Analyzing the DirtyMoe and STEADY#URSA Attack on Ukrainian Infrastructure

Ukraine has found itself at the center of a sophisticated cyber-attack campaign, where over 2,000 computers have been compromised by the malware strain known as DirtyMoe. This malicious software, active since 2016, is notorious for its capabilities in executing cryptojacking and distributed denial-of-service (DDoS) attacks. The Computer Emergency Response Team of Ukraine (CERT-UA) attributes these attacks to a threat actor labeled UAC-0027. Notably, cybersecurity company Avast in March 2022 uncovered the worm-like propagation abilities of DirtyMoe, exploiting known vulnerabilities to spread itself further.

Delivery Mechanisms and Challenges

DirtyMoe’s delivery mechanisms include the use of another malware named Purple Fox, or through deceptive MSI installer packages mimicking legitimate software like Telegram. Purple Fox comes with a rootkit component, significantly complicating the detection and removal processes by hiding the malware deep within the infected system. The initial access vector in the Ukrainian attacks remains undetermined,

DirtyMoe’s Operational Scale

CERT-UA’s detection and analysis reveal that DirtyMoe can establish remote access, launch DDoS attacks, and perform cryptocurrency mining. Its self-propagation feature, enabled by brute-forcing credentials or exploiting vulnerabilities, along with a sophisticated command and control (C2) infrastructure, underscores the advanced nature of this threat. The infrastructure associated with DirtyMoe includes a vast number of IP addresses, primarily located in compromised hardware within China, illustrating the global scale and complexity of its operations​​.

Recommendations for Combatting DirtyMoe

In response to these threats, CERT-UA recommends vigilant monitoring and proactive measures to detect signs of infection. Recommendations include investigating network connections for suspicious activities, utilizing the Windows Registry and Event Viewer to detect malware signatures, and inspecting directories for unknown files. Two methods for malware removal have been suggested, emphasizing the importance of enabling the system’s built-in firewall to block potential infection vectors​​.

The STEADY#URSA Campaign

Parallelly, a phishing campaign dubbed STEADY#URSA has been targeting Ukrainian military personnel, aiming to install a custom PowerShell backdoor known as SUBTLE-PAWS. This campaign, elaborated on by Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov, initiates with a malicious .lnk file that deploys the SUBTLE-PAWS payload. This attack has connections to Shuckworm, also recognized by multiple aliases such as Aqua Blizzard and Gamaredon. Shuckworm, believed to operate under Russia’s Federal Security Service (FSB), has been active since 2013 and exhibits sophisticated cyber espionage capabilities.

The SUBTLE-PAWS Backdoor Capabilities

SUBTLE-PAWS leverages advanced techniques for dynamic payload execution and persistence, including storing executable code in the Windows Registry to evade detection. Additionally, it uses Telegram’s Telegraph platform for retrieving command-and-control information, a tactic previously associated with this adversary. The malware’s propagation methods also include spreading via USB drives, a technique documented by Check Point in November 2023 under the name LitterDrifter for a different PowerShell-based USB worm.


This series of cyber-attacks underscores the evolving landscape of cyber warfare, highlighting the need for robust cybersecurity defenses and international cooperation. The use of sophisticated malware like DirtyMoe and SUBTLE-PAWS by state-sponsored actors poses significant threats not only to the immediate targets but also to the global digital infrastructure. As these threats continue to advance, the imperative for continuous vigilance and adaptive cybersecurity strategies becomes ever more critical.

How Can Netizen Help?

Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Questions or concerns? Feel free to reach out to us any time –

Copyright © Netizen Corporation. All Rights Reserved.