According to the Computer Emergency Response Team of Ukraine, cybercriminals deliver fake Windows antivirus updates that install Cobalt Strike and other types of malware.
The phishing emails pose as Ukrainian government agencies providing methods to boost network protection and urge receivers to download “critical security updates,” which come in the form of a 60 MB file named “BitdefenderWindowsUpdatePackage.exe.”
These emails include a link to a French website (which is no longer available) that contains download buttons for the supposed antivirus software updates.
MalwareHunterTeam also discovered that another website, nirsoft[.]me, was operating as the campaign’s command and control server.
When a target downloads and executes the bogus Bitdefender Windows update [VirusTotal], a prompt appears urging the potential victim to install a ‘Windows Update Package.’
Instead of an update, this installer retrieves and runs one.exe [VirusTotal] from the Discord CDN; that file is a Cobalt Strike beacon.
Cobalt Strike is a legitimate commercial penetration-testing framework that is widely abused by attackers; its Beacon payload provides command execution, lateral movement within the network, and persistence options. The same installer also drops a Go-based downloader (dropper.exe), which decodes a base64-encoded payload (java-sdk.exe) and executes it.
As explained by BleepingComputer, this file creates a new Windows registry key for persistence and downloads
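The delivery chain described above (a process fetching a payload from the Discord CDN, launching an executable it wrote to disk, and a descendant setting a registry key for persistence) is the kind of behaviour an endpoint hunt can correlate. The following Python is an added example, not code from CERT-UA, BleepingComputer or MalwareHunterTeam; the Sysmon-style events are constructed for illustration, and the hostname cdn.discordapp.com, the use of a `CurrentVersion\Run` key, and the process IDs and paths are assumptions, since the article only states that a registry key is created.

```python
"""Correlate constructed Sysmon-style events into the fake-update chain.

Added example, not from the original article. Assumptions: the Discord CDN
host is cdn.discordapp.com and the persistence key is a Run key.
"""
import json

# Constructed events (EventID 1 = process create, 3 = network connection,
# 11 = file create, 13 = registry value set). Paths and PIDs are invented.
SAMPLE_EVENTS_JSON = r"""
[
 {"EventID": 1, "ProcessId": 100, "ParentProcessId": 50, "Image": "C:\\Users\\victim\\Downloads\\BitdefenderWindowsUpdatePackage.exe"},
 {"EventID": 3, "ProcessId": 100, "DestinationHostname": "cdn.discordapp.com", "DestinationPort": 443},
 {"EventID": 11, "ProcessId": 100, "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\one.exe"},
 {"EventID": 1, "ProcessId": 200, "ParentProcessId": 100, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\one.exe"},
 {"EventID": 11, "ProcessId": 100, "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\dropper.exe"},
 {"EventID": 1, "ProcessId": 300, "ParentProcessId": 100, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\dropper.exe"},
 {"EventID": 11, "ProcessId": 300, "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\java-sdk.exe"},
 {"EventID": 1, "ProcessId": 400, "ParentProcessId": 300, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\java-sdk.exe"},
 {"EventID": 13, "ProcessId": 400, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\java-sdk", "Details": "C:\\Users\\victim\\AppData\\Local\\Temp\\java-sdk.exe"},
 {"EventID": 1, "ProcessId": 500, "ParentProcessId": 50, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
 {"EventID": 3, "ProcessId": 500, "DestinationHostname": "cdn.discordapp.com", "DestinationPort": 443}
]
"""

DISCORD_CDN = "cdn.discordapp.com"          # assumption: CDN host used for one.exe
RUN_KEY_MARKER = "\\currentversion\\run\\"  # assumption: Run-key persistence


def load_sample_events():
    return json.loads(SAMPLE_EVENTS_JSON)


def build_process_table(events):
    """Fold events into one record per PID: image, parent, hosts, files, registry writes."""
    procs = {}
    for ev in events:
        p = procs.setdefault(ev["ProcessId"], {"image": None, "parent": None,
                                               "hosts": set(), "files": set(), "regkeys": []})
        eid = ev["EventID"]
        if eid == 1:
            p["image"] = ev["Image"]
            p["parent"] = ev["ParentProcessId"]
        elif eid == 3:
            p["hosts"].add(ev["DestinationHostname"].lower())
        elif eid == 11:
            p["files"].add(ev["TargetFilename"].lower())
        elif eid == 13:
            p["regkeys"].append(ev["TargetObject"])
    return procs


def ancestors(procs, pid):
    """Yield pid and then each ancestor by following ParentProcessId (loop-safe)."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        yield pid
        pid = procs[pid]["parent"]


def find_fake_update_chains(events):
    """Return one finding per persistence event that descends from a CDN dropper.

    Stage 1: a process talked to the Discord CDN and some process later ran a
    file that this process wrote (a plain browser visit writes no such file).
    Stage 2: a descendant of that process set a value under a Run key.
    """
    procs = build_process_table(events)
    droppers = {}
    for pid, p in procs.items():
        if DISCORD_CDN not in p["hosts"]:
            continue
        executed = [c for c, cp in procs.items()
                    if cp["image"] and cp["image"].lower() in p["files"]]
        if executed:
            droppers[pid] = executed

    findings = []
    for pid, p in procs.items():
        run_keys = [k for k in p["regkeys"] if RUN_KEY_MARKER in k.lower()]
        if not run_keys:
            continue
        root = next((a for a in ancestors(procs, pid) if a in droppers), None)
        if root is not None:
            findings.append({
                "root_pid": root,
                "root_image": procs[root]["image"],
                "dropped_and_run": [procs[c]["image"] for c in droppers[root]],
                "persistence_pid": pid,
                "persistence_image": p["image"],
                "run_keys": run_keys,
            })
    return findings


if __name__ == "__main__":
    for f in find_fake_update_chains(load_sample_events()):
        print(json.dumps(f, indent=2))
```

The browser process (PID 500) also contacts the Discord CDN but is not flagged, because the rule requires the contacting process to have written a file that was subsequently executed; tying the persistence event back to that process through the parent chain is what separates this pattern from ordinary Discord traffic.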