---
title: "The Latest Malware Jester Stealer Warning in Ukraine from CERT-UA: Here’s Everything You Need to Know | Phish Protection"
description: "As the conflict between Russia and Ukraine escalates, the potential of utilizing more lethal weapons, which was previously merely a fear."
image: "https://phishprotection.com/og/blog/latest-malware-jester-stealer-warning-ukraine-cert-ua.png"
canonical: "https://phishprotection.com/blog/latest-malware-jester-stealer-warning-ukraine-cert-ua/"
---



![Phish Protection blog post image](https://media.mailhop.org/phishprotection/images/2022/05/phishing-prevention-best-practices-7641.jpg) 

As the war between Russia and Ukraine escalates, the fear that it could widen to chemical weapons is now being used as a phishing lure. The Computer Emergency Response Team of Ukraine ([CERT-UA](https://cert.gov.ua/article/40135)) has warned of a mass email campaign built around the theme of a “chemical attack.” An email like this, landing in regions directly affected by the invasion, is sure to generate **widespread panic** and pressure the recipient into opening it. The payload is Jester Stealer, an information stealer capable of large-scale [data theft](/resources/phishing-identity-theft/), and it is back on the hunt.

### What the Warning is About and How it Works

CERT-UA, the Computer Emergency Response Team of Ukraine, recently issued a warning on its official website about a wave of cyberattacks on Ukrainians that distributes Jester Stealer.

It says, “The hackers obtain the stolen data over Telegram using statically established proxy addresses (e.g., within TOR),” and “They also employ anti-analysis methods (anti-VM/debug/sandbox).” The malware has no **persistence mechanism**: it deletes itself as soon as it has finished collecting data.

### Details as Issued by CERT-UA

> “over 90% of ransomware attacks begin with a phishing email ([Verizon 2024 Data Breach Investigations Report](https://www.verizon.com/business/resources/reports/dbir/)). Blocking the phishing email is the most effective ransomware prevention strategy available - it stops the attack at the earliest possible stage, before any malware reaches your network. Every ransomware incident we’ve investigated started with an email that should have been caught.” - **Vasile Diaconu**, Operations Lead, DuoCircle

CERT-UA, the Ukrainian government’s computer emergency response unit, found emails circulating widely with the subject “**chemical attack**” and a link to an XLS document containing a macro.

When the recipient opens the document and enables the macro, the macro downloads and launches an EXE file, infecting the computer with JesterStealer.
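The detection a SOC would build for this chain sits on the process tree rather than on the lure: Excel has no business launching an executable out of a user-writable folder, or chaining into cmd or PowerShell. The following is an added example, not code from CERT-UA or from the original post. It runs that rule over constructed process-creation events shaped like Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the field names, the Office install path, the user name and the sample events are all assumptions made for the example.

```python
"""Flag Office applications spawning executables (macro -> EXE chain).

Added example, not code from CERT-UA or the original post.  The event
shape mimics Sysmon Event ID 1 (Image, ParentImage, CommandLine); the
sample events and the Office install path are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and download helpers a macro commonly chains into.
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
           "bitsadmin.exe", "msiexec.exe"}
# Locations a macro can write to without elevation; a fresh EXE here is suspect.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata\\(local|roaming)|downloads|desktop|documents)\\",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a reason if the event matches the macro -> EXE chain, else None."""
    if basename(ev.parent_image) not in OFFICE_PARENTS:
        return None
    child = basename(ev.image)
    if child in LOLBINS:
        return f"office_spawned_lolbin:{child}"
    if USER_WRITABLE.match(ev.image):
        return f"office_spawned_exe_from_user_dir:{child}"
    return None


def scan(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, str]]:
    """Run classify() over a batch of events and keep only the hits."""
    return [(ev, reason) for ev in events if (reason := classify(ev)) is not None]


OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"   # assumed install path
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    # Benign: Excel starting the print helper from the Windows directory.
    ProcessEvent(r"C:\Windows\splwow64.exe", OFFICE16 + r"\EXCEL.EXE", "splwow64.exe 12288"),
    # Malicious: the macro's downloaded payload launched from %TEMP%.
    ProcessEvent(r"C:\Users\olena\AppData\Local\Temp\upd.exe", OFFICE16 + r"\EXCEL.EXE",
                 r"C:\Users\olena\AppData\Local\Temp\upd.exe"),
    # Malicious: Word chaining into cmd/powershell.
    ProcessEvent(r"C:\Windows\System32\cmd.exe", OFFICE16 + r"\WINWORD.EXE",
                 r"cmd.exe /c powershell -w hidden -c Start-Process $env:TEMP\upd.exe"),
    # Benign: a user double-clicking a download in Explorer (not an Office parent).
    ProcessEvent(r"C:\Users\olena\Downloads\setup.exe", r"C:\Windows\explorer.exe",
                 r"C:\Users\olena\Downloads\setup.exe"),
]

if __name__ == "__main__":
    for ev, reason in scan(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {ev.parent_image} -> {ev.command_line}")
```

Fed the four constructed events, the rule flags the payload launched from `%TEMP%` and the Word-to-cmd chain, and stays quiet on Excel starting `splwow64.exe` and on Explorer launching a download. The same chain can be cut off one step earlier by blocking macros in files that carry the Mark-of-the-Web, which current Office builds do by default for documents downloaded from the internet.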


### Another Phishing Campaign

Alongside the Jester Stealer campaign, CERT-UA reported another **phishing campaign** that it attributes to APT28 (aka Fancy Bear, aka Strontium), a Russian state actor.

These emails, with the subject “Кіберaтака” (“cyber-attack” in Ukrainian), are disguised as a security alert from CERT-UA. They carry a RAR archive named “UkrScanner.rar”; opening the files inside it deploys malware called CredoMap_v2.

### Sources Through Which Jester Stealer Can Attack Your System

- According to CERT-UA, the EXE payload is downloaded from **compromised web pages**.
- JesterStealer extracts authentication data and other information from web browsers, mail/FTP/VPN clients, crypto wallets, password managers, messengers, gaming programs, and other applications.

The stolen data is then sent to the attackers via Telegram. Once the collection is finished, _the malware deletes itself_.

### In What Manner Does it Infiltrate Systems?

Jester Stealer is .NET-based malware that typically reaches target computers through [phishing emails](/content/stop-phishing-emails/report-phishing-emails/), masquerading as a txt, jar, ps1, bat, png, doc, xls, pdf, mp3, mp4, or ppt attachment.
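A mail gateway can catch most of these disguises before a user ever sees them. The following is an added example, not code from the original post: it compares an attachment’s claimed extension against its magic bytes, flags a Windows PE image under any non-executable name, flags double extensions and NUL bytes in “text” files, and spots an OOXML document that carries a VBA project whatever it is named. The attachment names and contents are constructed samples, not files from the campaign.

```python
"""Check mail attachments whose claimed type does not match their content.

Added example, not from the original post.  The sample attachments are
constructed byte strings; the minimal OOXML zip below is not a real workbook.
"""
import io
import zipfile
from typing import Dict, List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (docx/xlsx/pptx) and .jar
# (offset, signature) pairs; an extension is accepted if any pair matches.
MAGIC = {
    "pdf": [(0, b"%PDF-")],
    "png": [(0, b"\x89PNG\r\n\x1a\n")],
    "jar": [(0, ZIP_MAGIC)],
    "docx": [(0, ZIP_MAGIC)], "xlsx": [(0, ZIP_MAGIC)], "pptx": [(0, ZIP_MAGIC)],
    "doc": [(0, OLE_MAGIC)], "xls": [(0, OLE_MAGIC)], "ppt": [(0, OLE_MAGIC)],
    "mp3": [(0, b"ID3"), (0, b"\xff\xfb"), (0, b"\xff\xf3"), (0, b"\xff\xf2")],
    "mp4": [(4, b"ftyp")],
}
TEXT_EXTS = {"txt", "ps1", "bat"}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif"}
DOCUMENT_EXTS = set(MAGIC) | TEXT_EXTS


def _matches(data: bytes, ext: str) -> bool:
    return any(data[off:off + len(sig)] == sig for off, sig in MAGIC[ext])


def check_attachment(filename: str, data: bytes) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # 1. "invoice.pdf.exe" style names: a document extension hiding before the real one.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        findings.append(f"double_extension:{parts[-2]}.{ext}")
    # 2. A PE image under any non-executable name is the classic dropper disguise.
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXTS:
        findings.append(f"pe_executable_named_as:{ext or 'none'}")
    # 3. Claimed extension versus magic bytes.
    if ext in MAGIC and not _matches(data, ext):
        findings.append(f"magic_mismatch:{ext}")
    # 4. "Text" attachments should not contain NUL bytes.
    if ext in TEXT_EXTS and b"\x00" in data:
        findings.append(f"binary_content_in_text_ext:{ext}")
    # 5. OOXML with an embedded VBA project is macro-enabled, whatever it is called.
    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                    findings.append("ooxml_contains_vba_project")
        except zipfile.BadZipFile:
            findings.append("zip_magic_but_unreadable_archive")
    return findings


def triage(attachments: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run check_attachment() over a batch and keep only names with findings."""
    return {name: f for name, data in attachments.items() if (f := check_attachment(name, data))}


def _ooxml(with_macro: bool) -> bytes:
    """Build a minimal OOXML-shaped zip (constructed sample, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


SAMPLES = {  # constructed attachments
    "chemical_attack.xls": b"MZ\x90\x00" + b"\x00" * 60,   # PE renamed to .xls
    "report.pdf": b"%PDF-1.7\n%...",                      # looks like a genuine pdf
    "scan.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,         # double extension
    "notes.txt": b"plain text\x00\x00binary tail",         # NUL bytes in a "text" file
    "summary.xlsx": _ooxml(with_macro=True),              # macro-enabled but renamed
    "clean.xlsx": _ooxml(with_macro=False),
}

if __name__ == "__main__":
    for name, findings in triage(SAMPLES).items():
        print(name, findings)
```

Rule 5 is the one worth keeping even if you drop the rest: renaming a macro-enabled `.xlsm` to `.xlsx` does not remove `xl/vbaProject.bin` from the archive, so inspecting the zip catches the file that an extension filter lets through.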

Threat actors also use opportunistic distribution channels, such as pirated software and hacking tools advertised on YouTube.

### What is Jester Stealer?

Jester Stealer is an information stealer: it collects sensitive data such as login credentials, cookies, and credit card details and passes it to the threat actor (TA). The TA uploads the stolen data to a **remote server**, from where it is sold on dark web markets or used in later attacks. Jester Stealer first surfaced on cybercrime forums in July 2021 and has been upgraded seven times since, each version adding new features.

Besides its anti-sandbox and anti-VM capabilities, the stealer harvests data from browsers, VPN clients, password managers, chat messengers, email clients, and crypto wallets. The collected logs are exfiltrated over Tor to a Telegram bot.

#### Its unique characteristics

_Jester Stealer has the following features:_

- Connections are encrypted with AES-CBC-256.
- Exfiltration is routed through Tor network servers.
- All logs are delivered to the operator’s **Telegram bot**.
- Fast log collection in memory, with nothing written to disk.
- Sold for $99 per month or $249 for lifetime access.
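The exfiltration path described above, in the earlier section on how the stolen data is sent back and in this feature list (in-memory logs delivered to a Telegram bot, with Tor proxies in between), is itself something to hunt for. The following is an added example, not code from the original post or from the malware. It parses web-proxy log lines in a format assumed for the example (`<timestamp> <client_ip> <method> <url> <status> <bytes>`) and flags uploads to the Telegram Bot API, whose URL embeds the bot token (`/bot<id>:<secret>/sendDocument`). Connections to `.onion` hosts are flagged as well; that heuristic is drawn from the Tor mention and is an assumption, not something the advisory states. The sample lines and the bot token are constructed.

```python
"""Spot Telegram Bot API exfiltration (and Tor onion hosts) in proxy logs.

Added example, not code from the original post or the malware.  Log
format is assumed: "<timestamp> <client_ip> <method> <url> <status> <bytes>".
Sample lines and the bot token are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Bot API calls carry the token in the path: /bot<numeric id>:<secret>/<method>.
BOT_PATH = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})/(?P<method>[A-Za-z]+)")
# Methods that push content out of the host; getUpdates etc. would be the bot reading.
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo", "sendAudio"}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    parts = line.split()
    if len(parts) != 6:
        return None  # malformed line: skip it rather than abort the whole scan
    ts, client, method, url, status, nbytes = parts
    if "://" not in url:             # CONNECT lines usually log only host:port
        url = "https://" + url
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes": int(nbytes)}


def inspect(rec: Dict[str, object]) -> Optional[str]:
    """Return a reason string for an exfiltration indicator, else None."""
    u = urlsplit(str(rec["url"]))
    host = (u.hostname or "").lower()
    if host.endswith(".onion"):
        return f"tor_onion_host:{host}"
    if host == "api.telegram.org":
        m = BOT_PATH.match(u.path)
        if m and m.group("method") in EXFIL_METHODS and rec["method"] == "POST":
            # Report the bot id (useful for pivoting) but never the secret half of the token.
            return f"telegram_bot_exfil:bot_id={m.group('bot_id')}:{m.group('method')}:{rec['bytes']}B"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, reason) for every log line that matches an indicator."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = inspect(rec)
        if reason:
            alerts.append((str(rec["client"]), reason))
    return alerts


SAMPLE_LOG = """\
2022-05-17T10:01:58Z 10.0.4.23 GET https://www.example.com/news 200 58211
2022-05-17T10:02:11Z 10.0.4.23 POST https://api.telegram.org/bot5123456789:AAHkW3zqXm9pLd2Y7RcBvN0tQ1sUaE4fGhI/sendDocument 200 184231
2022-05-17T10:02:12Z 10.0.4.23 POST https://api.telegram.org/bot5123456789:AAHkW3zqXm9pLd2Y7RcBvN0tQ1sUaE4fGhI/sendMessage 200 412
2022-05-17T10:03:40Z 10.0.4.88 GET https://web.telegram.org/k/ 200 9123
2022-05-17T10:04:02Z 10.0.4.23 CONNECT example3bn7xyz.onion:443 200 0
""".splitlines()

if __name__ == "__main__":
    for client, reason in scan(SAMPLE_LOG):
        print(client, reason)
```

A user browsing web.telegram.org is not flagged; only POSTs to the Bot API that push content out are, and the alert carries the numeric bot id so analysts can pivot on it without copying the secret into tickets. If the proxy sees only TLS, the SNI `api.telegram.org` from a workstation that has no Telegram desktop client is still a usable signal, just a weaker one.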

### What is at Stake?

It encrypts its connections with **AES-CBC-256**, routes exfiltration through Tor network servers, delivers logs to Telegram bots, and assembles the stolen material in memory before sending it. The range of data it targets is broad:

- Passwords, credit cards, cookies, autofill data, browsing history, and bookmarks/favorites from more than 20 web browsers.
- Password managers such as KeePass, NordPass, LastPass, Bitwarden, 1Password, RoboForm, and others.
- Gaming software: Steam sessions, Twitch streams, and OBS profiles with broadcast (stream) keys.
- Email clients: Thunderbird, Outlook, and FoxMail.
- Instant messaging apps: Telegram, Discord, WhatsApp, Signal, and Pidgin.
- Cryptocurrency wallets, including Electrum, Exodus, Guarda, Atomic, Coinomi, Jaxx, Wasabi, Zcash, and others.

### Guidelines to Safeguard Your Information Systems

**Avoid unreliable websites**: Not downloading **executable files** from untrustworthy websites or torrent swarms removes a large share of info-stealer infections.

**Use official news sources**: Stick to official sources for breaking news in affected areas. A genuine warning on the President’s website, or an equivalent message from official accounts on Twitter, deserves far more trust than an unsolicited email.

**Keep anti-virus up to date**: Do not download or run files that arrive in unsolicited emails, and scan anything you do download with an up-to-date anti-virus product.

**Distrust emails that push you to enable macros**: Attackers rely on pretexts such as _asking you to cancel an order or read a legal document_ to get you to open a document and then to enable macros. No legitimate organization asks you to open an Excel file to cancel an order, and you do not need macros to read a Word document.

![Phishing attack prevention](https://media.mailhop.org/phishprotection/images/2022/05/phishing-attack-prevention-5862.jpg) 

**Raise overall security:** Build a security mindset among your staff. Enable [multi-factor authentication](/blog/latest-phishing-campaign-targeting-microsoft-proves-multi-factor-authentication-risky-organizations/), enforce strong passwords, and remember that phishing remains the most common initial access vector, even for sophisticated adversaries.

### Final Words

The war between Ukraine and Russia is not the only reason for the **cyberattack warning**; [phishing attempts](/resources/history-of-phishing/) have spread across the digital world. There is no single rule that protects against such attacks; the best defense is to apply the fundamental cyber hygiene principles consistently to avoid financial and reputational damage to your business.


[Brad Slavin](/authors/brad-slavin/), General Manager and founder of DuoCircle. Published May 18, 2022.


