The special cybersecurity team CERT-UA has analyzed the hacker attack on Babel that occurred last week. The hackers used their own script SKELYAAGENT

Author:
Glib Gusiev
Editor:
Kateryna Kobernyk
Date:

Hackers trying to break into the editorial office of Babel. The image is an AI-generated illustration.

«Babel'»

Last week, on June 18, 2026, hackers attempted an attack on Babel editor Glib Gusev (we analyzed how the attack was organized). Had it succeeded, the hackers would have gained access to his computer: from correspondence in chats to audio from the microphone and video from the webcam (the attack failed because it was organized too crudely). We immediately handed all information about the attack to CERT-UA, a specialized unit of the State Special Communications Service (StSCS). Its specialists fully dissected the attack script, which the hackers had developed "for themselves". The hackers named their own creation SKELYAAGENT. For several months, Babel has been investigating the activities of an assault troops unit whose name partially coincides with the name of this script.

We are publishing a detailed analysis of the hacker attack on Babel because it occurred at a time when the editorial office is conducting several sensitive investigations at once.

One of them concerns a large unit of the Ukrainian Armed Forcesʼ assault forces. The other is a case that has great public resonance.

The editorial staff of Babel had several versions of who might be trying to hack us. The situation was complicated by the fact that, the day before the hacking attempt, MP Yaroslav Zheleznyak publicly announced that he was looking for information about Babel. He is indirectly connected to the subject of one of our investigations.

Yaroslav Zheleznyak wrote that he would be “grateful for detailed information” about the owners of the publication. Hence there were several versions of who might have ordered the hack.

After we received CERT-UAʼs detailed analysis of the attack script and saw its name, SKELYAAGENT, the number of versions shrank. But several remain, because any script name or comment in the code can be a decoy meant to send the victim down the wrong track.

We know that this hacker group knows how to use such decoys, because one of them appeared in the “phishing” letter the Babel editor received. The name SKELYAAGENT could be just such a decoy.

CERT-UA

The script was hidden in a Word document and an Excel spreadsheet, both carrying macros. One of the files displayed a blurred image, supposedly screenshots of correspondence, which the reader was prompted to click.

Hereʼs what it looked like.

CERT-UA

Had the Babel editor clicked on the image to "unblur" it, the macro would have installed a Trojan on his computer. The Trojan would collect logins and passwords, browser data, and data from all instant messengers.

It would also listen in on the editorial staff through the microphone and record video from the webcam.
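One way to triage a macro-enabled document like the two described here before anyone opens it. This is an added example, neither Babelʼs nor CERT-UAʼs code: it treats a .docm/.xlsm as the OOXML zip container it is, checks whether a VBA project is present and declared, and looks for long base64-looking strings in document properties and in cell/text parts, which is where CERT-UAʼs analysis further down says this group hides obfuscated components. The document built inside the block is a constructed sample, and its base64 "payload" is a placeholder string, not the real dropped VBS; the 200-character threshold is an assumption chosen for the demo.

```python
import base64
import io
import re
import zipfile
from typing import Optional

# Zip members of interest: the VBA project, and the parts where CERT-UA says
# obfuscated components were stashed (document properties, table cells).
MACRO_MEMBERS = ("word/vbaProject.bin", "xl/vbaProject.bin")
PROPERTY_MEMBERS = ("docProps/core.xml", "docProps/app.xml", "docProps/custom.xml")
CELL_MEMBERS = ("xl/sharedStrings.xml", "word/document.xml")
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"
# A run of 200+ base64-alphabet characters (assumed threshold) is not
# something a document property or a cell string normally contains.
B64_BLOB = re.compile(rb"[A-Za-z0-9+/]{200,}={0,2}")


def triage_ooxml(data: bytes) -> dict:
    """Inspect one .docm/.xlsm given its raw bytes; return a findings dict."""
    findings = {"has_vba": False, "declares_vba": False, "hidden_blobs": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["has_vba"] = any(m in names for m in MACRO_MEMBERS)
        if "[Content_Types].xml" in names:
            findings["declares_vba"] = VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
        for member in PROPERTY_MEMBERS + CELL_MEMBERS:
            if member not in names:
                continue
            for match in B64_BLOB.finditer(zf.read(member)):
                try:
                    decoded = base64.b64decode(match.group(0), validate=True)
                except ValueError:  # binascii.Error is a ValueError: not real base64
                    continue
                findings["hidden_blobs"].append(
                    {"member": member, "encoded_len": len(match.group(0)), "decoded_head": decoded[:48]}
                )
    return findings


def verdict(findings: dict) -> str:
    """Collapse findings into a one-line triage call."""
    if findings["has_vba"] and findings["hidden_blobs"]:
        return "suspicious: macro plus payload hidden in properties/cells"
    if findings["has_vba"] or findings["declares_vba"]:
        return "macro present: review VBA before enabling"
    return "no macro"


# Constructed stand-in for the dropped VBS stage (not the real script).
CONSTRUCTED_STAGE = b"' constructed stand-in for the dropped VBS stage, not the real one\r\n" * 4


def build_sample(with_macro: bool, hidden_payload: Optional[bytes]) -> bytes:
    """Build a minimal constructed .docm in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = [
            b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            b'<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        ]
        if with_macro:
            types.append(b'<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + b'"/>')
            # OLE compound-file magic plus padding: enough for the demo, no real VBA inside.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
        types.append(b"</Types>")
        zf.writestr("[Content_Types].xml", b"".join(types))
        zf.writestr(
            "word/document.xml",
            b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            b"<w:body><w:p><w:r><w:t>Click the image to unblur it</w:t></w:r></w:p></w:body></w:document>",
        )
        # The "payload" goes into a document property, as in the described lure.
        description = base64.b64encode(hidden_payload) if hidden_payload else b""
        zf.writestr(
            "docProps/core.xml",
            b'<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            b'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:description>' + description
            + b"</dc:description></cp:coreProperties>",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("lure", build_sample(True, CONSTRUCTED_STAGE)), ("clean", build_sample(False, None))):
        print(label, "->", verdict(triage_ooxml(doc)))
```

The check is deliberately cheap: it does not parse the VBA itself (that is what tools like olevba are for), it only answers whether a file that arrived as "evidence" should go to a sandbox rather than to a reporterʼs desktop. Real documents that legitimately embed base64 (some signed or custom-property-heavy files) will trip the blob rule, so the verdict is a triage signal, not proof.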

A leak of such data would endanger the lives of several dozen witnesses in one of the ongoing investigations and would threaten to expose confidential data of our sources in another.

Such actions fall under Article 361 of the Criminal Code of Ukraine. During martial law, they are punishable by imprisonment for a term of ten to fifteen years.

The editorial staff of Babel is finding out who was behind the attack.

We are publishing the full text of the analysis that Babel received from CERT-UA (thanks for the fast and professional work!)

The National Cyber Incident, Cyber Attack, and Cyber Threat Response Team CERT-UA received a report and related materials from a representative of Babel on June 18, 2026 regarding an attempted cyber attack on an employee of the specified media outlet.

Based on the results of the measures taken, the event was classified as a cyber incident of category "02. Malicious program code" (CERT-UA identifier #22689).

It was found that an employee of Babel received a message from an unidentified person on June 18, 2026 with a proposal to distribute information about alleged abuses in the military unit and a link to a public file service for downloading "evidence".

The archive "Photos+Lists.zip" was downloaded from the mentioned link; it contained two documents, "Lists.xlsm" and "Photos.docm". When the documents are opened and the macro is activated on the computer, a VBS script is created and executed, which creates a ZIP archive, extracts its contents, and then runs several BAT scripts and an EXE file.

The mentioned executable file, based on a set of features, is classified as a software tool for implementing cyber threats and is codified by CERT-UA as SKELYAAGENT (while preserving the authenticity of the name used by its developer).

Functionally, the software tool provides covert remote access to a computer (including via Cloudflare tunnels), command execution, keystroke logging, audio and video recording from the microphone and webcam, and theft of authentication data (logins, passwords, HTTP session data) from web browsers, the Signal, WhatsApp and Telegram messengers, saved Wi-Fi network passwords, etc.

According to available technical data, such cyberattacks may have been carried out at least since the end of May 2026 (in particular, one of the domain names was registered on May 27, 2026). Characteristic features, in addition to the aforementioned SKELYAAGENT software tool, are the active use of documents with macros (with the obfuscated content of components hidden in document properties or table cells), intensive use of artificial intelligence, building a control channel through “Cloudflare” infrastructure and tools, as well as specific artifacts at the level of document metadata and lexical-onomastic features, for example: "Ruslan4ik0^^", "serva4ok", "muzhichok".

The described activity is local in nature and is tracked by CERT-UA under the identifier UAC-0272.

CERT-UA has taken appropriate measures to respond to the cyber threat.

Cyber threat indicators:
Network:
mishdevelop[.]uk
agent.mishdevelop[.]uk
serva4ok.mishdevelop[.]uk
muzhichok.mishdevelop[.]uk
apps-partnership-types-bride.trycloudflare[.]com
huntington-correctly-expect-interim.trycloudflare[.]com

CERT-UA
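The network indicators above can be put to work against resolver logs. The following is an added example, not code from CERT-UA or Babel; the log lines are constructed, and the "timestamp client qname qtype" line format is an assumption about how such an export looks. Beyond the listed names it also flags any query for the trycloudflare.com zone, since quick-tunnel hostnames are random and change each time a tunnel is started, so the two listed names will not survive the next campaign.

```python
from typing import Dict, List, Optional, Tuple

# Indicators exactly as published above (defanged with "[.]").
RAW_IOCS = """
mishdevelop[.]uk
agent.mishdevelop[.]uk
serva4ok.mishdevelop[.]uk
muzhichok.mishdevelop[.]uk
apps-partnership-types-bride.trycloudflare[.]com
huntington-correctly-expect-interim.trycloudflare[.]com
"""

# Quick tunnels get a fresh random *.trycloudflare.com name every time one is
# started, so any query for the zone is worth a look, at lower confidence.
WATCHED_ZONES = ("trycloudflare.com",)


def refang(ioc: str) -> str:
    """Turn a defanged, possibly mixed-case name into a comparable hostname."""
    return ioc.strip().lower().rstrip(".").replace("[.]", ".")


def load_iocs(text: str) -> set:
    return {refang(line) for line in text.splitlines() if line.strip()}


def in_zone(qname: str, zone: str) -> bool:
    """True for the zone itself and any name below it, never for look-alikes."""
    return qname == zone or qname.endswith("." + zone)


def classify(qname: str, iocs: set) -> Optional[Tuple[str, str]]:
    """(level, matched indicator) for a queried name, or None if clean."""
    q = refang(qname)
    hits = [ioc for ioc in iocs if in_zone(q, ioc)]
    if hits:
        return "high", max(hits, key=len)  # the most specific indicator wins
    for zone in WATCHED_ZONES:
        if in_zone(q, zone):
            return "medium", zone
    return None


# Constructed resolver export (assumed format): "timestamp client qname qtype".
SAMPLE_LOG = """\
2026-06-18T10:02:13Z 10.0.0.5 agent.mishdevelop.uk A
2026-06-18T10:02:14Z 10.0.0.5 www.example.com A
2026-06-18T10:03:01Z 10.0.0.7 apps-partnership-types-bride.trycloudflare.com A
2026-06-18T10:05:40Z 10.0.0.9 fresh-random-words-tunnel.trycloudflare.com A
2026-06-18T10:06:02Z 10.0.0.9 notmishdevelop.uk A
2026-06-18T10:07:15Z 10.0.0.5 new-host.mishdevelop.uk AAAA
"""


def scan_log(text: str, iocs: set) -> List[Dict[str, str]]:
    """Run every query line through classify() and collect the alerts."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, qname = parts[0], parts[1], parts[2]
        result = classify(qname, iocs)
        if result:
            level, matched = result
            alerts.append({"ts": ts, "client": client, "qname": qname, "level": level, "matched": matched})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG, load_iocs(RAW_IOCS)):
        print(f"{a['level']:6} {a['ts']} {a['client']} {a['qname']} (matched {a['matched']})")
```

Two details matter in practice. Matching is by zone, not by substring, so a new host under mishdevelop.uk is caught while a look-alike such as notmishdevelop.uk is not. And trycloudflare.com is shared infrastructure that developers use legitimately, so a "medium" hit is a lead to pair with the host that made the query, not a verdict on its own.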