FlyingYeti APT Serves Up Cookbox Malware Using WinRAR

Published: 23/11/2024   Category: security


The Russia-aligned FlyingYeti's phishing campaign exploited Ukrainian citizens' financial stress to spread Cookbox malware.



A month-long phishing campaign by the Russia-aligned threat actor group FlyingYeti has been leveraging a WinRAR vulnerability to deliver the Cookbox malware to Ukrainian citizens.
The Cloudforce One threat intelligence team noted in an advisory this week that the attack aimed to exploit the financial distress of Ukrainian citizens following the lifting of a government moratorium on evictions and utility disconnections for unpaid debt.
"FlyingYeti sought to capitalize on that pressure, leveraging debt restructuring and payment-related lures in an attempt to increase their chances of successfully targeting Ukrainian individuals," the report noted.
Also known as UAC-0149 by the Computer Emergency Response Team of Ukraine (CERT-UA), FlyingYeti has previously primarily targeted the country's military entities, but extended its focus to include civilian targets in the latest campaign.
Phishing operations began in mid-April, when Cloudforce One detected FlyingYeti's preparations.
The attackers used the debt-themed lures to trick victims into opening malicious files. When opened, the files infected the victim's system with the Cookbox malware, a PowerShell-based threat able to execute additional malicious commands and payloads.
FlyingYeti's phishing emails and Signal messages impersonated the country's housing authority, Kyiv Komunalka, and its website, urging recipients to download a Microsoft Word document, which then retrieved a WinRAR archive file from a GitHub-hosted site. WinRAR is a file archiver utility for Windows.
This file exploited the WinRAR vulnerability CVE-2023-38831 to execute the Cookbox malware, and contained multiple files, including those designed to obscure file extensions and appear as harmless documents.
These decoy documents, which looked like debt restructuring agreements, contained tracking links with Canary Tokens to monitor victim engagement.
The report noted the malware also used persistence techniques to remain on the victim's device, communicating with a dynamic DNS (DDNS) domain for command-and-control (C2) purposes.
Cloudflare's monitoring revealed that FlyingYeti conducted extensive reconnaissance on Ukrainian communal housing and utility payment processes, including analyzing QR codes used for making payments.
The malware delivery method initially leveraged Cloudflare's serverless computing platform, Workers, to fetch the WinRAR file from GitHub.
When the company uncovered this method, it was able to shut down the operation, but FlyingYeti adapted by directly hosting the malware on GitHub, the company noted.
Cloudflare's efforts included notifying GitHub, which resulted in the removal of the phishing site and the WinRAR file, and the suspension of the associated account.
This forced FlyingYeti to move to other hosting options, including the online file-sharing services Pixeldrain and Filemail.
Still, Cloudflare's continuous disruption efforts extended the attack's execution time and forced the attackers to repeatedly adapt their tactics, which ended with "the malicious actors giving up on the campaign for now," it reported.
FlyingYeti could easily resurface, however: Ukraine has been targeted by various threat actors during its ongoing war with Russia, most recently through attackers using an old Microsoft Office RCE exploit from 2017 as the initial vector.
In the report, Cloudflare recommended several basic security steps to mitigate potential phishing threats, starting with implementing zero-trust architecture foundations.
"Ensure your systems have the latest WinRAR and Microsoft security updates installed," the report noted. "Consider preventing WinRAR files from entering your environment, both at your Cloud Email Security solution and your Internet Traffic Gateway."
Additional email security measures should focus on protection against phishing, business email compromise (BEC), and other threats, while browser isolation can separate messaging applications such as LinkedIn, email, and Signal from the main network.
Scanning, monitoring, and enforcing controls on specific or sensitive data moving through the network environment with data loss prevention (DLP) policies was also recommended.
Running an endpoint detection and response (EDR) tool, for example Microsoft Defender for Endpoint, can provide visibility into binary execution on hosts.
Finally, searching the network for FlyingYeti's indicators of compromise (IOCs), included in the report, could help identify potential malicious activity.
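The report's advice to keep WinRAR archives out of the environment and its mention of files with obscured extensions can be turned into two gateway-side checks. The following is an added example, not code from the article or from Cloudflare: it recognises a RAR archive by its signature bytes rather than its filename, and, given an archive's entry listing (the listing tool and the sample entries below are assumed and constructed), flags executables dressed up as documents and the same-name file/directory layout that CVE-2023-38831 archives depend on.

```python
import posixpath

# Signature bytes from the published RAR format documentation.
RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 4.x
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.x

# Extensions a recipient would read as "a harmless document" vs. ones Windows will execute.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXECUTABLE_EXTS = {".cmd", ".bat", ".exe", ".ps1", ".vbs", ".js", ".lnk", ".scr", ".hta"}


def is_rar(data: bytes) -> bool:
    """True if the bytes start with a RAR 4 or RAR 5 signature, whatever the filename says."""
    return data.startswith(RAR4_MAGIC) or data.startswith(RAR5_MAGIC)


def masquerades_as_document(name: str) -> bool:
    """Executable entry whose name carries a document extension before the real one."""
    base = posixpath.basename(name.rstrip("/"))
    stem, ext = posixpath.splitext(base)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    inner_ext = posixpath.splitext(stem.strip())[1].lower()  # strip() catches padding spaces
    return inner_ext in DOCUMENT_EXTS


def same_name_dir_pattern(names):
    """Return {file_entry: [children]} for every file that has a same-named directory with content,
    the layout CVE-2023-38831 archives rely on."""
    findings = {}
    for f in (n for n in names if not n.endswith("/")):
        prefix = f + "/"
        children = [n for n in names if n.startswith(prefix) and len(n) > len(prefix)]
        if children:
            findings[f] = children
    return findings


def triage_archive(data: bytes, names) -> dict:
    """Combine the checks into one verdict for a mail-gateway or EDR enrichment step."""
    return {
        "is_rar": is_rar(data),
        "masquerading": [n for n in names if masquerades_as_document(n)],
        "same_name_dirs": same_name_dir_pattern(names),
    }


# Constructed sample: the first bytes of a RAR5 file that arrived renamed, plus its entry listing.
SAMPLE_BYTES = RAR5_MAGIC + b"\x00" * 16
SAMPLE_NAMES = ["Agreement.pdf", "Agreement.pdf/", "Agreement.pdf/Agreement.pdf .cmd"]

if __name__ == "__main__":
    print(triage_archive(SAMPLE_BYTES, SAMPLE_NAMES))
```

The entry listing can come from any archive tool or library that reports paths with a trailing slash for directories; the signature check alone is enough to enforce a "no RAR at the gateway" policy against renamed attachments.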
