{
	"id": "985f5c84-dd84-4235-8988-cfedfadf4c06",
	"created_at": "2026-04-07T15:34:59.048065Z",
	"updated_at": "2026-04-10T03:37:20.31259Z",
	"deleted_at": null,
	"sha1_hash": "804cad95b32569b1648541a3d968cecc2f3349f3",
	"title": "State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 172321,
	"plain_text": "State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage\r\nBy alexandrag\r\nPublished: 2022-03-31 · Archived: 2026-04-07 15:24:19 UTC\r\nIntroduction\r\nGeopolitical tensions often make headlines and present a golden opportunity for threat actors to exploit the situation, especially those targeting high-profile victims. In the past month, while the Russian invasion of Ukraine was unfolding, Check Point Research (CPR) observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones, to target victims with spear-phishing emails using the war as a lure. The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on the targets and region. Many of these lure documents use malicious macros or template injection to gain an initial foothold in the targeted organizations and then launch malware attacks.\r\nThe use of the conflict as bait is not limited to a specific region or APT group; it spans Latin America, the Middle East and Asia. In this article, CPR provides an overview of several campaigns by different APT groups that use the ongoing Russia-Ukraine war to increase the efficiency of their campaigns. CPR discusses the victimology of these campaigns and the tactics used, and provides technical analysis of the observed malicious payloads and malware. 
Below are the campaigns identified and profiled in this article:\r\nAPT Name   | APT Origin               | Targeted Sector         | Targeted Countries\r\nEl Machete | Spanish-speaking country | Financial, Governmental | Nicaragua, Venezuela\r\nLyceum     | Iran                     | Energy                  | Israel, Saudi Arabia\r\nSideWinder | Possibly India           | Unknown                 | Pakistan\r\nLatin America: El Machete APT\r\nTargets: Financial and governmental sectors\r\nKaspersky first publicly disclosed El Machete, a Spanish-speaking threat actor that focuses on Latin American targets, in 2014, with the group’s activity dating back to 2010. The group’s activities have persisted throughout the years, adopting the practice of using government-themed documents as decoys, as well as using lures related to the current political situation.\r\nIn mid-March, El Machete was spotted sending spear-phishing emails to financial organizations in Nicaragua, with an attached Word document titled “Dark plans of the neo-Nazi regime in Ukraine.” The document contained an article written and published by Alexander Khokholikov, the Russian Ambassador to Nicaragua, that discussed the Russo-Ukrainian conflict from the perspective of the Kremlin.\r\nhttps://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/\r\nPage 1 of 31\r\nFigure 1 – Lure document that contains an article about the Russia-Ukraine conflict, sent by El Machete APT to Nicaraguan financial institutions.\r\nInfection chain\r\nThe malicious macro inside the document drops a base64-encoded file named ~djXsfwEFYETE.txt and uses the built-in certutil.exe to decode it to ~djXsfwEFYETE.vbe, an encoded VBScript file. 
The macro then launches wscript.exe to execute the .vbe file, whose primary objective is to execute msiexec.exe with a remotely hosted .msi file titled Adobe.msi, which masquerades as Adobe software.\r\nFigure 2 – Schema of the main components of the infection chain.\r\nThe Adobe.msi installer initially installs malware-related files to a subfolder in the user’s TEMP directory. Later, the malware copies itself from the TEMP directory to a working directory, C:\\ProgramData\\PD, which is set as hidden to make sure users do not see it when they open the ProgramData folder in File Explorer. The malware is primarily written in Python, and comes with two different Python interpreters that also masquerade as executables related to Adobe, AdobeReaderUpdate.exe and ReaderSetting.exe. The malware sets up persistence via a scheduled task that runs every 5 minutes, pretending to be an update task for Adobe Reader named UpdateAdobeReader. The task executes the AdobeReaderUpdate script, a customized version of the open-source Loki.Rat, which has been used by the El Machete APT group in an ongoing campaign since 2020.\r\nC\u0026C communication\r\nThe malware does not have a hardcoded C\u0026C server address. Instead, it relies on a file called license.dll, which contains a Base64-encoded URL to a BlogSpot webpage. This page seemingly contains security-related content and discusses asymmetric encryption. However, embedded inside the BlogSpot page is another base64 string that contains the encoded C\u0026C URL that the malware will eventually use. To find the relevant URL, the malware searches between two hardcoded strings that are 6-7 characters long. 
They tend to follow the pattern of /AAAA/ and *AAAA/, where AAAA represents a 4-5-letter string.\r\nFigure 3 – BlogSpot page used by Adobe.msi. The C\u0026C server is encoded between /noul/ and *noul/.\r\nThis method of retrieving the C\u0026C servers has several advantages. Foremost, it easily allows the attacker to make the initial connection look innocuous by connecting to a subdomain of a known and seemingly benign server (blogspot.com). In addition, the attackers can switch C\u0026C infrastructure very easily without having to redeploy new code to the victims’ machines.\r\nThe data is submitted to the C\u0026C server in a somewhat obfuscated but consistent JSON format:\r\n{\r\n \"nu8\": \"\u003chostname-username\u003e\",\r\n \"d4\": \"\u003ctag\u003e\",\r\n \"r88\": \"\u003cmodule name/data type\u003e\",\r\n \"m77\": \"\u003cfile path\u003e.pgp\",\r\n \"ns32\": \"\u003cpayload\u003e\",\r\n \"submit\": \"submit\"\r\n}\r\nThe tag in the d4 field used by the Adobe malware is Utopiya_Nyusha_Maksim, which El Machete has used since 2020.\r\nThe Loki.Rat Backdoor\r\nEach of the Python script files is 
obfuscated using base64 encoding. However, once decoded from base64, the code is relatively straightforward, with only minor variable-name obfuscation.\r\nFigure 4 – Deobfuscated AdobeReaderUpdate script.\r\nMalware capabilities include:\r\nKeylogging – The keylogger runs as a separate process and script: the ReaderSetting.exe Python interpreter is used to run a separate file called SearchAdobeReader.\r\nCollect credentials stored in Chrome and Firefox browsers.\r\nUpload and download files.\r\nCollect information about the files on each drive – collect file names and file sizes for all the files with the extensions from the list .doc, .docx, .pdf, .xlsx, .xls, .ppt, .pptx, .jpg, .jpeg, .rar, .zip, .odt, .ott, .odm, .ods, .ots, .odp, except in excluded (system, temp) folders.\r\nTake screenshots.\r\nCollect clipboard data.\r\nExecute commands.\r\nCommands and payloads\r\nThe actors first send several commands to understand if the infected machine is interesting enough to proceed: these commands perform screenshots, keylogging, and listing files on the system. If deemed worthwhile, the actors execute a command to download and install another malware, JavaOracle.msi, via msiexec.exe.\r\nSimilar to Adobe.msi, JavaOracle.msi installs a Python-based malware and uses scheduled tasks for persistence. However, the Python scripts are not based on the Loki.Rat backdoor, although they offer some similar functionality through the modules placed in the directory Libs\\site-packages\\Java. The malware was observed launching multiple Python interpreters in parallel, each one running a different module. 
The Python executables are disguised as JavaHosts.exe, JavaExt.exe and JavaAdd.exe, and the actors also use these Python “clones” to check if a certain script/module is running, based on the process name. The modules include the following capabilities:\r\nDownload a payload from the C\u0026C server (GAME module) – The code implies that the payload is expected to be either a .exe or a .msi file. The payload is written to the directory C:\\ProgramData\\ControlD\\, which it sets as a folder with system and hidden attributes.\r\nKeylogger (TIME module) – This is similar to the one that came with the Adobe.msi payload, but it never writes to disk. Instead, it posts the keylogger data directly to the C\u0026C server.\r\nBOX module – This iterates over files in the system and uploads files of interest that are less than 5 MB, encoded as base64. The module first checks connectivity by opening a TCP socket to google.es. If the site is not accessible, the script exits.\r\nScreenshot (LIST module) – The module saves screenshots to -shopt.png inside a directory masquerading as Microsoft, namely %APPDATA%\\Microsoft\\ControlDesktop\\. It then uploads the screenshot to the C\u0026C server and proceeds to delete all PNG files in this directory. Similar to BOX, it initially checks that it can open a TCP socket to google.ru. If it fails, the script exits.\r\nClipboard stealer (SCAN module) – Posts the data directly to the C\u0026C server, without writing the data to disk. 
Before doing so, it checks that it can open a TCP connection to google.ru.\r\nThe malware from the JavaOracle.msi file seems to be using a new hardcoded tag, Foo_Fighters_Everlong. The timing appears to be coincidental, as the payload was first seen a few days before the news that Foo Fighters drummer Taylor Hawkins died.\r\nFigure 5 – JavaOracle code steals the clipboard contents and posts the data to the C\u0026C with a custom tag.\r\nTargets and goals\r\nAlthough the specific email trap targeted a financial institution in Nicaragua, multiple artifacts suggest that this is part of a larger campaign, which is also targeting government entities in Venezuela. Judging by the activities that the actors perform in the infected networks, the purpose of the whole campaign is deemed a cyberespionage operation, consistent with the previously disclosed activity by the same attack group. This indicates that the El Machete APT group continues to operate with slightly changing TTPs, even after researchers published technical descriptions and indicators of compromise for the malware used by the group.\r\nMiddle East: Lyceum\r\nTargets: Energy sector\r\nBelieved to be active since 2017, Lyceum is an Iranian APT group active in the Middle East and Africa, and is known to target sectors of strategic national importance to carry out cyber espionage. In mid-March, an Israeli energy company received an email from the address inews-reporter@protonmail[.]com with the subject “Russian war crimes in Ukraine”. 
The email contained a few pictures taken from public media sources and a link to an article hosted on the news-spot[.]live domain:\r\nFigure 6 – Lure email utilizing the Russia-Ukraine conflict theme, sent by Lyceum group.\r\nThe link in the email leads to a document that contains the article “Researchers gather evidence of possible Russian war crimes in Ukraine” published by The Guardian:\r\nFigure 7 – Lure document that contains The Guardian article on possible Russian war crimes in Ukraine.\r\nThe same domain hosts a few more malicious documents related to Russia and the Russia-Ukraine conflict, such as a copy of an article by The Atlantic Council from 2020 on Russian nuclear weapons, and a job posting for an “Extraction / Protective Agent” in Ukraine:\r\nFigure 8 – Russia-Ukraine war-related decoy documents used by the Lyceum APT group.\r\nInfection chain\r\nThe malicious Office document executes macro code when the document is closed. The macro deobfuscates an executable embedded in the document and saves it to the %APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ directory. By using this method, the payload isn’t executed directly by the Office document, but it will run the next time the computer is restarted.\r\nAs part of the wider Lyceum campaign, we also observed different executable droppers. 
These are executables bearing PDF icons, not documents:\r\nFigure 9 – Two variants of Lyceum infection chain: lures related to the RU-UA conflict (top) and to Iran (bottom).\r\nAll the executables are written slightly differently, but the main idea is the same: first, the dropper extracts a lure PDF file embedded as a resource and opens it; then, in the background and unnoticed by the victim, the dropper downloads and executes the payload. We identified three categories of droppers:\r\n.NET DNS dropper – Used to drop the .NET DNS backdoor (discussed later):\r\nFigure 10 – The .NET dropper opens the decoy PDF and downloads the payload.\r\n.NET TCP Dropper – Drops the .NET HTTP backdoor variant, and adds a scheduled task to run it.\r\nGolang Dropper – Drops the Golang backdoor to the Startup folder and the Public\\Downloads folder. In addition, it drops a PDF file (a report about the Iranian cyber threat, similar to the other droppers) to the Public\\Downloads folder and executes it. After the PDF report is opened, the dropper finally executes the Golang backdoor from the Public\\Downloads folder.\r\nFigure 11 – Code snippet of the Golang dropper, which drops a Golang backdoor and a PDF report titled “Iranian Cyber Threat”.\r\nThe dropped files can be downloaded from the internet, or extracted from the dropper itself, depending on the sample.\r\nPayloads\r\nEach dropper brings its own type of payload. 
We observed the following backdoors deployed:\r\n.NET DNS Backdoor\r\nThe .NET DNS backdoor is a modified version of a tool called DnsDig, with code added to form frm1 that uses HeijdenDNS and DnsDig capabilities.\r\nFigure 12 – Original DnsDig tool (left) vs Modified DnsDig (added frm1).\r\nThe backdoor uses DNS tunneling to communicate with its C\u0026C server, and is able to download/upload files and execute commands.\r\n.NET TCP Backdoor\r\nThe backdoor communicates with the C\u0026C using raw TCP sockets, and it implements its own communication protocol on top of this. Each sample contains a configuration that defines how it should communicate with the C\u0026C, including separator characters, TCP ports and a mapping of command types to numbers:\r\nFigure 13 – Configuration snippet of the .NET TCP backdoor.\r\nAlthough the malware contains a configuration for the C\u0026C communication, it still uses hardcoded values in the code itself instead of the configuration constants. This indicates that the malware might still be under active development.\r\nThe capabilities of this backdoor include:\r\nExecute commands.\r\nTake screenshots.\r\nList files/directories.\r\nList installed applications.\r\nUpload/download/execute files.\r\nGolang HTTP Backdoor\r\nThe execution of the HTTP backdoor, written in Golang, consists of 3 stages that occur in a loop:\r\nStage 1 – Connectivity check. The malware generates a unique ID for the victim, based on the MD5 hash of the username. It then sends an empty HTTP POST request to the URI /GO/1.php of the C\u0026C server. If the server responds with OK, the backdoor continues to the next stage.\r\nStage 2 – Victim registration. 
In this step, the malware sends basic details of the victim in a POST request to the URI /GO/2.php, to register the victim in the attacker’s C\u0026C server.\r\nStage 3 – Commands retrieval and execution. First, the malware sends HTTP POST requests to the URI /GO/3.php to get commands for execution. Like the other backdoors we described, the backdoor supports commands that allow it to download/upload files and execute shell commands.\r\nFigure 14 – Network traffic of the Golang HTTP backdoor, per execution stage\r\nAttribution and victimology\r\nIn addition to targets in the Israeli energy sector, when hunting for the files and infrastructure related to this attack, CPR observed some artifacts uploaded to VirusTotal (VT) from Saudi Arabia. Although these artifacts contain traps related to Iran, the other documents found on the relevant infrastructure suggest that the group might have used the baits related to the Russia-Ukraine war in Saudi Arabia as well, and probably in other countries in the region, which is the primary focus of the group’s activities.\r\nAs well as the clear victimology, other indicators that suggest this activity is from the Lyceum APT group include:\r\nUse of the Heijden.DNS open-source library, which was used by Lyceum in their previous attacks. 
This time, the actors did not obfuscate the library name but modified a tool named DnsDig that uses Heijden.DNS.\r\nUse of the DNS tunneling technique in the C\u0026C communication, widely used in previous Lyceum campaigns.\r\nOverlaps in the infrastructure, such as known Lyceum C\u0026C servers hosted on the same ASN in the same networks as the C\u0026C from this campaign, and use of the same domain registrars, such as Namecheap.\r\nUse of Protonmail email addresses to send the malicious email to their targets or to register the domains.\r\nJudging by the timestamp artifacts found and the malicious domain registrations, this specific campaign has been running for a few months. The adoption of more relevant lures and constant malware retooling suggest that the Lyceum group will continue to conduct and adjust their espionage operations in the Middle East, despite public disclosures.\r\nSouth Asia: SideWinder\r\nTargets: Entities in Pakistan\r\nSideWinder is a suspected Indian APT group that strongly focuses on Pakistani and Chinese government organizations. SideWinder’s malicious document, which also exploits the Russia-Ukraine conflict, was uploaded to VT in the middle of March. Judging by its content, the intended targets are Pakistani entities; the bait document contains a document of the National Institute of Maritime Affairs of Bahria University in Islamabad, and is titled “Focused talk on Russian Ukraine Conflict Impact on Pakistan.”\r\nFigure 15 – Decoy document related to Russia-Ukraine war, by Sidewinder APT.\r\nThis malicious document uses remote template injection. When it’s opened, the document retrieves a remote template from an actor-controlled server. The external template that’s downloaded is an RTF file that exploits the CVE-2017-11882 (Equation Editor) vulnerability. 
When the vulnerability is exploited, it drops and executes the 1.a package, which contains obfuscated JavaScript. The SideWinder campaign TTPs have not changed in the last few years, so we do not include exact technical details here, as they have been thoroughly described by multiple researchers.\r\nHowever, it is worth mentioning that a typical SideWinder APT payload is a .NET-based infostealer, originally called “SystemApp.dll”, which is capable of gathering system information, exfiltrating files from the infected machine and executing commands. The infostealer has been used with minor modifications in the group’s espionage campaigns since early 2019.\r\nConclusion\r\nCPR shared a few examples of APT groups attempting to abuse the interest in the ongoing war between Russia and Ukraine. As some of these campaigns contain previously undisclosed technical details or updated malware, CPR researchers included YARA rules in the Appendix, which can assist with threat hunting for these APT campaigns and the tools they utilize.\r\nAlthough the attention of the public does not usually linger on a single issue for an extended period, the Russian-Ukrainian war is an obvious exception. This war affects multiple regions around the world and has potentially far-reaching ramifications. 
As a result, we can expect that APT threat actors will continue to use this crisis to conduct targeted phishing campaigns for espionage purposes.\r\nIOCs\r\nLyceum APT:\r\n13814a190f61b36aff24d6aa1de56fe2\r\nf9fd9e32cb04c4fc93e65f48562ecad3\r\n53542ec51daf61fba2d26fe91b7d701f\r\nd962dd55fde800d972a156f5c63a6243\r\n1a5489147a888c4f5f32e97ffcb01733\r\n9fcad8f97eeae10f7a222eca94cb9a5f\r\nf8c29040122cf892190bcf3665975d2f\r\na5dbfd729b6fd64a6c4fd77a3e356989\r\n8b01dec07856a67db0e0d849bc84fd9e\r\n23d174e6a0905fd59b2613d5ac106261\r\na437f997d45bc14e76d0f2482f572a34\r\nce186cda677f0120cfdb308803b8e8d8\r\n214011a0d57b1d8238532be4f6414f58\r\n8d51fbb90ad5942cd1a5a6534bd9d1d7\r\n6aeca48c9090b301b3fdf9da4382c882\r\nc41ffcbd933039bb6981d05b4c4c673e\r\ne03c7e3e8957ede592de07d3dca247b7\r\nf72768f352994ecce3b9e5109fe93eec\r\n8199f14502e80581000bd5b3bda250ee\r\nd79687676d2d152aec4143c852bdbc4a\r\n2bc2abefc1a721908bc805894b62227d\r\n37a1514a7a5f9b2c6786096129a30721\r\n1c444ebeba24dcba8628b7dfe5fec7c6\r\n85ca334f87667bd7fa0c47ae6149353e\r\n73bddd5f1a0847ae5f5d55e7d9c177f6\r\n9fb86915db1b7c00f1a4587de4e052de\r\n37fe608983d4b06a5549247f0e16bc11\r\n5916e5189ef0050dfcc3cc19382d08d5\r\nf3b395661cc663c1baad41b439622071\r\n8044dc6078b003698d6e1cbbd22a9ea6\r\nbcb465cc2257e5777bab431690ca5039\r\nnews-spot[.]live\r\nnews-spot[.]xyz\r\ncyberclub[.]one\r\nscience-news[.]live\r\nnews-reporter[.]xyz\r\n104.249.26[.]60\r\n85.206.175[.]201\r\n185.243.112[.]136\r\nEl Machete 
APT:\r\n8e1360cc27e95fc47924d9ba3ef84cb8fa9e142cfd16e1503c5277d0c16ae241\r\ne2c67e495166be1b97134e67b2326e1b800d3d4d8dba4bc61fd3f8eb3a92d612\r\ne3718adaca6eafeba6ff171669210cb55a3b8babf3b78072cc513273b99a7639\r\ned09da9d48afe918f9c7f72fe4466167e2f127a28a7641ba80d6165e82f48431\r\nb9bf3e9725696331916e32e5936111e1166867b1d2d3ab05e46b9fff8679cf8f\r\nc6c794348d17d40c544487154ca72e8e6199b670f804ee25d7bcd9ff884d67b1\r\n7115580f8235a0bbce61e8af79c3ed5cbe46900912eb0765ccaee82213a9275e\r\n907ccb541d0066d36701310e86e1d2b61448178d1d36f6748af0b3163ca273ac\r\n7ea7cae7dd6353831359179f4834ac4c2e9022659e205ca8506f372aad63f629\r\nbb4b04eff1b5154d23b2636fc55222e4f27c654777f348edee47c920e457835e\r\nebbcc2075fcb0ba18d43475b8454c51b35bb65e1ed323b657ea7d9651e98074d\r\nda81697353fe3238920a8c2c4cbbf25a298b3e3414f988ece0cf7afb73e3e0a5\r\n4c22116b68732f8fe9e2fb5e56e9ff798f30805f9008e4f7a4be1e1c830162b8\r\n65e48c986d185d156999adc762d7bff84ddbf44851419d66c2985a2ccc2e072d\r\ncaac5087528dde6839481133737de12af973080184b2aa0b2eb35af88875adbb\r\na5f0af1124f7abf06e712a2bfb4f1104ee0df179343020577959339617db69b3\r\nca4182fbaf3f02d9b428f7e851d5a679d6dcfceafabb245cff155b48d9c09307\r\n96b33df5720901b4f2fc6fb810b6eca994fb8b2ff0edc0aa456195a7c9115615\r\ne27f75c4e4e74bff20270ec0f2bd41a4b54c121bcb811451a67c831dba1e4c03\r\na26751cde843d44506ccece87d6347ede5071703bfd63fb12f8982eae7aaf3dd\r\ne60ea877d008e61cb625b4f8b2d712ce9289892f7e799dbb1030301e2db4b0ac\r\nhxxps://correomindefensagobvemyspace[.]com/kolomenskoye/Adobe.msi\r\nhxxps://solutionconect[.]online/uu2/x3/JavaOracle.msi\r\nhxxps://great-jepsen.51-79-62-98[.]plesk[.]page/MKS/w3/Adobe.msi\r\nhxxps://asymmetricfile.blogspot[.]com\r\nhxxps://postinfomatico.blogspot[.]com\r\nhxxp://31.207.44[.]72:8080\r\nhxxps://Intelligent-archimedes.51-79-62-98[.]plesk[.]page/x3/Uu-3.php\r\nSidewinder 
APT:\r\nf765b0b6e4a34eb95c6f0ddf058bc88d5ef9ec2b11a5f3504d1673f4f69aceca\r\nmaritimepakistan.kpt-pk[.]net\r\nkpt-pk[.]net\r\nAppendix – YARA rules\r\nrule lyceum_dotnet_dns_backdoor\r\n{\r\n    meta:\r\n        author = \"CPR\"\r\n        hash1 = \"8199f14502e80581000bd5b3bda250ee\"\r\n        hash2 = \"d79687676d2d152aec4143c852bdbc4a\"\r\n        hash3 = \"bcb465cc2257e5777bab431690ca5039\"\r\n        hash4 = \"2bc2abefc1a721908bc805894b62227d\"\r\n        hash5 = \"37a1514a7a5f9b2c6786096129a30721\"\r\n    strings:\r\n        $log1 = \"MSG SIZE rcvd\" wide\r\n        $log2 = \"Empty output\" wide\r\n        $log3 = \"Big Output. lines: \" wide\r\n        $com1 = \"Enddd\" wide\r\n        $com2 = \"uploaddd\" wide\r\n        $com3 = \"downloaddd\" wide\r\n        $dga = \"trailers.apple.com\" wide\r\n        $replace1 = \"BackSlashh\" wide\r\n        $replace2 = \"QuotationMarkk\" wide\r\n        $re_pattern = \"60\\\\s+IN\\\\s+TXT\" wide\r\n        $func1 = \"comRun\"\r\n        $func2 = \"PlaceDot\"\r\n        $func3 = \"sendAns\"\r\n        $heijden1 = \"Heijden.DNS\"\r\n        $heijden2 = \"DnsHeijden\"\r\n    condition:\r\n        uint16(0)==0x5a4d and (all of ($log*) or all of ($com*) or all of ($replace*) or all of ($func*) or (any of ($heijden*) and $re_pattern and $dga))\r\n}\r\nrule lyceum_dotnet_http_backdoor\r\n{\r\n    meta:\r\n        author = \"CPR\"\r\n        hash1 = \"1c444ebeba24dcba8628b7dfe5fec7c6\"\r\n        hash2 = \"85ca334f87667bd7fa0c47ae6149353e\"\r\n        hash3 = \"73bddd5f1a0847ae5f5d55e7d9c177f6\"\r\n        hash4 = \"9fb86915db1b7c00f1a4587de4e052de\"\r\n        hash5 = \"37fe608983d4b06a5549247f0e16bc11\"\r\n        hash6 = \"5916e5189ef0050dfcc3cc19382d08d5\"\r\n    strings:\r\n        $class1 = \"Funcss\"\r\n        $class2 = \"Constantss\"\r\n        $class3 = \"Reqss\"\r\n        $class4 = \"Screenss\"\r\n        $class5 = 
\"Shll\"\r\n        $class6 = \"test_A1\"\r\n        $class7 = \"Uploadss\"\r\n        $class8 = \"WebDL\"\r\n        $cnc_uri1 = \"/upload\" wide\r\n        $cnc_uri2 = \"/screenshot\" wide\r\n        $cnc_pattern_hex1 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 0d 0a 0d 0a}\r\n        $cnc_pattern_hex2 = {6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d 7b 30 7d}\r\n        $cnc_pattern_hex3 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 7b 31 7d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 7b 32 7d 0d 0a 0d 0a}\r\n        $constant1 = \"FILE_DIR_SEPARATOR\"\r\n        $constant2 = \"APPS_PARAMS_SEPARATOR\"\r\n        $constant3 = \"TYPE_SENDTOKEN\"\r\n        $constant4 = \"TYPE_DATA1\"\r\n        $constant5 = \"TYPE_SEND_RESPONSE_IN_SOCKET\"\r\n        $constant6 = \"TYPE_FILES_LIST\"\r\n        $constant7 = \"TYPE_FILES_DELETE\"\r\n        $constant8 = \"TYPE_FILES_RUN\"\r\n        $constant9 = \"TYPE_FILES_UPLOAD_TO_SERVER\"\r\n        $constant10 = \"TYPE_FILES_DELETE_FOLDER\"\r\n        $constant11 = \"TYPE_FILES_CREATE_FOLDER\"\r\n        $constant12 = \"TYPE_FILES_DOWNLOAD_URL\"\r\n        $constant13 = \"TYPE_OPEN_CMD\"\r\n        $constant14 = \"TYPE_CMD_RES\"\r\n        $constant15 = \"TYPE_CLOSE_CMD\"\r\n        $constant16 = \"TYPE_CMD_REQ\"\r\n        $constant17 = \"TYPE_INSTALLED_APPS\"\r\n        $constant18 = \"TYPE_SCREENSHOT\"\r\n        $constant19 = \"_RG_APP_NAME_\"\r\n        $constant20 = \"_RG_APP_VERSION_\"\r\n        $constant21 = \"_RG_APP_DATE_\"\r\n        $constant22 = \"_RG_APP_PUB_\"\r\n        $constant23 = \"_RG_APP_SEP_\"\r\n        $constant24 = \"_SC_EXT_\"\r\n    condition:\r\n        uint16(0)==0x5a4d and (4 of ($class*) or 4 of ($cnc_*) or 4 of ($constant*))\r\n}\r\nrule lyceum_golang_backdoor\r\n{\r\n    meta:\r\n        author = \"CPR\"\r\n        hash1 = \"a437f997d45bc14e76d0f2482f572a34\"\r\n        hash2 = 
\"23d174e6a0905fd59b2613d5ac106261\"\r\n        hash3 = \"bcb465cc2257e5777bab431690ca5039\"\r\n    strings:\r\n        $func1 = \"main.Ase256\"\r\n        $func2 = \"main.DecryptAse256\"\r\n        $func3 = \"main.IsServerUp\"\r\n        $func4 = \"main.register\"\r\n        $func5 = \"main.commandforrun\"\r\n        $func6 = \"main.UPLOAD\"\r\n        $func7 = \"main.commandforanswer\"\r\n        $func8 = \"main.GetMD5Hash\"\r\n        $func9 = \"main.get_uid\"\r\n        $func10 = \"main.commandrun\"\r\n        $func11 = \"main.download\"\r\n        $func12 = \"main.postFile\"\r\n        $func13 = \"main.sendAns\"\r\n        $func14 = \"main.comRun\"\r\n        $cnc_uri1 = \"/GO/1.php\"\r\n        $cnc_uri2 = \"/GO/2.php\"\r\n        $cnc_uri3 = \"/GO/3.php\"\r\n        $auth_token = \"auth_token=\\\"XXXXXXX\\\"\"\r\n        $log1 = \"client registred\"\r\n        $log2 = \"no command\"\r\n        $log3 = \"can not create file\"\r\n        $log4 = \"errorGettingUserName\"\r\n        $log5 = \"New record created successfully\"\r\n        $log6 = \"SERVER_IS_DOWN\"\r\n        $dga = \"trailers.apple.com.\"\r\n    condition:\r\n        uint16(0)==0x5a4d and ((10 of ($func*) or any of ($cnc_uri*) or $auth_token or 3 of ($log*)) or ($dga and 4 of them))\r\n}\r\nrule ElMachete_doc\r\n{\r\n    meta:\r\n        author = \"CPR\"\r\n        hash1 = \"8E1360CC27E95FC47924D9BA3EF84CB8FA9E142CFD16E1503C5277D0C16AE241\"\r\n    strings:\r\n        $s1 = \"You want to continue with the Document\" ascii\r\n        $s2 = \"certutil -decode\" ascii\r\n        $s3 = /C:\\\\ProgramData\\\\.{1,20}\\.txt/\r\n        $s4 = /C:\\\\ProgramData\\\\.{1,20}\\.vbe/\r\n    condition:\r\n        uint16be(0) == 0xD0CF and 2 of ($s*)\r\n}\r\nrule ElMachete_msi\r\n{\r\n    meta:\r\n        author = \"CPR\"\r\n        hash1 = \"ED09DA9D48AFE918F9C7F72FE4466167E2F127A28A7641BA80D6165E82F48431\"\r\n    strings:\r\n        $s1 = \"MSI Wrapper (8.0.26.0)\"\r\n        $s2 = \"Windows Installer XML Toolset (3.11.0.1701)\"\r\n        $s3 = 
\"\\\\Lib\\\\site-packages\\\\PIL\\\\\"\r\n$s4 = \"\\\\Lib\\\\site-packages\\\\pyHook\\\\\"\r\n$s5 = \"\\\\Lib\\\\site-packages\\\\requests\\\\\"\r\n$s6 = \"\\\\Lib\\\\site-packages\\\\win32com\\\\\"\r\n$s7 = \"\\\\Lib\\\\site-packages\\\\Crypto\\\\\"\r\ncondition:\r\n4 of them\r\n}\r\nrule lyceum_dotnet_dns_backdoor { meta: author = \"CPR\" hash1 = \"8199f14502e80581000bd5b3bda250ee\"\r\nhash2 = \"d79687676d2d152aec4143c852bdbc4a\" hash3 = \"bcb465cc2257e5777bab431690ca5039\" hash4 =\r\nhttps://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/\r\nPage 26 of 31\n\n\"2bc2abefc1a721908bc805894b62227d\" hash5 = \"37a1514a7a5f9b2c6786096129a30721\" strings: $log1 = \"MSG\r\nSIZE rcvd\" wide $log2 = \"Empty output\" wide $log3 = \"Big Output. lines: \" wide $com1 = \"Enddd\" wide $com2\r\n= \"uploaddd\" wide $com3 = \"downloaddd\" wide $dga = \"trailers.apple.com\" wide $replace1 = \"BackSlashh\" wide\r\n$replace2 = \"QuotationMarkk\" wide $re_pattern = \"60\\\\s+IN\\\\s+TXT\" wide $func1 = \"comRun\" $func2 =\r\n\"PlaceDot\" $func3 = \"sendAns\" $heijden1 = \"Heijden.DNS\" $heijden2 = \"DnsHeijden\" condition:\r\nuint16(0)==0x5a4d and (all of ($log*) or all of ($com*) or all of ($replace*) or all of ($func*) or (any of\r\n($heijden*) and $re_pattern and $dga)) } rule lyceum_dotnet_http_backdoor { meta: author = \"CPR\" hash1 =\r\n\"1c444ebeba24dcba8628b7dfe5fec7c6\" hash2 = \"85ca334f87667bd7fa0c47ae6149353e\" hash3 =\r\n\"73bddd5f1a0847ae5f5d55e7d9c177f6\" hash4 = \"9fb86915db1b7c00f1a4587de4e052de\" hash5 =\r\n\"37fe608983d4b06a5549247f0e16bc11\" hash6 = \"5916e5189ef0050dfcc3cc19382d08d5\" strings: $class1 =\r\n\"Funcss\" $class2 = \"Constantss\" $class3 = \"Reqss\" $class4 = \"Screenss\" $class5 = \"Shll\" $class6 = \"test_A1\"\r\n$class7 = \"Uploadss\" $class8 = \"WebDL\" $cnc_uri1 = \"/upload\" wide $cnc_uri2 = \"/screenshot\" wide\r\n$cnc_pattern_hex1 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 
74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61\r\n3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 0d 0a 0d 0a} $cnc_pattern_hex2 = {6d 75 6c 74 69 70 61 72 74 2f 66 6f 72\r\n6d 2d 64 61 74 61 3b 20 62 6f 75 6e 64 61 72 79 3d 7b 30 7d} $cnc_pattern_hex3 = {43 6f 6e 74 65 6e 74 2d 44\r\n69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 7b 30 7d 22 3b 20 66 69\r\n6c 65 6e 61 6d 65 3d 22 7b 31 7d 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 7b 32 7d 0d 0a 0d 0a}\r\n$constant1 = \"FILE_DIR_SEPARATOR\" $constant2 = \"APPS_PARAMS_SEPARATOR\" $constant3 =\r\n\"TYPE_SENDTOKEN\" $constant4 = \"TYPE_DATA1\" $constant5 = \"TYPE_SEND_RESPONSE_IN_SOCKET\"\r\n$constant6 = \"TYPE_FILES_LIST\" $constant7 = \"TYPE_FILES_DELETE\" $constant8 = \"TYPE_FILES_RUN\"\r\n$constant9 = \"TYPE_FILES_UPLOAD_TO_SERVER\" $constant10 = \"TYPE_FILES_DELETE_FOLDER\"\r\n$constant11 = \"TYPE_FILES_CREATE_FOLDER\" $constant12 = \"TYPE_FILES_DOWNLOAD_URL\"\r\n$constant13 = \"TYPE_OPEN_CMD\" $constant14 = \"TYPE_CMD_RES\" $constant15 = \"TYPE_CLOSE_CMD\"\r\n$constant16 = \"TYPE_CMD_REQ\" $constant17 = \"TYPE_INSTALLED_APPS\" $constant18 =\r\n\"TYPE_SCREENSHOT\" $constant19 = \"_RG_APP_NAME_\" $constant20 = \"_RG_APP_VERSION_\"\r\n$constant21 = \"_RG_APP_DATE_\" $constant22 = \"_RG_APP_PUB_\" $constant23 = \"_RG_APP_SEP_\"\r\n$constant24 = \"_SC_EXT_\" condition: uint16(0)==0x5a4d and (4 of ($class*) or 4 of ($cnc_*) or 4 of\r\n($constant*)) } rule lyceum_golang_backdoor { meta: author = \"CPR\" hash1 =\r\n\"a437f997d45bc14e76d0f2482f572a34\" hash2 = \"23d174e6a0905fd59b2613d5ac106261\" hash3 =\r\n\"bcb465cc2257e5777bab431690ca5039\" strings: $func1 = \"main.Ase256\" $func2 = \"main.DecryptAse256\"\r\n$func3 = \"main.IsServerUp\" $func4 = \"main.register\" $func5 = \"main.commandforrun\" $func6 =\r\n\"main.UPLOAD\" $func7 = \"main.commandforanswer\" $func8 = \"main.GetMD5Hash\" $func9 = \"main.get_uid\"\r\n$func10 = \"main.commandrun\" $func11 = \"main.download\" $func12 = 
\"main.postFile\" $func13 =\r\n\"main.sendAns\" $func14 = \"main.comRun\" $cnc_uri1 = \"/GO/1.php\" $cnc_uri2 = \"/GO/2.php\" $cnc_uri3 =\r\n\"/GO/3.php\" $auth_token = \"auth_token=\\\"XXXXXXX\\\"\" $log1 = \"client registred\" $log2 = \"no command\"\r\n$log3 = \"can not create file\" $log4 = \"errorGettingUserName\" $log5 = \"New record created successfully\" $log6 =\r\n\"SERVER_IS_DOWN\" $dga = \"trailers.apple.com.\" condition: uint16(0)==0x5a4d and ((10 of ($func*) or any of\r\n($cnc_uri*) or $auth_token or 3 of ($log*)) or ($dga and 4 of them)) } rule ElMachete_doc { meta: author =\r\n\"CPR\" hash1 = \"8E1360CC27E95FC47924D9BA3EF84CB8FA9E142CFD16E1503C5277D0C16AE241\"\r\nstrings: $s1 = \"You want to continue with the Document\" ascii $s2 = \"certutil -decode\" ascii $s3 =\r\n/C:\\\\ProgramData\\\\.{1,20}\\.txt/ $s4 = /C:\\\\ProgramData\\\\.{1,20}\\.vbe/ condition: uint16be(0) == 0xD0CF and 2 of\r\n($s*) } rule ElMachete_msi { meta: author = \"CPR\" hash1 =\r\nhttps://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/\r\nPage 27 of 31\n\n\"ED09DA9D48AFE918F9C7F72FE4466167E2F127A28A7641BA80D6165E82F48431\" strings: $s1 = \"MSI\r\nWrapper (8.0.26.0)\" $s2 = \"Windows Installer XML Toolset (3.11.0.1701)\" $s3 = \"\\\\Lib\\\\site-packages\\\\PIL\\\\\" $s4\r\n= \"\\\\Lib\\\\site-packages\\\\pyHook\\\\\" $s5 = \"\\\\Lib\\\\site-packages\\\\requests\\\\\" $s6 = \"\\\\Lib\\\\site-packages\\\\win32com\\\\\" $s7 = \"\\\\Lib\\\\site-packages\\\\Crypto\\\\\" condition: 4 of them }\r\nrule lyceum_dotnet_dns_backdoor\r\n{\r\n meta:\r\n author = \"CPR\"\r\n hash1 = \"8199f14502e80581000bd5b3bda250ee\"\r\n hash2 = \"d79687676d2d152aec4143c852bdbc4a\"\r\n hash3 = \"bcb465cc2257e5777bab431690ca5039\"\r\n hash4 = \"2bc2abefc1a721908bc805894b62227d\"\r\n hash5 = \"37a1514a7a5f9b2c6786096129a30721\"\r\n strings:\r\n $log1 = \"MSG SIZE rcvd\" wide\r\n $log2 = \"Empty output\" wide\r\n $log3 = \"Big Output. 
lines: \" wide\r\n $com1 = \"Enddd\" wide\r\n $com2 = \"uploaddd\" wide\r\n $com3 = \"downloaddd\" wide\r\n $dga = \"trailers.apple.com\" wide\r\n $replace1 = \"BackSlashh\" wide\r\n $replace2 = \"QuotationMarkk\" wide\r\n $re_pattern = \"60\\\\s+IN\\\\s+TXT\" wide\r\n $func1 = \"comRun\"\r\n $func2 = \"PlaceDot\"\r\n $func3 = \"sendAns\"\r\n $heijden1 = \"Heijden.DNS\"\r\n $heijden2 = \"DnsHeijden\"\r\n condition:\r\n uint16(0)==0x5a4d and (all of ($log*) or all of ($com*) or all of ($replace*) or all of ($fun\r\n}\r\nrule lyceum_dotnet_http_backdoor\r\n{\r\n meta:\r\n author = \"CPR\"\r\n hash1 = \"1c444ebeba24dcba8628b7dfe5fec7c6\"\r\n hash2 = \"85ca334f87667bd7fa0c47ae6149353e\"\r\n hash3 = \"73bddd5f1a0847ae5f5d55e7d9c177f6\"\r\n hash4 = \"9fb86915db1b7c00f1a4587de4e052de\"\r\n hash5 = \"37fe608983d4b06a5549247f0e16bc11\"\r\n hash6 = \"5916e5189ef0050dfcc3cc19382d08d5\"\r\n strings:\r\n $class1 = \"Funcss\"\r\nhttps://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/\r\nPage 28 of 31\n\n$class2 = \"Constantss\"\r\n $class3 = \"Reqss\"\r\n $class4 = \"Screenss\"\r\n $class5 = \"Shll\"\r\n $class6 = \"test_A1\"\r\n $class7 = \"Uploadss\"\r\n $class8 = \"WebDL\"\r\n $cnc_uri1 = \"/upload\" wide\r\n $cnc_uri2 = \"/screenshot\" wide\r\n $cnc_pattern_hex1 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72\r\n $cnc_pattern_hex2 = {6d 75 6c 74 69 70 61 72 74 2f 66 6f 72 6d 2d 64 61 74 61 3b 20 62 6f 75\r\n $cnc_pattern_hex3 = {43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72\r\n $constant1 = \"FILE_DIR_SEPARATOR\"\r\n $constant2 = \"APPS_PARAMS_SEPARATOR\"\r\n $constant3 = \"TYPE_SENDTOKEN\"\r\n $constant4 = \"TYPE_DATA1\"\r\n $constant5 = \"TYPE_SEND_RESPONSE_IN_SOCKET\"\r\n $constant6 = \"TYPE_FILES_LIST\"\r\n $constant7 = \"TYPE_FILES_DELETE\"\r\n $constant8 = \"TYPE_FILES_RUN\"\r\n $constant9 = \"TYPE_FILES_UPLOAD_TO_SERVER\"\r\n $constant10 = 
\"TYPE_FILES_DELETE_FOLDER\"\r\n $constant11 = \"TYPE_FILES_CREATE_FOLDER\"\r\n $constant12 = \"TYPE_FILES_DOWNLOAD_URL\"\r\n $constant13 = \"TYPE_OPEN_CMD\"\r\n $constant14 = \"TYPE_CMD_RES\"\r\n $constant15 = \"TYPE_CLOSE_CMD\"\r\n $constant16 = \"TYPE_CMD_REQ\"\r\n $constant17 = \"TYPE_INSTALLED_APPS\"\r\n $constant18 = \"TYPE_SCREENSHOT\"\r\n $constant19 = \"_RG_APP_NAME_\"\r\n $constant20 = \"_RG_APP_VERSION_\"\r\n $constant21 = \"_RG_APP_DATE_\"\r\n $constant22 = \"_RG_APP_PUB_\"\r\n $constant23 = \"_RG_APP_SEP_\"\r\n $constant24 = \"_SC_EXT_\"\r\n condition:\r\n uint16(0)==0x5a4d and (4 of ($class*) or 4 of ($cnc_*) or 4 of ($constant*))\r\n}\r\nrule lyceum_golang_backdoor\r\n{\r\n meta:\r\n author = \"CPR\"\r\n hash1 = \"a437f997d45bc14e76d0f2482f572a34\"\r\n hash2 = \"23d174e6a0905fd59b2613d5ac106261\"\r\n hash3 = \"bcb465cc2257e5777bab431690ca5039\"\r\nhttps://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/\r\nPage 29 of 31\n\nstrings:\r\n $func1 = \"main.Ase256\"\r\n $func2 = \"main.DecryptAse256\"\r\n $func3 = \"main.IsServerUp\"\r\n $func4 = \"main.register\"\r\n $func5 = \"main.commandforrun\"\r\n $func6 = \"main.UPLOAD\"\r\n $func7 = \"main.commandforanswer\"\r\n $func8 = \"main.GetMD5Hash\"\r\n $func9 = \"main.get_uid\"\r\n $func10 = \"main.commandrun\"\r\n $func11 = \"main.download\"\r\n $func12 = \"main.postFile\"\r\n $func13 = \"main.sendAns\"\r\n $func14 = \"main.comRun\"\r\n $cnc_uri1 = \"/GO/1.php\"\r\n $cnc_uri2 = \"/GO/2.php\"\r\n $cnc_uri3 = \"/GO/3.php\"\r\n $auth_token = \"auth_token=\\\"XXXXXXX\\\"\"\r\n $log1 = \"client registred\"\r\n $log2 = \"no command\"\r\n $log3 = \"can not create file\"\r\n $log4 = \"errorGettingUserName\"\r\n $log5 = \"New record created successfully\"\r\n $log6 = \"SERVER_IS_DOWN\"\r\n $dga = \"trailers.apple.com.\"\r\n condition:\r\n uint16(0)==0x5a4d and ((10 of ($func*) or any of ($cnc_uri*) or $auth_token or 3 of ($log*))\r\n}\r\nrule 
ElMachete_doc\r\n{\r\n meta:\r\n author = \"CPR\"\r\n hash1 = \"8E1360CC27E95FC47924D9BA3EF84CB8FA9E142CFD16E1503C5277D0C16AE241\"\r\n strings:\r\n $s1 = \"You want to continue with the Document\" ascii\r\n $s2 = \"certutil -decode\" ascii\r\n $s3 = /C:\\\\ProgramData\\\\.{1,20}\\.txt/\r\n $s4 = /C:\\\\ProgramData\\\\.{1,20}\\.vbe/\r\n condition:\r\n uint16be(0) == 0xD0CF and 2 of ($s*)\r\n}\r\nrule ElMachete_msi\r\n{\r\n meta:\r\nhttps://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/\r\nPage 30 of 31\n\nauthor = \"CPR\"\r\n hash1 = \"ED09DA9D48AFE918F9C7F72FE4466167E2F127A28A7641BA80D6165E82F48431\"\r\n strings:\r\n $s1 = \"MSI Wrapper (8.0.26.0)\"\r\n $s2 = \"Windows Installer XML Toolset (3.11.0.1701)\"\r\n $s3 = \"\\\\Lib\\\\site-packages\\\\PIL\\\\\"\r\n $s4 = \"\\\\Lib\\\\site-packages\\\\pyHook\\\\\"\r\n $s5 = \"\\\\Lib\\\\site-packages\\\\requests\\\\\"\r\n $s6 = \"\\\\Lib\\\\site-packages\\\\win32com\\\\\"\r\n $s7 = \"\\\\Lib\\\\site-packages\\\\Crypto\\\\\"\r\n condition:\r\n 4 of them\r\n}\r\nSource: https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/\r\nhttps://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/\r\nPage 31 of 31",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/"
	],
	"report_names": [
		"state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "cde987a8-c71f-49e2-b761-5b7fa2b4ada6",
			"created_at": "2022-10-25T16:07:23.706646Z",
			"updated_at": "2026-04-10T02:00:04.719127Z",
			"deleted_at": null,
			"main_name": "Hexane",
			"aliases": [
				"ATK 120",
				"Cobalt Lyceum",
				"G1001",
				"Lyceum",
				"Operation Out to Sea",
				"Siamesekitten",
				"Yellow Dev 9"
			],
			"source_name": "ETDA:Hexane",
			"tools": [
				"DanBot",
				"DanDrop",
				"Decrypt-RDCMan.ps1",
				"Get-LAPSP.ps1",
				"James",
				"Milan",
				"kl.ps1"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d303c77e-0110-471b-a3a6-37fce9ac848d",
			"created_at": "2022-10-25T15:50:23.342452Z",
			"updated_at": "2026-04-10T02:00:05.373848Z",
			"deleted_at": null,
			"main_name": "Machete",
			"aliases": [
				"APT-C-43",
				"El Machete"
			],
			"source_name": "MITRE:Machete",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ba4f277c-c3da-45e6-a2fb-4ed556dbae64",
			"created_at": "2023-01-06T13:46:38.605117Z",
			"updated_at": "2026-04-10T02:00:03.03665Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"G0095",
				"machete-apt",
				"APT-C-43"
			],
			"source_name": "MISPGALAXY:El Machete",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "edc11896-f4f1-4132-9c38-d073ccdcf5b6",
			"created_at": "2022-10-25T16:07:23.576476Z",
			"updated_at": "2026-04-10T02:00:04.674784Z",
			"deleted_at": null,
			"main_name": "El Machete",
			"aliases": [
				"APT-C-43",
				"ATK 97",
				"G0095",
				"Operation HpReact",
				"TAG-NS1",
				"TEMP.Andromeda"
			],
			"source_name": "ETDA:El Machete",
			"tools": [
				"El Machete",
				"ForeIT",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"Pyark"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a7df240e-6750-4b71-99de-85831b92faa2",
			"created_at": "2022-10-25T15:50:23.859253Z",
			"updated_at": "2026-04-10T02:00:05.285965Z",
			"deleted_at": null,
			"main_name": "HEXANE",
			"aliases": [
				"Lyceum",
				"Siamesekitten",
				"Spirlin"
			],
			"source_name": "MITRE:HEXANE",
			"tools": [
				"Milan",
				"netstat",
				"BITSAdmin",
				"DnsSystem",
				"DanBot",
				"ipconfig",
				"Mimikatz",
				"Kevin",
				"PoshC2"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fb8f3a5f-01a9-498e-9396-52f844424c33",
			"created_at": "2023-01-06T13:46:39.045338Z",
			"updated_at": "2026-04-10T02:00:03.195743Z",
			"deleted_at": null,
			"main_name": "LYCEUM",
			"aliases": [
				"Spirlin",
				"MYSTICDOME",
				"siamesekitten",
				"Chrono Kitten",
				"Storm-0133",
				"COBALT LYCEUM",
				"UNC1530"
			],
			"source_name": "MISPGALAXY:LYCEUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775576099,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/804cad95b32569b1648541a3d968cecc2f3349f3.pdf",
		"text": "https://archive.orkl.eu/804cad95b32569b1648541a3d968cecc2f3349f3.txt",
		"img": "https://archive.orkl.eu/804cad95b32569b1648541a3d968cecc2f3349f3.jpg"
	}
}