Croatian government targeted by mysterious hackers

A mysterious hacker group has targeted, and most likely infected, Croatian government employees between February and April this year.

The attackers, who are suspected to be a state-sponsored unit, targeted victims with a spear-phishing campaign that mimicked delivery notifications from the Croatian postal service and other retail services.

Emails contained a link to a remote website with a lookalike URL, where users were asked to download an Excel document.

Users targeted with never-before-seen malware

The document was laced with malicious code packed as a macro script which appeared to have been largely copied off the internet, from various tutorials or open source projects hosted on,,,, or

The macro script, if enabled by the victim, would download and install malware on their systems. Two different sets of malware payloads were detected during these attacks.

The first was the Empire backdoor, a component of the Empire post-exploitation framework, a penetration testing utility. The second was SilentTrinity, another post-exploitation tool, similar to the first.

In a presentation at the Positive Hack Days (PHDays) security conference in May, Alexey Vishnyakov, a Senior Specialist in Threat Analysis at cyber-security firm Positive Technologies, said this was the first time a malicious threat actor had weaponized the SilentTrinity tool in an active malware distribution campaign.

Croatian government detected the attacks in April

While they went under the radar for two months, the phishing attacks were eventually detected in early April. The Information Systems Security Bureau (ZSIS), the central state authority responsible for the cyber-security of the Republic of Croatia state bodies, issued two separate alerts about the attacks [1, 2].

The state cyber-security agency shared indicators of compromise, such as file names, registry keys, URLs, and IP addresses for the attackers’ command and control (C&C) servers, asking state agencies to check logs and scan computers for potential infections.
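As an added example, not from the article, from ZSIS or from Positive Technologies, this is the kind of check the alert asked agencies to run: a small Python scanner that matches indicators of the four types listed (file names, registry keys, URLs, C&C IP addresses) against proxy-log lines and a Windows .reg export. The indicator values, the log layout and the sample input are all constructed placeholders, not the real indicators from the alerts.

```python
import re
from urllib.parse import urlsplit
# Constructed placeholder indicators in the four shapes the ZSIS alert listed
# (file names, registry keys, URLs, C&C IP addresses); not the real ones.
IOCS = {
    "ip": {"198.51.100.23"},
    "url": {"http://posta-hr-delivery.example/track/dostava.xls"},
    "filename": {"dostava.xls"},
    "regkey": {r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate"},
}
IOC_HOSTS = {urlsplit(u).hostname for u in IOCS["url"]}
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<url>\S+)")  # assumed "<ts> <client> <url>"
def scan_proxy_log(lines):
    """(client, kind, value) hits: exact URL, lookalike host, C&C IP host or lure file name."""
    hits = []
    for line in lines:
        if not (m := PROXY_RE.match(line)):
            continue
        src, url = m.group("src"), m.group("url")
        parts = urlsplit(url)
        host = parts.hostname or ""
        if url in IOCS["url"] or host in IOC_HOSTS or host in IOCS["ip"]:
            hits.append((src, "url", url))
        name = parts.path.rsplit("/", 1)[-1].lower()
        if name in IOCS["filename"]:
            hits.append((src, "filename", name))
    return hits
def scan_registry_export(lines):
    """Walk a .reg export ('[key]' lines, then '"name"=...' values) and report key\\name IoC paths."""
    wanted = {k.lower() for k in IOCS["regkey"]}
    current, hits = None, []
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current and line.startswith('"') and "=" in line:
            path = current + "\\" + line[1:line.index('"', 1)]
            if path.lower() in wanted:
                hits.append(path)
    return hits
# Constructed sample input; client 10.0.5.21 plays the infected workstation.
PROXY_LOG = [
    "2019-03-14T09:12:01Z 10.0.5.21 http://posta-hr-delivery.example/track/dostava.xls",
    "2019-03-14T09:12:40Z 10.0.5.21 http://198.51.100.23:8080/index.asp",
    "2019-03-14T09:13:02Z 10.0.5.22 https://intranet.example.hr/portal",
]
REG_EXPORT = [
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"WinUpdate"="C:\Users\ana\AppData\Roaming\update.exe"',
]
```

Matching on the lookalike host as well as the exact URL catches later downloads from the same site with a different path; a .reg export is matched as key plus value name because Run-key persistence lives in a value, not a subkey.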

“The Croatian Post has already taken steps to remove the malicious web sites and servers, but both malware versions are currently active,” the agency said. “With this malware attackers can take control over a computer and execute arbitrary commands under the authority of the user who opened the XLS file and enabled the macro commands to execute.”

In a report published today, Vishnyakov pointed out certain connections between the C&C servers used in this campaign targeting Croatian government agencies and past malware distribution operations.

The most important is a FireEye report about hackers using a WinRAR vulnerability to infect government targets in Ukraine with the same Empire backdoor, and using the same C&C server. While FireEye never attributed those attacks to a specific hacker group, the targeting of the Ukrainian government is specific to Russian threat actors, who have been targeting the country’s officials and government agencies since 2014, when Russian troops invaded the Crimean peninsula.

While Vishnyakov refrained from attributing these attacks to a specific threat actor, the researcher did note that “the available data on hosts, addresses, and domains used, as well as the high number of connections between them, suggests a large-scale malicious effort.”
