{
	"id": "33b7aa3a-2a9f-4cfc-9e83-f09cc700ab25",
	"created_at": "2026-04-06T00:20:53.36158Z",
	"updated_at": "2026-04-10T03:24:58.562499Z",
	"deleted_at": null,
	"sha1_hash": "381d8c740d0bbba64e52a5a339affb5a0e63ca2a",
	"title": "Detect SmokeLoader Malware: UAC-0006 Strikes Again to Target Ukraine in a Series of Phishing Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 164878,
	"plain_text": "Detect SmokeLoader Malware: UAC-0006 Strikes Again to Target Ukraine in a Series of Phishing Attacks\r\nBy Daryna Olyniychuk\r\nPublished: 2023-05-30 · Archived: 2026-04-02 10:35:23 UTC\r\nHot on the heels of the massive phishing attacks launched by UAC-0006 at the beginning of May 2023, CERT-UA warns cyber defenders of a new wave of cyber attacks resulting in SmokeLoader infections. The latest investigation indicates that adversaries increasingly spread phishing emails with financial subject lures and use ZIP/RAR attachments to drop malicious samples on the targeted instances.\r\nAnalyzing UAC-0006 Phishing Attacks Aimed at SmokeLoader Distribution\r\nOn May 29, 2023, CERT-UA experts released a new CERT-UA#6757 alert detailing the ongoing phishing campaign launched by the UAC-0006 hacking collective. By leveraging malicious attachments with a dedicated JavaScript downloader, adversaries deliver SmokeLoader to targeted systems. Specifically, hackers leverage either ZIP or RAR archives containing malicious HTML or VHDX files. Once extracted, the archive contents trigger JavaScript code, which in turn downloads and launches an executable file that later drops SmokeLoader to spread the infection further.\r\nThe CERT-UA team identifies a number of prominent updates in the UAC-0006 attack kill chain compared to the similar phishing campaign launched earlier in May 2023. Specifically, experts observe that attackers tend to use multiple infection chains. Also, the SmokeLoader sample used in the latest campaign contains 26 URL links to a server controlling a botnet. Additionally, CERT-UA identified a malicious Cobalt Strike Beacon applied during the intrusions, which indicates that UAC-0006 aims to expand its toolset.\r\nDetecting the Latest UAC-0006 Adversary Activity\r\nJust a couple of weeks after massive phishing attacks spreading SmokeLoader, the UAC-0006 threat actors responsible for the earlier intrusions resurfaced to strike once again. Due to the changes in adversary TTPs and the use of multiple infection chains in the latest offensive operation, organizations can potentially be exposed to more serious risks, which requires urgent attention from cyber defenders. SOC Prime has recently released a set of relevant Sigma rules to detect in a timely manner the malicious activity of the UAC-0006 group covered in the latest CERT-UA#6757 alert. All detection content is filtered by the custom tags “CERT-UA#6757” or “UAC-0006”, according to the corresponding alert and group IDs, which enables researchers to streamline content search and threat hunting activities.\r\nPress the Explore Detections button to instantly access the entire collection of Sigma rules for UAC-0006 attack detection, mapped to MITRE ATT\u0026CK® and automatically convertible to industry-leading SIEM, EDR, and XDR solutions. Relevant metadata, ATT\u0026CK links, and CTI references, along with other cyber threat context, are also available at hand.\r\nSOC team members are also welcome to hunt for IOCs linked to the UAC-0006 malicious activity leveraging Uncoder AI, an augmented intelligence framework that serves as an ultimate tool for threat hunters and detection engineers and enables converting IOCs to custom IOC queries without limits. Just insert the file, host, or network IOCs provided in the CERT-UA#6757 alert into the tool, select the platform of your choice, apply the query settings customized to your security needs, and be ready to hunt for relevant threats instantly in your SIEM or EDR environment.\r\nMITRE ATT\u0026CK Context\r\nTo dive into the TTPs leveraged during the most recent attack by the UAC-0006 hacking group spreading SmokeLoader, all the above-mentioned Sigma rules are mapped to ATT\u0026CK and address the corresponding tactics and techniques:\r\nSource: https://socprime.com/blog/latest-threats/detect-smokeloader-malware-uac-0006-strikes-again-to-target-ukraine-in-a-series-of-phishing-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/latest-threats/detect-smokeloader-malware-uac-0006-strikes-again-to-target-ukraine-in-a-series-of-phishing-attacks/"
	],
	"report_names": [
		"detect-smokeloader-malware-uac-0006-strikes-again-to-target-ukraine-in-a-series-of-phishing-attacks"
	],
	"threat_actors": [
		{
			"id": "078f7b2a-4e1c-4843-b7cd-353331cd2260",
			"created_at": "2023-11-21T02:00:07.359148Z",
			"updated_at": "2026-04-10T02:00:03.467054Z",
			"deleted_at": null,
			"main_name": "UAC-0006",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0006",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434853,
	"ts_updated_at": 1775791498,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/381d8c740d0bbba64e52a5a339affb5a0e63ca2a.pdf",
		"text": "https://archive.orkl.eu/381d8c740d0bbba64e52a5a339affb5a0e63ca2a.txt",
		"img": "https://archive.orkl.eu/381d8c740d0bbba64e52a5a339affb5a0e63ca2a.jpg"
	}
}