UAC-0145 Uses ClickFix CAPTCHAs to Infect Ukrainian Devices wih Malware
Russian state-sponsored threat actors have been observed leveraging the infamous ClickFix strategy to trick Ukrainian targets into infecting their own machines with data-stealing malware. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the activity has been attributed to UAC-0145 , a sub-cluster within Sandworm , an advanced hacking unit affiliated with GRU, Russia's primary foreign military intelligence agency. In these attacks, threat actors have been found to leverage fake CAPTCHA checks on compromised websites that instruct prospective targets to execute a PowerShell command in the terminal. "The mentioned command, as an example, could be intended for downloading and saving a VBS file in the Startup autorun directory; one of the variants of such a program was called GHETTOVIBE," CERT-UA said in an alert. The attacks also involve the use of SCOUTCURL, a PowerShell script that performs basic reconnaissance by harvesting details about t...
î ‚Jul 19, 2026