{
	"id": "8f3fa3f8-e779-41be-9d6d-842ca7713294",
	"created_at": "2026-04-29T08:23:11.662767Z",
	"updated_at": "2026-04-29T10:41:43.752707Z",
	"deleted_at": null,
	"sha1_hash": "439e6fece9856f87a5828ad0d3b619f698453506",
	"title": "Operation ‘Kremlin’ – ClearSky Cyber Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 113134,
	"plain_text": "Operation ‘Kremlin’ – ClearSky Cyber Security\r\nPublished: 2021-01-07 · Archived: 2026-04-29 07:44:07 UTC\r\nIntroduction\r\nClearSky researchers identified a malicious “.docx” file that was uploaded to VirusTotal from Russia in mid-December.\r\nThe file contains an obfuscated URL to a remote template which contains malicious VBA, eventually leading to the\r\nexecution of VBS on the infected machine. The attack’s purpose is to stealthily exfiltrate information without\r\nrunning any external executables on the system.\r\nNotably, the process is escalated on a certain day of the week, suggesting a possible familiarity with the intended victim\r\nor victims.\r\nWe estimate with medium confidence that the same threat actor responsible for the attacks described in this paper also\r\nconducted an attack named “Operation Domino[1]” that occurred earlier in 2020.\r\nWe decided to name the operation “Kremlin” due to the use of a parameter named “kreml” in the “poslai” (meaning send\r\nin Russian) function that exfiltrates the data.\r\nTTPs\r\nThe lure document contains a “bonus payment” request from The Ministry of Defense of the Russian Federation, to be\r\nsubmitted by ministry workers for the period of November 2020.\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 1 of 20\n\nThe document was uploaded from Russia to VirusTotal on the 16-12-2020, and the date that appears at the end of the\r\ndocument is 30-11-2020. The document was last modified at 01-12-2020.\r\nThe malicious file contains an embedded XLS file, which is displayed when the document is opened[2]. This file is not\r\ndetected as malicious on VirusTotal.\r\nTemplate Injection\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 2 of 20\n\nThe docx file abuses remote template injection. The adversary is using an interesting method to hide the URL to the\r\nmalicious file. Typical abuse would include adding a remote code IP address, as can be seen at Trend Micro’s image[3]:\r\nHowever, instead of writing the IP address in dot-decimal notation[4] the adversary used the integer representation.\r\n1587326585 translates[5] to the IP address 94.156.174.121\r\nThe remote file is a DOTM, and was uploaded to VirusTotal from Russia as well:\r\nvirustotal.com/gui/file/56f5cb1590912dc6dfa0945f4d6e49500f238b5d4847ab3da24c7f848c12217d/details\r\nVBS\r\nThis DOTM file contains VBA that writes a VBS file and executes it:\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 3 of 20\n\nThe created VBS file is:\r\nvirustotal.com/gui/file/e72670493c5cbccecf7028fdfad4e166bf0b51cc4d41cb2ac85a59f08ccd2627/details\r\nThe VBS begins its activity by creating an array with the full paths to the “Desktop” and “My Documents” special\r\nfolders, simultaneously creating a “rec” variable with the path of the recently opened file’s special folder in windows.\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 4 of 20\n\nThen, the VBS calls psr.exe[6]. As far as we know, this is the first documented use case of psr.exe as LOLBIN[7] by an\r\nAPT group.\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 5 of 20\n\nThe VBS has a specific check for the day of the week the file is opened on:\r\nIf the file is opened on a Wednesday, the VBS will look up a key in the registry and will query all system drives. If the\r\ndrive type is not 4 (CD/DVD), the VBS will continue. Afterwards the VBS checks if the drive letter is other than “A”\r\n(Thank you @jaydinbas for the correction).\r\nIf both checks on the queried drive pass, the VBS will look for folders that start with “PROGRA” in their name and pass\r\nthe folder name to a procedure named “subse”, this includes remote drives, if attached. The “subse” procedure code is the\r\nfollowing:\r\nIt checks if the folder name starts with “WINDOW”. If it does, the code gets the file names in the folder and each file’s\r\nextension is checked via the “repl” function:\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 6 of 20\n\nThe “repl” function checks whether the file’s extension starts with 2 specific characters from a list of such pairs. This is\r\nmost likely done to avoid suspicious full file extensions while filtering the interesting files. From the first 2 characters we\r\ncan guess which files are of interest:\r\n2 First Characters Signification\r\nDO DOC/DOCX MS Word files\r\nXL XLS/XLSB MS Excel files\r\nPP PPT/PPTX MS Power Point files\r\nRT RTF Rich Text Format files\r\nZI Zip Archives\r\nTX TXT Plain Text Files\r\nCS CSV Comma Separated Values\r\nIf a file with an interesting extension exists, the filename is sent as parameter for the “sendme” procedure.\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 7 of 20\n\nThe “sendme” function assumes that WinRAR exists on the running computer, and it uses “rar.exe” to compress and\r\npassword protect the file of interest.\r\nAfter compression, the file is loaded into a buffer, if the buffer is too big, nothing happens. This is most likely done to\r\navoid big zip files.\r\nHowever, if the buffer is within the range the adversary specified, it will encode the bytes with base64 using the “enco”\r\nfunction:\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 8 of 20\n\nThe base64 encoded bytes are then sent to the “poslai” procedure:\r\nAs a side note, many of the function and variable names are in the Russian language, the word “poslai” means “send”.\r\nThe word “kreml” is the Russian word for “Kremlin”[9]. This is why we decided to call this paper “Operation Kremlin”.\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 9 of 20\n\nThe “poslai” randomly chooses between appending 2 seemingly random integers to the string “http://”:\r\nAs we have seen in the DOC file, 1587326585 translates[10] to the IP address 94.156.174[.]121, while 3119738898\r\ntranslates to 185.243.112[.]18\r\nNext, there is a “for” loop that takes the currently logged-on username and converts every character into its decimal\r\nrepresentation, summing the values.\r\nIf the username is admin, then: a=97+d=100+m=109+i=105+n=110=\u003e521\r\nThe “now()” function in VBS returns the current system time in the following format:\r\nAfter encoding the currently logged on user, there is an “encoding” of the current system time if the file size is bigger\r\nthan 0:\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 10 of 20\n\nIf the size is bigger than zero, the current system time is formatted to remove special characters such as “:” “.” “/”. Then\r\n“12435687” is appended to the formatted string, and only the first 14 characters are used.\r\nIf we take the time from the MsgBox image of “now()” we captured, the formatting before the concatenation would result\r\nin “1228202073443PM”, a 15 character long string. If the time was set to 24h instead of 12h with AM/PM representation\r\nthe string would be exactly 14 characters long:\r\nFinally, there is a “do while” loop, that truncates the archived file of interest that was base64 encoded, into chunks of 942\r\ncharacters that are saved into the “tsip” variable. After 942 characters have been acquired, it appends them to the “uri”\r\nvariable and sends a GET request to the server.\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 11 of 20\n\nHowever, if the size of the file is zero it will send a get request to a file named “patch.png”. If the request’s status code is\r\n200 and the length of the response is bigger than 13, the VBS will write the response to the registry, avoiding writing\r\npotentially malicious code directly to the disk.\r\nNext, the VBS creates a new VBS file named “diagnostics.vbs” in the Windows StartUp special folder. This new VBS\r\nreads the registry key that has been written from the http response. Since the VBS is in the StartUp folder, this seem to be\r\na persistence mechanism.\r\nIf the response is 200 but the length is less than 13, the VBS will launch “msiexec” silently with the URL\r\nhttp://5.9.242[.]126/521/patch.gif (521 in case the username was admin). All of this is done specifically if the file is run\r\non a Wednesday. Additionally, there is a piece of code that runs regardless of the day of the week:\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 12 of 20\n\nThe VBS checks if a file named “myphone_diag.log” exists on the system, if it does the code above won’t execute. If the\r\nfile doesn’t exist, the VBS will start doing something similar to what happens in case of a Wednesday activation, but for\r\nlocal folders only.\r\nOnce again, the purpose of the code is stealthy data exfiltration, it starts with the recently opened file’s folder, listing all\r\nthe LNK files and sending them to the “ExTarPa” procedure:\r\nThe procedure extracts the target path of the actual file that was recently opened, checks the extension against the list of\r\ninteresting extensions as previously shown in the code of the “repl” function.\r\nOnce finished, the VBS proceeds to do the same data exfiltration scheme for the “Desktop” and “My Documents” folders.\r\nAfter the check for the file “myphone_diag.log”, there is the following piece of code:\r\nThis code sleeps for 5 seconds and stops psr.exe. Following this, the VBS performs a WMI query to get the installed\r\nsoftware and its version on the computer:\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 13 of 20\n\nLater, the VBS uses the priorly described “sendme” procedure to exfiltrate those 2 files. As seen in some of the code\r\nabove, there are many http connections if there are interesting files found, but all of them returned 404 status code from\r\nthe server. However, it’s a trap:\r\nAs we described through this post, the data is actually being exfiltrated as part of the URI. The adversary has some sort of\r\ncontrol over the C2 servers, allowing him to read the access logs, reconstructing the exfiltrated archive files from them,\r\nwithout actually sending any data in traditional ways.\r\nThis entire data exfiltration scheme is conducted stealthily, without a single malicious executable file being downloaded\r\nto the computer.\r\nAttribution\r\nThe VBS communicates with two IP addresses that were previously observed[11] in an attack leveraging previously\r\nunseen 1-day exploitation of CVE-2020-0968. This was called “Operation Domino[12]” by a Chinese security firm.\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 14 of 20\n\nThe URL we observed as part of “Operation Domino” was: hxxp://94.156.174[.]7/up/a1a.htm.\r\nIn the Chinese report, they successfully ran the dropped DLL file which communicated with the IP address\r\n185.243.112[.]57. There is a clear connection by the infrastructure used by the adversary:\r\nOperation “Domino” Operation “Kremlin”\r\nСВЕДЕНИЯ О ПОДСУДИМОМ.rtf Tabel_premia_N20.docx\r\n94.156.174[.]7 94.156.174[.]121\r\n185.243.112[.]57 185.243.112[.]18\r\nIn both cases the URI contained the word “up”. Another strong connection between the two files is the unique language\r\nset, Russian and Arabic from Saudi Arabia. Both attacks are complex and carefully tailored for Russian speaking targets,\r\nusing very unique attack techniques that are not seen in wide use.\r\nWe estimate with medium confidence that both attacks are from the same threat actor. At this point we can’t attribute this\r\nto a specific known threat actor, however, during the analysis of “Tabel_premia_N20.docx” we have managed to trace\r\nanother attack by the same threat actor.\r\n2019 Attack\r\nThis attack utilizes a very similar VBS code, but the attack vector is different, so the analysis will mainly focus on the\r\nattack vector as the VBS code should be almost the same as described in the main section above. We have observed the\r\nfollowing html file:\r\n57f0252b8d2a7d946ec2231c546986728c1141ceba95f7a5128a40796b928519\r\nThis file was uploaded from Russia at 2019-04-15 to VirusTotal. We assume it has been sent as an attachment to an email.\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 15 of 20\n\nThe logo in the HTML page is of Inter Raoues[13], a Russian energy company. As can be seen in the image above, the\r\n“footer.png” image didn’t load, but we believe it was never meant to load anything, except give the adversary an\r\nindication someone accessed the HTML file:\r\nThis HTML file automatically “downloads” an HTA file with the following hash:\r\na7091e1c532351ae33a8d51523a7b5cc708bd8299cb87951a2c52fe816da90a3\r\nThis file was uploaded to VirusTotal from Russia on 2019-04-16. The HTA writes to a unique registry key that we have\r\nobserved in the 2020 attack:\r\nThen the HTA creates a VBS file that reads the contents from the registry and executes it, a similar technique was\r\nobserved in 2020 with the “diagnostics.vbs” file. The resulting VBS file hash is:\r\n2c13aa6c2240166ddb1b5b9b22e3868ea9c094424c5056b9f557a7fa906ce564\r\nThis file was uploaded to VirusTotal from Russia on 2019-04-23.\r\nWe have decoded the values from the registry and uploaded the resulting VBS file to VirusTotal:\r\nvirustotal.com/gui/file/557af395b358bd787402e6b1827c7c69e41bedc43e95e35529268264f564866b/detection\r\nSome of the function names, as well as the variables, are the same as in the VBS file from 2020, like “poslai(kreml)”.\r\nOnce again, there is a use of the word “up” in the C2 URI, the extension is PHP as well. The C2 are different and\r\naccessed via domain name and not an IP, which doesn’t correlate to what was observed in 2020:\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 16 of 20\n\nOne of the C2 servers is the domain that was observed from the missing footer image, bibigreen[.]ru. The 2nd\r\n C2 is\r\nhesheflowershop[.]ru.\r\nThe 2019 VBS also uses “psr.exe” to spy on the victim. The 2019 VBS has the same, very specific check for Wednesday,\r\nand if there is a drive with the letter A connected to the system on that day:\r\nThere are many differences between the 2019 VBS \u0026 the 2020 VBS, but the essence of the code is the same, exfiltrate\r\nconfidential information from the affected system without running any 3rd party external executable on the system.\r\nEpilogue\r\nSince we have seen IPs form two sets of pairs coming from the same subnets, we highly recommend monitoring any\r\nnetwork connections with the following subnets:\r\n94.156.174.0/24\r\n185.243.112.0/24\r\nWe have found another connection between the infrastructure used in 2020 by “Operation Kremlin”.\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 17 of 20\n\nThe connection leads to the same person “Edvinas Vyzas” and to the same building in Seychelles, however the phone\r\nnumber is associated with New Zealand.\r\nIndicators\r\nMD5 filename Description\r\nf745d6e3c811c9c06acb2ebc45a174ba Tabel_premia_N20.docx\r\n2020 initial lure\r\ndocument\r\n5dd05f94ebdeb7afb494b541b317eb8c\r\n_____Microsoft_Excel_97-\r\n20031.xls\r\n2020 embedded\r\ntable in initial lure\r\ndocument\r\n60cb0e31510a9cd747daae323d28f489 Dc2.dotm\r\n2020 remote\r\ntemplate containing\r\nmalicious VBA\r\n0a62afe0dfe369b5280c432533671aa0 backup.vbs 2020 VBS payload\r\nfb848fcf49054871f62bbf9b5f5c9282 zanpoc_energy.html\r\n2019 initial lure\r\ndocument\r\n669190300c47c141c35ea3867061512e ENERGY_PRODACTION.html.hta\r\n2019 malicious\r\nHTA\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 18 of 20\n\n54a4302989bf0f3ae42d2aeddca50e1a backup.vbs\r\n2019 minimal VBS\r\npayload\r\n3e38a347b3914893cb5fb92d12558003 diagnostics.vbs\r\n2019 VBS payload\r\nextracted from\r\nregistry\r\nNetwork Address URI Path Network Name (RIPE)\r\nBibigreen[.]ru /wp-content/energia/wp/ REGRU-NETWORK\r\nBibigreen[.]ru /up/up.php REGRU-NETWORK\r\nhesheflowershop[.]ru /wp/up.php REGRU-NETWORK\r\n94.156.174[.]121 /wp/521/patch.png NETERRA-CINFUCOM-NET\r\n94.156.174[.]121 /wp/521up.php NETERRA-CINFUCOM-NET\r\n185.243.112[.]18 /wp/521up.php CrownCloud\r\n5.9.242[.]126 /521/patch.gif CLOSCO-LTD\r\nThe value “521” in the URI Path can be different, depending on the executing user, as described in this blog.\r\n[1] ti.dbappsecurity.com.cn/blog/index.php/2020/09/18/operation-domino/\r\n[2] virustotal.com/gui/file/907ff4964ec8cdb1a8e5ac6005dd74aca7bd01c941f4c4bfff0c1a03dd695f83/details\r\n[3] trendmicro.com/en_us/research/17/h/cve-2017-0199-new-malware-abuses-powerpoint-slide-show.html\r\n[4] en.wikipedia.org/wiki/Dot-decimal_notation\r\n[5] vultr.com/resources/ipv4-converter/?ip_address=94.156.174.121\r\n[6] cyberarms.wordpress.com/2016/02/13/using-problem-steps-recorder-psr-remotely-with-metasploit/\r\n[7] lolbas-project.github.io/lolbas/Binaries/Psr/\r\n[8] docs.microsoft.com/en-us/dotnet/api/system.io.drivetype?view=net-5.0\r\n[9] “The name “Kremlin” means “fortress inside a city”, and is often also used metonymically to refer to the government\r\nof the Russian Federation in a similar sense to how “White House” refers to the Executive Office of the President of the\r\nUnited States”\r\n[10] vultr.com/resources/ipv4-converter/?ip_address=94.156.174.121\r\n[11]\r\ndocs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.i0mazx2vmwtx\r\n[12] ti.dbappsecurity.com.cn/blog/index.php/2020/09/18/operation-domino/\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 19 of 20\n\n[13] en.wikipedia.org/wiki/Inter_RAO\r\nSource: https://www.clearskysec.com/operation-kremlin/\r\nhttps://www.clearskysec.com/operation-kremlin/\r\nPage 20 of 20",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.clearskysec.com/operation-kremlin/"
	],
	"report_names": [
		"operation-kremlin"
	],
	"threat_actors": [
		{
			"id": "17149e38-d8e7-4f06-998e-3b715064fefd",
			"created_at": "2022-10-25T16:07:23.942042Z",
			"updated_at": "2026-04-29T10:39:55.416577Z",
			"deleted_at": null,
			"main_name": "Operation Domino",
			"aliases": [
				"Operation Domino",
				"Operation Kremlin"
			],
			"source_name": "ETDA:Operation Domino",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777450991,
	"ts_updated_at": 1777459303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/439e6fece9856f87a5828ad0d3b619f698453506.pdf",
		"text": "https://archive.orkl.eu/439e6fece9856f87a5828ad0d3b619f698453506.txt",
		"img": "https://archive.orkl.eu/439e6fece9856f87a5828ad0d3b619f698453506.jpg"
	}
}