{
	"id": "f3ec3a93-6c33-4b27-aa26-79e93de50824",
	"created_at": "2026-04-06T00:11:03.483132Z",
	"updated_at": "2026-04-10T03:35:37.743961Z",
	"deleted_at": null,
	"sha1_hash": "20f726ae367f8190f262096707f0b59995909557",
	"title": "Fake antivirus updates used to deploy Cobalt Strike in Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5405795,
	"plain_text": "Fake antivirus updates used to deploy Cobalt Strike in Ukraine\r\nBy Bill Toulas\r\nPublished: 2022-03-14 · Archived: 2026-04-05 14:40:17 UTC\r\nUkraine's Computer Emergency Response Team is warning that threat actors are distributing fake Windows antivirus updates that install Cobalt Strike and other malware.\r\nThe phishing emails impersonate Ukrainian government agencies offering ways to increase network security and advise recipients to download \"critical security updates,\" which come in the form of a 60 MB file named \"BitdefenderWindowsUpdatePackage.exe.\"\r\nPhishing email urging the download of a fake AV updater (CERT-UA)\r\nThese emails contain a link to a French website (now offline) that offers download buttons for the alleged AV software updates. Another website, nirsoft[.]me, was also discovered by MalwareHunterTeam to be acting as the command and control server for this campaign.\r\nhttps://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/\r\nPage 1 of 5\r\nMalware-delivering website\r\nSource: CERT-UA\r\nWhen a victim downloads and runs this fake BitDefender Windows update [VirusTotal], the screen below is shown, prompting the user to install a 'Windows Update Package.'\r\nHowever, this 'update' actually downloads and installs the one.exe file [VirusTotal] from the Discord CDN, which is a Cobalt Strike beacon.\r\nCobalt Strike is a widely abused penetration testing suite that offers offensive security capabilities, facilitates lateral network movement, and ensures persistence.\r\nThe same process fetches a Go downloader (dropper.exe), which decodes and executes a base64-encoded file (java-sdk.exe). This file adds a new Windows registry key for persistence and also downloads two more payloads, the GraphSteel backdoor (microsoft-cortana.exe) and the GrimPlant backdoor (oracle-java.exe).\r\nThe infection chain of the uncovered campaign (CERT-UA)\r\nAll executables in the campaign are packed with the Themida tool, which protects them from reverse engineering, detection, and analysis.\r\nGo payloads\r\nBoth GraphSteel and GrimPlant are malware written in Go, a versatile and cross-platform programming language with a minimal footprint and low AV detection rates.\r\nThe capabilities of the two tools cover network reconnaissance, command execution, and file operations, so deploying both on the same system is likely done for redundancy.\r\nGraphSteel features:\r\nGather hostname, username, and IP address information\r\nExecute commands\r\nSteal account credentials\r\nUse WebSocket and GraphQL to communicate with C2, using AES encryption and base64 encoding\r\nGrimPlant capabilities:\r\nGather IP address, hostname, OS, username, home dir\r\nExecute commands received remotely and return results to C2\r\nUse gRPC (HTTP/2+SSL) for C2 communication\r\nNot many technical details have been provided on these two payloads, and we can't exclude the possibility that they are known backdoors given new names in this report.\r\nAttribution\r\nGiven the current situation in Ukraine, it's easy to attribute all hostile activity to Russian and pro-Russian threat actors, and this seems to be the case here too.\r\nThe Ukrainian Computer Emergency Response Team associates the detected activity with the UAC-0056 group with medium confidence.\r\nUAC-0056, also known as \"Lorec53\", is a sophisticated Russian-speaking APT that uses a combination of phishing emails and custom backdoors to collect information from Ukrainian organizations.\r\nUAC-0056 has been spotted ramping up its phishing distribution and network compromise efforts in Ukraine since December 2021.\r\nThe same actor was spotted targeting Georgian government agencies with phishing lures in the recent past, so there's a high level of coordination and alignment with the interests of the Russian state.\r\nSource: https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine/"
	],
	"report_names": [
		"fake-antivirus-updates-used-to-deploy-cobalt-strike-in-ukraine"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434263,
	"ts_updated_at": 1775792137,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/20f726ae367f8190f262096707f0b59995909557.pdf",
		"text": "https://archive.orkl.eu/20f726ae367f8190f262096707f0b59995909557.txt",
		"img": "https://archive.orkl.eu/20f726ae367f8190f262096707f0b59995909557.jpg"
	}
}