Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files

Threat actors have launched a new phishing campaign targeting aid organizations involved in humanitarian operations in Ukraine. According to an analysis by The Hacker News, attackers posed as officials from trusted agencies to host fake Zoom meetings, delivering malicious PDF files designed to deploy credential-harvesting payloads.

The campaign leveraged convincing lures using familiar institutional language, complete with genuine branding elements. Victims were invited to attend online sessions where attackers shared documents containing embedded links to compromised web servers. Once accessed, these links triggered the download of malicious scripts that could exfiltrate credentials and sensitive communication data.

Researchers reported that this activity fits within a broader trend of espionage operations exploiting humanitarian sectors. The targets primarily included logistics and coordination groups managing international aid distribution. The malicious PDFs, disguised as event schedules or operational updates, contained JavaScript code that activated on open, redirecting users through multiple obfuscation layers to phishing infrastructure hosted on anonymized domains.

Security analysts have highlighted the evolving sophistication of social engineering techniques in conflict-related cyberspace. The campaign shows how adversaries are adapting legitimate collaboration tools for exploitation, complicating attribution and detection. Organizations engaged in Ukraine relief operations have been urged to verify communications, restrict file macros, and review endpoint telemetry for indicators of compromise associated with weaponized PDF exploits.
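A triage check for the PDF behaviour described above (script that activates on open, plus embedded links), as an added example that is not code from the reported research. The function names and both sample documents are constructed for illustration, and the scan covers only uncompressed PDF objects.

```python
import re

# PDF name tokens tied to the behaviour described: automatic actions,
# embedded script, outbound links and external program launch.
SUSPICIOUS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/URI", "/Launch")

# A PDF name is "/" followed by regular characters (no whitespace or delimiters).
_NAME = re.compile(rb"/[^\x00\t\n\x0c\r ()<>\[\]{}/%]+")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalize_name(raw: bytes) -> str:
    """Decode #xx escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def triage_pdf(data: bytes) -> dict:
    """Count suspicious names and flag the script-on-open combination."""
    counts = {name: 0 for name in SUSPICIOUS}
    for match in _NAME.finditer(data):
        name = normalize_name(match.group(0))
        if name in counts:
            counts[name] += 1
    auto_action = counts["/OpenAction"] + counts["/AA"] > 0
    script = counts["/JavaScript"] + counts["/JS"] > 0
    return {"counts": counts, "script_on_open": auto_action and script}

# Constructed sample: catalog with an open action pointing at a script action
# whose type name is hex-obfuscated.
SAMPLE_FLAGGED = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"4 0 obj << /S /J#61vaScript /JS (app.alert\\('constructed sample'\\);) >> endobj\n"
    b"%%EOF\n"
)

# Constructed sample: an ordinary document with one link annotation, no script.
SAMPLE_BENIGN = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.org/schedule) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for label, doc in (("flagged", SAMPLE_FLAGGED), ("benign", SAMPLE_BENIGN)):
        print(label, triage_pdf(doc))
```

Names stored inside compressed object streams are not visible to this scan, so a clean result on a compressed file means only that the file must be decompressed before it can be judged.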

This latest incident underscores persistent digital risks facing humanitarian missions operating within high-threat geopolitical contexts, where adversaries increasingly target information pipelines supporting aid logistics and international coordination.