{
	"id": "fbf2479b-948b-4f35-98e0-41286878f61e",
	"created_at": "2026-04-06T00:07:41.817244Z",
	"updated_at": "2026-04-10T03:37:50.369153Z",
	"deleted_at": null,
	"sha1_hash": "0243cc97cb90bbde4dd31753b01a2effa19bef58",
	"title": "UAC-0063 Attack Detection: Hackers Target Ukrainian Research Institutions Using HATVIBE, CHERRYSPY, and CVE-2024-23692",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48472,
	"plain_text": "UAC-0063 Attack Detection: Hackers Target Ukrainian Research Institutions Using HATVIBE, CHERRYSPY, and CVE-2024-23692\r\nBy Veronika Zahorulko\r\nPublished: 2024-07-23 · Archived: 2026-04-05 16:39:59 UTC\r\nSince the outbreak of the full-scale war in Ukraine, cyber defenders have observed growing volumes of cyber-espionage campaigns aimed at collecting intelligence from Ukrainian state bodies. The same tactics, techniques, and procedures are also applied against a broader geography, including North America, Europe, and Asia. Specifically, in May 2023, the UAC-0063 group launched a cyber-espionage campaign targeting Ukraine, Central Asia, Israel, and India. Now, the most recent CERT-UA alert warns cyber defenders about an ongoing offensive operation against Ukrainian research institutions orchestrated by the same hacking collective.\r\nDetect UAC-0063 Activity Covered in the CERT-UA#10356 Alert\r\nThe UAC-0063 group is back in the cyber threat arena, targeting the academic sector in Ukraine. The group’s capability to experiment with diverse adversary toolkits and multiple infection vectors at the initial stage of the attack flow underscores the need for proactive defense. SOC Prime’s Platform for collective cyber defense curates a complete product suite for AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation, enabling organizations to spot intrusions in a timely manner and risk-optimize their cybersecurity posture. By following the link below, security experts can instantly reach the comprehensive detection stack addressing the latest UAC-0063 adversary activity, filtered by the “CERT-UA#10356” tag based on the alert ID.
\r\nSigma rules for UAC-0063 attack detection based on the CERT-UA#10356 alert\r\nAll detection algorithms are mapped to the MITRE ATT\u0026CK® framework, enriched with actionable CTI and metadata, and are ready to deploy into dozens of cloud-native and on-prem security analytics platforms.\r\nTo proactively defend against the latest and evergreen cyber attacks attributed to UAC-0063, security engineers can also access more relevant SOC content by clicking the Explore Detections button below.\r\nExplore Detections\r\nCERT-UA has provided a collection of IOCs to detect threats related to the recent activity of the UAC-0063 group. By relying on SOC Prime’s Uncoder AI, defenders can simplify IOC matching by instantly converting relevant threat intelligence into custom performance-optimized queries tailored to the query language of the chosen SIEM or EDR and ready to hunt in the selected environment.\r\nUse Uncoder AI to hunt for IOCs linked to the UAC-0063 activity from the CERT-UA#10356 alert\r\nUAC-0063 Latest Activity Analysis\r\nCERT-UA researchers have uncovered a new malicious campaign attributed to the UAC-0063 hacking collective. Adversaries launched an attack against Ukrainian research institutions on July 8, 2024, leveraging the HATVIBE and CHERRYSPY malware.\r\nAt the initial infection stage, attackers who have access to an employee’s email account send a copy of a recently sent email to dozens of recipients, including the original sender. Notably, the original attachment is replaced with another document containing a macro.\r\nBy opening the DOCX file and activating the macro, another file with a macro is generated and opened on the computer. 
The latter, in turn, will create and open an encoded HTA file of the HATVIBE “RecordsService” malware, along with a scheduled task file “C:\\Windows\\System32\\Tasks\\vManage\\StandaloneService” designed to launch the malicious sample.\r\nFurther, adversaries download a Python interpreter and the CHERRYSPY malware into the “C:\\ProgramData\\Python” directory, relying on its technical capabilities for hidden remote control of the computer. Unlike the previous malware version, which was obfuscated with pyArmor, the latest iteration was compiled into a .pyd (DLL) file.\r\nNotably, the recently observed activity of the UAC-0063 actors could be affiliated with the APT28 group (UAC-0001), which is directly linked to the Main Directorate of the General Staff of russia’s Armed Forces. Additionally, a DOCX file with a similar macro was found on VirusTotal, uploaded from Armenia on July 16, 2024. The lure content of this file contains text addressed to the Department of Defense Policy of the Ministry of Defense of the Republic of Armenia on behalf of the Department of International Military Cooperation of the Ministry of Defense of the Kyrgyz Republic.\r\nMoreover, during June 2024, defenders observed multiple instances of the HATVIBE backdoor being installed through exploitation of an HFS HTTP File Server vulnerability (probably CVE-2024-23692). This shows that the UAC-0063 group applies diverse attack vectors for initial compromise.\r\nTo minimize the risk of UAC-0063 intrusions, defenders strongly recommend enabling two-factor authentication for email accounts, applying policies to block the execution of macros, mshta.exe, and other potentially hazardous software, including the Python interpreter, and following industry best practices and recommendations typical for the current cyber threat landscape. 
\r\nMITRE ATT\u0026CK Context\r\nLeveraging MITRE ATT\u0026CK provides extensive visibility into the behavior patterns related to the latest UAC-0063 attack against Ukrainian research institutions. Explore the table below to see the full list of dedicated Sigma rules addressing the corresponding ATT\u0026CK tactics, techniques, and sub-techniques.\r\nSource: https://socprime.com/blog/uac-0063-attack-detection-hackers-target-ukrainian-research-institutions-using-hatvibe-cherryspy-and-cve-2024-23692/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://socprime.com/blog/uac-0063-attack-detection-hackers-target-ukrainian-research-institutions-using-hatvibe-cherryspy-and-cve-2024-23692/"
	],
	"report_names": [
		"uac-0063-attack-detection-hackers-target-ukrainian-research-institutions-using-hatvibe-cherryspy-and-cve-2024-23692"
	],
	"threat_actors": [
		{
			"id": "d0d996a0-98e2-49fd-b55e-97ba053c4ed0",
			"created_at": "2024-07-25T02:00:04.423466Z",
			"updated_at": "2026-04-10T02:00:03.679863Z",
			"deleted_at": null,
			"main_name": "UAC-0063",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0063",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0243cc97cb90bbde4dd31753b01a2effa19bef58.pdf",
		"text": "https://archive.orkl.eu/0243cc97cb90bbde4dd31753b01a2effa19bef58.txt",
		"img": "https://archive.orkl.eu/0243cc97cb90bbde4dd31753b01a2effa19bef58.jpg"
	}
}