{
	"id": "9f708a71-c2ac-4f9e-81d8-2813da625f3d",
	"created_at": "2026-04-06T00:08:27.005216Z",
	"updated_at": "2026-04-10T13:12:15.9197Z",
	"deleted_at": null,
	"sha1_hash": "30f2a48048ed6d31502762c7efb4b1404b60b606",
	"title": "PicassoLoader and Cobalt Strike Beacon Detection: UAC-0057 aka GhostWriter Hacking Group Attacks the Ukrainian Leading Military Educational Institution",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 140581,
	"plain_text": "PicassoLoader and Cobalt Strike Beacon Detection: UAC-0057 aka GhostWriter Hacking Group Attacks the Ukrainian Leading Military Educational Institution\r\nBy Veronika Zahorulko\r\nPublished: 2023-06-16 · Archived: 2026-04-02 11:44:28 UTC\r\nOn June 16, 2023, CERT-UA researchers issued a new alert covering the recently discovered malicious activity targeting the National Defense University of Ukraine named after Ivan Cherniakhovskyi, the country’s leading military educational institution. In this ongoing campaign, threat actors spread PicassoLoader and Cobalt Strike Beacon on the compromised systems via a malicious file containing a macro and a lure image with the university emblem. The malicious activity is attributed to the hacking collective tracked as UAC-0057 aka GhostWriter.\r\nUAC-0057 aka GhostWriter Attack Analysis\r\nThe onset of the summer of 2023 has intensified the activity within the cyber threat landscape. In early June, CERT-UA warned the worldwide community of cyber defenders about the ongoing cyber-espionage operations against Ukrainian and Central Asian organizations linked to the UAC-0063 group. In mid-June, another wave of cyber attacks caused a stir in the cyber threat arena, covered in the corresponding CERT-UA#6852 alert.\r\nCybersecurity researchers have recently uncovered a PPT file containing a malicious macro and an emblem image of the National Defense University of Ukraine named after Ivan Cherniakhovskyi, luring the targeted representatives of the corresponding educational institution into opening the document. The infection chain starts when the victim opens the document and activates the malicious macro, which generates a DLL file along with a shortcut file to launch it. The malicious DLL file is identified as PicassoLoader malware, which is commonly used by the UAC-0057 hacking group, also known as GhostWriter. PicassoLoader downloads and launches a .NET malware dropper, which, in turn, decrypts and launches another DLL file. The latter is used to decrypt and launch the infamous Cobalt Strike Beacon malware on compromised systems. Threat actors maintain the persistence of the above-referenced DLL file via a scheduled task or by creating an LNK file in the autostart folder.\r\nAccording to the CERT-UA research, the malware’s remote access servers are located in russia; however, the domain names are hidden behind Cloudflare.\r\nDetecting the Malicious Activity of UAC-0057 Group Covered in the CERT-UA#6852 Alert\r\nIn the face of the relentless surge in cyber attacks against Ukraine and its allies, cybersecurity defenders are making concerted efforts to raise awareness and swiftly mitigate the associated risks. In response to the novel CERT-UA#6852 alert covering the malicious activity of the UAC-0057 hacking group, also tracked as GhostWriter, SOC Prime Platform has released curated Sigma rules available by the link below:\r\nSigma rules to detect adversary activity by UAC-0057 covered in the CERT-UA#6852 alert\r\nDetection algorithms are aligned with the MITRE ATT\u0026CK® framework v12, enriched with intelligence and relevant metadata, and are applicable across dozens of SIEM, EDR, and XDR technologies. To streamline the search for the above-mentioned Sigma rules, security engineers can apply the custom filter tags based on the group ID (“UAC-0057”) or the corresponding CERT-UA alert (“CERT-UA#6852”).\r\nTo reach the entire collection of Sigma rules for GhostWriter activity detection, click the Explore Detection button below. Check out ATT\u0026CK links, CTI, and more cyber threat context to always stay in the know.\r\nCybersecurity experts can also seamlessly hunt for indicators of compromise related to the UAC-0057 adversary activity and provided in the latest CERT-UA research. Rely on Uncoder AI to instantly generate custom IOC queries ready to run in the selected SIEM or EDR environment and promptly identify the PicassoLoader and Cobalt Strike Beacon infection in your infrastructure.\r\nMITRE ATT\u0026CK Context\r\nTo explore the context behind the latest UAC-0057 malicious campaign reported in the CERT-UA#6852 alert, all dedicated Sigma rules are automatically tagged with ATT\u0026CK addressing the corresponding tactics and techniques:\r\nSource: https://socprime.com/blog/picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socprime.com/blog/picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution/"
	],
	"report_names": [
		"picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0d996a0-98e2-49fd-b55e-97ba053c4ed0",
			"created_at": "2024-07-25T02:00:04.423466Z",
			"updated_at": "2026-04-10T02:00:03.679863Z",
			"deleted_at": null,
			"main_name": "UAC-0063",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0063",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30f2a48048ed6d31502762c7efb4b1404b60b606.pdf",
		"text": "https://archive.orkl.eu/30f2a48048ed6d31502762c7efb4b1404b60b606.txt",
		"img": "https://archive.orkl.eu/30f2a48048ed6d31502762c7efb4b1404b60b606.jpg"
	}
}