{
	"id": "1b107cd1-df92-4fc7-8e39-a86c6c43aaa8",
	"created_at": "2026-04-06T00:18:53.952907Z",
	"updated_at": "2026-04-10T13:13:05.977722Z",
	"deleted_at": null,
	"sha1_hash": "1016e2361902d1ccae0113c135dfbcb1c634d98d",
	"title": "Malicious campaigns target government, military and civilian entities in Ukraine, Poland",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7675056,
	"plain_text": "Malicious campaigns target government, military and civilian entities in Ukraine, Poland\r\nBy Vanja Svajcer\r\nPublished: 2023-07-13 · Archived: 2026-04-05 17:44:49 UTC\r\nThursday, July 13, 2023 06:45\r\nCisco Talos has discovered a threat actor conducting several campaigns against government entities, military organizations and civilian users in Ukraine and Poland. We judge that these operations are very likely aimed at stealing information and gaining persistent remote access.\r\nThe activity we analyzed occurred as early as April 2022 and as recently as earlier this month, demonstrating the persistent nature of the threat actor. Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government.\r\nThe attacks used a multistage infection chain initiated with malicious Microsoft Office documents, most commonly using Microsoft Excel and PowerPoint file formats. This was followed by an executable downloader and payload concealed in an image file, likely to make its detection more difficult.\r\nThe final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT.\r\nUkrainian and Polish government and military organizations among those targeted\r\nTalos first discovered a campaign in late April using several malicious files very likely intended for users in Ukraine, based on the content of the lure displayed when the target opens a malicious Microsoft Excel file. Talos eventually uncovered additional campaigns, including the two previously mentioned by Ukraine’s Computer Emergency Response Team (CERT-UA) and FortiGuard Labs researchers. 
The campaigns we discovered also involve malicious files intended for users in Poland.\r\nThe actor is focusing on Ukrainian and Polish government and military targets, based on the content of Excel and PowerPoint lures that include official-looking images and text. The purpose of these socially engineered lures is to convince the targeted users to enable macros, thereby allowing the execution chain to commence. This is the first stage of the attack, as demonstrated in the timeline below.\r\nhttps://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/\r\nPage 1 of 14\r\nTimeline of the various attacks.\r\nStages of the attack: The lure entices the user to enable macros that infect the system\r\nOf the two file types, the PowerPoint files are more unusual in that they would not show any actual slides when opened, but would still execute the malicious VBA code, a finding consistent with CERT-UA’s analysis. Talos is currently researching whether the file’s failure to open is because they are intentionally corrupted. In any case, the VBA code still runs whenever the files are executed. Based on the files’ thumbnail images – the only content visible in the Windows Explorer window – the PowerPoint files imitate Ukraine’s Ministry of Defence and Poland’s Ministry of National Defence. The image below shows the thumbnail images indicating the campaign’s victims.\r\nThumbnail images show themes used by PowerPoint lures in these campaigns by the actor.\r\nAs opposed to the PowerPoint documents that did not display any slides in our testing environments, all Excel documents display legitimate-looking documents related to the targeted military organizations, or generic descriptions on how to enable VBA macro functionality in Excel. 
The VBA code in the Excel and PowerPoint-based campaigns displays a high level of similarity. The content of one of the Excel lures is shown below and contains the form for calculating salary payments (cash certificates) for soldiers of a specific military unit.\r\nSeptember 2022 campaign uses a lure that purports to be an official document from the Ukrainian Ministry of Defence.\r\nThe actor returned with a new campaign on July 4, 2023. The lure contains a payment instruction form containing VBA code, which appears to have been sent from the State Treasury Service of Ukraine. The content of the form is legitimate and targets Ukrainian government organizations, as seen in the image below. The form also contains legitimate macro code modified by the attacker to call malicious subroutines. It seems that the legitimate macro code is used to calculate some values in the spreadsheets, but the legitimate functions are changed to call the function that starts the infection process.\r\nUkrainian and Polish businesses, general users also targeted\r\nThe generic campaigns are aimed at various civilian targets in Poland and Ukraine, such as with Excel spreadsheet lures masquerading as value-added tax (VAT) return forms. Others include Excel spreadsheets that contain socially engineered instructions on how to enable macros in Excel so that the malicious VBA code can be executed. 
These two lures are shown below, respectively.\r\nApril 2023 campaign targeting business users in Poland with a fake VAT return form.\r\nThe majority of the Excel campaigns show some element of luring the user to enable macros in Excel, with the lure content written in Ukrainian.\r\nAttacks start with VBA code to decode the next malware stage\r\nAll campaigns start with Microsoft Office documents, which are possibly sent to the targets as email attachments. In most cases, the file is an Excel spreadsheet containing a VBA macro, but we also found four instances where a malicious PowerPoint OLE2 (PPT) file was used, possibly indicating the actor's readiness to use file formats less commonly used in attacks.\r\nVBA code is responsible for dropping the downloader executable or DLL.\r\nThe VBA code in all files is similar, with minor variations, where some functions serve a legitimate purpose (e.g., some functions for conversion of strings into numbers in Excel). The code is obfuscated using an obfuscator script: some comments the actor didn’t strip are also obfuscated, because the words written in the comments are not recognized as part of the VBA syntax.\r\nAs seen below in the image, the obfuscator randomizes function and variable names but makes the mistake of not recognizing the comments (in green).\r\nRandomized code comments show the code was likely obfuscated by an automated tool.\r\nThe code contains the next stage stored as hexadecimal encoded strings, split into multiple strings so that an antivirus scan would not detect the content as potentially malicious. 
There are three main subroutines: the first is launched when the document is opened (e.g., Auto_Open, Workbook_Open), the second creates a randomly named dynamic-link library (DLL) file in the user’s temporary files folder, and the third creates a randomly named shortcut (LNK) file which contains code to run regsvr32.exe (or rundll32.exe) to launch the next stage.\r\nThe name of the shortcut file, depending on the campaign, is either randomly generated by a random string generator function or hardcoded in the macro code. In some campaigns, the random names are generated by a specific function in the VBA code. The screenshot above shows the function that generates a random string of variable length, specified in the function argument.\r\nOne subroutine calls the DLL dropper, LNK creation and launch routine.\r\nEarlier campaigns used an executable downloader, while the later ones used DLLs for the next stage.\r\nIn some instances, two randomly generated bytes are added to the end of the file, which defeats detection of the dropped files by simple checksum-based (file hash) matching.\r\nIn some cases randomly generated bytes are added to the end of the dropped file.\r\nThe July 2023 campaign has a slightly modified infection chain. The dropper first creates a shortcut file but the dropped DLL is launched with rundll32.exe instead of regsvr32.exe. Once the initial export is called (in this case, the legitimately named function IETrackingProtectionEnabled), the downloader will copy itself and call regsvr32.exe with the parameters “/u /s”, which silently invokes the COM server unregistration export, DllUnregisterServer.\r\nEventually, when the DLL is copied into its final path, rundll32.exe is used to call the exported function SetQueryNetSessionCount, which downloads the next stage. 
The final payload of the July 2023 campaign is njRAT, which increases our confidence that the threat actor's goals are information stealing and remote control of the targeted systems. NjRAT is an open-source remote access trojan (RAT) whose source code is freely available and is used by commodity actors and APTs, making the process of attribution more difficult.\r\nJuly 2023 campaign's main malicious VBA function is Data_Open.\r\nObfuscated downloader retrieves an image containing the payload\r\nThe next stage is a Portable Executable (PE) file, either an executable or a DLL. The ConfuserEx obfuscator, which is very commonly used by malicious actors to obfuscate .NET code, is applied with various levels of obfuscation, anti-tampering and anti-debugging, which makes unpacking more difficult for malware researchers. CERT-UA named the downloader PicassoLoader.\r\nAll downloaders attempt to download an image file from a URL. Depending on the campaign, the final payload or the third intermediate stage is appended as an encrypted binary blob to the end of the image. The image will still display in viewers, but the downloader will extract the executable content using the appropriate decryption key and decryption algorithm.\r\nThe encrypted next-stage blob is appended to the end of a JPEG image.\r\nThe downloader uses managed AES (Rijndael algorithm) to decrypt the appended data, which is then reflectively loaded as a byte array using the Assembly.Load function, as seen below. The decryption key and the initialization vector are either stored as obfuscated strings in the body of the downloader or calculated as an MD5 checksum of the downloaded image file.\r\nThe downloader first decrypts the third stage and then loads it using the Assembly.Load function.\r\nThe code to download the next stage is in constant development. 
In earlier versions, the call to the Assembly.Load function is fairly easy to spot. In the later campaigns, the actor has chosen to add a layer of obfuscation and use the RuntimeBinder.Binder functionality to find and invoke the functions for downloading, decryption and loading.\r\nLater variants of the downloader use Binder to invoke functions.\r\nEarlier variants use the RijndaelManaged implementation of AES to decrypt the next stage, while the variant from April 2023 uses a simplified variant of RC4 to decrypt the payload appended to an image file. The variant from July 2023 returns to RijndaelManaged.\r\nManaged Rijndael is used to decrypt the third stage.\r\nSimplified RC4 is used to decrypt the third stage in April 2023.\r\nMost of the URLs and the infrastructure were not accessible at the time of analysis, although we managed to obtain images from three campaigns to recreate the infection chain. 
Our analysis triggered exceptions in the decryption process, so it is possible that the image files we obtained were corrupted or that the implementation of decryption in some of the downloaders was incorrect.\r\nNevertheless, previous analyses by CERT-UA and FortiGuard Labs indicate that final payloads, which included AgentTesla and Cobalt Strike, were used for information theft and remote access to infected systems.\r\nJuly 2022 image carrying the next stage, from the campaign targeting Ukrainian government organizations.\r\nPayload-carrying image used in September 2022 campaign.\r\nPayload-carrying image used in April 2023 campaign.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. 
You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (formerly Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nThe following ClamAV signatures are applicable to this 
threat:\r\nDoc.Malware.Corona-10003975-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006210-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006211-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006212-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006213-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006214-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006215-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006216-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006217-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006218-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006219-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006220-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006221-0\r\nWin.Downloader.DotNETEncryptedJPEG-10006222-0\r\nImg.Dropper.Agent-10006223-0\r\nImg.Dropper.Agent-10006224-0\r\nXls.Dropper.Corona-10006204-0\r\nXls.Dropper.Corona-10006205-1\r\nXls.Dropper.Corona-10006207-0\r\nOle2.Dropper.Corona-10006206-1\r\nXls.Dropper.Corona-10006207-1\r\nOle2.Dropper.Corona-10006209-0\r\nWin.Trojan.Generic-6417450-0\r\nIndicators of Compromise (IOC)\r\nIndicators of Compromise associated with these threats can be found here.\r\nSource: https://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/"
	],
	"report_names": [
		"malicious-campaigns-target-entities-in-ukraine-poland"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434733,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1016e2361902d1ccae0113c135dfbcb1c634d98d.pdf",
		"text": "https://archive.orkl.eu/1016e2361902d1ccae0113c135dfbcb1c634d98d.txt",
		"img": "https://archive.orkl.eu/1016e2361902d1ccae0113c135dfbcb1c634d98d.jpg"
	}
}