FILEMESS
FILEMESS is a Go-based stealer used in campaigns targeting Ukraine, particularly those attributed by CERT-UA to UAC-0239. Since at least the second half of September 2025 it has been observed in spearphishing attacks against the Defence Forces of Ukraine and local government and state bodies across multiple Ukrainian regions, including campaigns impersonating the Security Service of Ukraine and using lure themes related to “countering russian sabotage-reconnaissance groups.” Delivery was observed via phishing emails sent from services such as UKR.net and Gmail, with links to password-protected archives or direct VHD attachments containing an executable and decoy PDF documents. FILEMESS was also reported alongside the OrcaC2 framework.
Its primary function is file theft. FILEMESS recursively searches the Desktop, Downloads, and Documents folders and logical drives D through Z for files matching targeted extensions, computes MD5 hashes of the discovered files, and exfiltrates them to Telegram via the Telegram API. It uses two extension lists, including a shorter list for the common user folders; checks for an existing instance of its own process so that multiple copies do not run concurrently; and establishes persistence through a Windows Registry Run key. Its Telegram API credentials are XOR-obfuscated and Base64-encoded. High-confidence associations in the provided content link FILEMESS to UAC-0239 campaigns targeting Ukrainian defence forces and local governments; no specific file hashes or network IoCs for FILEMESS itself were provided in the content.
Groups observed using it
1 distinct threat actor attributed by public researchers.
14.10.2025 "Countering russian sabotage-reconnaissance groups": UAC-0239 carries out cyberattacks using the OrcaC2 framework and the FILEMESS stealer (CERT-UA#17691)
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Malware used in campaigns targeting Ukraine.
Go-based file stealer delivered via phishing (VHD lure) that searches for files matching specific extensions and exfiltrates them to Telegram.
Referenced as a stealer used alongside the OrcaC2 framework in cyberattacks.
File-stealing malware that recursively searches for files with specified extensions in user folders (Desktop/Downloads/Documents) and logical drives (D–Z), computes MD5 hashes, and exfiltrates files via the Telegram API. Uses XOR-obfuscated and Base64-encoded Telegram API credentials, adds a Run key for persistence, and checks for an existing process to avoid multiple concurrent instances.
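The behaviours described in the family summary and in the source note above (a Run-key persistence write, bulk reads of user documents from the Desktop/Downloads/Documents folders and drives D–Z, and outbound connections to the Telegram API) are individually common and only become interesting in combination. The following correlator is an added example, not code from the page or from CERT-UA: it reads constructed Sysmon-style JSON events, groups them per process, and alerts when at least two of the three indicators coincide. The event schema, the hostnames and paths in the sample, the executable name `report.exe`, and the document extension list are all assumptions for illustration; the page names no specific extensions or IoCs.

```python
"""Correlate endpoint telemetry for the FILEMESS-style behaviour chain.

Example code written for this page; the event format and sample data are
constructed, not taken from any real host or from the page's sources.
"""
import json
import os
from collections import defaultdict

# Constructed Sysmon-like events, one JSON object per line. pid 4120 is a
# hypothetical stealer; pid 5300 is a benign Word process reading one file.
SAMPLE_EVENTS = r"""
{"ts":"2025-10-14T09:01:02Z","event":"ProcessCreate","pid":4120,"image":"C:\\Users\\olena\\AppData\\Local\\Temp\\report.exe"}
{"ts":"2025-10-14T09:01:03Z","event":"RegistryValueSet","pid":4120,"key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","data":"C:\\Users\\olena\\AppData\\Local\\Temp\\report.exe"}
{"ts":"2025-10-14T09:01:05Z","event":"FileRead","pid":4120,"path":"C:\\Users\\olena\\Documents\\plan.docx"}
{"ts":"2025-10-14T09:01:05Z","event":"FileRead","pid":4120,"path":"C:\\Users\\olena\\Desktop\\list.xlsx"}
{"ts":"2025-10-14T09:01:06Z","event":"FileRead","pid":4120,"path":"D:\\archive\\orders.pdf"}
{"ts":"2025-10-14T09:01:09Z","event":"NetworkConnect","pid":4120,"dest_host":"api.telegram.org","dest_port":443}
{"ts":"2025-10-14T09:02:00Z","event":"ProcessCreate","pid":5300,"image":"C:\\Program Files\\Office\\WINWORD.EXE"}
{"ts":"2025-10-14T09:02:01Z","event":"FileRead","pid":5300,"path":"C:\\Users\\olena\\Documents\\plan.docx"}
"""

# Assumed document extensions; the page only says "targeted extensions".
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf", ".odt"}
USER_DIRS = ("\\desktop\\", "\\downloads\\", "\\documents\\")
DATA_DRIVES = "defghijklmnopqrstuvwxyz"  # logical drives D through Z


def parse_events(text):
    """Parse one JSON event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_user_doc(path):
    """True if the path is a document in a user folder or on a drive D–Z."""
    low = path.lower()
    ext = os.path.splitext(low)[1]
    in_user_dir = any(d in low for d in USER_DIRS)
    on_data_drive = len(low) > 2 and low[0] in DATA_DRIVES and low[1] == ":"
    return ext in DOC_EXTS and (in_user_dir or on_data_drive)


def correlate(events, min_files=3):
    """Group events per pid and alert when >= 2 indicators coincide."""
    per_pid = defaultdict(lambda: {"image": None, "run_key": False,
                                   "files": set(), "telegram": False})
    for e in events:
        state = per_pid[e["pid"]]
        if e["event"] == "ProcessCreate":
            state["image"] = e["image"]
        elif e["event"] == "RegistryValueSet" and "\\currentversion\\run\\" in e["key"].lower():
            state["run_key"] = True
        elif e["event"] == "FileRead" and is_user_doc(e["path"]):
            state["files"].add(e["path"])
        elif e["event"] == "NetworkConnect" and e["dest_host"].lower() == "api.telegram.org":
            state["telegram"] = True

    alerts = []
    for pid, state in per_pid.items():
        indicators = []
        if state["run_key"]:
            indicators.append("run_key_persistence")
        if len(state["files"]) >= min_files:
            indicators.append(f"bulk_document_access({len(state['files'])})")
        if state["telegram"]:
            indicators.append("telegram_api_connection")
        # A single indicator (Word reading a .docx, a legitimate Telegram
        # client) is normal; two or more on one process is worth a look.
        if len(indicators) >= 2:
            alerts.append({"pid": pid, "image": state["image"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Requiring two of the three indicators is the design choice that keeps this usable: Office processes read documents all day and a legitimate Telegram desktop client talks to `api.telegram.org`, but neither also writes itself into a Run key. In a real deployment the per-process state would be keyed on a process GUID rather than a reusable pid, and `min_files` tuned to the host's normal document churn.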