Keypoints
- Operation MiddleFloor uses targeted emails (not social media) to deliver fake PDFs and forms impersonating EU institutions and Moldovan ministries to influence public opinion ahead of Moldova’s elections.
- Malicious PDFs link to attacker-controlled domains (e.g., europa[.]study, europa-eppo[.]eu) hosting HTML forms that collect user input and environment data.
- Client-side JavaScript (index.js) gathers form fields, the victim’s user-agent, and IP geolocation (via https://ipapi.co/json/) and POSTs the data to script.php, which forwards it to Telegram bots.
- Additional logging via logger.js captures page URL, IP/geolocation and user-agent and sends this to logger.php; the same logger.js (identical SHA256) is reused across the campaign's pages, so its hash is a usable file-level indicator even on pages that carry no form.
- Infrastructure comprises spoofed domains, shared VPS hosting (AS200313), dedicated mail servers (Mailcow on providers like BlueVPS/OVH), and interlinked certificates/SPF/MX records to enable spoofed email delivery.
- Evidence links the operation to earlier Lying Pigeon clusters across Europe (NATO summit, 2023 Spain elections, Polish campaigns) and to prior malware distribution activity (infostealers such as Lumma in related clusters).
MITRE Techniques
- [T1566] Phishing – Delivery of spoofed emails and PDFs to trick recipients into opening forms and interacting with attacker infrastructure (‘Threat actors use spoofed email accounts to send fake documents and gather information.’)
- [T1003] OS Credential Dumping – Listed for the harvesting of personal and sensitive details via fraudulent forms that request user data for purported official compliance (‘Collecting personal details and sensitive information through fake forms.’). Caveat: T1003 formally covers extraction of credentials from OS stores such as LSASS or /etc/shadow; web-form harvesting of the kind described here is closer to T1598 (Phishing for Information) or T1056.003 (Web Portal Capture).
- [T1213] Data from Information Repositories – Listed for soliciting sensitive organizational and personal information through fabricated EU/ministry documents and feedback forms (‘Using fake documents to solicit sensitive information from victims.’). Caveat: T1213 describes adversary access to repositories such as SharePoint or Confluence; coaxing victims to type information into a fake form is social engineering, again closer to T1598.
- [T1189] Drive-by Compromise – Raised only as a possibility for follow-on exploitation after victims interact with the malicious infrastructure (‘Potential exploitation of victims’ vulnerabilities after they interact with the threat actors’ infrastructure.’). No browser exploit or drive-by payload is described for the MiddleFloor form pages themselves, and the one confirmed malware delivery in the related clusters (a fake NASK PDF leading to Network_CPP_Shield.msi and Lumma) relied on the user running a downloaded installer, which is User Execution (T1204) rather than drive-by compromise.
Indicators of Compromise
- [Domains] impersonation and form hosting – europa[.]study, europa-eppo[.]eu, and many other spoofed EU/Moldovan domains (and dozens more used across the campaign)
- [Mail servers / IPs] email infrastructure and hosting – 185.255.132[.]69, 45.133.148[.]35, and other mail server IPs listed for the campaign (several additional mail server IPs used)
- [File hashes] malicious JavaScript and form artifacts – logger.js SHA256: 4df435afa20401e3af2d17bf8dd67a9d8553520e29cc05905fc9458b8e81ce8f, and MiddleFloor cluster SHA256: fb9105dc73a5… (and other listed hashes)
- [File names] payloads and delivery artifacts – Network_CPP_Shield.msi (used in a related campaign distributing Lumma Infostealer), and PDF attachments (e.g., falsified ministry/EU PDFs)
Operation MiddleFloor uses email as the primary vector: attackers send spoofed messages with PDF attachments that impersonate EU institutions or Moldovan ministries and include links or embedded directives pointing recipients to attacker-controlled domains. Those domains host HTML forms whose index.js collects all submitted form fields, the browser user-agent, and IP/geolocation by requesting https://ipapi.co/json/; the script then bundles the data and POSTs it to script.php, which returns a JSON response indicating the data was forwarded to a Telegram bot. Other pages (including main landing pages) load a common logger.js (identified by a stable SHA256) that gathers page URL, user-agent and IP/geolocation and POSTs them to logger.php, enabling threat actors to track both form submitters and non-submitting visitors.
The operation’s infrastructure is organized into interconnected components: multiple spoofed domains registered across registrars (Zone Media OÜ, NameCheap, Realtime Register), hosting on shared VPSes and dedicated mail servers (Mailcow-managed mail servers hosted on providers like BlueVPS and OVH), and coordinated DNS/SPF/MX and TLS certificate usage to support email spoofing. Historical pivots (shared certificates, common IPs such as 185.255.132[.]69 and 45.133.148[.]35, and reuse of mail servers like mail.mailogon[.]online/mail.mailos[.]ru) link MiddleFloor to prior Lying Pigeon activity across Europe; related clusters have used the same patterns to deliver additional threats (for example, a fake NASK PDF that led to Network_CPP_Shield.msi and Lumma Infostealer distribution).
Read more: https://research.checkpoint.com/2024/disinformation-campaign-moldova/