{
	"id": "72acf313-27c3-447d-b109-cda6e74dc9cd",
	"created_at": "2026-04-06T00:10:52.001951Z",
	"updated_at": "2026-04-10T13:12:18.173137Z",
	"deleted_at": null,
	"sha1_hash": "23cad03333c6962c96c7cf5cabf54e16ce34fe41",
	"title": "UNC1151 Strikes Again: Tactics Against Ukraine’s Defence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4975345,
	"plain_text": "UNC1151 Strikes Again: Tactics Against Ukraine’s Defence\r\nBy cybleinc\r\nPublished: 2024-06-04 · Archived: 2026-04-05 23:18:36 UTC\r\nUNC1151 Strikes Again: Unveiling Their Tactics Against Ukraine’s Ministry of Defence\r\nCyble analyzes a malware campaign targeting Ukraine's Ministry of Defence orchestrated by the UNC1151 APT group, also\r\nexposing their tactics in the process.\r\nKey Takeaways \r\nCyble Research and Intelligence Labs (CRIL) recently encountered a campaign using a malicious Excel document\r\nlinked to the UNC1151 APT group. \r\nThe UNC1151 APT group, originating from Belarus, is notorious for targeting Eastern European countries, including\r\nUkraine, Lithuania, Latvia, Poland, and others. \r\nIn the recent campaign, there are indications that the group is possibly targeting Ukraine, with a potential focus on\r\nthe Ministry of Defence based on the lure document. \r\nThe lure Excel document contains an embedded VBA Macro that, when executed, drops an LNK file and a DLL loader.\r\nSubsequently, running the LNK file initiates the DLL loader, potentially leading to a final payload infection. \r\nIn last year’s campaign, the Threat Actor (TA) obtained an encrypted JPG file via a DLL loader, decrypting it to\r\ndeploy a final payload executable. In the new campaign, the TA is likely to retrieve an encrypted SVG file and\r\ndecrypt it to deliver another DLL payload file. \r\nIn the latest campaign, the TA employs two DLL execution stages in the infection chain, whereas the previous\r\ncampaign utilized only a single DLL. \r\nIn our analysis, we were unable to retrieve the encrypted payload. Nonetheless, it is suspected that the final payload\r\nmay include AgentTesla, Cobalt Strike beacons, and njRAT, similar to what was observed in the previous UNC1151\r\ncampaign. 
\r\nOverview \r\nMandiant Threat Intelligence has uncovered a persistent information operation called “Ghostwriter/UNC1151,” which is part\r\nof a larger influence campaign supporting Russian security interests and promoting narratives critical of NATO. Active since\r\nat least March 2017, this campaign mainly targets audiences in Ukraine, Lithuania, Latvia, and Poland, disseminating false\r\ninformation via compromised websites and spoofed email accounts. UNC1151 has been associated with the Belarusian\r\ngovernment. \r\nFigure 1 – Cyble Vision Threat Library \r\nCRIL recently came across a campaign utilizing malicious XLS documents. Subsequent investigation revealed its\r\nconnection with a malware campaign targeting Ukraine. Further analysis linked this campaign to the Threat Actor (TA)\r\ngroup UNC1151, suggesting a connection to the Belarusian government as part of the GhostWriter operational activities. \r\nhttps://cyble.com/blog/unc1151-strikes-again-unveiling-their-tactics-against-ukraines-ministry-of-defence/\r\nPage 1 of 11\n\nBased on the lure document, the TA is targeting the Ukrainian Military (the Ministry of Defence Ukraine, military base\r\nA0000) through deceptive Excel worksheets. The infection chain may begin with a spam email containing a compressed\r\nattachment, which includes a malicious Excel worksheet document. When the Excel document is executed, it runs embedded\r\nVBA Macro content that drops an LNK and a DLL file. Executing the LNK file triggers the DLL loader, which ultimately\r\nleads to a malware infection on the target system. \r\nThe new TTP changes in this campaign involve a shift from previous methods. In the previous campaign, the TA\r\ndownloaded an encrypted JPG file using a DLL loader, which was then decrypted to deploy a final payload executable. 
In\r\nthe latest campaign, the TA likely downloads an encrypted SVG file, which decrypts to deliver another DLL payload file.\r\nDuring analysis, we were unable to retrieve the final payload. However, the final payload possibly includes AgentTesla,\r\nCobalt Strike beacons, and njRAT, as seen in the previous UNC1151 campaign. \r\nCampaign Analysis \r\nPrevious Campaign (2023) \r\nLast year, a series of cyber campaigns targeted Ukrainian and Polish government, military, and civilian users using\r\nmalicious Excel and PowerPoint files. These files, designed to look like official documents, trick users into enabling macros\r\nthat execute malicious VBA code. The campaigns evolve by using obfuscated code to drop and execute DLLs or\r\ndownloaders, with later stages hidden in appended encrypted blobs in “.jpg” image files. The final payloads include njRAT,\r\nAgentTesla, and Cobalt Strike, aimed at information theft and remote control. \r\nFigure 2 – Differences in the infection chain of the UNC1151 malware campaign \r\nLatest Campaign (2024) \r\nCampaign 1 \r\nThe initial campaign observed in April 2024 targets the Ukrainian Military (the Ministry of Defence Ukraine, military base\r\nA0000), employing a combination of drone image files and a malicious Microsoft Excel spreadsheet, as shown below. The\r\nstrategy involved using socially engineered Excel lures sent via spam email to convince targeted users to enable macros,\r\nthereby triggering the execution chain. \r\nFigure 3 – Files inside the compressed attachment \r\nUpon double-clicking to open the .xls file, a button labeled ‘Enable Content’ is displayed, as depicted below. Clicking this\r\nbutton initiates the execution of the embedded VBA Macro within the document. 
\r\nFigure 4 – Excel lure document \r\nUpon execution of the VBA Macro, it drops a shortcut file named “CybereasonActiveProbe.lnk” in the\r\n“AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\” folder and a malicious DLL file named\r\n“F072d76c85A40hjf9a3c0ab.dll” in the “\\AppData\\Roaming\\Signal\\bin\\bin\\” folder. \r\nSubsequently, it proceeds to execute the LNK shortcut file using Rundll32.exe with the following command-line: \r\nRunDLL32.EXE shell32.dll,ShellExec_RunDLL “C:\\Users\\\u003cUSER\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\CybereasonActiveProbe.lnk” \r\nWhen the LNK file is executed, it initiates the execution of the malicious DLL file with the parameter “SrvLicInitialize”\r\nusing Rundll32.exe, as depicted in the figure below. \r\nFigure 5 – Dropped LNK shortcut file \r\nThe image below illustrates the process tree of the malware infection, starting with the opening of the Excel spreadsheet and\r\nending with the execution of the DLL file. \r\nFigure 6 – Process tree \r\nCampaign 2 \r\nIn the next campaign, when the Excel spreadsheet is opened, a button labeled ‘Enable Content’ is displayed. Clicking this\r\nbutton executes the embedded VBA Macro within the document. The Excel worksheet is designed to entice users to enable\r\nmacros featuring specific content in the Ukrainian language, as shown below.\r\nFigure 7 – Excel lure document \r\nWhen the VBA Macro runs, it drops a shortcut file named “ACtIVePRObE.lnk” in the “\\AppData\\Roaming\\microSoft\\”\r\ndirectory and a malicious DLL file named “Ac83faafb23919Ae9.DLl” in the “\\aPPdaTA\\rOamInG\\VIBErpc\\bIn\\biN\\”\r\ndirectory, as shown in the below code snippet. 
\r\nFigure 8 – Embedded VBA Macro of the Excel document \r\nThen, it executes the LNK shortcut file using Rundll32.exe along with the below command-line parameters: \r\nRunDLL32.EXE shell32.dll,ShellExec_RunDLL “C:\\Users\\\u003cUSER\u003e\\AppData\\Roaming\\microSoft\\ACtIVePRObE.lnk” \r\nUpon execution of the LNK file, it initiates the execution of the malicious DLL file without any parameters using\r\nRegsvr32.exe, as illustrated in the figure below. \r\nFigure 9 – Dropped LNK shortcut file \r\nThe diagram below illustrates the process tree of the malware infection, beginning with the execution of the Excel\r\nspreadsheet and ending with the execution of the DLL file. \r\nFigure 10 – Process tree \r\nDLL Loader (Ac83faafb23919Ae9.DLl) \r\nThe DLL loader is an obfuscated .NET file. Once executed, the malicious DLL loader carries out various malicious actions\r\non the victim’s system. These actions include: \r\nInitially, the DLL verifies specific processes such as processhacker, avastui, aswtoolssvc, procexp, wsc_proxy,\r\noverseer, and avastsvc. If any of these processes are detected, it terminates itself. This action is likely intended to\r\nevade detection and bypass security measures. \r\nFigure 11 – Code snippet for detection evasion \r\nThen, the DLL modifies the system’s security protocol settings to evade detection or carry out malicious activities.\r\nAdditionally, it attempts to conceal its presence, thereby making it more challenging for security analysts or\r\nautomated detection systems to identify and mitigate the threat. 
\r\nNext, the malware loads the System.Net assembly and configures a WebClient to download data from a specified\r\nURL (hxxps://goudieelectric[.]shop/cms/svg/6364.2809640e.chunk.svg). It sets a custom User-Agent header\r\nmimicking a mobile browser and prepares the WebClient to download data using the DownloadData method, as\r\nshown in the figure below. \r\nFigure 12 – Custom User-Agent \r\nBased on the code, it is possible that the downloaded file is yet another DLL, delivered as encrypted content encoded in\r\nBase64 format. However, during execution, we were not able to obtain the encrypted content. \r\nUpon successful retrieval of the content, the DLL decodes the Base64 data and then decrypts it using XOR\r\ndecryption. The resulting DLL binary is saved in the Temp folder with a random name. Subsequently, the new DLL is\r\nexecuted via Rundll32.exe, using the parameter “SrvLicInitialize,” as shown below. \r\nFigure 13 – Code snippet for payload decryption \r\nAfter executing the new DLL, the malware sleeps for a period of time and then proceeds to delete the DLL. \r\nThe primary difference between both files of the latest campaign observed in 2024 lies in their execution and encryption\r\nmethods: \r\nThe “Ac83faafb23919Ae9.DLl” file is executed using Regsvr32.exe by the LNK shortcut file without any\r\nparameters. It relies on plain strings within the file for its malicious operations. This DLL employs an XOR operation\r\nto decrypt the downloaded payload. \r\nIn contrast, the “F072d76c85A40hjf9a3c0ab.dll” file is executed using Rundll32.exe by the LNK shortcut file with\r\nthe parameter “SrvLicInitialize.” It utilizes encoded/encrypted strings throughout the file, decoding/decrypting them\r\nduring execution. This DLL employs the RC4 algorithm for decrypting the downloaded payload. 
\r\nFigure 14 – Code similarities of the latest (April \u0026 May) malware campaign \r\nThis payload is an encrypted DLL that is decrypted and saved into the %temp% directory. Then, the DLL is executed using\r\nan export function parameter “SrvLicInitialize,” possibly leading to the final malware infection. Due to the unavailability of\r\nthe encrypted files, we are unable to determine how the DLL files are used to deliver the final payload. As per previous\r\ninstances of the UNC1151 campaign, the final payload, which included AgentTesla and Cobalt Strike, was possibly used for\r\ninformation stealing and remote access to infected systems. \r\nTTP Shifts \r\nThe key variance between last year’s and this year’s campaigns lies in how the final payload is deployed. In 2024’s\r\ncampaign, both malware loader files share the similarity of downloading an encrypted payload from a malicious URL that\r\nutilizes a “.svg” extension: \r\nhxxps://goudieelectric[.]shop/cms/svg/6364.2809640e.chunk.svg \u0026 hxxps://thevegan8[.]shop/first-gen-network/micro-grants.svg \r\nWhereas in last year’s campaign, the encrypted payload file had a “.jpg” extension: \r\nhxxps[://]onyangdol[.]site/thumb_d_F3D14F4982A256B5CDAE9BD579429AE7[.]jpg \r\nAs outlined in the Talos blog, “the code responsible for downloading the subsequent stage is continuously evolving. In\r\nearlier iterations, the invocation of the Assembly.Load function was relatively straightforward to identify. However, in the\r\nnext campaigns, TA has opted to introduce a layer of obfuscation, employing the RuntimeBinder.Binder functionality to\r\nlocate and execute functions for downloading, decrypting, and loading.” \r\nIn the latest campaign, the decrypted payload is a DLL file. 
This DLL is dropped into the %temp% folder and launched\r\nusing Rundll32.exe with the parameter “SrvLicInitialize,” as shown below. \r\nFigure 15 – TTP changes \r\nConclusion \r\nUNC1151 is persistently conducting a malware campaign against Ukraine, continuously updating its TTPs to enhance its\r\ndefensive evasion techniques. The deployment patterns of the final payload in previous campaigns indicate that its primary\r\nmotivation is to steal information and gain remote access to infected systems. This ongoing threat underscores the need for\r\nvigilant cybersecurity measures to counteract its evolving tactics. UNC1151’s activities highlight a sustained effort to\r\ncompromise Ukrainian targets for strategic gains. \r\nOur Recommendations \r\nThe initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to\r\nidentify and prevent the dissemination of harmful attachments. \r\nWhen handling email attachments or links, particularly those from unknown senders, exercising caution is crucial.\r\nVerify the sender’s identity, particularly if an email seems suspicious. \r\nConsider disabling or limiting the execution of scripting languages on user workstations and servers if they are not\r\nessential for legitimate purposes. \r\nImplement application whitelisting to restrict the execution of rundll32.exe to authorized processes and paths,\r\nreducing the risk of malware launching LNK files through this method. \r\nDeploy strong antivirus and anti-malware solutions to detect and remove malicious executable files. \r\nEnhance system security by creating strong, distinct passwords for each account and, whenever feasible, activating\r\ntwo-factor authentication. \r\nSet up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious\r\nactivities to prevent potential breaches. 
\r\nRegularly back up data to guarantee the ability to recover it in case of an infection and keep users informed about the\r\nmost current phishing and social engineering methods cybercriminals employ. \r\nMITRE ATT\u0026CK® Techniques \r\nTactic | Technique | Procedure \r\nExecution (TA0002) | Command and Scripting Interpreter (T1059) | Document contains embedded VBA macros. \r\nExecution (TA0002) | Exploitation for Client Execution (T1203) | Potential document exploit detected. \r\nPersistence (TA0003) | Registry Run Keys / Startup Folder (T1547.001) | Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. \r\nPrivilege Escalation | Hijack Execution Flow: DLL Side-Loading (T1574.002) | Adversaries may execute their own malicious payloads by side-loading DLLs. \r\nDefense Evasion (TA0005) | Regsvr32 (T1218.010) | Malware abuses Regsvr32.exe to proxy execution of malicious code. \r\nDefense Evasion (TA0005) | Obfuscated Files or Information (T1027) | .NET binary includes packed or encrypted data. \r\nDefense Evasion (TA0005) | Deobfuscate/Decode Files or Information (T1140) | Decodes data using Base64 in the .NET file. \r\nDefense Evasion (TA0005) | Rundll32 (T1218.011) | Malware abuses Rundll32.exe to proxy execution of malicious code. \r\nDiscovery (TA0007) | Process Discovery (T1057) | Queries a list of all running processes. \r\nDiscovery (TA0007) | Security Software Discovery (T1518.001) | AV process strings found (often used to terminate AV products). \r\nC\u0026C (TA0011) | Application Layer Protocol (T1071) | Malware communicates with the C\u0026C server. 
\r\nC\u0026C (TA0011) | Ingress Tool Transfer (T1105) | Downloads files from web servers via HTTP. \r\nIndicators of Compromise (IOCs) \r\nIndicators \r\nhxxps://goudieelectric[.]shop/cms/svg/6364.2809640e.chunk.svg \r\nhxxps://thevegan8[.]shop/first-gen-network/micro-grants.svg \r\ngoudieelectric[.]shop \r\nthevegan8[.]shop \r\nYARA Rule\r\nrule dllLoader\r\n{\r\n    meta:\r\n        author = \"Cyble Research and Intelligence Labs\"\r\n        description = \"Detects dllLoader used in UNC1151 Campaign\"\r\n        date = \"2024-06-03\"\r\n        os = \"Windows\"\r\n        reference_hash = \"d90f6e12a917ba42f7604362fafc4e74ed3ce3ffca41ed5d3456de28b2d144bf\"\r\n    strings:\r\n        $a1 = \"b46ef187886b3aabff8407c8b4ac38a42963d0\" nocase ascii wide\r\n        $a2 = \"wsc_proxy\" nocase ascii wide\r\n        $a3 = \".svg\" nocase ascii wide\r\n        $a4 = \".shop\" nocase ascii wide\r\n        $a5 = \"COR_ENABLE_PROFILING\" nocase ascii wide\r\n        $a6 = \"avastsvc\" nocase ascii wide\r\n    condition:\r\n        all of them\r\n}\r\nReferences \r\nhttps://cloud.google.com/blog/topics/threat-intelligence/espionage-group-unc1151-likely-conducts-ghostwriter-influence-activity \r\nhttps://blog.talosintelligence.com/malicious-campaigns-target-entities-in-ukraine-poland/ \r\nhttps://cert.gov.ua/article/861292 \r\nSource: 
https://cyble.com/blog/unc1151-strikes-again-unveiling-their-tactics-against-ukraines-ministry-of-defence/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cyble.com/blog/unc1151-strikes-again-unveiling-their-tactics-against-ukraines-ministry-of-defence/"
	],
	"report_names": [
		"unc1151-strikes-again-unveiling-their-tactics-against-ukraines-ministry-of-defence"
	],
	"threat_actors": [
		{
			"id": "f29188d8-2750-4099-9199-09a516c58314",
			"created_at": "2025-08-07T02:03:25.068489Z",
			"updated_at": "2026-04-10T02:00:03.827361Z",
			"deleted_at": null,
			"main_name": "MOONSCAPE",
			"aliases": [
				"TA445 ",
				"UAC-0051 ",
				"UNC1151 "
			],
			"source_name": "Secureworks:MOONSCAPE",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434252,
	"ts_updated_at": 1775826738,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/23cad03333c6962c96c7cf5cabf54e16ce34fe41.pdf",
		"text": "https://archive.orkl.eu/23cad03333c6962c96c7cf5cabf54e16ce34fe41.txt",
		"img": "https://archive.orkl.eu/23cad03333c6962c96c7cf5cabf54e16ce34fe41.jpg"
	}
}