{
	"id": "3ca310f2-362e-4e8a-a87c-754862870ce9",
	"created_at": "2026-04-06T00:22:17.680713Z",
	"updated_at": "2026-04-10T03:24:58.563852Z",
	"deleted_at": null,
	"sha1_hash": "218fab98b526e2b47786efaf3b79c16bb62c35e1",
	"title": "SmokeLoader Malware Detection: UAC-0006 Group Reemerges to Launch Phishing Attacks Against Ukraine Using Financial Subject Lures",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54999,
	"plain_text": "SmokeLoader Malware Detection: UAC-0006 Group Reemerges to\r\nLaunch Phishing Attacks Against Ukraine Using Financial Subject\r\nLures\r\nBy Veronika Zahorulko\r\nPublished: 2023-05-09 · Archived: 2026-04-05 16:31:53 UTC\r\nThe financially motivated hacking collective tracked as UAC-0006 has returned to the cyber threat arena,\r\nexploiting the phishing attack vector and distributing the SmokeLoader malware. According to the latest CERT-UA cybersecurity alert, threat actors are mass-distributing phishing emails from compromised accounts,\r\nusing financially themed email subjects and a malicious ZIP attachment to deploy malware on the targeted\r\nsystems.\r\nUAC-0006 Phishing Attack Analysis Spreading SmokeLoader\r\nOn May 5, 2023, CERT-UA cybersecurity researchers issued a new CERT-UA#6613 alert covering the ongoing\r\nadversary campaigns of the notorious financially motivated hacking group known as UAC-0006. By exploiting the\r\nmalicious archive attached to phishing emails, threat actors deploy SmokeLoader malware samples on the\r\ncompromised systems. The archive is a polyglot file containing a document lure and JavaScript code, which\r\ndownloads and launches the executable file portable.exe via PowerShell. The latter launches the SmokeLoader\r\nmalware to spread the infection further.\r\nThe UAC-0006 hacking collective behind the ongoing campaign has been in the limelight in the cyber threat arena\r\nsince 2013 and up to July 2021. The group commonly uses JavaScript file uploaders at the initial attack stage. The\r\ntypical adversary behavioral patterns involve gaining access to remote banking services, stealing authentication\r\ncredentials, such as passwords, keys or certificates, and performing unsanctioned payments, for instance by running\r\nthe HVNC bot directly from the compromised systems.
\r\nThe recommended mitigation measures that help minimize the threat involve blocking the Windows Script Host\r\non the potentially compromised computers. To enable this mitigation, CERT-UA researchers suggest\r\nadding the “Enabled” property with the DWORD type and value “0” to the registry branch\r\n{HKEY_CURRENT_USER,HKEY_LOCAL_MACHINE}\\Software\\Microsoft\\Windows Script Host\\Settings.\r\nDetecting SmokeLoader Malware Spread by the UAC-0006 Group and Covered in\r\nthe CERT-UA#6613 Alert\r\nWith the ever-increasing volume and sophistication of phishing attacks launched by russia-affiliated actors against\r\nUkrainian entities, organizations require a source of reliable detection content to proactively withstand possible\r\nintrusions. SOC Prime's Detection as Code Platform aggregates a list of curated Sigma rules addressing\r\nhttps://socprime.com/blog/smokeloader-malware-detection-uac-0006-group-reemerges-to-launch-phishing-attacks-against-ukraine-using-financial-subject-lures/\r\nPage 1 of 2\n\nadversaries' TTPs covered in CERT-UA inquiries. All the detection content is compatible with 28+ SIEM, EDR,\r\nand XDR solutions and mapped to the MITRE ATT\u0026CK framework v12.\r\nHit the Explore Detections button below and dive into dedicated detection content identifying the latest\r\nSmokeLoader campaign by UAC-0006. All the rules are enriched with relevant metadata, including ATT\u0026CK\r\nreferences and CTI links. To streamline the content search, SOC Prime Platform supports filtering by the custom\r\ntag “CERT-UA#6613” and the broader tag “UAC-0006” based on the alert and group identifiers.\r\nExplore Detections\r\nSecurity practitioners can also streamline their threat hunting operations by searching for IoCs linked to the latest\r\nUAC-0006 campaign against Ukrainian organizations using Uncoder.IO. 
Just paste the IoCs listed in the latest\r\nCERT-UA report into the tool and convert them into a performance-optimized query in a matter of seconds.\r\nIOCs from the CERT-UA#6613 to detect UAC-0006-related threats via Uncoder.IO\r\nMITRE ATT\u0026CK Context\r\nTo delve into the context behind the ongoing UAC-0006 phishing attacks leveraging SmokeLoader malware, all\r\nthe above-referenced Sigma rules are tagged with ATT\u0026CK v12, addressing the relevant tactics and techniques:\r\nSource: https://socprime.com/blog/smokeloader-malware-detection-uac-0006-group-reemerges-to-launch-phishing-attacks-against-ukraine-using-financial-subject-lures/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/smokeloader-malware-detection-uac-0006-group-reemerges-to-launch-phishing-attacks-against-ukraine-using-financial-subject-lures/"
	],
	"report_names": [
		"smokeloader-malware-detection-uac-0006-group-reemerges-to-launch-phishing-attacks-against-ukraine-using-financial-subject-lures"
	],
	"threat_actors": [
		{
			"id": "078f7b2a-4e1c-4843-b7cd-353331cd2260",
			"created_at": "2023-11-21T02:00:07.359148Z",
			"updated_at": "2026-04-10T02:00:03.467054Z",
			"deleted_at": null,
			"main_name": "UAC-0006",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0006",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434937,
	"ts_updated_at": 1775791498,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/218fab98b526e2b47786efaf3b79c16bb62c35e1.pdf",
		"text": "https://archive.orkl.eu/218fab98b526e2b47786efaf3b79c16bb62c35e1.txt",
		"img": "https://archive.orkl.eu/218fab98b526e2b47786efaf3b79c16bb62c35e1.jpg"
	}
}