information-stealing malware

A Russia-linked threat actor has been observed deploying a new information-stealing malware in cyber attacks targeting Ukraine.

Dubbed Graphiron by Broadcom-owned Symantec, the malware is the handiwork of an espionage group known as Nodaria, which is tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0056.

"The malware is written in Go and is designed to harvest a wide range of information from the infected computer, including system information, credentials, screenshots, and files," the Symantec Threat Hunter Team said in a report shared with The Hacker News.

Nodaria was first spotlighted by CERT-UA in January 2022, calling attention to the adversary's use of SaintBot and OutSteel malware in spear-phishing attacks targeting government entities.


Also called DEV-0586, TA471, and UNC2589, the hacking crew has been linked to the destructive WhisperGate (aka PAYWIPE) data wiper attacks targeting Ukrainian entities around the same time.

The group, which is said to be active since at least April 2021, has repeatedly deployed custom backdoors such as GraphSteel and GrimPlant in various campaigns in the aftermath of Russia's military invasion of Ukraine. Select intrusions have also entailed the delivery of Cobalt Strike Beacon for post-exploitation.

Graphiron, the latest program added to the group's arsenal, is an improved version of GraphSteel, packing in features to run shell commands and harvest system information, files, credentials, screenshots, and SSH keys.

Another notable aspect is that while GraphSteel and GrimPlant made use of Go version 1.16, Graphiron relies on version 1.18, which officially shipped in March 2022. This also suggests that Graphiron is a more recent development.


The earliest evidence of Graphiron's usage goes back to October 2022 and it has been employed in attacks until at least mid-January 2023.

Furthermore, an analysis of the infection chains reveals the presence of two stages, a downloader that's responsible for retrieving an encrypted payload containing the Graphiron malware from a remote server.

With the latest findings, Nodaria joins another Russian state-sponsored group referred to as Gamaredon in extensively singling out Ukraine.

"While Nodaria was relatively unknown prior to the Russian invasion of Ukraine, the group's high-level activity over the past year suggests that it is now one of the key players in Russia's ongoing cyber campaigns against Ukraine," Symantec said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.