{
	"id": "b63f1a81-78a3-4a88-b469-cea8ec9c92fe",
	"created_at": "2026-04-06T00:14:27.567447Z",
	"updated_at": "2026-04-10T03:24:58.556792Z",
	"deleted_at": null,
	"sha1_hash": "6dfea7c670d252fd147a0d07de14c246b46e050b",
	"title": "Detecting SmokeLoader Campaign: UAC-0006 Keep Targeting Ukrainian Financial Institutions in a Series of Phishing Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49226,
	"plain_text": "Detecting SmokeLoader Campaign: UAC-0006 Keep Targeting\r\nUkrainian Financial Institutions in a Series of Phishing Attacks\r\nBy Daryna Olyniychuk\r\nPublished: 2023-07-24 · Archived: 2026-04-05 18:54:29 UTC\r\nThe UAC-0006 hacking collective is on the rise, actively targeting Ukrainian organizations with SmokeLoader\r\nmalware in a long-lasting campaign aimed at financial profits. The latest CERT-UA cybersecurity alert details that\r\nthe hacking group has launched a third massive cyber-attack in a row, severely threatening the banking systems\r\nacross the country.\r\nAnalyzing UAC-0006 Phishing Campaign Aimed at SmokeLoader Distribution\r\nIn the wake of the UAC-0006 offensive operation in mid-July 2023, adversaries persistently target the Ukrainian\r\nfinancial sector with a third consecutive attack in the last ten days, utilizing a phishing vector to deliver\r\nSmokeLoader malware.\r\nDetailed analysis by CERT-UA reveals that the latest attack involves the use of a dedicated ZIP polyglot file,\r\nwhose contents vary based on the extracting program. If WinRAR is utilized, the ZIP polyglot would contain\r\na file with either a .pdf or .docx extension, leading to a sequence of JavaScript downloader, SFX-archive, BAT script, and\r\ndecoy files, enticing victims with financial-themed lures, particularly related to payment instructions from Privat\r\nBank, one of Ukraine’s largest banks.\r\nWith more than 1000 devices currently enslaved to the botnet, CERT-UA states with a high level of confidence\r\nthat the adversaries are leveraging compromised authentication data from previous attacks to execute large-scale\r\nphishing email campaigns.\r\nAs the malicious activities of UAC-0006 escalate, CERT-UA anticipates a notable surge in cyber fraud targeting\r\nremote banking systems. To counter these threats, defenders strongly recommend implementing mitigation\r\nmeasures such as restricting the use of utilities like wscript.exe, cscript.exe, powershell.exe, and mshta.exe while\r\nimplementing outgoing information flow filtering.\r\nDetecting SmokeLoader Campaign by UAC-0006 Detailed in CERT-UA#7065,\r\nCERT-UA#7076 Alerts\r\nTo assist cyber defenders in thwarting malicious activity aimed at SmokeLoader infections, SOC Prime Platform\r\nfor collective cyber defense provides a set of curated Sigma rules aimed at UAC-0006 attack detection.\r\nPress the Explore Detections button below to grab an extensive batch of dedicated Sigma rules allowing security\r\nprofessionals to timely identify relevant TTPs leveraged by the UAC-0006 collective. To streamline the SOC content\r\nsearch, apply the corresponding tags “UAC-0006”, “CERT-UA#7065”, “CERT-UA#7066,” or “SmokeLoader” to\r\nhttps://socprime.com/blog/detecting-smokeloader-campaign-uac-0006-keep-targeting-ukrainian-financial-institutions-in-a-series-of-phishing-attacks/\r\nPage 1 of 2\r\nselect detection algorithms enhanced with cyber threat context and automatically convertible to dozens of SIEM,\r\nEDR, XDR formats.\r\nExplore Detections\r\nSecurity engineers can also rely on Uncoder AI to seamlessly hunt for IOCs listed in the recommended CERT-UA#6613, CERT-UA#6757, and CERT-UA#6999 alerts by creating custom IOC queries and running them in the\r\nselected environment on the fly.\r\nMITRE ATT\u0026CK Context\r\nCyber defenders can also gain insights into the context behind the latest phishing attacks by UAC-0006 in more\r\ndetail by exploring the table below, which provides the list of relevant adversary tactics and techniques as per\r\nATT\u0026CK:\r\nSource: https://socprime.com/blog/detecting-smokeloader-campaign-uac-0006-keep-targeting-ukrainian-financial-institutions-in-a-series-of-phishing-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://socprime.com/blog/detecting-smokeloader-campaign-uac-0006-keep-targeting-ukrainian-financial-institutions-in-a-series-of-phishing-attacks/"
	],
	"report_names": [
		"detecting-smokeloader-campaign-uac-0006-keep-targeting-ukrainian-financial-institutions-in-a-series-of-phishing-attacks"
	],
	"threat_actors": [
		{
			"id": "078f7b2a-4e1c-4843-b7cd-353331cd2260",
			"created_at": "2023-11-21T02:00:07.359148Z",
			"updated_at": "2026-04-10T02:00:03.467054Z",
			"deleted_at": null,
			"main_name": "UAC-0006",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0006",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434467,
	"ts_updated_at": 1775791498,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6dfea7c670d252fd147a0d07de14c246b46e050b.pdf",
		"text": "https://archive.orkl.eu/6dfea7c670d252fd147a0d07de14c246b46e050b.txt",
		"img": "https://archive.orkl.eu/6dfea7c670d252fd147a0d07de14c246b46e050b.jpg"
	}
}