The cyberattack with dangerous emails was detected by specialists from the cybersecurity unit of “Ukrzaliznytsia” (Ukrainian railway). The subject of the letters is “How to recognize a kamikaze drone”, and they allegedly arrive on behalf of the State Emergency Service of Ukraine (DSNS) from morgunov.a@dsns.com[.]ua.

The attachment to the letter contains the RAR archive "shahed-136.rar" with the PPSX document "shahed.ppsx". If you open it, the file "WibuCm32.dll" will be downloaded to the device. It is classified as DolphinCape malware. The main functionality of the program is to collect information about the computer, run EXE/DLL files, as well as create and exfiltrate screenshots.