{
	"id": "2d3271b2-6c1d-4954-ae61-cb9eff49c311",
	"created_at": "2026-04-06T00:17:21.035973Z",
	"updated_at": "2026-04-10T03:31:13.723284Z",
	"deleted_at": null,
	"sha1_hash": "2ff25a4d2dc113f6abc23fde1a0f46d57c7911dd",
	"title": "Somnia Malware Detection: UAC-0118 aka FRwL Launches Cyber Attacks Against Organizations in Ukraine Using Enhanced Malware Strains",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 47113,
	"plain_text": "Somnia Malware Detection: UAC-0118 aka FRwL Launches Cyber Attacks Against Organizations in Ukraine Using Enhanced Malware Strains\r\nBy Veronika Zahorulko\r\nPublished: 2022-11-15 · Archived: 2026-04-05 19:02:00 UTC\r\nSince the outbreak of the global cyber war, cyber attacks against Ukraine and its allies leveraging info-stealers and malicious payloads have been causing a stir in the cyber threat arena. In the latest cyber attack on a Ukrainian organization, threat actors applied a diverse offensive toolkit, including the Vidar info-stealer and the notorious Cobalt Strike Beacon, both of which have been used frequently in malicious campaigns against Ukraine since February 2022.\r\nOn November 11, 2022, CERT-UA researchers provided insights into a cybersecurity incident that damaged information integrity and availability as part of the ongoing cyber attack against organizations in Ukraine leveraging an advanced version of the Somnia malware and a set of other malicious strains. The adversary activity responsible for the unauthorized intrusion into targeted automated systems and computers has been attributed to the hacking collective FRwL, aka Z-Team, also tracked as UAC-0118.\r\nDetecting the UAC-0118 Malicious Activity Covered by the CERT-UA#5185 Alert\r\nIn view of the escalating volume and sophistication of cyber attacks against Ukraine and its allies, cybersecurity practitioners should detect emerging threats in a timely manner to proactively defend their organizations from potential intrusions. The SOC Prime Platform aggregates a batch of high-fidelity alerts and relevant hunting queries to identify the malicious activity associated with the UAC-0118 actor and covered by the CERT-UA#5185 alert. All detections are tagged with “UAC-0118” (“UA#5185”) to simplify content selection for SOC team members:\r\nSigma rules to detect the malicious activity covered in the CERT-UA#5185 alert\r\nPress the Explore Detections button to reach the dedicated Sigma rules filtered by the corresponding UAC-0118 tag based on the group identifier. Detection algorithms are aligned with MITRE ATT\u0026CK® and are accompanied by detailed cyber threat context, including relevant CTI links, mitigations, executable binaries, and other relevant metadata. Sigma rules come with translations to 25+ SIEM, EDR, and XDR solutions to match any environment cybersecurity practitioners need.\r\nTo streamline threat hunting efforts and boost the efficiency of SOC operations, security experts can search for IOCs associated with the latest UAC-0118 attack using Uncoder CTI. Just paste the text containing the relevant IOCs from the CERT-UA#5185 alert and get custom IOC queries ready to run in the chosen environment.\r\nIOCs Provided by Activity Covered by the CERT-UA#5185 Alert\r\nUAC-0118 Activity Spreading Somnia Malware: Attack Analysis\r\nThe latest CERT-UA#5185 alert provides research into the ongoing targeted cyber attack against Ukraine by the FRwL group, also known as Z-Team or UAC-0118, spreading Somnia malware on compromised systems. The investigation has revealed that the infection chain was triggered by downloading and launching a malicious file disguised as the Advanced IP Scanner software. The file masquerading as legitimate software actually contained the Vidar information stealer.\r\nCybersecurity researchers assume that this attacker tactic, which involves creating copies of official web resources disguised as widespread software, belongs to the offensive toolkit of initial access brokers. In the case of the latest incident, initial access brokers were in charge of the data breach and then shared the compromised data with the FRwL hacking group so that it could proceed with the cyber attack.\r\nNotably, the Vidar malware is also capable of stealing Telegram session data. If a potential victim has neither two-factor authentication nor a passcode turned on, this enables attackers to gain unauthorized access to the compromised user account. In the ongoing cyber attack, the victim’s Telegram account had been used for submitting configuration files of the VPN connection, including certificates and authentication data. Because two-factor authentication was disabled for the VPN connection, adversaries were able to access the corporate network. After gaining unauthorized access via VPN, threat actors applied Netscan for reconnaissance, launched Cobalt Strike Beacon, and performed data exfiltration via Rclone. In addition to the above-mentioned malware strains, the FRwL group was observed deploying Anydesk and Ngrok on the compromised systems.\r\nThe malware strain applied in the ongoing cyber attack, dubbed Somnia, has significantly evolved. The initial malware version used the 3DES algorithm, while the current version applies the AES encryption algorithm and doesn’t include data decryption capabilities, for enhanced defense evasion.\r\nMITRE ATT\u0026CK® Context\r\nTo dive into the context behind the latest cyber attacks by the UAC-0118 threat actor, all dedicated Sigma rules are aligned with the MITRE ATT\u0026CK® framework, addressing the corresponding tactics and techniques:\r\nAlso, you can download the ATT\u0026CK Navigator file below in JSON format, which provides the relevant MITRE ATT\u0026CK context based on both the Sigma rules from the SOC Prime Platform and the IOCs provided by the CERT-UA#5185 alert:\r\nSource: https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/"
	],
	"report_names": [
		"somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "132e1e0f-8725-42cb-8c2d-d2f3ebb1f005",
			"created_at": "2023-12-08T02:00:05.758552Z",
			"updated_at": "2026-04-10T02:00:03.495698Z",
			"deleted_at": null,
			"main_name": "UAC-0118",
			"aliases": [
				"FRwL",
				"FromRussiaWithLove"
			],
			"source_name": "MISPGALAXY:UAC-0118",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434641,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2ff25a4d2dc113f6abc23fde1a0f46d57c7911dd.pdf",
		"text": "https://archive.orkl.eu/2ff25a4d2dc113f6abc23fde1a0f46d57c7911dd.txt",
		"img": "https://archive.orkl.eu/2ff25a4d2dc113f6abc23fde1a0f46d57c7911dd.jpg"
	}
}