Ukrainian Police Spoofed: SVG Fileless Phishing Delivers Amatera Stealer in Kyiv
Executive Summary
In early 2024, cybercriminals conducted a sophisticated phishing campaign targeting organizations and individuals in Kyiv, Ukraine, by spoofing the National Police of Ukraine. The attackers distributed malicious emails containing Scalable Vector Graphics (SVG) files, which enabled fileless delivery of info-stealing malware such as Amatera Stealer and the cryptocurrency miner PureMiner. By leveraging social engineering and trusted police branding, they bypassed common security defenses, leading to the theft of sensitive credentials, system compromise, and potential financial losses. The breach highlights attackers’ growing reliance on fileless techniques and deceptive lures to infiltrate victims’ environments with minimal detection.
This incident underlines a shift toward advanced, stealthy phishing tactics that weaponize graphics files and trusted institutional identities. The approach signifies an escalating trend in cybercrime, where threat actors continue to innovate to evade legacy controls and exploit user trust amid ongoing geopolitical unrest.
Why This Matters Now
Phishing attacks using fileless malware and trusted branding are surging, outpacing traditional defenses. Organizations must respond rapidly as these advanced techniques reduce the window for detection and heighten risks to sensitive data—especially amid heightened cyberthreats in the region and globally.
Attack Path Analysis
Attackers targeted Ukrainian users through phishing emails that impersonated the National Police and leveraged malicious SVG files to deliver fileless payloads. Upon a successful phishing execution, infostealer and cryptominer malware were launched with the privileges of the compromised user. The malware attempted to move laterally within the network to access new targets and resources. Command and control connections were established via outbound channels to allow ongoing attacker control and exfiltration of credentials and sensitive data. Collected information and potentially mined cryptocurrency were exfiltrated to external servers, before the attack concluded with potential disruption, resource abuse, or further propagation.
Kill Chain Progression
Initial Compromise
Description
Victims were tricked by phishing emails including malicious SVG attachments impersonating the Ukrainian Police, leading to the download and execution of fileless stealer and cryptominer payloads.
Related CVEs
CVE-2024-21412
CVSS 7.8A vulnerability in Microsoft Windows SmartScreen allows attackers to bypass security warnings, potentially leading to the execution of malicious code.
Affected Products:
Microsoft Windows – 10, 11
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
User Execution: Malicious File
Obfuscated Files or Information
Process Injection
Signed Binary Proxy Execution
Data from Local System
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Masquerading
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Awareness Training
Control ID: 12.6
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6(1)
CISA ZTMM 2.0 – Automate Continuous Threat Monitoring
Control ID: Detection & Visibility: 2.2
NIS2 Directive – Security in Network and Information Systems
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Direct impersonation of Ukrainian National Police creates critical trust erosion and credential theft risks for government agencies using similar authentication systems.
Law Enforcement
Police impersonation attacks undermine law enforcement credibility while fileless phishing and cryptocurrency mining threaten sensitive investigative systems and data.
Financial Services
Amatera Stealer specifically targets financial credentials while PureMiner cryptocurrency mining can compromise payment processing systems requiring PCI compliance controls.
Information Technology/IT
SVG-based fileless attacks exploit web technologies requiring enhanced egress filtering, anomaly detection, and zero trust segmentation across IT infrastructure.
Sources
- Ukrainian Cops Spoofed in Fileless Phishing Attacks on Kyivhttps://www.darkreading.com/cyberattacks-data-breaches/ukrainian-cops-spoofed-fileless-phishing-attacks-kyivVerified
- SVG Phishing hits Ukraine with Amatera Stealer, PureMinerhttps://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminerVerified
- SVG email attachment spreads Amatera Stealer, PureMiner malwarehttps://www.scworld.com/news/svg-email-attachment-spreads-amatera-stealer-pureminer-malwareVerified
- Researchers Expose Phishing Threats Distributing CountLoader and PureRAThttps://thehackernews.com/2025/09/researchers-expose-svg-and-purerat.htmlVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, robust east-west traffic controls, and strict egress enforcement would have significantly constrained lateral spread, prevented unauthorized data exfiltration, and made C2 communications detectable. Visibility and anomaly detection capabilities within CNSF would have enabled early detection and blocked suspicious outbound and internal activities initiated by the infostealer and cryptominer.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection and alerting on suspicious fileless activity and anomalous user behavior.
Control: Zero Trust Segmentation
Mitigation: Containment of compromised workloads and restriction of privilege escalation attempts.
Control: East-West Traffic Security
Mitigation: Detection and blocking of unauthorized intra-cloud movement.
Control: Inline IPS (Suricata)
Mitigation: Detection and blocking of known C2 traffic signatures and suspicious outbound patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Blocking of unauthorized outbound data transfers.
Minimization of business disruption and automated containment of malicious workloads.
Impact at a Glance
Affected Business Functions
- Information Security
- IT Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive system information, user credentials, and financial data due to the deployment of Amatera Stealer.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict movement from compromised users or services and reduce attack surface.
- • Enforce granular egress controls to block unauthorized outbound communications and data exfiltration.
- • Deploy inline threat detection and anomaly response tools to identify suspicious behaviors and malware activity early.
- • Strengthen east-west traffic visibility and enforce microsegmentation to prevent lateral movement within cloud environments.
- • Continuously monitor and baseline cloud workload behaviors to detect and remediate malicious processes like cryptominers.
