian-police\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Decade-old malware haunts Ukrainian police&nbsp;\"> <meta property=\"og:description\" content=\"A virus dating to 2015 is still hitting targets in Ukraine, showing its enduring power.&nbsp;&nbsp;\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/decade-old-malware-haunts-ukrainian-police\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2024-04-17T12:00:00+00:00\"> <meta property=\"article:modified_time\" content=\"2024-04-16T21:45:11+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg\"> <meta 
property=\"og:image:width\" content=\"1920\"> <meta property=\"og:image:height\" content=\"1280\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"AJ Vicens\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@AJVicens\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1712700738g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress-next\/dist\/css\/related-posts-block-styles.min.css?m=1713212360g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1711866546g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=74528d75ce0daeb8628a\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/80158\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.5.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=80158\">\n<link rel=\"alternate\" type=\"application\/json+oembed\" 
href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fdecade-old-malware-haunts-ukrainian-police%2F\">\n<link rel=\"alternate\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fdecade-old-malware-haunts-ukrainian-police%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-80158 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/decade-old-malware-haunts-ukrainian-police\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 
9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"24.600358422939\">\n<div class=\"single-article__header-content\" readability=\"29.25\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/news\/geopolitics\/\"> <span>Geopolitics<\/span> <\/a> <\/li>\n<\/ul>\n<p> A virus dating to 2015 is still hitting targets in Ukraine, showing its enduring power.&nbsp;&nbsp; <\/p>\n<\/p><\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"426\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police.jpg?resize=640%2C426&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg 1920w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg?resize=1024,683 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg?resize=1536,1024 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg?resize=600,400 600w, 
https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg?resize=506,337 506w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg?resize=1013,675 1013w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-2.jpg?resize=1265,843 1265w\" sizes=\"(max-width: 1013px) 100vw, 1013px\"><figcaption> Photo of monitor while downloading a file from the &#8220;Internet to My Computer&#8221;. (spxChrome\/Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"45.871475953566\"><body readability=\"92.192750162796\"><\/p>\n<p>More than 100 documents containing potentially confidential information related to government and police activities in Ukraine were uploaded to a publicly accessible repository recently as the result of nearly decade-old malware, an unusual case in which an old and imperfect virus has escaped detection, allowing it to persist and continue to pose a threat.<\/p>\n<p>The documents, discovered as part of normal threat hunting activities carried out by researchers with Cisco\u2019s Talos Threat Intelligence Research Team, were infected with a virus named \u201cOfflRouter,\u201d which dates to 2015 and has not been examined extensively in public, <a href=\"https:\/\/blog.talosintelligence.com\/offlrouter-virus-causes-upload-confidential-documents-to-virustotal\/\">according to an analysis<\/a> shared exclusively with CyberScoop.&nbsp;<\/p>\n<p>In this case, OfflRouter serves as a means to deliver an executable file known as \u201cctrlpanel.exe,\u201d which attempts to lower Word security settings and select additional documents to infect, Vanja Svajcer, outreach 
researcher with Talos, told CyberScoop in an email.<\/p>\n<p>The virus can only be spread by sharing laced documents and removable media, such as USB memory sticks, and only targets files with a \u201c.doc\u201d file extension, suggesting either that the virus was created to target a small number of entities or specific files, or that the virus\u2019s author made a mistake in designing the malware. Newer versions of Word use the \u201c.docx\u201d file extension, but the \u201c.doc\u201d remains in use.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Against the backdrop of a number of different hacking operations in Ukraine, the re-emergence of an old virus represents an anomaly.&nbsp;<\/p>\n<p>\u201cWhen the same old virus, over the course of a few years (most recently in February 2024) causes users to upload over 100 official police and local government documents to VirusTotal, it becomes more interesting,\u201d Svajcer said. \u201cIt seems likely to be impacting enough people to warrant the upload of significant amounts of documents.\u201d<\/p>\n<p>The virus is also interesting, Svajcer added, because its activity is limited to Ukraine, where Russian hacking groups are carrying out <a href=\"https:\/\/cyberscoop.com\/tag\/ukraine\/\">constant aggressive cyber operations<\/a> ranging from destructive activity to cyberespionage against public and private entities. The researchers could not determine who was behind the operation.&nbsp;<\/p>\n<p>Talos researchers uncovered the virus after discovering several apparently Ukrainian local government and Ukrainian National Police documents uploaded to VirusTotal, a website used by threat intelligence researchers to scan documents for malware, viruses and other threats. 
Further investigation revealed more than 100 documents that included potentially confidential information about police activities.<\/p>\n<p>The analysis of those documents revealed they were infected with OfflRouter. A 2018 OfflRouter <a href=\"https:\/\/www.csirt.gov.sk\/wp-content\/uploads\/2021\/08\/analysis_offlrouter.pdf\">analysis by the Slovakian government Computer Security Incident Response Team<\/a>, also based on Ukrainian National Police files, noted that it was \u201crare\u201d to discover malware that \u201clooks like the 1st stage of some cyber operation, but currently it is not publicly known what tools on removable devices are used during the next stages and what kind of organizations are targeted in the campaign.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>That police files were uploaded in 2018 and more recently \u201cindicates that the virus managed to survive over 5 years in that environment,\u201d Svajcer said. \u201cWe think it is important to emphasize the risk of such a virus infecting government organizations and the dangers of non-deliberate data leaks which can happen as a result. Instead of VirusTotal, the data could have been leaked to a lot less friendly organization.\u201d<\/p>\n<p>The documents could be acting as lures to target additional agencies and organizations, according to the analysis. 
Lure documents \u2014&nbsp;which are created by adding malware or abusing <a href=\"https:\/\/www.cynet.com\/attack-techniques-hands-on\/office-macro-attacks\/\">automated scripting capabilities<\/a> in documents to deliver malware to carry out any number of tasks \u2014 are a common tactic employed by hacking groups as initial vectors to access targeted networks.&nbsp;<\/p>\n<p>Recent examples include the <a href=\"https:\/\/cyberscoop.com\/tag\/gamaredon\/\">Russian-linked Gamaredon<\/a> group using documents laced with information-stealing malware that <a href=\"https:\/\/blog.talosintelligence.com\/gamaredon-apt-targets-ukrainian-agencies\/\">targeted Ukrainian agencies<\/a> as part of a cyber espionage operation. Last summer, a hacking campaign tracked as UNC1151 (which has possible links to the Belarusian government), targeted several government agencies across Ukraine and Poland using the tactic, <a href=\"https:\/\/blog.talosintelligence.com\/malicious-campaigns-target-entities-in-ukraine-poland\/\">Talos reported at the time<\/a>.<\/p>\n<p>An ongoing hacking campaign tracked as RomCom, with potential ties to Russia, also abused the tactic in July 2023 to gather information on Ukraine\u2019s efforts to join NATO during the NATO Summit, <a href=\"https:\/\/blogs.blackberry.com\/en\/2023\/07\/romcom-targets-ukraine-nato-membership-talks-at-nato-summit\">researchers with BlackBerry<\/a> detailed in a report at the time.&nbsp;<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"1.2569444444444\">\n<div class=\"author-card\" readability=\"8\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/04\/decade-old-malware-haunts-ukrainian-police-1.jpg?w=640&#038;ssl=1\" alt=\"AJ Vicens\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by AJ 
Vicens<\/h4>\n<p> AJ covers nation-state threats and cybercrime. He was previously a reporter at Mother Jones. Get in touch via Signal\/WhatsApp: (810-206-9411). <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Geopolitics<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" 
class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a href=\"https:\/\/cyberscoop.com\/decade-old-malware-haunts-ukrainian-police\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Decade-old malware haunts Ukrainian police&nbsp; | CyberScoop Skip to main<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[724,302,168,1889,288,354],"tags":[727,306,169,1890,294,358],"class_list":["post-3128","post","type-post","status-publish","format-standard","hentry","category-cisco-talos","category-geopolitics","category-malware","category-offlrouter","category-threats","category-ukraine","tag-cisco-talos","tag-geopolitics","tag-malware","tag-offlrouter","tag-threats","tag-ukraine"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cisco-talos\/\" rel=\"category tag\">Cisco Talos<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/geopolitics\/\" rel=\"category tag\">Geopolitics<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/malware\/\" rel=\"category tag\">Malware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/offlrouter\/\" rel=\"category tag\">OfflRouter<\/a> <a 
href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ukraine\/\" rel=\"category tag\">Ukraine<\/a>","tag_info":"Ukraine","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3128","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=3128"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/3128\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=3128"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=3128"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=3128"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}