Russian state-sponsored threat actor Turla has been identified leveraging the legacy Andromeda malware to attack Ukrainian organizations. The Andromeda infection itself was most likely spread by other, unrelated operators through an infected USB drive; Turla later took control of the infected hosts. Mandiant detailed the attack in a recent report, stating that it was conducted in September 2022. Turla has been active since at least 2006 and is also tracked as Venomous Bear, Krypton, and Snake. The group has deployed the ComRAT malware in the past, but has since added further tactics and techniques, including the reuse of the Andromeda malware that first emerged in 2011.
Andromeda is typically used for malware delivery and credential theft. Mandiant stated that it was analyzing an operation suspected to be the work of Turla when it identified expired Andromeda command-and-control domains that the group had re-registered and repurposed for victim profiling. In practice this means that a long-dormant Andromeda infection beaconing to a seemingly dead domain can be brought back under a new operator's control without any new malware being dropped, so defenders should treat outbound traffic to old Andromeda infrastructure as live rather than residual. Although the Turla activity took place in September 2022, the legacy Andromeda sample was most likely delivered in December 2021 via an infected USB drive.