{
	"id": "c5b631f5-6895-4e06-91e4-a4e4ace1bc03",
	"created_at": "2026-04-06T00:12:28.560341Z",
	"updated_at": "2026-04-10T13:12:07.700178Z",
	"deleted_at": null,
	"sha1_hash": "2dd2e125708c8c57a566f6cc16e3f8893a91d372",
	"title": "Unknown APT group has targeted Russia repeatedly since Ukraine invasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4526445,
	"plain_text": "Unknown APT group has targeted Russia repeatedly since Ukraine invasion\r\nBy Mark Stockley\r\nPublished: 2022-05-23 · Archived: 2026-04-05 14:24:55 UTC\r\nAn unknown Advanced Persistent Threat (APT) group has targeted Russian government entities with at least four separate spear phishing campaigns since late February, 2022.\r\nThe campaigns, discovered by the Malwarebytes Threat Intelligence team, are designed to implant a Remote Access Trojan (RAT) that can be used to surveil the computers it infects, and run commands on them remotely.\r\nThe malware uses a number of advanced tricks to hide what it does and how it works, but our analysts have been able to reverse engineer the malware, reveal its inner workings, and uncover some clues about its possible origins.\r\nAttribution is always difficult, and there is no shortage of countries or agencies with an interest in getting covert access to Russian government computers—and the recent invasion of Ukraine has simply increased the stakes.\r\nAlthough our analysis and attribution efforts are ongoing, we have discovered some indicators that suggest the threat actor may be a Chinese group.\r\nThe campaigns\r\nThe APT group has launched at least four campaigns since late February, using a variety of lures, detailed below.\r\n1. Interactive map of Ukraine\r\nThe threat actor started this campaign around February 26, 2022, and distributed its custom malware with the name interactive_map_UA.exe, trying to disguise it as an interactive map of Ukraine. This campaign began a few days after Russia invaded Ukraine, which shows the threat actor was monitoring the situation between Ukraine and Russia and took advantage of it to lure targets in Russia.\r\n2. Log4j patch\r\nIn this campaign the threat actor packaged its custom malware in a tar file called Patch_Log4j.tar.gz, a fake fix for December’s high-profile Log4j vulnerability.\r\nThis campaign ran in early March and was primarily aimed at RT TV (formerly Russia Today or Rossiya Segodnya, a Russian state-controlled international television network funded by the Russian government). The APT group had access to almost 100 RT TV employees’ email addresses.\r\nhttps://www.malwarebytes.com/blog/threat-intelligence/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion\r\nPage 1 of 18\r\nThe emails were sent with the subject “Ростех. ФСБ РФ. Роскомнадзор. Срочные сиправления уязвимостей”, which translates into “Rostec. FSB RF. Roskomnadzor. Urgent Vulnerability Fixes”. (Rostec is a Russian state-owned defense conglomerate founded by Putin.)\r\nThe emails also come with a number of image files and a PDF attached, perhaps to make the email less suspicious, and to bypass any systems that flag emails by number of attachments.\r\nThe PDF attachment—О кибербезопасности 3.1.2022.pdf—pretends to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation”. It contains instructions about how to execute the fake patch, as well as a bulleted list of security advice such as “Use two-factor authentication”, “Issue separate credit cards for purchases”, and “Use Kaspersky antivirus”.\r\nIn a confident demonstration of just how little attention people pay to such lists, it ends “Do not open or reply to suspicious emails.”\r\nThe list even includes a link to a page on VirusTotal that proclaims in bright green letters that “No security vendors and no sandboxes flagged this file as malicious”. This is just another effort to convince the victims that the attachment is not malicious—the file on VirusTotal has nothing to do with the attachment and appears to be a legitimate OpenVPN file.\r\nIn another effort to build trust, the spear phishing email links to the website rostec.digital, a domain registered by the threat actor, hosting a site made to look like the official Rostec website.\r\nThis email also contains links to fake Instagram and Facebook accounts. Interestingly, the threat actor created the Facebook page in June 2021, nine months before it was used in this campaign. This was probably an attempt to attract followers, to make the page look more legitimate, and it suggests the APT group was planning this campaign long before the invasion of Ukraine.\r\n3. Build Rostec\r\nThe Rostec defense conglomerate also appears in the third campaign. This time the threat actor used the file name build_rosteh4.exe for its malware—an apparent attempt to make it look like software from Rostec.\r\n4. Saudi Aramco job\r\nThe most recent campaign occurred in mid April and used a Word document containing a fake job advert for a “Strategy and Growth Analyst” position at Saudi Aramco as a lure.\r\n(We also discovered a self-extracting archive file that belonged to this campaign—the archive file used a Jitsi video conferencing software icon as a decoy, and created a directory named Aramco under C:\\ProgramData.)\r\nAlthough the job advert is written in English, it also contains a message in Russian, asking users to enable macros.\r\nThe document uses remote template injection to download a macro-embedded template, which executes a macro that drops a VBS script called HelpCenterUpdater.vbs in the %USER%\\Documents\\AdobeHelpCenter directory.\r\nThe template also seems to do a redundant check for the existence of %USER%\\Documents\\D5yrqBxW.txt and only if it doesn’t exist will it drop the script and execute it.\r\nThe obfuscated HelpCenterUpdater.vbs script drops another obfuscated VBS file named UpdateRunner.vbs and downloads the main payload—a DLL named GE40BRmRLP.dll—from its command and control (C2) server.\r\n(Interestingly, some anti-analysis code, and code responsible for persistence, seems to be commented out in UpdateRunner.vbs and isn’t executed.)\r\nIn another payload related to this campaign, the script seems to drop an EXE instead of a DLL, but after analyzing both it seems they share the same code.\r\nThe job of the UpdateRunner.vbs script is to execute the DLL through rundll32.exe.\r\nThe malicious DLL contains the code that communicates with the C2 server and executes the commands it receives from it.\r\nThe malware, which is common to all four campaigns, is explained in detail in the next section.\r\nPayload analysis\r\nThis analysis focuses on the GE40BRmRLP.dll payload from the Saudi Aramco campaign, but the malware used in all four campaigns is essentially the same, with small differences in the code.\r\nThe DLL is heavily obfuscated and most of the library functions are statically linked. IDA is barely able to recognize any functions, though it was able to recognize a few that indicate the DLL was most likely compiled with LLVM. The DLL’s original name is supposed to be simpleloader.dll, as we can see after analyzing it a bit.\r\nBefore we dive into the functionality and capabilities of this malware, let’s look at various methods it uses to make the analysis difficult for us.\r\nAnti-analysis techniques\r\nControl Flow Flattening\r\nAll of the samples used in these campaigns use control flow flattening heavily, a technique that flattens the nested structure of a program, making analysis very difficult. We used the D810 plugin for IDA, which has the capability to deobfuscate flattened code and make the decompilation more readable.\r\nAlthough there are many tools that can perform control flow flattening, in this case we suspect OLLVM—an obfuscator for LLVM—was used. The different samples had different levels of flattening, and OLLVM allows users to specify this. Additionally, we also saw what looks like the Bogus Control Flow LLVM pass being used.\r\nString obfuscation\r\nThe payload’s strings are obfuscated with simple XOR encoding. The decode_string function which is used to decode a string takes 3 arguments: the encoded string, the destination of the decoded string, and the byte that is used while decoding the string.\r\nEach string is decoded every time it’s required by the malware.\r\nCommand and control\r\nBefore contacting its C2 server the malware derives an ID which is unique to every machine, which could be used to differentiate infections. It uses the data from the following APIs to construct the ID:\r\nGetFileAttributesA on the C:\\Windows directory\r\nGetComputerNameA\r\nGetVolumeInformationA on the C: drive\r\nIt then calculates a hash of this data using the Blake2b-256 algorithm and sends it when it makes the first contact with its C2.\r\nThe C2 address is decoded every time the malware sends a request. To communicate with the C2 the malware uses GET requests in the form url/?wSR=data, where data contains the encoded information.\r\nInterestingly, Any.run and Fiddler fail to capture the HTTPS requests made by the malware. To make them, the malware doesn’t use any library functions but instead implements everything over raw sockets, and it uses the WolfSSL library to implement SSL itself. Our analysis also uncovered traces of http-parser from ZephyrOS. The certificate used for the SSL communication is stored inside the binary as chunks of encoded strings. Initially the malware decodes this data and stores it. Later, while making the HTTPS request, it loads this data using WolfSSL’s loadX509orX509REQFromBuffer.\r\nAfter making every request the malware sleeps for a random amount of time.\r\nBased on the response to the above request, the malware decides which command to execute:\r\n1. getcomputername. This retrieves the computer name using GetComputerNameA and sends a response to the C2 containing the unique id and the computer name.\r\n2. upload. This receives a file name and file contents from the C2 which it writes to the local file system.\r\n3. execute. This receives a command line instruction from the C2 and executes it using CreateProcessA. If the command is successful then the malware sends the UID with the “OK” string to the C2, or the output of GetLastError if it fails.\r\n4. exit. This is used to terminate the malware process.\r\n5. ls. This command uses a directory name from the C2, or the name of the current directory if one isn’t provided. It uses the FindFirstFile and FindNextFile functions to retrieve a list of all the files under the directory and sends it back to the C2.\r\nAttribution\r\nAttribution is difficult, and threat actors are known to use indicators from other groups as false flags. The attribution of the APT behind these campaigns is ongoing, but based on the infrastructure used we assess with low confidence that this group is a Chinese actor.\r\nAll of the C2s are from BL Networks, which has been used by Chinese APTs in the past. Also, we discovered infrastructure overlap between the malware we analyzed and the Sakula Rat malware used by the Deep Panda APT.\r\nAnother interesting indicator we found was that the macro used in the Aramco campaign is almost identical to some macros used by TrickBot and BazarLoader in the past. We think the actor may have used the same macro builder to generate its macro, and they may have used it as a false flag. There are some other weak indicators, such as WolfSSL, which has been used by Lazarus and Tropic Troopers, but they are not enough to help attribute the attack to any specific actor.\r\nMalwarebytes customers were proactively protected against these campaigns thanks to our heuristic detection engines.\r\nIOCs\r\nC2 Domains\r\nwindowsipdate[.]com\r\nmicrosftupdetes[.]com\r\nmirror-exchange[.]com\r\nC2 IPs\r\n168.100.11.142\r\n192.153.57.83\r\n45.61.137.211\r\n206.188.197.35\r\nDownload Domain\r\nfatobara[.]com\r\nDownload IP\r\n91.210.104.54\r\nHashes\r\nName Hash\r\npatch_Log4j.tar.gz 4b622d63e6886b1430f6ca9cba519cbefde60cd8b6dbcade7c3a152c3930e7c7\r\nPDF attachment f4db6fa3a83052152b5d16dc6a4e9749afafc026612ff5c3ad735743736ac488\r\nSource: https://www.malwarebytes.com/blog/threat-intelligence/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/threat-intelligence/2022/05/unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion"
	],
	"report_names": [
		"unknown-apt-group-has-targeted-russia-repeatedly-since-ukraine-invasion"
	],
	"threat_actors": [],
	"ts_created_at": 1775434348,
	"ts_updated_at": 1775826727,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2dd2e125708c8c57a566f6cc16e3f8893a91d372.pdf",
		"text": "https://archive.orkl.eu/2dd2e125708c8c57a566f6cc16e3f8893a91d372.txt",
		"img": "https://archive.orkl.eu/2dd2e125708c8c57a566f6cc16e3f8893a91d372.jpg"
	}
}