Hackers Target State Organizations With The Open-Source Merlin Tool

Tyler Cross
Tyler Cross Senior Writer
Tyler Cross Tyler Cross Senior Writer

Ukraine is warning about a new wave of cyberattacks making use of the Merlin open-source tool to perform operations on the compromised networks of various state organizations.

Merlin is a tool used by cybersecurity experts in red team exercises — which is when experts attempt to find vulnerabilities by attacking software so that it can be fixed or patched before criminals take advantage.

It’s available for free on Github, being Go-based and open-source. Like with the Sliver toolkit last year, this software, which was normally used to strengthen cybersecurity, was misappropriated and used to perform lateral movements and attacks within these networks.

As of now, the hackers haven’t been found — due to the open-nature source of the virus, finding a specific origin for the attack is difficult. It could theoretically be from anyone using the software.

The hack began with a phishing email campaign, with hackers posing as officials in the agency using the ert-ua@ukr[.]net email address. The email encourages victims to open a file.

“Opening the mentioned CHM file will execute JavaScript code,” explains Ukraine’s Computer Emergency Response Team (CERT). “Which, in turn, will ensure the launch of a PowerShell script designed to load, decrypt and decompress the GZIP archive “ctlhost.exe.tmp”, which contains the executable file “ctlhost.exe”.”

After executing this file, the victim’s system will be subtly damaged by the Merlin open-source tool and allow the hackers to make further attacks or make lateral movements within your network.

Essentially, this threat works a lot like traditional social engineering scams, which while common, have proven to still be an effective means of infiltrating networks.

Ukraine and its international partners are continuing to monitor the situation and remind users to take their cyber security seriously and be vigilant when watching for email phishing scams. Always verify the sender before downloading any attachments or files.

About the Author
Tyler Cross
Tyler Cross
Senior Writer

About the Author

Tyler is a writer at SafetyDetectives with a passion for researching all things tech and cybersecurity. Prior to joining the SafetyDetectives team, he worked with cybersecurity products hands-on for more than five years, including password managers, antiviruses, and VPNs and learned everything about their use cases and function. When he isn't working as a "SafetyDetective", he enjoys studying history, researching investment opportunities, writing novels, and playing Dungeons and Dragons with friends.

Leave a Comment