Summary
- CERT-UA has documented several initial-access methods used by UAC-0145, which it associates with Sandworm.
- The activity combines custom malware with torrents, Signal, fake CAPTCHA prompts, PowerShell, OpenSSH, and Tor.
- Effective defence depends on controlling software acquisition, user-driven command execution, and legitimate administration tools.
Ukraine’s national incident response team has detailed several access methods used by a threat cluster it associates with Russia-linked Sandworm operations, including trojanised software downloads, direct social engineering over Signal, and fake CAPTCHA prompts that persuade users to execute PowerShell commands.
CERT-UA tracks the activity as UAC-0145 and considers it a subcluster of UAC-0002, which is also associated with the names Sandworm, APT44, and Seashell Blizzard. The attribution represents CERT-UA’s assessment rather than independent proof for every intrusion assigned to the cluster.
The agency’s technical account describes software installers distributed through torrent services, turning a user’s search for unofficial or unlicensed software into an execution route. Other approaches have involved direct conversations over Signal, allowing the operator to adapt the pretext to a specific target.
Fake CAPTCHA or verification prompts provide another route. Instead of exploiting a software flaw, the page instructs the user to copy a command and run it through PowerShell, placing the initial execution inside an apparently deliberate user action.
CERT-UA also identifies custom malware including GHETTOVIBE and SCOUTCURL, alongside OpenSSH and Tor. Those legitimate technologies can support tunnelling, port forwarding, lateral movement, and persistent access while blending with software used for authorised administration.
Simple access supports capable operations
The observed methods do not depend on one advanced exploit. Pirated software, messaging conversations, and familiar verification prompts can establish an initial foothold before more capable tooling is introduced.
That approach reduces dependence on scarce vulnerabilities and allows operators to switch distribution methods when infrastructure is blocked. It also complicates detection because much of the early sequence resembles legitimate behaviour: downloading an installer, speaking to somebody through a messaging service, opening a terminal, or using an administration utility.
Controls that focus solely on malicious files may miss the wider chain. Application controls can restrict unapproved installers, while PowerShell logging, behavioural endpoint monitoring, and network detection can reveal execution and access that depart from the user’s normal role.
OpenSSH is present on modern Windows and Linux systems and may be essential for administration. Tor may also have authorised research or privacy uses. Rather than relying only on blanket blocking, organisations can monitor unexplained port forwarding, new services, unexpected outbound destinations, and administration tools running from user directories.
The direct approaches over Signal also place pressure on identity and support processes. Messages can include information collected through reconnaissance, compromised accounts, or public records, producing a request that appears relevant to the employee’s work rather than a generic phishing lure.
Techniques observed in Ukraine travel easily
Ukraine continues to provide detailed evidence of techniques used in sustained state-linked operations against public institutions and essential services. Some campaigns remain specific to the wartime environment, but access methods that prove reliable can be reused against European governments, defence suppliers, researchers, media organisations, logistics companies, and infrastructure operators.
Torrent-delivered software also creates a route outside formal procurement controls. An organisation may maintain a well-governed supplier programme while employees or contractors install unofficial software on specialist workstations, personal devices, or unmanaged systems that later connect to corporate services.
Incident response should establish how software arrived on a machine, rather than concentrating only on the final payload. Torrent activity, Signal attachments, fake verification pages, PowerShell history, and unexpected tunnelling tools may explain the original compromise after the malware itself has been removed.
CERT-UA’s findings show technically capable operators using familiar services and ordinary system tools where they provide a reliable route. Resilience depends on preventing user-assisted execution from becoming durable access and on recognising legitimate technologies when they operate outside their expected context.



