{
	"id": "ca9a66ae-5807-43ce-b437-f87253687935",
	"created_at": "2026-04-06T00:09:58.661163Z",
	"updated_at": "2026-04-10T13:12:03.183148Z",
	"deleted_at": null,
	"sha1_hash": "5efd1aaa7e3c4c9a1cc9fa5797247df496798a53",
	"title": "UAC-0057 Attack Detection: A Surge in Adversary Activity Distributing PICASSOLOADER and Cobalt Strike Beacon",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45021,
	"plain_text": "UAC-0057 Attack Detection: A Surge in Adversary Activity\r\nDistributing PICASSOLOADER and Cobalt Strike Beacon\r\nBy Veronika Zahorulko\r\nPublished: 2024-07-25 · Archived: 2026-04-05 15:25:25 UTC\r\nDefenders have observed a sudden surge in the adversary activity of the UAC-0057 hacking group targeting\r\nUkrainian local government agencies. Attackers distribute malicious files containing macros aimed at launching\r\nPICASSOLOADER on the targeted computers, which leads to the delivery of Cobalt Strike Beacon. \r\nDetect UAC-0057 Activity Covered in the CERT-UA#10340 Alert\r\nSince the full-scale war outbreak, the UAC-0057 hacking collective has repeatedly targeted Ukrainian\r\norganizations. To detect the latest UAC-0057 campaign and analyze the group’s activity retrospectively, cyber\r\ndefenders might rely on SOC Prime’s Platform for collective cyber defense, which offers a complete product suite\r\nfor AI-powered Detection Engineering, Automated Threat Hunting, and Detection Stack Validation. \r\nBy following the link below, security professionals can access the comprehensive detection stack addressing the\r\nlatest UAC-0057 activity. Alternatively, experts can browse Threat Detection Marketplace filtering detections by\r\nthe “CERT-UA#10340” tag based on the alert ID. \r\nSigma rules for UAC-0057 attack detection based on the CERT-UA#10340 alert\r\nAll detection algorithms are mapped to the MITRE ATT\u0026CK® framework, enriched with actionable CTI and\r\nmetadata, and are ready to deploy into dozens of cloud-native and on-premises security analytics platforms. \r\nTo obtain the broader detection stack addressing UAC-0057 tactics, techniques, and procedures, security engineers\r\ncan access the relevant Sigma rules collection by clicking the Explore Detections button below.\r\nExplore Detections\r\nThe dedicated CERT-UA alert also provides a collection of IOCs to identify attacks related to the most recent\r\nUAC-0057 campaign. By relying on SOC Prime’s Uncoder AI, defenders can simplify IOC matching by instantly\r\nconverting relevant threat intelligence into custom performance-optimized queries tailored for the language format\r\nof the chosen SIEM or EDR and ready to hunt in the selected environment.\r\nUAC-0057 Attack Analysis\r\nThe UAC-0057 group, also known under the moniker of GhostWriter, has been launching multiple offensive\r\noperations primarily targeting Ukrainian state bodies throughout 2023. For instance, in September 2023, UAC-0057 launched a malicious campaign against the Ukrainian government and educational institutions, abusing a\r\nWinRAR zero-day (CVE-2023-38831) to deliver PICASSOLOADER. In the summer of 2023, the group\r\nleveraged the same loader to infect targeted networks with njRAT.\r\nhttps://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/\r\nPage 1 of 2\n\nIn July 2024, CERT-UA observed a sudden spike in the group’s activity. Adversaries weaponized files containing\r\nmalicious macros to spread PICASSOLOADER and Cobalt Strike Beacon on the impacted systems. \r\nAccording to the latest CERT-UA alert on the UAC-0057 activity, the contents of the uncovered files with macros\r\n(“oborona.rar,” “66_oborona_PURGED.xls,” “trix.xls,” “equipment_survey_regions_.xls,” “accounts.xls,”\r\n“spreadsheet.xls,” “attachment.xls,” “Podatok_2024.xls”) are linked to local government reform, taxation, and\r\nfinancial-economic indicators.\r\nBased on the CERT-UA research, UAC-0057 may have targeted both project office specialists and their\r\ncounterparts among employees of relevant local government authorities in Ukraine.\r\nMITRE ATT\u0026CK Context\r\nLeveraging MITRE ATT\u0026CK provides extensive visibility into the behavior patterns related to the latest UAC-0057 malicious activity targeting Ukrainian local government agencies. Explore the table below to see the full list\r\nof dedicated Sigma rules addressing the corresponding ATT\u0026CK tactics, techniques, and sub-techniques.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/"
	],
	"report_names": [
		"uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "119c8bea-816e-4799-942b-ff375026671e",
			"created_at": "2022-10-25T16:07:23.957309Z",
			"updated_at": "2026-04-10T02:00:04.807212Z",
			"deleted_at": null,
			"main_name": "Operation Ghostwriter",
			"aliases": [
				"DEV-0257",
				"Operation Asylum Ambuscade",
				"PUSHCHA",
				"Storm-0257",
				"TA445",
				"UAC-0051",
				"UAC-0057",
				"UNC1151",
				"White Lynx"
			],
			"source_name": "ETDA:Operation Ghostwriter",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"HALFSHELL",
				"Impacket",
				"RADIOSTAR",
				"VIDEOKILLER",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8a33d3ac-14ba-441c-92c1-39975e9e1a73",
			"created_at": "2023-01-06T13:46:39.195689Z",
			"updated_at": "2026-04-10T02:00:03.243054Z",
			"deleted_at": null,
			"main_name": "Ghostwriter",
			"aliases": [
				"UAC-0057",
				"UNC1151",
				"TA445",
				"PUSHCHA",
				"Storm-0257",
				"DEV-0257"
			],
			"source_name": "MISPGALAXY:Ghostwriter",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434198,
	"ts_updated_at": 1775826723,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5efd1aaa7e3c4c9a1cc9fa5797247df496798a53.pdf",
		"text": "https://archive.orkl.eu/5efd1aaa7e3c4c9a1cc9fa5797247df496798a53.txt",
		"img": "https://archive.orkl.eu/5efd1aaa7e3c4c9a1cc9fa5797247df496798a53.jpg"
	}
}