{
	"id": "069e3503-cadb-4aa6-8cb8-59e0558f0394",
	"created_at": "2026-04-06T00:20:20.947323Z",
	"updated_at": "2026-04-10T13:12:27.401646Z",
	"deleted_at": null,
	"sha1_hash": "1cc4ce033d0882f2409dfb88554b537f88119559",
	"title": "Cyberespionage Actor Deploying Malware Using Excel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 289116,
	"plain_text": "Cyberespionage Actor Deploying Malware Using Excel\r\nBy Prajeet Nair\r\nArchived: 2026-04-05 17:19:55 UTC\r\nThreat Actors Luring Ukrainian Phishing Targets to Download Malicious Files (@prajeetspeaks) • April 2, 2022\r\nExample of email lure used by attackers (Source: Malwarebytes)\r\nResearchers have found that the cyberespionage actor UAC-0056, also known as SaintBear, UNC2589 and TA471, is now using a macro-embedded Excel document to target several entities in Ukraine, including ICTV, a private TV channel.\r\n\"Unlike previous attacks that were trying to convince victims to open a URL and download a first-stage payload or distributing fake translation software, in this campaign the threat actor is using a spear-phishing attack that contains macro-embedded Excel documents,\" researchers at cybersecurity firm Malwarebytes say.\r\nThe UAC-0056 group, which cybersecurity firm SentinelOne recently reported was targeting Ukrainians with fake translation software, is known to have performed a wiper attack in January 2022 on multiple Ukrainian government computers and websites.\r\nIn March, CERT-UA reported the group targeting state organizations in Ukraine using malicious implants called GrimPlant, GraphSteel and Cobalt Strike Beacon.\r\nhttps://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830\r\nPage 1 of 4\n\nThe group is also known to have performed the WhisperGate disruptive attack against Ukrainian government entities in early 2022.\r\nTechnical Analysis\r\nThe attack starts with a phishing email in which a document attachment containing a malicious macro drops an embedded payload.
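The first-stage trick the researchers go on to describe, an executable stored as hex in a 'very hidden' sheet that the macro re-assembles and writes to disk, can be triaged without ever opening the lure in Excel. What follows is an added example, not code from the Malwarebytes analysis and not the actor's macro: it reads the workbook XML straight out of the .xlsm zip container, lists the sheets saved with state veryHidden (what VBA's xlSheetVeryHidden becomes on disk; such a sheet cannot be unhidden from the Excel UI), and carves the hex cells of each into bytes. The sample workbook, its row layout (file name, date and size in one row, hex in the next) and the stub payload are constructed for the example; only inline-string and shared-string cells are handled.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces of the three parts the carve has to read.
NS = {
    "m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "p": "http://schemas.openxmlformats.org/package/2006/relationships",
}
HEX_RUN = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")


def _tag(prefix, local):
    return "{%s}%s" % (NS[prefix], local)


def _part(zf, name):
    return ET.fromstring(zf.read(name))


def very_hidden_sheets(zf):
    """Map sheet name -> zip part for every sheet saved with state="veryHidden",
    resolving the sheet's r:id through xl/_rels/workbook.xml.rels."""
    rels = {r.get("Id"): r.get("Target")
            for r in _part(zf, "xl/_rels/workbook.xml.rels").iter(_tag("p", "Relationship"))}
    out = {}
    for s in _part(zf, "xl/workbook.xml").iter(_tag("m", "sheet")):
        if s.get("state") == "veryHidden":
            target = rels[s.get(_tag("r", "id"))].lstrip("/")  # relative to xl/ unless absolute
            out[s.get("name")] = target if target.startswith("xl/") else "xl/" + target
    return out


def _cell_text(cell, shared):
    """(text, is_text) for one <c>; numbers, booleans and formula results are
    not text and are never treated as payload."""
    kind = cell.get("t")
    if kind == "inlineStr":
        return "".join(t.text or "" for t in cell.iter(_tag("m", "t"))), True
    value = cell.findtext(_tag("m", "v"), default="")
    if kind == "s":  # index into xl/sharedStrings.xml
        return shared[int(value)], True
    return value, False


def carve(zf, part):
    """Return (metadata cells, payload bytes) for one worksheet part: text cells
    that are pure hex are concatenated in sheet order and decoded, everything
    else (file name, date, size) is kept as metadata. Numeric cells are excluded
    from the carve on purpose: a file size such as 289116 is valid hex too."""
    shared = []
    if "xl/sharedStrings.xml" in zf.namelist():
        shared = ["".join(t.text or "" for t in si.iter(_tag("m", "t")))
                  for si in _part(zf, "xl/sharedStrings.xml").iter(_tag("m", "si"))]
    meta, chunks = [], []
    for c in _part(zf, part).iter(_tag("m", "c")):
        text, is_text = _cell_text(c, shared)
        text = text.strip()
        if is_text and HEX_RUN.match(text):
            chunks.append(text)
        elif text:
            meta.append(text)
    return meta, bytes.fromhex("".join(chunks))


def extract_embedded(package):
    """{sheet name: (meta, payload)} for every very hidden sheet in an .xlsx/.xlsm."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        return {name: carve(zf, part) for name, part in very_hidden_sheets(zf).items()}


def build_sample_workbook(filename, payload):
    """Constructed test input, not an attacker sample: Sheet1 is listed as visible
    (its part is never read) and a veryHidden SheetForAttachedFile holds the file
    name, a date and the size in row 1 and the file's bytes as hex, 4 bytes per
    cell, in row 2."""
    h = payload.hex()
    hexcells = "".join(f'<c t="inlineStr"><is><t>{h[i:i + 8]}</t></is></c>'
                       for i in range(0, len(h), 8))
    parts = {
        "xl/workbook.xml": f'<workbook xmlns="{NS["m"]}" xmlns:r="{NS["r"]}"><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="SheetForAttachedFile" sheetId="2" state="veryHidden" r:id="rId2"/>'
        "</sheets></workbook>",
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{NS["p"]}">'
        '<Relationship Id="rId1" Target="worksheets/sheet1.xml"/>'
        '<Relationship Id="rId2" Target="worksheets/sheet2.xml"/></Relationships>',
        "xl/worksheets/sheet2.xml": f'<worksheet xmlns="{NS["m"]}"><sheetData>'
        f'<row r="1"><c t="inlineStr"><is><t>{filename}</t></is></c>'
        f'<c t="inlineStr"><is><t>2022-03-21</t></is></c><c><v>{len(payload)}</v></c></row>'
        f'<row r="2">{hexcells}</row></sheetData></worksheet>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    stub = b"MZ\x90\x00" + b"constructed stand-in for base-update.exe"
    for sheet, (meta, payload) in extract_embedded(build_sample_workbook("base-update.exe", stub)).items():
        print(f"{sheet}: meta={meta}, {len(payload)} payload bytes, MZ={payload[:2] == b'MZ'}")
```

On a real lure the carved bytes of a very hidden sheet that begin with MZ are the file the macro would have written to the Temp directory, and the non-hex cells give the name it would have used; the same listing also flags very hidden sheets that carry nothing, which is rare enough in legitimate workbooks to be worth a look on its own. Shared-string cells are resolved because Excel normally stores text that way; the constructed sample uses inline strings only so that it stays self-contained.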
Then, further payloads are downloaded from the attacker server in Base64 format.\r\nThe researchers observed phishing emails being distributed from at least March 23 to March 28, with the subject \"wage arrears\" and with the body of all the emails containing a similar message: \"Wage arrears. Updated automatically. Please send your offer to reduce your salary arrears.\" The attached document carries a similar message to the email body. \"This document contains an embedded macro that drops the first stage payload called 'base-update.exe'. The payload has been saved in a 'very hidden sheet' named 'SheetForAttachedFile,'\" the researchers say.\r\nMalwarebytes researchers found that this sheet contains the filename, the date the payload was attached (March 21, 2022), the file size and the content of the attached file in hex format.\r\n\"The macro reads the content of the embedded file in the hidden sheet and writes it into the defined location for this payload which is the 'AppData\\Local\\Temp' directory. The macro used by the actor is taken from a website that described and provided code for a method to attach and extract the files from an Excel workbook,\" the researchers say.\r\nExample of decoy Excel document (Source: Malwarebytes)\r\nExtracted Files\r\nElephant Dropper\r\nResearchers say that the Elephant dropper is the initial executable deployed in this attack; it is a simple dropper that deploys further stages. This dropper is written in the Go programming language and is signed with a stolen Microsoft certificate.\r\n\"The strings in the binary suggest that it was actually named as Elephant Dropper by the attackers themselves,\" the researchers say. \"It checks if the 'C:\\Users\\{user}\\.java-sdk' directory exists on the system and creates it if it does not.
The strings in the binary are encoded and are only decoded when they are required to be used.\"\r\nThe dropper also decodes the command-and-control address from a string and then downloads a Base64-encoded binary from the C2 and writes it to \"C:\\Users\\{user}\\.java-sdk\\java-sdk.exe.\"\r\nElephant Downloader\r\nElephant Downloader, which is also written in the Go programming language, is executed by the Dropper. The purpose of this payload is to maintain persistence and to deploy the next two stages of the attack.\r\n\"The strings in this executable are encoded in the same way as in the Dropper. It makes itself persistent through the auto-run registry key,\" the researchers say. \"The downloader is responsible for getting the implant and the client; the URL paths for the payloads are stored in encoded form in the binary. It downloads the implant and the client.\"\r\nIn the next stage, the Elephant downloader decodes the file names, which are also stored in an encoded format, and creates the files. The file name of the implant is oracle-java.exe, and that of the client is microsoft-cortana.exe.\r\nElephant Implant\r\nElephant Implant, also tracked as the GrimPlant backdoor, seems to be one of the most important payloads in this attack, the researchers say. They describe how it communicates with the C2 on port 80 and receives the C2 address, in encrypted form, from its parent process.\r\n\"The implant makes use of gRPC to communicate with the C2, it has a TLS certificate embedded in the binary and makes use of SSL/TLS integration in gRPC. This allows the malware to encrypt all the data that is being sent to the C2 via gRPC,\" the researchers say.\r\nThis implant also uses the MachineID library to derive a unique ID for each machine and gets the IP address of the machine by making a request to https://api.ipify.org/.\r\nThe implant collects information related to the OS in a function named GetOSInfo.
As part of this, the malware collects the hostname, OS name and number of CPUs in the system, and a function named GetUserInfo collects the name, username and home directory path of the current user.\r\nElephant Client\r\nThe last payload that the researchers detailed is named elephant_client by the actor. It is also tracked as the GraphSteel backdoor. This final payload is a data stealer, the researchers say.\r\n\"Similar to other payloads in this attack chain, this payload receives the C2 server as a parameter in Base64 format, which is the AES-encrypted form of the server address. Decoding the Base64 string gives the C2 IP address in AES-encrypted format. The actor uses a key to AES decrypt (ECB-NoPadding mode) the C2 address,\" the researchers say.\r\nUpon successful connection with its C2 server, it starts collecting data and exfiltrating it to the server. Initially, it collects basic information about the users and sends it to the server. The collected data is Base64 encoded and includes hostname, OS name (Windows), number of CPUs, IP address, name, username and home directory.\r\nOnce this is finished, the client tries to steal credentials from the victim's machine. The actor steals data from these sources: browser credentials, Wi-Fi information, Credential Manager data, mail accounts, PuTTY connection data and FileZilla credentials.\r\nSource: https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.govinfosecurity.com/cyber-espionage-actor-deploying-malware-using-excel-a-18830"
	],
	"report_names": [
		"cyber-espionage-actor-deploying-malware-using-excel-a-18830"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434820,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1cc4ce033d0882f2409dfb88554b537f88119559.pdf",
		"text": "https://archive.orkl.eu/1cc4ce033d0882f2409dfb88554b537f88119559.txt",
		"img": "https://archive.orkl.eu/1cc4ce033d0882f2409dfb88554b537f88119559.jpg"
	}
}