IMI representative receives phishing email collecting system data
Institute of Mass Information representative Valentyna Troyan received a phishing email on April 24 with a malicious file attachment that collects data about the system.
Unlike the similar emails that had arrived in her inbox earlier, the file was in .pdf format, not the usual .zip.
The Digital Security Laboratory (Tsyfrolaba), which Valentyna contacted for advice, says that the attached file contained malware.
“The file contains a link that downloads an archive with several password-protected documents and a 'password,' but it is probably some kind of script that collects data about the system, the IP address, language, and also tries to bypass protection. Probably followed by another payload,” adds Tsyfrolaba.

Screenshot of the email received by IMI representative Valentyna Troyan.
In April 2025, the Institute of Mass Information (IMI) received multiple phishing emails, claiming to be from accountants, in the NGO's inbox. The emails were sent by the hacker group UAC-0050, which is affiliated with the Russian intelligence services. Tsyfrolaba specialists explain that the archives sent by the hackers contain password-protected documents and the malicious file “Password.js”. If it is run on a computer with a Windows operating system, it secretly installs the Remote Utilities software, which can take screenshots, make recordings with the microphones and cameras, steal passwords, documents, etc.