CERT‑UA alerts on phishing impersonating Ukrainian agencies delivering Remcos RAT and Meduza Stealer to Poland, Ukraine
CERT‑UA and regional outlets flagged a phishing campaign (UAC‑0050) impersonating Ukrainian government agencies that targeted Polish and Ukrainian officials and delivered Remcos RAT and Meduza Stealer. The campaign blends espionage‑style targeting with commodity malware to harvest credentials and remote access.
On Dec. 8, 2025, cybersecurity authorities and reporting detailed a targeted phishing campaign tracked as UAC‑0050 that impersonated Ukrainian government agencies and targeted recipients in Poland and Ukraine. The malicious emails contained attachments and links engineered to bypass cursory inspection and, when executed, deployed the Remcos remote access trojan (RAT) and Meduza Stealer payloads. Analysts say the campaign illustrates a hybridization of espionage and financially motivated malware delivery: Remcos provides remote control and persistence, while Meduza exfiltrates credentials, browser data, and other sensitive artifacts useful for further intrusion or monetization.
CERT‑UA and regional security vendors are tracking indicators of compromise and advising recipients to treat unsolicited agency‑branded communications with caution, verify sender domains, and inspect attachments in isolated environments. The incident reinforces the need for multifactor authentication, endpoint detection, and threat intelligence sharing across allied incident response teams. Regional defenders continue to analyze the campaign’s infrastructure for ties to known operators and to block malicious sender domains and hosting providers used to stage the malware.