Securonix researchers recently uncovered a phishing campaign using a Pilot-in-Command (PIC) Drone manual document as a lure to deliver a toolkit dubbed Merlin.

The campaign, codenamed STARK#VORTEX by Securonix, targets Ukrainian military entities and CERT-UA attributed it to a threat actor tracked as UAC-0154.

The MerlinAgent is an open-source C2 toolkit written in Go, it is similar to other post-exploitation toosl like Cobalt Strike or Sliver.

The lure file (“Інфо про навчання по БПЛА для військових.v2.2.chm” which translates to “info on UAV training for the military”) is in the form of a Microsoft Help file (.chm). Upon opening the document, a malicious JavaScript embedded inside one of the HTML pages is executed.