{
	"id": "01582d76-c5ca-4529-bacb-0b96a16f0f75",
	"created_at": "2026-04-06T00:14:58.848926Z",
	"updated_at": "2026-04-10T03:37:49.838863Z",
	"deleted_at": null,
	"sha1_hash": "539d54e61bda7b990e0b86d8d3c4e77ec14896fe",
	"title": "UAC-0063: Cyber Espionage Operation Expanding from Central Asia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3525159,
	"plain_text": "UAC-0063: Cyber Espionage Operation Expanding from Central Asia\r\nBy Martin Zugec\r\nArchived: 2026-04-05 16:28:59 UTC\r\nBitdefender Labs warns of an active cyber-espionage campaign targeting organizations in Central Asia and European\r\ncountries. The group, tracked as UAC-0063, employs sophisticated tactics to infiltrate high-value targets, including\r\ngovernment entities and diplomatic missions, expanding their operations into Europe.\r\nSince the start of the Ukraine war, the geopolitical landscape of Central Asia has undergone significant shifts, impacting the\r\nregion's relationships with both Russia and China. Russia's influence, once dominant, has noticeably declined due to its\r\nactions in Ukraine, which have damaged its reputation as a regional security guarantor, with some Central Asian countries\r\nfeeling that Russia doesn't respect their sovereignty.\r\nIn contrast, China's influence in Central Asia is growing, particularly in the economic sphere, as it seeks access to raw\r\nmaterials and prioritizes economic development as a path to stability. China's approach differs from Russia's; Beijing\r\nfocuses on economic instruments such as the Belt and Road Initiative (BRI) to build infrastructure and trade links, while\r\nMoscow historically relied on military presence and formal alliances.\r\nWhile they share some security interests, such as combating extremism and terrorism, the relationship between Russia and\r\nChina in Central Asia is complex, marked by both cooperation and competition. This competition is made more\r\nconsequential by the absence of a strong U.S. presence in the region, which removes an incentive for the two powers to\r\ncooperate. Unsurprisingly, these geopolitical tensions in Central Asia have created a fertile ground for cyberespionage.\r\nOur previous research identified a new persistent threat actor, UAC-0063, specializing in espionage against government\r\ninstitutions and sensitive data exfiltration. 
We have been monitoring their operations since 2022. While initially lacking\r\nsufficient data for a dedicated name, further research by Bitdefender Labs and insights from CERT-UA have provided a\r\nmore comprehensive understanding of this actor's tactics, techniques, and procedures (TTPs). This research focuses on\r\ncompleting the picture of UAC-0063's operations, particularly documenting their expansion beyond their initial focus on\r\nCentral Asia, targeting entities such as embassies in multiple European countries, including Germany, the UK, the\r\nNetherlands, Romania, and Georgia.\r\nKey Points:\r\nInitial Access: Threat actors exploited previously compromised victims by weaponizing exfiltrated Microsoft Word\r\ndocuments. These weaponized documents were then used to deliver the HATVIBE malware to new targets.\r\nData Exfiltration: A USB data exfiltrator we named PyPlunderPlug was discovered on a victim's system. This\r\ntool was found alongside a keylogger that is believed to be a precursor to the LOGPIE keylogger.\r\nMalware Payloads: Intensive monitoring has provided a more detailed understanding of the payloads delivered by\r\nDownEx (written in C++) and DownExPyer (written in Python, also known as CHERRYSPY) malware.\r\nOngoing Operations: The continuous use and maintenance of infrastructure and the weaponization of new\r\ndocuments indicate that these espionage operations are active and ongoing.\r\nAttribution\r\nRather than creating a new designation, we have adopted the name UAC-0063 assigned by CERT-UA for this threat actor.\r\nThe threat actor UAC-0063 is also tracked as TAG-110. We mentioned APT28 in our initial research because UAC-0063 uses backdoors written in multiple languages, a characteristic observed with APT28's Zebrocy backdoor. 
However, it is\r\nimportant to note that this does not definitively link the two groups and that the use of multiple languages is a characteristic\r\nof different threat actors, as well.\r\nThere is a moderate confidence assessment by CERT-UA that UAC-0063 is linked to the Russian cyber-espionage group\r\nAPT28 (BlueDelta). However, the specific basis for this assessment remains unclear, as it is not explicitly attributed to\r\nshared infrastructure, code similarities, or other concrete technical evidence.\r\nhttps://www.bitdefender.com/en-us/blog/businessinsights/uac-0063-cyber-espionage-operation-expanding-from-central-asia\r\nPage 1 of 17\n\nWhile the strategic interests overlap, the technical evidence to definitively link UAC-0063 to APT28 is not strong enough to\r\neither confirm or deny it with high confidence. The identification of overlapping interests and TTPs with known Russian\r\ngroups is important to be aware of but does not constitute full attribution in our opinion.\r\nInitial access\r\nAs part of our process for analyzing threat actor TTPs, we analyze malicious documents to develop generalized detection\r\nsignatures. These signatures proactively help our customers identify and block similar threats. Additionally, this approach\r\nallows us to receive alerts when matching files are encountered on third-party platforms, such as VirusTotal. Several such\r\nalerts were triggered in September and October of 2024.\r\nOur analysis revealed a concerning scenario: threat actors compromised one victim, weaponized their real documents, and\r\nthen used these compromised documents to attack another victim. This exemplifies a common, yet often underestimated,\r\nform of supply chain attack. The weaponized Microsoft Word documents were uploaded from Kazakhstan and appear to\r\nhave been exfiltrated from Kazakh embassies, based on details found in the documents. 
This hypothesis is supported by\r\nmetadata such as author names, document titles, and even comments included in some files.\r\nThese documents were all designed to deploy the HATVIBE loader using a combination of VBA scripts. Another detailed\r\nanalysis of the HATVIBE loader was published by the Sekoia team.\r\nDetails about some of the identified documents are presented below:\r\nMD5 | Relevant Details | Creation Time\r\n35fee95e38e47d80b470ee1069dd5c9c | Document name -\u003e Rev5_ Joint Declaration C5+GER_clean version.doc | 2024-09-13T09:06:00Z\r\na15e652cf058209c0c0040dfcaf86fec | Document name -\u003e Rev5_ Joint Declaration C5+GER_track changes.doc | 2024-09-13T09:10:00Z\r\nafe03893b7a5c589fc31f9ce9ed28a9f | Document name -\u003e 16-09-2024 Об итогах визита в Люксембург.doc | 2024-09-16T07:57:00Z\r\n3d33ac05d0ca473518c784c37bc887a9 | Author -\u003e Consulate; Last modified by -\u003e Kabul | 2024-08-27T14:45:00Z\r\n276f1b9d7b6ebd9bd799822ec94470c7 | Title -\u003e Накануне начала президентских выборов в Румынии | 2024-09-12T13:55:00Z\r\nab5685ebf439f61c554977df1e1cd0c3 | Title -\u003e Об итогах встреч Главы государства с руководителями американских компаний (г. Нью-Йорк, 17-18 сентября 2023 г.) | 2023-09-28T05:41:00\r\nDocument samples retrieved from VirusTotal for analysis\r\nFor delivery of these weaponized documents, threat actors send emails with URL links in their body instead of directly\r\nattaching these documents to emails. This approach reduces the risk of detection by more basic email security gateways. 
The\r\nlatest infection attempt was observed on November 21, 2024, containing a link to a document file named Инфо о запуске\r\nнового проекта ec.doc hosted on server https://cloud-mail[.]ink/download.php.\r\nAfter opening these documents, users encounter a deceptive display: blurred pages accompanied by a standard warning\r\nbanner that \"Macros have been disabled.\" This social engineering technique aims to pressure the user into enabling macros\r\nby implying that enabling them is necessary to view the document content.\r\nVictim's View: Microsoft Word document with blurred content and macro warning (blurring removed upon macro\r\nenablement).\r\nOnce macros are enabled, the built-in subroutine Document_Open() is automatically executed. The document is password-protected – the sub starts with unlocking this document using a hardcoded password. This is followed by removal of visual\r\nelements that blur the document content, creating the illusion that the user has successfully “unlocked” the document, while\r\nthe malicious payload silently executes in the background.\r\nThe embedded VBA code in the initial document tries to minimize suspicious activity. The primary objective is to disable\r\nmacro security and deploy the second-stage VBA payload.\r\nThe malicious script continues by making registry changes, specifically setting the AccessVBOM registry value to 1 in the\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Office\\16.0\\Word\\Security key (where \"16.0\" corresponds to the Office\r\napplication version). By default, this registry value does not exist. 
When this value is absent or set to 0, Office documents\r\nhave restricted access to the VBA object model, limiting the potential damage that malicious macros can inflict.\r\nThreat actors store segments of the malicious code as variables within the initial compromised document. A new, temporary\r\ndocument is created in the %LOCALAPPDATA%\\Temp directory. All variables from the initial document are copied to the\r\nnew document, with a unique string (ergegdr) appended to each variable name. The purpose of this renaming remains\r\nunclear.\r\nThe initial document contains the second-stage VBA code and the HATVIBE payload, both stored within document variables\r\n(settings.xml).\r\nWithin this temporary document, the script dynamically reconstructs the malicious code by combining the values of the last\r\nthree variables from the initial document.\r\nThe next-stage code is generated by concatenating the contents of various variables.\r\nThis VBA code comprises two distinct code blocks (stored in variables block1 and block2).\r\nblock1 combines all variables (excluding the last three), each containing a hex-encoded string. These hex strings,\r\nwhen concatenated, form the HATVIBE loader, an HTA (HTML Application) script. The generated HATVIBE\r\nloader is saved to %LOCALAPPDATA%\\Settings\\locale or %LOCALAPPDATA%\\Lookup\\Dispatch.\r\nblock2 creates a scheduled task named Settings\\ServiceDispatch or Lookup\\Dispatch. This scheduled task executes\r\nthe HATVIBE loader using the mshta.exe utility every 4 minutes to establish persistent access to the compromised system.\r\nThe complete flow of this initial attack stage is summarized in the diagram below.\r\nHATVIBE Loader\r\nAs mentioned before, HATVIBE is an HTA (HTML Application) script. 
HTA is a file format that combines HTML, CSS,\r\nand scripting languages like VBScript or JavaScript and is executed under mshta.exe. In this case, the generated HTA file\r\ncontains an encoded VBScript (VBE) payload to interact with the C2 server, receive commands, and execute malicious\r\nactions on the compromised system.\r\nDecoded HATVIBE HTA file containing encoded VBScript code\r\nDecoded VBScript code contains HATVIBE implant\r\nHTA was traditionally used to provide a user interface for legacy Windows scripting languages. But a visible user interface\r\nis exactly the opposite of what threat actors are trying to achieve. To address this, the beginning of the HTA file contains the\r\nfollowing commands:\r\nwindow.resizeTo(0, 0);\r\nwindow.moveTo(-2000, -2000);\r\nThese commands effectively hide the HTA window by resizing it to zero dimensions and moving it off-screen.\r\nDecoded HATVIBE script shows that an HTTP PUT request is sent to the C2 server, transmitting the victim's ID, hostname,\r\nand username as a JSON payload. If the C2 server’s response is prefixed with sd5ddf3e3fg4gfds, the implant executes the\r\nreturned hex-encoded code. Otherwise, the script is delayed for 10-20 seconds before attempting to contact the C2 server\r\nagain.\r\nThe payload returned by the C2 server triggers another HTTP request using the same JSON object and method but targeting\r\na different endpoint. The C2 server's response to this request can contain:\r\nA string prefixed with c50507e7e2c5029: This triggers the execution of a VBScript script provided in the response.\r\nA string prefixed with 65mnn4mmk3mv3ac: This indicates that a file should be dropped on the victim's system. 
The\r\nresponse also includes the file's path, size, and content.\r\nThese capabilities suggest a feature-rich implant with likely many more prefixed commands yet to be uncovered.\r\nAn example of a task received by the HATVIBE loader from the C2 server\r\nAn interesting observation related to the HATVIBE C2 server is the presence of a zip archive named 379.zip (MD5:\r\n7a2a8c002a5e22c6231885e1ccf82bd1) stored in the /tmp directory. This archive contains a ready-to-deploy Python\r\nenvironment. Notably, the same Python executable extracted from the 379.zip archive is used to execute the malicious\r\nPython implant known as DownExPyer (or CherrySpy). DownExPyer is likely the next payload intended for deployment on\r\nspecific targeted victims.\r\nComponents\r\nThe effort to monitor the UAC-0063's TTPs yielded valuable insights, uncovering previously unknown tools specifically\r\ndesigned for data collection and subsequent exfiltration. The following section details the findings from this investigation.\r\nDownExPyer Tasks\r\nDownExPyer (also known as CherrySpy), a key component of the UAC-0063 operations, was first detailed in Bitdefender's\r\n\"Deep Dive Into DownEx Espionage Operation in Central Asia\" and subsequently analyzed by CERT-UA and Insikt Group.\r\nDownExPyer maintains a persistent connection with a C2 server controlled by the attackers. The C2 server can send a\r\nvariety of tasks to the infected system, such as instructions to collect specific data, execute commands, or deploy additional\r\nmalware components. This approach enables the client-side component (the malware on the infected system) to remain\r\nlightweight and harder to detect, as the majority of the operational logic and code reside on the C2 server. 
While\r\nDownExPyer utilizes classes for task organization, it is important to mention that nothing prevents threat actors from\r\ndelivering Python code directly instead of using class constructs. This suggests a more developed framework on the C2\r\nserver side.\r\nThe stability of DownExPyer's core functionalities over the past two years is a significant indicator of its maturity and likely\r\nlong-standing presence within the UAC-0063 arsenal. This observed stability suggests that DownExPyer was likely already\r\noperational and refined prior to 2022.\r\nSeveral older artifacts are listed below:\r\nMD5 | Path | Last Write Time | C2\r\n2e91803687463201792ca7514fca07fa | %COMMON_APPDATA%\\python\\tools\\scripts\\help.py | 2022-06-16T09:16:06Z | net-certificate services\r\nbd7d98bc785beff4f4e5f7d8fc1ac2b4 | %COMMON_APPDATA%\\programs\\base_sql.py | 2022-07-08T08:15:07Z | 109.230.199[\r\n363f000702504ab19652dde2fde800e8 | %COMMON_APPDATA%\\python\\tools\\scripts\\aiopyfix.py | 2023-01-20T11:07:23Z | 109.230.199[\r\nb657d46d69e24b3607a81cacc486e384 | %COMMON_APPDATA%\\python\\tools\\scripts\\findcolor.py | 2023-05-24T07:11:28Z | 103.140.186[\r\n3cf8f57bd07fdd8e06b1630a3f27f330 | %COMMON_APPDATA%\\python\\tools\\scripts\\findcolor.py | 2023-05-31T06:58:34Z | errorreporting\r\nOn April 4, 2024, a notable change in the deployment of DownExPyer was observed when a compiled version of the script,\r\ncreated using Cython, attempted to execute on a victim in Romania. This compiled DLL file included the presence of\r\nfamiliar function names and identifiers like USR_KAF.\r\nHowever, the C2 address was obfuscated by XOR-encoding it using the key 18f3aMKv. 
Other parameters, including the\r\nvictim ID, user agent, and JSON fields like TSK_BODY and USR_CRC used in communication, were also encoded using\r\nthis method.\r\nMD5 | Path | Last Write Time | C2\r\n8f7dab01610b53398a296192ee600905 | %COMMON_APPDATA%\\python\\aiopyfix.cp37win32.pyd | 2024-04-04T08:55:35Z | retaild\r\nThe inner workings of DownExPyer have been extensively documented in previous research by Bitdefender and CERT-UA.\r\nThis update will focus on the specific tasks it receives from its C2 servers.\r\nDuring the investigation, tasks delivered from various C2 servers were analyzed. The key findings are summarized below:\r\nAll tasks are implemented as Python classes, with names consistently beginning with the letter \"A\" followed by a\r\nunique number. Analysis indicates the existence of at least 11 such task classes.\r\nEach task class is instantiated in the final line of the received script. The first four parameters of the constructor are\r\nconsistent across all tasks:\r\nuri - The C2 communication URL, formatted as uri = \"https://\u003cC2\u003e:443/\u003c32-character USR_KAF\u003e\"\r\nms - The unique task ID\r\naes_key - The AES encryption key\r\niv - The AES initialization vector (IV)\r\nA3 - DOWNLOAD_LIST\r\nThe first task from the list is A3, designed for file exfiltration. The A3 task retrieves its parameters from the ATTRIB list,\r\nwhich is provided as an argument to the class constructor. This list contains at least four elements:\r\n1. days: Specifies the number of days used to filter files. Only files modified within that many days are considered for\r\nexfiltration. If days is set to -1, no time-based filtering is applied.\r\n2. isReverseFormat: A Boolean value that determines whether to include or exclude files based on the specified\r\ncriteria. If False, only files matching the specified criteria are collected. If True, all files except those matching the\r\ncriteria are collected.\r\n3. 
(unused): This element currently appears to be unused.\r\n4. File Paths and Extensions: Subsequent elements define the starting locations for searching for files and the\r\ncorresponding extensions. These elements are formatted as \u003cfile or folder\u003e || \u003cext1; ext2;...\u003e, where \u003cfile or folder\u003e\r\nspecifies the root directory for the search and \u003cext1; ext2;...\u003e defines a semicolon-separated list of extensions to\r\ninclude or exclude (based on the isReverseFormat value).\r\nFor example: ATTRIB=['1', 'False', 'False', 'c:\\\\Users\\\\ || doc; dot; docx; xls; xlsx; ppt; pptx; odt; pdf; rtf; rar; zip; jpg; jpeg;',\r\n'c:\\\\$Recycle.Bin\\\\ || doc; dot; docx; xls; xlsx; ppt; pptx; odt; pdf; rtf; rar; zip; jpg; jpeg;']\r\nStarting from the fourth element (index 3) of the list, each string is processed by separating the path from the extensions,\r\nfollowed by a recursive scan of the path:\r\nFolder scanning routine\r\nDuring the scan, two lists are populated: one containing the full file paths and another storing metadata for each file,\r\nincluding its path, creation and modification times, and size. To be included in exfiltration, each file must meet the following\r\ncriteria:\r\nModification Time - The file's modification time must fall within the specified time window, determined by the days parameter.\r\nExtension Matching - The file's extension must either be included in or excluded from the specified list of extensions,\r\ndepending on the value of the isReverseFormat parameter.\r\nFile Size - The file size must not exceed 64MB.\r\nDuring the scanning process, a counter is incremented for each file processed. After every 500 files, the script checks for a\r\ncancellation flag. This flag is set in the config.ini file located in the same directory as the DownExPyer implant. 
Further\r\ndetails about the cancellation mechanism are provided in the A11 task subsection.\r\nOnce the scan is complete, the lists of file paths and metadata are further processed prior to data exfiltration.\r\nFirst, file metadata is grouped into chunks of 10,000 entries and uploaded to the C2 server as .logs files. Next, files selected\r\nfor exfiltration are combined into archives, each no larger than 16MB, and uploaded to the C2 server. If an exception occurs\r\nat any stage, the exception details are captured and uploaded as .logs files.\r\nCompression and Exfiltration loop\r\nA4 - DOWNLOAD_AND_DELETE_LIST\r\nThe A4 task is quite similar to A3, sharing much of the same code and the same parameters to control behavior. However,\r\none key difference is that, in addition to exfiltrating files to the C2, the A4 task also deletes the files from the disk after\r\nexfiltration. Evidence indicates that the A4 task was used to collect keystroke logs.\r\nCode corresponding to file exfiltration and deletion\r\nFor example: A4(uri = \"\u003cc2\u003e\",ms = \u003ctask id\u003e,aes_key = b'\u003caes key\u003e',iv = b'\u003caes iv\u003e',ATTRIB=['-1', 'True', '',\r\n'C:\\\\ProgramData\\\\Python\\\\Lib\\\\LOC\\\\F\\\\ || py;'])\r\nA5 - EXECUTE\r\nThe A5 task results in a command execution, where commands are supplied as a list to the class constructor. The first three\r\nelements of the list provided to the class constructor are used for common parameters. The fourth element of the list\r\nrepresents the command itself. Importantly, the command itself is also a list, with the first three elements reserved. The\r\nactual command to execute is specified in the fourth and subsequent elements of the internal command array. 
While\r\nhypothetically there could be multiple commands to execute, all tasks that we’ve analyzed had only a single command (four\r\nelements).\r\nFor example: A5(uri = \"\u003cC2\u003e\",ms = \u003ctask\u003e,aes_key = b'\u003caes key\u003e',iv = b'\u003caes IV\u003e', command=['', '', '', 'taskkill /f /im\r\npythonw.exe'])\r\nThe subprocess.Popen function is used to execute the commands. The output generated from the command execution is then\r\ncollected and transmitted back to the C2 server.\r\nExecution routine\r\nIf the fourth parameter is an empty string, the script invokes the systeminfo function, which sends the following system\r\ninformation to the C2:\r\nsysteminfo() command implementation\r\nIn November 2024, a notable task was issued to execute the command C:\\\\ProgramData\\\\Python\\\\pythonw.exe -m pip install\r\npywin32==304 psutil keyboard scipy, likely as an attempt to install dependencies for the LOGPIE keylogger. This suggests\r\nthat DownExPyer may include a task capable of uploading files to the victim's system, with this particular A5 task\r\npotentially serving as the initial step in deploying the keylogger by installing its required components.\r\nA6 - SCAN_LIST\r\nThe A6 task provides file listing capabilities, similar to how the A3 and A4 tasks report file metadata. However, unlike A3\r\nand A4, A6 does not exfiltrate the actual file content.\r\nThe issued A6 tasks specifically target shared folders, indicating that attackers likely use this task to search for files of\r\ninterest.\r\nA7 – SCREENSHOT\r\nThe A7 task enables screen capturing and uses two additional parameters, besides the common ones: num and period. 
These\r\nparameters control the number of screenshots to be taken and the delay (in seconds) between each capture.\r\nFor example: A7(uri = \"\u003cC2\u003e\",ms = \u003ctask id\u003e,aes_key = b'\u003caes key\u003e',iv = b'\u003caes IV\u003e',num=1, period=1)\r\nThe screenshots are captured using the mss Python module and uploaded to the C2 as .png files:\r\nScreen capturing routine\r\nA11 – STOP_TSK\r\nThe A11 task is a cancellation task, designed to notify another currently running task to terminate its execution.\r\nThe class is instantiated by providing a parameter, TSK_LINK, which is the ID of the task to be canceled, along with the\r\ncommon parameters.\r\nFor example: A11(uri=\"\u003cC2\u003e\", ms=\u003ctask id\u003e, aes_key=b'\u003caes key\u003e', iv=b'\u003caes IV\u003e', TSK_LINK=\"\u003cid of the task to be\r\ncancelled\u003e\")\r\nThe target task ID is then stored in the config.ini file, completing the task A11.\r\nSTOP_TSK implementation in A11 class\r\nAll other DownExPyer tasks include a class method named STOP_TSK. This method works by checking the config.ini file\r\nfor a cancellation flag. It then compares the task ID with which the class was initialized to the task ID listed in the config.ini\r\nfile. If these IDs match, it signifies that attackers have issued a cancellation command, prompting the task to immediately\r\nterminate its execution.\r\nSTOP_TSK implementation task classes (except A11)\r\nThe STOP_TSK method is implemented within each class (except A11). The config.ini file is designed to hold only a single\r\ntask ID and is deleted after its contents are read. The check for a match between the class task ID and the ID retrieved from\r\nconfig.ini occurs after the file is deleted.\r\nDownExPyer seems to be poorly designed for handling parallel task execution. 
While each task is executed in a separate\r\nthread, the STOP_TSK method functions correctly only when tasks are processed sequentially.\r\nPyPlunderPlug\r\nThe PyPlunderPlug script was deployed on January 12, 2023, at a target in Germany, based on the file's last modified\r\ntimestamp. Much later, a Bitdefender solution was installed, which detected artifacts from the Python execution. This\r\nenabled the recovery and analysis of some of the scripts.\r\nInvestigation revealed that PyPlunderPlug was deployed alongside DownExPyer, both PYARMOR protected and executed\r\nwithin the same Python environment.\r\nMD5 Path\r\nda6d60f86a6c38127260e29fa91c1c8a %LOCALAPPDATA%\\programs\\onedrive\\crashreporting.py\r\nThe script is designed to collect data from removable devices connected to the infected system.\r\nThe script uses the file %LOCALAPPDATA%\\local.file.db-txt to log information about collected files, with each entry\r\nstored on a separate line. Each entry consists of a Base64-encoded string containing the file name, creation time, last\r\nmodification time, and file size, added for files meeting specific conditions. Upon startup, the script checks for the presence\r\nof the file and if it exists, all entries are read, and details of previously collected files are loaded into memory to prevent\r\nredundant copying of files that have not been modified since the last collection.\r\nIf it does not exist, the script then creates the staging folder %LOCALAPPDATA%\\Recent\\ShortCuts\\files.\r\nThe core functionality operates within a loop, with a 200-second delay between each iteration. During each cycle, the detect\r\nfunction is called to identify removable drives connected to the system. This function utilizes the win32file module and\r\nfunctions like GetLogicalDrives and GetDriveType to search for devices classified as DRIVE_REMOVABLE.\r\nFor each detected drive, the script performs a recursive scan using the os.walk function. 
This scan targets files with specific\r\nextensions: doc, dot, odt, xls, ppt, pdf, rtf, txt, tif, jpg, jpeg, bmp, png, rar, zip, 7z, gz, tmp, pages. Additionally, the script\r\nconsiders the days parameter, which instructs it to collect only files modified within the specified number of days.\r\nFiles meeting the criteria are copied to the staging location, %LOCALAPPDATA%\\Recent\\ShortCuts\\files, using the\r\nshutil.copyfile function.\r\nThe script itself lacks a mechanism for exfiltrating the collected data. This suggests that data exfiltration likely occurs\r\nthrough a separate channel, potentially using other malware implants such as DownEx or DownExPyer.\r\nLOGPIE Keylogger Precursor\r\nAmong the artifacts identified on another victim's system is a Python script designed to record keystrokes on the\r\ncompromised machine.\r\nMD5 Path\r\nc3288a9d7fe494ae85a70af9f84e4d02 %COMMON_APPDATA%\\python\\lib\\mac\\synchronizewintime.py\r\nThis script was deployed on June 20, 2022, shortly after the installation of DownExPyer. To ensure persistence, the script\r\nwas executed via a scheduled task named Application\\SynchronizeTime.\r\nFurthermore, the presence of DownEx and the HATVIBE implants was confirmed. Evidence of HATVIBE was found in a\r\nscheduled task designed to execute %LOCALAPPDATA%\\verifiedpublisher\\certstorecheck.hta using mshta.exe.\r\nAnalysis of the Python script revealed it to be a relatively simple piece of code, likely adapted from a publicly available\r\nrepository, with a resemblance to publicly accessible keylogger examples. Notably, the script lacks any form of obfuscation,\r\nsuggesting it may have been an initial, less sophisticated attempt by the attacker to deploy a basic keylogging tool.\r\nKeylogger log files are stored in the same directory as the Python script itself. 
Filenames are generated from a modified\r\ntimestamp ({start_dt_str}) and assigned the unusual .~tm extension. Interestingly, this uncommon file extension was also\r\nobserved in the analyzed DownEx samples, suggesting it may be a preferred method for retrieving keystroke logs by these\r\nattackers.\r\nCERT-UA's initial research on UAC-0063 describes an advanced variant of the analyzed script, the LOGPIE keylogger. This\r\nenhanced version not only supports clipboard monitoring but also utilizes a different file extension, .~tmp, and stores logs in\r\nthe following directory: %LOCALAPPDATA%\\Diagnostics\\\u003cUSER_SID\u003e\\1cbe6654-466b-4d53-8303-2e86ab6db8a7.\r\nThis is significant because one of the intercepted A4 tasks received by a DownExPyer implant specifically targeted files\r\nwith the .~tmp extension from this directory, strongly suggesting its purpose was to retrieve keylogs. Furthermore, another\r\nA4 task was configured to scan the C:\\ProgramData\\Python\\Lib\\LOC\\F directory for files to upload to the C2 server,\r\nexcluding those with a .py extension. This likely indicates the presence of a keylogger operating from that directory at the\r\ntime the A4 task was issued.\r\nTargets and Infrastructure\r\nThe UAC-0063 group continues its operations, as evidenced by the active DownExPyer C2 servers:\r\nC2 DownExPyer Domain | IP\r\nlanmangraphics[.]com | 84.32.188.23\r\nerrorreporting[.]net | 185.62.56.47\r\ninternalsecurity[.]us | 212.224.86.69\r\ntieringservice[.]com | 46.183.219.228\r\nautomation-embedding[.]com | 195.80.150.54\r\nretaildemo[.]info | 185.167.63.42\r\nenrollmentdm[.]com | 185.158.248.198\r\nunderwearshopfor[.]com | 91.237.124.142\r\nrss-feed-monitoring[.]com | 38.180.87.154\r\nfuturesfurnitures[.]com | 91.202.5.49\r\nThe actor has been observed renewing TLS certificates for domains functioning as active C2s as their expiration dates\r\napproach. 
This behavior demonstrates a deliberate effort to sustain operational security over time.\r\nBased on the analyzed data, the UAC-0063 attacks likely targeted embassies in Germany, the Netherlands, Romania,\r\nGeorgia, Kazakhstan, and Afghanistan. In some cases, there were attempts to reinfect previously compromised targets using\r\nthe same known infection vector involving weaponized documents.\r\nConclusion\r\nOur general recommendation for effectively defending against past, present, and future threats remains the same:\r\nimplementing a multilayered, defense-in-depth architecture.\r\nPrevention: A critical first step in mitigating the risk of cyberattacks is minimizing the attack surface. Proactive risk\r\nmanagement, including thorough threat modeling and vulnerability assessments, is crucial for identifying and\r\nmitigating potential threats before they can be exploited by adversaries like UAC-0063.\r\nProtection: By deploying multiple security layers across all devices and users, organizations can create significant\r\nobstacles for threat actors who manage to bypass initial defenses. It's essential to strike the right balance between\r\nblocking malicious activities and flagging suspicious behavior, while minimizing false positives and performance\r\nimpacts.\r\nDetection and Response: Most modern attacks take at least days, typically weeks, to fully compromise a network. A\r\nsignificant portion of this time is spent on lateral movement, where attackers gain access to additional systems and\r\ndata. Our investigations consistently reveal that threat actors typically generate sufficient indicators of compromise to\r\nbe detected. However, two common pitfalls hinder effective response.\r\nFirstly, the absence of robust endpoint detection and response (EDR) or extended detection and response\r\n(XDR) solutions. 
EDR and XDR solutions are designed to decrease the time during which threat actors remain\r\nundetected, by analyzing and correlating suspicious behavior, even if it can’t be immediately classified as\r\nmalicious.\r\nSecondly, while detection tools like EDR and XDR can identify anomalies, effective security operations are\r\nrequired to investigate, prioritize, and respond to these alerts. Understaffed or overburdened security teams\r\nmay struggle to analyze these alerts, allowing security incidents to escalate into full-blown security breaches.\r\nBy investing in dedicated security operations teams or more affordable managed detection and response\r\n(MDR) services, organizations can significantly reduce the risk of these breaches.\r\nUAC-0063 exemplifies a sophisticated threat actor group characterized by its advanced capabilities and persistent targeting\r\nof government entities. Their arsenal, featuring sophisticated implants like DownExPyer and PyPlunderPlug, combined with\r\nwell-crafted TTPs, demonstrates a clear focus on espionage and intelligence gathering. The targeting of government entities\r\nwithin specific regions aligns with potential Russian strategic interests.\r\nWe would like to thank Bitdefender's Alexandru Maximciuc, Adrian Schipor, and Victor Vrabie (sorted alphabetically) for\r\ntheir contributions to this research report.\r\nIOCs\r\nThe right threat intelligence solutions can provide critical insights about attacks. Bitdefender IntelliZone is an easy-to-use\r\nsolution that consolidates all the knowledge we've gathered regarding cyber threats and the associated threat actors for\r\nsecurity analysts, including access to Bitdefender’s malware analysis services. 
If you already have an IntelliZone account\r\nyou can find additional structured information under Threat ID BDb3u1e5tx.\r\nMD5 Path Last Write Time\r\nbd7d98bc785beff4f4e5f7d8fc1ac2b4 %COMMON_APPDATA%\\programs\\base_sql.py 2022-07-08T08:15:07Z\r\nda6d60f86a6c38127260e29fa91c1c8a %LOCALAPPDATA%\\programs\\onedrive\\crashreporting.py 2023-01-12T06:02:06Z\r\n2e91803687463201792ca7514fca07fa %COMMON_APPDATA%\\python\\tools\\scripts\\help.py 2022-06-16T09:16:06Z\r\nb657d46d69e24b3607a81cacc486e384 %COMMON_APPDATA%\\python\\tools\\scripts\\findcolor.py 2023-05-24T07:11:28Z\r\nc1e4340ebe234478a410f757b18a128c %LOCALAPPDATA%\\Network\\AccessProtection.hta -\r\n5d7a77efe12971bea8ae26206131fbb0 %LOCALAPPDATA%\\Network\\AccessProtection.hta -\r\n8f7dab01610b53398a296192ee600905 %COMMON_APPDATA%\\python\\aiopyfix.cp37-win32.pyd 2024-04-04T08:55:35Z\r\n363f000702504ab19652dde2fde800e8 %COMMON_APPDATA%\\python\\tools\\scripts\\aiopyfix.py 2023-01-20T11:07:23Z\r\n3cf8f57bd07fdd8e06b1630a3f27f330 %COMMON_APPDATA%\\python\\tools\\scripts\\findcolor.py 2023-05-31T06:58:34Z\r\n10791a644da7d95ac4884872d8fa576d %LOCALAPPDATA%\\verifiedpublisher\\certstorecheck.hta -\r\nc3288a9d7fe494ae85a70af9f84e4d02 %COMMON_APPDATA%\\python\\lib\\mac\\synchronizewintime.py 2022-06-20T10:31:15Z\r\nfdf7da11d37ba888fa7078d0f32fdd08 %COMMON_APPDATA%\\programs\\diagsvc.exe 2022-09-08T08:06:37Z\r\n99d1de711a79eee936cde1ee58bd9adf %COMMON_APPDATA%\\drivers\\slmgr.vbe 2022-11-10T20:46:00Z\r\nDownExPyer C2 IP\r\nlanmangraphics[.]com 84.32.188.23\r\nerrorreporting[.]net 185.62.56.47\r\ninternalsecurity[.]us 212.224.86.69\r\ntieringservice[.]com 46.183.219.228\r\nautomation-embedding[.]com 195.80.150.54\r\nretaildemo[.]info 185.167.63.42\r\nenrollmentdm[.]com 
185.158.248.198\r\nunderwearshopfor[.]com 91.237.124.142\r\nrss-feed-monitoring[.]com 38.180.87.154\r\nfuturesfurnitures[.]com 91.202.5.49\r\nHATVIBE C2\r\nlookup[.]ink\r\nbackground-services[.]net\r\nMALDOC C2\r\ncloud-mail[.]ink\r\nSource: https://www.bitdefender.com/en-us/blog/businessinsights/uac-0063-cyber-espionage-operation-expanding-from-central-asia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.bitdefender.com/en-us/blog/businessinsights/uac-0063-cyber-espionage-operation-expanding-from-central-asia"
	],
	"report_names": [
		"uac-0063-cyber-espionage-operation-expanding-from-central-asia"
	],
	"threat_actors": [
		{
			"id": "d0d996a0-98e2-49fd-b55e-97ba053c4ed0",
			"created_at": "2024-07-25T02:00:04.423466Z",
			"updated_at": "2026-04-10T02:00:03.679863Z",
			"deleted_at": null,
			"main_name": "UAC-0063",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0063",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434498,
	"ts_updated_at": 1775792269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/539d54e61bda7b990e0b86d8d3c4e77ec14896fe.pdf",
		"text": "https://archive.orkl.eu/539d54e61bda7b990e0b86d8d3c4e77ec14896fe.txt",
		"img": "https://archive.orkl.eu/539d54e61bda7b990e0b86d8d3c4e77ec14896fe.jpg"
	}
}