{
	"id": "bd4f982f-72aa-4776-9f2c-d848c02d7352",
	"created_at": "2026-04-06T00:10:13.286538Z",
	"updated_at": "2026-04-10T03:37:49.941023Z",
	"deleted_at": null,
	"sha1_hash": "28cf2b4c13ef9297c90335b96fc9cb86f755ebe0",
	"title": "Targeted Phishing Attack against Ukrainian Government Expands to Georgia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1757085,
	"plain_text": "Targeted Phishing Attack against Ukrainian Government Expands to Georgia\r\nBy Avigayil Mechtinger\r\nPublished: 2021-07-14 · Archived: 2026-04-05 21:25:36 UTC\r\nIn May 2021, Fortinet published a report about the early stages of an ongoing phishing attack against the Ukrainian government. The attack, initially based on the Saint Bot downloader, also targeted Georgia, as reported by Malwarebytes. Since June we have seen this threat actor expand its operation with new samples targeting government entities in Georgia. In this report we will cover the new malware samples we found.\r\nMethod of Infection\r\nThe attack’s entry point is a spear phishing email referencing government-related topics including veterans, Ukraine’s Anti-Terrorist Operation (ATO), Georgia’s Internally Displaced Persons (IDPs), organizations in Georgia’s private sector and COVID-19. The attack mainly targets government agencies in Ukraine and Georgia.\r\nThe Malware\r\nThe main payload delivered by the malware is an infostealer written in AutoIt. Its main goal is to steal files from the victim’s machine, uploading them to a predefined command and control (C2) server.\r\nBased on victimology and the fact that this attack tries to steal files from government entities, a classic goal of nation-state groups, it is likely operated by a Russian nation-state. There are also several similarities between this attack and past APT28 campaigns, which we will discuss later.\r\nBelow we summarize the early stages of the attack and show the latest malware targeting government entities in Georgia. We assess with high confidence that this attack may expand its operations to target additional Eastern European countries.\r\nTechnical Analysis\r\nThe attack flow, described below, begins with a phishing email containing a malicious shortened URL. The URL redirects to a command and control (C2) server where a ZIP file or malicious document is hosted. 
The ZIP file contains a malicious file and in some emails also a harmless PDF file. The malicious attachment varies between RTF, DOC, PDF, JS, LNK or EXE. Its main goal is to drop the packed payloads from the C2. The method by which a dropper contacts the C2 in order to deliver the packed payload varies between the different file types and stages of the attack. The packed executable loads an AutoIt payload into memory. The payload searches for files on the victim’s machine based on a list of file extensions and uploads them to a C2 that is hardcoded in the script.\r\nhttps://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/\r\nPage 1 of 16\n\nAttack flow.\r\nAn example of one of the phishing emails sent to the Ukrainian government is below. The threat actor references payments made to veterans of the Anti-Terrorist Operation (ATO).\r\nPhishing email sent to the Ukrainian government. Translation from Ukrainian – Subject: “Payments to ATO Veterans.” Content: “It must be filled in and sent back.”\r\nThe link, masquerading as a Ukrainian .gov domain, is actually a shortened URL (https[://]cutt[.]ly/WcBTVdf) which contacts http[://]gosloto[.]site/doc/form_request.doc and downloads form_request.doc to the victim’s machine. This document is an RTF file that, once run, will present content related to the Israeli Merkava, the main battle tank used by the Israeli Defense Forces.\r\nReference to Israeli Merkava in the RTF file.\r\nThis file is in charge of dropping the final payload from the C2. 
In other phishing emails, this file is named NATO_06042021 (44697aad796c0d82c1adbee15fd1266b).\r\nFirst we Take Kyiv, then we Take Tbilisi\r\nCombined with continuous attacks against Ukraine, the threat actor has expanded its campaign to target government entities in Georgia. The following malicious documents were uploaded to VirusTotal from Georgia on June 17 and July 5.\r\nb56975725c4e260370af540f9c0b6709 – Georgia_Private_Sector_Poster_Inputs_06_2021.pdf\r\n900e892c8151f0f59a93af1206583ce6 – 2021-2022 Strategy Action Plan for IDPs.doc (translated from Georgian)\r\n333796e18eb3f3d1529d07ec90c63e61 – Change to 828.doc (translated from Georgian)\r\nAll three files have low detection rates in VirusTotal at the time of this writing. In the following sections we will describe each file’s behavior.\r\nb56975725c4e260370af540f9c0b6709 in VirusTotal.\r\nThe PDF File\r\nThe PDF file, named “Georgia_Private_Sector_Poster_Inputs_06_2021.pdf,” was uploaded to VirusTotal on June 17, 2021. The PDF contains an action object. Upon a victim opening the PDF, it will send a query to Google containing the C2: http://www[.]google[.]com/url?q=http%3A%2F%2F9348243249382479234343284324023432748892349702394023.xyz\u0026sa=D\u0026sntz=1\u0026usg=AFQjCNFWmVffgSGlrrv-2U9sSOJYzfUQqw. The system will display a security warning asking whether to allow the document to contact “http[:]//www.google.com.”\r\nAction object in b56975725c4e260370af540f9c0b6709.\r\nSystem prompt message.\r\nOnce the document connects to Google, a short series of network redirections occurs. First, Google will redirect to the C2’s URL. 
Then, as described in the image below, the C2 contains a frame with an src pointing to another C2 URL (https[://]16868138130[.]space/000/), which then redirects to a shortened URL (https[://]qaz[.]im/load/rKtsZD/hDKKFD) using a meta refresh redirect. This will finally drop georgia_private_sector_poster_inputs_06_2021.cpl (02f0118bd15dabf727659b9fd27c86c9).\r\nNetwork redirections for delivering the payload.\r\nThis redirection process, starting with Google as the first domain the PDF attempts to access, is an obvious antivirus evasion technique.\r\ngeorgia_private_sector_poster_inputs_06_2021.cpl is a DLL which, when the user clicks on it, runs under a trusted Control Panel process. The DLL is in charge of dropping and running the packed payload from the C2, 16868138130[.]space/000/000.exe (41af4d9fbd0bc719212b78cd7a1b89ec). The packed malware loads the AutoIt payload into memory.\r\nGenetic report of 02f0118bd15dabf727659b9fd27c86c9. Drops 41af4d9fbd0bc719212b78cd7a1b89ec, which loads AutoIt into memory.\r\nIoC report of 02f0118bd15dabf727659b9fd27c86c9 in Intezer Analyze.\r\nThe AutoIt script’s main goal is to upload files from the victim’s machine to a predefined C2. The main logic (see image below) calls the _filsearch function (two images below), which looks for files with the following extensions:\r\n*.doc;*.pdf;*.ppt;*.dot;*.xl;*.csv;*.rtf;*.dot;*.mdb;*.accdb;*.pot;*.pps;*.ppa;*.rar;*.zip;*.tar;*.7z;*.txt\r\n_filsearch uses the @ComSpec environment variable (which usually points to CMD). 
The process tree created by the AutoIt file is below.\r\nCode snippet from the AutoIt script main logic.\r\nCode snippet from the AutoIt script _filsearch function.\r\nProcess tree snippet in Intezer Analyze.\r\nEach file is uploaded to the C2 via a multipart/form-data POST request. The file’s directory is sent hex-encoded. Below is an example of a file upload request.\r\nExample of C_/Users/admin/AppData/Roaming/Microsoft/Windows/Cookies/NUT28OOW.txt file upload.\r\nLastly, the AutoIt script creates and runs a batch file named “r.bat” which deletes the malware from disk and kills the process.\r\nThe Document Files\r\nBoth malicious Word documents uploaded to VirusTotal on July 5 display similar behavior. Let’s look at 900e892c8151f0f59a93af1206583ce6. Once a user opens this document, it will run a VBA macro whose main logic creates, writes to and runs a batch file named “ballDemocrat.bat.” The script written to the batch file will run a PowerShell command that drops an executable from the C2 (http[://]1221[.]site/15858415841/0407.exe) and saves it as centuryarticle.exe.\r\nVBA script (7546f382d73231a4c1fdc58ab1535ec0) in the malicious document.\r\nProcess tree of 900e892c8151f0f59a93af1206583ce6.\r\nThe file dropped from the C2 is a packed .NET file that loads the AutoIt payload into memory.\r\nPossible Russian Connection\r\nWe noticed similarities between this attack and Russia’s APT28 campaigns. 
While these similarities alone are not enough to attribute the attack to APT28, the victimology and the intent to conduct espionage on various government entities in Eastern European regions give us reason to believe that Russia is behind the attack.\r\n1. Victimology: APT28 has targeted Ukraine and Georgia in the past. [1][2][3]\r\n2. Phishing theme: APT28 previously used COVID-19-related phishing themes to target countries including Ukraine. APT28 also used NATO as a phishing theme in the past. [1][2][4][5]\r\n3. Use of AutoIt: One of Zebrocy’s (malware from APT28) variants is written in AutoIt. [6][7]\r\n4. File search with predefined extensions: Zebrocy searches for predefined file extensions on the victim machine. [8][9][13]\r\n5. Compressed file holding both malicious and benign files: this was used in an APT28 COVID-19 phishing attack last year and in other campaigns in the past. [4][8]\r\n6. Use of spear phishing emails containing a URL shortener was documented in past APT28 campaigns. In one of the campaigns, this URL hosted a ZIP file containing a benign PDF and a malicious executable. [8][10][11]\r\n7. Use of hex encoding: The Zebrocy AutoIt version uses string-to-hex encoding. [7]\r\n8. Use of batch files, PowerShell and CMD is part of APT28’s documented TTPs. [8][12]\r\nMitigation\r\nTake the following precautions to keep your organization clean and safe from phishing attacks.\r\n1. Enhance social engineering awareness within your organization.\r\n2. Use an email gateway to analyze attachments and links. Intezer Analyze now supports analysis for Microsoft Office documents, PDFs and scripts.\r\n3. Conduct proactive threat hunting on all endpoints inside your organization to routinely ensure that no traces of malicious code or malware exist in memory. Intezer’s live Endpoint Scanner can help you achieve this at scale by collecting all binaries running in memory, including fileless ones, and classifying them using Genetic Code Analysis technology. 
We also have a Volatility plugin for analyzing memory dumps.\r\nIoCs\r\nAutoIt Payload Script\r\nThe AutoIt script can be found in the following GitHub repository.\r\nDelivery Files\r\nPacked AutoIt Infostealer\r\nC2\r\nReferences\r\n1. CNBC, Russian Hackers Target NATO, Military Secrets\r\n2. FireEye, APT28: A Window Into Russia’s Cyber Espionage Operations?\r\n3. Kaspersky, GreyEnergy’s Overlap with Zebrocy\r\n4. Intezer, A Zebra in Gopher’s Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy\r\n5. QuoIntelligence, APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure\r\n6. ESET, Sednit Update: Analysis of Zebrocy\r\n7. VK-Intel, Let’s Learn: Progression of APT28 AutoIt Zebrocy Downloaders: Source-Code Level Analysis\r\n8. ESET, A Journey to Zebrocy Land\r\n9. ESET, Sednit: What’s Going on with Zebrocy?\r\n10. Brady, S., Indictment – United States vs. Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020\r\n11. Mueller, R., Indictment – United States of America vs. Viktor Borisovich Netyksho, et al. Retrieved September 13, 2018\r\n12. MITRE ATT\u0026CK, APT28\r\n13. MITRE ATT\u0026CK, Zebrocy\r\nSource: https://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/"
	],
	"report_names": [
		"targeted-phishing-attack-against-ukrainian-government-expands-to-georgia"
	],
	"threat_actors": [
		{
			"id": "4d9cdc7f-72d6-4e17-89d8-f6323bfcaebb",
			"created_at": "2023-01-06T13:46:38.82716Z",
			"updated_at": "2026-04-10T02:00:03.113893Z",
			"deleted_at": null,
			"main_name": "GreyEnergy",
			"aliases": [],
			"source_name": "MISPGALAXY:GreyEnergy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434213,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/28cf2b4c13ef9297c90335b96fc9cb86f755ebe0.pdf",
		"text": "https://archive.orkl.eu/28cf2b4c13ef9297c90335b96fc9cb86f755ebe0.txt",
		"img": "https://archive.orkl.eu/28cf2b4c13ef9297c90335b96fc9cb86f755ebe0.jpg"
	}
}