{ "id": "535d2fae-8a3e-4dff-b489-12ad6840cc6e", "created_at": "2026-04-06T00:08:11.617295Z", "updated_at": "2026-04-10T03:35:37.684634Z", "deleted_at": null, "sha1_hash": "0050732bfe5f7424cfd141e3f6f6ccca10e7b7f7", "title": "New UAC-0056 activity: There’s a Go Elephant in the room", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 1663518, "plain_text": "New UAC-0056 activity: There’s a Go Elephant in the room\r\nBy Mark Stockley\r\nPublished: 2022-03-31 · Archived: 2026-04-05 14:01:41 UTC\r\nThis blog post was authored by Ankur Saini, Roberto Santos and Hossein Jazi.\r\nUAC-0056 also known as SaintBear, UNC2589 and TA471 is a cyber espionage actorthat has been active since\r\nearly 2021 and has mainly targeted Ukraine and Georgia. The group is known to have performed a wiper attack in\r\nJanuary 2022 on multiple Ukrainian government computers and websites.\r\nEarlier in March, Cert-UA reported UAC-0056activity that targeted state organizations in Ukraine using malicious\r\nimplants called GrimPlant, GraphSteel as well as CobaltStrike Beacon. Following up with that campaign,\r\nSOCPRIMEand SentinelOnehave reported some similar activities associated with this actor.\r\nIn late March, the Malwarebytes Threat Intelligence Team identified newactivity from this group that targeted\r\nseveral entities in Ukraine, including ICTV, a private TV channel. Unlike previous attacks that were trying to\r\nconvince victims to open a url and download a first stage payload or distributing fake translation software, in this\r\ncampaign the threat actor is using a spear phishing attack that contains macro-embedded Excel documents. In this\r\nblog post, we provide a technical analysis of this new campaign.\r\nAttack process\r\nThe following picture shows the overall attack procedure used by this actor. The attack starts with malicious\r\ndocuments sent as attachment to a phishing email. The document contains a malicious macro that drops an\r\nembedded payload within the document. The next stage payloads are being downloaded from the attacker server\r\nin Base64 format.\r\nArticle continues below this ad.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 1 of 11\n\nPhishing email\r\nThe actor has distributed phishing emails at least from March 23th to March 28th. The email subject is\r\nЗаборгованість по зарплаті(wage arrears) and the body of all the emails is the same:\r\nЗаборгованість по зарплаті. Оновлюється автоматично. Просимо надіслати вашу пропозицію для\r\nскорочення заборгованості по зарплаті. (Wage arrears. Updated automatically. Please send your offer to reduce\r\nyour salary arrears.)\r\nExcel document:\r\nThe attached document has the same name as email subject “Заборгованість по зарплаті” and it seems the actor\r\nhas used a legit document as decoy.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 2 of 11\n\nThis document contains an embedded macro that drops the first stage payload called “base-update.exe”. The\r\npayload has been saved in a “very hidden sheet” named “SheetForAttachedFile”. The sheet contains the filename,\r\nthe date the payload is attached (21th March 2022), the file size and the content of the attached file in hex format.\r\nThe macro reads the content of the embedded file in the hidden sheet and writes it into the defined location for this\r\npayload which is the “AppDataLocalTemp” directory. The macro used by the actor is taken from a websitethat\r\ndescribed and provided code for a method to attach and extract the files from an Excel workbook.\r\nElephant Dropper (Base-Update.exe)\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 3 of 11\n\nElephant Dropper is the initial executable deployed in this attack; as the name suggests this is a simple dropper\r\nwhich deploys further stages. This executable is written in the Go programming language and is signed with a\r\nstolen Microsoft certificate. The strings in the binary suggest that it was actually named as Elephant Dropper by\r\nthe attackers themselves.\r\nIt checks if the “C:Users{user}.java-sdk”directory exists on the system and creates it if it does not. The strings in\r\nthe binary are encoded and are only decoded when they are required to be used.\r\nThe dropper decodes the C2 address from a string and then downloads a Base64 encoded binary from the C2 and\r\nwrites it to “C:Users{user}.java-sdkjava-sdk.exe”. This downloaded binary is named as Elephant Downloader by\r\nthe attackers judging from the strings present. java-sdk.exe is then executed by the dropper with the following\r\narguments,“-a 0CyCcrhI/6B5wKE8XLOd+w==”. The argument “-a”refers to address and the Base64 string is\r\nthe C2 address in AES encrypted format.\r\nElephant Downloader (java-sdk.exe)\r\nElephant Downloader is also written in the Go Programming Language and is executed by the Dropper. The main\r\npurpose of this payload is to maintain persistence on the system and also deploy the next two stages of the attack.\r\nThe strings in this executable are encoded in the same way as in the Dropper. It makes itself persistent through the\r\nauto-run registry key. To do so, it creates a registry key under\r\n“SoftwareMicrosoftWindowsCurrentVersionRun”named as “Java-SDK”with value “C:Users{user}Desktopjava-sdk.exe -a 0CyCcrhI/6B5wKE8XLOd+w==”.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 4 of 11\n\nThe downloader is responsible for getting the implant and the client; the URL paths for the payloads are stored in\r\nencoded form in the binary. It downloads the implant and the client from http://194.31.98.124:443/mand\r\nhttp://194.31.98.124:443/prespectively in Base64 encoded format.\r\nAfter this, it decodes the file names which are stored as well in encoded format and creates the file in the earlier\r\nmentioned directory .java-sdk. The file name of the implant is oracle-java.exeand the client is microsoft-cortana.exe. The downloader executes both payloads and passes “-addr 0CyCcrhI/6B5wKE8XLOd+w==” as\r\narguments to both. Again the Base64 string is the C2 address in AES encrypted format.\r\nElephant Implant (oracle-java.exe)\r\nElephant Implant (also tracked as GrimPlant backdoor) seems to be one of the most important payloads in this\r\nattack. This executable communicates with the C2 on port 80. Similar to earlier payloads, strings are encoded in\r\nthe same fashion is in this binary as well, and it also gets the C2 address encrypted from its parent process. The\r\nimplant makes use of gRPC to communicate with the C2, it has a TLS certificate embedded in the binary and\r\nmakes use of SSL/TLS integration in gRPC. This allows the malware to encrypt all the data that is being sent to\r\nthe C2 via gRPC.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 5 of 11\n\nThe implant uses the MachineIDlibrary to derive a unique id for each machine. It also gets the IP address of the\r\nmachine by making a request to “https://api.ipify.org/”.\r\nIt also collects information related to the OS in a function namedGetOSInfo, as part of this the malware collects\r\nthe hostname, OS name and number of CPUs in the system. A function named GetUserInfocollects the Name,\r\nUsername and path to Home directory of the current user.\r\nThe Implant can communicate with the C2 by using 4 types of RPC requests:\r\n/Implant/Login– This is the initial RPC request that is sent to the C2. Along with this RPC request the\r\nearlier retrieved ID and system information is sent to the C2 as well.\r\n/Implant/FetchCommand– This RPC request is used to retrieve the command that the actor wants to\r\nexecute on the target machine. The retrieved command is executed via\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 6 of 11\n\n“%windir%SysWOW64WindowsPowerShellv1.0powershell.exe“. An AdminIdand Commandto be executed\r\nis received as a response to this command.\r\n/Implant/SendCmdOutput– This is used to send the output of an executed command by sending a\r\nSendCmdOutput RPC request to the C2. An AdminId and Command Output is sent with this request.\r\n/Implant/Heartbeat– A Heartbeat RPC request is made to C2 to send the status to the C2 at regular\r\nintervals. The machine id and system info retrieved earlier is sent with this request.\r\nElephant Client (microsoft-cortana.exe)\r\nThe last payload that will be described is this blog is the one named elephant_clientby the actor (also tracked as\r\nGraphSteel backdoor). The functionality suggests that this final payload is a data stealer.\r\nSimilar to other payloads in this attack chain, this payload receives the C2 server as a parameter in Base64 format\r\n(0CyCcrhI/6B5wKE8XLOd+w==) which is AES encrypted format of the server. Decoding the Base64 string\r\ngives us the C2 IP address in AES encrypted format: d02c8272b848ffa079c0a13c5cb39dfb . The actor uses the\r\nfollowing key to AES decrypt (ECB-NoPadding mode) the C2 address:\r\nF1D21960D8EB2FDDF2538D29A5FD50B5F64A3F9BF06F2A3C4C950438C9A7F78E\r\n.\r\nOnce the sample has established its connection with its C2 server, it starts collecting data and exfiltrating them\r\ninto the server. At first it collects some basic info about the user and send it to the server as shown in Figure 12.\r\n(some info has been removed for privacy). The collected data is Base64 encoded, and includes hostname, OS\r\nname(windows), number of CPUs, IP address, Name, Username and home directory.\r\nAfter that, the client tries to steal credentials from the victim’s machine. The actor steals data from the following\r\nservices:\r\nBrowser credentials\r\nWiFi information\r\nCredentials manager data\r\nMail accounts\r\nPutty connections data\r\nFilezilla credentials\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 7 of 11\n\nWe have installed some of these services for testing purposes. Figure 13 shows how the stolen data is being sent to\r\nC2 server:\r\nBase64 decoding data shows what data has been exfiltrated:\r\nFor example, to recover Wifi data, the command netsh wlan show profiles (that list all SSIDs saved in the\r\nmachine) has been used. Once all the SSIDs are gathered, if any, it will launch the command\r\nnetsh wlan show profile [SSID] key=clear\r\n, revealing all saved wifi passwords:\r\nThe following image shows an example of the command execution, where you can see some of the commands\r\nexecuted in the process:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 8 of 11\n\nFigure 17 shows another example of exfiltration in which an encoded PowerShell command is used to steal the\r\ndata from the Secure Vault:\r\nIn addition to stealing credentials, the actor steals all the files from the victim’s machine. To collect the data it\r\niterates through all the files in the user directory and hashes each of them. All of these collected hashes will be\r\nsent to the actor’s C2 server. Finally, the malware will send to the attackers all these files.\r\nNote that all the collected data are AES encrypted before being sent to C2 server, so packet inspection will not\r\nreveal any useful information.\r\nConclusion\r\nUAC-0056 aka UNC2589, TA471, or SaintBear is an active actor that has been performing cyber espionage\r\ncampaigns against Ukraine since 2021. The group is known to have performed the WhisperGate disruptive attack\r\nagainst Ukraine government entities in early 2022. Recently we have observed new activity associated with this\r\nactor that used macro-embedded excel documents to drop its malicious software on victims machines. In this blog\r\nwe provided a technical analysis of this campaign.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 9 of 11\n\nThe Malwarebytes Threat Intelligence teamcontinues to monitor cyber attacks related to the Ukraine war. We are\r\nprotecting our customers and sharing additional indicators of compromise.\r\nIOCs\r\nEmails:\r\n1ce85d7be2e0717b79fbe0132e6851d81d0478dba563991b3404be9e58d745b1\r\n58c93b729273ffa86ed7baa7f00ccd9664ab9b19727010a5a263066bff77cee8\r\ned0128095910fa2faa44e41f9623dc0ba26f00d84be178ef46c1ded003285ae3\r\nExcel doc:\r\nc1afb561cd5363ac5826ce7a72f0055b400b86bd7524da43474c94bc480d7eff\r\nElephant dropper (base-update.exe):\r\n9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c8fccd7c1946070995a\r\nElephant downloader (java-sdk.exe):\r\n8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1\r\nElephant Implant (oracle-java.exe):\r\n99a2b79a4231806d4979aa017ff7e8b804d32bfe9dcc0958d403dfe06bdd0532\r\nElephant Client (microsoft-cortana.exe):\r\n60bdfecd1de9cc674f4cd5dd42d8cb3ac478df058e1962f0f43885c14d69e816\r\nC2:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 10 of 11\n\n194.31.98.124\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia", "ETDA" ], "references": [ "https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/" ], "report_names": [ "new-uac-0056-activity-theres-a-go-elephant-in-the-room" ], "threat_actors": [ { "id": "eecf54a2-2deb-41e5-9857-fed94a53f858", "created_at": "2023-01-06T13:46:39.349959Z", "updated_at": "2026-04-10T02:00:03.296196Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Bleeding Bear", "Cadet Blizzard", "Nascent Ursa", "Nodaria", "Storm-0587", "DEV-0587", "Saint Bear", "EMBER BEAR", "UNC2589", "TA471", "UAC-0056", "FROZENVISTA", "Lorec53", "Lorec Bear" ], "source_name": "MISPGALAXY:SaintBear", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "c28760b2-5ec6-42ad-852f-be00372a7ce4", "created_at": "2022-10-27T08:27:13.172734Z", "updated_at": "2026-04-10T02:00:05.279557Z", "deleted_at": null, "main_name": "Ember Bear", "aliases": [ "Ember Bear", "UNC2589", "Bleeding Bear", "DEV-0586", "Cadet Blizzard", "Frozenvista", "UAC-0056" ], "source_name": "MITRE:Ember Bear", "tools": [ "P.A.S. Webshell", "CrackMapExec", "ngrok", "reGeorg", "WhisperGate", "Saint Bot", "PsExec", "Rclone", "Impacket" ], "source_id": "MITRE", "reports": null }, { "id": "03a6f362-cbab-4ce9-925d-306b8c937bf1", "created_at": "2024-11-01T02:00:52.635907Z", "updated_at": "2026-04-10T02:00:05.339384Z", "deleted_at": null, "main_name": "Saint Bear", "aliases": [ "Saint Bear", "Storm-0587", "TA471", "UAC-0056", "Lorec53" ], "source_name": "MITRE:Saint Bear", "tools": [ "OutSteel", "Saint Bot" ], "source_id": "MITRE", "reports": null }, { "id": "083d63b2-3eee-42a8-b1bd-54e657a229e8", "created_at": "2022-10-25T16:07:24.143338Z", "updated_at": "2026-04-10T02:00:04.879634Z", "deleted_at": null, "main_name": "SaintBear", "aliases": [ "Ember Bear", "FROZENVISTA", "G1003", "Lorec53", "Nascent Ursa", "Nodaria", "SaintBear", "Storm-0587", "TA471", "UAC-0056", "UNC2589" ], "source_name": "ETDA:SaintBear", "tools": [ "Agentemis", "Cobalt Strike", "CobaltStrike", "Elephant Client", "Elephant Implant", "GraphSteel", "Graphiron", "GrimPlant", "OutSteel", "Saint Bot", "SaintBot", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434091, "ts_updated_at": 1775792137, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/0050732bfe5f7424cfd141e3f6f6ccca10e7b7f7.pdf", "text": "https://archive.orkl.eu/0050732bfe5f7424cfd141e3f6f6ccca10e7b7f7.txt", "img": "https://archive.orkl.eu/0050732bfe5f7424cfd141e3f6f6ccca10e7b7f7.jpg" } }