
Ukraine Separatists, Politicians Targeted in Surveillance Operation

Researchers at ESET have uncovered a cyber surveillance/espionage operation aimed at separatists, government officials, journalists and politicians in Ukraine.

The campaign, which the security firm has named Operation Groundbait, relies on a piece of malware called Prikormka (the Russian word for “groundbait”). The malware, seen mostly in Ukraine, has been active since at least 2008 and went undetected for years.

The malware likely stayed under the radar for so long because of its low infection rates. ESET took notice in 2015, when the number of detections rose to 178, a significant increase from the previous year, when only 44 infections were spotted.

“The low detection ratio and ability to stay undetected for years is a common characteristic of targeted attacks (APTs). The investigation of campaigns and Prikormka activity has increased our confidence that this malware is used in targeted attacks,” ESET said in a report detailing Operation Groundbait.

The malware, which runs on both 32- and 64-bit Windows systems, uses more than a dozen modules stored on disk as DLL and EXE files to carry out its tasks. The Trojan is capable of stealing documents, logging keystrokes, grabbing screenshots, capturing audio from the microphone and from Skype calls, and collecting passwords saved by applications.

In many cases, the attackers delivered the malware via spear-phishing emails carrying bait documents that referenced the geopolitical situation in Ukraine and the armed conflict in the country’s Donbass region. The malware was named Prikormka because in one of the attacks observed by the security firm, the decoy displayed a price list for fishing groundbait.

“It’s the choice of this decoy document that we have so far been unable to explain,” said Robert Lipovský, senior malware researcher at ESET.

While a majority of infections have been found in Ukraine, the malware has also been detected in Russia. Researchers identified more than 80 unique campaign IDs, each associated with a number of decoy documents designed for a specific target.

The threat actor appears to have targeted individuals in the Ukrainian government, anti-government separatists in the Luhansk and Donetsk regions, and Ukraine’s nationalist political party Right Sector (Pravyi Sektor). Decoy documents analyzed by researchers also referenced religious topics, payment card fraud, and a job application written in Hungarian.

Evidence uncovered by ESET suggests that the attackers are running a politically motivated operation from within Ukraine, which has led the security firm to classify it as cyber surveillance rather than cyber espionage.

“Any further attempt at attribution would at this point be speculative. In addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too,” said Lipovský.

This is not the only APT campaign aimed at Ukraine. The country has also been targeted in Operation Potao Express, by the Russia-linked threat group Pawn Storm (APT28, Sofacy), and by Sandworm Team or a related Russian operator in attacks on the country’s energy sector.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
