{
	"id": "1812c98b-caa7-4249-ab4f-766e5d9d886f",
	"created_at": "2026-04-06T00:08:48.691299Z",
	"updated_at": "2026-04-10T03:24:23.535036Z",
	"deleted_at": null,
	"sha1_hash": "27ea60bacd872c1f7772d2e2f9068ffbb2c26cd8",
	"title": "A multi-stage PowerShell based attack targets Kazakhstan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2133080,
	"plain_text": "A multi-stage PowerShell based attack targets Kazakhstan\r\nBy Mark Stockley\r\nPublished: 2021-11-11 · Archived: 2026-04-05 21:33:48 UTC\r\nNovember 12, 2021\r\nThis blog post was authored by Hossein Jazi.\r\nOn November 10 we identified a multi-stage PowerShell attack using a document lure impersonating the Kazakh\r\nMinistry of Health Care, leading us to believe it targets Kazakhstan.\r\nA threat actor under the user name of DangerSklif (perhaps in reference to Moscow’s emergency hospital) created\r\na GitHub account and uploaded the first part of the attack on November 8.\r\nIn this blog we will review the different steps the attacker took to fly under the radar with the intent of deploying\r\nCobalt Strike onto its victims.\r\nOverview\r\nThe attack started by distributing a RAR archive named “Уведомление.rar” (“Notice.rar”). The archive file\r\ncontains a lnk file with the same name pretending to be a PDF document from “Ministry of Health Care, Republic\r\nof Kazakhstan”. Upon opening the lnk file, a PDF file will be shown to confuse victims while in the background\r\nmultiple stages of this attack are being executed. The decoy document is an amendment for a Covid-19 policy that\r\nhas been issued by the Chief State Sanitary of the Republic of Kazakhstan.\r\nAttack process\r\nThe following figure shows the overall process of this attack. The attack started by executing the lnk file that calls\r\nPowerShell to perform several techniques such as privilege escalation and persistence through an autorun registry\r\nkey. We will provide the detailed analysis in the next section.
\r\nAll stages of this attack have been hosted in one GitHub repository named GoogleUpdate. This repository was\r\ncreated on November 8th by a user named DangerSklif. The DangerSklif user was created on GitHub on\r\nNovember 1st.\r\nAnalysis\r\nThe embedded lnk file is obfuscated and after de-obfuscation we can see that it used cmd.exe to call PowerShell to\r\ndownload and execute the first stage of the attack from the GitHub account (lib7.ps1).\r\nThe lib7.ps1 downloads the decoy PDF file from the same GitHub account and stores it in\r\nthe Downloads directory. In the next step it opens the decoy PDF to confuse the user while it performs the rest of\r\nthe process in the background, which includes getting the OS version and downloading the next stage based on the OS\r\nversion.\r\nIf the OS version is 7 or 8, it downloads and executes lib30.ps1, and if the OS version is 10 it downloads and\r\nexecutes lib207.ps1. The reason the actor is checking the OS version is that it is trying to execute the right\r\nprivilege escalation method. These techniques were previously used by TA505 in their campaign to drop SrvHelper.\r\nUsing the SilentCleanup task in the Task Scheduler to bypass UAC in Windows 10: The attacker used\r\nlib207.ps1 to bypass UAC in Windows 10. The PowerShell commands used to perform the bypass are\r\nXOR encrypted using the key 0x58.\r\nAfter decrypting the commands, we can see the process of the UAC bypass, which includes creating a SilentCleanup\r\ntask in the Task Scheduler that calls PowerShell to execute the created vbs file with higher privilege.\r\nUsing the sysprep.exe system utility and DLL side-loading to bypass UAC in Windows 7 and 8: lib30.ps1\r\nis used to execute this bypass.
Similar to lib207.ps1, this PowerShell script is also XOR encrypted but using a\r\ndifferent key (0x02).\r\nFigure 9 shows the PowerShell commands after decryption. The process starts by creating a batch file (cmd.bat) in the\r\n“Windows/Temp” directory. In the next step, a cab archive file is created containing a DLL (CRYPTBASE.dll for\r\nWindows 7 or shcore.dll for Windows 8). Then this cab file is extracted into the C:\\Windows\\System32\\Sysprep\r\ndirectory using wusa.exe.\r\nAt the end, the sysprep.exe system utility launches, which side-loads CRYPTBASE.dll for Windows 7 or\r\nshcore.dll for Windows 8. This DLL executes the created cmd.bat file, which leads to executing it with high\r\nprivilege.\r\nAfter bypassing UAC, in all OS versions the next stage payload is downloaded and executed (lib106.ps1).\r\nThis stage performs the following actions:\r\nCreates a vbs file (cu.vbs) in the ProgramFiles directory and makes this multi-stage attack persistent by\r\nadding this vbs file to the HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key.\r\nMakes the vbs file hidden using the “Attrib.exe +h” command.\r\nDownloads and executes the final stage (updater.ps1) using PowerShell.\r\nThe final stage (updater.ps1) executes Cobalt Strike in a PowerShell context. In fact, this PowerShell script is\r\na PowerShell variant of Cobalt Strike.\r\nThe Cobalt Strike shellcode is base64 encoded and XOR encrypted using the key 35. After decoding and decrypting\r\nthe shellcode, the script allocates it in memory using VirtualAlloc and finally executes it by calling the Invoke function.\r\nKazakhstan in the news\r\nKazakhstan has been in the news recently for overtaking China in the cryptomining industry, depleting its own\r\nelectricity resources.
The energy-rich country is a very important ally for Russia, in particular through lucrative joint oil\r\nand gas ventures.\r\nOther than their GitHub profile, we do not have much information on the threat actor or their exact intention with\r\nthis attack. However, monitoring and espionage are a likely motive.\r\nMalwarebytes users were protected thanks to the Anti-Exploit layer of our product.\r\nIOCs\r\nC2:\r\n188.165.148.241\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2021/11/a-multi-stage-powershell-based-attack-targets-kazakhstan/"
	],
	"report_names": [
		"a-multi-stage-powershell-based-attack-targets-kazakhstan"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434128,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27ea60bacd872c1f7772d2e2f9068ffbb2c26cd8.pdf",
		"text": "https://archive.orkl.eu/27ea60bacd872c1f7772d2e2f9068ffbb2c26cd8.txt",
		"img": "https://archive.orkl.eu/27ea60bacd872c1f7772d2e2f9068ffbb2c26cd8.jpg"
	}
}