Info-stealing malware targets DELTA users in Ukraine

The compromised email address of the Ukrainian Ministry of Defense was discovered to have sent phishing messages and instant messages to other users of the “DELTA” situational awareness program in order to infect computers with malware.

The malware attack was warned by the Ukrainian Military Personnel in a report published today by .

DELTA, an intelligence management and collection system that Ukraine created with its allies in order to aid the military track enemy movements, is what it calls.

This system offers comprehensive, real-time data with high-level integration of multiple sources. It can be run on all electronic devices from smartphones to laptops.

The digital certificates can be used to sign software codes and authenticate servers. They tell security products that no modifications have been made and that the operator of the server is the person they say they are.


Threat actors sent email and instant messages in this attack with false warnings to users that they needed to correct the “Delta” certificates to secure the system.

The malicious email contains a PDF document purportedly with certificate installation instructions, which includes links to download a ZIP archive named “”

Sample of email used in the campaign


Landing page from where victims download the ZIP file


The archive contains a digitally signed executable named “certificates_rootCA.exe,” which, upon launch, creates several DLL files on the victim’s system and launches “ais.exe,” which simulates the certificate installation process.

This convinces victims that they were being harmed and decreases their chances of realizing it.

Certificate installation dialog


VMProtect protects both the EXE and DLL files. This legitimate software wraps files on standalone virtual machines and encrypts their contents, making AV analysis and detection difficult.

Dropped DLLs “FileInfo.dll” and “procsys.dll” are malware. CERT-UA identified them as ‘FateGrab’ and ‘StealDeal’.

FateGrab, an FTP file thief, targets documents and email of the following formats: “.txt”, “.rtf”,?.xls”,.xlsx,”, “.ods,”,,,,.pdf”,.vbs,”,.pdf”,.pdf”,.vbs,”,.one,”,.kdbx,”,.docx,”,.docx”,.odt”,.eml”,, toml’.ml’sg’sg’sg’

StealDeal malware is information-stealing and can be used to steal passwords and browsing data from the internet browser.

CERT-UA could not link the operation above to known threats actors.